Risk Training - Security and Technology

Risktraining.info

Security and Technology

Security and Technology

Back to Basics
Viruses, Worms and Trojan Horses
Websites

Back to Basics

One useful skill in Risk Analysis is the ability to step back and look at the very basics of a situation and the components of a system. This gives you the ability to question what each one does and by doing so, hopefully a good deal of basic risks become apparent.

In this section we'll do this on a very basic level just to give some ideas on what can be done, and where things lead. It also acts a good introduction or refresher on some of the basics of technology.

Although this section mainly deals with computers and networks we'll take a brief look at other areas of technology that are open to abuse and should be examined for any potential risks.

Computers and why we use them

The computer has become an everyday item these days to the extent that it would be very hard for some people and a lot of businesses to work properly without them. Because they have become "part of the furniture" their usefulness often isn't realised until something goes wrong with them.

Let's have a look at some of the basic things that we use a traditional desktop computer for:

Word Processing

Accounting

Billing and Invoicing

Databases

Other information storage

Printing

Accessing Networks

Entertainment

These days, with the reliance placed on the computer, it is interesting and often quite scary to think about how easy any of these functions would be to replace within a few hours if you were left without a computer.

Networks and why we use them

These days most computers do not just sit there by themselves, if they are not a part of a proper network then it is highly likely that they will at least have a modem to allow them to access other networks.

So again, let's have a look at some of the things that we use computer networks for:

Printing

Accessing network databases

Communication (Email and Interactive)

On-line transactions

Customer and Supplier communications

General Web Browsing

Entertainment

These days, the most obvious sign and immediate sign of an office computer network failing tends to be the lack of access to printing facilities; however, with Internet access becoming more and more vital to everyday business operations, a lack of Internet access may soon replace broken printing as the primary "user whinge" when a computer network dies.

The evolution of a network

To understand how basic networks work, it is worth looking at how a typical network evolves over time. In this example we will look at one way that a typical office network comes into creation and how larger networks are created from these smaller beginnings.

A "home grown" network nearly always begins when a single computer with a printer attached acquires a "mate". In terms of resources (desk space and costs) it is more practical to share a printer between more than one computer and to do this requires the computers to be networked in some way.

We are now in the situation where a few computers are all linked together and using the same printer via a simple network. What tends to happen next is that there will become a need for files used on one or more machines to be available to others. When a basic mechanism is implemented this network becomes what is called a "workgroup" - A means by which all of the computers become a group.

After a while working in this workgroup environment, it may well become apparent that all of the files would be best kept on just one of the machines so that they can be looked after more easily. This would also allow for the files to be backed up by the owner of the machine, who is probably the person who is the most familiar with the technology (or the one who has most to lose if the files are lost). If this is implemented then the machine with all of the files on it, and probably with the printers attached will become what is known as a "server". Our basic network has now evolved from a basic and unmanaged workgroup to a workgroup that contains a file and printer server.

The next step in the evolution of the network is for people to realise that the server is a valuable facility. This is usually learned the hard way when people accidentally delete files, people unplug the server or there is a disk crash leading to a loss of data. This will often bring about a number of changes to the network which may include the following:

The server will be moved to a more safe environment.

The server hardware will be changed so that it is a more reliable machine.

The disk space on the server will increase.

Files on the server will be backed up in some way.

Some access control mechanisms will be introduced so that only people who should access files can, and so that files will not be accidentally changed or deleted.

This server acquires access to an external network such as the Internet so that computers connected it can all access this.

Someone will gain overall responsibility for managing this server.

Our network is now quite advanced and where it goes from here really depends on the structure of the organisation. In our example now, we are assuming that another department now decides that it wants to link its computers to the existing network. The new department wants access to the bigger printers, the "safe" file store and importantly, the Internet. When more than one department becomes involved it soon becomes apparent that the organisation would be better suited having its own computer (or IT) department. The IT department takes control of the server, and may put a number of smaller departmental servers around the organisation to deal with networked printers. The IT department will have responsibility for making sort the network is reliable, that printers always work, that files are always available and that different departments within the organisation are compartmentalised and secure from one another. It would be embarrassing if anyone within the company had access to the payroll systems, for example. By this point, the connection to the Internet has probably been upgraded so that it runs faster and maybe some access restrictions have been implemented to stop people abusing the link. The IT department has probably by now also implemented electronic mail which will allow the company to communicate not only internally but also with other companies.

Finally in our example company, someone in the Marketing department will probably read an article about having a company website and demand that the IT department build them one. The IT department will then either go their own way and create a server available to people on the Internet via the world wide web (a webserver) or, they will create a website on an Internet Service Provider's systems and transfer data to it as and when it is required.

Beyond traditional IT.

It is easy to fall into the trap of thinking of technology risks as just being computers and networks, there are plenty of other things that can be abused within an organisation. The following is by no means an exhaustive list but does include a few often overlooked items:

Backup Media (tapes, disks, printouts)

Phones, fax machines, mobile phones

Postal franking machines

Other communications equipment (video conferencing etc)

Surveillance

Access Control Systems

Credit Card Systems

High Cost Access Systems (trading systems, quote systems etc)

Digital Signatures (a means of securely "signing" something electronically)

Questions you should be asking about all of these devices include:

Who has non-physical access to this?
Who has physical access to this?
Would you know if someone accessed or used it?
Would you know what they did?
Is the output of this item secure? Can it be accessed or stolen?
Is there a risk/loss/cost or otherwise involved in abuse of this?

Some common risks

This is a section that could go on for ever, however it is worth looking at a small number of scenarios, all of which actually happen a lot more than you may expect. These scenario's will highlight a number of obvious risks and hopefully will require no explanation.

It is very easy these days for a member of staff to be running their own business whilst at your premises, and on your company's time. There is often an assumption that if someone is sitting in front of a computer looking busy then they are working. This may well be the case, but are they working for you? On the simplest level, people may well just be doing a bit of casual stocks and shares trading or maybe placing the odd bet with their Internet bookies. On a more serious scale, they may well be running their own buying and selling business, using your postal services to ship goods, your printers and photocopiers to produce paperwork and your phone and email/web systems to talk to customers.

A member of IT staff or a computer-literate staff member may consider themselves hard done by or may have been made redundant or even sacked. This member of staff may well know electronic ways into your systems, may have planted "back doors" or may use their knowledge of members of staff to get a destructive virus into your systems. On their way out of the building on their last day they may also pop your computer's backup tapes into their pocket just in case they are useful in the future.

A hacker employed by your competition wants to get into your computer systems. They know very little about your organisation so the first thing they do is to have a quick look through your bins. Luckily for them a whole pile of old printed emails have been thrown away and by reading that, the hacker is able to get a pretty good idea of who a number of people within the organisation are, what they do and what their level of competence. The hacker finds a fairly naive and poorly trained user and forges an email to them instructing them to change their password to "letmein" so that their files can be backed up. The user, knowing no better does as they are told and Later on, the hacker will break into the organisation's computer systems using this users identity and the password they have provided.

A company has a good physical security policy and very restrictive access. A concerned employee wants to know what is happening with the company but they cannot gain physical access to the Finance Director's office. Luckily, they are friends with the cleaners, and ask one of them to sneak the Finance Director's laptops disk out for a few minutes, since the cleaner has access to all of the offices. The employee quickly copies the disk and gives it back to the cleaner to pop back in and nobody is any the wiser.

A member of staff waiting for some documents to print spots some interesting looking staff records sitting by the printer. Whilst they are waiting for their own printing to be done they quickly put the staff records into the nearby photocopier, copy them and put the originals back.

A member of IT staff receives some free training from a network supplier and they very nicely offer him a coffee cup, a rather stylish baseball hat and a bottle of wine. A few months later a number of network components need updating and whilst they are not the best price and they don't do the job very well, the IT staff member buys equipment from the supplier he got the free hat from; after all, it's not his money is it...?

