1
Database and Cloud Security
Chapter 5

This chapter looks at the unique security issues that relate to databases. The focus of this chapter is on relational database management systems (RDBMS). The relational approach dominates industry, government, and research sectors and is likely to do so for the foreseeable future. We begin with an overview of the need for database-specific security techniques. Then we provide a brief introduction to database management systems, followed by an overview of relational databases. Next, we look at the issue of database access control, followed by a discussion of the inference threat. Then we examine security issues for statistical databases. Next, we examine database encryption. Finally, we examine the issues raised by the use of cloud technology.
2
Lab Recap
1. Linux & Pen Testing Environment Basics
  1.1 Finding your way around Kali
  1.2 Linux Basic & Linux Services
    1.2.1 Linux basic commands
    1.2.2 Text viewers and editors for Linux Newbies
    1.2.3 SSHD
    1.2.4 Apache
  1.3 Parsing with Grep
    1.3.1 Sample Solution
  1.4 Netcat
    1.4.1 Connecting to a TCP/UDP port with Netcat
    1.4.2 Listening on a TCP/UDP port with Netcat
    1.4.3 Transferring files with Netcat
    1.4.4 Remote Administration with Netcat – Bind Shell
  1.5 Wireshark for Sniffing Packets
    • Wireshark & Packet Sniffing Background
    • Wireshark Step by Step
  1.6 Cross-site scripting
    • A basic example
    • Persistent XSS payload
    • Reflected XSS
    • Preventing XSS Attacks
  1.7 Creating a Keylogger to Snoop (on your home PC)
3
Security News
4
Databases
• Structured collection of data stored for use by one or more applications
• Contains the relationships between data items and groups of data items
• Can sometimes contain sensitive data that needs to be secured

Database management system (DBMS)
• Suite of programs for constructing and maintaining the database
• Offers ad hoc query facilities to multiple users and applications

Query language
• Provides a uniform interface to the database

Organizational databases tend to concentrate sensitive information in a single logical system. Examples include:
• Corporate financial data
• Confidential phone records
• Customer and employee information, such as name, Social Security number, bank account information, credit card information
• Proprietary product information
• Health care information and medical records

For many businesses and other organizations, it is important to be able to provide customers, partners, and employees with access to this information. But such information can be targeted by internal and external threats of misuse or unauthorized change. Accordingly, security specifically tailored to databases is an increasingly important component of an overall organizational security strategy.

In some cases, an organization can function with a relatively simple collection of files of data. Each file may contain text (e.g., copies of memos and reports) or numerical data (e.g., spreadsheets). A more elaborate file consists of a set of records. However, for an organization of any appreciable size, a more complex structure known as a database is required. A database is a structured collection of data stored for use by one or more applications. In addition to data, a database contains the relationships between data items and groups of data items.

As an example of the distinction between data files and a database, consider the following. A simple personnel file might consist of a set of records, one for each employee. Each record gives the employee’s name, address, date of birth, position, salary, and other details needed by the personnel department. A personnel database includes a personnel file, as just described. It may also include a time and attendance file, showing for each week the hours worked by each employee. With a database organization, these two files are tied together so that a payroll program can extract the information about time worked and salary for each employee to generate paychecks.

Accompanying the database is a database management system (DBMS), which is a suite of programs for constructing and maintaining the database and for offering ad hoc query facilities to multiple users and applications. A query language provides a uniform interface to the database for users and applications.
5
Figure 5.1 provides a simplified block diagram of a DBMS architecture. Database designers and administrators make use of a data definition language (DDL) to define the database logical structure and procedural properties, which are represented by a set of database description tables. A data manipulation language (DML) provides a powerful set of tools for application developers. Query languages are declarative languages designed to support end users. The database management system makes use of the database description tables to manage the physical database. The interface to the database is through a file manager module and a transaction manager module. In addition to the database description table, two other tables support the DBMS. The DBMS uses authorization tables to ensure the user has permission to execute the query language statement on the database. The concurrent access table prevents conflicts when simultaneous, conflicting commands are executed.

Database systems provide efficient access to large volumes of data and are vital to the operation of many organizations. Because of their complexity and criticality, database systems generate security requirements that are beyond the capability of typical OS-based security mechanisms or stand-alone security packages. Operating system security mechanisms typically control read and write access to entire files. So they could be used to allow a user to read or to write any information in, for example, a personnel file. But they could not be used to limit access to specific records or fields in that file. A DBMS typically does allow this type of more detailed access control to be specified. It also usually enables access controls to be specified over a wider range of commands, such as to select, insert, update, or delete specified items in the database. Thus, security services and mechanisms are needed that are designed specifically for, and integrated with, database systems.
6
Relational Databases
• Table of data consisting of rows and columns
• Each column holds a particular type of data
• Each row contains a specific value for each column
• Ideally has one column where all values are unique, forming an identifier/key for that row
• Enables the creation of multiple tables linked together by a unique identifier that is present in all tables
• Use a relational query language to access the database
• Allows the user to request data that fit a given set of criteria

The basic building block of a relational database is a table of data, consisting of rows and columns, similar to a spreadsheet. Each column holds a particular type of data, while each row contains a specific value for each column. Ideally, the table has at least one column in which each value is unique, thus serving as an identifier for a given entry. For example, a typical telephone directory contains one entry for each subscriber, with columns for name, telephone number, and address. Such a table is called a flat file because it is a single two-dimensional (rows and columns) file. In a flat file, all of the data are stored in a single table. For the telephone directory, there might be a number of subscribers with the same name, but the telephone numbers should be unique, so that the telephone number serves as a unique identifier for a row. However, two or more people sharing the same phone number might each be listed in the directory. To continue to hold all of the data for the telephone directory in a single table and to provide for a unique identifier for each row, we could require a separate column for secondary subscriber, tertiary subscriber, and so on. The result would be that for each telephone number in use, there is a single entry in the table.

The drawback of using a single table is that some of the column positions for a given row may be blank (not used). Also, any time a new service or new type of information is incorporated in the database, more columns must be added and the database and accompanying software must be redesigned and rebuilt.
The relational database structure enables the creation of multiple tables tied together by a unique identifier that is present in all tables. Users and applications use a relational query language to access the database. The query language uses declarative statements rather than the procedural instructions of a programming language. In essence, the query language allows the user to request selected items of data from all records that fit a given set of criteria. The software then figures out how to extract the requested data from one or more tables. For example, a telephone company representative could retrieve a subscriber’s billing information as well as the status of special services or the latest payment received, all displayed on one screen.
7
Figure 5.2 shows how new services and features can be added to the telephone database without reconstructing the main table. In this example, there is a primary table with basic information for each telephone number. The telephone number serves as a primary key. The database administrator can then define a new table with a column for the primary key and other columns for other information.
8
Relational Database Elements
Primary key
• Uniquely identifies a row
• Consists of one or more column names

Foreign key
• Links one table to attributes in another

View/virtual table
• Result of a query that returns selected rows and columns from one or more tables

In relational database parlance, the basic building block is a relation, which is a flat table. Rows are referred to as tuples, and columns are referred to as attributes. A primary key is defined to be a portion of a row used to uniquely identify a row in a table; the primary key consists of one or more column names. In the example of Figure 5.2, a single attribute, PhoneNumber, is sufficient to uniquely identify a row in a particular table.

To create a relationship between two tables, the attributes that define the primary key in one table must appear as attributes in another table, where they are referred to as a foreign key. Whereas the value of a primary key must be unique for each tuple (row) of its table, a foreign key value can appear multiple times in a table, so that there is a one-to-many relationship between a row in the table with the primary key and rows in the table with the foreign key.

A view is a virtual table. In essence, a view is the result of a query that returns selected rows and columns from one or more tables. Views are often used for security purposes. A view can provide restricted access to a relational database so that a user or application only has access to certain rows or columns.
9
Basic Terminology for Relational Databases
Table 5.1 Basic Terminology for Relational Databases
10
An abstract model of a relational database table is shown as Figure 5.3. There are $N$ individuals, or entities, in the table and $M$ attributes. Each attribute $A_j$ has $|A_j|$ possible values, with $x_{ij}$ denoting the value of attribute $j$ for entity $i$.
11
Figure 5.4a provides an example. In the Department table, the department ID (Did) is the primary key; each value is unique. This table gives the ID, name, and account number for each department. The Employee table contains the name, salary code, employee ID, and phone number of each employee. The Employee table also indicates the department to which each employee is assigned by including Did. Did is identified as a foreign key and provides the relationship between the Employee table and the Department table.

Figure 5.4b is a view that includes the employee name, ID, and phone number from the Employee table and the corresponding department name from the Department table. The linkage is the Did, so that the view table includes data from each row of the Employee table, with additional data from the Department table. It is also possible to construct a view from a single table. For example, one view of the Employee table consists of all rows, with the salary code column deleted. A view can be qualified to include only some rows and/or some columns. For example, a view can be defined consisting of all rows in the Employee table for which the Did = 15.
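The three views just described can be built and checked with Python's built-in sqlite3 module. This is an added example, not part of the original slides: only Did comes from the text, while the other column names, the view names, and the sample rows are constructed assumptions.

```python
import sqlite3

# Column names other than Did, and all view names, are assumptions.
SCHEMA = """
CREATE TABLE Department (
    Did     INTEGER PRIMARY KEY,          -- primary key: unique per department
    Dname   TEXT NOT NULL,
    Dacctno INTEGER NOT NULL
);
CREATE TABLE Employee (
    Eid        INTEGER PRIMARY KEY,
    Ename      TEXT NOT NULL,
    SalaryCode INTEGER NOT NULL,
    Ephone     TEXT NOT NULL,
    Did        INTEGER NOT NULL REFERENCES Department(Did)  -- foreign key
);
-- View over two tables, linked on Did (the Figure 5.4b shape).
CREATE VIEW EmployeeDirectory AS
    SELECT Ename, Eid, Ephone, Dname
    FROM Employee JOIN Department USING (Did);
-- Single-table view: all rows, salary code column removed.
CREATE VIEW EmployeeNoSalary AS
    SELECT Ename, Eid, Ephone, Did FROM Employee;
-- Row-qualified view: only employees of department 15.
CREATE VIEW Dept15Employees AS
    SELECT * FROM Employee WHERE Did = 15;
"""

def build_db():
    """Create the in-memory database and load constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")   # SQLite enforces FKs only when asked
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO Department VALUES (?, ?, ?)",
                   [(4, "human resources", 1001), (15, "services", 1002)])
    db.executemany(
        "INSERT INTO Employee (Eid, Ename, SalaryCode, Ephone, Did) VALUES (?, ?, ?, ?, ?)",
        [(2345, "Robin", 23, "555-0101", 15),
         (5088, "Neil", 12, "555-0102", 15),
         (7712, "Jasmine", 26, "555-0103", 4)])
    db.commit()
    return db

def view_columns(db, relation):
    """Column names exposed by a table or view (relation is a fixed name, never user input)."""
    return [d[0] for d in db.execute(f"SELECT * FROM {relation} LIMIT 0").description]

def salary_visible_through(db, relation):
    """True if SalaryCode can be selected through the given table or view."""
    try:
        db.execute(f"SELECT SalaryCode FROM {relation}")
        return True
    except sqlite3.OperationalError:         # "no such column: SalaryCode"
        return False

def fk_rejects_unknown_department(db):
    """True if an Employee row pointing at a nonexistent Did is refused."""
    try:
        db.execute("INSERT INTO Employee (Eid, Ename, SalaryCode, Ephone, Did) "
                   "VALUES (9999, 'Test', 1, '555-0199', 99)")
    except sqlite3.IntegrityError:
        return True
    db.rollback()
    return False

if __name__ == "__main__":
    db = build_db()
    for view in ("EmployeeDirectory", "EmployeeNoSalary", "Dept15Employees"):
        print(view, view_columns(db, view), db.execute(f"SELECT * FROM {view}").fetchall())
    print("salary visible via EmployeeNoSalary:", salary_visible_through(db, "EmployeeNoSalary"))
    print("unknown Did rejected:", fk_rejects_unknown_department(db))
```

SQLite has no user accounts, so the views here only show what each view exposes. On a multi-user DBMS the restriction takes effect when users are granted access to the view and not to the underlying Employee table.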
12
Structured Query Language (SQL)
• Standardized language to define schema, manipulate, and query data in a relational database
• Several similar versions of ANSI/ISO standard
• All follow the same basic syntax and semantics
• SQL statements can be used to:
  • Create tables
  • Insert and delete data in tables
  • Create views
  • Retrieve data with query statements

Structured Query Language (SQL) is a standardized language that can be used to define schema, manipulate, and query data in a relational database. There are several versions of the ANSI/ISO standard and a variety of different implementations, but all follow the same basic syntax and semantics. SQL statements can be used to create tables, insert and delete data in tables, create views, and retrieve data with query statements.
13
SQL Injection Attacks (SQLi)
• One of the most prevalent and dangerous network-based security threats
• Designed to exploit the nature of Web application pages
• Sends malicious SQL commands to the database server
• Most common attack goal is bulk extraction of data
• Depending on the environment, SQL injection can also be exploited to:
  • Modify or delete data
  • Execute arbitrary operating system commands
  • Launch denial-of-service (DoS) attacks

The SQL injection (SQLi) attack is one of the most prevalent and dangerous network-based security threats. Consider the following reports:
1. The July 2013 Imperva Web Application Attack Report [IMPE13] surveyed a cross-section of Web application servers in industry and monitored eight different types of common attacks. The report found that SQLi attacks ranked first or second in total number of attack incidents, the number of attack requests per attack incident, and average number of days per month that an application experienced at least one attack incident. Imperva observed a single Web site that received 94,057 SQL injection attack requests in one day.
2. The Open Web Application Security Project’s 2013 report [OWAS13] on the ten most critical Web application security risks listed injection attacks, especially SQLi attacks, as the top risk. This ranking is unchanged from its 2010 report.
3. The Veracode 2013 State of Software Security Report [VERA13] found that the percentage of applications affected by SQLi attacks is around 32% and that SQLi attacks account for 26% of all reported breaches. Veracode also considers this among the most dangerous threats, reporting that three of the biggest SQL injection attacks in 2012 resulted in millions of addresses, user names, and passwords being exposed and damaged the respective brands.
4. The Trustwave 2013 Global Security Report [TRUS13] lists SQLi attacks as one of the top two intrusion techniques. The report notes that poor coding practices have allowed the SQL injection attack vector to remain on the threat landscape for more than 15 years, but that proper programming and security measures can prevent these attacks.

In general terms, an SQLi attack is designed to exploit the nature of Web application pages. In contrast to the static Web pages of years gone by, most current Web sites have dynamic components and content. Many such pages ask for information, such as location, personal identity information, and credit card information. This dynamic content is usually transferred to and from back-end databases that contain volumes of information—anything from cardholder data to which type of running shoes is most purchased. An application server Web page will make SQL queries to databases to send and receive information critical to making a positive user experience.

In such an environment, an SQLi attack is designed to send malicious SQL commands to the database server. The most common attack goal is bulk extraction of data. Attackers can dump database tables with hundreds of thousands of customer records. Depending on the environment, SQL injection can also be exploited to modify or delete data, execute arbitrary operating system commands, or launch denial-of-service (DoS) attacks.
14
SQLi is an attack that exploits a security vulnerability occurring in the database layer of an application (such as queries). Using SQL injection, the attacker can extract or manipulate the web application’s data. The attack is viable when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed, and thereby unexpectedly executed.

Figure 5.5, from [ACUN13], is a typical example of an SQLi attack. The steps involved are as follows:
1. Hacker finds a vulnerability in a custom Web application and injects an SQL command to a database by sending the command to the Web server. The command is injected into traffic that will be accepted by the firewall.
2. The Web server receives the malicious code and sends it to the Web application server.
3. The Web application server receives the malicious code from the Web server and sends it to the database server.
4. The database server executes the malicious code on the database. The database returns data from credit cards table.
5. The Web application server dynamically generates a page with data including credit card details from the database.
6. The Web server sends the credit card details to the hacker.
15
Injection Technique

The SQLi attack typically works by prematurely terminating a text string and appending a new command. Because the inserted command may have additional strings appended to it before it is executed, the attacker terminates the injected string with a comment mark “--”. Subsequent text is ignored at execution time.
16
SQLi Attack Avenues
• User input: Attackers inject SQL commands by providing suitable crafted user input
• Server variables: Attackers can forge the values that are placed in HTTP and network headers and exploit this vulnerability by placing data directly into the headers
• Second-order injection: A malicious user could rely on data already present in the system or database to trigger an SQL injection attack, so when the attack occurs, the input that modifies the query to cause an attack does not come from the user, but from within the system itself
• Cookies: An attacker could alter cookies such that when the application server builds an SQL query based on the cookie’s content, the structure and function of the query is modified
• Physical user input: Applying user input that constructs an attack outside the realm of web requests

We can characterize SQLi attacks in terms of the avenue of attack and the type of attack [CHAN11, HALF06]. The main avenues of attack are as follows:
• User input: In this case, attackers inject SQL commands by providing suitably crafted user input. A Web application can read user input in several ways based on the environment in which the application is deployed. In most SQLi attacks that target Web applications, user input typically comes from form submissions that are sent to the Web application via HTTP GET or POST requests. Web applications are generally able to access the user input contained in these requests as they would access any other variable in the environment.
• Server variables: Server variables are a collection of variables that contain HTTP headers, network protocol headers, and environmental variables. Web applications use these server variables in a variety of ways, such as logging usage statistics and identifying browsing trends. If these variables are logged to a database without sanitization, this could create an SQL injection vulnerability. Because attackers can forge the values that are placed in HTTP and network headers, they can exploit this vulnerability by placing data directly into the headers. When the query to log the server variable is issued to the database, the attack in the forged header is then triggered.
• Second-order injection: Second-order injection occurs when incomplete prevention mechanisms against SQL injection attacks are in place. In second-order injection, a malicious user could rely on data already present in the system or database to trigger an SQL injection attack, so when the attack occurs, the input that modifies the query to cause an attack does not come from the user, but from within the system itself.
• Cookies: When a client returns to a Web application, cookies can be used to restore the client’s state information. Because the client has control over cookies, an attacker could alter cookies such that when the application server builds an SQL query based on the cookie’s content, the structure and function of the query is modified.
• Physical user input: SQL injection is possible by supplying user input that constructs an attack outside the realm of web requests. This user input could take the form of conventional barcodes, RFID tags, or even paper forms which are scanned using optical character recognition and passed to a database management system.
17
Inband Attacks
• Uses the same communication channel for injecting SQL code and retrieving results
• The retrieved data are presented directly in the application Web page
• Include:
  • Tautology: This form of attack injects code in one or more conditional statements so that they always evaluate to true
  • End-of-line comment: After injecting code into a particular field, legitimate code that follows is nullified through usage of end-of-line comments
  • Piggybacked queries: The attacker adds additional queries beyond the intended query, piggy-backing the attack on top of a legitimate request

Attack types can be grouped into three main categories: inband, inferential, and out-of-band. An inband attack uses the same communication channel for injecting SQL code and retrieving results. The retrieved data are presented directly in the application Web page. Inband attack types include the following:
• Tautology: This form of attack injects code in one or more conditional statements so that they always evaluate to true.
• End-of-line comment: After injecting code into a particular field, legitimate code that follows is nullified through usage of end-of-line comments. An example would be to add “--” after inputs so that remaining queries are not treated as executable code, but comments. The preceding tautology example is also of this form.
• Piggybacked queries: The attacker adds additional queries beyond the intended query, piggy-backing the attack on top of a legitimate request. This technique relies on server configurations that allow several different queries within a single string of code. The example in the preceding section is of this form.
18
Inferential Attack
• There is no actual transfer of data, but the attacker is able to reconstruct the information by sending particular requests and observing the resulting behavior of the Website/database server
• Include:
  • Illegal/logically incorrect queries: This attack lets an attacker gather important information about the type and structure of the backend database of a Web application. The attack is considered a preliminary, information-gathering step for other attacks
  • Blind SQL injection: Allows attackers to infer the data present in a database system even when the system is sufficiently secure to not display any erroneous information back to the attacker

With an inferential attack, there is no actual transfer of data, but the attacker is able to reconstruct the information by sending particular requests and observing the resulting behavior of the Website/database server. Inferential attack types include the following:
• Illegal/logically incorrect queries: This attack lets an attacker gather important information about the type and structure of the backend database of a Web application. The attack is considered a preliminary, information-gathering step for other attacks. The vulnerability leveraged by this attack is that the default error page returned by application servers is often overly descriptive. In fact, the simple fact that an error message is generated can often reveal vulnerable/injectable parameters to an attacker.
• Blind SQL injection: Blind SQL injection allows attackers to infer the data present in a database system even when the system is sufficiently secure to not display any erroneous information back to the attacker. The attacker asks the server true/false questions. If the injected statement evaluates to true, the site continues to function normally. If the statement evaluates to false, although there is no descriptive error message, the page differs significantly from the normally functioning page.
19
Out-of-Band Attack

In an out-of-band attack, data are retrieved using a different channel (e.g., an email with the results of the query is generated and sent to the tester). This can be used when there are limitations on information retrieval, but outbound connectivity from the database server is lax.
20
SQLi Countermeasures

Three types:
• Defensive coding
  • Manual defensive coding practices
  • Parameterized query insertion
  • SQL DOM
• Detection
  • Signature based
  • Anomaly based
  • Code analysis
• Run-time prevention
  • Check queries at runtime to see if they conform to a model of expected queries

Because SQLi attacks are so prevalent, damaging, and varied both by attack avenue and type, a single countermeasure is insufficient. Rather, an integrated set of techniques is necessary. In this section, we provide a brief overview of the types of countermeasures that are in use or being researched, using the classification in [SHAR13]. These countermeasures can be classified into three types: defensive coding, detection, and run-time prevention.

Many SQLi attacks succeed because developers have used insecure coding practices. Thus, defensive coding is an effective way to dramatically reduce the threat from SQLi. Examples of defensive coding include the following:
• Manual defensive coding practices: A common vulnerability exploited by SQLi attacks is insufficient input validation. The straightforward solution for eliminating these vulnerabilities is to apply suitable defensive coding practices. An example is input type checking, to check that inputs that are supposed to be numeric contain no characters other than digits. This type of technique can avoid attacks based on forcing errors in the database management system. Another type of coding practice is one that performs pattern matching to try to distinguish normal input from abnormal input.
• Parameterized query insertion: This approach attempts to prevent SQLi by allowing the application developer to more accurately specify the structure of an SQL query, and pass the value parameters to it separately such that any unsanitary user input is not allowed to modify the query structure.
• SQL DOM: SQL DOM is a set of classes that enables automated data type validation and escaping [MCCL05]. This approach uses encapsulation of database queries to provide a safe and reliable way to access databases. This changes the query-building process from an unregulated one that uses string concatenation to a systematic one that uses a type-checked API. Within the API, developers are able to systematically apply coding best practices such as input filtering and rigorous type checking of user input.

A variety of detection methods have been developed, including the following:
• Signature based: This technique attempts to match specific attack patterns. Such an approach must be constantly updated and may not work against self-modifying attacks.
• Anomaly based: This approach attempts to define normal behavior and then detect behavior patterns outside the normal range. A number of approaches have been used. In general terms, there is a training phase, in which the system learns the range of normal behavior, followed by the actual detection phase.
• Code analysis: Code analysis techniques involve the use of a test suite to detect SQLi vulnerabilities. The test suite is designed to generate a wide range of SQLi attacks and assess the response of the system.

Finally, a number of run-time prevention techniques have been developed as SQLi countermeasures. These techniques check queries at runtime to see if they conform to a model of expected queries. Various automated tools are available for this purpose [CHAN12, SHAR13].
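The following added example (not from the original slides) puts three of these countermeasures side by side using Python's sqlite3 module: a concatenated query next to its parameterized form, input type checking for a numeric field, and a simple run-time check that compares a query's structure with an expected model. The users table, the function names, and the sample input are constructed assumptions, and the structure check is a simplified illustration rather than any of the cited tools.

```python
import re
import sqlite3

# Constructed sample input: ends the string literal early, adds a condition
# that is always true, and comments out whatever the application appends.
INJECTED = "' OR 1=1 --"

def make_db():
    """In-memory database with a hypothetical users table (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users (name, secret) VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret")])
    return db

def build_query_concat(name):
    """Insecure practice kept for comparison: input is concatenated into the SQL text."""
    return "SELECT name, secret FROM users WHERE name = '" + name + "'"

def lookup_vulnerable(db, name):
    return db.execute(build_query_concat(name)).fetchall()

def lookup_parameterized(db, name):
    """Parameterized query: the structure is fixed and the value is bound separately."""
    return db.execute("SELECT name, secret FROM users WHERE name = ?", (name,)).fetchall()

def lookup_by_id(db, raw_id):
    """Input type checking: a numeric field may contain ASCII digits only."""
    if not re.fullmatch(r"[0-9]+", raw_id):
        raise ValueError("id must be numeric")
    return db.execute("SELECT name FROM users WHERE id = ?", (int(raw_id),)).fetchall()

# Tokens: quoted string, end-of-line comment, number, word, any other symbol.
TOKEN = re.compile(r"'(?:[^']|'')*'|--[^\n]*|\d+|\w+|[^\s\w]")

def skeleton(query):
    """Reduce a query to its structure: literals become '?', comments a marker."""
    out = []
    for tok in TOKEN.findall(query):
        if tok.isdigit() or (len(tok) > 1 and tok[0] == "'"):
            out.append("?")
        elif tok.startswith("--"):
            out.append("<comment>")
        else:
            out.append(tok.upper())
    return out

# Model of the expected query, learned from one benign instance.
EXPECTED = skeleton(build_query_concat("placeholder"))

def conforms(query):
    """Run-time check: does this query have the structure the application intends?"""
    return skeleton(query) == EXPECTED

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_vulnerable(db, INJECTED))      # every row comes back
    print("parameterized:", lookup_parameterized(db, INJECTED))   # no row matches
    print("benign conforms  :", conforms(build_query_concat("alice")))
    print("injected conforms:", conforms(build_query_concat(INJECTED)))
```

The structure check also rejects a legitimate name that contains a quote when it is fed the concatenated query, which is one reason it complements parameterized queries and does not replace them.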
21
Database Access Control
Commercial and open-source DBMSs typically provide an access control capability for the database. The DBMS operates on the assumption that the computer system has authenticated each user. As an additional line of defense, the computer system may use the overall access control system described in Chapter 4 to determine whether a user may have access to the database as a whole. For users who are authenticated and granted access to the database, a database access control system provides a specific capability that controls access to portions of the database.
Commercial and open-source DBMSs provide discretionary or role-based access control. We defer a discussion of mandatory access control considerations to Chapter 13. Typically, a DBMS can support a range of administrative policies, including the following:
• Centralized administration: A small number of privileged users may grant and revoke access rights.
• Ownership-based administration: The owner (creator) of a table may grant and revoke access rights to the table.
• Decentralized administration: In addition to granting and revoking access rights to a table, the owner of the table may grant and revoke authorization rights to other users, allowing them to grant and revoke access rights to the table.
As with any access control system, a database access control system distinguishes different access rights, including create, insert, delete, update, read, and write. Some DBMSs provide considerable control over the granularity of access rights. Access rights can be to the entire database, to individual tables, or to selected rows or columns within a table. Access rights can be determined based on the contents of a table entry. For example, in a personnel database, some users may be limited to seeing salary information only up to a certain maximum value. And a department manager may only be allowed to view salary information for employees in his or her department.
22
SQL Access Controls
SQL provides two commands for managing access rights, GRANT and REVOKE. For different versions of SQL, the syntax is slightly different. In general terms, the GRANT command has the following syntax:
GRANT { privileges | role } [ON table] TO { user | role | PUBLIC } [IDENTIFIED BY password] [WITH GRANT OPTION]
This command can be used to grant one or more access rights or can be used to assign a user to a role. For access rights, the command can optionally specify that it applies only to a specified table. The TO clause specifies the user or role to which the rights are granted. A PUBLIC value indicates that any user has the specified access rights. The optional IDENTIFIED BY clause specifies a password that must be used to revoke the access rights of this GRANT command. The GRANT OPTION indicates that the grantee can grant this access right to other users, with or without the grant option.
As a simple example, consider the following statement.
GRANT SELECT ON ANY TABLE TO ricflair
This statement enables user ricflair to query any table in the database.
Different implementations of SQL provide different ranges of access rights. The following is a typical list:
• Select: Grantee may read entire database; individual tables; or specific columns in a table.
• Insert: Grantee may insert rows in a table; or insert rows with values for specific columns in a table.
• Update: Semantics is similar to INSERT.
• Delete: Grantee may delete rows from a table.
• References: Grantee is allowed to define foreign keys in another table that refer to the specified columns.
The REVOKE command has the following syntax:
REVOKE { privileges | role } [ON table] FROM { user | role | PUBLIC }
Thus, the following statement revokes the access rights of the preceding example:
REVOKE SELECT ON ANY TABLE FROM ricflair
23
What happens if Bob revokes the privilege from David?
The grant option enables an access right to cascade through a number of users. We consider a specific access right and illustrate the cascade phenomenon in Figure 5.4. The figure indicates that Ann grants the access right to Bob at time t = 10 and to Chris at time t = 20. Assume that the grant option is always used. Thus, Bob is able to grant the access right to David at t = 30. Chris redundantly grants the access right to David at t = 50. Meanwhile, David grants the right to Ellen, who in turn grants it to Jim; and subsequently David grants the right to Frank.
Just as the granting of privileges cascades from one user to another using the grant option, the revocation of privileges also cascades. Thus, if Ann revokes the access right to Bob and Chris, then the access right is also revoked to David, Ellen, Jim, and Frank. A complication arises when a user receives the same access right multiple times, as happens in the case of David. Suppose that Bob revokes the privilege from David. David still has the access right because it was granted by Chris at t = 50. However, David granted the access right to Ellen after receiving the right, with grant option, from Bob but prior to receiving it from Chris. Most implementations dictate that in this circumstance, the access right to Ellen and therefore Jim is revoked when Bob revokes the access right to David. This is because at t = 40, when David granted the access right to Ellen, David only had the grant option to do this from Bob. When Bob revokes the right, this causes all subsequent cascaded grants that are traceable solely to Bob via David to be revoked. Because David granted the access right to Frank after David was granted the access right with grant option from Chris, the access right to Frank remains. These effects are shown in the lower portion of Figure 5.6.
To generalize, the convention followed by most implementations is as follows. When user A revokes an access right, any cascaded access right is also revoked, unless that access right would exist even if the original grant from A had never occurred. This convention was first proposed in [GRIF76].
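The convention above can be checked mechanically. The following added example (not from the original slides) replays the Ann/Bob/Chris/David scenario with timestamped grants and recomputes which grants survive a revocation. The times for the grants to Frank and Jim are assumptions, since the text gives only their order, and the function names are illustrative.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    grantor: str
    grantee: str
    time: int


OWNER = "Ann"  # the owner holds the right without needing a grant

GRANTS = [
    Grant("Ann", "Bob", 10),
    Grant("Ann", "Chris", 20),
    Grant("Bob", "David", 30),
    Grant("David", "Ellen", 40),
    Grant("Chris", "David", 50),
    Grant("David", "Frank", 60),  # assumed time: the text says only "subsequently"
    Grant("Ellen", "Jim", 70),    # assumed time: the text gives no value
]


def surviving(grants, owner=OWNER):
    """Keep a grant only if its grantor already held the right when making it.

    Grants are replayed in time order. A grant is supported when the grantor
    is the owner, or when a surviving grant to the grantor is strictly earlier.
    Unsupported grants are dropped, which cascades to everything they fed.
    """
    kept = []
    for g in sorted(grants, key=lambda g: g.time):
        supported = g.grantor == owner or any(
            k.grantee == g.grantor and k.time < g.time for k in kept
        )
        if supported:
            kept.append(g)
    return kept


def revoke(grants, grantor, grantee, owner=OWNER):
    """Remove the grantor's grant to the grantee, then drop grants left unsupported."""
    remaining = [
        g for g in grants if not (g.grantor == grantor and g.grantee == grantee)
    ]
    return surviving(remaining, owner)


def holders(grants):
    """Users who still hold the right through at least one surviving grant."""
    return sorted({g.grantee for g in grants})


if __name__ == "__main__":
    after = revoke(GRANTS, "Bob", "David")
    print("Bob revokes David  ->", holders(after))
    after = revoke(GRANTS, "Chris", "David")
    print("Chris revokes David ->", holders(after))
    after = revoke(revoke(GRANTS, "Ann", "Bob"), "Ann", "Chris")
    print("Ann revokes Bob and Chris ->", holders(after))
```
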
24
Role-Based Access Control (RBAC)
A role-based access control (RBAC) scheme is a natural fit for database access control. Unlike a file system associated with a single or a few applications, a database system often supports dozens of applications. In such an environment, an individual user may use a variety of applications to perform a variety of tasks, each of which requires its own set of privileges. It would be poor administrative practice to simply grant users all of the access rights they require for all the tasks they perform. RBAC provides a means of easing the administrative burden and improving security.
In a discretionary access control environment, we can classify database users in three broad categories:
• Application owner: An end user who owns database objects (tables, columns, rows) as part of an application. That is, the database objects are generated by the application or are prepared for use by the application.
• End user other than application owner: An end user who operates on database objects via a particular application but does not own any of the database objects.
• Administrator: User who has administrative responsibility for part or all of the database.
We can make some general statements about RBAC concerning these three types of users. An application has associated with it a number of tasks, with each task requiring specific access rights to portions of the database. For each task, one or more roles can be defined that specify the needed access rights. The application owner may assign roles to end users. Administrators are responsible for more sensitive or general roles, including those having to do with managing physical and logical database components, such as data files, users, and security mechanisms. The system needs to be set up to give certain administrators certain privileges. Administrators in turn can assign users to administrative-related roles.
A database RBAC facility needs to provide the following capabilities:
• Create and delete roles.
• Define permissions for a role.
• Assign and cancel assignment of users to roles.
25
Table 5.2 Fixed Roles in Microsoft SQL Server
A good example of the use of roles in database security is the RBAC facility provided by Microsoft SQL Server. SQL Server supports three types of roles: server roles, database roles, and user-defined roles. The first two types of roles are referred to as fixed roles (Table 5.2); these are preconfigured for a system with specific access rights. The administrator or user cannot add, delete, or modify fixed roles; it is only possible to add and remove users as members of a fixed role.
Fixed server roles are defined at the server level and exist independently of any user database. They are designed to ease the administrative task. These roles have different permissions and are intended to provide the ability to spread the administrative responsibilities without having to give out complete control. Database administrators can use these fixed server roles to assign different administrative tasks to personnel and give them only the rights they absolutely need.
Fixed database roles operate at the level of an individual database. As with fixed server roles, some of the fixed database roles, such as db_accessadmin and db_securityadmin, are designed to assist a DBA with delegating administrative responsibilities. Others, such as db_datareader and db_datawriter, are designed to provide blanket permissions for an end user.
SQL Server allows users to create roles. These user-defined roles can then be assigned access rights to portions of the database. A user with proper authorization (typically, a user assigned to the db_securityadmin role) may define a new role and associate access rights with the role. There are two types of user-defined roles: standard and application. For a standard role, an authorized user can assign other users to the role. An application role is associated with an application rather than with a group of users and requires a password. The role is activated when an application executes the appropriate code. A user who has access to the application can use the application role for database access. Often database applications enforce their own security based on the application logic. For example, you can use an application role with its own password to allow the particular user to obtain and modify any data only during specific hours. Thus, you can realize more complex security management within the application logic.
26
Inference, as it relates to database security, is the process of performing authorized queries and deducing unauthorized information from the legitimate responses received. The inference problem arises when the combination of a number of data items is more sensitive than the individual items, or when a combination of data items can be used to infer data of a higher sensitivity. Figure 5.7 illustrates the process.
The attacker may make use of nonsensitive data as well as metadata. Metadata refers to knowledge about correlations or dependencies among data items that can be used to deduce information not otherwise available to a particular user. The information transfer path by which unauthorized data is obtained is referred to as an inference channel.
27
In general terms, two inference techniques can be used to derive additional information: analyzing functional dependencies between attributes within a table or across tables, and merging views with the same constraints. An example of the latter, shown in Figure 5.8, illustrates the inference problem. Users of these views are not authorized to access the relationship between Item and Cost. A user who has access to either or both views cannot infer the relationship by functional dependencies. That is, there is not a functional relationship between Item and Cost such that knowing Item and perhaps other information is sufficient to deduce Cost. However, suppose the two views are created with the access constraint that Item and Cost cannot be accessed together. A user who knows the structure of the Inventory table and who knows that the view tables maintain the same row order as the Inventory table is then able to merge the two views to construct the table shown in Figure 5.8c. This violates the access control policy that the relationship of attributes Item and Cost must not be disclosed.
28
Inference Detection
In general terms, there are two approaches to dealing with the threat of disclosure by inference:
• Inference detection during database design: This approach removes an inference channel by altering the database structure or by changing the access control regime to prevent inference. Examples include removing data dependencies by splitting a table into multiple tables or using more fine-grained access control roles in an RBAC scheme. Techniques in this category often result in unnecessarily stricter access controls that reduce availability.
• Inference detection at query time: This approach seeks to eliminate an inference channel violation during a query or series of queries. If an inference channel is detected, the query is denied or altered.
For either of the preceding approaches, some inference detection algorithm is needed. This is a difficult problem and the subject of ongoing research. To give some appreciation of the difficulty, we present an example taken from [LUNT89]. Consider a database containing personnel information, including names, addresses, and salaries of employees. Individually, the name, address, and salary information is available to a subordinate role, such as Clerk, but the association of names and salaries is restricted to a superior role, such as Administrator. This is similar to the problem illustrated in Figure 5.8. One solution to this problem is to construct three tables, which include the following information:
Employees (Emp#, Name, Address)
Salaries (S#, Salary)
Emp-Salary (Emp#, S#)
where each line consists of the table name followed by a list of column names for that table. In this case, each employee is assigned a unique employee number (Emp#) and a unique salary number (S#). The Employees table and the Salaries table are accessible to the Clerk role, but the Emp-Salary table is only available to the Administrator role. In this structure, the sensitive relationship between employees and salaries is protected from users assigned the Clerk role. Now suppose that we want to add a new attribute, employee start date, which is not sensitive. This could be added to the Salaries table as follows:
Salaries (S#, Salary, Start-Date)
However, an employee’s start date is an easily observable or discoverable attribute of an employee. Thus a user in the Clerk role should be able to infer (or partially infer) the employee’s name. This would compromise the relationship between employee and salary. A straightforward way to remove the inference channel is to add the start-date column to the Employees table rather than to the Salaries table.
The first security problem indicated in this sample, that it was possible to infer the relationship between employee and salary, can be detected through analysis of the data structures and security constraints that are available to the DBMS. However, the second security problem, in which the start-date column was added to the Salaries table, cannot be detected using only the information stored in the database. In particular, the database does not indicate that the employee name can be inferred from the start date.
In the general case of a relational database, inference detection is a complex and difficult problem. For multilevel secure databases, discussed in Chapter 13, and statistical databases, discussed in the next section, progress has been made in devising specific inference detection techniques.
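The Clerk example can be turned into a small design-time check. The following added example (not from the original slides, and not the algorithm of [LUNT89]) treats attributes that a role can read in the same table as linked, adds links for dependencies known from outside the database, and searches for a chain between the two attributes that must not be associated. The function names and the link model are assumptions made for illustration.

```python
from collections import deque


def build_links(tables, external=()):
    """Undirected graph of attributes a role can associate with each other.

    Two attributes are linked when they appear in the same readable table, or
    when the designer declares that one can be learned from the other outside
    the database (the 'external' pairs).
    """
    graph = {}

    def link(a, b):
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)

    for columns in tables.values():
        for a in columns:
            graph.setdefault(a, set())
            for b in columns:
                if a != b:
                    link(a, b)
    for a, b in external:
        link(a, b)
    return graph


def inference_path(tables, forbidden, external=()):
    """Return the shortest chain of attributes joining the forbidden pair, or None."""
    src, dst = forbidden
    graph = build_links(tables, external)
    if src not in graph or dst not in graph:
        return None
    previous = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = previous[node]
            return path[::-1]
        for neighbour in sorted(graph[node]):
            if neighbour not in previous:
                previous[neighbour] = node
                queue.append(neighbour)
    return None


FORBIDDEN = ("Name", "Salary")

# Tables readable by the Clerk role in each design from the text.
CLERK_ORIGINAL = {"Employees": ["Emp#", "Name", "Address"],
                  "Salaries": ["S#", "Salary"]}
CLERK_WITH_START_DATE = {"Employees": ["Emp#", "Name", "Address"],
                         "Salaries": ["S#", "Salary", "Start-Date"]}
CLERK_FIXED = {"Employees": ["Emp#", "Name", "Address", "Start-Date"],
               "Salaries": ["S#", "Salary"]}
# What the Administrator role can read: the three-table design in full.
ADMIN = dict(CLERK_ORIGINAL, **{"Emp-Salary": ["Emp#", "S#"]})

# Knowledge that is not stored in the database: a start date is observable
# and points to a particular employee.
OBSERVABLE = [("Name", "Start-Date")]

if __name__ == "__main__":
    print(inference_path(ADMIN, FORBIDDEN))
    print(inference_path(CLERK_WITH_START_DATE, FORBIDDEN))
    print(inference_path(CLERK_WITH_START_DATE, FORBIDDEN, OBSERVABLE))
    print(inference_path(CLERK_FIXED, FORBIDDEN, OBSERVABLE))
```

The check reports the start-date channel only when the outside dependency is declared, which is the point the text makes about the second problem.
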
29
Database Encryption
The database is typically the most valuable information resource for any organization and is therefore protected by multiple layers of security, including firewalls, authentication mechanisms, general access control systems, and database access control systems. In addition, for particularly sensitive data, database encryption is warranted and often implemented. Encryption becomes the last line of defense in database security.
There are two disadvantages to database encryption:
• Key management: Authorized users must have access to the decryption key for the data for which they have access. Because a database is typically accessible to a wide range of users and a number of applications, providing secure keys to selected parts of the database to authorized users and applications is a complex task.
• Inflexibility: When part or all of the database is encrypted, it becomes more difficult to perform record searching.
Encryption can be applied to the entire database, at the record level (encrypt selected records), at the attribute level (encrypt selected columns), or at the level of the individual field. A number of approaches have been taken to database encryption. In this section, we look at a representative approach for a multiuser database.
A DBMS is a complex collection of hardware and software. It requires a large storage capacity and requires skilled personnel to perform maintenance, disaster protection, update, and security. For many small and medium-sized organizations, an attractive solution is to outsource the DBMS and the database to a service provider. The service provider maintains the database off site and can provide high availability, disaster prevention, and efficient access and update. The main concern with such a solution is the confidentiality of the data.
30
A straightforward solution to the security problem in this context is to encrypt the entire database and not provide the encryption/decryption keys to the service provider. This solution by itself is inflexible. The user has little ability to access individual data items based on searches or indexing on key parameters, but rather would have to download entire tables from the database, decrypt the tables, and work with the results. To provide more flexibility, it must be possible to work with the database in its encrypted form.
An example of such an approach, depicted in Figure 5.9, is reported in [DAMI05] and [DAMI03]. A similar approach is described in [HACI02]. Four entities are involved:
• Data owner: An organization that produces data to be made available for controlled release, either within the organization or to external users.
• User: Human entity that presents requests (queries) to the system. The user could be an employee of the organization who is granted access to the database via the server, or a user external to the organization who, after authentication, is granted access.
• Client: Frontend that transforms user queries into queries on the encrypted data stored on the server.
• Server: An organization that receives the encrypted data from a data owner and makes them available for distribution to clients. The server could in fact be owned by the data owner but, more typically, is a facility owned and maintained by an external provider.
31
Searchable Encryption
32
Cloud Security
There is an increasingly prominent trend in many organizations to move a substantial portion or even all information technology (IT) operations to an Internet-connected infrastructure known as enterprise cloud computing. The use of cloud computing raises a number of security issues, particularly in the area of database security.
NIST SP-800-145 defines cloud computing as follows:
“A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.”
33
The definition refers to various models and characteristics, whose relationship is illustrated in Figure. The essential characteristics of cloud computing include the following:
• Broad network access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs) as well as other traditional or cloud-based software services.
• Rapid elasticity: Cloud computing gives you the ability to expand and reduce resources according to your specific service requirement. For example, you may need a large number of server resources for the duration of a specific task. You can then release these resources upon completion of the task.
• Measured service: Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
• On-demand self-service: A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider. Because the service is on demand, the resources are not permanent parts of your IT infrastructure.
• Resource pooling: The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a degree of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources, but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines. Even private clouds tend to pool resources between different parts of the same organization.
34
NIST defines three service models, which can be viewed as nested service alternatives (Figure 5.12):
• Software as a service (SaaS): Provides service to customers in the form of software, specifically application software, running on and accessible in the cloud. SaaS follows the familiar model of Web services, in this case applied to cloud resources. SaaS enables the customer to use the cloud provider’s applications running on the provider’s cloud infrastructure. The applications are accessible from various client devices through a simple interface such as a Web browser. Instead of obtaining desktop and server licenses for software products it uses, an enterprise obtains the same functions from the cloud service. SaaS saves the complexity of software installation, maintenance, upgrades, and patches. Examples of services at this level are Gmail, Google’s service, and Salesforce.com, which helps firms keep track of their customers.
• Platform as a service (PaaS): Provides service to customers in the form of a platform on which the customer’s applications can run. PaaS enables the customer to deploy onto the cloud infrastructure customer-created or acquired applications. A PaaS cloud provides useful software building blocks, plus a number of development tools, such as programming languages, runtime environments, and other tools that assist in deploying new applications. In effect, PaaS is an operating system in the cloud. PaaS is useful for an organization that wants to develop new or tailored applications while paying for the needed computing resources only as needed and only for as long as needed. Google App Engine and the Salesforce1 Platform from Salesforce.com are examples of PaaS.
• Infrastructure as a service (IaaS): Provides the customer access to the underlying cloud infrastructure. IaaS provides virtual machines and other abstracted hardware and operating systems, which may be controlled through a service application programming interface (API). IaaS offers the customer processing, storage, networks, and other fundamental computing resources so that the customer is able to deploy and run arbitrary software, which can include operating systems and applications. IaaS enables customers to combine basic computing services, such as number crunching and data storage, to build highly adaptable computer systems. Examples of IaaS are Amazon Elastic Compute Cloud (Amazon EC2) and Windows Azure.
35
NIST Deployment Models
NIST defines four deployment models:
• Public cloud: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. The cloud provider is responsible both for the cloud infrastructure and for the control of data and operations within the cloud.
• Private cloud: The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise. The cloud provider is responsible only for the infrastructure and not for the control.
• Community cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.
• Hybrid cloud: The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
36
Figure 5.13 illustrates the typical cloud service context
Figure 5.13 illustrates the typical cloud service context. An enterprise maintains workstations within an enterprise LAN or set of LANs, which are connected by a router through a network or the Internet to the cloud service provider. The cloud service provider maintains a massive collection of servers, which it manages with a variety of network management, redundancy, and security tools. In the figure, the cloud infrastructure is shown as a collection of blade servers, which is a common architecture.
37
Cloud Computing Reference Architecture
NIST SP establishes a reference architecture described as follows: “The NIST cloud computing reference architecture focuses on the requirements of ‘what’ cloud services provide, not a ‘how to’ design solution and implementation. The reference architecture is intended to facilitate the understanding of the operational intricacies in cloud computing. It does not represent the system architecture of a specific cloud computing system; instead it is a tool for describing, discussing, and developing a system-specific architecture using a common framework of reference.” NIST SP (NIST Cloud Computing Reference Architecture) establishes a reference architecture described as follows: The NIST cloud computing reference architecture focuses on the requirements of “what” cloud services provide, not a “how to” design solution and implementation. The reference architecture is intended to facilitate the understanding of the operational intricacies in cloud computing. It does not represent the system architecture of a specific cloud computing system; instead it is a tool for describing, discussing, and developing a system-specific architecture using a common framework of reference.
38
Objectives NIST developed the reference architecture with the following objectives in mind: To illustrate and understand the various cloud services in the context of an overall cloud computing conceptual model To provide a technical reference for consumers to understand, discuss, categorize, and compare cloud services To facilitate the analysis of candidate standards for security, interoperability, and portability and reference implementations NIST developed the reference architecture with the following objectives in mind: • To illustrate and understand the various cloud services in the context of an overall cloud computing conceptual model. • To provide a technical reference for consumers to understand, discuss, categorize, and compare cloud services. • To facilitate the analysis of candidate standards for security, interoperability, and portability and reference implementations.
39
The reference architecture, depicted in Figure 5
The reference architecture, depicted in Figure 5.14, defines five major actors in terms of the roles and responsibilities:
• Cloud consumer: A person or organization that maintains a business relationship with, and uses service from, cloud providers.
• Cloud provider (CP): A person, organization, or entity responsible for making a service available to interested parties.
• Cloud auditor: A party that can conduct independent assessment of cloud services, information system operations, performance, and security of the cloud implementation.
• Cloud broker: An entity that manages the use, performance and delivery of cloud services, and negotiates relationships between CPs and cloud consumers.
• Cloud carrier: An intermediary that provides connectivity and transport of cloud services from CPs to cloud consumers.
The roles of the cloud consumer and provider have already been discussed. To summarize, a cloud provider can provide one or more of the cloud services to meet IT and business requirements of cloud consumers. For each of the three service models (SaaS, PaaS, and IaaS), the CP provides the storage and processing facilities needed to support that service model, together with a cloud interface for cloud service consumers. For SaaS, the CP deploys, configures, maintains, and updates the operation of the software applications on a cloud infrastructure so that the services are provisioned at the expected service levels to cloud consumers. The consumers of SaaS can be organizations that provide their members with access to software applications, end users who directly use software applications, or software application administrators who configure applications for end users. For PaaS, the CP manages the computing infrastructure for the platform and runs the cloud software that provides the components of the platform, such as runtime software execution stack, databases, and other middleware components.
Cloud consumers of PaaS can employ the tools and execution resources provided by CPs to develop, test, deploy, and manage the applications hosted in a cloud environment. For IaaS, the CP acquires the physical computing resources underlying the service, including the servers, networks, storage, and hosting infrastructure. The IaaS cloud consumer in turn uses these computing resources, such as a virtual computer, for their fundamental computing needs. The cloud carrier is a networking facility that provides connectivity and transport of cloud services between cloud consumers and CPs. Typically, a CP will set up service level agreements (SLAs) with a cloud carrier to provide services consistent with the level of SLAs offered to cloud consumers, and may require the cloud carrier to provide dedicated and secure connections between cloud consumers and CPs. A cloud broker is useful when cloud services are too complex for a cloud consumer to easily manage. Three areas of support can be offered by a cloud broker: • Service intermediation: These are value-added services, such as identity management, performance reporting, and enhanced security. • Service aggregation: The broker combines multiple cloud services to meet consumer needs not specifically addressed by a single CP, or to optimize performance or minimize cost. • Service arbitrage: This is similar to service aggregation except that the services being aggregated are not fixed. Service arbitrage means a broker has the flexibility to choose services from multiple agencies. The cloud broker, for example, can use a credit-scoring service to measure and select an agency with the best score. A cloud auditor can evaluate the services provided by a CP in terms of security controls, privacy impact, performance, and so on. The auditor is an independent entity that can assure that the CP conforms to a set of standards.
40
Cloud Security Risks The Cloud Security Alliance lists the following as the top cloud-specific security threats: Abuse and nefarious use of cloud computing Insecure interfaces and APIs Malicious insiders Shared technology issues Data loss or leakage Account or service hijacking Unknown risk profile In general terms, security controls in cloud computing are similar to the security controls in any IT environment. However, because of the operational models and technologies used to enable cloud service, cloud computing may present risks that are specific to the cloud environment. The essential concept in this regard is that the enterprise loses a substantial amount of control over resources, services, and applications but must maintain accountability for security and privacy policies. The Cloud Security Alliance [CSA10] lists the following as the top cloud-specific security threats: • Abuse and nefarious use of cloud computing: For many CPs, it is relatively easy to register and begin using cloud services, some even offering free limited trial periods. This enables attackers to get inside the cloud to conduct various attacks, such as spamming, malicious code attacks, and denial of service. PaaS providers have traditionally suffered most from this kind of attack; however, recent evidence shows that hackers have begun to target IaaS vendors as well. The burden is on the CP to protect against such attacks, but cloud service clients must monitor activity with respect to their data and resources to detect any malicious behavior. Countermeasures include (1) stricter initial registration and validation processes; (2) enhanced credit card fraud monitoring and coordination; (3) comprehensive introspection of customer network traffic; and (4) monitoring public blacklists for one’s own network blocks. • Insecure interfaces and APIs: CPs expose a set of software interfaces or APIs that customers use to manage and interact with cloud services.
The security and availability of general cloud services is dependent upon the security of these basic APIs. From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy. Countermeasures include (1) analyzing the security model of CP interfaces; (2) ensuring that strong authentication and access controls are implemented in concert with encrypted transmission; and (3) understanding the dependency chain associated with the API. • Malicious insiders: Under the cloud computing paradigm, an organization relinquishes direct control over many aspects of security and, in doing so, confers an unprecedented level of trust onto the CP. One grave concern is the risk of malicious insider activity. Cloud architectures necessitate certain roles that are extremely high-risk. Examples include CP system administrators and managed security service providers. Countermeasures include the following: (1) enforce strict supply chain management and conduct a comprehensive supplier assessment; (2) specify human resource requirements as part of legal contract; (3) require transparency into overall information security and management practices, as well as compliance reporting; and (4) determine security breach notification processes. • Shared technology issues: IaaS vendors deliver their services in a scalable way by sharing infrastructure. Often, the underlying components that make up this infrastructure (CPU caches, GPUs, etc.) were not designed to offer strong isolation properties for a multi-tenant architecture. CPs typically approach this risk by the use of isolated virtual machines for individual clients. This approach is still vulnerable to attack, by both insiders and outsiders, and so can only be a part of an overall security strategy. 
Countermeasures include the following: (1) implement security best practices for installation/configuration; (2) monitor environment for unauthorized changes/activity; (3) promote strong authentication and access control for administrative access and operations; (4) enforce SLAs for patching and vulnerability remediation; and (5) conduct vulnerability scanning and configuration audits. • Data loss or leakage: For many clients, the most devastating impact from a security breach is the loss or leakage of data. We address this issue in the next section. Countermeasures include the following: (1) implement strong API access control; (2) encrypt and protect integrity of data in transit; (3) analyze data protection at both design and run time; and (4) implement strong key generation, storage and management, and destruction practices. • Account or service hijacking: Account and service hijacking, usually with stolen credentials, remains a top threat. With stolen credentials, attackers can often access critical areas of deployed cloud computing services, allowing them to compromise the confidentiality, integrity, and availability of those services. Countermeasures include the following: (1) prohibit the sharing of account credentials between users and services; (2) leverage strong two-factor authentication techniques where possible; (3) employ proactive monitoring to detect unauthorized activity; and (4) understand CP security policies and SLAs. • Unknown risk profile: In using cloud infrastructures, the client necessarily cedes control to the cloud provider on a number of issues that may affect security. Thus the client must pay attention to and clearly define the roles and responsibilities involved for managing risks. For example, employees may deploy applications and data resources at the CP without observing the normal policies and procedures for privacy, security, and oversight. 
Countermeasures include (1) disclosure of applicable logs and data; (2) partial/full disclosure of infrastructure details (e.g., patch levels and firewalls); and (3) monitoring and alerting on necessary information. Similar lists have been developed by the European Network and Information Security Agency [ENIS09] and NIST [JANS11].
41
Table 5.4 NIST Guidelines on Cloud Security and Privacy
Table NIST Guidelines on Cloud Security and Privacy Issues and Recommendations As can be seen from the previous section, there are numerous aspects to cloud security and numerous approaches to providing cloud security measures. A further example is seen in the NIST guidelines for cloud security, specified in SP and listed in Table 5.4. Thus, the topic of cloud security is well beyond the scope of this chapter. In this section, we focus on one specific element of cloud security. (This table can be found on page 190 in the textbook.)
42
Data Protection in the Cloud
The threat of data compromise increases in the cloud Risks and challenges that are unique to the cloud Architectural or operational characteristics of the cloud environment Multi-instance model Provides a unique DBMS running on a virtual machine instance for each cloud subscriber Gives the subscriber complete control over administrative tasks related to security Multi-tenant model Provides a predefined environment for the cloud subscriber that is shared with other tenants typically through tagging data with a subscriber identifier Gives the appearance of exclusive use of the instance but relies on the cloud provider to establish and maintain a secure database environment There are many ways to compromise data. Deletion or alteration of records without a backup of the original content is an obvious example. Unlinking a record from a larger context may render it unrecoverable, as can storage on unreliable media. Loss of an encoding key may result in effective destruction. Finally, unauthorized parties must be prevented from gaining access to sensitive data. The threat of data compromise increases in the cloud, due to the number of and interactions between risks and challenges that are either unique to the cloud or more dangerous because of the architectural or operational characteristics of the cloud environment. Database environments used in cloud computing can vary significantly. Some providers support a multi-instance model, which provides a unique DBMS running on a virtual machine instance for each cloud subscriber. This gives the subscriber complete control over role definition, user authorization, and other administrative tasks related to security. Other providers support a multi-tenant model, which provides a predefined environment for the cloud subscriber that is shared with other tenants, typically through tagging data with a subscriber identifier.
Tagging gives the appearance of exclusive use of the instance, but relies on the cloud provider to establish and maintain a sound secure database environment. Data must be secured while at rest, in transit, and in use, and access to the data must be controlled. The client can employ encryption to protect data in transit, though this involves key management responsibilities for the CP. The client can enforce access control techniques but, again, the CP is involved to some extent depending on the service model used. For data at rest, the ideal security measure is for the client to encrypt the database and only store encrypted data in the cloud, with the CP having no access to the encryption key. So long as the key remains secure, the CP has no ability to read the data, although corruption and other denial-of-service attacks remain a risk. The model depicted in Figure 5.10 works equally well when the data is stored in a cloud.
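The multi-tenant tagging model described above, as an added example that is not from the textbook or any provider's code: a shared table tagged with a subscriber identifier, a provider-side session that binds the tag into every statement, and an audit helper that finds a lookup path which omits the tag. The schema, the class and function names, and the sample rows are assumptions made for illustration.

```python
import sqlite3


def build_shared_db():
    """Provider-side shared instance: every row carries a subscriber tag."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE records ("
        " id INTEGER PRIMARY KEY,"
        " subscriber_id TEXT NOT NULL,"   # the tenant tag
        " payload TEXT NOT NULL)"
    )
    # Constructed sample rows for two hypothetical subscribers.
    db.executemany(
        "INSERT INTO records (subscriber_id, payload) VALUES (?, ?)",
        [("acme", "acme-invoice-1"), ("acme", "acme-invoice-2"),
         ("globex", "globex-payroll-1")],
    )
    db.commit()
    return db


class TenantSession:
    """The only path a subscriber gets to the shared table.

    The tag is fixed when the session is created (after authentication) and
    is bound into every statement; it is never read from the request.
    """

    def __init__(self, db, subscriber_id):
        self._db = db
        self._sid = subscriber_id

    def list_payloads(self):
        rows = self._db.execute(
            "SELECT payload FROM records WHERE subscriber_id = ? ORDER BY id",
            (self._sid,))
        return [r[0] for r in rows]

    def get(self, record_id):
        row = self._db.execute(
            "SELECT payload FROM records WHERE id = ? AND subscriber_id = ?",
            (record_id, self._sid)).fetchone()
        return row[0] if row else None

    def update(self, record_id, payload):
        cur = self._db.execute(
            "UPDATE records SET payload = ? WHERE id = ? AND subscriber_id = ?",
            (payload, record_id, self._sid))
        self._db.commit()
        return cur.rowcount   # 0 when the row belongs to another tenant

    def insert(self, payload):
        cur = self._db.execute(
            "INSERT INTO records (subscriber_id, payload) VALUES (?, ?)",
            (self._sid, payload))
        self._db.commit()
        return cur.lastrowid


def get_without_tag(db, record_id):
    """Failure mode: one provider code path that forgets the tenant predicate."""
    row = db.execute(
        "SELECT payload FROM records WHERE id = ?", (record_id,)).fetchone()
    return row[0] if row else None


def cross_tenant_reads(db, lookup):
    """Audit helper: call lookup(subscriber_id, record_id) for every row as
    every other tenant; return the (tenant, row id) pairs that returned data."""
    rows = db.execute(
        "SELECT id, subscriber_id FROM records ORDER BY id").fetchall()
    tenants = sorted({owner for _, owner in rows})
    leaks = []
    for tenant in tenants:
        for rid, owner in rows:
            if owner != tenant and lookup(tenant, rid) is not None:
                leaks.append((tenant, rid))
    return leaks


if __name__ == "__main__":
    db = build_shared_db()
    print("acme sees:", TenantSession(db, "acme").list_payloads())
    print("tagged path leaks:",
          cross_tenant_reads(db, lambda t, rid: TenantSession(db, t).get(rid)))
    print("untagged path leaks:",
          cross_tenant_reads(db, lambda t, rid: get_without_tag(db, rid)))
```

The subscriber cannot run this audit against a real provider; it shows why the appearance of exclusive use depends entirely on every provider code path applying the tag.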
43
Cloud Security As A Service
SecaaS - Is a segment of the SaaS offering of a CP Defined by The Cloud Security Alliance as the provision of security applications and services via the cloud either to cloud-based infrastructure and software or from the cloud to the customers’ on-premise systems The Cloud Security Alliance has identified the following SecaaS categories of service: • Identity and access management • Data loss prevention • Web security • E-mail security • Security assessments • Intrusion management • Security information and event management • Encryption • Business continuity and disaster recovery • Network security The term security as a service has generally meant a package of security services offered by a service provider that offloads much of the security responsibility from an enterprise to the security service provider. Among the services typically provided are authentication, anti-virus, antimalware/spyware, intrusion detection, and security event management. In the context of cloud computing, cloud security as a service, designated SecaaS, is a segment of the SaaS offering of a CP. The Cloud Security Alliance defines SecaaS as the provision of security applications and services via the cloud either to cloud-based infrastructure and software or from the cloud to the customers’ on-premise systems (Table 5.4) [CSA11b]. The Cloud Security Alliance has identified the following SecaaS categories of service: • Identity and access management • Data loss prevention • Web security • E-mail security • Security assessments • Intrusion management • Security information and event management • Encryption • Business continuity and disaster recovery • Network security
44
cloud-based infrastructure and services (Figure 5.15).
Identity and access management (IAM) includes people, processes, and systems that are used to manage access to enterprise resources by assuring that the identity of an entity is verified, and then granting the correct level of access based on this assured identity. The access management portion of IAM involves authentication and access control services. For example, the CSP must be able to authenticate users in a trustworthy manner. Data loss prevention (DLP) is the monitoring, protecting, and verifying the security of data at rest, in motion, and in use. Web security is real-time protection offered either on premise or via the Cloud by proxying or redirecting Web traffic to the CP. A CSP may provide a Web-based service, for which security measures are needed - e-mail security provides control over in/outbound e-mail, etc. Security assessments are third-party audits of cloud services. While this service is outside the province of the CSP, the CSP can provide tools and access points to facilitate various assessment activities. Intrusion management encompasses intrusion detection, prevention, and response. The core is the implementation of intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) at entry points to the cloud and on servers in the cloud. In this section, we examine these categories with a focus on security of the cloud-based infrastructure and services (Figure 5.15). Identity and access management (IAM) includes people, processes, and systems that are used to manage access to enterprise resources by assuring that the identity of an entity is verified, and then granting the correct level of access based on this assured identity. One aspect of identity management is identity provisioning, which has to do with providing access to identified users and subsequently deprovisioning, or denying access, to users when the client enterprise designates such users as no longer having access to enterprise resources in the cloud.
Another aspect of identity management is for the cloud to participate in the federated identity management scheme (see Chapter 15) used by the client enterprise. Among other requirements, the cloud service provider (CSP) must be able to exchange identity attributes with the enterprise’s chosen identity provider. The access management portion of IAM involves authentication and access control services. For example, the CSP must be able to authenticate users in a trustworthy manner. The access control requirements in SPI environments include establishing trusted user profile and policy information, using it to control access within the cloud service, and doing this in an auditable way. Data loss prevention (DLP) is the monitoring, protecting, and verifying the security of data at rest, in motion, and in use. Much of DLP can be implemented by the cloud client, such as discussed in Section The CSP can also provide DLP services, such as implementing rules about what functions can be performed on data in various contexts. Web security is real-time protection offered either on premise through software/appliance installation or via the Cloud by proxying or redirecting Web traffic to the CP. This provides an added layer of protection on top of things like antiviruses to prevent malware from entering the enterprise via activities such as Web browsing. In addition to protecting against malware, a cloud-based Web security service might include usage policy enforcement, data backup, traffic control, and Web access control. A CSP may provide a Web-based service, for which security measures are needed. E-mail security provides control over inbound and outbound e-mail, protecting the organization from phishing and malicious attachments, and enforcing corporate policies such as acceptable use and spam prevention. The CSP may also incorporate digital signatures on all clients and provide optional encryption. Security assessments are third-party audits of cloud services.
While this service is outside the province of the CSP, the CSP can provide tools and access points to facilitate various assessment activities. Intrusion management encompasses intrusion detection, prevention, and response. The core of this service is the implementation of intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) at entry points to the cloud and on servers in the cloud. An IDS is a set of automated tools designed to detect unauthorized access to a host system. We discuss this in Chapter 21. An IPS incorporates IDS functionality but also includes mechanisms designed to block traffic from intruders. Security information and event management (SIEM) aggregates (via push or pull mechanisms) log and event data from virtual and real networks, applications, and systems. This information is then correlated and analyzed to provide real-time reporting and alerting on information/events that may require intervention or other type of response. The CSP typically provides an integrated service that can put together information from a variety of sources both within the cloud and within the client enterprise network. Encryption is a pervasive service that can be provided for data at rest in the cloud, traffic, client-specific network management information, and identity information. Encryption services provided by the CSP involve a range of complex issues, including key management, how to implement virtual private network (VPN) services in the cloud, application encryption, and data content access. Business continuity and disaster recovery comprise measures and mechanisms to ensure operational resiliency in the event of any service interruptions. This is an area where the CSP, because of economies of scale, can offer obvious benefits to a cloud service client [WOOD10]. The CSP can provide backup at multiple locations, with reliable failover and disaster recovery facilities.
This service must include a flexible infrastructure, redundancy of functions and hardware, monitored operations, geographically distributed data centers, and network survivability. Network security consists of security services that allocate access, distribute, monitor, and protect the underlying resource services. Services include perimeter and server firewalls and denial-of-service protection. Many of the other services listed in this section, including intrusion management, identity and access management, data loss protection, and Web security, also contribute to the network security service. Security information and event management (SIEM) aggregates (via push or pull mechanisms) log and event data from virtual and real networks, applications, and systems. This information is then correlated and analyzed to provide real-time reporting and alerting on information/events that may require intervention or other type of response. Encryption is a pervasive service that can be provided for data at rest in the cloud, traffic, client-specific network management information, and identity information. Business continuity and disaster recovery comprise measures and mechanisms to ensure operational resiliency in the event of any service interruptions. Network security consists of security services that allocate access, distribute, monitor, and protect the underlying resource services. Services include perimeter and server firewalls and denial-of-service protection.
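An added example of the SIEM aggregation and correlation step described above (not from the textbook or any product): events from a cloud audit log and an enterprise single sign-on log are normalised into one schema and correlated to flag cloud console logins that have no recent SSO assertion behind them. Both log formats, the field names, the five-minute window and the sample lines are constructed assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample data: a cloud-side audit feed (JSON lines) and an
# enterprise SSO log (key=value text). Neither format belongs to a real product.
CLOUD_AUDIT = """\
{"time": "2024-05-01T09:00:05Z", "user": "alice", "event": "ConsoleLogin", "result": "Success", "src": "198.51.100.7"}
{"time": "2024-05-01T09:30:00Z", "user": "bob", "event": "ConsoleLogin", "result": "Success", "src": "203.0.113.50"}
{"time": "2024-05-01T09:31:10Z", "user": "bob", "event": "ListKeys", "result": "Success", "src": "203.0.113.50"}
{"time": "2024-05-01T10:00:00Z", "user": "carol", "event": "ConsoleLogin", "result": "Failure", "src": "203.0.113.9"}
"""
ENTERPRISE_SSO = """\
2024-05-01T09:00:01Z sso user=alice action=assert outcome=ok ip=10.0.0.12
2024-05-01T08:00:00Z sso user=bob action=assert outcome=ok ip=10.0.0.40
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_cloud(text):
    """Normalise cloud audit lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
            events.append({"ts": parse_ts(rec["time"]), "source": "cloud",
                           "user": rec["user"], "action": rec["event"],
                           "ok": rec["result"] == "Success", "ip": rec["src"]})
        except (ValueError, KeyError):
            continue
    return events


def parse_sso(text):
    """Normalise enterprise SSO lines into the same schema."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        kv = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        try:
            events.append({"ts": parse_ts(parts[0]), "source": "sso",
                           "user": kv["user"], "action": kv["action"],
                           "ok": kv["outcome"] == "ok", "ip": kv["ip"]})
        except (ValueError, KeyError):
            continue
    return events


def unfederated_logins(events, window_minutes=5):
    """Correlation rule: a successful cloud console login should follow a
    successful SSO assertion for the same user within the window."""
    window = timedelta(minutes=window_minutes)
    last_sso = {}
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["source"] == "sso" and e["ok"]:
            last_sso[e["user"]] = e["ts"]
        elif e["source"] == "cloud" and e["action"] == "ConsoleLogin" and e["ok"]:
            seen = last_sso.get(e["user"])
            if seen is None or e["ts"] - seen > window:
                alerts.append({"ts": e["ts"], "user": e["user"],
                               "ip": e["ip"], "last_sso": seen})
    return alerts


if __name__ == "__main__":
    merged = parse_cloud(CLOUD_AUDIT) + parse_sso(ENTERPRISE_SSO)
    for alert in unfederated_logins(merged):
        print("ALERT console login without recent SSO:", alert)
```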
45
Chapter 6 Malicious Software
This chapter examines the wide spectrum of malware threats and countermeasures. We begin with a survey of various types of malware, and offer a broad classification based first on the means malware uses to spread or propagate, and then on the variety of actions or payloads used once the malware has reached a target. Propagation mechanisms include those used by viruses, worms, and Trojans. Payloads include system corruption, bots, phishing, spyware, and rootkits. The discussion concludes with a review of countermeasure approaches. Malicious Software
46
Malware [SOUP13] defines malware as:
“a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or otherwise annoying or disrupting the victim.” Malicious software, or malware, arguably constitutes one of the most significant categories of threats to computer systems. [SOUP13] defines malware as “a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or otherwise annoying or disrupting the victim.” Hence, we are concerned with the threat malware poses to application programs, to utility programs, such as editors and compilers, and to kernel-level programs. We are also concerned with its use on compromised or malicious Web sites and servers, or in especially crafted spam e-mails or other messages, which aim to trick users into revealing sensitive personal information.
47
Table 6.1 Malware Terminology (Table can be found on page 201
The terminology in this area presents problems because of a lack of universal agreement on all of the terms and because some of the categories overlap. Table 6.1 is a useful guide to some of the terms in use. (Table can be found on page 201 in the textbook.)
48
Classification of Malware
Classified into two broad categories: Based first on how it spreads or propagates to reach the desired targets Then on the actions or payloads it performs once a target is reached Also classified by: Those that need a host program (parasitic code such as viruses) Those that are independent, self-contained programs (worms, trojans, and bots) Malware that does not replicate (trojans and spam) Malware that does replicate (viruses and worms) A number of authors attempt to classify malware, as shown in the survey and proposal of [HANS04]. Although a range of aspects can be used, one useful approach classifies malware into two broad categories, based first on how it spreads or propagates to reach the desired targets; and then on the actions or payloads it performs once a target is reached. Earlier approaches to malware classification distinguished between those that need a host program, being parasitic code such as viruses, and those that are independent, self-contained programs run on the system such as worms, trojans, and bots. Another distinction used was between malware that does not replicate, such as trojans and spam, and malware that does, including viruses and worms.
49
Types of Malicious Software
Propagation mechanisms include: Infection of existing content by viruses that is subsequently spread to other systems Exploit of software vulnerabilities by worms or drive-by-downloads to allow the malware to replicate Social engineering attacks that convince users to bypass security mechanisms to install Trojans or to respond to phishing attacks Payload actions performed by malware once it reaches a target system can include: Corruption of system or data files Theft of service/make the system a zombie agent of attack as part of a botnet Theft of information from the system/keylogging Stealthing/hiding its presence on the system Propagation mechanisms include infection of existing executable or interpreted content by viruses that is subsequently spread to other systems; exploit of software vulnerabilities either locally or over a network by worms or drive-by-downloads to allow the malware to replicate; and social engineering attacks that convince users to bypass security mechanisms to install trojans, or to respond to phishing attacks. Payload actions performed by malware once it reaches a target system can include corruption of system or data files; theft of service in order to make the system a zombie agent of attack as part of a botnet; theft of information from the system, especially of logins, passwords, or other personal details by keylogging or spyware programs; and stealthing where the malware hides its presence on the system from attempts to detect and block it. While early malware tended to use a single means of propagation to deliver a single payload, as it evolved, we see a growth of blended malware that incorporates a range of both propagation mechanisms and payloads that increase its ability to spread, hide, and perform a range of actions on targets. A blended attack uses multiple methods of infection or propagation, to maximize the speed of contagion and the severity of the attack. 
Some malware even support an update mechanism that allows it to change the range of propagation and payload mechanisms utilized once it is deployed. In the following sections, we survey these various categories of malware, and then follow with a discussion of appropriate countermeasures.
50
Attack Kits Initially the development and deployment of malware required considerable technical skill by software authors The development of virus-creation toolkits in the early 1990s and then more general attack kits in the 2000s greatly assisted in the development and deployment of malware Toolkits are often known as “crimeware” Include a variety of propagation mechanisms and payload modules that even novices can deploy Variants that can be generated by attackers using these toolkits creates a significant problem for those defending systems against them Widely used toolkits include: Zeus Blackhole Sakura Phoenix Initially, the development and deployment of malware required considerable technical skill by software authors. This changed with the development of virus-creation toolkits in the early 1990s, and then later of more general attack kits in the 2000s, that greatly assisted in the development and deployment of malware [FOSS10]. These toolkits, often known as crimeware, now include a variety of propagation mechanisms and payload modules that even novices can combine, select, and deploy. They can also easily be customized with the latest discovered vulnerabilities in order to exploit the window of opportunity between the publication of a weakness and the widespread deployment of patches to close it. These kits greatly enlarged the population of attackers able to deploy malware. Although the malware created with such toolkits tends to be less sophisticated than that designed from scratch, the sheer number of new variants that can be generated by attackers using these toolkits creates a significant problem for those defending systems against them. The Zeus crimeware toolkit is a prominent, recent, example of such an attack kit, which was used to generate a wide range of very effective, stealthed, malware that facilitates a range of criminal activities, in particular capturing and exploiting banking credentials [BINS10].
Other widely used toolkits include Blackhole, Sakura, and Phoenix [SYMA13].
51
Attack Sources Another significant malware development is the change from attackers being individuals often motivated to demonstrate their technical competence to their peers to more organized and dangerous attack sources such as: This has significantly changed the resources available and motivation behind the rise of malware and has led to development of a large underground economy involving the sale of attack kits, access to compromised hosts, and to stolen information Politically motivated attackers Criminals Organized crime Organizations that sell their services to companies and nations National government agencies Another significant malware development over the last couple of decades is the change from attackers being individuals, often motivated to demonstrate their technical competence to their peers, to more organized and dangerous attack sources. These include politically motivated attackers, criminals, and organized crime; organizations that sell their services to companies and nations, and national government agencies, as we discuss in Section 8.1. This has significantly changed the resources available and motivation behind the rise of malware, and indeed has led to development of a large underground economy involving the sale of attack kits, access to compromised hosts, and to stolen information.
52
Advanced Persistent Threats (APTs)
Well-resourced, persistent application of a wide variety of intrusion technologies and malware to selected targets (usually business or political) Typically attributed to state-sponsored organizations and criminal enterprises Differ from other types of attack by their careful target selection and stealthy intrusion efforts over extended periods High profile attacks include Aurora, RSA, APT1, and Stuxnet Advanced Persistent Threats (APTs) have risen to prominence in recent years. These are not a new type of malware, but rather the well-resourced, persistent application of a wide variety of intrusion technologies and malware to selected targets, usually business or political. APTs are typically attributed to state-sponsored organizations, with some attacks likely from criminal enterprises as well. We discuss these categories of intruders further in Section 8.1. APTs differ from other types of attack by their careful target selection, and persistent, often stealthy, intrusion efforts over extended periods. A number of high profile attacks, including Aurora, RSA, APT1, and Stuxnet, are often cited as examples.
53
APT Characteristics
Advanced: Use by the attackers of a wide variety of intrusion technologies and malware including the development of custom malware if required. The individual components may not necessarily be technically advanced but are carefully selected to suit the chosen target. Persistent: Determined application of the attacks over an extended period against the chosen target in order to maximize the chance of success. A variety of attacks may be progressively applied until the target is compromised. Threats: Threats to the selected targets as a result of the organized, capable, and well-funded attackers intent to compromise the specifically chosen targets. The active involvement of people in the process greatly raises the threat level from that due to automated attack tools, and also the likelihood of successful attacks.
They are named as a result of these characteristics: • Advanced: Use by the attackers of a wide variety of intrusion technologies and malware, including the development of custom malware if required. The individual components may not necessarily be technically advanced, but are carefully selected to suit the chosen target. • Persistent: Determined application of the attacks over an extended period against the chosen target in order to maximize the chance of success. A variety of attacks may be progressively, and often stealthily, applied until the target is compromised. • Threats: Threats to the selected targets as a result of the organized, capable, and well-funded attackers intent to compromise the specifically chosen targets. The active involvement of people in the process greatly raises the threat level from that due to automated attack tools, and also the likelihood of successful attack.
54
APT Attacks
Aim: Varies from theft of intellectual property or security and infrastructure related data to the physical disruption of infrastructure. Techniques used: Social engineering; spear-phishing; drive-by-downloads from selected compromised websites likely to be visited by personnel in the target organization. Intent: To infect the target with sophisticated malware with multiple propagation mechanisms and payloads. Once they have gained initial access to systems in the target organization a further range of attack tools are used to maintain and extend their access.
The aim of these attacks varies from theft of intellectual property or security and infrastructure related data to the physical disruption of infrastructure. Techniques used include social engineering, spear-phishing e-mails, and drive-by-downloads from selected compromised websites likely to be visited by personnel in the target organization. The intent is to infect the target with sophisticated malware with multiple propagation mechanisms and payloads. Once they have gained initial access to systems in the target organization, a further range of attack tools are used to maintain and extend their access. As a result, these attacks are much harder to defend against due to this specific targeting and persistence. It requires a combination of technical countermeasures, such as we discuss later in this chapter, as well as awareness training to assist personnel to resist such attacks, as we discuss in Chapter 17. Even with current best practice countermeasures, the use of zero-day exploits and new attack approaches means that some of these attacks are likely to succeed [SYMA13, MAND13]. Thus multiple layers of defense are needed, with mechanisms to detect, respond and mitigate such attacks. These may include monitoring for malware command and control traffic, and detection of exfiltration traffic.
55
Viruses Piece of software that infects programs
Modifies them to include a copy of the virus Replicates and goes on to infect other content Easily spread through network environments When attached to an executable program a virus can do anything that the program is permitted to do Executes secretly when the host program is run Specific to operating system and hardware Takes advantage of their details and weaknesses The first category of malware propagation concerns parasitic software fragments that attach themselves to some existing executable content. The fragment may be machine code that infects some existing application, utility, or system program, or even the code used to boot a computer system. More recently, the fragment has been some form of scripting code, typically used to support active content within data files such as Microsoft Word documents, Excel spreadsheets, or Adobe PDF documents. A computer virus is a piece of software that can “infect” other programs, or indeed any type of executable content, by modifying them. The modification includes injecting the original code with a routine to make copies of the virus code, which can then go on to infect other content. Computer viruses first appeared in the early 1980s, and the term itself is attributed to Fred Cohen. Cohen is the author of a groundbreaking book on the subject [COHE94]. The Brain virus, first seen in 1986, was one of the first to target MSDOS systems, and resulted in a significant number of infections for this time. Biological viruses are tiny scraps of genetic code—DNA or RNA—that can take over the machinery of a living cell and trick it into making thousands of flawless replicas of the original virus. Like its biological counterpart, a computer virus carries in its instructional code the recipe for making perfect copies of itself. The typical virus becomes embedded in a program, or carrier of executable content, on a computer. 
Then, whenever the infected computer comes into contact with an uninfected piece of code, a fresh copy of the virus passes into the new location. Thus, the infection can spread from computer to computer, aided by unsuspecting users, who exchange these programs or carrier files on disk or USB stick; or who send them to one another over a network. In a network environment, the ability to access documents, applications, and system services on other computers provides a perfect culture for the spread of such viral code. A virus that attaches to an executable program can do anything that the program is permitted to do. It executes secretly when the host program is run. Once the virus code is executing, it can perform any function, such as erasing files and programs, that is allowed by the privileges of the current user. One reason viruses dominated the malware scene in earlier years was the lack of user authentication and access controls on personal computer systems at that time. This enabled a virus to infect any executable content on the system. The significant quantity of programs shared on floppy disk also enabled its easy, if somewhat slow, spread. The inclusion of tighter access controls on modern operating systems significantly hinders the ease of infection of such traditional, machine executable code, viruses. This resulted in the development of macro viruses that exploit the active content supported by some documents types, such as Microsoft Word or Excel files, or Adobe PDF documents. Such documents are easily modified and shared by users as part of their normal system use, and are not protected by the same access controls as programs. Currently, a viral mode of infection is typically one of several propagation mechanisms used by contemporary malware, which may also include worm and Trojan capabilities.
56
Virus Components Means by which a virus spreads or propagates
Also referred to as the infection vector Infection mechanism Event or condition that determines when the payload is activated or delivered Sometimes known as a logic bomb Trigger What the virus does (besides spreading) May involve damage or benign but noticeable activity Payload [AYCO06] states that a computer virus has three parts. More generally, many contemporary types of malware also include one or more variants of each of these components: • Infection mechanism : The means by which a virus spreads or propagates, enabling it to replicate. The mechanism is also referred to as the infection vector . • Trigger: The event or condition that determines when the payload is activated or delivered, sometimes known as a logic bomb . • Payload: What the virus does, besides spreading. The payload may involve damage or may involve benign but noticeable activity.
57
Virus Phases Dormant phase Virus is idle
Will eventually be activated by some event Not all viruses have this stage Triggering phase Virus is activated to perform the function for which it was intended Can be caused by a variety of system events Propagation phase Virus places a copy of itself into other programs or into certain system areas on the disk May not be identical to the propagating version Each infected program will now contain a clone of the virus which will itself enter a propagation phase Execution phase Function is performed May be harmless or damaging During its lifetime, a typical virus goes through the following four phases: • Dormant phase: The virus is idle. The virus will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit. Not all viruses have this stage. • Propagation phase: The virus places a copy of itself into other programs or into certain system areas on the disk. The copy may not be identical to the propagating version; viruses often morph to evade detection. Each infected program will now contain a clone of the virus, which will itself enter a propagation phase. • Triggering phase: The virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself. • Execution phase: The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files. Most viruses that infect executable program files carry out their work in a manner that is specific to a particular operating system and, in some cases, specific to a particular hardware platform. Thus, they are designed to take advantage of the details and weaknesses of particular systems. 
Macro viruses, though, target specific document types, which are often supported on a variety of systems.
58
Virus Structure A traditional, machine executable code, virus can be prepended or postpended to some executable program, or it can be embedded into it in some other fashion. The key to its operation is that the infected program, when invoked, will first execute the virus code and then execute the original code of the program. A very general depiction of virus structure is shown in Figure 6.1a. In this case, the virus code, V, is prepended to infected programs, and it is assumed that the entry point to the program, when invoked, is the main action block. The infected program begins with the virus code and works as follows. The first line of code is a jump to the main virus program. The second line is a special marker that is used by the virus to determine whether or not a potential victim program has already been infected with this virus. When the program is invoked, control is immediately transferred to the main virus program. The virus program may first seek out uninfected executable files and infect them. Next, the virus may execute its payload if the required trigger conditions, if any, are met. Finally, the virus transfers control to the original program. If the infection phase of the program is reasonably rapid, a user is unlikely to notice any difference between the execution of an infected and an uninfected program.
59
A virus such as the one just described is easily detected because an infected
version of a program is longer than the corresponding uninfected one. A way to thwart such a simple means of detecting a virus is to compress the executable file so that both the infected and uninfected versions are of identical length. Figure 6.1b shows in general terms the logic required. The key lines in this virus are labeled with times, and Figure 6.2 illustrates the operation. In this example, the virus does nothing other than propagate. As previously mentioned, the virus may also include one or more payloads. Once a virus has gained entry to a system by infecting a single program, it is in a position to potentially infect some or all other executable files on that system when the infected program executes, depending on the access permissions the infected program has. Thus, viral infection can be completely prevented by blocking the virus from gaining entry in the first place. Unfortunately, prevention is extraordinarily difficult because a virus can be part of any program outside a system. Thus, unless one is content to take an absolutely bare piece of iron and write all one’s own system and application programs, one is vulnerable. Many forms of infection can also be blocked by denying normal users the right to modify programs on the system.
60
Virus Classifications
Classification by target: • Boot sector infector: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus. • File infector: Infects files that the operating system or shell considers to be executable. • Macro virus: Infects files with macro or scripting code that is interpreted by an application. • Multipartite virus: Infects files in multiple ways. Classification by concealment strategy: • Encrypted virus: A portion of the virus creates a random encryption key and encrypts the remainder of the virus. • Stealth virus: A form of virus explicitly designed to hide itself from detection by anti-virus software. • Polymorphic virus: A virus that mutates with every infection. • Metamorphic virus: A virus that mutates and rewrites itself completely at each iteration and may change behavior as well as appearance.
There has been a continuous arms race between virus writers and writers of anti-virus software since viruses first appeared. As effective countermeasures are developed for existing types of viruses, newer types are developed. There is no simple or universally agreed upon classification scheme for viruses. In this section, we follow [AYCO06] and classify viruses along two orthogonal axes: the type of target the virus tries to infect and the method the virus uses to conceal itself from detection by users and anti-virus software. A virus classification by target includes the following categories: • Boot sector infector: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus. • File infector: Infects files that the operating system or shell considers to be executable. • Macro virus: Infects files with macro or scripting code that is interpreted by an application. • Multipartite virus: Infects files in multiple ways. Typically, the multipartite virus is capable of infecting multiple types of files, so that virus eradication must deal with all of the possible sites of infection.
A virus classification by concealment strategy includes the following categories: • Encrypted virus: A form of virus that uses encryption to obscure its content. A portion of the virus creates a random encryption key and encrypts the remainder of the virus. The key is stored with the virus. When an infected program is invoked, the virus uses the stored random key to decrypt the virus. When the virus replicates, a different random key is selected. Because the bulk of the virus is encrypted with a different key for each instance, there is no constant bit pattern to observe. • Stealth virus: A form of virus explicitly designed to hide itself from detection by anti-virus software. Thus, the entire virus, not just a payload, is hidden. It may use code mutation, compression, or rootkit techniques to achieve this. • Polymorphic virus: A form of virus that creates copies during replication that are functionally equivalent but have distinctly different bit patterns, in order to defeat programs that scan for viruses. In this case, the “signature” of the virus will vary with each copy. To achieve this variation, the virus may randomly insert superfluous instructions or interchange the order of independent instructions. A more effective approach is to use encryption. The strategy of the encrypted virus is followed. The portion of the virus that is responsible for generating keys and performing encryption/decryption is referred to as the mutation engine. The mutation engine itself is altered with each use. • Metamorphic virus: As with a polymorphic virus, a metamorphic virus mutates with every infection. The difference is that a metamorphic virus rewrites itself completely at each iteration, using multiple transformation techniques, increasing the difficulty of detection. Metamorphic viruses may change their behavior as well as their appearance.
61
Macro and Scripting Viruses
Very common in mid-1990s Platform independent Infect documents (not executable portions of code) Easily spread Exploit macro capability of MS Office applications More recent releases of products include protection Various anti-virus programs have been developed so these are no longer the predominant virus threat In the mid-1990s, macro or scripting code viruses became by far the most prevalent type of virus. Macro viruses infect scripting code used to support active content in a variety of user document types. Macro viruses are particularly threatening for a number of reasons: 1. A macro virus is platform independent. Many macro viruses infect active content in commonly used applications, such as macros in Microsoft Word documents or other Microsoft Office documents, or scripting code in Adobe PDF documents. Any hardware platform and operating system that supports these applications can be infected. 2. Macro viruses infect documents, not executable portions of code. Most of the information introduced onto a computer system is in the form of documents rather than programs. 3. Macro viruses are easily spread, as the documents they exploit are shared in normal use. A very common method is by electronic mail. 4. Because macro viruses infect user documents rather than system programs, traditional file system access controls are of limited use in preventing their spread, since users are expected to modify them. Macro viruses take advantage of support for active content using a scripting or macro language, embedded in a word processing document or other type of file. Typically, users employ macros to automate repetitive tasks and thereby save keystrokes. They are also used to support dynamic content, form validation, and other useful tasks associated with these documents. Successive releases of MS Office products provide increased protection against macro viruses. 
For example, Microsoft offers an optional Macro Virus Protection tool that detects suspicious Word files and alerts the customer to the potential risk of opening a file with macros. Various anti-virus product vendors have also developed tools to detect and remove macro viruses. As in other types of viruses, the arms race continues in the field of macro viruses, but they no longer are the predominant virus threat. Another possible host for macro virus–style malware is in Adobe’s PDF documents. These can support a range of embedded components, including Javascript and other types of scripting code. Although recent PDF viewers include measures to warn users when such code is run, the message the user is shown can be manipulated to trick them into permitting its execution. If this occurs, the code could potentially act as a virus to infect other PDF documents the user can access on their system. Alternatively, it can install a Trojan, or act as a worm, as we discuss later [STEV11].
62
Worms
Program that actively seeks out more machines to infect and each infected machine serves as an automated launching pad for attacks on other machines. Exploits software vulnerabilities in client or server programs. Can use network connections to spread from system to system. Spreads through shared media (USB drives, CD, DVD data disks). E-mail worms spread in macro or script code included in attachments and instant messenger file transfers. Upon activation the worm may replicate and propagate again. Usually carries some form of payload. First known implementation was done in Xerox Palo Alto Labs in the early 1980s.
The next category of malware propagation concerns the exploit of software vulnerabilities, such as those we discuss in Chapters 10 and 11, which are commonly exploited by computer worms. A worm is a program that actively seeks out more machines to infect, and then each infected machine serves as an automated launching pad for attacks on other machines. Worm programs exploit software vulnerabilities in client or server programs to gain access to each new system. They can use network connections to spread from system to system. They can also spread through shared media, such as USB drives or CD and DVD data disks. E-mail worms spread in macro or script code included in documents attached to e-mail or to instant messenger file transfers. Upon activation, the worm may replicate and propagate again. In addition to propagation, the worm usually carries some form of payload, such as those we discuss later. The concept of a computer worm was introduced in John Brunner’s 1975 SF novel The Shockwave Rider. The first known worm implementation was done in Xerox Palo Alto Labs in the early 1980s. It was nonmalicious, searching for idle systems to use to run a computationally intensive task.
63
Worm Replication
Electronic mail or instant messenger facility: Worm e-mails a copy of itself to other systems. Sends itself as an attachment via an instant message service. File sharing: Creates a copy of itself or infects a file as a virus on removable media. Remote execution capability: Worm executes a copy of itself on another system. Remote file access or transfer capability: Worm uses a remote file access or transfer service to copy itself from one system to the other. Remote login capability: Worm logs onto a remote system as a user and then uses commands to copy itself from one system to the other.
To replicate itself, a worm uses some means to access remote systems. These include the following, most of which are still seen in active use [SYMA13]: • Electronic mail or instant messenger facility: A worm e-mails a copy of itself to other systems, or sends itself as an attachment via an e-mail or instant message service, so that its code is run when the e-mail or attachment is received or viewed. • File sharing: A worm either creates a copy of itself or infects other suitable files as a virus on removable media such as a USB drive; it then executes when the drive is connected to another system using the autorun mechanism by exploiting some software vulnerability, or when a user opens the infected file on the target system. • Remote execution capability: A worm executes a copy of itself on another system, either by using an explicit remote execution facility or by exploiting a program flaw in a network service to subvert its operations (as we discuss in Chapters 10 and 11). • Remote file access or transfer capability: A worm uses a remote file access or transfer service to another system to copy itself from one system to the other, where users on that system may then execute it. • Remote login capability: A worm logs onto a remote system as a user and then uses commands to copy itself from one system to the other, where it then executes.
The new copy of the worm program is then run on the remote system where, in addition to any payload functions that it performs on that system, it continues to propagate. A worm typically uses the same phases as a computer virus: dormant, propagation, triggering, and execution. The propagation phase generally performs the following functions: • Search for appropriate access mechanisms to other systems to infect by examining host tables, address books, buddy lists, trusted peers, and other similar repositories of remote system access details; by scanning possible target host addresses; or by searching for suitable removable media devices to use. • Use the access mechanisms found to transfer a copy of itself to the remote system, and cause the copy to be run. The worm may also attempt to determine whether a system has previously been infected before copying itself to the system. In a multiprogramming system, it can also disguise its presence by naming itself as a system process or using some other name that may not be noticed by a system operator. More recent worms can even inject their code into existing processes on the system, and run using additional threads in that process, to further disguise their presence.
64
Target Discovery Scanning strategies that a worm can use:
Scanning (or fingerprinting) First function in the propagation phase for a network worm Searches for other systems to infect Scanning strategies that a worm can use: Random Each compromised host probes random addresses in the IP address space using a different seed This produces a high volume of Internet traffic which may cause generalized disruption even before the actual attack is launched Hit-list The attacker first compiles a long list of potential vulnerable machines Once the list is compiled the attacker begins infecting machines on the list Each infected machine is provided with a portion of the list to scan This results in a very short scanning period which may make it difficult to detect that infection is taking place Topological This method uses information contained on an infected victim machine to find more hosts to scan Local subnet If a host can be infected behind a firewall that host then looks for targets in its own local network The host uses the subnet address structure to find other hosts that would otherwise be protected by the firewall The first function in the propagation phase for a network worm is for it to search for other systems to infect, a process known as scanning or fingerprinting. For such worms, which exploit software vulnerabilities in remotely accessible network services, it must identify potential systems running the vulnerable service, and then infect them. Then, typically, the worm code now installed on the infected machines repeats the same scanning process, until a large distributed network of infected machines is created. [MIRK04] lists the following types of network address scanning strategies that such a worm can use: • Random: Each compromised host probes random addresses in the IP address space, using a different seed. This technique produces a high volume of Internet traffic, which may cause generalized disruption even before the actual attack is launched. 
• Hit-List: The attacker first compiles a long list of potential vulnerable machines. This can be a slow process done over a long period to avoid detection that an attack is underway. Once the list is compiled, the attacker begins infecting machines on the list. Each infected machine is provided with a portion of the list to scan. This strategy results in a very short scanning period, which may make it difficult to detect that infection is taking place. • Topological: This method uses information contained on an infected victim machine to find more hosts to scan. • Local subnet: If a host can be infected behind a firewall, that host then looks for targets in its own local network. The host uses the subnet address structure to find other hosts that would otherwise be protected by the firewall.
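The random and local-subnet strategies above leave a recognisable trace in connection logs: one source touching many distinct addresses in a short time, with most attempts failing. The following added example (not part of the original slides) runs that check over a constructed flow log; the log format, addresses, thresholds and function names are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict


def build_sample_log():
    """Constructed flow records: 'epoch_seconds src dst dport outcome'."""
    log = []
    # Ordinary workstation: a few repeat connections to three internal servers.
    for i in range(6):
        log.append(f"{1000 + 30 * i} 10.1.5.20 10.1.1.{10 + i % 3} 443 ok")
    # Mail relay: many distinct peers, but every connection succeeds.
    for i in range(25):
        log.append(f"{1000 + 2 * i} 10.1.2.5 198.51.100.{i + 1} 25 ok")
    # Host sweeping its own /24 (local-subnet strategy), mostly failing.
    for i in range(1, 61):
        outcome = "ok" if i % 6 == 0 else "fail"
        log.append(f"{999 + i} 10.1.5.77 10.1.5.{i} 445 {outcome}")
    # Host probing addresses scattered over the whole space (random strategy).
    for i in range(40):
        dst = f"{11 + 5 * i}.{37 * i % 256}.{91 * i % 256}.{53 * i % 254 + 1}"
        outcome = "ok" if i % 10 == 0 else "fail"
        log.append(f"{2000 + i} 10.1.9.14 {dst} 445 {outcome}")
    return log


def busiest_window(events, window):
    """Events of the window-second span that touches the most distinct hosts."""
    best, best_count, start = [], 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] >= window:
            start += 1
        span = events[start:end + 1]
        count = len({dst for _, dst, _ in span})
        if count > best_count:
            best, best_count = span, count
    return best


def classify(src, targets, local_prefix):
    """Label the address pattern of a flagged source."""
    home = ipaddress.ip_network(f"{src}/{local_prefix}", strict=False)
    if sum(t in home for t in targets) / len(targets) >= 0.8:
        return "local-subnet"
    # Probes spread over many different /8 networks look like random scanning.
    if len({int(t) >> 24 for t in targets}) >= len(targets) // 2:
        return "random"
    return "unclassified"


def detect_scanners(lines, window=60, min_targets=20, min_fail_ratio=0.5):
    """Return {(src, dport): finding} for sources that look like scanners."""
    per_key = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, outcome = line.split()
        per_key[(src, int(dport))].append(
            (int(ts), ipaddress.ip_address(dst), outcome))
    findings = {}
    for (src, dport), events in per_key.items():
        events.sort(key=lambda e: e[0])
        span = busiest_window(events, window)
        targets = {dst for _, dst, _ in span}
        fail_ratio = sum(o == "fail" for _, _, o in span) / len(span)
        # High fan-out alone is normal for relays and proxies; requiring
        # mostly failed connections separates blind probing from real use.
        if len(targets) >= min_targets and fail_ratio >= min_fail_ratio:
            findings[(src, dport)] = {
                "targets": len(targets),
                "fail_ratio": fail_ratio,
                "pattern": classify(src, targets, 24),
            }
    return findings


if __name__ == "__main__":
    for key, finding in detect_scanners(build_sample_log()).items():
        print(key, finding)
```

A rule like this depends on failed probes, so it is tuned for the random and local-subnet strategies; hit-list propagation, which the text notes is difficult to detect, needs other signals.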
65
A well-designed worm can spread rapidly and infect massive numbers of hosts. It is useful to have a general model for the rate of worm propagation. Computer viruses and worms exhibit similar self-replication and propagation behavior to biological viruses. Thus we can look to classic epidemic models for understanding computer virus and worm propagation behavior. Figure 6.3 shows the dynamics of worm propagation using this model. Propagation proceeds through three phases. In the initial phase, the number of hosts increases exponentially. To see that this is so, consider a simplified case in which a worm is launched from a single host and infects two nearby hosts. Each of these hosts infects two more hosts, and so on. This results in exponential growth. After a time, infecting hosts waste some time attacking already infected hosts, which reduces the rate of infection. During this middle phase, growth is approximately linear, but the rate of infection is rapid. When most vulnerable computers have been infected, the attack enters a slow finish phase as the worm seeks out those remaining hosts that are difficult to identify.
Clearly, the objective in countering a worm is to catch the worm in its slow start phase, at a time when few hosts have been infected.
Zou et al. [ZOU05] describe a model for worm propagation based on an analysis of network worm attacks at that time. The speed of propagation and the total number of hosts infected depend on a number of factors, including the mode of propagation, the vulnerability or vulnerabilities exploited, and the degree of similarity to preceding attacks. For the latter factor, an attack that is a variation of a recent previous attack may be countered more effectively than a more novel attack. Zou’s model agrees closely with Figure 6.3.
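The three phases described above can be reproduced with the simple epidemic (logistic) model dI/dt = βI(N − I)/N. The following Python sketch is an added example, not part of the original slides; the choice of this particular model, the parameter values and the 10%/90% phase thresholds are assumptions made for illustration.

```python
"""Simple epidemic (logistic) model of worm spread: dI/dt = beta * I * (N - I) / N.

N    = number of vulnerable hosts (assumed fixed: no patching or cleanup)
I(t) = number of infected hosts at time t
beta = infection rate per infected host per unit time (assumed constant)
"""
import math


def infected_at(n, beta, i0, t):
    """Closed-form solution I(t) of the logistic equation."""
    return n / (1.0 + (n / i0 - 1.0) * math.exp(-beta * t))


def simulate(n, beta, i0, dt, t_end):
    """Forward-Euler integration; returns [(t, I), ...] to compare with infected_at()."""
    infected = float(i0)
    series = [(0.0, infected)]
    for k in range(1, int(round(t_end / dt)) + 1):
        # (N - I)/N is the share of infection attempts that land on a host
        # that is not yet infected; the rest are wasted on infected hosts.
        infected += dt * beta * infected * (n - infected) / n
        series.append((k * dt, infected))
    return series


def time_to_fraction(n, beta, i0, fraction):
    """Time at which the infected share of vulnerable hosts reaches `fraction`."""
    if not 0.0 < fraction < 1.0:
        raise ValueError("fraction must be strictly between 0 and 1")
    if fraction * n <= i0:
        return 0.0  # already at or past that share when the outbreak starts
    return math.log((n / i0 - 1.0) * fraction / (1.0 - fraction)) / beta


def phase(n, infected, lo=0.10, hi=0.90):
    """Label a point on the curve; the lo/hi thresholds are illustrative assumptions."""
    share = infected / n
    if share < lo:
        return "slow start"
    if share >= hi:
        return "slow finish"
    return "middle"


def phase_timeline(n, beta, i0, lo=0.10, hi=0.90):
    """Times at which the outbreak leaves the slow start and enters the slow finish."""
    return {
        "slow start ends": time_to_fraction(n, beta, i0, lo),
        "slow finish begins": time_to_fraction(n, beta, i0, hi),
    }


if __name__ == "__main__":
    # Constructed parameters: 100,000 vulnerable hosts, one initial infection,
    # beta = 0.8 per hour. They are not fitted to any real outbreak.
    N, BETA, I0 = 100_000, 0.8, 1
    timeline = phase_timeline(N, BETA, I0)
    print("containment window (slow start) closes after %.1f h"
          % timeline["slow start ends"])
    print("slow finish begins after %.1f h" % timeline["slow finish begins"])
    for hour in range(0, 25, 3):
        count = infected_at(N, BETA, I0, hour)
        print("t=%2dh  infected=%8.0f  phase=%s" % (hour, count, phase(N, count)))
```

With these parameters almost the whole response window is the slow start: the middle phase that follows is much shorter, which is why early detection matters.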
66
Morris Worm
• Earliest significant worm infection
• Released by Robert Morris in 1988
• Designed to spread on UNIX systems
• Attempted to crack local password file to use login/password to logon to other systems
• Exploited a bug in the finger protocol which reports the whereabouts of a remote user
• Exploited a trapdoor in the debug option of the remote process that receives and sends mail
• Successful attacks achieved communication with the operating system command interpreter
• Sent interpreter a bootstrap program to copy worm over
Arguably, the earliest significant, and hence well-known, worm infection was released onto the Internet by Robert Morris in 1988 [ORMA03]. The Morris worm was designed to spread on UNIX systems and used a number of different techniques for propagation. When a copy began execution, its first task was to discover other hosts known to this host that would allow entry from this host. The worm performed this task by examining a variety of lists and tables, including system tables that declared which other machines were trusted by this host, users’ mail forwarding files, tables by which users gave themselves permission for access to remote accounts, and from a program that reported the status of network connections. For each discovered host, the worm tried a number of methods for gaining access:
1. It attempted to log on to a remote host as a legitimate user. In this method, the worm first attempted to crack the local password file and then used the discovered passwords and corresponding user IDs. The assumption was that many users would use the same password on different systems. To obtain the passwords, the worm ran a password-cracking program that tried
a. Each user’s account name and simple permutations of it
b. A list of 432 built-in passwords that Morris thought to be likely candidates
c. All the words in the local system dictionary
2. It exploited a bug in the UNIX finger protocol, which reports the whereabouts of a remote user.
3. It exploited a trapdoor in the debug option of the remote process that receives and sends mail.
If any of these attacks succeeded, the worm achieved communication with the operating system command interpreter. It then sent this interpreter a short bootstrap program, issued a command to execute that program, and then logged off. The bootstrap program then called back the parent program and downloaded the remainder of the worm. The new worm was then executed.
67
Recent Worm Attacks
• Melissa (1998): e-mail worm; first to include virus, worm and Trojan in one package
• Code Red (July 2001): exploited Microsoft IIS bug; probes random IP addresses; consumes significant Internet capacity when active
• Code Red II (August 2001): also targeted Microsoft IIS; installs a backdoor for access
• Nimda (September 2001): had worm, virus and mobile code characteristics; spread using e-mail, Windows shares, Web servers, Web clients, backdoors
• SQL Slammer (early 2003): exploited a buffer overflow vulnerability in SQL server; compact and spread rapidly
• Sobig.F (late 2003): exploited open proxy servers to turn infected machines into spam engines
• Mydoom (2004): mass-mailing worm; installed a backdoor in infected machines
• Warezov (2006): creates executables in system directories; sends itself as an attachment; can disable security related products
• Conficker (Downadup) (November 2008): exploits a Windows buffer overflow vulnerability; most widespread infection since SQL Slammer
• Stuxnet (2010): restricted rate of spread to reduce chance of detection; targeted industrial control systems
The Melissa worm that appeared in 1998 was the first of a new generation of malware that included aspects of virus, worm, and Trojan in one package [CASS01]. Melissa made use of a Microsoft Word macro embedded in an attachment. If the recipient opens the attachment, the Word macro is activated. Then it
1. sends itself to everyone on the mailing list in the user’s e-mail package, propagating as a worm; and
2. does local damage on the user’s system, including disabling some security tools, and also copying itself into other documents, propagating as a virus; and
3. if a trigger time was seen, it displayed a Simpson quote as its payload.
In 1999, a more powerful version of this virus appeared. This version could be activated merely by opening an e-mail that contains the virus, rather than by opening an attachment. The virus uses the Visual Basic scripting language supported by the e-mail package.
Melissa propagates itself as soon as it is activated (either by opening an attachment or by opening the e-mail) to all of the addresses known to the infected host. As a result, whereas viruses used to take months or years to propagate, this next generation of malware could do so in hours. [CASS01] notes that it took only three days for Melissa to infect over 100,000 computers, compared to the months it took the Brain virus to infect a few thousand computers a decade before. This makes it very difficult for anti-virus software to respond to new attacks before much damage is done.
The Code Red worm first appeared in July 2001. Code Red exploits a security hole in the Microsoft Internet Information Server (IIS) to penetrate and spread. It also disables the system file checker in Windows. The worm probes random IP addresses to spread to other hosts. During a certain period of time, it only spreads. It then initiates a denial-of-service attack against a government Web site by flooding the site with packets from numerous hosts. The worm then suspends activities and reactivates periodically. In the second wave of attack, Code Red infected nearly 360,000 servers in 14 hours. In addition to the havoc it caused at the targeted server, Code Red consumed enormous amounts of Internet capacity, disrupting service.
Code Red II is another, distinct, variant that first appeared in August 2001, and also targeted Microsoft IIS. It tried to infect systems on the same subnet as the infected system. Also, this newer worm installs a backdoor, allowing a hacker to remotely execute commands on victim computers.
The Nimda worm that appeared in September 2001 also has worm, virus, and mobile code characteristics. It spread using a variety of distribution methods:
• E-mail: A user on a vulnerable host opens an infected attachment; Nimda looks for addresses on the host and then sends copies of itself to those addresses.
• Windows shares: Nimda scans hosts for unsecured Windows file shares; it can then use NetBIOS86 as a transport mechanism to infect files on that host in the hopes that a user will run an infected file, which will activate Nimda on that host.
• Web servers: Nimda scans Web servers, looking for known vulnerabilities in Microsoft IIS. If it finds a vulnerable server, it attempts to transfer a copy of itself to the server and infects it and its files.
• Web clients: If a vulnerable Web client visits a Web server that has been infected by Nimda, the client’s workstation will become infected.
• Backdoors: If a workstation was infected by earlier worms, such as “Code Red II,” then Nimda will use the backdoor access left by these earlier infections to access the system.
In early 2003, the SQL Slammer worm appeared. This worm exploited a buffer overflow vulnerability in Microsoft SQL server. The Slammer was extremely compact and spread rapidly, infecting 90% of vulnerable hosts within 10 minutes. This rapid spread caused significant congestion on the Internet.
Late 2003 saw the arrival of the Sobig.F worm, which exploited open proxy servers to turn infected machines into spam engines. At its peak, Sobig.F reportedly accounted for one in every 17 messages and produced more than one million copies of itself within the first 24 hours.
Mydoom is a mass-mailing worm that appeared in 2004. It followed a growing trend of installing a backdoor in infected computers, thereby enabling hackers to gain remote access to data such as passwords and credit card numbers. Mydoom replicated up to 1,000 times per minute and reportedly flooded the Internet with 100 million infected messages in 36 hours.
The Warezov family of worms appeared in 2006 [KIRK06]. When the worm is launched, it creates several executables in system directories and sets itself to run every time Windows starts by creating a registry entry. Warezov scans several types of files for addresses and sends itself as an attachment. Some variants are capable of downloading other malware, such as Trojan horses and adware. Many variants disable security-related products and/or disable their updating capability.
The Conficker (or Downadup) worm was first detected in November 2008 and spread quickly to become one of the most widespread infections since SQL Slammer in 2003 [LAWT09]. It spread initially by exploiting a Windows buffer overflow vulnerability, though later versions could also spread via USB drives and network file shares. In 2010, it still comprised the second most common family of malware observed by Symantec [SYMA13], even though patches were available from Microsoft to close the main vulnerabilities it exploits.
In 2010, the Stuxnet worm was detected, though it had been spreading quietly for some time previously [CHEN11, KUSH13]. Unlike many previous worms, it deliberately restricted its rate of spread to reduce its chance of detection. It also targeted industrial control systems, most likely those associated with the Iranian nuclear program, with the likely aim of disrupting the operation of their equipment. It supported a range of propagation mechanisms, including via USB drives, network file shares, and using no less than four unknown, zero-day vulnerability exploits. Considerable debate resulted from the size and complexity of its code, the use of an unprecedented four zero-day exploits, and the cost and effort apparent in its development. There are claims that it appears to be the first serious use of a cyberwarfare weapon against a nation’s physical infrastructure. The researchers at Symantec who analyzed Stuxnet noted that while they were expecting to find espionage, they never expected to see malware with targeted sabotage as its aim. As a result, greater attention is now being directed at the use of malware as a weapon by a number of nations.
In late 2011 the Duqu worm was discovered, which uses code related to that in Stuxnet. Its aim is different, being cyber-espionage, though it appears to also target the Iranian nuclear program. Another prominent, recent, cyber-espionage worm is the Flame family, which was discovered in 2012 and appears to target Middle-Eastern countries. Despite the specific target areas for these various worms, their infection strategies have been so successful that they have been identified on computer systems in a very large number of countries, including on systems kept physically isolated from the general Internet. This reinforces the need for significantly improved countermeasures to resist such infections.
68
Worm Technology
• Multiplatform
• Multi-exploit
• Ultrafast spreading
• Polymorphic
• Metamorphic
The state of the art in worm technology includes the following:
• Multiplatform: Newer worms are not limited to Windows machines but can attack a variety of platforms, especially the popular varieties of UNIX; or exploit macro or scripting languages supported in popular document types.
• Multi-exploit: New worms penetrate systems in a variety of ways, using exploits against Web servers, browsers, e-mail, file sharing, and other network-based applications; or via shared media.
• Ultrafast spreading: Exploit various techniques to optimize the rate of spread of a worm to maximize its likelihood of locating as many vulnerable machines as possible in a short time period.
• Polymorphic: To evade detection, skip past filters, and foil real-time analysis, worms adopt the virus polymorphic technique. Each copy of the worm has new code generated on the fly using functionally equivalent instructions and encryption techniques.
• Metamorphic: In addition to changing their appearance, metamorphic worms have a repertoire of behavior patterns that are unleashed at different stages of propagation.
• Transport vehicles: Because worms can rapidly compromise a large number of systems, they are ideal for spreading a wide variety of malicious payloads, such as distributed denial-of-service bots, rootkits, spam generators, and spyware.
• Zero-day exploit: To achieve maximum surprise and distribution, a worm should exploit an unknown vulnerability that is only discovered by the general network community when the worm is launched.
69
Mobile Code
• Programs that can be shipped unchanged to a variety of platforms
• Transmitted from a remote system to a local system and then executed on the local system
• Often acts as a mechanism for a virus, worm, or Trojan horse
• Takes advantage of vulnerabilities to perform its own exploits
• Popular vehicles include Java applets, ActiveX, JavaScript and VBScript
Mobile code refers to programs (e.g., script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics [JANS08]. Mobile code is transmitted from a remote system to a local system and then executed on the local system without the user’s explicit instruction [SOUP13]. Mobile code often acts as a mechanism for a virus, worm, or Trojan horse to be transmitted to the user’s workstation. In other cases, mobile code takes advantage of vulnerabilities to perform its own exploits, such as unauthorized data access or root compromise. Popular vehicles for mobile code include Java applets, ActiveX, JavaScript, and VBScript. The most common ways of using mobile code for malicious operations on a local system are cross-site scripting, interactive and dynamic Web sites, attachments, and downloads from untrusted sites or of untrusted software.
70
Mobile Phone Worms
• First discovery was Cabir worm in 2004
• Then Lasco and CommWarrior in 2005
• Communicate through Bluetooth wireless connections or MMS
• Target is the smartphone
• Can completely disable the phone, delete data on the phone, or force the device to send costly messages
• CommWarrior replicates by means of Bluetooth to other phones, sends itself as an MMS file to contacts and as an auto reply to incoming text messages
Worms first appeared on mobile phones with the discovery of the Cabir worm in 2004, and then Lasco and CommWarrior in 2005. These worms communicate through Bluetooth wireless connections or via the multimedia messaging service (MMS). The target is the smartphone, which is a mobile phone that permits users to install software applications from sources other than the cellular network operator. All these early mobile worms targeted mobile phones using the Symbian operating system. More recent malware targets Android and iPhone systems. Mobile phone malware can completely disable the phone, delete data on the phone, or force the device to send costly messages to premium-priced numbers.
The CommWarrior worm replicates by means of Bluetooth to other phones in the receiving area. It also sends itself as an MMS file to numbers in the phone’s address book and in automatic replies to incoming text messages and MMS messages. In addition, it copies itself to the removable memory card and inserts itself into the program installation files on the phone.
Although these examples demonstrate that mobile phone worms are possible, the vast majority of mobile phone malware observed use trojan apps to install themselves [SYMA13].
71
Drive-By-Downloads
• Exploits browser vulnerabilities to download and install malware on the system when the user views a Web page controlled by the attacker
• In most cases does not actively propagate
• Spreads when users visit the malicious Web page
Another approach to exploiting software vulnerabilities involves the exploit of bugs in user applications to install malware. A common technique exploits browser vulnerabilities so that when the user views a Web page controlled by the attacker, it contains code that exploits the browser bug to download and install malware on the system without the user’s knowledge or consent. This is known as a drive-by-download and is a common exploit in recent attack kits. In most cases, this malware does not actively propagate as a worm does, but rather waits for unsuspecting users to visit the malicious Web page in order to spread to their systems.
In general, drive-by-download attacks are aimed at anyone who visits a compromised site and is vulnerable to the exploits used. Watering-hole attacks are a variant of this used in highly targeted attacks [SYMA13]. The attacker researches their intended victims to identify web sites they are likely to visit, and then scans these sites to identify those with vulnerabilities that allow their compromise with a drive-by-download attack. They then wait for one of their intended victims to visit one of the compromised sites. Their attack code may even be written so that it will only infect systems belonging to the target organization, and take no action for other visitors to the site. This greatly increases the likelihood of the site compromise remaining undetected.
Malvertising is another technique used to place malware on websites without actually compromising them [SYMA13]. The attacker pays for advertisements that are highly likely to be placed on their intended target websites, and which incorporate malware in them. Using these malicious ads, attackers can infect visitors to sites displaying them. Again, the malware code may be dynamically generated to either reduce the chance of detection, or to only infect specific systems.
Related variants can exploit bugs in common clients, such as the Klez mass-mailing worm seen in October 2001, which targeted a bug in the HTML handling in Microsoft’s Outlook and Outlook Express programs to automatically run itself. Or, such malware may target common PDF viewers to also download and install malware without the user’s consent when they view a malicious PDF document [STEV11]. Such documents may be spread by spam e-mail, or be part of a targeted phishing attack, as we discuss in the next section.
72
Clickjacking
• Also known as a user-interface (UI) redress attack
• Using a similar technique, keystrokes can also be hijacked
• A user can be led to believe they are typing in the password to their e-mail or bank account, but are instead typing into an invisible frame controlled by the attacker
• Vulnerability used by an attacker to collect an infected user’s clicks
• The attacker can force the user to do a variety of things from adjusting the user’s computer settings to unwittingly sending the user to Web sites that might have malicious code
• By taking advantage of Adobe Flash or JavaScript an attacker could even place a button under or over a legitimate button making it difficult for users to detect
• A typical attack uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page
• The attacker is hijacking clicks meant for one page and routing them to another page
Clickjacking, also known as a user-interface (UI) redress attack, is a vulnerability used by an attacker to collect an infected user’s clicks. The attacker can force the user to do a variety of things from adjusting the user’s computer settings to unwittingly sending the user to Web sites that might have malicious code. Also, by taking advantage of Adobe Flash or JavaScript, an attacker could even place a button under or over a legitimate button, making it difficult for users to detect. A typical attack uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is hijacking clicks meant for one page and routing them to another page, most likely owned by another application, domain, or both.
Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their e-mail or bank account, but are instead typing into an invisible frame controlled by the attacker.
There is a wide variety of techniques for accomplishing a clickjacking attack, and new techniques are developed as defenses to older techniques are put in place. [NIEM11] and [STON10] are useful discussions.
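Because the attack depends on the victim page being loaded inside a frame the attacker controls, a site owner can check whether each response tells the browser who may frame it. The following Python check is an added example, not part of the original slides: it classifies a response by its X-Frame-Options and Content-Security-Policy frame-ancestors headers, and the function names and sample responses are constructed for illustration.

```python
"""Audit HTTP response headers for anti-framing (clickjacking) protection."""


def header(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if absent.

    frame-ancestors does not fall back to default-src, so a policy without
    the directive places no restriction on framing.
    """
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [token.lower() for token in tokens[1:]]
    return None


# Sources that let any site (or any site on a scheme) frame the page.
ANY_ORIGIN = {"*", "http:", "https:"}


def framing_verdict(headers):
    """Return (verdict, reason); verdict is one of
    'blocked', 'same-origin', 'allowlist', 'unprotected'."""
    # Only the enforcing header is read; Content-Security-Policy-Report-Only
    # reports violations but does not block framing.
    sources = frame_ancestors(header(headers, "Content-Security-Policy"))
    if sources is not None:
        # Browsers that support frame-ancestors enforce it in preference
        # to X-Frame-Options, so it is evaluated first.
        if sources == ["'none'"]:
            return "blocked", "frame-ancestors 'none'"
        if sources == ["'self'"]:
            return "same-origin", "frame-ancestors 'self'"
        if not sources or ANY_ORIGIN & set(sources):
            return "unprotected", "frame-ancestors is empty or admits any origin"
        return "allowlist", "frame-ancestors " + " ".join(sources)

    xfo = header(headers, "X-Frame-Options").upper()
    if xfo == "DENY":
        return "blocked", "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return "same-origin", "X-Frame-Options: SAMEORIGIN"
    if xfo:
        # ALLOW-FROM is obsolete and ignored by current browsers.
        return "unprotected", "X-Frame-Options value %r is not DENY or SAMEORIGIN" % xfo
    return "unprotected", "no anti-framing header present"


# Constructed sample responses (hypothetical URLs and header sets).
SAMPLE_RESPONSES = {
    "https://bank.example/login": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "https://bank.example/transfer": {"X-Frame-Options": "SAMEORIGIN"},
    "https://bank.example/widget": {
        "content-security-policy": "frame-ancestors 'self' https://partner.example"},
    "https://bank.example/settings": {
        "X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "https://bank.example/help": {"Content-Security-Policy": "default-src 'self'"},
}


def unprotected_urls(responses):
    """URLs whose responses any third-party page could load in a frame."""
    return sorted(url for url, hdrs in responses.items()
                  if framing_verdict(hdrs)[0] == "unprotected")


if __name__ == "__main__":
    for url, hdrs in SAMPLE_RESPONSES.items():
        print("%-32s %-12s %s" % ((url,) + framing_verdict(hdrs)))
```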
73
Social Engineering
• “Tricking” users to assist in the compromise of their own systems
• Spam: unsolicited bulk e-mail; significant carrier of malware; used for phishing attacks
• Trojan horse: program or utility containing harmful hidden code; used to accomplish functions that the attacker could not accomplish directly
• Mobile phone trojans: first appeared in 2004 (Skuller); target is the smartphone
The final category of malware propagation we consider involves social engineering, “tricking” users to assist in the compromise of their own systems or personal information. This can occur when a user views and responds to some SPAM e-mail, or permits the installation and execution of some Trojan horse program or scripting code.
Spam (Unsolicited Bulk E-Mail)
With the explosive growth of the Internet over the last few decades, the widespread use of e-mail, and the extremely low cost required to send large volumes of e-mail, has come the rise of unsolicited bulk e-mail, commonly known as spam. A number of recent estimates suggest that spam may account for 90% or more of all e-mail sent. This imposes significant costs on both the network infrastructure needed to relay this traffic, and on users who need to filter their legitimate e-mails out of this flood. In response to this explosive growth, there has been the equally rapid growth of the anti-spam industry that provides products to detect and filter spam e-mails. This has led to an arms race between the spammers devising techniques to sneak their content through, and with the defenders’ efforts to block them [KREI09].
In recent years, the volume of spam has started to decline. One reason is the rapid growth of attacks, including spam, spread via social media networks. This reflects the rapid growth in use of these networks, which form a new arena for attackers to exploit [SYMA13].
While some spam is sent from legitimate mail servers, most recent spam is sent by botnets using compromised user systems, as we discuss in Section. A significant portion of spam content is just advertising, trying to convince the recipient to purchase some product online, such as pharmaceuticals, or used in scams, such as stock scams or money mule job ads. But spam is also a significant carrier of malware. The e-mail may have an attached document, which, if opened, may exploit a software vulnerability to install malware on the user’s system, as we discussed in the previous section. Or, it may have an attached Trojan horse program or scripting code that, if run, also installs malware on the user’s system. Some trojans avoid the need for user agreement by exploiting a software vulnerability in order to install themselves, as we discuss next. Finally the spam may be used in a phishing attack, typically directing the user either to a fake Web site that mirrors some legitimate service, such as an online banking site, where it attempts to capture the user’s login and password details; or to complete some form with sufficient personal details to allow the attacker to impersonate the user in an identity theft. All of these uses make spam e-mails a significant security concern. However, in many cases, it requires the user’s active choice to view the e-mail and any attached document, or to permit the installation of some program, in order for the compromise to occur.
Trojan Horses
A Trojan horse is a useful, or apparently useful, program or utility containing hidden code that, when invoked, performs some unwanted or harmful function.
Trojan horse programs can be used to accomplish functions indirectly that the attacker could not accomplish directly. For example, to gain access to sensitive, personal information stored in the files of a user, an attacker could create a Trojan horse program that, when executed, scans the user’s files for the desired sensitive information and sends a copy of it to the attacker via a Web form or e-mail or text message. The author could then entice users to run the program by incorporating it into a game or useful utility program, and making it available via a known software distribution site or app store. This approach has been used recently with utilities that “claim” to be the latest anti-virus scanner, or security update, for systems, but which are actually malicious trojans, often carrying payloads such as spyware that searches for banking credentials. Hence, users need to take precautions to validate the source of any software they install.
Trojan horses fit into one of three models:
• Continuing to perform the function of the original program and additionally performing a separate malicious activity
• Continuing to perform the function of the original program but modifying the function to perform malicious activity (e.g., a Trojan horse version of a login program that collects passwords) or to disguise other malicious activity (e.g., a Trojan horse version of a process listing program that does not display certain processes that are malicious)
• Performing a malicious function that completely replaces the function of the original program
Some Trojans avoid the requirement for user assistance by exploiting some software vulnerability to enable their automatic installation and execution. In this they share some features of a worm, but unlike it, they do not replicate. A prominent example of such an attack was the Hydraq Trojan used in Operation Aurora in 2009 and early 2010. This exploited a vulnerability in Internet Explorer to install itself, and targeted several high-profile companies [SYMA13]. It was typically distributed using either spam or via a compromised Web site using a “watering-hole” attack.
Mobile Phone Trojans
Mobile phone Trojans also first appeared in 2004 with the discovery of Skuller. As with mobile worms, the target is the smartphone, and the early mobile Trojans targeted Symbian phones. More recently, a significant number of Trojans have been detected that target Android phones and Apple iPhones. These Trojans are usually distributed via one or more of the app marketplaces for the target phone O/S.
In 2011, Google removed a number of apps from the Android Market that were Trojans containing the DroidDream malware. This is a powerful zombie agent that exploited vulnerabilities in some versions of Android used at this time to gain full access to the system to monitor data and install additional code. However, this is just one of 49 families of Android malware analyzed in [ZHOU12]. They reviewed over 1200 malware samples found in various Android marketplaces, and noted that 90% of these resulted in the compromised phone being added to a botnet, often with support for accessing premium services or for harvesting user information. They further noted that none of the mobile anti-virus products they tested were able to detect all of these families. Hence, further development of these products was clearly needed, especially given the rapid evolution of this category of malware.
The tighter controls that Apple impose on their app store, mean that most iPhone Trojans seen to date target “jail-broken” phones, and are distributed via unofficial sites. However a number of versions of the iPhone O/S contained some form of graphic or PDF vulnerability. Indeed these vulnerabilities were the main means used to “jail-break” the phones. But they also provided a path that malware could use to target the phones. While Apple has fixed a number of these vulnerabilities, new variants continued to be discovered. This is yet another illustration of just how difficult it is, for even well resourced organizations, to write secure software within a complex system, such as an operating system. We return to this topic in Chapters 10 and 11.
74
Payload System Corruption
• Chernobyl virus: first seen in 1998; Windows 95 and 98 virus; infects executable files and corrupts the entire file system when a trigger date is reached
• Klez: mass mailing worm infecting Windows 95 to XP systems; on trigger date causes files on the hard drive to become empty
• Ransomware: encrypts the user’s data and demands payment in order to access the key needed to recover the information; PC Cyborg Trojan (1989); Gpcode Trojan (2006)
Once malware is active on the target system, the next concern is what actions it will take on this system. That is, what payload does it carry. Some malware has a nonexistent or nonfunctional payload. Its only purpose, either deliberate or due to accidental early release, is to spread. More commonly, it carries one or more payloads that perform covert actions for the attacker.
An early payload seen in a number of viruses and worms resulted in data destruction on the infected system when certain trigger conditions were met [WEAV03]. A related payload is one that displays unwanted messages or content on the user’s system when triggered. More seriously, another variant attempts to inflict real-world damage on the system. All of these actions target the integrity of the computer system’s software or hardware, or of the user’s data. These changes may not occur immediately, but only when specific trigger conditions are met that satisfy their logic-bomb code.
The Chernobyl virus is an early example of a destructive parasitic memory-resident Windows-95 and 98 virus, that was first seen in 1998. It infects executable files when they’re opened. And when a trigger date is reached, it deletes data on the infected system by overwriting the first megabyte of the hard drive with zeroes, resulting in massive corruption of the entire file system. This first occurred on April 26, 1999, when estimates suggest more than one million computers were affected.
Similarly, the Klez mass-mailing worm is an early example of a destructive worm infecting Windows-95 to XP systems, and was first seen in October 2001. It spreads by e-mailing copies of itself to addresses found in the address book and in files on the system. It can stop and delete some anti-virus programs running on the system. On trigger dates, being the 13th of several months each year, it causes files on the local hard drive to become empty.
As an alternative to just destroying data, some malware encrypts the user’s data, and demands payment in order to access the key needed to recover this information. This is sometimes known as ransomware. The PC Cyborg Trojan seen in 1989 was an early example of this. However, around mid-2006, a number of worms and trojans appeared, such as the Gpcode Trojan, that used public-key cryptography with increasingly larger key sizes to encrypt data. The user needed to pay a ransom, or to make a purchase from certain sites, in order to receive the key to decrypt this data. While earlier instances used weaker cryptography that could be cracked without paying the ransom, the later versions using public-key cryptography with large key sizes could not be broken this way. [SYMA13] notes that ransomware is a growing challenge, often spread via “drive-by-downloads.”
75
Payload System Corruption
Real-world damage Causes damage to physical equipment Chernobyl virus rewrites BIOS code Stuxnet worm Targets specific industrial control system software There are concerns about using sophisticated targeted malware for industrial sabotage Logic bomb Code embedded in the malware that is set to “explode” when certain conditions are met A further variant of system corruption payloads aims to cause damage to physical equipment. The infected system is clearly the device most easily targeted. The Chernobyl virus mentioned above not only corrupts data, but attempts to rewrite the BIOS code used to initially boot the computer. If it is successful, the boot process fails, and the system is unusable until the BIOS chip is either re-programmed or replaced. More recently, the Stuxnet worm that we discussed previously targets some specific industrial control system software as its key payload [CHEN11, KUSH13]. If control systems using certain Siemens industrial control software with a specific configuration of devices are infected, then the worm replaces the original control code with code that deliberately drives the controlled equipment outside its normal operating range, resulting in the failure of the attached equipment. The centrifuges used in the Iranian uranium enrichment program were strongly suspected as the target, with reports of much higher than normal failure rates observed in them over the period when this worm was active. As noted in our earlier discussion, this has raised concerns over the use of sophisticated targeted malware for industrial sabotage. A key component of data corrupting malware is the logic bomb. The logic bomb is code embedded in the malware that is set to “explode” when certain conditions are met. 
Examples of conditions that can be used as triggers for a logic bomb are the presence or absence of certain files or devices on the system, a particular day of the week or date, a particular version or configuration of some software, or a particular user running the application. Once triggered, a bomb may alter or delete data or entire files, cause a machine halt, or do some other damage. A striking example of how logic bombs can be employed was the case of Tim Lloyd, who was convicted of setting a logic bomb that cost his employer, Omega Engineering, more than $10 million, derailed its corporate growth strategy, and eventually led to the layoff of 80 workers [GAUD00]. Ultimately, Lloyd was sentenced to 41 months in prison and ordered to pay $2 million in restitution.
76
Payload – Attack Agents Bots
Takes over another Internet attached computer and uses that computer to launch or manage attacks Botnet - collection of bots capable of acting in a coordinated manner Uses: Distributed denial-of-service (DDoS) attacks Spamming Sniffing traffic Keylogging Spreading new malware Installing advertisement add-ons and browser helper objects (BHOs) Attacking IRC chat networks Manipulating online polls/games The next category of payload we discuss is where the malware subverts the computational and network resources of the infected system for use by the attacker. Such a system is known as a bot (robot), zombie or drone, and secretly takes over another Internet-attached computer and then uses that computer to launch or manage attacks that are difficult to trace to the bot’s creator. The bot is typically planted on hundreds or thousands of computers belonging to unsuspecting third parties. The collection of bots often is capable of acting in a coordinated manner; such a collection is referred to as a botnet. This type of payload attacks the integrity and availability of the infected system. Uses of Bots [HONE05] lists the following uses of bots: • Distributed denial-of-service (DDoS) attacks: A DDoS attack is an attack on a computer system or network that causes a loss of service to users. We examine DDoS attacks in Chapter 7. • Spamming: With the help of a botnet and thousands of bots, an attacker is able to send massive amounts of bulk e-mail (spam). • Sniffing traffic: Bots can also use a packet sniffer to watch for interesting cleartext data passing by a compromised machine. The sniffers are mostly used to retrieve sensitive information like usernames and passwords. • Keylogging: If the compromised machine uses encrypted communication channels (e.g. HTTPS or POP3S), then just sniffing the network packets on the victim’s computer is useless because the appropriate key to decrypt the packets is missing.
But by using a keylogger, which captures keystrokes on the infected machine, an attacker can retrieve sensitive information. • Spreading new malware: Botnets are used to spread new bots. This is very easy since all bots implement mechanisms to download and execute a file via HTTP or FTP. A botnet with 10,000 hosts that acts as the start base for a worm or mail virus allows very fast spreading and thus causes more harm. • Installing advertisement add-ons and browser helper objects (BHOs): Botnets can also be used to gain financial advantages. This works by setting up a fake Web site with some advertisements: The operator of this Web site negotiates a deal with some hosting companies that pay for clicks on ads. With the help of a botnet, these clicks can be “automated” so that instantly a few thousand bots click on the pop-ups. This process can be further enhanced if the bot hijacks the start-page of a compromised machine so that the “clicks” are executed each time the victim uses the browser. • Attacking IRC chat networks: Botnets are also used for attacks against Internet Relay Chat (IRC) networks. Especially popular among attackers is the so-called clone attack: In this kind of attack, the controller orders each bot to connect a large number of clones to the victim IRC network. The victim is flooded by service requests from thousands of bots or thousands of channel joins by these cloned bots. In this way, the victim IRC network is brought down, similar to a DDoS attack. • Manipulating online polls/games: Online polls/games are getting more and more attention and it is rather easy to manipulate them with botnets. Since every bot has a distinct IP address, every vote will have the same credibility as a vote cast by a real person. Online games can be manipulated in a similar way.
77
Remote Control Facility
Distinguishes a bot from a worm Worm propagates itself and activates itself Bot is initially controlled from some central facility Typical means of implementing the remote control facility is on an IRC server Bots join a specific channel on this server and treat incoming messages as commands More recent botnets use covert communication channels via protocols such as HTTP Distributed control mechanisms use peer-to-peer protocols to avoid a single point of failure The remote control facility is what distinguishes a bot from a worm. A worm propagates itself and activates itself, whereas a bot is controlled by some form of command-and-control (C&C) server network. This contact does not need to be continuous, but can be initiated periodically when the bot observes it has network access. An early means of implementing the remote control facility used an IRC server. All bots join a specific channel on this server and treat incoming messages as commands. More recent botnets tend to avoid IRC mechanisms and use covert communication channels via protocols such as HTTP. Distributed control mechanisms, using peer-to-peer protocols, are also used, to avoid a single point of failure. Originally these C&C servers used fixed addresses, which meant they could be located and potentially taken over or removed by law enforcement agencies. Some more recent malware families have used techniques such as the automatic generation of very large numbers of server domain names that the malware will try to contact. If one server name is compromised, the attackers can set up a new server at another name they know will be tried. To defeat this requires security analysts to reverse engineer the name generation algorithm, and to then attempt to gain control over all of the extremely large number of possible domains.
Another technique used to hide the servers is fast-flux DNS, where the address associated with a given server name is changed frequently, often every few minutes, to rotate over a large number of server proxies, usually other members of the botnet. Such approaches hinder attempts by law enforcement agencies to respond to the botnet threat. Once a communications path is established between a control module and the bots, the control module can manage the bots. In its simplest form, the control module simply issues a command to the bot that causes the bot to execute routines that are already implemented in the bot. For greater flexibility, the control module can issue update commands that instruct the bots to download a file from some Internet location and execute it. The bot in this latter case becomes a more general purpose tool that can be used for multiple attacks. The control module can also collect information gathered by the bots that the attacker can then exploit.
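Fast-flux DNS as described above leaves a recognizable trace in passive DNS data: one name, many addresses in unrelated networks, short TTLs, and a change every few minutes. The following detector is an added example, not part of the original slides; the observation format, the thresholds, and the use of /24 prefixes as a stand-in for "different networks" are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed passive-DNS observations: (unix_time, name, A record, TTL in seconds).
# Names use the reserved .example TLD; addresses come from documentation ranges.
SAMPLE_OBSERVATIONS = [
    # A stable site: one address, long TTL.
    (0, "www.shop.example", "192.0.2.10", 3600),
    (900, "www.shop.example", "192.0.2.10", 3600),
    (1800, "www.shop.example", "192.0.2.10", 3600),
    # A load-balanced pool: short TTL and rotation, but all in one network.
    (0, "cdn.media.example", "198.51.100.1", 60),
    (180, "cdn.media.example", "198.51.100.2", 60),
    (360, "cdn.media.example", "198.51.100.3", 60),
    (540, "cdn.media.example", "198.51.100.1", 60),
    (720, "cdn.media.example", "198.51.100.4", 60),
    # Fast-flux pattern: a new address in a different network every few minutes.
    (0, "update.flux.example", "192.0.2.77", 180),
    (180, "update.flux.example", "203.0.113.5", 180),
    (360, "update.flux.example", "198.51.100.200", 180),
    (540, "update.flux.example", "203.0.113.91", 180),
    (720, "update.flux.example", "192.0.2.140", 180),
    (900, "update.flux.example", "198.51.100.33", 180),
]


def profile(observations):
    """Summarise, per name, how its address records behave over time."""
    by_name = defaultdict(list)
    for ts, name, addr, ttl in observations:
        key = name.lower().rstrip(".")
        by_name[key].append((ts, ipaddress.ip_address(addr), ttl))

    stats = {}
    for name, rows in by_name.items():
        rows.sort(key=lambda r: r[0])
        addrs = {a for _, a, _ in rows}
        # Assumption: a /24 (IPv4) or /48 (IPv6) prefix approximates "one network".
        nets = {
            ipaddress.ip_network(f"{a}/{24 if a.version == 4 else 48}", strict=False)
            for a in addrs
        }
        changes = sum(1 for prev, cur in zip(rows, rows[1:]) if prev[1] != cur[1])
        span = rows[-1][0] - rows[0][0]
        stats[name] = {
            "distinct_ips": len(addrs),
            "distinct_nets": len(nets),
            "median_ttl": median(t for _, _, t in rows),
            # Average seconds between address changes; None if it never changed.
            "secs_per_change": span / changes if changes else None,
        }
    return stats


def find_fast_flux(observations, min_ips=5, min_nets=3, max_ttl=300,
                   max_secs_per_change=600):
    """Return names whose records match all fast-flux indicators (assumed thresholds)."""
    flagged = []
    for name, s in profile(observations).items():
        rotates_fast = (s["secs_per_change"] is not None
                        and s["secs_per_change"] <= max_secs_per_change)
        if (s["distinct_ips"] >= min_ips and s["distinct_nets"] >= min_nets
                and s["median_ttl"] <= max_ttl and rotates_fast):
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    for name in find_fast_flux(SAMPLE_OBSERVATIONS):
        print("possible fast-flux name:", name)
```

The load-balanced pool rotates just as quickly as the flux name, so rotation speed and TTL alone would misclassify it; the spread across networks is what separates the two in this sample.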
78
Payload – Information Theft Keyloggers and Spyware
Captures keystrokes to allow attacker to monitor sensitive information Typically uses some form of filtering mechanism that only returns information close to keywords (“login”, “password”) Spyware Subverts the compromised machine to allow monitoring of a wide range of activity on the system Monitoring history and content of browsing activity Redirecting certain Web page requests to fake sites Dynamically modifying data exchanged between the browser and certain Web sites of interest We now consider payloads where the malware gathers data stored on the infected system for use by the attacker. A common target is the user’s login and password credentials to banking, gaming, and related sites, which the attacker then uses to impersonate the user to access these sites for gain. Less commonly, the payload may target documents or system configuration details for the purpose of reconnaissance or espionage. These attacks target the confidentiality of this information. Credential Theft, Keyloggers, and Spyware Typically, users send their login and password credentials to banking, gaming, and related sites over encrypted communication channels (e.g., HTTPS or POP3S), which protects them from capture by monitoring network packets. To bypass this, an attacker can install a keylogger, which captures keystrokes on the infected machine to allow an attacker to monitor this sensitive information. Since this would result in the attacker receiving a copy of all text entered on the compromised machine, keyloggers typically implement some form of filtering mechanism that only returns information close to desired keywords (e.g., “login” or “password” or “paypal.com”). In response to the use of keyloggers, some banking and other sites switched to using a graphical applet to enter critical information, such as passwords. Since these do not use text entered via the keyboard, traditional keyloggers do not capture this information.
In response, attackers developed more general spyware payloads, which subvert the compromised machine to allow monitoring of a wide range of activity on the system. This may include monitoring the history and content of browsing activity, redirecting certain Web page requests to fake sites controlled by the attacker, and dynamically modifying data exchanged between the browser and certain Web sites of interest. All of these can result in significant compromise of the user’s personal information. The Zeus banking Trojan, created from its crimeware toolkit, is a prominent example of such spyware that has been widely deployed in recent years [BINS10]. It steals banking and financial credentials using both a keylogger and capturing and possibly altering form data for certain Web sites. It is typically deployed using either spam e-mails or via a compromised Web site in a “drive-by-download.”
79
Payload – Information Theft Phishing
Exploits social engineering to leverage the user’s trust by masquerading as communication from a trusted source Include a URL in a spam e-mail that links to a fake Web site that mimics the login page of a banking, gaming, or similar site Suggests that urgent action is required by the user to authenticate their account Attacker exploits the account using the captured credentials Spear-phishing Recipients are carefully researched by the attacker E-mail is crafted to specifically suit its recipient, often quoting a range of information to convince them of its authenticity Another approach used to capture a user’s login and password credentials is to include a URL in a spam e-mail that links to a fake Web site controlled by the attacker, but which mimics the login page of some banking, gaming, or similar site. This is normally included in some message suggesting that urgent action is required by the user to authenticate their account, to prevent it being locked. If the user is careless, and doesn’t realize that they are being conned, then following the link and supplying the requested details will certainly result in the attackers exploiting their account using the captured credentials. More generally, such a spam e-mail may direct a user to a fake Web site controlled by the attacker, or to complete some enclosed form and return it to an e-mail address accessible to the attacker, which is used to gather a range of private, personal information on the user. Given sufficient details, the attacker can then “assume” the user’s identity for the purpose of obtaining credit, or sensitive access to other resources. This is known as a phishing attack and exploits social engineering to leverage the user’s trust by masquerading as communications from a trusted source [GOLD10]. Such general spam e-mails are typically widely distributed to very large numbers of users, often via a botnet.
While the content will not match appropriate trusted sources for a significant fraction of the recipients, the attackers rely on it reaching sufficient users of the named trusted source, a gullible portion of whom will respond, for it to be profitable. A more dangerous variant of this is the spear-phishing attack. This again is an e-mail claiming to be from a trusted source. However, the recipients are carefully researched by the attacker, and each e-mail is carefully crafted to suit its recipient specifically, often quoting a range of information to convince them of its authenticity. This greatly increases the likelihood of the recipient responding as desired by the attacker. This type of attack is particularly used in industrial and other forms of espionage by well-resourced organizations [SYMA13]. Reconnaissance and Espionage Credential theft and identity theft are special cases of a more general reconnaissance payload, which aims to obtain certain types of desired information and return this to the attacker. These special cases are certainly the most common; however, other targets are known. Operation Aurora in 2009 used a Trojan to gain access to and potentially modify source code repositories at a range of high tech, security, and defense contractor companies [SYMA13]. The Stuxnet worm discovered in 2010 included capture of hardware and software configuration details in order to determine whether it had compromised the specific desired target systems. Early versions of this worm returned this same information, which was then used to develop the attacks deployed in later versions [CHEN11, KUSH13]. APT attacks may result in the loss of large volumes of sensitive information, which is sent, exfiltrated from the target organization, to the attackers. To detect and block such data exfiltration requires suitable “data-loss” technical countermeasures that manage either access to such information, or its transmission across the organization’s network perimeter.
80
Worm Countermeasures Considerable overlap in techniques for dealing with viruses and worms Once a worm is resident on a machine anti-virus software can be used to detect and possibly remove it Perimeter network activity and usage monitoring can form the basis of a worm defense Worm defense approaches include: Signature-based worm scan filtering Filter-based worm containment Payload-classification-based worm containment Threshold random walk (TRW) scan detection Rate limiting Rate halting There is considerable overlap in techniques for dealing with viruses and worms. Once a worm is resident on a machine, anti-virus software can be used to detect it, and possibly remove it. In addition, because worm propagation generates considerable network activity, perimeter network activity and usage monitoring can form the basis of a worm defense. Following [JHI07], we list six classes of worm defense that address the network activity it may generate:
A. Signature-based worm scan filtering: This type of approach generates a worm signature, which is then used to prevent worm scans from entering/leaving a network/host. Typically, this approach involves identifying suspicious flows and generating a worm signature. This approach is vulnerable to the use of polymorphic worms: Either the detection software misses the worm or, if it is sufficiently sophisticated to deal with polymorphic worms, the scheme may take a long time to react. [NEWS05] is an example of this approach.
B. Filter-based worm containment: This approach is similar to class A but focuses on worm content rather than a scan signature. The filter checks a message to determine if it contains worm code. An example is Vigilante [COST05], which relies on collaborative worm detection at end hosts. This approach can be quite effective but requires efficient detection algorithms and rapid alert dissemination.
C. Payload-classification-based worm containment: These network-based techniques examine packets to see if they contain a worm. Various anomaly detection techniques can be used, but care is needed to avoid high levels of false positives or negatives. An example of this approach is reported in [CHIN05], which looks for exploit code in network flows. This approach does not generate signatures based on byte patterns but rather looks for control and data flow structures that suggest an exploit.
D. Threshold random walk (TRW) scan detection: TRW exploits randomness in picking destinations to connect to as a way of detecting if a scanner is in operation [JUNG04]. TRW is suitable for deployment in high-speed, low-cost network devices. It is effective against the common behavior seen in worm scans.
E. Rate limiting: This class limits the rate of scan-like traffic from an infected host. Various strategies can be used, including limiting the number of new machines a host can connect to in a window of time, detecting a high connection failure rate, and limiting the number of unique IP addresses a host can scan in a window of time. [CHEN04] is an example. This class of countermeasures may introduce longer delays for normal traffic. This class is also not suited for slow, stealthy worms that spread slowly to avoid detection based on activity level.
F. Rate halting: This approach immediately blocks outgoing traffic when a threshold is exceeded either in outgoing connection rate or in diversity of connection attempts [JHI07]. The approach must include measures to quickly unblock mistakenly blocked hosts in a transparent way. Rate halting can integrate with a signature- or filter-based approach so that once a signature or filter is generated, every blocked host can be unblocked. Rate halting appears to offer a very effective countermeasure. As with rate limiting, rate halting techniques are not suitable for slow, stealthy worms.
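Class D can be made concrete with the sequential likelihood-ratio test that TRW is built on: each first contact from a source to a new destination moves a per-source score up on failure and down on success until it crosses a threshold. This is an added example, not code from the original slides or from [JUNG04]; the probabilities `theta0`/`theta1`, the target detection and false-positive rates, and the sample connection log are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed connection log: (source, destination, connection_succeeded).
SAMPLE_EVENTS = (
    # 10.0.0.66 sweeps eight addresses; only the second one answers.
    [("10.0.0.66", f"10.1.0.{n}", n == 2) for n in range(1, 9)]
    # 10.0.0.20 is an ordinary client: mostly successes, one dead host.
    + [("10.0.0.20", "10.1.0.80", True), ("10.0.0.20", "10.1.0.80", True),
       ("10.0.0.20", "10.1.0.25", True), ("10.0.0.20", "10.1.0.99", False),
       ("10.0.0.20", "10.1.0.53", True), ("10.0.0.20", "10.1.0.22", True),
       ("10.0.0.20", "10.1.0.44", True)]
    # 10.0.0.40 retries one unreachable server ten times.
    + [("10.0.0.40", "10.1.0.7", False)] * 10
    # 10.0.0.30 has too little history for a decision.
    + [("10.0.0.30", "10.1.0.80", True), ("10.0.0.30", "10.1.0.9", False)]
)


@dataclass
class SourceState:
    ratio: float = 1.0                       # likelihood ratio scanner : benign
    contacted: set = field(default_factory=set)
    first_contacts: int = 0
    verdict: str = "pending"


class TRWDetector:
    """Sequential hypothesis test over first-contact connection outcomes."""

    def __init__(self, theta0=0.8, theta1=0.2, p_detect=0.99, p_false=0.01):
        # theta0 / theta1: assumed probability that a first contact succeeds
        # for a benign source and for a scanner, respectively.
        self.on_success = theta1 / theta0
        self.on_failure = (1 - theta1) / (1 - theta0)
        self.upper = p_detect / p_false              # at or above: scanner
        self.lower = (1 - p_detect) / (1 - p_false)  # at or below: benign
        self.sources = {}

    def observe(self, src, dst, succeeded):
        state = self.sources.setdefault(src, SourceState())
        # The test for a source ends at its first verdict. Repeat connections
        # to a destination already seen carry no new evidence and are skipped.
        if state.verdict != "pending" or dst in state.contacted:
            return state.verdict
        state.contacted.add(dst)
        state.first_contacts += 1
        state.ratio *= self.on_success if succeeded else self.on_failure
        if state.ratio >= self.upper:
            state.verdict = "scanner"
        elif state.ratio <= self.lower:
            state.verdict = "benign"
        return state.verdict


def classify(events, **params):
    """Feed a connection log through the detector and return it for inspection."""
    detector = TRWDetector(**params)
    for src, dst, ok in events:
        detector.observe(src, dst, ok)
    return detector


def verdicts(detector):
    return {src: state.verdict for src, state in detector.sources.items()}


if __name__ == "__main__":
    det = classify(SAMPLE_EVENTS)
    for src, state in det.sources.items():
        print(f"{src:10} {state.verdict:8} after {state.first_contacts} first contacts")
```

With these assumed parameters the sweep is flagged after six first contacts despite one successful connection, while ten retries to a single dead server count as one observation and leave that host undecided.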
81
Payload – Stealthing Backdoor
Also known as a trapdoor Secret entry point into a program allowing the attacker to gain access and bypass the security access procedures Maintenance hook is a backdoor used by programmers to debug and test programs Difficult to implement operating system controls for backdoors in applications The final category of payload we discuss concerns techniques used by malware to hide its presence on the infected system, and to provide covert access to that system. This type of payload also attacks the integrity of the infected system. Backdoor A backdoor, also known as a trapdoor, is a secret entry point into a program that allows someone who is aware of the backdoor to gain access without going through the usual security access procedures. Programmers have used backdoors legitimately for many years to debug and test programs; such a backdoor is called a maintenance hook. This usually is done when the programmer is developing an application that has an authentication procedure, or a long setup, requiring the user to enter many different values to run the application. To debug the program, the developer may wish to gain special privileges or to avoid all the necessary setup and authentication. The programmer may also want to ensure that there is a method of activating the program should something be wrong with the authentication procedure that is being built into the application. The backdoor is code that recognizes some special sequence of input or is triggered by being run from a certain user ID or by an unlikely sequence of events. Backdoors become threats when unscrupulous programmers use them to gain unauthorized access. The backdoor was the basic idea for the vulnerability portrayed in the movie War Games. Another example is that during the development of Multics, penetration tests were conducted by an Air Force “tiger team” (simulating adversaries). One tactic employed was to send a bogus operating system update to a site running Multics.
The update contained a Trojan horse that could be activated by a backdoor and that allowed the tiger team to gain access. The threat was so well implemented that the Multics developers could not find it, even after they were informed of its presence [ENGE80]. In more recent times, a backdoor is usually implemented as a network service listening on some non-standard port that the attacker can connect to and issue commands through to be run on the compromised system. It is difficult to implement operating system controls for backdoors in applications. Security measures must focus on the program development and software update activities, and on programs that wish to offer a network service.
82
Payload - Stealthing Rootkit
Set of hidden programs installed on a system to maintain covert access to that system Hides by subverting the mechanisms that monitor and report on the processes, files, and registries on a computer Gives administrator (or root) privileges to attacker Can add or change programs and files, monitor processes, send and receive network traffic, and get backdoor access on demand A rootkit is a set of programs installed on a system to maintain covert access to that system with administrator (or root) privileges, while hiding evidence of its presence to the greatest extent possible. This provides access to all the functions and services of the operating system. The rootkit alters the host’s standard functionality in a malicious and stealthy way. With root access, an attacker has complete control of the system and can add or change programs and files, monitor processes, send and receive network traffic, and get backdoor access on demand. A rootkit can make many changes to a system to hide its existence, making it difficult for the user to determine that the rootkit is present and to identify what changes have been made. In essence, a rootkit hides by subverting the mechanisms that monitor and report on the processes, files, and registries on a computer.
83
Rootkit Classification Characteristics
Persistent Memory based User mode Kernel mode Virtual machine based External mode A rootkit can be classified using the following characteristics: • Persistent: Activates each time the system boots. The rootkit must store code in a persistent store, such as the registry or file system, and configure a method by which the code executes without user intervention. This means it is easier to detect, as the copy in persistent storage can potentially be scanned. • Memory based: Has no persistent code and therefore cannot survive a reboot. However, because it is only in memory, it can be harder to detect. • User mode: Intercepts calls to APIs (application program interfaces) and modifies returned results. For example, when an application performs a directory listing, the return results don’t include entries identifying the files associated with the rootkit. • Kernel mode: Can intercept calls to native APIs in kernel mode. The rootkit can also hide the presence of a malware process by removing it from the kernel’s list of active processes. • Virtual machine based: This type of rootkit installs a lightweight virtual machine monitor, and then runs the operating system in a virtual machine above it. The rootkit can then transparently intercept and modify states and events occurring in the virtualized system. • External mode: The malware is located outside the normal operation mode of the targeted system, in BIOS or system management mode, where it can directly access hardware. This classification shows a continuing arms race between rootkit authors, who exploit ever more stealthy mechanisms to hide their code, and those who develop mechanisms to harden systems against such subversion, or to detect when it has occurred. Much of this advance is associated with finding “layer-below” forms of attack. The early rootkits worked in user mode, modifying utility programs and libraries in order to hide their presence. 
The changes they made could be detected by code in the kernel, as this operated in the layer below the user. Later-generation rootkits used more stealthy techniques, as we discuss next.
84
The next generation of rootkits moved down a layer, making changes inside the kernel and co-existing with the operating system’s code, in order to make their detection much harder. Any “anti-virus” program would now be subject to the same “low-level” modifications that the rootkit uses to hide its presence. However, methods were developed to detect these changes. Programs operating at the user level interact with the kernel through system calls. Thus, system calls are a primary target of kernel-level rootkits to achieve concealment. As an example of how rootkits operate, we look at the implementation of system calls in Linux. In Linux, each system call is assigned a unique syscall number. When a user-mode process executes a system call, the process refers to the system call by this number. The kernel maintains a system call table with one entry per system call routine; each entry contains a pointer to the corresponding routine. The syscall number serves as an index into the system call table. [LEVI06] lists three techniques that can be used to change system calls:
• Modify the system call table: The attacker modifies selected syscall addresses stored in the system call table. This enables the rootkit to direct a system call away from the legitimate routine to the rootkit’s replacement. Figure 6.5 shows how the knark rootkit achieves this.
• Modify system call table targets: The attacker overwrites selected legitimate system call routines with malicious code. The system call table is not changed.
• Redirect the system call table: The attacker redirects references to the entire system call table to a new table in a new kernel memory location.
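Each of the three techniques above leaves a different trace, so an integrity check has to look in three places: the table entries, the code they point to, and the table address the dispatcher actually uses. The following is an added example, not from the original slides or [LEVI06]: it is a user-space model over constructed data (addresses, code bytes, and the five-entry table are invented, and the indices are not real Linux syscall numbers), intended to show the comparison logic rather than to read live kernel memory.

```python
import hashlib
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class KernelView:
    """What a checker reads from one kernel memory image (modelled)."""
    table_ptr: int      # table address the syscall dispatcher actually indexes
    tables: dict        # table address -> list of routine addresses
    code: dict          # routine address -> leading bytes of that routine
    text_range: tuple   # (start, end) of the kernel's own code region


def fingerprint(code_bytes):
    return hashlib.sha256(code_bytes).hexdigest()


def make_baseline(view, names):
    """Record a known-good state, e.g. taken right after a trusted boot."""
    entries = list(view.tables[view.table_ptr])
    return {"table_ptr": view.table_ptr, "entries": entries, "names": list(names),
            "hashes": [fingerprint(view.code[a]) for a in entries]}


def audit(view, baseline):
    """Compare a live view with the baseline; one finding per anomaly."""
    findings = []
    # Technique 3: the dispatcher no longer uses the original table.
    if view.table_ptr != baseline["table_ptr"]:
        findings.append(("table_redirected", None, hex(view.table_ptr)))
    lo, hi = view.text_range
    for nr, addr in enumerate(view.tables[view.table_ptr]):
        name = baseline["names"][nr]
        if addr != baseline["entries"][nr]:
            # Technique 1: an entry points somewhere new.
            where = "inside" if lo <= addr < hi else "outside"
            findings.append(("entry_modified", name, f"{where} kernel text"))
        elif fingerprint(view.code.get(addr, b"")) != baseline["hashes"][nr]:
            # Technique 2: same address, but the routine's code was overwritten.
            findings.append(("target_modified", name, "code hash mismatch"))
    return findings


def naive_audit(view, baseline):
    """Looks only at the table's original address; blind to techniques 2 and 3."""
    table = view.tables[baseline["table_ptr"]]
    return [n for n, a, good in zip(baseline["names"], table, baseline["entries"])
            if a != good]


# ---- Constructed sample data ------------------------------------------------
NAMES = ["read", "write", "open", "getdents64", "kill"]   # model indices only
TEXT = (0xC0100000, 0xC0400000)
TABLE = 0xC0500000
ROUTINES = [0xC0120000 + 0x100 * i for i in range(len(NAMES))]
HOOK = 0xD0800040       # constructed address outside the kernel text range
SHADOW = 0xD0900000     # constructed address of a replacement table

CLEAN = KernelView(
    table_ptr=TABLE,
    tables={TABLE: list(ROUTINES)},
    code={a: b"\x55\x89\xe5" + bytes([i]) * 13 for i, a in enumerate(ROUTINES)},
    text_range=TEXT,
)
BASELINE = make_baseline(CLEAN, NAMES)


def with_entry(view, table_addr, nr, target):
    """Model helper: a copy of the live table, stored at table_addr, with one entry changed."""
    table = list(view.tables[view.table_ptr])
    table[nr] = target
    return replace(view, tables={**view.tables, table_addr: table})


ENTRY_PATCHED = with_entry(CLEAN, TABLE, 3, HOOK)
TARGET_PATCHED = replace(
    CLEAN, code={**CLEAN.code, ROUTINES[2]: b"\xe9" + CLEAN.code[ROUTINES[2]][1:]})
REDIRECTED = replace(with_entry(CLEAN, SHADOW, 4, HOOK), table_ptr=SHADOW)

if __name__ == "__main__":
    for label, view in [("clean", CLEAN), ("entry patched", ENTRY_PATCHED),
                        ("target patched", TARGET_PATCHED), ("redirected", REDIRECTED)]:
        print(f"{label:15} audit={audit(view, BASELINE)} naive={naive_audit(view, BASELINE)}")
```

In the redirected case the original table is byte-for-byte unchanged, which is why the check that only re-reads that table reports nothing.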
85
Windows Defender Flaw (Oct 17)
CyberArk Labs revealed a vulnerability that allows malware to completely bypass Windows Defender. It could impact tens of millions of devices running on Windows 10 and 8.1. In order to abuse Windows Defender an attacker would have to implement the SMB protocol and create a 'pseudo-server' that can differentiate Windows Defender's request from normal requests. The group goes on to explain this creates a means to trick the system into scanning a different file than the one actually carrying malware. This means attackers could execute known malware behind the pretence of a legitimate file fed from a Server Message Block (SMB) server, according to CyberArk Labs. A malicious file served in this way can be clicked on, and Windows Defender will scan a completely different and innocuous file, missing the malicious file. Despite this, Windows will still load the real, malicious file. The technique therefore represents a means to circumvent Windows Defender. Microsoft downplayed it: "The technique described has limited practical applicability. To be successful, an attacker would first need to convince a user to give manual consent to execute an unknown binary from an untrusted remote location. The user would also need to click through additional warnings in order to grant the attacker Administrator privileges. Should the attacker successfully convince a user to carry out the manual steps mentioned, Windows Defender Antivirus and Windows Defender Advanced Threat Protection will detect further actions by the attacker."
86
Malware Countermeasure Approaches
• Ideal solution to the threat of malware is prevention
• Four main elements of prevention: policy, awareness, vulnerability mitigation, threat mitigation
• If prevention fails, technical mechanisms can be used to support the following threat mitigation options: detection, identification, removal

The ideal solution to the threat of malware is prevention: Do not allow malware to get into the system in the first place, or block its ability to modify the system. This goal is, in general, nearly impossible to achieve, although taking suitable countermeasures to harden systems and users in preventing infection can significantly reduce the number of successful malware attacks. [SOUP13] suggests there are four main elements of prevention: policy, awareness, vulnerability mitigation, and threat mitigation. Having a suitable policy to address malware prevention provides a basis for implementing appropriate preventative countermeasures.

One of the first countermeasures that should be employed is to ensure all systems are as current as possible, with all patches applied, in order to reduce the number of vulnerabilities that might be exploited on the system. The next is to set appropriate access controls on the applications and data stored on the system, to reduce the number of files that any user can access, and hence potentially infect or corrupt, as a result of them executing some malware code. These measures directly target the key propagation mechanisms used by worms, viruses, and some trojans.

The third common propagation mechanism, which targets users in a social engineering attack, can be countered using appropriate user awareness and training. This aims to equip users to be more aware of these attacks, and less likely to take actions that result in their compromise. [SOUP13] provides examples of suitable awareness issues.

If prevention fails, then technical mechanisms can be used to support the following threat mitigation options:
• Detection: Once the infection has occurred, determine that it has occurred and locate the malware.
• Identification: Once detection has been achieved, identify the specific malware that has infected the system.
• Removal: Once the specific malware has been identified, remove all traces of the malware from all infected systems so that it cannot spread further.

If detection succeeds but either identification or removal is not possible, then the alternative is to discard any infected or malicious files and reload a clean backup version. In the case of some particularly nasty infections, this may require a complete wipe of all storage, and rebuild of the infected system from known clean media.

To begin, let us consider some requirements for effective malware countermeasures:
• Generality: The approach taken should be able to handle a wide variety of attacks.
• Timeliness: The approach should respond quickly so as to limit the number of infected programs or systems and the consequent activity.
• Resiliency: The approach should be resistant to evasion techniques employed by attackers to hide the presence of their malware.
• Minimal denial-of-service costs: The approach should result in minimal reduction in capacity or service due to the actions of the countermeasure software, and should not significantly disrupt normal operation.
• Transparency: The countermeasure software and devices should not require modification to existing (legacy) OSs, application software, and hardware.
• Global and local coverage: The approach should be able to deal with attack sources both from outside and inside the enterprise network.

Achieving all these requirements often requires the use of multiple approaches.

Detection of the presence of malware can occur in a number of locations. It may occur on the infected system, where some host-based “anti-virus” program is running, monitoring data imported into the system, and the execution and behavior of programs running on the system. Or, it may take place as part of the perimeter security mechanisms used in an organization’s firewall and intrusion detection systems (IDS). Lastly, detection may use distributed mechanisms that gather data from both host-based and perimeter sensors, potentially over a large number of networks and organizations, in order to obtain the largest scale view of the movement of malware. We now consider each of these approaches in more detail.
87
Generations of Anti-Virus Software
• First generation: simple scanners. Requires a malware signature to identify the malware; limited to the detection of known malware.
• Second generation: heuristic scanners. Uses heuristic rules to search for probable malware instances; another approach is integrity checking.
• Third generation: activity traps. Memory-resident programs that identify malware by its actions rather than its structure in an infected program.
• Fourth generation: full-featured protection. Packages consisting of a variety of anti-virus techniques used in conjunction; include scanning and activity trap components and access control capability.

The first location where anti-virus software is used is on each end system. This gives the software the maximum access to information on the behavior of the malware as it interacts with the targeted system, but also the smallest overall view of malware activity. The use of anti-virus software on personal computers is now widespread, in part because of the explosive growth in malware volume and activity. This software can be regarded as a form of host-based intrusion detection system, which we discuss more generally in Section 8.4.

Advances in virus and other malware technology, and in antivirus technology and other countermeasures, go hand in hand. Early malware used relatively simple and easily detected code, and hence could be identified and purged with relatively simple anti-virus software packages. As the malware arms race has evolved, both the malware code and, necessarily, anti-virus software have grown more complex and sophisticated. [STEP93] identifies four generations of anti-virus software:
• First generation: simple scanners
• Second generation: heuristic scanners
• Third generation: activity traps
• Fourth generation: full-featured protection

A first-generation scanner requires a malware signature to identify the malware. The signature may contain “wildcards” but matches essentially the same structure and bit pattern in all copies of the malware. Such signature-specific scanners are limited to the detection of known malware. Another type of first-generation scanner maintains a record of the length of programs and looks for changes in length as a result of virus infection.

A second-generation scanner does not rely on a specific signature. Rather, the scanner uses heuristic rules to search for probable malware instances. One class of such scanners looks for fragments of code that are often associated with malware. For example, a scanner may look for the beginning of an encryption loop used in a polymorphic virus and discover the encryption key. Once the key is discovered, the scanner can decrypt the malware to identify it, then remove the infection and return the program to service.

Another second-generation approach is integrity checking. A checksum can be appended to each program. If malware alters or replaces some program without changing the checksum, then an integrity check will catch this change. To counter malware that is sophisticated enough to change the checksum when it alters a program, an encrypted hash function can be used. The encryption key is stored separately from the program so that the malware cannot generate a new hash code and encrypt that. By using a hash function rather than a simpler checksum, the malware is prevented from adjusting the program to produce the same hash code as before. If a protected list of programs in trusted locations is kept, this approach can also detect attempts to replace or install rogue code or programs in these locations.

Third-generation programs are memory-resident programs that identify malware by its actions rather than its structure in an infected program. Such programs have the advantage that it is not necessary to develop signatures and heuristics for a wide array of malware. Rather, it is necessary only to identify the small set of actions that indicate malicious activity is being attempted and then to intervene.

Fourth-generation products are packages consisting of a variety of anti-virus techniques used in conjunction. These include scanning and activity trap components. In addition, such a package includes access control capability, which limits the ability of malware to penetrate a system and then limits the ability of malware to update files in order to propagate.

The arms race continues. With fourth-generation packages, a more comprehensive defense strategy is employed, broadening the scope of defense to more general-purpose computer security measures. These include more sophisticated anti-virus approaches. We now highlight two of the most important.
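The second-generation integrity check described above, as an added example that is not part of the original slides. It uses HMAC-SHA-256 as the keyed hash in place of the "encrypted hash function" the text describes; the directory layout, file names and key are constructed for the demonstration, and the key is assumed to be stored away from the scanned host.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def keyed_tag(path: Path, key: bytes) -> str:
    """HMAC-SHA-256 of the file contents; cannot be recomputed without the key."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_baseline(root: Path, key: bytes) -> dict:
    """Protected list: relative path -> keyed tag for each file in a trusted location."""
    return {p.relative_to(root).as_posix(): keyed_tag(p, key)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, baseline: dict, key: bytes) -> dict:
    """Compare the current tree with the baseline and classify every difference."""
    current = build_baseline(root, key)
    report = {"modified": [], "missing": [], "unexpected": []}
    for name, tag in baseline.items():
        if name not in current:
            report["missing"].append(name)
        elif not hmac.compare_digest(tag, current[name]):
            report["modified"].append(name)
    report["unexpected"] = sorted(set(current) - set(baseline))
    return report


def demo() -> dict:
    key = b"constructed-demo-key"  # assumption: the real key is stored off the scanned host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "backup").write_bytes(b"original backup tool\n")
        (root / "bin" / "report").write_bytes(b"original report tool\n")
        baseline = build_baseline(root, key)
        clean = verify(root, baseline, key)

        # Constructed changes: one program altered, one removed, one new file dropped in.
        altered = b"original backup tool\n# appended code\n"
        (root / "bin" / "backup").write_bytes(altered)
        (root / "bin" / "report").unlink()
        (root / "bin" / "helper").write_bytes(b"not on the protected list\n")
        tampered = verify(root, baseline, key)

        # Overwriting the stored value with an unkeyed SHA-256 of the altered file
        # does not help: without the key the stored tag cannot be regenerated.
        forged = dict(baseline, **{"bin/backup": hashlib.sha256(altered).hexdigest()})
        forged_store = verify(root, forged, key)
    return {"clean": clean, "tampered": tampered, "forged_store": forged_store}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "unexpected" list is what the protected-list idea adds: a file that was never enrolled is reported even though nothing enrolled was changed.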
88
Generic Decryption (GD)
Generic decryption (GD) technology enables the antivirus program to easily detect even the most complex polymorphic viruses and other malware, while maintaining fast scanning speeds [NACH97]. Recall that when a file containing a polymorphic virus is executed, the virus must decrypt itself to activate. In order to detect such a structure, executable files are run through a GD scanner, which contains the following elements:
• CPU emulator: A software-based virtual computer. Instructions in an executable file are interpreted by the emulator rather than executed on the underlying processor. The emulator includes software versions of all registers and other processor hardware, so that the underlying processor is unaffected by programs interpreted on the emulator.
• Virus signature scanner: A module that scans the target code looking for known malware signatures.
• Emulation control module: Controls the execution of the target code.

At the start of each simulation, the emulator begins interpreting instructions in the target code, one at a time. Thus, if the code includes a decryption routine that decrypts and hence exposes the malware, that code is interpreted. In effect, the malware does the work for the anti-virus program by exposing itself. Periodically, the control module interrupts interpretation to scan the target code for malware signatures. During interpretation, the target code can cause no damage to the actual personal computer environment, because it is being interpreted in a completely controlled environment.

The most difficult design issue with a GD scanner is to determine how long to run each interpretation. Typically, malware elements are activated soon after a program begins executing, but this need not be the case. The longer the scanner emulates a particular program, the more likely it is to catch any hidden malware. However, the anti-virus program can take up only a limited amount of time and resources before users complain of degraded system performance.
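The three GD scanner elements and the emulation-budget trade-off, as an added toy example that is not from the original slides or from any anti-virus product. The five-instruction machine, the XOR-encoded sample and the `SIGNATURE` marker are all constructed for illustration; a real scanner emulates the actual processor instruction set.

```python
SIGNATURE = b"EXAMPLE-SIG-0001"  # constructed marker standing in for a known signature
KEY = 0x5A                       # constructed single-byte key used by the toy sample


def make_sample():
    """Build a toy 'polymorphic' sample: an encoded body plus its decoding loop."""
    body = b"\x90" * 8 + SIGNATURE + b"\x90" * 8
    memory = bytearray(b ^ KEY for b in body)       # stored form hides the signature
    program = [
        ("MOV", "i", 0),                # i = 0
        ("XORM", "i", KEY),             # memory[i] ^= KEY
        ("INC", "i"),                   # i += 1
        ("JNE", "i", len(memory), 1),   # loop until every byte is decoded
        ("HALT",),
    ]
    return program, memory


class Emulator:
    """CPU emulator: registers and memory are software copies, so the host is untouched."""

    def __init__(self, program, memory):
        self.program, self.mem = program, bytearray(memory)
        self.regs, self.pc, self.halted = {}, 0, False

    def step(self):
        op, *args = self.program[self.pc]
        self.pc += 1
        if op == "MOV":
            self.regs[args[0]] = args[1]
        elif op == "XORM":
            self.mem[self.regs[args[0]]] ^= args[1]
        elif op == "INC":
            self.regs[args[0]] += 1
        elif op == "JNE" and self.regs[args[0]] != args[1]:
            self.pc = args[2]
        elif op == "HALT":
            self.halted = True


def gd_scan(program, memory, max_steps, scan_every=16):
    """Emulation control: interpret, pause every `scan_every` steps, run the signature scan."""
    if SIGNATURE in memory:                 # plain first-generation scan of the stored file
        return ("static", 0)
    emu, steps = Emulator(program, memory), 0
    while steps < max_steps and not emu.halted:
        emu.step()
        steps += 1
        if (steps % scan_every == 0 or emu.halted) and SIGNATURE in emu.mem:
            return ("emulated", steps)      # the sample exposed itself inside the emulator
    return (None, steps)                    # budget exhausted or program ended, nothing found


if __name__ == "__main__":
    prog, mem = make_sample()
    print(gd_scan(prog, mem, max_steps=64))   # budget too small: signature not yet exposed
    print(gd_scan(prog, mem, max_steps=200))  # enough budget: found at a periodic scan
```

With a budget of 64 steps the scan returns before the marker is fully decoded; with 200 it is found at the step-80 scan, which is the "how long to run" trade-off in miniature.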
90
Host-Based Behavior-Blocking Software
• Integrates with the operating system of a host computer and monitors program behavior in real time for malicious action
• Blocks potentially malicious actions before they have a chance to affect the system
• Blocks software in real time so it has an advantage over anti-virus detection techniques such as fingerprinting or heuristics
• Limitations: because malicious code must run on the target machine before all its behaviors can be identified, it can cause harm before it has been detected and blocked

Unlike heuristics or fingerprint-based scanners, behavior-blocking software integrates with the operating system of a host computer and monitors program behavior in real time for malicious actions [CONR02, NACH02]. The behavior-blocking software then blocks potentially malicious actions before they have a chance to affect the system. Monitored behaviors can include
• Attempts to open, view, delete, and/or modify files;
• Attempts to format disk drives and other unrecoverable disk operations;
• Modifications to the logic of executable files or macros;
• Modification of critical system settings, such as start-up settings;
• Scripting of e-mail and instant messaging clients to send executable content; and
• Initiation of network communications.

Because a behavior blocker can block suspicious software in real time, it has an advantage over such established anti-virus detection techniques as fingerprinting or heuristics. There are literally trillions of different ways to obfuscate and rearrange the instructions of a virus or worm, many of which will evade detection by a fingerprint scanner or heuristic. But eventually, malicious code must make a well-defined request to the operating system. Given that the behavior blocker can intercept all such requests, it can identify and block malicious actions regardless of how obfuscated the program logic appears to be.

Behavior blocking alone has limitations. Because the malicious code must run on the target machine before all its behaviors can be identified, it can cause harm before it has been detected and blocked. For example, a new item of malware might shuffle a number of seemingly unimportant files around the hard drive before modifying a single file and being blocked. Even though the actual modification was blocked, the user may be unable to locate his or her files, causing a loss to productivity or possibly worse.
91
Perimeter Scanning Approaches
• Anti-virus software typically included in e-mail and Web proxy services running on an organization’s firewall and IDS
• May also be included in the traffic analysis component of an IDS
• May include intrusion prevention measures, blocking the flow of any suspicious traffic
• Approach is limited to scanning malware content
• Two types of monitoring software:
  • Ingress monitors: located at the border between the enterprise network and the Internet; one technique is to look for incoming traffic to unused local IP addresses
  • Egress monitors: located at the egress point of individual LANs as well as at the border between the enterprise network and the Internet; monitor outgoing traffic for signs of scanning or other suspicious behavior

The next location where anti-virus software is used is on an organization’s firewall and IDS. It is typically included in e-mail and Web proxy services running on these systems. It may also be included in the traffic analysis component of an IDS. This gives the anti-virus software access to malware in transit over a network connection to any of the organization’s systems, providing a larger scale view of malware activity. This software may also include intrusion prevention measures, blocking the flow of any suspicious traffic, thus preventing it reaching and compromising some target system, either inside or outside the organization.

However, this approach is limited to scanning the malware content, as it does not have access to any behavior observed when it runs on an infected system. Two types of monitoring software may be used:
• Ingress monitors: These are located at the border between the enterprise network and the Internet. They can be part of the ingress filtering software of a border router or external firewall or a separate passive monitor. A honeypot can also capture incoming malware traffic. An example of a detection technique for an ingress monitor is to look for incoming traffic to unused local IP addresses.
• Egress monitors: These can be located at the egress point of individual LANs on the enterprise network as well as at the border between the enterprise network and the Internet. In the former case, the egress monitor can be part of the egress filtering software of a LAN router or switch. As with ingress monitors, the external firewall or a honeypot can house the monitoring software. Indeed, the two types of monitors can be collocated. The egress monitor is designed to catch the source of a malware attack by monitoring outgoing traffic for signs of scanning or other suspicious behavior.

Perimeter monitoring can also assist in detecting and responding to botnet activity by detecting abnormal traffic patterns associated with this activity. Once bots are activated and an attack is underway, such monitoring can be used to detect the attack. However, the primary objective is to try to detect and disable the botnet during its construction phase, using the various scanning techniques we have just discussed, identifying and blocking the malware that is used to propagate this type of payload.
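The two monitor types described above, run over a handful of flow records, as an added example that is not part of the original slides. The address block, the list of allocated hosts, the flow records and the fan-out threshold of 5 are all constructed assumptions; external addresses come from the documentation ranges.

```python
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("10.20.0.0/24")   # assumption: the enterprise address block
ALLOCATED = {ipaddress.ip_address(a)               # assumption: addresses actually in use
             for a in ("10.20.0.10", "10.20.0.11", "10.20.0.25")}

# Constructed flow records: (source, destination, destination port)
FLOWS = [
    ("198.51.100.7", "10.20.0.10", 443),   # ordinary inbound web request
    ("198.51.100.7", "10.20.0.77", 445),   # inbound to an address nobody uses
    ("198.51.100.7", "10.20.0.78", 445),   # and to the next unused one
    ("203.0.113.9", "10.20.0.25", 25),     # ordinary inbound mail
    ("10.20.0.10", "203.0.113.50", 443),   # ordinary outbound web request
] + [("10.20.0.11", f"203.0.113.{n}", 445) for n in range(1, 7)]  # one host, many targets


def ingress_alerts(flows):
    """Ingress monitor: external sources sending traffic to unused local addresses."""
    hits = defaultdict(set)
    for src, dst, _port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in LOCAL_NET and d in LOCAL_NET and d not in ALLOCATED:
            hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


def egress_alerts(flows, threshold=5):
    """Egress monitor: internal hosts contacting many distinct outside hosts on one port."""
    fanout = defaultdict(set)
    for src, dst, port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in LOCAL_NET and d not in LOCAL_NET:
            fanout[(src, port)].add(dst)
    return {key: len(dsts) for key, dsts in fanout.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    print("ingress:", ingress_alerts(FLOWS))
    print("egress:", egress_alerts(FLOWS))
```

The ingress rule needs no signature at all, since legitimate traffic has no reason to reach an unallocated address; the egress rule points at the internal host that is the likely source of the scanning.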
92
Finally….lab class 2. Information Gathering Techniques
2.1 Open Web Information Gathering 2.1.1 Google Hacking 2.2 Netcraft & Goohost 2.2.1 Netcraft 2.2.2 Goohost 2.2.3 Whois Reconnaissance 2.3 OWASP Joomla! Vulnerability Scanner Joomla! Command Line Scan WPScan-Wordpress Security Scanner Plecost WhatWeb BlindElephant-Web Application Fingerprinter Intrusion Detection Systems Detection 2.4 Homework: How to Change Your MAC Address How to change your MAC address on Windows How to change your MAC address on Linux 2.5 Documentation of Penetration Tests Chapter 6 summary.