- Number of slides: 16

Eaten by the Worms
The perils of network hostile code
Dr Neil Barrett
Technical Director - IRM Plc
27th September 2001 – Hong Kong
© IRM Plc 2001 Slide 1

Introduction
• Nature and development of Computer Worms
• Risk elements and damage potential
• Responses and preparation work
• Future of worms
• Conclusion

What is a Computer Worm?
• A self-replicating program
• Copies itself from system to system
• Free-standing and complete
• Not really a virus
• But can carry a hostile ‘Payload’

Where did Worms come from?
• Self-replicating programs in early 1984
• By mid 1984 had become network mobile
• First viruses start to be proposed
• By 1985, self-replicating programs through trust networks
• Hostile viruses arise
• And then along came Robert Morris Jnr…

The Morris Worm - 1988
• First true ‘Exploit Worm’
• Used a security weakness to force replication
  – I.e., outside of the trust network
• Also followed trust network, but interest is in the exploit aspects
• Used a then new trick called ‘Buffer Overflows’

The Morris Worm (2)
• Buffer overflows first proposed by Morris Snr
• Now well known, but then very new
• Allowed worm to be an ‘automated hacker’
• Did nothing deliberately damaging
  – Indeed, believed to have been loosed accidentally
• But resulted in system flooding

Worms since Morris
• Took a few years for subsequent worms
• More interest in viruses
• Worms scripted to use emerging exploits
  – E.g., Word macro, Unicode, etc
• Slowly became objective focused

Development of Worms
• Most early worms achieved no objective
• Damage resulted from flooding or from panic
• Solitary objective was self-propagation
• More recent worms grab and copy some information
  – E.g., PGP information
• Some military use of focused worms

How do Modern Worms Work?
• E.g., NIMDA spread from server to server through Web exploits
• Spread from client to client through executables
  – I.e., persuasive mail attachments
• Potential for uncontrollable executables
  – I.e., Web pages, Outlook preview panel, etc

Risk Elements and Damage Potential
• Essentially threefold
• Flooding and related panic behavior
  – System shutdown and associated costs
• Or information leakage
  – Leakage is so far only limited
• Or a set of destructive payloads
  – I.e., resetting BIOS and system information

How Great a Risk?
• Reputation, financial, security risks
• Damage, disclosure or distrust of stored information
• Costs of repair or of business loss
• Reputation risks depend on worm publicity profile
  – I.e., wide spreading worm carries low reputation risk

Countermeasures
• Best approach is to know one’s exposure
• Not virus related
• But hacker related
• Best option is to have had focused, audit-based penetration testing
  – Because worms now use well-known hacking tricks
  – These can be looked for and removed

Countermeasures (2)
• Constant system monitoring and correction of known existing weaknesses
• A culture of security awareness
  – Limits executable tricks
• An alert system management staff
  – That are a part of the ‘community’
• No ‘Head in the Sand’ attitude
  – Share information and experiences

Future
• No reason at all to believe that worms will stop!
• Increasing sophistication
  – More clever option controls
  – Multiple exploit selection
  – Multi-platform and multi-environment
• Increasing incidence of hostile intent
• Growth into non-IP environment
  – Mobile phones? PDA?

Conclusion
• Best defense comes from knowledge
• Knowledge comes from testing
• Correct the faults shown through testing
• Share information with others
• Don’t expect this problem to go away!

Thank You!
• Dr Neil Barrett
  Technical Director – IRM Plc
  Tel: +44 (0) 20 7808 6420
  ‘Neil.Barrett@IRMPLC.com’
• Richard Stagg
  Managing Consultant – IRM Asia
  Level 30 Bank of China Tower
  Tel: 2251 8291
  ‘Richard.Stagg@IRMPLC.com’