1. A Windows
system remains unpatched, because the user in charge
doesn’t turn on Microsoft updates. Guess what happens eventually?
2. A Windows or UNIX system (likely Windows, though) is compro-
mised because of a password-guessing attack.This
may be due to the
most stupid possible reason: it has an account with no password, or
the password is “sue”.
3. A UNIX Web server is compromised because it has a piece of trash
PHP code on it that allows a remote user
to execute arbitrary code
on the server.This is not a new paradigm. It is simply a modern vari-
ation on having a backdoor in the server known to the hackers but
not to the administrators. Ultimately, this occurs because users (or
professors) are allowed to have Web software and servers. Compound
that with a policy that says every user is
given a Web site that lasts
forever and is never updated.
These problems should be dealt with by policy and process.
Implementation of process is tricky, of course, because as is often the case,
human failure can be the source of the problem. Still, a
good password policy
and removal of user accounts as goals are crucial components.Third-party
Web-based software is also a problem, and measures including checking the
software in various ways need to be part of the process.
Operations
Challenges
The emphasis in most IT organizations is to do whatever it takes to return to
operations. In the case of botnet infestations, this is a losing proposition.
Without knowing the attack vector and
ensuring you have closed it, you will
re-image the system only to have it get re-infected soon after it is back on the
network. A/V vendors tag the files they find with names unique to that
vendor.The naming convention has become increasingly
a function tag rather
than a unique name. More importantly, the A/V product treats all the files
associated with the found file the same.That is, if
the executable is deleted, all
the associated configuration files are also deleted. In our most recent botnet
infestation, we identified the vast majority of the botnet clients by mining the
infected clients for information. Our clearest picture
of the architecture of this
botnet came from the detail found in the malware’s ini and text files. We’re
suggesting that A/V tools could provide a tremendous intelligence value to
Do'stlaringiz bilan baham: