Security Consultant Scenario INFO Term Project. Brad S. Brady. Drexel University

Transcription

1 Security Consultant Scenario INFO Term Project Drexel University Author Note This paper was prepared for INFO taught by Dr. Scott White.

2 Table of Contents ABSTRACT.1 THE INTERVIEW...2 THE SCENARIO.2 RESEARCHING THE SPYWARE.3 REMOVING THE EXISTING SPYWARE 3 PROTECTING THE WORKSTATIONS FROM FURTHER SPYWARE ATTACKS.4 EMPLOYEE TRAINING.6 CONCLUSION.7 REFERENCES.9

3 Abstract The purpose of this paper is that as an information security consultant, I am asked to provide an example scenario in which a company, an international investment firm, may be attacked. After giving the potential scenario attack, I will provide how the attack may occur through the organizations server and infect vulnerable workstations and from whom the attack could occur from. I will explain in detail what to do with infected workstations as far as detection of spyware, researching the spyware to better understand the threat assessment and how it occurred and best practices for removing and preventing it from occurring. Last I will explain how I would defend against further attacks and what training is needed to provide to employees about not opening questionable attachments or links. For the purposes of this paper I am basing my scenario off the investment firm having 250+ Windows workstations (Windows 7 Enterprise) and using Windows 2008 server R2 for file server, Exchange 2013, print server, DNS server, virus management, etc.

4 The Interview An international investment company has requested an interview with me for a potential security consulting position. During the interview process I am asked to give a scenario in which their company may be attacked. I am also asked what I would do to determine who attacked them and how they attacked them. In addition to their specific questions I will provide them with ways to prevent similar attacks in the future. The Scenario For my scenario, I give my interviewers an example of a malicious software or malware attack, where a program is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim s data, applications, or operating system or otherwise annoying or disrupting the victim (Stallings & Brown, 2012). I inform the people interviewing me that malware is designed to damage, destroy, or deny service to the target systems (Whitman & Mattord, 2012). To be a little more specific the type of malware I would imagine a hacker would use on an investment firm to gain access to sensitive information would most likely be a form of spyware. For those in the interview, I explain what

5 spyware is exactly and how spyware is not always malicious software that just tracks our Internet habits but has evolved into Malware that can cause significant damage to a company s data. Spyware collects information from a computer and transmits that information to another system by monitoring key strokes, screen data, and or network traffic or by scanning files on the system for sensitive information. Researching the Spyware After the spyware has been detected on the system(s) it is a good idea to research what exactly that particular spyware can do to a system. Using an anti-malware program such as Norton to provide the name of the cookie, executable file, DLL etc. on the infected PC(s). Once the name of the spyware has been determined, perform a search (Google it) with the name of the infected file. This search will typically find the technical description of the spyware in addition to the threat assessment of that particular spyware. Websites such as SpywareInfo.com is also a great site for finding information out about that particular spyware as well as informative forums and tutorials on the most successful ways to remove the spyware from the computer. Removing the Existing Spyware In my experience, most freeware tools are not very reliable when it comes to removing malicious software such as spyware and the best way to remove spyware is by installing a commercial spyware and removal software such as Symantec Endpoint Protection (Symantec Endpoint Protection, 2013) or Barracuda (Barracuda Web Filter, 2013). Before installing any

6 spyware removal software, it is important to cleanup as much of the spyware as possible by using tools such as Norton Power Eraser. It is also a good idea to create a system restore point in case during the removal process something goes wrong, you can always return the system to its former state (Tittel, n.d.). The following steps are used to remove spyware from a Windows based machine: Shut down all open applications Delete temporary Internet files Run spyware removal application (i.e. Norton Power Eraser) from external device (USB drive) Run an antispyware program such as Norton s or Barracuda which runs a system scan and create and save a log file with time/date stamp to the My Documents folder. View results and select any potential infected files and select delete, quarantine or fix/repair this file(s). Reboot machine and see if everything appears to be working correctly. If not perform a system restore. If the system doesn t boot at all press F8 during the boot process and select Last Known Good Configuration. After the system boots, then roll back the machine to the restore point.