Viruses, Worms and Trojan Horses

There is so much published about Viruses, Worms and Trojan Horses that they deserve a section of their own. This section is intended as a very basic introduction so that the risks can be understood but not as a detailed tutorial. Definitions

A virus's job is to infect as many systems as possible and modern viruses are very sophisticated and they are getting harder to detect. There are many rumours that a lot of modern viruses are created by the people who write the anti-virus software; this may well have a grain of truth in it but it may also be the case that the virus writers and the virus prevention writers are at constant "war" with one another, and it's us computer users who end up the victims.

A Virus is a tiny computer program that may or may not cause some damage to a computer system. In some ways, the damage that a virus does is secondary to it's main aim in life which is to spread to other programs and computer systems. A virus will attach itself in a fairly "innocent" way to a program or some other items and when that program is transferred to another system, it will spread itself around to other programs, thus "infecting" a new system. Some viruses do nothing at all to the actual computer other than just sit there but some will actually cause damage to files, slow the computer down or even "explode" on a certain date, wiping everything on the computer system out.

A Macro Virus is similar to a normal virus except that they travel around in documents, spreadsheets or other items that are not traditional virus-transport mechanisms. They received their name because they were traditionally transported in Microsoft Word Macros.

A Worm could well be described as a virus on steroids. Not only does a worm want to spread itself around, it will actively look for various ways to do this and some are very good at doing this. If you receive a worm via email or another means and "trigger" one, it will send itself to every address in your email, and it will often try and distribute itself to every other computer it can see on the network. Consider the spread of a worm like the famous "Iloveyou" worm, that was first reported in Hong Kong and had spread throughout the world bringing down a large percentage of company mail systems within a few hours. There is a good article about the Iloveyou worm on CNN's web site.

Finally, a Trojan Horse is often inserted into some viruses or worms. If a computer becomes infected with a Trojan Horse then it allows someone else to access that computer and its data from somewhere else usually without the real user of the computer having any idea that this is happening. Trojans are often distributed in illegally obtained software.

This has been a fairly simplistic explanation and a number of technicalities have been left out to make the explanations easier. It should be noted that most people simply call these four different types of infection by the generic name "viruses" (or virii for pedants).

Causes

In simplistic terms, the cause of a virus is running a program that has been infected with a virus from elsewhere. A few years ago, it used to be quite simple not to get viruses, you simply didn't run any software or use any disks that you didn't entirely trust.

The problem these days is that often you don't know when you are running a program. If you put a CDROM into a machine, it will often as not run itself without any intervention. If you open up a piece of mail it may run a piece of software without you knowing, if you visit a website it may run something without you asking and sometimes, even doing something as simple as opening up a Word document will cause programs that you didn't know existed to run.

Although it is theoretically possible to try and block all the causes of virus infection; unless you understand the operation of every piece of software om your machine it really isn't practical to be sure that you can block all of the causes of viruses getting into your system.

Effects or What to look for

If you are unlucky, you will spot a virus... Some will do silly things like change words as you type them, flash things on your screen or delete random files and some will do more drastic things such as delete or corrupt all of your files.

The first thing you may know about being infected with some viruses is when you receive a phone call or an email from someone informing you that you have passed them a virus. If you are unlucky, the virus or worm may have also passed on some random (and maybe private) documents to everyone you have ever communicated with via email as well.

A lot of viruses will just sit there and do nothing but happily distributing themselves to other people's systems when they get the chance. If someone receiving a virus has virus protection they may well warn you that you have passed them an infected file.

Scale of Problem

It is not very easy to get proper statistics on viruses since a lot of people effected by them do not even realise it. Organisations like Virus Bulletin and the Wildlist Organization publish statistics that are fairly meaningless unless you are a virus expert. It is very difficult to get anyone to commit to any plain-language statistics but everyone does agree that the scale of the virus problem is "huge".

The following statistics are quoted on the NetTech Solutions site:

1 in 1,400 e-mails contained a virus in 1999

1 in 700 e-mails contained a virus in 2000

1 in 300 e-mails contained a virus in 2001

It is predicted that 1 in 100 e-mails will contain a virus in 2004

External Links:
NetTech Solutions.
Virus Bulletin.
The WildList Organization International.

Prevention

There are a few methods of preventing viruses, the more of these you use, the more protection you will have:

Run a respected virus scanner and enable the continuous protection options.

Consider enabling the email scanning capabilities of your virus scanner if they have them.

