
Threats of introducing malware over the network. Legislative base of the Russian Federation. Detection of debuggers and virtual PCs

Software-mathematical impact is an impact carried out by means of malicious programs. A program with potentially dangerous consequences (a malicious program) is an independent program (a set of instructions) capable of performing any non-empty subset of the following functions: hiding the signs of its presence in the computer's software environment; moving its fragments to other areas of RAM or external memory; destroying (arbitrarily distorting) the code of programs in RAM; performing destructive functions (copying, destroying, blocking, etc.); saving fragments of information from RAM to some areas of direct-access external memory (local or remote); distorting data arrays in external memory.

Malicious programs can be introduced, both intentionally and accidentally, into the software used in the ISPD (personal data information system) during its development, maintenance, modification and configuration. In addition, malicious programs can be introduced during the operation of the ISPD from external storage media or through network interaction, both as a result of unauthorized access and accidentally by ISPD users.

Modern malicious programs are based on the use of vulnerabilities in various kinds of software (system, general, application) and various network technologies, have a wide range of destructive capabilities (from unauthorized research of ISPD parameters without interfering with the operation of ISPD, to the destruction of PD and ISPD software) and can act in all types of software (system, application, hardware drivers, etc.).

The presence of malicious programs in the ISPD can contribute to the emergence of hidden, including non-traditional channels of access to information that allow opening, bypassing or blocking the security mechanisms provided in the system, including password and cryptographic protection.

The main types of malware are:

software implants ("software bookmarks");

classical software (computer) viruses;

malicious programs that spread over the network (network worms);

other malicious programs designed to carry out unauthorized access (UA).

Software implants ("software bookmarks") include programs, code fragments and instructions that form undeclared software features. Malicious programs can move from one type to another: for example, a software implant can generate a software virus, which in turn, once in a network environment, can form a network worm or another malicious program designed to carry out UA.

A brief description of the main malicious programs follows. Boot viruses write themselves either to the boot sector of a disk, or to the sector containing the hard drive bootloader (Master Boot Record), or change the pointer to the active boot sector. They are introduced into the computer's memory when it boots from an infected disk. In this case, the system loader reads the contents of the first sector of the disk from which the boot is performed, places the read information into memory and transfers control to it (i.e., to the virus). The virus instructions then begin to execute: as a rule, the virus reduces the amount of free memory, copies its code into the freed space, reads its continuation (if any) from disk, intercepts the necessary interrupt vectors (usually INT 13H), reads the original boot sector and transfers control to it.

Thereafter, the boot virus behaves in the same way as a file virus: it intercepts the operating system's access to disks and infects them, and, depending on certain conditions, performs destructive actions or causes sound or video effects.

The main destructive actions performed by these viruses are:

destruction of information in sectors of floppy disks and the hard drive;

making it impossible to load the operating system (the computer "freezes");

distortion of the bootloader code;

formatting of floppy disks or logical disks of the hard drive;

closing access to COM and LPT ports;

replacement of characters when printing texts;

screen twitching;

changing the label of a disk or diskette;

creation of pseudo-failed clusters;

creation of sound and (or) visual effects (for example, falling letters on the screen);

corruption of data files;

displaying various messages on the screen;

disabling peripheral devices (such as the keyboard);

changing the screen palette;

filling the screen with extraneous characters or images;

blanking the screen and switching to standby mode for keyboard input;

encryption of hard drive sectors;

selective destruction of characters displayed on the screen when typing from the keyboard;

reducing the amount of RAM;

triggering a print of the screen contents;

blocking disk writes;

destruction of the partition table (Disk Partition Table), after which the computer can only be booted from a floppy disk;

blocking the launch of executable files;

blocking access to the hard drive.



Figure 3. Classification of software viruses and network worms


Most boot viruses spread by writing themselves to floppy disks.
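The damage described above (overwritten bootloader code, a moved active-partition pointer, a destroyed partition table) is all confined to one 512-byte sector, so it can be checked against a baseline. The following is an added example, not code from the original text: it parses a Master Boot Record, compares the bootstrap code with a recorded known-good hash, and validates the partition table. The sample sector, its "known-good" hash and the simulated infection are all constructed inline.

```python
"""Integrity check of a 512-byte Master Boot Record: does the bootstrap code
still match a recorded known-good hash, is the active-partition flag where
it should be, and is the partition table intact.  These are the things the
boot viruses above change.  Added example; the sample sector and its
"known-good" hash are constructed here, not taken from any real disk."""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte partition entries start here
PART_ENTRY_FMT = "<B3xB3xII"     # status, (CHS start), type, (CHS end), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"     # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR into a bootstrap-code hash, four partition entries and the signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + i * 16)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, known_good_code_hash: str) -> list:
    """Return a list of findings; an empty list means nothing looked tampered with."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 55AA missing: sector overwritten or unformatted")
    if info["code_sha256"] != known_good_code_hash:
        findings.append("bootstrap code differs from the recorded known-good image")
    active = [i for i, p in enumerate(info["partitions"]) if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    for i, p in enumerate(info["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"partition {i}: type 0x{p['type']:02x} but zero length")
    return findings


def build_sample_mbr(code: bytes) -> bytes:
    """Construct a minimal MBR with the given bootstrap bytes and one active partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(code)] = code
    # constructed entry: active, type 0x07, starting at LBA 63, 204800 sectors long
    struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFFSET, 0x80, 0x07, 63, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed "clean" sector recorded at baseline time; the bytes are placeholders,
# not real boot code.
CLEAN_MBR = build_sample_mbr(b"\xEB\x3C\x90CONSTRUCTED-BOOT-CODE")
KNOWN_GOOD_HASH = parse_mbr(CLEAN_MBR)["code_sha256"]


def infected_sample() -> bytes:
    """Simulate what a boot virus leaves: overwritten bootstrap bytes and a cleared active flag."""
    sector = bytearray(CLEAN_MBR)
    sector[:8] = b"\xEB\x00VIRUS!"          # constructed: different bytes in the code area
    sector[PART_TABLE_OFFSET] = 0x00          # active-partition pointer removed
    return bytes(sector)


if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, KNOWN_GOOD_HASH))
    print("infected:", check_mbr(infected_sample(), KNOWN_GOOD_HASH))
```

On a real system the sector would be read from the raw disk device and the baseline hash stored off the machine; the check itself is the same. Note that a virus that relocates the original sector and passes control to it keeps the signature and partition table valid, which is why the code hash, not the signature, is the decisive comparison.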

The "overwriting" infection method is the simplest: the virus writes its code in place of the code of the infected file, destroying its contents. Naturally, the file then stops working and cannot be restored. Such viruses reveal themselves very quickly, since the operating system and applications stop working soon after.

The "companion" category includes viruses that do not modify the infected files themselves. Their operating algorithm is that a twin file is created for the infected file, and when the infected file is launched, it is this twin, that is, the virus, that receives control.

The most common companion viruses use the DOS rule that, if two files with the same name but different extensions (.COM and .EXE) are in the same directory, the .COM file is executed first. Such viruses create satellite files for EXE files with the same name but the .COM extension; for example, XCOPY.COM is created for the file XCOPY.EXE. The virus writes itself to the COM file and does not modify the EXE file in any way. When such a file is run, DOS first finds and executes the COM file, that is, the virus, which then runs the EXE file.

The second group consists of viruses that, upon infection, rename the file to some other name, remember it (in order to launch the host file later), and write their code to disk under the name of the infected file. For example, the file XCOPY.EXE is renamed to XCOPY.EXD, and the virus is written under the name XCOPY.EXE. On startup the virus code takes control and then launches the original XCOPY, stored under the name XCOPY.EXD. Interestingly, this method works on all operating systems.

The third group includes the so-called "path companion" viruses. They either write their code under the name of the infected file but one level "higher" in the PATH search order (so that DOS finds and launches the virus file first), or move the victim file one subdirectory up, etc.

There may be other types of companion viruses that use other original ideas or features of other operating systems.
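Because companion viruses leave the host file untouched, a file-integrity check on the EXE finds nothing; what does stand out is the directory around it. The following added example (not code from the original text) scans constructed directory listings for the two traces described above: a .COM twin that appeared after the .EXE it shadows, and a same-named executable placed earlier in the PATH search order. The listings, timestamps and PATH layout are constructed, and DOS-style paths are handled with ntpath so the check runs on any platform.

```python
"""Look for the traces companion viruses leave in directory listings: a .COM
that shadows an .EXE of the same name and appeared after it, and a
same-named executable sitting earlier in the PATH search order ("path
companion").  Added example over constructed listings, not code from the
original text; DOS-style paths are handled with ntpath so it runs anywhere."""
import ntpath
from collections import defaultdict

EXEC_EXTS = (".COM", ".EXE", ".BAT")   # DOS search order is COM, then EXE, then BAT


def find_com_exe_twins(listing):
    """listing: iterable of (filename, mtime) pairs from one directory.
    Returns the .COM files that share a basename with an .EXE and were written
    later than it, i.e. the EXE existed first and a COM twin appeared afterwards."""
    by_base = defaultdict(dict)
    for name, mtime in listing:
        base, ext = ntpath.splitext(name.upper())
        by_base[base][ext] = mtime
    suspects = [base + ".COM" for base, exts in by_base.items()
                if ".COM" in exts and ".EXE" in exts and exts[".COM"] > exts[".EXE"]]
    return sorted(suspects)


def find_path_shadows(path_dirs, contents):
    """path_dirs: directory names in PATH order; contents: dict dir -> set of filenames.
    Returns (shadowing, shadowed) path pairs: an executable in an earlier directory
    is what the shell would run instead of the same-named one found later."""
    first_seen = {}
    shadows = []
    for d in path_dirs:
        for name in sorted(contents.get(d, ())):
            base, ext = ntpath.splitext(name.upper())
            if ext not in EXEC_EXTS:
                continue
            full = ntpath.join(d, name)
            if base in first_seen:
                shadows.append((first_seen[base], full))
            else:
                first_seen[base] = full
    return shadows


# Constructed directory listing: (name, modification time in seconds).
SAMPLE_DIR = [
    ("XCOPY.EXE", 1_000),
    ("XCOPY.COM", 5_000),    # appeared 4000 s after the EXE it shadows: suspicious
    ("FORMAT.COM", 900),
    ("FORMAT.EXE", 950),     # COM older than the EXE: a normal pair, not flagged
    ("README.TXT", 2_000),
]

# Constructed PATH and directory contents for the path-companion case.
SAMPLE_PATH = ["C:\\TEMP", "C:\\DOS"]
SAMPLE_CONTENTS = {
    "C:\\TEMP": {"XCOPY.COM", "NOTES.TXT"},
    "C:\\DOS": {"XCOPY.EXE", "FORMAT.COM"},
}

if __name__ == "__main__":
    print("COM/EXE twins:", find_com_exe_twins(SAMPLE_DIR))
    print("PATH shadows:", find_path_shadows(SAMPLE_PATH, SAMPLE_CONTENTS))
```

Both checks are heuristics: a legitimate COM/EXE pair with a newer COM is possible, so the output is a list of files to inspect, not a verdict. The rename variant (XCOPY.EXE becoming XCOPY.EXD) is caught by the same idea applied to unexpected extensions next to an EXE.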

File worms are, in a sense, a kind of companion virus, but they do not associate themselves with any executable file at all. When they reproduce, they simply copy their code into some disk directories in the hope that a user will someday run these new copies. Sometimes such viruses give their copies "special" names to encourage the user to run them, for example INSTALL.EXE or WINSTART.BAT. There are worms that use rather unusual methods, for example writing copies of themselves into archives (ARJ, ZIP and others). Some write the command to run the infected file into BAT files. File worms should not be confused with network worms: the former use only the file functions of an operating system, while the latter use network protocols for their reproduction.

Link viruses, like companion viruses, do not change the physical content of files, but when an infected file is launched they "force" the OS to execute their code. They achieve this by modifying the necessary fields of the file system.

Viruses that infect compiler libraries, object modules and program source code are quite exotic and practically uncommon. Viruses that infect OBJ and LIB files write their code into them in the form of an object module or library. The infected file is thus not executable and, in its current state, is not capable of spreading the virus further. The carrier of a "live" virus becomes the COM or EXE file built from it.

Once it receives control, a file virus performs the following general actions:

checks RAM for the presence of its copy and infects the computer's memory if no copy is found (if the virus is resident), searches for uninfected files in the current and (or) root directory by scanning the directory tree of logical drives, and then infects the detected files;

performs additional functions (if any): destructive actions, graphic or sound effects, etc. (the additional functions of a resident virus may be called some time after activation, depending on the current time, the system configuration, the virus's internal counters or other conditions; in this case the virus checks the system clock upon activation, sets its own counters, etc.);

returns control to the main program (if any).

It should be noted that the faster a virus spreads, the more likely an epidemic of this virus becomes; the slower it spreads, the harder it is to detect (unless, of course, the virus is already known). Non-resident viruses are often "slow": most of them infect one, two or three files at startup and do not have time to flood the computer before an anti-virus program is launched (or a new version of the anti-virus, configured for this virus, appears). There are, of course, non-resident "fast" viruses that, when launched, search for and infect all executable files; however, such viruses are very noticeable: when each infected file is launched, the computer actively works with the hard drive for some time (sometimes quite a long time), which unmasks the virus. The rate of spread (infection) of resident viruses is usually higher than that of non-resident ones, since they infect files as they are accessed. As a result, all or almost all files on the disk that are constantly used in work become infected. The rate of spread of resident file viruses that infect files only when they are launched for execution is lower than that of viruses that also infect files when they are opened, renamed, have their attributes changed, etc.

Thus, the main destructive actions performed by file viruses are associated with damage to files (more often executable or data files), the unauthorized launch of various commands (including commands for formatting, deleting, copying, etc.), changes to the interrupt vector table, etc. In addition, many destructive actions similar to those listed for boot viruses can also be performed.

Macro viruses are programs written in the languages (macro languages) built into some data processing systems (text editors, spreadsheets, etc.). For their reproduction such viruses use the capabilities of macro languages and with their help transfer themselves from one infected file (document or table) to others. The most widespread macro viruses target the Microsoft Office application package.

For the existence of viruses in a particular system (editor), it is necessary to have a macro language built into the system with the following capabilities:

1) linking a program in a macrolanguage to a specific file;

2) copying macro programs from one file to another;

3) transfer of control to a macro program without user intervention (automatic or standard macros).

These conditions are met by Microsoft Word, Excel and Microsoft Access, which contain the macro languages Word Basic and Visual Basic for Applications. In these applications:

1) macro programs are tied to a specific file or are located inside a file;

2) the macro language allows you to copy files or move macro programs to system service files and editable files;

3) when working with a file under certain conditions (opening, closing, etc.), macro programs (if any) are called, which are defined in a special way or have standard names.

This feature of macro languages is designed for automatic data processing in large organizations or global networks and allows the so-called "automated workflow" to be organized. On the other hand, the capabilities of the macro languages of such systems allow a virus to transfer its code to other files and thus infect them.

Most macro viruses are active not only at the moment a file is opened (closed) but for as long as the editor itself is active. They contain all their functions as standard Word/Excel/Office macros. There are, however, viruses that use tricks to hide their code and store it in a form other than macros. Three such techniques are known, and all of them use the ability of macros to create, edit and execute other macros. As a rule, such viruses have a small (sometimes polymorphic) loader macro that calls the built-in macro editor, creates a new macro, fills it with the main virus code, executes it and then, as a rule, destroys it (to hide traces of the virus's presence). The main code of such viruses is present either in the virus macro itself in the form of text strings (sometimes encrypted), or is stored in the document's variable area.

Network viruses include viruses that actively use the protocols and capabilities of local and global networks for their spread. The main principle of a network virus is the ability to independently transfer its code to a remote server or workstation. At the same time, “full-fledged” network viruses also have the ability to run their code on a remote computer or, at least, “push” the user to launch the infected file.

Malicious programs that enable UA can be:

password-guessing and password-cracking programs;

programs that implement threats;

programs demonstrating the use of undeclared capabilities of the ISPD software and hardware;

computer virus generator programs;

programs that demonstrate information security vulnerabilities, etc.

As software grows in complexity and diversity, the number of malicious programs is rapidly increasing. Today, more than 120,000 computer virus signatures are known. However, not all of them pose a real threat. In many cases, the elimination of vulnerabilities in system or application software has meant that a number of malicious programs are no longer able to infiltrate them. The main threat is usually posed by new malware.

Classification of intruders

Based on whether they belong to the ISPD, all intruders are divided into two groups:

external intruders: individuals who do not have the right to be present within the controlled zone in which the ISPD equipment is located;

internal intruders: individuals who have the right to be present within the controlled zone in which the ISPD equipment is located.

External intruder

An external information security intruder is one who does not have direct access to the technical means and resources of the system located within the controlled zone.

It is assumed that an external intruder cannot influence the protected information through technical leak channels, since the amount of information stored and processed in the ISPD is insufficient to possibly motivate an external intruder to take actions aimed at leaking information through technical leak channels.

It is assumed that an external intruder can influence the protected information only during its transmission over communication channels.

Internal intruder

The capabilities of an internal intruder depend significantly on the restrictive factors in force within the controlled zone, the main one being the implementation of a set of organizational and technical measures, including the selection, placement and professional training of personnel, the admission of individuals into the controlled zone, and control over the procedure for carrying out work, all aimed at preventing and suppressing unauthorized access.

The ISPD access control system ensures the differentiation of users' rights of access to information, software, hardware and other ISPD resources in accordance with the adopted information security policy (rules). Internal intruders may include (see table):

administrators of specific subsystems or ISPD databases (category II);

users who are external to a particular AS (category IV);

persons with the ability to access the data transmission system (category V);

employees of healthcare facilities who have authorized access for official purposes to the premises where ISPD elements are located, but do not have the right to access them (category VI);

service personnel (security, engineering and technical services, etc.) (category VII);

authorized personnel of ISPD developers who, on a contractual basis, have the right to maintain and modify ISPD components (category VIII).

Persons of categories I and II are entrusted with the tasks of administering the ISPD software and hardware and databases to integrate and ensure the interaction of various subsystems that make up the ISPD. Administrators can potentially implement IS threats using the opportunities for direct access to protected information processed and stored in ISPD, as well as to ISPD hardware and software, including security tools used in specific AS, in accordance with the administrative powers established for them.

These persons are well acquainted with the basic algorithms, protocols implemented and used in specific subsystems and ISPDs in general, as well as with the applied security principles and concepts.

It is assumed that they could use standard tools either to identify vulnerabilities or to implement information security threats. These tools may be part of the standard facilities, or may be easily obtained (for example, software obtained from publicly available external sources).

In addition, it is assumed that these persons could have specialized equipment.

For persons of categories I and II, in view of their exclusive role in the ISPD, a set of special organizational and regime measures should be applied for their selection, employment, appointment to a position and control over the performance of functional duties.

It is intended that only trusted persons will be included in categories I and II, and therefore these persons are excluded from the list of likely intruders.

It is assumed that persons in categories III-VIII are likely intruders.

The capabilities of an internal intruder depend significantly on the regime in force within the controlled zone and on the organizational and technical protection measures, including the admission of individuals to PD and control over the work procedure.

Internal potential violators are divided into eight categories depending on the method of access and authority to access PD.

This article is devoted to the analysis of modern technologies that pose a threat to computer security and the main trends in the development of malicious programs in 2006.

General malware development trends

In 2006, the author discovered and analyzed 49,697 unique varieties of malicious software, 47,907 of which belong to major families. Based on the results of their analysis, a chart was constructed showing the percentage composition of malicious programs by families for the year (Fig. 1).

Fig. 1. Percentage composition of ITW samples by families

As can be seen from the chart, 37% of all programs studied are malicious programs of the Trojan-Downloader type. This is a stable trend that has been traced since 2005 and is explained by the fact that Trojan-Downloaders are used to install malicious programs, update their versions and restore them if they are removed by an antivirus. Most of the studied cases of computer infection by malware begin with the launch of a Trojan-Downloader, by means of an exploit or social engineering. The next most common are mail and network worms, Trojans of various types, and programs of the Dialer class.

Statistical analysis of the detection dynamics of ITW (In The Wild) samples shows that malware developers have adopted and are actively using a new technique against signature scanners. It is extremely simple: the developer creates hundreds of variants of the same malicious program within a short period of time. The simplest methods for obtaining such variants are as follows:

  • repacking by different packers and crypters - can be performed periodically or at the time of file request, the set of packers and their parameters can vary randomly. Often, malware authors use modified packers and crypters, which makes them difficult to check;
  • recompilation of the file with modifications sufficient to change the signatures of the file by which it is detected;
  • placing the malicious file in an installation package created with NSIS (Nullsoft Scriptable Install System). Because the installer's source code is open, it can be slightly modified, which makes it impossible to unpack and analyze the package automatically during an anti-virus scan.

These techniques have been known for a long time and can be used in various combinations, which allows the author of a malicious program to easily create hundreds of variants of the same program without using classical polymorphic techniques. This can be traced on the example of Trojan-Downloader.Win32.Zlob. Consider the statistics of its detections over the past 40 days (Fig. 2).

Fig. 2. Trojan-Downloader.Win32.Zlob detection dynamics over 40 days

During this period, the author discovered 2198 ITW samples of Trojan-Downloader.Win32.Zlob, of which 1213 are unique. The graph shows two curves: the number of detections per day and the number of unique file variants. It can be seen from the graph that approximately every second ITW sample discovered is a unique file, and this relationship remains stable for the month. According to the Kaspersky Lab classification, the 1213 samples considered belong to 169 sub-variants of this malicious program. Such statistics are quite revealing: there are many malicious programs for which dozens of new modifications are discovered every day.

Another characteristic trend can be seen in the example of the Warezov mail worm. During the month, the author recorded 5333 ITW samples, of which 459 are unique. The activity distribution graph is shown in fig. 3.

Fig. 3. Warezov mail worm activity

The spikes on the graph are the periods of epidemics associated with the emergence of new varieties of the worm (in this case Email-Worm.Win32.Warezov.gj, Email-Worm.Win32.Warezov.fb and Email-Worm.Win32.Warezov.hb). The graph shows that an active epidemic lasts 2-5 days on average, after which the number of Warezov detections drops to a "background" level of 10-30 samples per day. The appearance of such bursts is easy to explain: a new variant of the worm is not detected by antiviruses, so it infects many PCs and an epidemic begins. It develops rapidly, but within a day the worm's signatures get into the antivirus databases and the epidemic declines just as rapidly.

The active distribution of Trojan programs of the Trojan-SPY category, spies that steal users' personal data, deserves separate mention. Among them the well-known Goldun stands out, which steals information about accounts in the e-gold system. The latest versions of this Trojan actively use rootkit technologies for concealment and espionage (Fig. 4).

Fig. 4. Graph of Trojan-SPY activity for the last month

An analysis of the technologies used by malware creators shows that no revolutionary new technologies were invented in 2006 - malware developers focus on quantity, not quality. However, there are several new developments that deserve more discussion.

In conclusion, let's consider a summary averaged graph built according to the data of the author's system for automatic monitoring of viral activity (Fig. 5).

Fig. 5. Statistics of the automatic malware detection system for the last 40 days

The graph shows that the automatic system registers on average about 400 new unique varieties of malicious programs per day.

Rootkit technologies

The year 2006 saw the development and improvement of various types of rootkits and rootkit technologies. These technologies are used by many malicious programs, and several kinds can be distinguished:

  • Rootkit technologies for masking, the main purpose of which is to hide the presence of a malicious program and its components on disk and in memory, as well as to hide keys in the registry. To do this, interception of API functions is most often used, and modern rootkits contain very sophisticated interception methods, for example injecting code into non-exported kernel functions, hooking the INT 2Eh interrupt, or modifying the SYSENTER entry. DKOM rootkits (Direct Kernel Object Manipulation), which are becoming increasingly popular, deserve separate mention;
  • Rootkit technologies for espionage - as the name suggests, they are used to monitor the user's activities and collect confidential information. The most typical example is Trojan-Spy.Win32.Goldun, which, according to the rootkit principle, intercepts the exchange of applications with the Internet in order to search for details of the user's credit cards in the stream of transmitted information.

Let's take a closer look at DKOM rootkits. Their operation is based on modifying the system structures that describe processes, drivers, threads and handles. Such intervention in system structures is, of course, undocumented and highly incorrect; however, after it the system continues to work more or less stably. The practical consequence is that the attacker can manipulate kernel structures for his own purposes. For example, for each running process the kernel creates an EPROCESS structure that stores a lot of information about the process, in particular its identifier (PID) and name. These structures form a doubly linked list and are used by the API functions that return information about running processes. To hide a process, a DKOM rootkit simply removes its EPROCESS structure from the list. Implementing such concealment is extremely simple, and dozens of ready-made implementations with source code can be found on the Internet.

More complex rootkits are not limited to removing the structure of the hidden object from the list: they also distort the data it contains. As a result, even if an anti-rootkit finds a hidden process or driver, it receives incorrect information about it. Because of the ease of implementation, such rootkits are becoming increasingly popular, and it is becoming increasingly difficult to deal with them. Studies have shown that the most effective counter-measure is to install a monitor in the system that tracks the starting and stopping of processes and the loading and unloading of drivers. Comparing the information collected by such a monitor with the data returned by the system makes it possible to detect the modifications made by a DKOM rootkit, understand their nature, and find the hidden processes and drivers.
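The comparison step of that counter-measure, as an added example (not code from the original article): a start/exit event log from an independent monitor is replayed into a "believed running" set and diffed against a snapshot from the process enumeration API. A process present in the monitor's set but absent from the API view is hidden; a process whose recorded name differs from the API's name has had its structure distorted; a process the API lists but the monitor never saw start shows the monitor's own blind spot (it was loaded too late). The event log and the API snapshot are constructed inline.

```python
"""Counter-measure the text describes for DKOM rootkits: keep an independent
record of process starts and exits and compare it with what the process
enumeration API returns.  A process the monitor saw start but the API no
longer lists is hidden; a process whose recorded name differs from the API's
name has had its kernel structure distorted.  Added example over a constructed
event log; not code from the original article."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    seq: int      # event order as recorded by the monitor (constructed)
    kind: str     # "start" or "exit"
    pid: int
    name: str


def rebuild_live_set(events):
    """Replay the monitor's events in order; the result is what it believes is running now."""
    live = {}
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.kind == "start":
            live[ev.pid] = ev.name
        elif ev.kind == "exit":
            live.pop(ev.pid, None)
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
    return live


def compare_with_api(monitor_live, api_snapshot):
    """monitor_live and api_snapshot are both dict pid -> name.
    Returns (hidden, distorted, unseen):
      hidden    - running per the monitor, absent from the API list (unlinked EPROCESS)
      distorted - present in both, but the API reports a different name
      unseen    - in the API list but never seen starting (monitor started too late)."""
    hidden = {pid: n for pid, n in monitor_live.items() if pid not in api_snapshot}
    distorted = {pid: (n, api_snapshot[pid]) for pid, n in monitor_live.items()
                 if pid in api_snapshot and api_snapshot[pid] != n}
    unseen = {pid: n for pid, n in api_snapshot.items() if pid not in monitor_live}
    return hidden, distorted, unseen


def audit(events, api_snapshot):
    """Convenience wrapper: replay the log, then diff it against the API view."""
    return compare_with_api(rebuild_live_set(events), api_snapshot)


# Constructed monitor log and constructed API snapshot taken afterwards.
SAMPLE_EVENTS = [
    ProcEvent(1, "start", 4, "System"),
    ProcEvent(2, "start", 620, "services.exe"),
    ProcEvent(3, "start", 1188, "explorer.exe"),
    ProcEvent(4, "start", 2044, "notepad.exe"),
    ProcEvent(5, "exit", 2044, "notepad.exe"),       # exited normally: absent from both
    ProcEvent(6, "start", 3120, "svchost.exe"),      # later unlinked by the rootkit
    ProcEvent(7, "start", 3300, "updater.exe"),      # name field later distorted
]
SAMPLE_API_SNAPSHOT = {
    4: "System",
    620: "services.exe",
    900: "lsass.exe",        # started before the monitor: reported as unseen
    1188: "explorer.exe",
    3300: "updatr.exe",
}

if __name__ == "__main__":
    hidden, distorted, unseen = audit(SAMPLE_EVENTS, SAMPLE_API_SNAPSHOT)
    print("hidden:", hidden)
    print("distorted:", distorted)
    print("unseen by monitor:", unseen)
```

The same diff applies to driver load/unload events against the loaded-module list. The "unseen" group is why such a monitor is loaded as early as possible in the boot sequence: anything that started before it cannot be vouched for either way.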

Hoax programs

Hoax programs continue to develop actively, so the growth of this family in 2007 can be confidently predicted. Literally, a hoax is a deception or fraud. The idea of Hoax programs is to deceive the user, most often for the purpose of making a profit or stealing confidential information. Recently there has been a tendency towards the criminalization of this field: if a year ago most Hoax programs performed relatively harmless actions, simulating infection of the computer with viruses or SpyWare code, modern ones are increasingly aimed at stealing passwords or confidential information. An example of such a program is shown in Fig. 6.

Fig. 6. Window of the program Hoax.Win32.Delf

As follows from the program window and its description, this is a license generator for Kaspersky Anti-Virus. The program prompts the user to enter an e-mail address and the password for that mailbox in order to receive the generated license. If a gullible user does this and clicks the "Get cipher" button, the data entered is sent to the attacker by e-mail. More than a hundred such programs have been discovered over the past year: various "cracks", generators of payment cards for mobile operators, generators of credit card numbers, tools for "hacking" mailboxes, etc. A common feature of such programs is deception of the user, aimed at making him enter some confidential information himself. The second characteristic feature of Hoax applications is their primitiveness: their code contains many errors and inaccuracies. Such programs are often created by novice virus writers.

The development trend of Hoax programs can be seen on the example of Hoax.Win32.Renos (Fig. 7).

Fig. 7. Hoax.Win32.Renos detection dynamics over the last 30 days

It can be seen from the graph that the author detects at least one new unique variant of this malware per day, and in just a month 60 new unique variants are observed, which are included in 18 sub-variants according to the classification of Kaspersky Lab.

Trojans for blackmail and extortion

Programs of this variety first appeared a couple of years ago. Their main goal is to directly blackmail the user and extort money from him for restoring the computer to working order or for decrypting information encrypted by the Trojan. Most often, the author receives reports and requests for help from users affected by the Trojan.Win32.Krotten trojan, which extorts 25 WMZ to restore the computer to working order. This Trojan is extremely primitive in design, and all its work comes down to modifying hundreds of registry keys (a detailed description of one of its varieties can be found at http://www.z-oleg.com/secur/virlist/vir1180.php). A feature of this family of Trojans is that finding and destroying the Trojan is not enough to cure a computer: the damage it caused to the system must also be repaired. While the registry damage created by the Krotten Trojan is quite easy to repair, encrypted information is much more difficult to recover. For example, the creator of the Trojan Gpcode, which encrypts user data, gradually increases the length of the encryption key, thereby challenging the anti-virus companies. You can read more about this Trojan in the article "Blackmailer" at http://www.viruslist.com/ru/analysis?pubid=188790045 .

Program code injection as a hidden launch method

This technology is most clearly seen in modern Trojan-Downloaders, but it is gradually being introduced into other malicious programs as well. Its technique is relatively simple: the malicious program notionally consists of two parts, an "injector" and the Trojan code. The task of the "injector" is to unpack and decrypt the Trojan code and inject it into some system process. It is at this stage that the malware studied differs, in the method of injecting the Trojan code:

  • injection by context substitution: the injector prepares and decrypts the Trojan code (step 1), then launches some system process, creating it in the "sleeping" (suspended) state (step 2). Next, the injector writes the Trojan code into the process memory (such a write can even be performed on top of the process's own machine code), after which it modifies the context of the main thread so that the Trojan code receives control (step 3). The main thread is then started and the Trojan code executes. This method is interesting in that any process manager will show a legitimate program (say, svchost.exe) executing, while the memory actually holds and executes Trojan code instead of the legitimate program's machine code. This allows firewalls that have no means of controlling modifications of process memory and thread contexts to be bypassed (Fig. 8);

Fig. 8. Injection by context substitution

  • injection of Trojan threads - this method is ideologically similar to the previous one, but instead of replacing the machine code of the process with Trojan code and executing it in the main thread, an additional thread is created in which the Trojan code is executed (step 2). This method is often used to inject Trojan code into an already running process without disrupting its operation (Fig. 9).

Fig. 9. Injection by creating a Trojan thread

New methods of stealing WebMoney

At the end of 2006, a new and rather original method of stealing money in the WebMoney system was discovered. It is based on placing a small Trojan program on the user's computer, which monitors whether the WebMoney program window is open. If it is, the Trojan watches the clipboard. When it finds text in the clipboard that starts with "Z", "R" or "E", the Trojan assumes that this is a recipient's wallet number, which the user has copied to the clipboard in order to paste it into the WebMoney window. This number is removed from the clipboard and replaced with the "Z", "R" or "E" number of the attacker's wallet. The method is extremely simple to implement and can be quite effective, since wallet numbers are most often not typed in but copied via the clipboard, and not all users carefully check the wallet number that was pasted from the clipboard. This Trojan is a clear demonstration of the ingenuity of Trojan developers.

Detection of debuggers and virtual PCs

Techniques for countering debuggers, emulators and virtual machines have been known for a long time. Their use makes it harder for a novice analyst to study malware, which is why malware developers have successfully used such technologies for years. However, over the past year a new trend has emerged: malware has begun trying to determine the type of computer it is running on, i.e. whether it is real hardware or an emulation created by programs such as Virtual PC or VMware. Such virtual PCs have been and are actively used by administrators to study suspicious programs. If the check finds that the program has been launched on a virtual PC (or, as a variant, under a debugger), the malicious program can simply terminate, which prevents it from being studied. In addition, such a check affects systems like Norman Sandbox, since their principle of heuristic analysis essentially consists of running the program under study on an emulator and examining its behaviour. At the end of the year, SANS Institute experts Tom Liston and Ed Skoudis published a very interesting report describing virtual machine detection techniques and ways to counter them. The document can be downloaded from the SANS website: http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf .

Spambots and Trojan proxies

A spam bot is a stand-alone Trojan designed to automatically send spam from an infected computer. A Trojan proxy is a malicious program with the functions of a proxy server; its functioning on the affected computer allows an attacker to use it as a proxy server to send spam, attack other computers, and perform other illegal actions. Many modern spam bots actively mask their presence using rootkit technologies and protect themselves from deletion. Statistics show that more than 400 ITW varieties of such programs are discovered per month, of which about 130 are new and unique.

A spam bot poses a great threat to corporate networks, as its operation leads to the following consequences:

  • high consumption of network traffic - in most Russian cities there are still no unlimited tariffs, so the presence of several affected computers on the network can lead to significant financial losses due to traffic consumption;
  • many corporate networks use static IP addresses and their own mail servers to access the Internet. Consequently, as a result of spam bot activity, these IP addresses will quickly end up on the black lists of anti-spam filters, which means that mail servers on the Internet will stop accepting mail from the company's corporate mail server. It is possible to have an IP address removed from a black list, but this is quite difficult, and while spam bots are running on the network it will only be a temporary measure.

The methods of countering spam bots and Trojan proxies are very simple: port 25 should be blocked for all users, and ideally they should be completely prohibited from communicating directly with the Internet, replacing this with access through proxy servers. For example, at Smolenskenergo all users access the Internet only through a proxy with a system of filters, and a semi-automatic study of the logs is carried out daily by the system administrator on duty. The analyzer used makes it easy to detect anomalies in user traffic and take timely measures to block suspicious activity. In addition, IDS (Intrusion Detection System) systems that examine user network traffic give excellent results.
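The daily log review described above can be partly automated. The following is an added example, not code from the article or from Smolenskenergo: it reads constructed border-firewall lines that record outbound TCP/25 attempts and flags workstations that fan out to many different mail servers within a minute, while exempting the corporate mail server (an assumed address, 192.168.10.5).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: a border firewall that records every outbound
# connection attempt to TCP port 25. Only the corporate mail server
# (192.168.10.5, an assumed address) is allowed to speak SMTP directly.
SAMPLE_LOG = """\
2006-12-04 10:15:01 ACCEPT TCP 192.168.10.5:41022 -> 64.233.167.27:25
2006-12-04 10:15:02 DROP TCP 192.168.10.17:3321 -> 64.233.167.27:25
2006-12-04 10:15:02 DROP TCP 192.168.10.17:3322 -> 65.54.245.8:25
2006-12-04 10:15:03 DROP TCP 192.168.10.17:3323 -> 209.85.135.27:25
2006-12-04 10:15:03 DROP TCP 192.168.10.17:3324 -> 213.180.204.38:25
2006-12-04 10:15:04 DROP TCP 192.168.10.17:3325 -> 194.67.57.45:25
2006-12-04 10:15:04 DROP TCP 192.168.10.17:3326 -> 64.12.138.57:25
2006-12-04 10:15:05 ACCEPT TCP 192.168.10.23:1044 -> 213.180.193.3:80
2006-12-04 10:15:06 DROP TCP 192.168.10.23:1045 -> 194.67.57.45:25
2006-12-04 10:15:07 ACCEPT TCP 192.168.10.5:41023 -> 194.67.57.45:25
2006-12-04 10:15:08 DROP UDP 192.168.10.31:1234 -> 10.0.0.9:25
this line is garbage and must be skipped
"""

# Assumed log format: "<date> <time> <ACCEPT|DROP> <TCP|UDP> src:port -> dst:port"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ACCEPT|DROP) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do
    not match the expected format so that garbage never aborts the run."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def smtp_fanout(log_text, allowed_senders, window_seconds=60):
    """For every host that is not an authorised sender, return
    (attempts, fanout): the number of outbound TCP/25 attempts and the
    largest number of distinct SMTP servers contacted within any
    window_seconds-long window. Both ACCEPT and DROP lines count,
    since a blocked attempt still reveals the infected host."""
    attempts = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != 25:
            continue
        if rec["src"] in allowed_senders:
            continue
        attempts[rec["src"]].append((rec["ts"], rec["dst"]))

    result = {}
    for src, events in attempts.items():
        events.sort()
        fanout = 0
        for i, (t0, _) in enumerate(events):
            seen = set()
            for ts, dst in events[i:]:
                if (ts - t0).total_seconds() > window_seconds:
                    break
                seen.add(dst)
            fanout = max(fanout, len(seen))
        result[src] = (len(events), fanout)
    return result


def suspected_spambots(log_text, allowed_senders, min_destinations=3,
                       window_seconds=60):
    """Hosts whose fan-out reaches min_destinations: a desktop that tries
    many different mail servers within a minute is delivering spam itself.
    A host with a single attempt is more likely a misconfigured mail
    client and is left in the statistics for the administrator to review."""
    stats = smtp_fanout(log_text, allowed_senders, window_seconds)
    return sorted(src for src, (_, fanout) in stats.items()
                  if fanout >= min_destinations)


if __name__ == "__main__":
    allowed = {"192.168.10.5"}
    for src, (n, fanout) in sorted(smtp_fanout(SAMPLE_LOG, allowed).items()):
        print(f"{src}: {n} SMTP attempts, up to {fanout} distinct servers/min")
    print("block and inspect:", suspected_spambots(SAMPLE_LOG, allowed))
```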

Spreading Malicious Programs Using Internet Messengers

According to statistics collected during the year, instant messengers are increasingly used to deliver malicious programs to users' computers. The delivery technique is classic social engineering: from an infected computer, on behalf of its owner's ICQ account, the malicious program sends out messages urging the recipient, under one pretext or another, to open the specified link. The link leads to a Trojan (usually with a plausible name like picture.pif or flash_movie.exe) or to a site whose pages contain exploits. It should be emphasized that it is links to malicious programs that are distributed, not their bodies.

Over the past year, several epidemics based on this principle have been recorded. In Russia, the victims were mainly ICQ users, and programs of the Trojan-PSW category (Trojans that steal user passwords) were most often distributed this way. The author receives on average from one to ten such messages per day, and an increase in such mailings was observed towards the end of the year.

Protection against this type of malware is extremely simple: such links should not be opened. However, statistics show that users' curiosity often prevails, all the more so when the message comes from someone they know. In a corporate environment, an effective measure is to ban the use of instant messengers, since from a security standpoint they are an ideal channel for information leakage.

USB flash media

A significant drop in prices for flash media (along with an increase in their capacity and speed) has had a natural effect: a rapid growth in their popularity among users. Accordingly, malware developers began creating programs that infect flash drives. The principle of operation of such programs is extremely simple: two files are created in the root of the disk, the text file autorun.inf and a copy of the malicious program. The autorun file is used to launch the malware automatically when the drive is connected. A classic example of such malware is the Rays mail worm. It is important to note that a digital camera, many cell phones, MP3 players and PDAs can act as virus carriers: from the point of view of a computer (and, accordingly, a worm) they are indistinguishable from a flash disk. At the same time, the presence of malware does not affect the operation of these devices in any way.

Protection against such programs can consist of disabling autorun and using anti-virus monitors for timely detection and removal of the virus. Faced with the threat of an influx of viruses and information leakage, many companies take more stringent measures: blocking the ability to connect USB devices with specialized software, or blocking USB drivers in the system settings.
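Before a removable drive is opened, its autorun.inf can be inspected to see what it would launch. The following is an added example, not the article's code and not the Rays worm's file: the autorun.inf content and the RECYCLER\tmp.exe path are constructed to model the two-file pattern described above (a copy of the malware on the drive plus an autorun.inf pointing at it).

```python
import re
from pathlib import Path

# Extensions Windows would execute directly from an open= / shellexecute= entry.
EXEC_EXTENSIONS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js"}

# Constructed sample: a worm-style autorun.inf. The open= and shellexecute=
# keys fire on AutoPlay; the shell\<verb>\command keys hijack the Open and
# Explore entries of the drive's context menu, so double-clicking the drive
# icon in Explorer also runs the program.
SAMPLE_AUTORUN = """\
[autorun]
; AutoPlay configuration
open=RECYCLER\\tmp.exe
shellexecute=RECYCLER\\tmp.exe
shell\\open\\Command=RECYCLER\\tmp.exe
shell\\explore\\Command=RECYCLER\\tmp.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=My Photos
"""

SHELL_VERB_RE = re.compile(r"shell\\[^\\]+\\command")


def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section with keys
    lower-cased. Other sections and ';' comment lines are ignored."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Every entry that runs a command: open=, shellexecute= and any
    shell\\<verb>\\command=. icon= and label= only affect appearance."""
    return {key: value for key, value in entries.items()
            if key in ("open", "shellexecute") or SHELL_VERB_RE.fullmatch(key)}


def assess(text):
    """Return [(key, program, on_drive)] for each entry that would run an
    executable. on_drive is True when the path is relative, i.e. the
    program ships on the removable medium itself (the worm pattern); an
    absolute path such as %SystemRoot%\\... points at the host instead."""
    findings = []
    for key, cmd in launch_targets(parse_autorun(text)).items():
        m = re.match(r'"([^"]+)"|(\S+)', cmd.strip())  # first (possibly quoted) token
        if not m:
            continue
        program = m.group(1) or m.group(2)
        ext = Path(program.replace("\\", "/")).suffix.lower()
        if ext in EXEC_EXTENSIONS:
            on_drive = re.match(r"^(?:[A-Za-z]:|%|\\\\)", program) is None
            findings.append((key, program, on_drive))
    return findings


def scan_drive_root(root):
    """Check the root of a mounted removable drive: returns assess() output
    for its autorun.inf, or [] when the file is absent."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return []
    return assess(inf.read_text(encoding="ascii", errors="replace"))


if __name__ == "__main__":
    for key, program, on_drive in assess(SAMPLE_AUTORUN):
        where = "on the drive itself" if on_drive else "on the host"
        print(f"{key} would run {program} ({where})")
```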

Conclusion

In this article, the main directions of development of malicious programs were considered. Their analysis allows us to make several predictions:

  • it can be assumed that masking from signature scanners and protection against launch on virtual computers and emulators will be actively developed. Consequently, various heuristic analyzers, firewalls and proactive defense systems come to the fore in combating such malware;
  • there is a clear criminalization of the malware development industry: the share of spam bots, Trojan proxies and Trojans for stealing users' passwords and personal data is growing. Unlike viruses and worms, such programs can cause significant material damage to users. The growth of the industry of Trojans that encrypt users' data makes periodic backups worth considering, since they reduce the damage from such a Trojan to virtually zero;
  • an analysis of computer infection cases shows that attackers often hack web servers in order to place malicious programs on them. Such hacking is much more dangerous than the so-called deface (substitution of the site's home page), since the computers of site visitors can be infected. It can be assumed that this direction will develop very actively;
  • flash drives, digital cameras, MP3 players and PDAs are becoming a growing security threat, as they can carry viruses. Many users underestimate the danger posed by, say, a digital camera; however, in 2006 the author happened to study at least 30 incidents related to such devices;
  • analysis of the design and operating principles of malicious programs shows that it is possible to protect yourself from them without an antivirus: they simply cannot function in a properly configured system. The main protection rule is that the user works under a limited account, which, in particular, has no permission to write to system folders, to manage services and drivers, or to modify system registry keys.

Active Edition from 15.02.2008

"BASIC MODEL OF PERSONAL DATA SECURITY THREATS DURING THEIR PROCESSING IN PERSONAL DATA INFORMATION SYSTEMS" (approved on February 15, 2008 by the FSTEC of the Russian Federation)

5. Threats of unauthorized access to information in the personal data information system

UA threats in ISPD implemented using software and software/hardware tools arise during unauthorized, including accidental, access that results in a violation of the confidentiality (copying, unauthorized distribution), integrity (destruction, modification) and availability (blocking) of PD, and include:

  • threats of access (penetration) into the operating environment of a computer using standard software (operating system tools or general-use application programs);
  • threats of creating abnormal operating modes of software (software and hardware) tools through deliberate changes to service data, ignoring the restrictions on the composition and characteristics of the processed information provided for under normal conditions, distortion (modification) of the data itself, etc.;
  • threats of malware introduction (software-mathematical impact).

The composition of the elements of the description of UA threats to information in the ISPD is shown in Figure 3.

In addition, combined threats are possible, which are a combination of these threats. For example, due to the introduction of malicious programs, conditions can be created for unauthorized access to the operating environment of a computer, including through the formation of non-traditional information access channels.

Threats of access (penetration) into the ISPD operating environment using standard software are divided into threats of direct and remote access. Direct access threats are implemented using the software and firmware of the computer's input/output facilities. Remote access threats are implemented using network communication protocols.

These threats are implemented with respect to ISPD both on the basis of an automated workplace that is not included in the public communication network, and in relation to all ISPD that are connected to public communication networks and international information exchange networks.

Description of threats of access (penetration) to the operating environment of a computer can formally be represented as follows:

threat of UA in ISPD := <threat source>, <ISPD vulnerability>, <threat implementation method>, <target object (program, protocol, data, etc.)>, <destructive action>.

Figure 3. Elements of the description of UA threats to information in ISPD

Threats of creating abnormal operating modes of software (software and hardware) tools are "Denial of Service" threats. As a rule, these threats are considered in relation to ISPD based on local and distributed information systems, regardless of whether they are connected to information exchange networks. Their implementation is possible because the development of system or application software did not take into account the possibility of deliberate actions to purposefully change:

  • data processing conditions (for example, ignoring restrictions on the length of a message packet);
  • data presentation formats (a discrepancy between the modified formats and those established for processing using network interaction protocols);
  • data processing software.

The implementation of Denial of Service threats results in buffer overflows and the blocking of processing procedures, "looping" of processing procedures and "freezing" of the computer, dropping of message packets, etc. The description of such threats can formally be presented as follows:

Denial of Service threat := <threat source>, <ISPD vulnerability>, <threat implementation method>, <target object (PD carrier)>, <immediate result of threat implementation (buffer overflow, blocking of a processing procedure, "looping" of processing, etc.)>.

It is inappropriate to describe the threats of malicious programs (software-mathematical impact) in the same detail as the threats above. This is because, firstly, the number of malicious programs today already significantly exceeds one hundred thousand. Secondly, when organizing information protection in practice, it is usually enough to know the class of a malicious program and the methods and consequences of its introduction (infection). Accordingly, threats of software-mathematical impact (PMI) can be formally represented as follows:

PMI threat in ISPD := <malware class (with its habitat indicated)>, <threat source (malware carrier)>, <infection method>, <target object (boot sector, file, etc.)>, <description of possible destructive actions>, <additional information about the threat (residency, spreading speed, polymorphism, etc.)>.

Below is a general description of the sources of information security threats, of the vulnerabilities that can be used in the implementation of UA threats, and of the results of unauthorized or accidental access. A description of the methods for implementing threats is given when describing threats of access (penetration) to the operating environment of a computer, denial of service threats and PMI threats.

Sources of UA threats in ISPD can be:

  • an intruder;
  • a malware carrier;
  • a hardware implant.

Threats to the security of personal data associated with the introduction of hardware implants are determined in accordance with the regulations of the Federal Security Service of the Russian Federation in the manner prescribed by it.

According to whether they have the right of permanent or one-time access to the controlled area (KZ) of the ISPD, violators are divided into two types:

  • violators who do not have access to the ISPD and implement threats from external public communication networks and (or) international information exchange networks (external violators);
  • violators who have access to the ISPD, including ISPD users, and implement threats directly in the ISPD (internal violators).

External intruders can be:

  • intelligence services of states;
  • criminal structures;
  • competitors (competing organizations);
  • dishonest partners;
  • external subjects (individuals).

An external intruder has the following capabilities:

  • carry out unauthorized access to communication channels that extend beyond the office premises;
  • carry out unauthorized access through workstations connected to public communication networks and (or) international information exchange networks;
  • carry out unauthorized access to information using special software actions: software viruses, malware, algorithmic or software implants;
  • carry out unauthorized access through elements of the ISPD information infrastructure that, in the course of their life cycle (modernization, maintenance, repair, disposal), are outside the controlled area;
  • carry out unauthorized access through the information systems of interacting departments, organizations and institutions when they are connected to the ISPD.

The capabilities of an internal violator depend significantly on the regime and on the organizational and technical protection measures in force within the controlled area, including the admission of individuals to personal data and control over the work procedure.

Internal potential violators are divided into eight categories depending on the method of access and authority to access PD.

The first category includes persons who have authorized access to ISPD, but do not have access to PD. This type of offenders includes officials who ensure the normal functioning of the ISPD.

  • has access to fragments of information containing PD that are distributed over internal ISPD communication channels;
  • has fragments of information about the ISPD topology (the communication part of the subnet) and about the communication protocols used and their services;
  • has the names of registered users and works to discover their passwords;
  • can change the configuration of the ISPD hardware, introduce software and hardware implants into it, and retrieve information using a direct connection to the ISPD hardware.

  • has all the capabilities of persons of the first category;
  • knows at least one legal access name;
  • has all the necessary attributes (for example, a password) that provide access to a certain subset of PD;
  • has confidential data to which it has access.

Its access, authentication and access rights to a certain subset of PD should be regulated by the relevant access control rules.

  • has all the capabilities of persons of the first and second categories;
  • has information about the ISPD topology based on the local and (or) distributed information system through which access is provided, and about the composition of the ISPD technical means;
  • has the possibility of direct (physical) access to fragments of the ISPD technical means.

  • possesses complete information about the system and application software used in the ISPD segment (fragment);
  • possesses complete information about the technical means and configuration of the ISPD segment (fragment);
  • has access to information security and logging tools, as well as to individual elements used in the ISPD segment (fragment);
  • has access to all technical means of the ISPD segment (fragment);
  • has the rights to configure and administer some subset of the technical means of the ISPD segment (fragment).

  • has all the capabilities of persons of the previous categories;
  • possesses complete information about the system and application software of the ISPD;
  • possesses complete information about the technical means and configuration of the ISPD;
  • has access to all technical means of information processing and ISPD data;
  • has the rights to configure and administer the technical means of the ISPD.

The system administrator configures and manages the software and hardware, including equipment responsible for the security of the protected object: cryptographic information protection tools, monitoring, logging, archiving, and protection against unauthorized access.

  • has all the capabilities of persons of the previous categories;
  • has complete information about the ISPD;
  • has access to information security and logging tools and to some of the key elements of the ISPD;
  • has no access rights to configure network hardware, except for control (inspection).

The security administrator is responsible for compliance with access control rules, for generating key elements, and changing passwords. The security administrator audits the same object protections as the system administrator.

  • possesses information about the algorithms and programs for processing information in the ISPD;
  • has the ability to introduce errors, undeclared features, software implants and malware into the ISPD software at the stage of its development, implementation and maintenance;
  • may have any fragments of information about the ISPD topology and the technical means for processing and protecting the PD processed in the ISPD.

  • has the ability to introduce implants into the technical means of the ISPD at the stage of their development, implementation and maintenance;
  • may have any fragments of information about the ISPD topology and the technical means for processing and protecting information in the ISPD.

The carrier of a malicious program can be a hardware element of a computer or a software container. If the malicious program is not associated with any application program, then the following are considered as its carrier:

  • removable media, i.e. floppy disks, optical discs (CD-R, CD-RW), flash memory, removable hard drives, etc.;
  • built-in storage media (hard drives, RAM chips, the processor, motherboard chips, chips of devices built into the system unit such as the video adapter, network card, sound card, modem, input/output controllers of magnetic hard and optical drives, power supply, etc.; direct memory access chips, data buses, input/output ports);
  • chips of external devices (monitor, keyboard, printer, modem, scanner, etc.).

If a malicious program is associated with some application program, with files that have certain extensions or other attributes, or with messages transmitted over the network, then its carriers are:

  • packets of messages transmitted over a computer network;
  • files (text, graphic, executable, etc.).

5.2. General characteristics of personal data information system vulnerabilities

Vulnerability of the information system of personal data - a flaw or weakness in the system or application software (hardware) of an automated information system that can be used to implement a threat to the security of personal data.

The causes of vulnerabilities are:

  • errors in the design and development of software (software and hardware) support;
  • intentional actions to introduce vulnerabilities during the design and development of software (software and hardware) support;
  • incorrect software settings, illegal changes in the operating modes of devices and programs;
  • unauthorized introduction and use of unrecorded programs with subsequent unjustified expenditure of resources (processor load, seizure of RAM and of memory on external media);
  • introduction of malicious programs that create vulnerabilities in software and firmware;
  • unauthorized unintentional actions of users leading to vulnerabilities;
  • failures in the operation of hardware and software (caused by power failures, failure of hardware elements as a result of aging and reduced reliability, external influences of electromagnetic fields of technical devices, etc.).

The classification of the main ISPD vulnerabilities is shown in Figure 4.

Figure 4. Classification of software vulnerabilities

Below is a general description of the main groups of ISPD vulnerabilities, including:

  • vulnerabilities in system software (including network interaction protocols);
  • vulnerabilities in application software (including information security tools).

5.2.1. General characteristics of system software vulnerabilities

System software vulnerabilities must be considered with reference to the architecture of computing systems.

The following vulnerabilities are possible:

  • in microprograms, in ROM and PROM firmware;
  • in operating system tools designed to manage local ISPD resources (providing the functions of managing processes, memory, input/output devices, the user interface, etc.), drivers and utilities;
  • in operating system tools designed to perform auxiliary functions: utilities (archiving, defragmentation, etc.), system processing programs (compilers, linkers, debuggers, etc.), programs providing additional services to the user (special interface options, calculators, games, etc.), libraries of procedures for various purposes (libraries of mathematical functions, input/output functions, etc.);
  • in the communication facilities (network tools) of the operating system.

Vulnerabilities in firmware and in operating system tools designed to manage local resources and auxiliary functions can be:

  • functions and procedures whose parameters, when changed in a certain way, allow them to be used for unauthorized access without the operating system detecting such changes;
  • fragments of program code ("holes", "trapdoors") introduced by the developer that allow the procedures of identification, authentication, integrity checking, etc. to be bypassed;
  • errors in programs (in the declaration of variables, functions and procedures, in program code) which under certain conditions (for example, when performing logical transitions) lead to failures, including failures in the functioning of information security tools and systems.

Vulnerabilities of network interaction protocols are related to the peculiarities of their software implementation and are due to restrictions on the size of the buffer used, deficiencies in the authentication procedure, lack of checks for the correctness of service information, etc. A brief description of these vulnerabilities in relation to protocols is given in Table 2.

Table 2

Vulnerabilities of individual protocols of the TCP/IP protocol stack, on the basis of which global public networks operate

| Protocol name | Protocol stack layer | Name (characteristic) of the vulnerability | Content of the information security breach |
| --- | --- | --- | --- |
| FTP (File Transfer Protocol): protocol for transferring files over a network | | 1. Clear-text authentication (passwords are sent unencrypted). 2. Default access. 3. Two open ports | Possibility of intercepting account data (names of registered users, passwords). Obtaining remote access to hosts |
| telnet: remote terminal control protocol | Application, presentation, session | Clear-text authentication (passwords are sent unencrypted) | Possibility of intercepting user account data. Obtaining remote access to hosts |
| UDP: connectionless data transfer protocol | Transport | No mechanism to prevent buffer overloads | Possibility of implementing a UDP storm. The packet exchange leads to a significant degradation of server performance |
| ARP: protocol for converting an IP address to a physical address | Network | Clear-text authentication (information is sent unencrypted) | Possibility of interception of user traffic by an attacker |
| RIP (Routing Information Protocol) | Transport | No authentication of route change control messages | Possibility of redirecting traffic through the attacker's host |
| TCP (Transmission Control Protocol) | Transport | No mechanism for checking the correctness of the packet's service headers | A significant decrease in the exchange rate and even a complete break of arbitrary TCP connections |
| DNS: protocol for mapping mnemonic names to network addresses | Application, presentation, session | No means of verifying the authenticity of data received from the source | Spoofing of DNS server responses |
| IGMP: routing message transfer protocol | Network | No authentication of route parameter change messages | Hanging of Win 9x/NT/200 systems |
| SMTP: protocol providing the e-mail message delivery service | Application, presentation, session | | Possibility of forging e-mail messages, as well as the sender's address |
| SNMP: protocol for managing routers in networks | Application, presentation, session | No support for message header authentication | Possibility of network bandwidth congestion |

To systematize the description of the many vulnerabilities, the single CVE (Common Vulnerabilities and Exposures) vulnerability database is used, which was developed by specialists from many well-known companies and organizations, such as MITRE, ISS, Cisco, BindView, Axent, NFR, L-3, CyberSafe, CERT, Carnegie Mellon University, the SANS Institute, etc. This database is constantly updated and is used to build the databases of numerous security analysis software tools and, above all, network scanners.

5.2.2. General characteristics of application software vulnerabilities

Application software includes general use applications and special application programs.

General-use application programs are text and graphics editors, media programs (audio and video players, software for receiving television programs, etc.), database management systems, general-use software platforms for developing software products (such as Delphi, Visual Basic), general-use information protection tools, etc.

Special application programs are programs that are developed in the interests of solving specific application problems in this ISPD (including information security software developed for a specific ISPD).

Application software vulnerabilities can be:

  • functions and procedures belonging to different application programs that are incompatible with each other (do not function in the same operating environment) because of conflicts over the allocation of system resources;
  • functions and procedures whose parameters, when changed in a certain way, allow them to be used to penetrate the ISPD operating environment and call regular operating system functions, performing unauthorized access without the operating system detecting such changes;
  • fragments of program code ("holes", "trapdoors") introduced by the developer that allow the identification, authentication, integrity checking, etc. procedures provided for in the operating system to be bypassed;
  • lack of necessary protection means (authentication, integrity checks, message format checks, blocking of unauthorized modified functions, etc.);
  • errors in programs (in the declaration of variables, functions and procedures, in program code) which under certain conditions (for example, when performing logical transitions) lead to failures, including failures in the functioning of information security tools and systems, and to the possibility of unauthorized access to information.

Vulnerability data for commercially developed and distributed application software is collected, summarized and analyzed in the CVE database<*>.

<*>Conducted by a foreign company CERT on a commercial basis.

5.3. General characteristics of threats of direct access to the operating environment of the personal data information system

Threats of access (penetration) to the operating environment of a computer and of unauthorized access to PD are associated with access:

  • to information and commands stored in the basic input/output system (BIOS) of the ISPD, with the ability to intercept control of the operating system boot and obtain the rights of a trusted user;
  • to the operating environment, i.e. the environment of the local operating system of a separate ISPD technical tool, with the ability to perform unauthorized access by calling regular operating system programs or launching specially designed programs that implement such actions;
  • to the environment in which application programs function (for example, to a local database management system);
  • directly to the user's information (files, text, audio and graphic information, fields and records in electronic databases), and are due to the possibility of violating its confidentiality, integrity and availability.

These threats can be implemented in the case of obtaining physical access to the ISPD or, at least, to the means of entering information into the ISPD. They can be grouped according to the terms of implementation into three groups.

The first group includes threats implemented during the loading of the operating system. These information security threats are aimed at intercepting passwords or identifiers, modifying the software of the basic input/output system (BIOS), and intercepting boot control while changing the technological information needed to obtain UA in the ISPD operating environment. Most often, such threats are implemented using removable media.

The second group comprises threats implemented after the operating environment has loaded, regardless of which application program the user launches. These threats are usually aimed directly at unauthorized access to information. Having gained access to the operating environment, an intruder can use both standard operating system functions or a widely available application program (for example, a database management system) and programs specially created for unauthorized access, for example:

programs for viewing and modifying the registry;

programs for searching text files by keyword and copying them;

special programs for viewing and copying database records;

programs for quickly viewing, editing or copying graphic files;

programs that support reconfiguration of the software environment (adjusting ISPD settings in the intruder's interest), etc.

Finally, the third group includes threats, the implementation of which is determined by which of the application programs is launched by the user, or by the fact that any of the application programs is launched. Most of these threats are malware injection threats.

5.4. General characteristics of personal data security threats implemented using internetworking protocols

If the ISPD is implemented on the basis of a local or distributed information system, information security threats in it can be realized through internetworking protocols. In this way unauthorized access to PD can be obtained or a denial-of-service threat realized. The threats are especially dangerous when the ISPD is a distributed information system connected to public networks and (or) networks of international information exchange. The classification scheme for threats implemented over the network is shown in Figure 5. It is based on the following seven primary classification features.

1. The nature of the threat. On this basis, threats are passive or active. A passive threat is one whose implementation does not directly affect the operation of the ISPD, although the established rules for restricting access to PD or network resources may be violated. An example is the "Network traffic analysis" threat, which consists in listening on communication channels and intercepting transmitted information.

An active threat is one that acts on ISPD resources: its implementation directly affects the operation of the system (configuration changes, degraded performance, etc.) and violates the established rules for restricting access to PD or network resources. An example is the denial-of-service threat implemented as a "TCP request storm".

2. The purpose of the implementation of the threat. On this basis, threats can be aimed at violating the confidentiality, integrity, and availability of information (including violating the operability of the ISPD or its elements).

3. The condition for the start of the process of implementing the threat. On this basis, a threat can be realized:

upon request from the object against which the threat is implemented. In this case the intruder waits for a request of a certain type to be transmitted, which becomes the condition for starting unauthorized access;

upon the occurrence of an expected event at the object against which the threat is implemented. In this case the intruder continuously monitors the state of the ISPD operating system and begins unauthorized access when a certain event occurs in it;

unconditionally. In this case the start of unauthorized access is unconditional with respect to the target, i.e. the threat is realized immediately and regardless of the state of the system.

Figure 5. Classification scheme of threats using internetworking protocols

4. Availability of feedback from ISPD. On this basis, the process of implementing a threat can be with or without feedback. The threat implemented in the presence of feedback from the ISPD is characterized by the fact that some requests transmitted to the ISPD require the intruder to receive a response. Consequently, there is a feedback between the intruder and ISPD, which allows the intruder to adequately respond to all changes occurring in ISPD. Unlike threats implemented in the presence of feedback from the ISPD, when implementing threats without feedback, it is not required to respond to any changes occurring in the ISPD.

5. The location of the intruder relative to the ISPD. According to this feature, a threat is realized either intra-segment or inter-segment. A network segment is a physical association of hosts (ISPD hardware or communication elements that have a network address); for example, an ISPD segment is formed by a set of hosts connected to a server according to the "common bus" scheme. In the case of an intra-segment threat, the intruder has physical access to the ISPD hardware elements. In the case of an inter-segment threat, the intruder is located outside the ISPD and realizes the threat from another network or from another ISPD segment.

6. The layer of the Open Systems Interconnection reference model<*>(ISO/OSI) at which the threat is implemented. On this basis, a threat can be implemented at the physical, data link, network, transport, session, presentation or application layer of the ISO/OSI model.

<*>The International Organization for Standardization (ISO) has adopted the ISO 7498 standard, which describes Open Systems Interconnection (OSI).

7. The ratio of the number of offenders and ISPD elements against which the threat is being implemented. On this basis, a threat can be classified as a threat implemented by one intruder with respect to one ISPD technical means (one-to-one threat), with respect to several ISPD technical means at once (one-to-many threat) or by several intruders from different computers with respect to one or several technical means of ISPD (distributed or combined threats).

Taking this classification into account, the eight threats most frequently implemented at present can be singled out.

1. Analysis of network traffic (Figure 6).

Figure 6. Scheme of implementation of the "Network traffic analysis" threat

This threat is implemented using a special packet analyzer program (sniffer), which intercepts all packets transmitted over a network segment and picks out those in which a user identifier and password are transmitted. While implementing the threat, the intruder studies the logic of the network, i.e. seeks to establish a one-to-one correspondence between the events occurring in the system and the commands sent by hosts at the moment those events occur. Later this allows the intruder, by issuing the appropriate commands, to obtain, for example, privileged rights in the system or to extend his rights, and to intercept the data stream exchanged between components of the network operating system in order to extract confidential or identification information (for example, static user passwords for access to remote hosts over the FTP and TELNET protocols, which provide no encryption), substitute it, modify it, etc.

2. Network scanning.

The threat is implemented by sending requests to the network services of ISPD hosts and analyzing their responses. The goal is to identify the protocols in use, the available network-service ports and the rules by which connection identifiers are generated, to determine the active network services, and to pick out user identifiers and passwords.

3. The threat of password exposure.

The purpose of the threat is to obtain unauthorized access by overcoming password protection. An attacker can implement the threat by a variety of methods: brute-force enumeration, enumeration with special dictionaries, installing malware to intercept the password, substituting a trusted network object (IP spoofing) and sniffing packets. Mainly, special programs are used that try to gain access to a host by guessing passwords one after another. If successful, the attacker can leave himself a "pass" for future access that keeps working even after the password on the host is changed.

4. Substitution of a trusted network object and transmission of messages on its behalf via communication channels with the assignment of its access rights (Figure 7).

Figure 7. Scheme of implementation of the threat "Substitution of a trusted network object"

Such a threat is effectively implemented in systems that use weak algorithms for identifying and authenticating hosts, users, etc. A trusted object is a network object (computer, firewall, router, etc.) legitimately connected to the server.

Two varieties of the process of implementing this threat can be distinguished: with and without establishing a virtual connection.

The implementation with establishment of a virtual connection consists in assuming the rights of a trusted subject of interaction, which lets the intruder conduct a session with a network object on behalf of that trusted subject. Implementing this kind of threat requires overcoming the message identification and authentication scheme (for example, by attacking the rsh service of a UNIX host).

The implementation without establishment of a virtual connection is possible in networks that identify transmitted messages only by the sender's network address. It consists in transmitting service messages on behalf of network control devices (for example, routers) about changes to routing and address data. It must be borne in mind here that the only identifiers of subscribers and connections in the TCP protocol are two 32-bit parameters: the Initial Sequence Number, denoted ISS in this document (commonly abbreviated ISN), and the Acknowledgment Number (ACK). Therefore, to forge a TCP packet the attacker needs to know the current identifiers of the connection, ISSa and ISSb, where:

ISSa is the sequence number of the TCP packet sent by host A in the connection it initiated;

ISSb is the sequence number of the TCP packet sent by host B in the connection it initiated.

The ACK value (the acknowledgment number of the TCP connection) is defined as the sequence number received from the responding side plus one: ACKb = ISSa + 1.

As a result of the threat, the intruder obtains the access rights that the user of the target ISPD technical tool has granted to the trusted subscriber.
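To make the ISSa/ISSb/ACK relation concrete, here is an added Python model of the three-way handshake; it is not part of the source document. The server accepts the third segment only when both numbers match, and the SYN-ACK carrying ISSb goes to the claimed source address, so a host that forged that address has to guess ISSb. The ISS generators, addresses and port numbers are constructed for illustration; the model shows why the attack succeeds against a predictable ISS and fails against a random one.

```python
import random

MOD32 = 1 << 32


class TcpListener:
    """Server side of the three-way handshake, reduced to sequence-number checks.
    Hypothetical model for illustration; it does not send real packets."""

    def __init__(self, iss_generator):
        self.iss_generator = iss_generator      # returns the server's ISS (ISSb)
        self.half_open = {}                     # (client_ip, client_port) -> (ISSa, ISSb)
        self.established = set()

    def on_syn(self, client, seq):
        """SYN from client with seq = ISSa. The SYN-ACK carries seq = ISSb and
        ack = ISSa + 1 and is sent to the *claimed* source address, so a host
        that forged that address never sees ISSb."""
        iss_b = self.iss_generator()
        self.half_open[client] = (seq, iss_b)
        return {"seq": iss_b, "ack": (seq + 1) % MOD32}

    def on_ack(self, client, seq, ack):
        """Final ACK: accepted only if seq == ISSa + 1 and ack == ISSb + 1."""
        if client not in self.half_open:
            return False
        iss_a, iss_b = self.half_open[client]
        if seq == (iss_a + 1) % MOD32 and ack == (iss_b + 1) % MOD32:
            del self.half_open[client]
            self.established.add(client)
            return True
        return False


def predictable_iss(start=0, step=64000):
    """ISS that grows by a fixed step per connection (the classic weak scheme)."""
    state = {"v": start}

    def gen():
        state["v"] = (state["v"] + step) % MOD32
        return state["v"]
    return gen


def random_iss(seed=None):
    """ISS drawn from 32 random bits per connection; the seed only keeps the example reproducible."""
    rng = random.Random(seed)
    return lambda: rng.getrandbits(32)


def blind_spoof(server, trusted_ip="10.0.0.2", attacker_ip="10.0.0.66", step_guess=64000):
    """Attacker (addresses constructed) learns the current ISSb through a legitimate
    connection, then completes a handshake as trusted_ip by guessing the next ISSb."""
    probe = (attacker_ip, 40000)
    synack = server.on_syn(probe, seq=1000)             # the attacker does see this reply
    seen_iss_b = synack["seq"]
    server.on_ack(probe, seq=1001, ack=(seen_iss_b + 1) % MOD32)

    victim = (trusted_ip, 1023)
    iss_a = 5000
    server.on_syn(victim, seq=iss_a)                    # SYN-ACK goes to trusted_ip, not to the attacker
    guessed_iss_b = (seen_iss_b + step_guess) % MOD32   # prediction for the spoofed connection
    return server.on_ack(victim, seq=iss_a + 1, ack=(guessed_iss_b + 1) % MOD32)
```

With predictable_iss() the spoofed handshake completes; with random_iss() the guess fails, and the attacker's success probability is 2^-32 per attempt. In a real network the trusted host would answer the unexpected SYN-ACK with a RST, so the attacker must first silence it, for example with the TCP request storm mentioned above; that dependency is not modeled here.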

5. Imposing a false network route.

This threat is realized in one of two ways: by intra-segment or inter-segment imposition. The possibility of imposing a false route stems from shortcomings inherent in routing algorithms (in particular, the problem of authenticating network control devices), as a result of which traffic can be directed, for example, to an attacker's host or network, from which the operating environment of a technical tool within the ISPD can be entered. The threat is implemented by unauthorized use of routing protocols (RIP, OSPF, etc.) and network management protocols (ICMP, SNMP) to alter routing tables. To do so, the intruder sends a control message on behalf of a network control device (for example, a router) (Figures 8 and 9).

Figure 8. Scheme of the implementation of the attack "Imposing a false route" (intra-segment) using the ICMP protocol to disrupt communication

Figure 9. Scheme of implementation of the "False route imposition" threat (inter-segment) in order to intercept traffic

6. Introduction of a false network object.

This threat is based on exploiting weaknesses in remote search algorithms. When network objects initially have no address information about each other, various remote search protocols are used (for example, SAP in Novell NetWare networks; ARP, DNS and WINS in networks with the TCP/IP protocol stack), which consist in transmitting special requests and receiving responses containing the required information. The intruder can intercept such a search request and issue a false response to it, the use of which leads to the required change in routing and address data. From then on, the entire flow of information associated with the victim object passes through the false network object (Figures 10 - 13).

Figure 10. Scheme of the implementation of the threat "Injection of a fake ARP server"

Figure 11. Scheme of the implementation of the threat "Injection of a fake DNS server" by intercepting a DNS request

Figure 12. Scheme of the implementation of the "false DNS server injection" threat by a storm of DNS responses on a network computer

Figure 13. Scheme of the implementation of the threat "Injection of a fake DNS server" by a storm of DNS responses to the DNS server
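The ARP case in Figure 10 can be detected on the wire, because a false ARP responder produces two observable symptoms: an IP address whose MAC binding changes, and one MAC address answering for several IP addresses (typically the gateway and the victim). The following Python example is added here and is not part of the source document; the ARP replies it processes are constructed for illustration, and the optional static baseline stands in for the addresses an administrator would pin.

```python
from collections import defaultdict

# Constructed ARP replies as (time, sender_ip, sender_mac, target_ip); not a real capture.
SAMPLE_ARP_REPLIES = [
    (1.0, "10.0.0.1", "00:11:22:33:44:01", "10.0.0.10"),   # gateway answers a host
    (1.5, "10.0.0.20", "00:11:22:33:44:20", "10.0.0.10"),
    (2.0, "10.0.0.1", "00:11:22:33:44:01", "10.0.0.11"),
    (2.5, "10.0.0.1", "de:ad:be:ef:00:99", "10.0.0.10"),   # gateway IP now claims a different MAC
    (2.6, "10.0.0.10", "de:ad:be:ef:00:99", "10.0.0.1"),   # same MAC also claims the host's IP
]


class ArpWatch:
    """Tracks IP->MAC bindings seen in ARP replies and flags the two symptoms of
    a false ARP responder: a binding that changes, and one MAC speaking for several IPs."""

    def __init__(self, known=None):
        self.ip_to_mac = dict(known or {})                # optional static baseline (e.g. the gateway)
        self.mac_to_ips = defaultdict(set)
        for ip, mac in self.ip_to_mac.items():
            self.mac_to_ips[mac].add(ip)

    def observe(self, ts, sender_ip, sender_mac, target_ip):
        alerts = []
        previous = self.ip_to_mac.get(sender_ip)
        if previous is not None and previous != sender_mac:
            alerts.append(f"t={ts}: {sender_ip} moved from {previous} to {sender_mac} (binding changed)")
        self.ip_to_mac[sender_ip] = sender_mac
        self.mac_to_ips[sender_mac].add(sender_ip)
        claimed = self.mac_to_ips[sender_mac]
        if len(claimed) > 1:
            alerts.append(f"t={ts}: {sender_mac} answers for {sorted(claimed)} (one MAC, several IPs)")
        return alerts


def scan_arp_replies(replies, known=None):
    """Run every reply through ArpWatch and return all alerts in order."""
    watch = ArpWatch(known)
    alerts = []
    for reply in replies:
        alerts.extend(watch.observe(*reply))
    return alerts
```

A legitimate NIC replacement or DHCP reassignment raises the same "binding changed" alert, so the check is a trigger for investigation, not proof of attack; pinning the gateway binding statically (the known argument) removes the most valuable target from the guessing game.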

7. Denial of service.

These threats are based on flaws and vulnerabilities in network software that allow the intruder to create conditions under which the operating system is unable to process incoming packets.

Several types of such threats can be distinguished:

a) latent denial of service, caused by part of the ISPD resources being diverted to processing packets sent by the attacker, with a reduction in channel bandwidth and network-device performance and a violation of request-processing time requirements. Examples are a directed storm of ICMP echo requests (ping flooding), a storm of TCP connection requests (SYN flooding) and a storm of requests to an FTP server;

b) explicit denial of service, caused by exhaustion of ISPD resources while processing packets sent by the attacker (all channel bandwidth is consumed, service request queues overflow), so that legitimate requests cannot be transmitted through the network because the transmission medium is unavailable, or are refused service because request queues, memory, disk space, etc. are full. Examples are an ICMP broadcast echo-request storm (Smurf), a directed storm (SYN flooding) and a storm of messages to a mail server (spam);

c) explicit denial of service, caused by breaking the logical connectivity between ISPD technical means when the intruder sends control messages on behalf of network devices that change routing and address data (for example, ICMP Redirect Host, DNS flooding) or identification and authentication data;

d) explicit denial of service, caused by the attacker sending packets with non-standard attributes (threats of the "Land", "Teardrop", "Bonk", "Nuke" and "UDP bomb" type) or packets longer than the maximum permissible size ("Ping of Death"), which can crash the network devices processing the requests if the programs implementing the network protocols contain errors.

The result of this threat may be the failure of the corresponding service for remote access to PD in the ISPD: a single address sends the technical tool within the ISPD as many connection requests as the link can possibly carry (a directed "request storm"), the request queue overflows, and one of the network services fails or the computer stops entirely because the system can do nothing but process the requests.
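The signatures named in subclass (d), together with the half-open connections that a SYN storm leaves behind, can be recognized from the packets themselves. The following Python example is an added illustration, not part of the source document: it classifies constructed packet records for the Land, Teardrop and Ping of Death patterns and counts SYNs that never complete the handshake. The packet record layout, the threshold and the sample traffic are constructed for the example; fragment offsets are in 8-byte units, as in the IP header.

```python
from collections import defaultdict

IP_MAX_PAYLOAD = 65535 - 20      # largest reassembled payload a datagram may carry (total length minus header)


def pkt(src, dst, proto="tcp", sport=0, dport=0, flags="", ident=0, frag_off=0, mf=False, length=40):
    """Constructed packet record; frag_off is in 8-byte units as in the IP header."""
    return dict(src=src, dst=dst, proto=proto, sport=sport, dport=dport, flags=flags,
                ident=ident, frag_off=frag_off, mf=mf, length=length)


def classify_packet(p, frag_state):
    """Match one packet against the malformed-packet signatures of subclass (d).
    frag_state keeps fragment byte ranges per (src, dst, ident) across calls."""
    hits = []
    if (p["proto"] == "tcp" and "S" in p["flags"]
            and p["src"] == p["dst"] and p["sport"] == p["dport"]):
        hits.append("land")                       # self-addressed SYN
    start = p["frag_off"] * 8
    end = start + p["length"]
    if end > IP_MAX_PAYLOAD:
        hits.append("oversized-datagram")         # Ping of Death style: reassembly would exceed 64 KiB
    if p["mf"] or p["frag_off"] > 0:
        key = (p["src"], p["dst"], p["ident"])
        if any(start < e and end > s for (s, e) in frag_state[key]):
            hits.append("overlapping-fragments")  # Teardrop style
        frag_state[key].append((start, end))
    return hits


def half_open_report(packets, threshold=3):
    """Count client flows that sent a SYN to a destination and never completed the handshake."""
    pending = defaultdict(set)
    for p in packets:
        if p["proto"] != "tcp":
            continue
        flow = (p["src"], p["sport"])
        if p["flags"] == "S":
            pending[p["dst"]].add(flow)
        elif "A" in p["flags"]:
            pending[p["dst"]].discard(flow)
    return {dst: len(flows) for dst, flows in pending.items() if len(flows) >= threshold}


def analyze(packets, threshold=3):
    """Return (signature counts, destinations with too many half-open connections)."""
    counts = defaultdict(int)
    frag_state = defaultdict(list)
    for p in packets:
        for hit in classify_packet(p, frag_state):
            counts[hit] += 1
    return dict(counts), half_open_report(packets, threshold)


# Constructed traffic sample (not a real capture).
SAMPLE_PACKETS = [
    pkt("10.0.0.10", "10.0.0.5", sport=4000, dport=80, flags="S"),
    pkt("10.0.0.10", "10.0.0.5", sport=4000, dport=80, flags="A"),          # normal handshake completes
    pkt("192.0.2.11", "10.0.0.5", sport=1111, dport=80, flags="S"),
    pkt("192.0.2.12", "10.0.0.5", sport=1112, dport=80, flags="S"),
    pkt("192.0.2.13", "10.0.0.5", sport=1113, dport=80, flags="S"),
    pkt("192.0.2.14", "10.0.0.5", sport=1114, dport=80, flags="S"),         # four SYNs, never acknowledged
    pkt("10.0.0.7", "10.0.0.7", sport=139, dport=139, flags="S"),            # Land: source equals destination
    pkt("198.51.100.9", "10.0.0.5", proto="icmp", ident=7, frag_off=0, mf=True, length=64),
    pkt("198.51.100.9", "10.0.0.5", proto="icmp", ident=7, frag_off=3, mf=False, length=40),     # bytes 24..64 overlap
    pkt("198.51.100.9", "10.0.0.5", proto="icmp", ident=8, frag_off=8189, mf=False, length=100),  # ends past 65515
]
```

The half-open count is what a SYN flood looks like from the victim's side; the usual defense is SYN cookies, which let the server avoid keeping state for unacknowledged SYNs, while the malformed-packet checks belong in a firewall or the IP stack's reassembly code.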

8. Remote application launch.

The threat consists in launching, on an ISPD host, various malicious programs embedded in advance: software implants, viruses, "network spies", whose main purpose is to violate the confidentiality, integrity and availability of information and gain complete control over the host. In addition, user application programs may be launched without authorization in order to obtain data of interest to the intruder, to start processes controlled by the application program, etc.

There are three subclasses of these threats:

1) distribution of files containing unauthorized executable code;

2) remote launch of the application by overflowing the buffer of application servers;

3) remote launch of an application through remote system management capabilities provided by hidden software and hardware implants or by standard tools in use.

Typical threats of the first subclass are based on activation of distributed files when they are accidentally opened. Examples of such files are: files containing executable code in the form of macros (Microsoft Word and Excel documents, etc.); HTML documents containing executable code in the form of ActiveX controls, Java applets or interpreted scripts (for example, JavaScript); files containing executable program code. E-mail, file transfer and network file system services can be used to distribute such files.

Threats of the second subclass exploit shortcomings of the programs that implement network services (in particular, the absence of bounds checking on buffers). When a buffer overflows, the data written past its end overwrite adjacent memory, including the saved return address, so that when the current function returns the processor continues execution at code supplied by the attacker rather than at the caller. A well-known example is the 1988 Morris worm, which exploited such an overflow in the fingerd service.

With threats of the third subclass, the intruder uses remote system control capabilities provided either by hidden components (for example, "Trojan" programs such as Back Orifice and NetBus) or by standard network management and administration tools (LANDesk Management Suite, ManageWise, etc.). Their use makes it possible to gain remote control over a workstation in the network.

Schematically, the main stages of the work of these programs are as follows:

installation in memory;

waiting for a request from a remote host running the client program and exchanging readiness messages with it;

transfer of intercepted information to the client, or handing it control over the attacked computer.

Possible consequences from the implementation of threats of various classes are shown in Table 3.

Table 3

Possible consequences of the implementation of threats of various classes

N | Attack type | Possible consequences
1 | Network traffic analysis | Study of network traffic characteristics; interception of transmitted data, including user identifiers and passwords
2 | Network scanning | Identification of protocols, available network-service ports, rules for generating connection identifiers, active network services, user identifiers and passwords
3 | "Password" attack | Any destructive action associated with gaining unauthorized access
4 | Substitution of a trusted network object | Change of message routes; unauthorized modification of routing and address data; unauthorized access to network resources; imposition of false information
5 | Imposing a false route | Unauthorized modification of routing and address data; analysis and modification of transmitted data; imposition of false messages
6 | Introduction of a false network object | Interception and inspection of traffic; unauthorized access to network resources; imposition of false information
7 | Denial of service: partial resource exhaustion | Reduced bandwidth of communication channels and performance of network devices; degraded performance of server applications
  | Denial of service: complete resource exhaustion | Inability to transmit messages because the transmission medium is unavailable; refusal to establish connections; refusal to provide a service (e-mail, file, etc.)
  | Denial of service: violation of logical connectivity between attributes, data and objects | Inability to transmit messages because correct routing and address data are absent; inability to obtain services because identifiers, passwords, etc. have been modified without authorization
  | Denial of service: exploitation of bugs in programs | Malfunction of network devices
8 | Remote application launch: by sending files containing destructive executable code; virus infection | Violation of confidentiality, integrity and availability of information
  | Remote application launch: by buffer overflow of a server application | Violation of confidentiality, integrity and availability of information
  | Remote application launch: by using remote system management capabilities provided by hidden software and hardware implants or by standard tools | Hidden control of the system

The threat realization process generally consists of four stages:

collection of information;

intrusions (penetration into the operating environment);

implementation of unauthorized access;

elimination of traces of unauthorized access.

At the stage of collecting information, the violator may be interested in various information about ISPD, including:

a) the topology of the network in which the system operates. The surroundings of the network may also be explored (for example, the intruder may be interested in the addresses of trusted but less protected hosts). Simple commands can be used to determine whether a host is reachable (for example, the ping command, which sends ICMP ECHO_REQUEST messages and waits for ICMP ECHO_REPLY responses). There are parallel host-discovery tools (such as fping) that can sweep a large area of the address space for live hosts in a short time. The network topology is often determined from the "hop count" (the distance between hosts). Techniques such as "TTL modulation" and route recording can be used.

The "TTL modulation" method is implemented by the traceroute program (tracert.exe on Windows NT) and consists in varying the TTL field of IP packets, so that each router along the path in turn reports that the packet has expired. The ICMP packets generated by the ping command, with the IP Record Route option set, can be used to record the route.

The collection of information can also be based on requests:

to the DNS server about the list of registered (and probably active) hosts;

to a router based on the RIP protocol about known routes (information about the network topology);

To incorrectly configured devices that support the SNMP protocol (network topology information).

If the ISPD is located behind a firewall, it is possible to collect information about the firewall configuration and about the ISPD topology behind it, including by sending packets to all ports of all presumed hosts of the internal (protected) network;

b) about the type of operating system (OS) in ISPD. The best-known way to determine the type of host OS is based on the fact that different types of OS implement the RFC requirements for the TCP/IP stack in different ways. This allows an intruder to remotely identify the type of OS installed on the ISPD host by sending specially crafted requests and analyzing the received responses.

There are special tools that implement these methods, in particular, Nmap and QueSO. One can also note such a method for determining the type of OS as the simplest request to establish a connection via the telnet remote access protocol (telnet connection), as a result of which the OS type of the host can be determined by the "appearance" of the response. The presence of certain services can also serve as an additional indication of the host OS type;
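To show how the stack-difference method works in practice, here is an added Python example; it is not part of the source document and is not the code of Nmap or QueSO. It normalizes the observed TTL of a reply to the sender's likely initial TTL, derives the hop distance, and scores the reply against a small signature table. The table is constructed for illustration: the initial-TTL defaults are the well-known ones (64 for Linux and BSD, 128 for Windows, 255 for Solaris and Cisco), but the window values are placeholders, not a curated database.

```python
# Illustrative signature table: (initial TTL, TCP window, DF flag, label).
# Initial TTLs are the common defaults; the window values are placeholders for this example.
SIGNATURES = [
    (64, 5840, True, "linux-like"),
    (64, 65535, True, "bsd-like"),
    (128, 8192, True, "windows-like"),
    (255, 8760, True, "solaris-like"),
]

KNOWN_INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(observed_ttl):
    """Every router decrements TTL by one, so the sender's initial value is the
    smallest common default that is not below the observed value."""
    if not 0 < observed_ttl <= 255:
        raise ValueError("TTL out of range")
    for initial in KNOWN_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    return 255


def fingerprint(observed_ttl, window, df):
    """Score each signature: the inferred initial TTL must match, window size and
    DF flag each add one point. Returns the best guess and a 0..1 confidence."""
    initial = infer_initial_ttl(observed_ttl)
    best, best_score = "unknown", 0
    for ttl, win, dfl, label in SIGNATURES:
        if ttl != initial:
            continue
        score = 1 + int(win == window) + int(dfl == df)
        if score > best_score:
            best, best_score = label, score
    return {"initial_ttl": initial, "hops": initial - observed_ttl,
            "guess": best, "confidence": round(best_score / 3, 2)}


def fingerprint_hosts(observations):
    """observations: {ip: (ttl, window, df)} taken from SYN-ACK replies (constructed in the test)."""
    return {ip: fingerprint(*obs) for ip, obs in observations.items()}
```

The hop distance is the same quantity traceroute measures by TTL modulation, here obtained from a single reply. A low confidence means the window and DF flag matched nothing in the table and only the TTL class is known; real tools add many more features (options order, MSS, window scaling, responses to malformed segments) precisely to break such ties.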

c) the services running on the hosts. Services running on a host are determined by the "open ports" method, which builds on the information collected about host availability. For example, to determine whether a UDP port is open, a UDP packet is sent to that port and the response is examined:

if an ICMP Port Unreachable message comes back, the corresponding service is unavailable;

if no such message is received, the port is considered "open" (strictly speaking, open or filtered: a firewall silently dropping the probe, or a host that rate-limits ICMP error messages, produces the same silence, so probes should be repeated before drawing conclusions).

There are quite a few variations on how this method can be used, depending on the protocol in use in the TCP/IP protocol stack.

Many software tools have been developed to automate the collection of information about ISPD. As an example, the following can be noted:

1) Strobe, Portscanner - optimized tools for determining available services based on polling TCP ports;

2) Nmap is a tool for scanning available services for Linux, FreeBSD, OpenBSD, Solaris, Windows NT. It is currently the most popular means of scanning network services;

3) Queso is a highly accurate means of determining the OS of a network host based on sending a chain of correct and incorrect TCP packets, analyzing the response and comparing it with many known responses from various OS. This tool is also a popular scanning tool today;

4) Cheops - network topology scanner allows you to get the network topology, including a picture of the domain, IP address areas, etc. This determines the host OS, as well as possible network devices (printers, routers, etc.);

5) Firewalk - a scanner that uses the methods of the traceroute program to analyze the response to IP packets to determine the firewall configuration and build the network topology.

At the intrusion stage, the presence of typical vulnerabilities in system services or errors in system administration is investigated. Successful exploitation of a vulnerability typically gives the attacker's process privileged execution (access to a privileged shell), lets him add an illegitimate user account to the system, obtain the password file, or disrupt the attacked host.

This stage of development of the threat, as a rule, is multi-phase. The phases of the threat implementation process may include, for example:

establishing communication with the host against which the threat is being implemented;

Vulnerability detection;

the introduction of a malicious program in the interests of empowerment, etc.

Threats implemented at the intrusion stage are divided into layers of the TCP / IP protocol stack, since they are formed at the network, transport or application level, depending on the intrusion mechanism used.

Typical threats implemented at the network and transport levels include the following:

a) a threat aimed at replacing a trusted object;

b) a threat aimed at creating a false route in the network;

c) threats aimed at creating a false object by exploiting the shortcomings of remote search algorithms;

d) denial-of-service threats based on IP fragment reassembly, on malformed ICMP requests (for example, the "Ping of Death" and "Smurf" attacks), on malformed TCP requests (the "Land" attack), on a "storm" of connection-request packets ("SYN flood" attacks), etc.

Typical threats implemented at the application layer include threats aimed at unauthorized launch of applications, threats involving the introduction of software implants (such as a "Trojan horse"), threats involving the discovery of passwords for access to a network or to a specific host, etc.

If the implementation of the threat did not give the intruder the highest access rights in the system, he may attempt to extend these rights to the maximum possible level. For this, vulnerabilities not only of network services but also of the system software of ISPD hosts can be used.

At the stage of implementation of unauthorized access, the actual achievement of the goal of implementing the threat is carried out:

violation of confidentiality (copying, illegal distribution);

Violation of integrity (destruction, change);

accessibility violation (blocking).

At the same stage, after these actions, a so-called "back door" is usually created in the form of a service (daemon) that listens on a certain port and executes the intruder's commands. The "back door" is left in the system to ensure:

the ability to gain access to the host even if the administrator removes the vulnerability used to implement the threat;

the ability to access the host as inconspicuously as possible;

the ability to gain access to the host quickly (without repeating the whole process of implementing the threat).

The "back door" allows the intruder to introduce a malicious program into the network or onto a specific host, for example a "password analyzer" (password sniffer), a program that extracts user identifiers and passwords from network traffic carried by high-level protocols (ftp, telnet, rlogin, etc.). Targets of malware injection can be identification and authentication programs, network services, the operating system kernel, the file system, libraries, etc.

Finally, at the stage of elimination of traces of the implementation of the threat, an attempt is made to destroy the traces of the intruder's actions. This removes the corresponding entries from all possible audit logs, including records about the fact that information was collected.

5.5. General characteristics of threats of software and mathematical influences

Software-mathematical impact is an impact with the help of malicious programs. A program with potentially dangerous consequences or a malicious program is some independent program (a set of instructions) that is capable of performing any non-empty subset of the following functions:

hide signs of its presence in the computer's software environment;

self-replicate, attach itself to other programs and (or) transfer its fragments to other areas of RAM or external memory;

destroy (arbitrarily distort) program code in RAM;

perform destructive functions (copying, deleting, blocking, etc.) without being initiated by the user (by a user program in its normal mode of execution);

save fragments of information from RAM in certain areas of directly accessible external memory (local or remote);

arbitrarily distort, block and (or) substitute the array of information output to external memory or to a communication channel as a result of the operation of application programs, or data arrays already located in external memory.

Malicious programs can be introduced (introduced) both intentionally and accidentally into the software used in ISPD during its development, maintenance, modification and configuration. In addition, malicious programs can be introduced during the operation of the ISPD from external storage media or through network interaction, both as a result of unauthorized access and accidentally by users of the ISPD.

Modern malicious programs are based on the use of vulnerabilities in various kinds of software (system, general, application) and various network technologies, have a wide range of destructive capabilities (from unauthorized research of ISPD parameters without interfering with the operation of ISPD, to the destruction of PD and ISPD software) and can act in all types of software (system, application, hardware drivers, etc.).

The presence of malicious programs in the ISPD can contribute to the emergence of hidden, including non-traditional channels of access to information that allow opening, bypassing or blocking the security mechanisms provided in the system, including password and cryptographic protection.

The main types of malware are:

software implants (undeclared code inserted into a program);

classic software (computer) viruses;

malicious programs that spread over the network (network worms);

other malicious programs designed to carry out unauthorized access.

Software implants include programs, code fragments and instructions that form undeclared capabilities of software. Malicious programs can turn from one type into another: for example, a software implant can generate a software virus, which in turn, once in a network environment, can form a network worm or another malicious program designed to carry out unauthorized access.

The classification of software viruses and network worms is shown in Figure 14. A brief description of the main malicious programs is as follows. Boot viruses write themselves either to the disk boot sector (boot sector), or to the sector containing the hard drive bootloader (Master Boot Record), or change the pointer to the active boot sector. They are introduced into the computer's memory when booted from an infected disk. In this case, the system loader reads the contents of the first sector of the disk from which the boot is performed, places the read information into memory and transfers control to it (ie, to the virus). After that, the instructions of the virus begin to be executed, which, as a rule, reduces the amount of free memory, copies its code into the freed space and reads its continuation (if any) from disk, intercepts the necessary interrupt vectors (usually INT 13H), reads the original boot sector and transfers control to it.

From then on, the boot virus behaves in the same way as a file virus: it intercepts the operating system's access to disks and infects them, and, depending on certain conditions, performs destructive actions or causes sound or video effects.

The main destructive actions performed by these viruses are:

destruction of information in sectors of floppy disks and the hard drive;

preventing the operating system from loading (the computer "freezes");

corruption of the bootloader code;

formatting floppy disks or logical disks of the hard drive;

closing access to COM and LPT ports;

replacing characters when printing texts;

screen twitching;

changing the label of a disk or diskette;

creation of pseudo-failed (bad) clusters;

creation of sound and (or) visual effects (for example, letters falling down the screen);

corruption of data files;

displaying various messages on the screen;

disabling peripherals (such as the keyboard);

changing the screen palette;

filling the screen with extraneous characters or images;

blanking the screen and switching to keyboard-input standby mode;

encryption of hard drive sectors;

selective destruction of characters displayed on the screen when typing from the keyboard;

reduction in the amount of available RAM;

triggering printing of the screen contents;

blocking disk writes;

destruction of the partition table (Disk Partition Table), after which the computer can only be booted from a floppy disk;

blocking the launch of executable files;

blocking access to the hard drive.

Figure 14. Classification of software viruses and network worms

Most boot viruses also copy themselves onto floppy disks.
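An integrity check for the sector that boot viruses target, added here as an example (it is not code from the source document): it parses a 512-byte MBR, verifies the 0x55AA signature, compares the loader code against a baseline hash recorded from a clean system, and validates the partition table (active-partition flags, overlapping entries). The sample images and the baseline are constructed.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: the loader code that receives control at boot
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow the code
PART_ENTRY_LEN = 16
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte MBR into boot code, partition entries and signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFFSET + i * PART_ENTRY_LEN)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": mbr[:BOOT_CODE_LEN],
            "partitions": entries,
            "signature": mbr[MBR_SIZE - 2:]}


def check_mbr(mbr: bytes, baseline_boot_code_sha256: str) -> list:
    """Return findings that point to a boot-sector infection or a damaged partition table.

    An empty list means the sector still matches the recorded baseline.
    """
    findings = []
    parsed = parse_mbr(mbr)

    if parsed["signature"] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing: sector not bootable or overwritten")

    # A boot virus replaces the loader code (and usually stores the original sector elsewhere),
    # so the hash of bytes 0..445 no longer matches the baseline taken from a clean system.
    digest = hashlib.sha256(parsed["boot_code"]).hexdigest()
    if digest != baseline_boot_code_sha256:
        findings.append(f"boot code differs from baseline (sha256 {digest[:16]}...)")

    parts = parsed["partitions"]
    used = [p for p in parts if p["type"] != 0]
    active = [i for i, p in enumerate(parts) if p["status"] == 0x80]
    bad_status = [i for i, p in enumerate(parts) if p["status"] not in (0x00, 0x80)]
    if bad_status:
        findings.append(f"partition entries {bad_status} have an invalid status byte")
    if len(active) > 1:
        findings.append(f"more than one active partition: entries {active}")
    if used and not active:
        findings.append("no active partition: the active-partition pointer was cleared")

    # Entries whose sector ranges overlap describe the same disk area twice; a rewritten
    # table (or a fake partition used to hide code) can produce that.
    ordered = sorted(used, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["lba_start"] < a["lba_start"] + a["sectors"]:
            findings.append(f"partitions overlap at LBA {b['lba_start']}")
    return findings


def build_mbr(boot_code: bytes, partitions, signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Assemble a constructed MBR image; `partitions` is a list of (status, type, lba_start, sectors)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(PART_ENTRY_FMT, *p) for p in partitions)
    table = table.ljust(4 * PART_ENTRY_LEN, b"\x00")
    return code + table + signature


# Constructed samples (not taken from any real disk). The clean loader starts with the
# usual x86 prologue: cli; xor ax,ax; mov ss,ax; mov sp,7C00h.
CLEAN_MBR = build_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C",
                      [(0x80, 0x07, 2048, 204800), (0x00, 0x83, 206848, 409600)])
BASELINE_SHA256 = hashlib.sha256(parse_mbr(CLEAN_MBR)["boot_code"]).hexdigest()

# Tampered sample: different loader bytes and a second entry flagged active, the kind of
# change made by a virus that points the boot sequence at its own code.
TAMPERED_MBR = build_mbr(b"\xEB\x3C\x90" + b"\x00" * 20,
                         [(0x80, 0x07, 2048, 204800), (0x80, 0x83, 206848, 409600)])

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(image, BASELINE_SHA256) or ["no findings"])
```

On a live system the same check runs over the first 512 bytes read from the raw disk device, with the baseline hash taken at installation time.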

The "overwriting" infection method is the simplest: the virus writes its own code in place of the code of the infected file, destroying its contents. Naturally, the file then stops working and cannot be restored. Such viruses reveal themselves very quickly, since the operating system and applications stop working soon after infection.

The "companion" category includes viruses that do not modify the infected files. The operating algorithm of these viruses is that a twin file is created for the infected file, and when the infected file is launched it is this twin, that is, the virus, that receives control.

The most common companion viruses exploit the DOS feature of executing the file with the .COM extension first when two files with the same name but different extensions, .COM and .EXE, are in the same directory. Such viruses create satellite files for EXE files with the same name but the .COM extension; for example, XCOPY.COM is created for the file XCOPY.EXE. The virus writes itself to the COM file and does not modify the EXE file in any way. When such a file is run, DOS first finds and executes the COM file, that is, the virus, which then launches the EXE file.

The second group consists of viruses that, on infection, rename the file to some other name, remember it (for the subsequent launch of the host file), and write their code to disk under the name of the infected file. For example, the file XCOPY.EXE is renamed to XCOPY.EXD, and the virus is written under the name XCOPY.EXE. On startup, control is taken by the virus code, which then launches the original XCOPY stored under the name XCOPY.EXD. Interestingly, this method appears to work on all operating systems.

The third group includes the so-called "path-companion" viruses. They either write their code under the name of the infected file but one level "higher" in the search path (so DOS finds and launches the virus file first), or move the victim file one subdirectory higher, and so on.

There may be other types of companion viruses that use other original ideas or features of other operating systems.
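A scan for the companion patterns described above (a same-named .COM beside an .EXE, a copy that shadows an executable earlier in the search path, and a host renamed out of the way), added here as a defender's check; it is not code from the source document, and the directory layout it scans is constructed.

```python
import tempfile
from pathlib import Path

# Order in which DOS resolves a bare command name: NAME.COM before NAME.EXE before NAME.BAT.
EXEC_EXTS = (".com", ".exe", ".bat")


def find_companions(path_dirs) -> list:
    """Report executables that would run in place of the one the user expects.

    `path_dirs` is the search path in the order the shell consults it. Three kinds
    of finding are produced:
      * classic companion: NAME.COM beside NAME.EXE in the same directory, so
        typing NAME runs the .COM file first;
      * renamed host: a same-named file under a non-executable extension that still
        carries the EXE header "MZ" (the XCOPY.EXE -> XCOPY.EXD pattern);
      * path companion: NAME.<ext> in an earlier directory shadows a same-named
        executable in a later one. Legitimate duplicates trigger this too, so the
        report is a triage list, not a verdict.
    """
    findings = []
    first_seen = {}   # lowercase stem -> path of the file the shell would run
    for d in path_dirs:
        by_stem = {}
        for f in sorted(Path(d).iterdir()):
            if f.is_file():
                by_stem.setdefault(f.stem.lower(), {})[f.suffix.lower()] = f
        for stem, by_ext in by_stem.items():
            exec_exts = [e for e in EXEC_EXTS if e in by_ext]
            if not exec_exts:
                continue
            winner = by_ext[exec_exts[0]]
            if ".com" in by_ext and ".exe" in by_ext:
                findings.append(f"classic companion: {by_ext['.com']} runs before {by_ext['.exe']}")
            for ext, f in by_ext.items():
                if ext not in EXEC_EXTS and f.read_bytes()[:2] == b"MZ":
                    findings.append(f"renamed host: {f} is an EXE image stored under {ext}, next to {winner}")
            if stem in first_seen:
                findings.append(f"path companion: {first_seen[stem]} shadows {winner}")
            else:
                first_seen[stem] = winner
    return findings


def build_fixture() -> list:
    """Constructed directory layout (not from the page): a search path of TOOLS then DOS."""
    root = Path(tempfile.mkdtemp(prefix="companion_demo_"))
    early, late = root / "TOOLS", root / "DOS"
    early.mkdir()
    late.mkdir()
    (late / "XCOPY.EXE").write_bytes(b"MZ original xcopy")             # host
    (late / "XCOPY.COM").write_bytes(b"\xEB\x10 companion stub")       # classic companion
    (late / "FORMAT.COM").write_bytes(b"\xEB\x10 real format")
    (early / "FORMAT.COM").write_bytes(b"\xEB\x10 earlier in PATH")    # path companion
    (late / "DISKCOPY.EXE").write_bytes(b"MZ took over the host name")
    (late / "DISKCOPY.EXD").write_bytes(b"MZ original diskcopy")       # renamed host
    (late / "README.TXT").write_bytes(b"not an executable")
    return [early, late]


if __name__ == "__main__":
    for line in find_companions(build_fixture()):
        print(line)
```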

File worms (worms) are, in a sense, a kind of companion virus, but in no way associate their presence with any executable file. When they reproduce, they just copy their code to some disk directories in the hope that these new copies will someday be run by the user. Sometimes these viruses give their copies "special" names to encourage the user to run their copy - for example, INSTALL.EXE or WINSTART.BAT. There are worms that use rather unusual methods, for example, they write copies of themselves to archives (ARJ, ZIP, and others). Some viruses write the command to run the infected file to BAT files. File worms should not be confused with network worms. The former use only the file functions of some operating system, while the latter use network protocols for their reproduction.

Link viruses, like companion viruses, do not change the physical content of files, however, when an infected file is launched, they "force" the OS to execute its code. They achieve this goal by modifying the necessary fields of the file system.

Viruses that infect compiler libraries, object modules and program source code are quite exotic and rarely encountered. Viruses that infect OBJ and LIB files write their code into them in the form of an object module or library. The infected file is thus not executable and, in its current state, is not capable of spreading the virus further. The carrier of a "live" virus is a COM or EXE file.

Once it receives control, a file virus performs the following general actions:

checks RAM for a copy of itself and infects the computer's memory if no copy is found (for a resident virus); searches for uninfected files in the current and (or) root directory by scanning the directory tree of logical drives, and then infects the files found;

performs additional functions (if any): destructive actions, graphic or sound effects, etc. (the additional functions of a resident virus may be called some time after activation, depending on the current time, system configuration, internal counters of the virus or other conditions; in this case, on activation the virus reads the state of the system clock, sets its own counters, etc.).

It should be noted that the faster a virus spreads, the more likely an epidemic of that virus becomes; the slower it spreads, the more difficult it is to detect (provided, of course, that the virus is not yet known). Non-resident viruses are often "slow": most of them infect one to three files at startup and do not have time to flood the computer before the anti-virus program is launched (or a new version of the anti-virus tuned for this virus appears). There are, of course, non-resident "fast" viruses that search for and infect all executable files when launched, but such viruses are very noticeable: each time an infected file is launched, the computer actively works with the hard drive for some time (sometimes quite a long time), which gives the virus away. The rate of spread (infection) of resident viruses is usually higher than that of non-resident ones, since they infect files as those files are accessed. As a result, all or almost all of the files on the disk that are constantly used in work become infected. The rate of spread of resident file viruses that infect files only when they are launched for execution is lower than that of viruses that also infect files when they are opened, renamed, have their attributes changed, etc.

Thus, the main destructive actions performed by file viruses are associated with damage to files (more often executable or data files), unauthorized launch of various commands (including commands for formatting, deleting, copying, etc.), changing the interrupt vector table, etc. At the same time, many of the destructive actions listed for boot viruses can also be performed.

Macro viruses are programs written in the macro languages built into some data processing systems (text editors, spreadsheets, etc.). For their reproduction, such viruses use the capabilities of macro languages and with their help transfer themselves from one infected file (document or spreadsheet) to others. Macro viruses for the Microsoft Office suite are the most widespread.

For the existence of viruses in a particular system (editor), it is necessary to have a macro language built into the system with the following capabilities:

1) linking a program in a macrolanguage to a specific file;

2) copying macro programs from one file to another;

3) transfer of control to a macro program without user intervention (automatic or standard macros).

These conditions are met by the Microsoft Word, Excel and Microsoft Access applications. They contain the macro languages Word Basic and Visual Basic for Applications. In these applications:

1) macro programs are tied to a specific file or are located inside a file;

2) the macro language allows you to copy files or move macro programs to system service files and editable files;

3) when working with a file under certain conditions (opening, closing, etc.), macro programs (if any) are called, which are defined in a special way or have standard names.

This feature of macro languages is designed for automatic data processing in large organizations or global networks and allows the so-called "automated workflow" to be organized. On the other hand, the capabilities of the macro languages of such systems allow the virus to transfer its code to other files and thus infect them.

Most macro viruses are active not only at the moment a file is opened (closed) but for as long as the editor itself is active. They contain all their functions as standard Word/Excel/Office macros. There are, however, viruses that use tricks to hide their code and store it outside macros. Three such techniques are known, all of which use the ability of macros to create, edit and execute other macros. As a rule, such viruses have a small (sometimes polymorphic) loader macro that calls the built-in macro editor, creates a new macro, fills it with the main virus code, executes it and then, as a rule, deletes it (to hide traces of the virus's presence). The main code of such viruses is present either in the virus macro itself in the form of text strings (sometimes encrypted) or is stored in the document's variable area.
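A static check for the two properties the passage above describes, automatic start (point 3 of the conditions) and a loader macro that writes and runs other macros, added here as an example that is not code from the source document. The detector runs over VBA source text already extracted from a document; the two samples are constructed and inert.

```python
import re

# Macro names that Word and Excel run without the user choosing to run them: the hook a
# macro virus uses to receive control when a document is opened or closed.
AUTO_MACROS = {
    "autoexec", "autoopen", "autoclose", "autonew", "autoexit",         # Word auto macros
    "document_open", "document_close", "document_new",                 # Word document events
    "auto_open", "auto_close", "workbook_open", "workbook_activate",   # Excel
}

# Object-model calls with which one macro creates, edits, copies or runs another macro:
# the "loader" pattern in which a small macro writes the main code into a fresh module.
SELF_MODIFYING = ("VBProject", "VBComponents", "CodeModule", "AddFromString",
                  "InsertLines", "OrganizerCopy", "MacroCopy", "Application.Run")

PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)",
                     re.IGNORECASE | re.MULTILINE)


def analyze_vba(source: str) -> dict:
    """Flag VBA source that both starts automatically and writes or runs other macros."""
    procedures = PROC_RE.findall(source)
    auto = [p for p in procedures if p.lower() in AUTO_MACROS]
    lowered = source.lower()
    self_mod = [kw for kw in SELF_MODIFYING if kw.lower() in lowered]
    return {
        "procedures": procedures,
        "auto_macros": auto,
        "self_modifying": self_mod,
        # Auto-start alone is normal in office automation; auto-start combined with
        # editing the macro project is what the loader technique relies on.
        "suspicious": bool(auto) and bool(self_mod),
    }


# Constructed samples (not from the page). The loader's only "payload" is a message box.
SAMPLE_LOADER = '''Private Sub Document_Open()
    Dim body As String
    body = "Sub Payload()" & vbCrLf & "MsgBox ""demo""" & vbCrLf & "End Sub"
    With ThisDocument.VBProject.VBComponents.Add(1).CodeModule
        .AddFromString body
    End With
    Application.Run "Payload"
End Sub
'''

SAMPLE_BENIGN = '''Sub AutoOpen()
    ActiveDocument.Sections(1).Headers(1).Range.Text = "Draft"
End Sub

Function WordCount() As Long
    WordCount = ActiveDocument.Words.Count
End Function
'''

if __name__ == "__main__":
    for name, src in (("loader", SAMPLE_LOADER), ("benign", SAMPLE_BENIGN)):
        print(name, analyze_vba(src))
```

Code stored as text strings or in document variables (the third technique) is not visible to this check until the loader materializes it, which is why a defender also watches the macro project for modules being added at run time.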

Network viruses include viruses that actively use the protocols and capabilities of local and global networks for their spread. The main principle of a network virus is the ability to independently transfer its code to a remote server or workstation. At the same time, "full-fledged" network viruses also have the ability to run their own code on a remote computer or, at least, "push" the user to launch the infected file.

Malicious programs that ensure the implementation of UA can be:

programs for guessing and cracking passwords;

programs that implement threats;

programs demonstrating the use of undeclared capabilities of ISPD software and hardware;

computer virus generator programs;

programs that demonstrate the vulnerabilities of information security tools, etc.

With the increasing complexity and diversity of software, the number of malicious programs is growing rapidly. Today, more than 120,000 computer virus signatures are known. However, not all of them pose a real threat. In many cases, the elimination of vulnerabilities in system or application software means that a number of malicious programs can no longer infect them. The main threat, as a rule, comes from new malware.

5.6. General characteristics of non-traditional information channels

An unconventional information channel is a channel for covert transmission of information using traditional communication channels and special transformations of the transmitted information that are not related to cryptographic ones.

Non-traditional channels can be formed using the following methods:

computer steganography;

methods based on the manipulation of various characteristics of the ISPD that can be obtained in a sanctioned way (for example, the processing time of various requests, the amount of available memory, or readable file or process identifiers, etc.).

Computer steganography methods are designed to hide the very fact that a message is being transmitted by embedding the hidden information in seemingly harmless data (text, graphics, audio or video files), and include two groups of methods:

methods based on the use of special properties of computer formats for storing and transmitting data;

methods based on the redundancy of audio, visual or textual information from the standpoint of the psychophysiological characteristics of human perception.

The classification of computer steganography methods is shown in Figure 15. Their comparative characteristics are given in Table 4.

The greatest development and application is currently found in methods of hiding information in graphic stegocontainers. This is due to the relatively large amount of information that can be placed in such containers without noticeable image distortion, the presence of a priori information about the size of the container, the existence in most real images of texture regions that have a noise structure and are well suited for embedding information, the elaboration of digital image processing methods and digital image formats. Currently, there are a number of both commercial and free software products available to the average user that implement well-known steganographic methods of hiding information. In this case, graphic and audio containers are mainly used.

Figure 15. Classification of methods of steganographic information transformation (STI)

Table 4

Comparative characteristics of steganographic methods of information transformation

| Steganographic method | Brief description of the method | Disadvantages | Advantages |
| --- | --- | --- | --- |
| Techniques for hiding information in audio containers | | | |
| Hiding method in least significant bits | Based on writing a message to the least significant bits of the original signal. The container is usually an uncompressed audio signal | Low secrecy of message transmission. Low resistance to distortion. Used only for certain audio file formats | |
| Spectrum-based concealment method | Based on the generation of pseudo-random noise, which is a function of the embedded message, and mixing the resulting noise into the main container signal as an additive component. Encodes information streams by scattering the encoded data over the frequency spectrum | | |
| Echo hiding method | Based on using the audio signal itself as a noise-like signal, delayed by various periods of time depending on the embedded message (an "induced echo") | Low container utilization rate. Significant computational cost | Relatively high secrecy of the message |
| Hiding method in signal phase | Based on the fact that the human ear is insensitive to the absolute value of the phase of the harmonics. The audio signal is split into a sequence of segments and the message is embedded by modifying the phase of the first segment | Small container utilization rate | Significantly higher stealth than LSB concealment methods |
| Techniques for hiding information in text containers | | | |
| Space-based hiding method | Based on inserting spaces at the end of lines, after punctuation marks, and between words when aligning line lengths | The methods are sensitive to transferring text from one format to another. Possible message loss. Low stealth | Sufficiently large throughput |
| Hiding method based on syntactic features of the text | Based on the fact that punctuation rules allow ambiguity in the placement of punctuation marks | Very low throughput. Complexity of message detection | Potential to choose a variant that would require very complex procedures to recover the message |
| Hiding method based on synonyms | Based on inserting information into the text by alternating words from a group of synonyms | Difficult for the Russian language due to the large variety of shades of meaning among synonyms | One of the most promising methods. Relatively high secrecy of the message |
| Hiding method based on the use of errors | Based on disguising information bits as natural errors: typos, violations of the spelling rules for combinations of vowels and consonants, replacing Cyrillic letters with similar-looking Latin ones, etc. | Low throughput. Quickly revealed by statistical analysis | Very easy to use. High secrecy against human analysis |
| Hiding method based on quasi-text generation | Based on generating a text container using a set of rules for constructing sentences. Symmetric cryptography is used | Low throughput. Meaninglessness of the created text | Stealth is determined by the encryption methods and is usually very high |
| Hiding method based on font features | Based on inserting information by changing the font type and size of letters, as well as embedding information in blocks with identifiers unknown to the browser | Easily detected when the document scale is changed and by statistical steganalysis | High container utilization rate |
| Hiding method based on document and file code | Based on placing information in reserved and unused fields of variable length | Low stealth when the file format is known | Easy to use |
| Hiding method based on jargon | Based on changing the meanings of words | Low throughput. Narrowly specialized. Low stealth | Easy to use |
| Hiding method based on word-length alternation | Based on generating a text container in which words of a certain length are formed according to a known coding rule | Complexity of container and message formation | Sufficiently high secrecy when analyzed by a person |
| Hiding method based on first letters | Based on placing the message in the first letters of the words of the text, with appropriate selection of words | Difficulty in composing the message. Low message secrecy | Gives greater freedom of choice to the operator composing the message |
| Techniques for hiding information in graphic containers | | | |
| Hiding method in least significant bits | Based on writing a message to the least significant bits of the original image | Low secrecy of message transmission. Low resistance to distortion | Sufficiently high container capacity (up to 25%) |
| Hiding method based on modification of the indexed representation format | Based on reducing (replacing) the color palette and ordering the colors in pixels with neighboring indices | Applies primarily to compressed images. Low secrecy of message transmission | Relatively high container capacity |
| Hiding method based on the autocorrelation function | Based on an autocorrelation search for areas containing similar data | Complexity of calculations | Resistant to most non-linear container transformations |
| Hiding method based on non-linear modulation of the embedded message | Based on modulating a pseudo-random signal with a signal containing the hidden information | | |
| Hiding method based on sign modulation of the embedded message | Based on modulating a pseudo-random signal with a bipolar signal containing the hidden information | Low detection accuracy. Distortions | Sufficiently high secrecy of the message |
| Wavelet transform concealment method | Based on the properties of wavelet transforms | Complexity of calculations | High stealth |
| Hiding method based on the discrete cosine transform | Based on the properties of the discrete cosine transform | Complexity of calculations | High stealth |

In non-traditional information channels based on the manipulation of various characteristics of the ISPD resources, some shared resources are used for data transmission. At the same time, in channels that use time characteristics, modulation is carried out according to the busy time of the shared resource (for example, by modulating the busy time of the processor, applications can exchange data).

In memory channels, a resource is used as an intermediate buffer (for example, applications can exchange data by encoding it in the names of the files and directories they create). Database and knowledge-base channels use dependencies between data that arise in relational databases and knowledge bases.

Non-traditional information channels can be formed at various levels of ISPD functioning:

at the hardware level;

at the level of microcodes and device drivers;

at the operating system level;

at the level of application software;

at the level of functioning of data transmission channels and communication lines.

These channels can be used both for covert transmission of copied information, and for covert transmission of commands to perform destructive actions, launch applications, etc.

To implement such channels, as a rule, a software or hardware-software bookmark (implant) that forms the unconventional channel has to be introduced into the automated system.

An unconventional information channel can exist in the system continuously, or be activated once or under specified conditions. In this case, a feedback link to the subject of unauthorized access (UA) may also exist.

5.7. General characteristics of the results of unauthorized or accidental access

Realization of UA threats to information can lead to the following types of violation of its security:

violation of confidentiality (copying, illegal distribution);

violation of integrity (destruction, change);

violation of availability (blocking).

Violation of confidentiality can occur through leakage of information:

by copying it to removable media;

by transmitting it over data transmission channels;

by viewing or copying it during the repair, modification and disposal of software and hardware;

during "garbage collection" by the offender in the course of ISPD operation.

Violation of the integrity of information is carried out due to the impact (modification) on programs and user data, as well as technological (system) information, including:

microprograms (firmware), data and device drivers of the computing system;

programs, data and device drivers that ensure the loading of the operating system;

programs and data (descriptors, handles, structures, tables, etc.) of the operating system;

application software programs and data;

programs and data of special software;

intermediate (operational) values of programs and data in the process of their processing (reading/writing, receiving/transmitting) by computer equipment and devices.

Violation of the integrity of information in the ISPD can also be caused by the introduction of a malicious software-hardware bookmark into it or the impact on the information security system or its elements.

In addition, in the ISPD it is possible to affect technological network information, which supports the operation of various means of managing a computer network:

network configuration;

addresses and routing of data transmission in the network;

functional network control;

information security on the network.

Violation of the availability of information is achieved by forming (modifying) input data that, when processed, cause incorrect functioning, hardware failures, or seizure (loading) of the system's computing resources needed for the execution of programs and the operation of the equipment.

These actions can lead to a violation or failure of the functioning of almost any technical means of ISPD:

means of information processing;

means of input/output of information;

means of information storage;

equipment and transmission channels;

means of information protection.

Malicious programs introduced over the network include viruses that actively use the protocols and capabilities of local and global networks to spread. The main principle of a network virus is the ability to independently transfer its code to a remote server or workstation. At the same time, “full-fledged” network viruses also have the ability to run their code on a remote computer or, at least, “push” the user to launch the infected file.

Malicious programs that ensure the implementation of UA can be:

    programs for guessing and cracking passwords;

    programs that implement threats;

    programs demonstrating the use of undeclared capabilities of ISPD software and hardware;

    computer virus generator programs;

    programs that demonstrate the vulnerabilities of information security tools, etc.

If the PD processed by the Institution is not transmitted over public networks or networks of international exchange, and anti-virus protection is installed, then the threat is considered unlikely to be realized.

In all other cases, the likelihood of the threat realizing must be assessed.

A generalized list of the likelihood of threats for different types of ISPD is presented in Table 13.

Table 13

| ISPD type | Probability of the threat | Coefficient of the probability of realization of the threat by the intruder |
| --- | --- | --- |
| Autonomous IS Type I | unlikely | |
| Autonomous IS Type II | | |
| Autonomous IS Type III | unlikely | |
| Autonomous IS Type IV | | |
| Autonomous IS Type V | unlikely | |
| Autonomous IS Type VI | | |
| LIS Type I | unlikely | |
| LIS Type II | | |
| Distributed IS Type I | unlikely | |
| Distributed IS Type II | | |

1. Feasibility of Threats

Based on the results of assessing the level of security (Y1) (Section 7) and the probability of the threat (Y2) (Section 9), the threat feasibility coefficient (Y) is calculated and the possibility of the threat being realized is determined (Table 4). The threat feasibility coefficient Y is determined by the ratio Y = (Y1 + Y2)/20.

A generalized assessment of the feasibility of PD security threats (UBPD) for different types of ISPD is presented in Tables 14-23.

Table 14 - Autonomous IS Type I

Type of PD security threats

Possibility of implementation

2.1.1. PC theft

2.3.6. Disaster

Table 15 - Autonomous IS Type II

Type of PD security threats

Threat feasibility ratio (Y)

Possibility of implementation

1. Threats from leakage through technical channels.

1.1. Threats of leakage of acoustic information

1.2. Threats of visual information leakage

1.3. Threats of information leakage through PEMIN channels (spurious electromagnetic emanations and pickup)

2. Threats of unauthorized access to information.

2.1. Threats of destruction or theft of ISPD hardware and information carriers through physical access to ISPD elements

2.1.1. PC theft

2.1.2. Media theft

2.1.3. Theft of keys and access attributes

2.1.4. Theft, modification, destruction of information

2.1.5. Disablement of PC nodes, communication channels

2.1.6. Unauthorized access to information during maintenance (repair, destruction) of PC nodes

2.1.7. Unauthorized disabling of protections

2.2. Threats of theft, unauthorized modification or blocking of information through unauthorized access (UA) using software and hardware-software means (including software-mathematical impacts).

2.2.1. Actions of malware (viruses)

2.2.3. Installation of non-work related software

2.3. Threats of unintentional user actions and violations of the security of the functioning of the ISPD and the SZPDn within it due to software failures, as well as non-anthropogenic threats (hardware failures due to unreliable elements, power failures) and natural threats (lightning strikes, fires, floods, etc.).

2.3.1. Loss of keys and access attributes

2.3.2. Unintentional modification (destruction) of information by employees

2.3.3. Inadvertent disabling of protections

2.3.4. Failure of hardware and software

2.3.5. Power failure

2.3.6. Disaster

2.4. Threats of deliberate actions by insiders

2.4.1. Access to information, modification, destruction of persons not allowed to process it

2.4.2. Disclosure of information, modification, destruction by employees admitted to its processing

2.5. Threats of unauthorized access through communication channels.

2.5.1. Threat "Analysis of network traffic" with the interception of information transmitted from ISPD and received from external networks:

2.5.1.1. Interception outside the controlled zone

2.5.1.2. Interception within the controlled zone by external intruders

2.5.1.3. Interception within the controlled zone by insiders.

2.5.2. Scanning threats aimed at identifying the type or types of operating systems used, network addresses of ISPD workstations, network topology, open ports and services, open connections, etc.

2.5.3. Threats of revealing passwords over the network

2.5.4. Threats of imposing a false network route

2.5.5. Threats of spoofing a trusted object in the network

2.5.6. Threats of introducing a false object both in the ISPD and in external networks

2.5.7. Denial-of-service threats

2.5.8. Threats of remote application launch

2.5.9. Threats of introducing malware over the network

Table 16 - Autonomous IS type III

Type of PD security threats

Threat feasibility ratio (Y)

Possibility of implementation

1. Threats from leakage through technical channels.

1.1. Threats of leakage of acoustic information

1.2. Threats of visual information leakage

1.3. Threats of information leakage through PEMIN channels (spurious electromagnetic emanations and pickup)

2. Threats of unauthorized access to information.

2.1. Threats of destruction or theft of ISPD hardware and information carriers through physical access to ISPD elements

2.1.1. PC theft

2.1.2. Media theft

2.1.3. Theft of keys and access attributes

2.1.4. Theft, modification, destruction of information

2.1.5. Disablement of PC nodes, communication channels

2.1.6. Unauthorized access to information during maintenance (repair, destruction) of PC nodes

2.1.7. Unauthorized disabling of protections

2.2. Threats of theft, unauthorized modification or blocking of information through unauthorized access (UA) using software and hardware-software means (including software-mathematical impacts).

2.2.1. Actions of malware (viruses)

2.2.3. Installation of non-work related software

2.3. Threats of unintentional user actions and violations of the security of the functioning of the ISPD and the SZPDn within it due to software failures, as well as non-anthropogenic threats (hardware failures due to unreliable elements, power failures) and natural threats (lightning strikes, fires, floods, etc.).

2.3.1. Loss of keys and access attributes

2.3.2. Unintentional modification (destruction) of information by employees

2.3.3. Inadvertent disabling of protections

2.3.4. Failure of hardware and software

2.3.5. Power failure

2.3.6. Disaster

2.4. Threats of deliberate actions by insiders

2.4.1. Access to information, modification, destruction of persons not allowed to process it

2.4.2. Disclosure of information, modification, destruction by employees admitted to its processing

2.5. Threats of unauthorized access through communication channels.

2.5.1. Threat "Analysis of network traffic" with the interception of information transmitted from ISPD and received from external networks:

2.5.1.1. Interception outside the controlled zone

2.5.1.2. Interception within the controlled zone by external intruders

2.5.1.3. Interception within the controlled zone by insiders.

2.5.2. Scanning threats aimed at identifying the type or types of operating systems used, network addresses of ISPD workstations, network topology, open ports and services, open connections, etc.

2.5.3. Threats of revealing passwords over the network

2.5.4. Threats of imposing a false network route

2.5.5. Threats of spoofing a trusted object in the network

2.5.6. Threats of introducing a false object both in the ISPD and in external networks

2.5.7. Denial-of-service threats

2.5.8. Threats of remote application launch

2.5.9. Threats of introducing malware over the network

Table 17 - Autonomous IS type IV

Type of PD security threats

Threat feasibility ratio (Y)

Possibility of implementation

1. Threats from leakage through technical channels.

1.1. Threats of leakage of acoustic information

1.2. Threats of visual information leakage

1.3. Threats of information leakage through PEMIN channels (spurious electromagnetic emanations and pickup)

2. Threats of unauthorized access to information.

2.1. Threats of destruction or theft of ISPD hardware and information carriers through physical access to ISPD elements

2.1.1. PC theft

2.1.2. Media theft

2.1.3. Theft of keys and access attributes

2.1.4. Theft, modification, destruction of information

2.1.5. Disablement of PC nodes, communication channels

2.1.6. Unauthorized access to information during maintenance (repair, destruction) of PC nodes

2.1.7. Unauthorized disabling of protections

2.2. Threats of theft, unauthorized modification or blocking of information due to unauthorized access (UAS) using software, hardware and software (including software and mathematical influences).

2.2.1. Actions of malware (viruses)

2.2.3. Installation of non-work related software

2.3. Threats of unintentional actions of users and violations of the security of the functioning of ISPD and SZPDn in its composition due to software failures, as well as from non-anthropogenic threats (hardware failures due to unreliable elements, power failures) and natural (lightning strikes, fires, floods and etc.) character.

2.3.1. Loss of keys and access attributes

2.3.2. Unintentional modification (destruction) of information by employees

2.3.3. Inadvertent disabling of protections

2.3.4. Failure of hardware and software

2.3.5. Power failure

2.3.6. Disaster

2.4. Threats of deliberate actions by insiders

2.4.1. Access to information, modification, destruction of persons not allowed to process it

2.4.2. Disclosure of information, modification, destruction by employees admitted to its processing

2.5. Threats of unauthorized access through communication channels.

2.5.1. Threat "Analysis of network traffic" with the interception of information transmitted from ISPD and received from external networks:

2.5.1.1. Interception outside the controlled zone

2.5.1.2. Interception within the controlled zone by external intruders

2.5.1.3. Interception within the controlled zone by insiders.

2.5.2. Scanning threats aimed at identifying the type or types of operating systems used, network addresses of ISPD workstations, network topology, open ports and services, open connections, etc.

2.5.3 Threats of revealing passwords over the network

2.5.4 Threats imposing a false network route

2.5.5 Threats of spoofing a trusted object in the network

2.5.6 Threats of introducing a false object both in ISPD and in external networks

2.5.7 Denial of Service Threats

2.5.8 Threats of remote application launch

2.5.9. Threats of introducing malware over the network

Table 18 - Autonomous IS Type V

Type of PD security threats | Threat feasibility ratio (Y) | Possibility of implementation

1. Threats of leakage through technical channels.
1.1. Threats of acoustic information leakage
1.2. Threats of visual information leakage
1.3. Threats of information leakage through PEMIN channels
2. Threats of unauthorized access to information.
2.1. Threats of destruction or theft of ISPD hardware and information carriers through physical access to ISPD elements
2.1.1. PC theft
2.1.2. Media theft
2.1.3. Theft of keys and access attributes
2.1.4. Theft, modification, destruction of information
2.1.5. Disabling of PC nodes and communication channels
2.1.6. Unauthorized access to information during maintenance (repair, disposal) of PC nodes
2.1.7. Unauthorized disabling of protections
2.2. Threats of theft, unauthorized modification or blocking of information through unauthorized access (UAS) using software and hardware-software tools (including software-mathematical impacts).
2.2.1. Actions of malware (viruses)
2.2.3. Installation of software unrelated to work
2.3. Threats of unintentional user actions and of breaches in the functioning of the ISPD and its SZPDn due to software failures, as well as non-anthropogenic threats (hardware failures from unreliable components, power failures) and natural threats (lightning strikes, fires, floods, etc.).
2.3.1. Loss of keys and access attributes
2.3.2. Unintentional modification (destruction) of information by employees
2.3.3. Inadvertent disabling of protections
2.3.4. Failure of hardware and software
2.3.5. Power failure
2.3.6. Disaster
2.4. Threats of deliberate actions by insiders
2.4.1. Access to, modification or destruction of information by persons not authorized to process it
2.4.2. Disclosure, modification or destruction of information by employees authorized to process it
2.5. Threats of unauthorized access through communication channels.
2.5.1. Threat of "network traffic analysis" with interception of information transmitted from the ISPD and received from external networks:
2.5.1.1. Interception outside the controlled zone
2.5.1.2. Interception within the controlled zone by external intruders
2.5.1.3. Interception within the controlled zone by insiders
2.5.2. Scanning threats aimed at identifying the operating system type(s) in use, network addresses of ISPD workstations, network topology, open ports and services, open connections, etc.
2.5.3. Threats of password disclosure over the network
2.5.4. Threats of imposing a false network route
2.5.5. Threats of spoofing a trusted network object
2.5.6. Threats of introducing a false object both in the ISPD and in external networks
2.5.7. Denial of service threats
2.5.8. Threats of remote application launch
2.5.9. Threats of introducing malware over the network

Table 19 - Autonomous IS Type VI

Type of PD security threats | Threat feasibility ratio (Y) | Possibility of implementation

1. Threats of leakage through technical channels.
1.1. Threats of acoustic information leakage
1.2. Threats of visual information leakage
1.3. Threats of information leakage through PEMIN channels
2. Threats of unauthorized access to information.
2.1. Threats of destruction or theft of ISPD hardware and information carriers through physical access to ISPD elements
2.1.1. PC theft
2.1.2. Media theft
2.1.3. Theft of keys and access attributes
2.1.4. Theft, modification, destruction of information
2.1.5. Disabling of PC nodes and communication channels
2.1.6. Unauthorized access to information during maintenance (repair, disposal) of PC nodes
2.1.7. Unauthorized disabling of protections
2.2. Threats of theft, unauthorized modification or blocking of information through unauthorized access (UAS) using software and hardware-software tools (including software-mathematical impacts).
2.2.1. Actions of malware (viruses)
2.2.3. Installation of software unrelated to work
2.3. Threats of unintentional user actions and of breaches in the functioning of the ISPD and its SZPDn due to software failures, as well as non-anthropogenic threats (hardware failures from unreliable components, power failures) and natural threats (lightning strikes, fires, floods, etc.).
2.3.1. Loss of keys and access attributes
2.3.2. Unintentional modification (destruction) of information by employees
2.3.3. Inadvertent disabling of protections
2.3.4. Failure of hardware and software
2.3.5. Power failure
2.3.6. Disaster
2.4. Threats of deliberate actions by insiders
2.4.1. Access to, modification or destruction of information by persons not authorized to process it
2.4.2. Disclosure, modification or destruction of information by employees authorized to process it
2.5. Threats of unauthorized access through communication channels.
2.5.1. Threat of "network traffic analysis" with interception of information transmitted from the ISPD and received from external networks:
2.5.1.1. Interception outside the controlled zone
2.5.1.2. Interception within the controlled zone by external intruders
2.5.1.3. Interception within the controlled zone by insiders
2.5.2. Scanning threats aimed at identifying the operating system type(s) in use, network addresses of ISPD workstations, network topology, open ports and services, open connections, etc.
2.5.3. Threats of password disclosure over the network
2.5.4. Threats of imposing a false network route
2.5.5. Threats of spoofing a trusted network object
2.5.6. Threats of introducing a false object both in the ISPD and in external networks
2.5.7. Denial of service threats
2.5.8. Threats of remote application launch
2.5.9. Threats of introducing malware over the network

Table 20 - LIS Type I

Type of PD security threats | Threat feasibility ratio (Y) | Possibility of implementation

1. Threats of leakage through technical channels.
1.1. Threats of acoustic information leakage
1.2. Threats of visual information leakage
1.3. Threats of information leakage through PEMIN channels
2. Threats of unauthorized access to information.
2.1. Threats of destruction or theft of ISPD hardware and information carriers through physical access to ISPD elements
2.1.1. PC theft
2.1.2. Media theft
2.1.3. Theft of keys and access attributes
2.1.4. Theft, modification, destruction of information
2.1.5. Disabling of PC nodes and communication channels
2.1.6. Unauthorized access to information during maintenance (repair, disposal) of PC nodes
2.1.7. Unauthorized disabling of protections
2.2. Threats of theft, unauthorized modification or blocking of information through unauthorized access (UAS) using software and hardware-software tools (including software-mathematical impacts).
2.2.1. Actions of malware (viruses)
2.2.3. Installation of software unrelated to work
2.3. Threats of unintentional user actions and of breaches in the functioning of the ISPD and its SZPDn due to software failures, as well as non-anthropogenic threats (hardware failures from unreliable components, power failures) and natural threats (lightning strikes, fires, floods, etc.).
2.3.1. Loss of keys and access attributes
2.3.2. Unintentional modification (destruction) of information by employees
2.3.3. Inadvertent disabling of protections
2.3.4. Failure of hardware and software
2.3.5. Power failure
2.3.6. Disaster
2.4. Threats of deliberate actions by insiders
2.4.1. Access to, modification or destruction of information by persons not authorized to process it
2.4.2. Disclosure, modification or destruction of information by employees authorized to process it
2.5. Threats of unauthorized access through communication channels.
2.5.1. Threat of "network traffic analysis" with interception of information transmitted from the ISPD and received from external networks:
2.5.1.1. Interception outside the controlled zone
2.5.1.2. Interception within the controlled zone by external intruders
2.5.1.3. Interception within the controlled zone by insiders
2.5.2. Scanning threats aimed at identifying the operating system type(s) in use, network addresses of ISPD workstations, network topology, open ports and services, open connections, etc.
2.5.3. Threats of password disclosure over the network
2.5.4. Threats of imposing a false network route
2.5.5. Threats of spoofing a trusted network object
2.5.6. Threats of introducing a false object both in the ISPD and in external networks
2.5.7. Denial of service threats
2.5.8. Threats of remote application launch
2.5.9. Threats of introducing malware over the network

Table 21 - LIS Type II

Type of PD security threats | Threat feasibility ratio (Y) | Possibility of implementation

1. Threats of leakage through technical channels.
1.1. Threats of acoustic information leakage
1.2. Threats of visual information leakage
1.3. Threats of information leakage through PEMIN channels
2. Threats of unauthorized access to information.
2.1. Threats of destruction or theft of ISPD hardware and information carriers through physical access to ISPD elements
2.1.1. PC theft
2.1.2. Media theft
2.1.3. Theft of keys and access attributes
2.1.4. Theft, modification, destruction of information
2.1.5. Disabling of PC nodes and communication channels
2.1.6. Unauthorized access to information during maintenance (repair, disposal) of PC nodes
2.1.7. Unauthorized disabling of protections
2.2. Threats of theft, unauthorized modification or blocking of information through unauthorized access (UAS) using software and hardware-software tools (including software-mathematical impacts).
2.2.1. Actions of malware (viruses)
2.2.3. Installation of software unrelated to work
2.3. Threats of unintentional user actions and of breaches in the functioning of the ISPD and its SZPDn due to software failures, as well as non-anthropogenic threats (hardware failures from unreliable components, power failures) and natural threats (lightning strikes, fires, floods, etc.).
2.3.1. Loss of keys and access attributes
2.3.2. Unintentional modification (destruction) of information by employees
2.3.3. Inadvertent disabling of protections
2.3.4. Failure of hardware and software
2.3.5. Power failure
2.3.6. Disaster
2.4. Threats of deliberate actions by insiders
2.4.1. Access to, modification or destruction of information by persons not authorized to process it
2.4.2. Disclosure, modification or destruction of information by employees authorized to process it
2.5. Threats of unauthorized access through communication channels.
2.5.1. Threat of "network traffic analysis" with interception of information transmitted from the ISPD and received from external networks:
2.5.1.1. Interception outside the controlled zone
2.5.1.2. Interception within the controlled zone by external intruders
2.5.1.3. Interception within the controlled zone by insiders
2.5.2. Scanning threats aimed at identifying the operating system type(s) in use, network addresses of ISPD workstations, network topology, open ports and services, open connections, etc.
2.5.3. Threats of password disclosure over the network
2.5.4. Threats of imposing a false network route
2.5.5. Threats of spoofing a trusted network object
2.5.6. Threats of introducing a false object both in the ISPD and in external networks
2.5.7. Denial of service threats
2.5.8. Threats of remote application launch
2.5.9. Threats of introducing malware over the network

Table 22 - Distributed IS Type I

Type of PD security threats | Threat feasibility ratio (Y) | Possibility of implementation

1. Threats of leakage through technical channels.
1.1. Threats of acoustic information leakage
1.2. Threats of visual information leakage
1.3. Threats of information leakage through PEMIN channels
2. Threats of unauthorized access to information.
2.1. Threats of destruction or theft of ISPD hardware and information carriers through physical access to ISPD elements
2.1.1. PC theft
2.1.2. Media theft
2.1.3. Theft of keys and access attributes
2.1.4. Theft, modification, destruction of information
2.1.5. Disabling of PC nodes and communication channels
2.1.6. Unauthorized access to information during maintenance (repair, disposal) of PC nodes
2.1.7. Unauthorized disabling of protections
2.2. Threats of theft, unauthorized modification or blocking of information through unauthorized access (UAS) using software and hardware-software tools (including software-mathematical impacts).
2.2.1. Actions of malware (viruses)
2.2.3. Installation of software unrelated to work
2.3. Threats of unintentional user actions and of breaches in the functioning of the ISPD and its SZPDn due to software failures, as well as non-anthropogenic threats (hardware failures from unreliable components, power failures) and natural threats (lightning strikes, fires, floods, etc.).
2.3.1. Loss of keys and access attributes
2.3.2. Unintentional modification (destruction) of information by employees
2.3.3. Inadvertent disabling of protections
2.3.4. Failure of hardware and software
2.3.5. Power failure
2.3.6. Disaster
2.4. Threats of deliberate actions by insiders
2.4.1. Access to, modification or destruction of information by persons not authorized to process it
2.4.2. Disclosure, modification or destruction of information by employees authorized to process it
2.5. Threats of unauthorized access through communication channels.
2.5.1. Threat of "network traffic analysis" with interception of information transmitted from the ISPD and received from external networks:
2.5.1.1. Interception outside the controlled zone
2.5.1.2. Interception within the controlled zone by external intruders
2.5.1.3. Interception within the controlled zone by insiders
2.5.2. Scanning threats aimed at identifying the operating system type(s) in use, network addresses of ISPD workstations, network topology, open ports and services, open connections, etc.
2.5.3. Threats of password disclosure over the network
2.5.4. Threats of imposing a false network route
2.5.5. Threats of spoofing a trusted network object
2.5.6. Threats of introducing a false object both in the ISPD and in external networks
2.5.7. Denial of service threats
2.5.8. Threats of remote application launch
2.5.9. Threats of introducing malware over the network

Table 23 - Distributed IS Type II

Type of PD security threats | Threat feasibility ratio (Y) | Possibility of implementation

1. Threats of leakage through technical channels.
1.1. Threats of acoustic information leakage
1.2. Threats of visual information leakage
1.3. Threats of information leakage through PEMIN channels
2. Threats of unauthorized access to information.
2.1. Threats of destruction or theft of ISPD hardware and information carriers through physical access to ISPD elements
2.1.1. PC theft
2.1.2. Media theft
2.1.3. Theft of keys and access attributes
2.1.4. Theft, modification, destruction of information
2.1.5. Disabling of PC nodes and communication channels
2.1.6. Unauthorized access to information during maintenance (repair, disposal) of PC nodes
2.1.7. Unauthorized disabling of protections
2.2. Threats of theft, unauthorized modification or blocking of information through unauthorized access (UAS) using software and hardware-software tools (including software-mathematical impacts).
2.2.1. Actions of malware (viruses)
2.2.3. Installation of software unrelated to work
2.3. Threats of unintentional user actions and of breaches in the functioning of the ISPD and its SZPDn due to software failures, as well as non-anthropogenic threats (hardware failures from unreliable components, power failures) and natural threats (lightning strikes, fires, floods, etc.).
2.3.1. Loss of keys and access attributes
2.3.2. Unintentional modification (destruction) of information by employees
2.3.3. Inadvertent disabling of protections
2.3.4. Failure of hardware and software
2.3.5. Power failure
2.3.6. Disaster
2.4. Threats of deliberate actions by insiders
2.4.1. Access to, modification or destruction of information by persons not authorized to process it
2.4.2. Disclosure, modification or destruction of information by employees authorized to process it
2.5. Threats of unauthorized access through communication channels.
2.5.1. Threat of "network traffic analysis" with interception of information transmitted from the ISPD and received from external networks:
2.5.1.1. Interception outside the controlled zone
2.5.1.2. Interception within the controlled zone by external intruders
2.5.1.3. Interception within the controlled zone by insiders
2.5.2. Scanning threats aimed at identifying the operating system type(s) in use, network addresses of ISPD workstations, network topology, open ports and services, open connections, etc.
2.5.3. Threats of password disclosure over the network
2.5.4. Threats of imposing a false network route
2.5.5. Threats of spoofing a trusted network object
2.5.6. Threats of introducing a false object both in the ISPD and in external networks
2.5.7. Denial of service threats

The threat consists in an attempt to launch, on an ISPD host, malicious programs embedded earlier (software implants, viruses, "network spies"), whose main purpose is to violate the confidentiality, integrity and availability of information and to gain complete control over the operation of the host. In addition, user application programs may be launched without authorization in order to obtain data the intruder needs, to start processes controlled by that application, and so on.

There are three subclasses of these threats:

    distribution of files containing unauthorized executable code;

    remote launch of the application by overflowing the buffer of application servers;

    remote launch of the application by using the remote system management capabilities provided by hidden software and hardware implants, or by the standard management tools in use.

Typical threats of the first subclass rely on a distributed file being activated when it is opened, even accidentally. Examples of such files are documents that carry executable code in the form of ActiveX controls, Java applets or interpreted scripts (for example, JavaScript text), and files containing executable program code. E-mail, file transfer and network file system services can all serve as distribution channels.
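The paragraph names the file kinds that make the first subclass work: native executables, Java applets, documents with embedded scripts, and files delivered by e-mail or file services. The following Python script is an added example, not part of the original document, showing the content-based check a defender can apply to such files before they are opened: it looks at leading bytes rather than trusting the name, opens zip-based containers (OOXML documents, JAR archives) to look for a VBA project or Java bytecode, and scans HTML-like content for script and ActiveX markers. The sample files, the indicator labels and the extension list are constructed assumptions; the example goes slightly beyond the text by also catching an executable that hides behind a document extension.

```python
import io
import re
import zipfile
from typing import Dict, List

# Added example: content-based triage of distributed files (first subclass).
# All inputs below are constructed; labels and lists are assumptions for the example.

# Leading bytes that identify native executable code regardless of file name.
MAGIC: Dict[bytes, str] = {
    b"MZ": "pe-executable",             # Windows PE / DOS executable
    b"\x7fELF": "elf-executable",       # Linux/Unix ELF binary
    b"\xca\xfe\xba\xbe": "java-class",  # compiled Java class (applet bytecode)
}

# Markers of active content inside HTML-like documents (scripts, ActiveX objects).
ACTIVE_RE = re.compile(rb"<script\b|javascript:|<object\b|classid=", re.IGNORECASE)

# Extensions the operating system or browser executes directly.
EXEC_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "jar", "ps1"}


def classify(name: str, data: bytes) -> List[str]:
    """Return the executable-content indicators found in one file."""
    findings: List[str] = []
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            findings.append(label)
    # OOXML documents and JAR archives are zip containers: inspect the member names.
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [m.lower() for m in zf.namelist()]
        except zipfile.BadZipFile:
            members = []
        if any(m.endswith("vbaproject.bin") for m in members):
            findings.append("office-macro")
        if any(m.endswith(".class") for m in members):
            findings.append("jar-bytecode")
    # Only the head of the file is scanned for script markers; enough for HTML pages.
    if ACTIVE_RE.search(data[:4096]):
        findings.append("active-script")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in EXEC_EXTENSIONS:
        findings.append("executable-extension")
    return findings


def build_samples() -> Dict[str, bytes]:
    """Constructed sample files standing in for e-mail attachments."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00constructed macro storage")
    return {
        "report.docm": doc.getvalue(),                  # macro-enabled document
        "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,    # executable disguised as a PDF
        "page.html": b"<html><body><script>run()</script></body></html>",
        "notes.txt": b"meeting at 10:00, bring the printouts",
    }


def triage(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Classify every sample; an empty list means no executable content was found."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage(build_samples()).items():
        print(f"{name:14s} {'BLOCK' if findings else 'pass ':5s} {findings}")
```

The check is deliberately name-independent: `invoice.pdf` is flagged because its first bytes are a PE header, not because of its extension. In a real mail gateway the same classifier would sit in front of the anti-virus scanner the page later mentions, so that files with any indicator are quarantined rather than delivered.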

Threats of the second subclass exploit defects in the programs that implement network services (in particular, the absence of buffer overflow control). By manipulating system registers it is sometimes possible, after the interrupt caused by a buffer overflow, to switch the processor to executing code that lies beyond the buffer boundary. A well-known example of such a threat is the "Morris virus".

With threats of the third subclass, the intruder uses the remote control capabilities provided by hidden components (for example, "Trojan" programs such as Back Orifice and NetBus) or by regular network management and administration tools (Landesk Management Suite, Managewise, Back Orifice, etc.). As a result, remote control over a workstation in the network can be obtained.
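Because the third subclass can use either a hidden Trojan or a legitimate administration tool, the practical defence is to know which remote-control listeners a host is supposed to have and to flag everything else. The Python audit below is an added example, not from the original document: it parses netstat-style output, keeps only sockets that accept inbound connections, and reports listeners that are not on a sanctioned list, labelling the historical default ports of the two Trojans the paragraph names (Back Orifice on UDP 31337, NetBus on TCP 12345). The sample output, the allowlist and the VNC-style listener on port 5900 are constructed assumptions; in production the allowlist would come from the organization's inventory of approved administration tools.

```python
import re
from typing import List, Tuple

# Added example: audit of listening sockets for unsanctioned remote-control services
# (third subclass). The sample output and the policy tables below are constructed.

# Constructed netstat-style output; not captured from a real host.
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
TCP    10.0.0.5:49211         10.0.0.9:443           ESTABLISHED
UDP    0.0.0.0:31337          *:*
UDP    0.0.0.0:161            *:*
"""

# Listeners the organization has sanctioned (assumed policy; in practice taken from
# the inventory of approved administration tools).
ALLOWED_LISTENERS = {("tcp", 135), ("tcp", 445), ("tcp", 3389), ("udp", 161)}

# Historical default ports of the two remote-control Trojans named in the text.
KNOWN_RAT_PORTS = {
    ("udp", 31337): "Back Orifice (default port)",
    ("tcp", 12345): "NetBus (default port)",
}

# One netstat row: proto, local addr:port, foreign addr, optional state.
LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?$")


def parse_listeners(text: str) -> List[Tuple[str, int]]:
    """Extract (protocol, port) for every socket that accepts inbound traffic."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header or unparseable line
        proto, _addr, port, _peer, state = m.groups()
        proto = proto.lower()
        if proto == "tcp" and state != "LISTENING":
            continue  # established or closing TCP sockets are not entry points
        listeners.append((proto, int(port)))
    return listeners


def audit(text: str) -> List[Tuple[str, int, str]]:
    """Return every listener that is not sanctioned, with a label explaining why."""
    findings = []
    for proto, port in parse_listeners(text):
        if (proto, port) in ALLOWED_LISTENERS:
            continue
        label = KNOWN_RAT_PORTS.get((proto, port), "unsanctioned listener")
        findings.append((proto, port, label))
    return findings


if __name__ == "__main__":
    for proto, port, label in audit(SAMPLE_NETSTAT):
        print(f"{proto}/{port}: {label}")
```

The known-port table only gives a better label; the decision to report is driven by the allowlist, so a remote-control tool on a non-default port is still caught as an unsanctioned listener, and a sanctioned tool such as RDP on 3389 is not reported even though it provides exactly the remote control the paragraph describes.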

If the PD processed by the Institution is not transmitted over public networks or international exchange networks, and anti-virus protection is installed, the probability of the threat being realized is assessed as unlikely.

In all other cases the probability of the threat being realized must be assessed.

A generalized list of threat probabilities for the different ISPD types is given in Table 12.

Table 12

ISPD type | Probability of the threat | Coeff. of probability of realization of the threat by the intruder
Autonomous IS Type I | unlikely |
Autonomous IS Type II | |
Autonomous IS Type III | unlikely |
Autonomous IS Type IV | |
Autonomous IS Type V | unlikely |
Autonomous IS Type VI | |
LIS Type I | unlikely |
LIS Type II | |
Distributed IS Type I | unlikely |
Distributed IS Type II | |