7 Protecting the Workstations from further Spyware Attacks The first line of defense for any organization is to protect themselves from the threat of spyware is by using a firewall. Many organizations to not make proper use of their firewall and therefore leave their systems vulnerable to malicious attacks and risk data and sensitive information from being compromised. Since the investment company has workstations, using group policy is the most effective and efficient way In order to protect the corporate server vulnerabilities (Exchange 2013) from spyware and ing it out to employees, Microsoft (Microsoft, 2013) offers several anti-malware protections in Exchange 2013: Built-in anti-malware protection: This basic service can be turned off, replaced or paired with a cloud-based service to provide a layered defense from spyware threats. Cloud-hosted anti-malware protection: It is recommended to purchase the Microsoft Forefront Online Protection of Exchange (FOPE) hosted filtering service. This service leverages partnerships with the best of breed anti-malware engines, providing efficient, cost effective, multi layered anti-malware protection. Third-party anti-malware protection: You may also want to use a third-party antimalware protection program such as Barracuda in addition to the anti-malware programs provided by Microsoft.

8 Employee Training Odds are spyware is going to slip through even the best most comprehensive antimalware protection there is on the market. That being said, one of the best ways to prevent spyware is to educate users on the dangers of spyware and requiring security awareness training for users from the top executives to the receptionists, janitors, etc. basically anyone within the organization that uses a computer. Employees should be made aware of the dangers of opening suspicious s or browsing the Internet and clicking on suspect webpages. Failure to adhere to safe practices can lead to compromised data. Employees must be made aware that attackers know the value of data to an organization and that it motivates attackers to steal, sabotage, or corrupt data (Whitman & Mattord, 2012). After training has been completed, employees should be required to sign an acceptable use policy, showing that they understand what is required of them to help protect the company s assets, and an explanation of how security measurements will be carried out and enforced (Dubin, 2005) This training should occur at least once a year and should be training should be reinforced with monthly newsletters that cover security awareness tips. Awareness training should cover the following: Safe web surfing Acceptable uses for the Internet Policies for downloading software

9 Tips on spotting potentially infected desktops When to contact the help desk. In addition to training and monthly IT newsletters, employees should be tested by having the IT department employee s suspicious s (an that appears out of the scope of their job) to see how the employees respond to the suspicious . If they click on the link or open the attachment, it will send the employee a notification that they should not have either clicked on the link or opened the attachment and they will be sent a follow up explaining the dangers of opening suspicious s and that he or she can expect another suspicious within a certain time frame to see if they follow the organizations security policy for employees. If the employee does not open the , then he or she will be commended for following the correct security procedure. Conclusion In concluding my scenario, I felt the best approach for me was to cover all of the bases regarding malware, particularly spyware. The first step was to determine that spyware is indeed on the computer(s), followed by the recommended steps for removing the spyware and determining which files are infected and can those infected files be cleaned and restored or need to be deleted and will deleting those files compromise the computers performance. After

10 cleaning the system or having to reimage the computer, it is important to make sure that computer is protected as well as determine if other systems within the organization are infected as well. During this time it is of even of more importance to make sure the organizations systems are fully protected with the latest anti-malware/virus definitions as well as securing up any holes that may exist with the systems firewall, Exchange server and so on. The last item in my scenario was employee training. I felt employee best practices and thorough training is the best way to prevent malware, viruses, and other dangerous threats from infecting employee workstations and that maintaining those training concepts throughout the year is the best defense against system threats.

11 References Barracuda Web Filter. (2013). Retrieved from Barracuda: General_SpywareRemoval&kw=spyware%20removal&gclid=CL7dr_Da9roCFdBlOgod_UcAVQ Dubin, J. (2005, September ). Security awareness training: How to educate employees about spyware. Retrieved from Search Security: Microsoft. (2013, August 7th). Anti-Malware Protection. Retrieved from Technet: Stallings, W., & Brown, L. (2012). Computer Security: Principals and Practice. Upper Saddle River, NJ: Pearson. Symantec Endpoint Protection. (2013). Retrieved from Symantec: Tittel, E. (n.d.). How to detect spyware on corporate PCs. Retrieved from Search CIO-Midmarket: Whitman, M. E., & Mattord, H. J. (2012). Principals of Information Security. Boston: Course Technology.