Introduction

To begin with, hacking is becoming an occupational crime, which is on the rise where various organizations have fallen victims. The growth of technology has made this practice become intense making organizations intensify their internet security. Hacking involves the modification of features belonging to a system with a motive of accomplishing a goal, outside the creator’s original resolution. Therefore, a hacker is a person involved in hacking and has accepted to engage themselves in the lifestyle of hacking. Computer hacking is very popular nowadays mainly in computer security, although other forms of hacking like phone and brain hacking also exists.

In terms of computing, malicious attacks are deliberate physical or electronic actions carried out to a system with the intentions to acquire, destroy, modify or access users’ data without their consent. Physical attacks include thefts and destruction of hardware storing personal and confidential information. Hackers attack systems electronically involve unauthorized access and modification of the computer users. They also use malicious threats to breach and violate the security system. They are either intentionally caused by the hacker or accidental. For example, due to natural acts like fire. This paper has detailed information regarding ways, which one can protect themselves from malicious malwares, and threats.

The malicious attacks generally disrupt the function ability of the computer system. These attacks take different forms that include viruses, worms, Trojan horses, logical bombs, trap and backdoors, phishing and spoofing. A virus is a program that is capable of copying itself to another program. When it occurs in a running program, it spreads to other executable functions. These threats a very deadly and causes harms to users. There are various ways in which we can defend and eliminate these threats.

Introduction

Welcome to this document from the Midsize Business Security Guidance collection. Microsoft hopes that the following information will help you create a more secure and productive computing environment.

Executive Summary

As malicious software or malware becomes more evolved and sophisticated, so have the software and hardware technologies for helping to prevent malware threats and attacks.

Malware threats have been very costly for midsize businesses in both attack defense and response technologies and operations. The Internet has significantly raised the profile of external threats to midsize business environments while some of the greatest threats still continue, such as internal attacks.

Internal attacks that have the highest potential for damage result from the activities of insiders in the most trusted positions, such as network administrators. Insiders involved with malicious activities are likely to have specific goals and objectives, such as planting a Trojan horse or unauthorized file system browsing while maintaining legitimate access to the systems. More commonly, insiders do not have malicious intent but may plant malicious software by unintentionally connecting infected systems or devices to an internal network resulting in a compromise of the integrity/confidentiality of the system or by affecting system performance, availability, and/or storage capacity.

Analysis of both internal and external threats has led many midsize businesses to investigate systems that help monitor networks and detect attacks, including resources for helping to manage malware risks in real time.

Overview

This document provides information about strategies for helping to manage malware risks in midsize businesses. The document is divided into four main sections: Introduction, Definition, Challenges, and Solutions.

Definition

This section clarifies what malware is (and also what is not malware), its characteristics, and risk management.

Challenges

This section describes many of the common challenges that midsize businesses face with regard to managing malware risks, including:

Common information system assets

Common threats

Vulnerabilities

Educating end users and policies

Balancing risk management and business need

Solutions

This section provides additional information about policies, approaches, and strategies, including:

Physical and logical policies

Reactive and proactive approaches to malware and virus prevention

Strategies for helping to reduce malware

Malware risk assessment and management are also discussed in this section as part of the strategies to help prevent malware threats. This section will also provide information about monitoring and reporting tools to help scan, detect, and report malware activities.

Who Should Read This Guide

This document is primarily intended for management and IT personnel in midsize businesses to help them better understand malware threats, how to help defend against these threats, and how to respond quickly and appropriately when malware attacks occur.

HYPERLINK “http://technet.microsoft.com/en-us/library/cc875818.aspx” l “mainSection” Top Of Page

Definition

Malware is an abbreviation of the words “malicious software.” It is a collective noun that includes viruses, worms, and Trojan horses that intentionally perform malicious tasks on a computer system. Technically, malware is any malicious code.

Understanding the Different Types of Malware

The following subsections describe different malware categories.

Concealment

Trojan horse. A program that appears to be useful or harmless but that contains hidden code designed to exploit or damage the system on which it is run. Trojan horse programs (also called Trojan code) are most commonly delivered to users through e-mail messages that misrepresent the program’s purpose and function. Trojan horse programs do this by delivering a malicious payload or task when they are run.

Infectious Malware

Worm. A worm uses self-propagating malicious code that can automatically distribute itself from one computer to another through network connections. A worm can take harmful action, such as consuming network or local system resources, possibly causing a denial of service attack. Some worms can execute and spread without user intervention, while others require users to execute the worm code directly in order to spread. Worms may also deliver a payload in addition to replicating.

