3/19/2018
1
Richard Cascarino CISM,
CIA, ACFE, CRMA
Cybersecurity Series
Malware Defense
About Jim Kaplan, CIA, CFE
• President and Founder of AuditNet®, the global resource for auditors (available on iOS, Android and Windows devices)
• Auditor, Web Site Guru
• Internet for Auditors Pioneer
• IIA Bradford Cadmus Memorial Award Recipient
• Local Government Auditor’s Lifetime Award
• Author of “The Auditor’s Guide to Internet Resources” 2nd Edition
ABOUT AUDITNET® LLC
• AuditNet®, the global resource for auditors, serves the global audit
community as the primary resource for Web-based auditing content. As the first online
audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the
use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and
features:
• Over 2,800 Reusable Templates, Audit Programs, Questionnaires, and
Control Matrices
• Webinars focusing on fraud, data analytics, IT audit, and internal audit
with free CPE for subscribers and site license users.
• Audit guides, manuals, and books on audit basics and using audit
technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
Introductions
HOUSEKEEPING
This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized
usage or recording of this webinar or any of its material is strictly forbidden.
• If you logged in with another individual’s confirmation email you will not receive CPE as the
confirmation login is linked to a specific individual
• This Webinar is not eligible for viewing in a group setting. You must be logged in with your unique join
link.
• We are recording the webinar and you will be provided access to that recording after the webinar.
Downloading or otherwise duplicating the webinar recording is expressly prohibited.
• If you have indicated you would like CPE you must attend the entire Webinar to receive CPE (no
partial CPE will be awarded).
• If you meet the criteria for earning CPE you will receive a link via email to download your certificate.
The official email for CPE will be issued via NoReply@gensend.io and it is important to white list this
address. It is from this email that your CPE credit will be sent. There is a processing fee to have your
CPE credit regenerated post event.
• Submit questions via the chat box on your screen and we will answer them either during or at the
conclusion.
• You must answer the survey questions after the Webinar or before downloading your certificate.
IMPORTANT INFORMATION
REGARDING CPE!
• SUBSCRIBERS/SITE LICENSE USERS - If you attend the entire Webinar you will receive an
email with the link to download your CPE certificate. The official email for CPE will be issued
via NoReply@gensend.io and it is important to white list this address. It is from this email that
your CPE credit will be sent. There is a processing fee to have your CPE credit regenerated
post event.
• NON-SUBSCRIBERS/NON-SITE LICENSE USERS - If you attend the entire Webinar and
requested CPE you must pay a fee to receive your CPE. No exceptions!
• We cannot manually generate a CPE certificate as these are handled by our 3rd party provider.
We highly recommend that you work with your IT department to identify and correct any email
delivery issues prior to attending the Webinar. Issues would include blocks or spam filters in
your email system or a firewall that will redirect or not allow delivery of this email from
Gensend.io
• Anyone may register, attend and view the Webinar without fees if they opted out of receiving
CPE.
• We are not responsible for any connection, audio or other computer related issues. You must
have pop-ups enabled on your computer, otherwise you will not be able to answer the polling
questions, which occur approximately every 20 minutes. We suggest that if you have any
pressing issues to see to, you do so immediately after a polling question.
The views expressed by the presenters do not necessarily represent the views,
positions, or opinions of AuditNet® LLC. These materials, and the oral presentation
accompanying them, are for educational purposes only and do not constitute
accounting or legal advice or create an accountant-client relationship.
While AuditNet® makes every effort to ensure information is accurate and complete,
AuditNet® makes no representations, guarantees, or warranties as to the accuracy or
completeness of the information provided via this presentation. AuditNet® specifically
disclaims all liability for any claims or damages that may result from the information
contained in this presentation, including any websites maintained by third parties and
linked to the AuditNet® website.
Any mention of commercial products is for information only; it does not imply
recommendation or endorsement by AuditNet® LLC
ABOUT RICHARD CASCARINO,
MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino &
Associates based in Colorado USA
• Over 28 years’ experience in IT audit
training and consultancy
• Past President of the Institute of
Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified
Fraud Examiners
• Author of Data Analytics for Internal
Auditors
TODAY’S AGENDA
• Types of Malware
• Blended Threats
• Infection Mechanisms
• Semantic, or Heuristics Based Malware Detection
• Polymorphic Malware
• Metamorphic Malware
• Hiding techniques and Detection of Malware
MALWARE DEFENSES
Block malicious code from altering system settings or
contents, capturing data or spreading
• Anti-virus / anti-spyware software
• Continuous scanning
• Automatically updated daily
• Disable auto-run on network devices
MALWARE PAYLOADS
• No payload
• Payload without damage
  • Only displays some information
• Payload with little impact
  • Modifies documents (Wazzu virus)
• Payload with heavy impact
  • Remove files, format storage
  • Encrypt data (blackmail)
  • Destroy hardware (W95.CIH): rewrite the flash BIOS
  • DDoS attacks
  • Steal data for profit
MALICIOUS SOFTWARE
• Programs that exploit vulnerabilities in computing systems
• Also referred to as malware
• Can be divided into two primary categories:
  • parasitic
    • programs that cannot exist independently; part of some application or system program (host)
    • viruses, logic bombs, and backdoors are examples
  • independent
    • self-contained programs that can be scheduled and run by the operating system
    • worms and bots are examples
SOME VIRUS TYPES
• Polymorphic: uses a polymorphic engine to mutate while keeping the original algorithm intact (packer)
• Metamorphic: changes after each infection
Backdoor (Trapdoor)
• Entry point into a program that allows someone who is aware of the trapdoor to gain access
• Used by programmers to be able to debug and test programs while skipping a lengthy setup/authentication process during development
• Avoids necessary setup and authentication
Logic Bomb
• Code embedded in a legitimate program that is set to “explode” when certain conditions are met
• Presence or absence of certain files, a particular day of the week, a particular user running the application
• One of the oldest types of program threats, predating viruses and worms
Trojan Horse (FDoS GOZI virus etc.)