Update your anti-virus software regularly, enable auto-update and do it at least once a week if not more often.

Educate yourself as to the causes of viruses.

Do not install software unless you are completely sure that it is safe.

Do not open email attachments unless you are sure that they are from a safe source.

Be careful of running any software from your browser.

Delete chain emails and junk email. Do not forward or reply to any of them.

Keep your Web Browser and Email software up to date.

Keep your Operating System up to date.

Backup your important files - CD's are cheap enough to keep for ever and large enough to hold most of your important files.

Consider having a non-network connected PC to scan floppy-disks and CDROMs before they are allowed to be used on a network connected system.

Some good and well respected anti-virus software can be found from the following external pages:

Procedures

The company Security Policy should detail procedures for dealing with viruses. Points to be addressed include:

What measures should be employed to protect against viruses.

What software installation and external media policies are there.

What education staff will receive on viruses.

What do do when a virus is found.

Disciplinary procedures for people causing a virus infection.

There has to be a fine balance between staff education, making your staff realise that they have to report viruses and having a disciplinary procedure that can deal with staff that deliberately put your company at risk.

It is very tempting to "test" a virus scanner with a number of viruses. This is not really a sensible thing to do but it is natural to want to see if they do actually work. If you are going to test a virus scanner with "live" viruses, make sure it is done on a non network-connected machine and that the machine is wiped out and re-installed afterwards.

Cure

The easiest cure for a virus attack is not to catch the virus in the first place. A lot of virus infections are simply impossible to recover from. Although it may well be possible to salvage some data files the systems will often have to be completely erased, and re-installed from scratch.

Some of the virus scanner manufacturers (Sophos is a good one for this) will bring out free virus-cures that may well help to rid a system of an individual virus but bear in mind that this is only possible with some of the viruses and, by the time you have actually spotted the infection it may well be too late.

If a virus is found on a network connected machine, the machine should be disconnected from the network, a note made of what virus the machine is infected with and then the machine should be switched off and dealt with by someone experienced in virus removal.

Websites

These days a website is vitally important to a company as its presence on the Internet. The site may range from just a couple of pages with some very basic information on the company to a massive commerce enabled site that extends the full range of business to the World Wide Web.

Whilst this document is not a guide to websites, it is worth looking at some of the Risk and Security aspects of something that has this much exposure.

Hows and Whys

In real terms, a website is actually a collection of pages and programs that is stored on a webserver. A webserver is a computer connected to the Internet that can be accessed by a web browser.

A webserver can either be "in-house" which means it is on your company premises and managed by your own staff or it can be hosted by an Internet Service Provider (ISP). If your site is hosted by an ISP then your own staff or a third-party web design company will manage the content of the site but the ISP will manage the server and the network connections to it. In some cases, a whole webserver may be dedicated to a single website but if your webserver is hosted by an ISP then it is likely that a large number of websites will share a single webserver and the content of your site will probably be uploaded using a mechanism called "ftp" (file transport protocol) which is built into a lot of web design programs.

In order to conduct secure transactions or simply to prove to people's browsers that the site they are visiting is really yours, your site may need a certificate which is issued by a trusted certificate authority. Use of this certificate for any important transactions ensures that your site won't be hijacked by various common hacks.

A website is the most widely available view of your company that can possibly exist. Hundreds of millions of people have access to it via the Internet so it is well worth bearing this in mind and considering various high-level risks such as:

Damage to trading should the site be unavailable.

Damage to reputation should the site be altered.

Damage to both reputation and customer confidence should any commercial or financial information be compromised via the site.

Website attacks

The glorified Hollywood image of the hacker is not at all accurate in these days of easy access to "hacking tools". Today a hacker is far more likely to be an unskilled teenager than a hero hacking for some idealistic cause.

One point that should be mentioned briefly, however, is that statistics show a hacker is far more likely to be a member of your own staff than someone from outside; this is well worth thinking about and remembering.

Because a website is on the Internet, it may unwittingly become a target for "random" hackers. A lot of website attacks are simply because a hacker has found that your webserver is vulnerable to some exploit or other and has used it to break into the site.