Virus. A virus uses code written with the express intention of replicating itself. A virus attempts to spread from computer to computer by attaching itself to a host program. It may damage hardware, software, or data. When the host is executed, the virus code also runs, infecting new hosts and sometimes delivering an additional payload.

Malware for Profit

Spyware. This type of software is sometimes referred to as spybot or tracking software. Spyware uses other forms of deceptive software and programs that conduct certain activities on a computer without obtaining appropriate consent from the user. These activities can include collecting personal information and changing Internet browser configuration settings. Beyond being an annoyance, spyware results in a variety of issues that range from degrading the overall performance of your computer to violating your personal privacy.

Web sites that distribute spyware use a variety of tricks to get users to download and install it on their computers. These tricks include creating deceptive user experiences and covertly bundling spyware with other software users might want, such as free file sharing software.

Adware. A type of advertising display software, specifically certain executable applications whose primary purpose is to deliver advertising content potentially in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions, and therefore may also be categorized as tracking technologies. Some consumers may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program, or are frustrated by its effects on system performance. Conversely, some users may wish to keep particular adware programs if their presence subsidizes the cost of a desired product or service or if they provide advertising that is useful or desired, such as ads that are competitive or complementary to what the user is looking at or searching for.

For more information, see the HYPERLINK “http://en.wikipedia.org/wiki/Malware” t “_blank” Malware topic in Wikipedia at http://en.wikipedia.org/wiki/Malware and the HYPERLINK “http://www.microsoft.com/technet/security/guidance/serversecurity/avdind_2.mspx” l “ELF” What is Malware? topic in The Antivirus Defense-in-Depth Guide at www.microsoft.com/technet/security/guidance/serversecurity/avdind_2.mspx#ELF.

Understanding Malware Behaviors

The various characteristics that each category of malware can exhibit are often very similar. For example, a virus and a worm may both use the network as a transport mechanism. However, a virus will look for files to infect while the worm will simply attempt to copy itself. The following section provides brief explanations of typical malware characteristics.

Target Environments

When malware attempts to attack a host system, a number of specific components may be required before the attack can succeed. The following components are typical examples of the types of components malware may require to launch an attack against a host:

Devices. Some malware will specifically target a device type, such as a personal computer, an Apple Macintosh computer, or even a Personal Digital Assistant (PDA). Mobile devices such as cell phones are becoming more popular target devices.

Operating systems. Malware may require a particular operating system to be effective. For example, the CIH or Chernobyl virus of the late 1990s could only attack computers running Microsoft® Windows® 95 or Windows 98. Newer operating systems are more secure. Unfortunately, malware is becoming more sophisticated as well.

Applications. Malware may require a particular application to be installed on the target computer before it can deliver a payload or replicate. For example, the LFM.926 virus of 2002 could only attack if Shockwave Flash (.swf) files could execute on the local computer.

Carrier Objects

If the malware is a virus, it will attempt to target a carrier object (also known as a host) to infect it. The number and type of targeted carrier objects varies widely among different forms of malware, but the following list provides examples of the most commonly targeted carriers:

Executable files. These carriers are the targets of the “classic” virus type that replicates by attaching itself to a host program. In addition to typical executable files that use the .exe extension, files with extensions such as the following can also be used for this purpose: .com, .sys, .dll, .ovl, .ocx, and .prg.

Scripts. Attacks that use scripts as carriers target files that use a scripting language, such as Microsoft Visual Basic® Script, JavaScript, AppleScript, or Perl Script. Extensions for files of this type include: .vbs, .js, .wsh, and .prl.

Macros. These carriers are files that support a macro scripting language of a particular application, such as a word processor, spreadsheet, or database application. For example, viruses can use the macro languages in Microsoft Word and Lotus Ami Pro to produce a number of effects, ranging from mischievous (switching words around in the document or changing colors) to malicious (formatting the computer’s hard drive).

Transport Mechanisms

An attack can use one or many different methods to try and replicate between computer systems. This section provides information about a few of the more common transport mechanisms that malware uses.

Removable media. The original and probably the most prolific transmitter of computer viruses and other malware (at least until recently) is file transfer. This mechanism started with floppy disks, then moved to networks, and is now finding new media such as Universal Serial Bus (USB) devices and Firewire. The rate of infection is not as rapid as with network-based malware, yet the threat is ever present and hard to eradicate completely because of the need to exchange data between systems.

Network shares. When computers were provided a mechanism to connect to each other directly via a network, malware writers were presented with another transport mechanism that had the potential to exceed the abilities of removable media to spread malicious code. Poorly implemented security on network shares produces an environment where malware can replicate to a large number of computers connected to the network. This method has largely replaced the manual method of using removable media.

Peer-to-peer (P2P) networks. For P2P file transfers to occur, a user must first install a client component of the P2P application that will use the network.

For additional information, see the ” HYPERLINK “http://www.microsoft.com/technet/security/guidance/serversecurity/avdind_2.mspx” l “EQAAC” Malware Characteristics” section of The Antivirus Defense in Depth Guide at www.microsoft.com/technet/security/guidance/serversecurity/avdind_2.mspx#EQAAC.

What Is Not Included in the Definition of Malware

A variety of threats exist that are not considered malware because they are not computer programs written with malicious intent. However, these threats can still have both security and financial implications for midsize businesses. The following list describes some common examples of threats that should be considered and understood when developing a comprehensive security strategy.

Joke software. Joke applications are designed to produce a smile or, at worst, a waste of someone’s time. These applications have existed for as long as people have been using computers. Because they were not developed with malicious intent and are clearly identified as jokes, they are not considered malware for the purposes of this guidance. Numerous examples of joke applications exist, producing everything from interesting screen effects to amusing animations or games.

Hoaxes. A trick message warning of a virus that doesn’t actually exist is an example of a hoax. Like some other forms of malware, hoaxes use social engineering to attempt to trick computer users into performing some act. However, there is no code to execute in a hoax; the hoaxer is usually simply trying to trick the victim. A common example of a hoax is an e-mail message or a chain-mail that claims a new virus type has been discovered and to warn friends by forwarding the message. This type of hoax message wastes people’s time, takes up e-mail server resources, and consumes network bandwidth. However, hoaxes can also cause damage if they instruct users to change computer configurations (for example, deleting registry keys or system files).

Scams. An e-mail message that attempts to trick the recipient into revealing personal information that can be used for unlawful purposes (such as bank account information) is a common example of a scam. One particular type of a scam has become known as phishing (pronounced “fishing”) and is also referred to as brand spoofing or carding.

Spam. Spam is unsolicited e-mail generated to advertise some service or product. This phenomenon is generally considered a nuisance, but spam is not malware. However, the dramatic increase in the number of spam messages being sent is a problem for the infrastructure of the Internet. Spam also causes lost productivity for employees who are forced to wade through and delete such messages every day.

Internet cookies. Internet cookies are text files that are placed on a user’s computer by Web sites that the user visits. Cookies contain and provide identifying information about the user to the Web sites that place them on the user computer, along with whatever information the sites want to retain about the user’s visit.

Cookies are legitimate tools that many Web sites use to track visitor information. Unfortunately, some Web site developers have been known to use cookies to gather information without the user’s knowledge. Some may deceive users or omit their policies. For example, they may track Web surfing habits across many different Web sites without informing the user. The site developers can then use this information to customize the advertisements the user sees on a Web site, which is considered an invasion of privacy.

For additional detailed information about malware and its characteristics, see HYPERLINK “http://www.microsoft.com/technet/security/guidance/serversecurity/avdind_0.mspx” The Antivirus Defense-in-Depth Guide on Microsoft TechNet at www.microsoft.com/technet/security/guidance/serversecurity/avdind_0.mspx.

Understanding Risk Management and Malware

Microsoft defines risk management as the process by which risks are identified and the impact of those risks determined.

Attempting to put in place a plan for security risk management can be overwhelming for midsize businesses. Possible factors may include the lack of in-house expertise, budget resources, or guidelines to outsource.

Security risk management provides a proactive approach that can assist midsize businesses in planning their strategies against malware threats.

A formal security risk management process enables midsize businesses to operate in the most cost efficient manner with a known and acceptable level of business risk. It also gives them a consistent, clear path to organize and prioritize limited resources in order to manage risk.

To facilitate the tasks of managing risks, Microsoft has developed The Security Risk Management Guide, which provides guidance about the following four processes:

Assessing risk. Identify and prioritize risks to the business.

Conducting decision support. Identify and evaluate control solutions based on a defined cost-benefit analysis process.

Implementing controls. Deploy and operate control solutions to help reduce risk to the business.

Measuring program effectiveness. Analyze the risk management process for effectiveness and verify that controls are providing the expected degree of protection.

Detailed information about this topic is beyond the scope is this paper. However, it is essential to understand the concept and processes in order to help plan, deploy, and implement a solution strategy for malware risk. The following figure shows the four primary processes of risk management.

HYPERLINK “http://technet.microsoft.com/en-us/library/Cc875818.sfmmr1_big%28l=en-us%29.gif” INCLUDEPICTURE “http://i.technet.microsoft.com/dynimg/IC226570.gif” * MERGEFORMATINET

Figure 1. The 4 primary risk management processes

For more information about risk management, see HYPERLINK “http://go.microsoft.com/fwlink/?linkid=30794” t “_blank” The Security Risk Management Guide on Microsoft TechNet at http://go.microsoft.com/fwlink/?linkid=30794.

HYPERLINK “http://technet.microsoft.com/en-us/library/cc875818.aspx” l “mainSection” Top Of Page

Challenges

Malware attacks can be mounted via different vectors or attack methods on a specific weak point. It is recommended that midsize businesses perform risk assessments that not only determine their vulnerability profiles but also help determine what level of risk is acceptable to that specific company. Midsize businesses need to develop strategies to help reduce malware risks.

Some of the challenges for reducing malware risks in a midsize business environment include:

Common information system assets.

Common threats

Vulnerabilities

User education

Balancing risk management and business needs.

Common Information System Assets

Information systems security provides essential information to help manage the security of midsize businesses. Common information system assets refer to both the physical and the logical aspects of a company. They could include servers, workstations, software, and user licenses.

Employee business contact data, mobile computers, routers, human resources data, strategic plans, internal Web sites, and employee passwords are all common information system assets. An extensive list is provided in “Appendix A: Common Information System Assets” at the end of this document.

Common Threats

Several methods through which malware can compromise midsize businesses are sometimes referred to as threat vectors, and represent the areas that require the most attention when designing an effective solution to help reduce malware risks. Common threats include natural disasters, mechanical failures, malicious persons, uninformed users, social engineering, malicious mobile code, and disgruntled employees. This wide range of threats presents challenges not only for midsize businesses but businesses of all sizes.

“Appendix B: Common Threats” at the end of this document provides an extensive list of threats that are likely to affect midsize businesses.

Vulnerabilities

Vulnerabilities represent weaknesses in IT system security procedures and policies, administrative controls, physical layout, internal controls, and other areas that could be exploited by a threat to gain unauthorized access to information or disrupt critical processing.  Vulnerabilities are both physical and logical. They include natural disaster, mechanical failures, software misconfigurations, unpatched software, and human error. “Appendix C: Vulnerabilities” at the end of this document provides an extensive list of vulnerabilities that are likely to affect midsize businesses.  

User Education

With regard to physical and logical information security, the biggest vulnerability is not necessarily the computers or software flaws but the computer users. Employees may make obtrusive errors such as typing in their passwords where others can see them, downloading and opening e-mail attachments that contain viruses, or failing to shut down their computers at night. Because human actions can greatly affect computer security, educating employees, IT staff, and management should be made a priority. Equally as important is the need for all personnel to develop good security habits. These approaches simply are more cost efficient for the business in the long run. Training should provide users with recommendations for avoiding malicious activities and should educate about potential threats and how to avoid them. Security practices that users should be aware of include the following:

Never reply to e-mail requests for financial or personal information.

Never provide passwords.

Do not open suspicious e-mail file attachments.

Do not respond to any suspicious or unwanted e-mails.

Do not install unauthorized applications.

Lock their computers when they are not actively using them by by password-protecting the screen saver or through the CTRL-ALT-DELETE dialog box.

Enable a firewall.

Use strong passwords on their remote computers.

Policies

Written policies and accepted procedures are a necessity for helping to enforce the security practices. To be effective, all IT policies should include the support of upper management and provide an enforcement mechanism, a way to inform users, and a way to educate users. Example policies might address the following topics:

How to detect malware on a computer.

How to report suspected infections.

What users can do to assist incident handlers such as the last action a user did before the system became infected.

Processes, and procedures to mitigate operating system and application vulnerabilities that malware might exploit.

Patch management, application of security configuration guides and checklists.

Balancing Risk Management and Business Needs

Investing in a risk management process helps prepare midsize businesses to articulate priorities, plan to mitigate threats, and address the next threat or vulnerability to the business.

Budget constraints may dictate IT security spending but a well-structured risk management methodology, when used effectively, can help management identify appropriate controls for providing the mission-essential security capabilities.

Midsize business must weigh the delicate balance between risk management and their business needs. The following questions may be helpful when balancing risk management and business needs:

Should the company configure its systems itself or should it be done by the hardware/software supplier? What would be the cost?

Should you use load balancing or clustering as mechanisms to ensure high availability of applications? What does it take to put these mechanisms in place?

Do you need alarm system for your server room?

Should you use electronic key systems for the building or the server room?

What is the company’s budget for computer systems?

What is the company’s budget for technology support and maintenance?

How much money would you estimate your company has spent on your computer systems (hardware /software maintenance) in last year?

How many computers are in the main site of your company? Do you have an inventory of computer hardware and software?

Are your older systems powerful enough to run most of the software you need to run?

How many new or upgraded computers would you estimate you need? How many would be optimum?

Does each user have to have a printer?

For more detail information on risk management, refer to the HYPERLINK “http://go.microsoft.com/fwlink/?linkid=30794” t “_blank” Security Risk Management Guide at http://go.microsoft.com/fwlink/?linkid=30794.

HYPERLINK “http://technet.microsoft.com/en-us/library/cc875818.aspx” l “mainSection” Top Of Page

Solutions

This section explains different strategies for helping to manage malware risks, including reactive and proactive approaches to malware, physical, and logical policies. Validation methods such reporting tools and monitoring will be discussed as well.

Developing Strategies for Reducing Malware

When developing strategies to help reduce malware, it is important to define necessary operational key points where malware detection and/or prevention can be implemented. When it comes to managing malware risk, a single device or technology should not be solely relied upon as the only line of defense. Preferred methods should include a layered approach using proactive and reactive mechanisms throughout the network. Antivirus software plays a key role in this area; however, it should not be the only instrument used to determine malware attacks. For further detailed information on layered approach, refer to the section titled ” HYPERLINK “http://www.microsoft.com/technet/security/guidance/serversecurity/avdind_3.mspx” l “E1F” The Malware Defense Approach” in The Antivirus Defense-in-Depth Guide at www.microsoft.com/technet/security/guidance/serversecurity/avdind_3.mspx#E1F.

The following operational key points are discussed further in detail:

Assessing malware risks

Physical security

Logical security

Proactive vs. reactive policies and procedures

Deployment and management

Assessing Malware Risks

When assessing malware risks, midsize businesses need to be mindful of the attack vectors that are most vulnerable to threats. How are they protected and to what extent? The following questions should be considered:

Does the company have a firewall installed?

Firewalls are an important part of perimeter defense. A network firewall commonly serves as a primary line of defense against external threats to an organization’s computer systems, networks, and critical information. Midsize businesses should have some sort of firewalls implemented be it software or hardware firewalls.

Does the company have internal or external vulnerability scan analysis capability? How is the scanned information analyzed?

A tool such as the Microsoft Baseline Security Analyzer (MBSA) is recommended for scanning for misconfigurations or vulnerabilities. It is also possible to outsource the security vulnerability testing process by hiring outside vendors to assess the security environment and provide suggestions for improvement where deemed necessary.

Note   MBSA is an easy-to-use tool designed for the IT professional that helps small and medium-sized businesses determine their security state in accordance with Microsoft security recommendations. It also offers specific remediation guidance. Improve your security management process by using MBSA to help detect common security misconfigurations and missing security updates on your computer systems.

Is there a backup and recovery assessment plan in place?

Ensure that there are backup plans and that the backup server is working effectively.

How many kinds of antivirus software does the company have? Is antivirus software installed on all systems?

Reliance on a single antivirus platform may expose a company to risks, because each package has its own strengths and weaknesses.

Does the company have a wireless network implemented? If so, is the security on the wireless network enabled and properly configured?

Even if a wired network is completely secured, an unsecured wireless network can introduce an unacceptable level of risk in an otherwise secure environment. Old wireless standards, such as WEP, are easily compromised, so research should be done to ensure that the most appropriate wireless security solution is in place.

Are the employees trained about how to prevent malware? Are they educated about the topic of malware risks?

The most common form of malware propagation involves some form of social engineering and the most effective defense against social engineering threats is education.

Is there a written policy in place about how to prevent or handle malware threats? How often is the policy reviewed? Is it enforced? How well do staff adhere to this policy?

Ensure that users are trained on how to avoid malware threats and malware prevention. It’s very important to have all of this information documented; written policy pertinent to the above information and procedures should exist and be reinforced. Reviews of this policy should be conducted whenever changes occur to ensure the effectiveness and the validity of stated policies.

Physical Security

Physical security entails restricting access to equipment for the purposes of preventing tampering, theft, human error, and the subsequent downtime caused by these actions.

Although physical security is more of a general security issue than a specific malware problem, it is impossible to protect against malware without an effective physical defense plan for all client, server, and network devices within an organization’s infrastructure.

The following list includes critical elem