• Useful program that contains hidden code; when invoked, performs some harmful function
• Can be installed through software downloads, bundling, email attachments, websites with executable content, etc. Trojan-type malware is on the rise, accounting for a very high percentage of global malware.
MALICIOUS SOFTWARE (MALWARE)
Viruses
Program that can “infect” other programs by modifying them in such a way that the infected
program can infect other programs
E-mail Virus
• Activated when recipient opens the e-mail attachment (e.g. Melissa virus).
• Sends itself to everyone on the mailing list of the infected user
A SIMPLE VIRUS
Worms
Exhibit characteristics similar to an e-mail virus, but a worm does not need a host program and is not passive: it actively seeks out more machines to infect via
• Electronic mail facility: a worm mails a copy of itself to other systems
• Remote execution: a worm executes a copy of itself on another system
• Remote log-in: a worm logs on to a remote system as a user and then copies itself from one system to the other
Some worms are used to create bots (zombies)
Bots (Zombie or drone)
• Program that secretly takes over another Internet-attached computer and uses it to launch attacks that are difficult to trace to the bot’s creator
• Planted on hundreds of computers belonging to unsuspecting third parties and then used to overwhelm a target Web site by launching an overwhelming onslaught of Internet traffic
• The collection of bots acting in a coordinated manner is called a botnet
• Uses of Bots
  • DDoS (Distributed Denial of Service) attacks, spamming, sniffing traffic on a compromised machine, keylogging, spreading new malware, manipulating online polls/games/clicks for ads (every bot has a distinct IP address), etc.
MALICIOUS SOFTWARE
ROOTKITS
Rootkit
• Malware which consists of a set of programs designed to take fundamental control of a
computer system and hide the fact that a system has been compromised
e.g. Poison Ivy Remote Access Tool (RAT)
• Typically, rootkits act to obscure their presence on the system through subversion or
evasion of standard OS security mechanisms.
• Techniques used to accomplish this can include concealing running processes from
monitoring programs, or hiding files or system data from the OS
• Rootkits may also install a "back door" in a system by replacing the login mechanism
(such as /bin/login) with an executable that steals a login combination, which is used to
access the system illegally.
• With root access, an attacker has complete control of the system to do anything
Rootkit Installation
• Usually via a Trojan horse. A user is induced to load a Trojan horse which then installs the
rootkit.
• Another means of rootkit installation is by hacker activity which is a rather lengthy process.
BOTS
Bots (Zombie or drone)
• Program that secretly takes over another Internet-attached computer and uses it to launch attacks that are difficult to trace to the bot’s creator
Remote Control Facility
• A worm propagates and activates itself, whereas a bot is controlled from a central facility
• Once a communication path is established, the control module can activate the bots in host machines (which are taken hostage). For greater flexibility, the control module can instruct the bots to download a file from an Internet site and execute it. This way, a bot can be used for different kinds of attacks.
Constructing the Attack Network
Three things are needed: (1) attack software, (2) a large number of vulnerable machines, and (3) locating these machines (scanning or fingerprinting).
Scanning is generally done in a nested (or recursive) manner.
Scanning strategies:
• Random – check random IP addresses for vulnerability (generates suspicious Internet traffic)
• Hit list – a long list is compiled a priori and each infected machine is given a partial list to infect; this generates less Internet traffic and therefore makes it more difficult to detect
• Topological – uses information contained on an infected machine to find more hosts to scan
• Local subnet – if a host could be infected behind a firewall, that host could be used to infect others on the same subnet (all behind the same firewall)
BUFFER OVERFLOW ATTACKS
• Also known as a buffer overrun
• Defined in the NIST (National Institute of Standards and Technology) Glossary of Key Information Security Terms as: “A condition at an interface under which more input can be placed into a buffer or data-holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system”
• One of the most prevalent and dangerous types of security attacks
• Modern languages provide bounds checking at run time to prevent buffer overflows and are therefore more robust against such attacks.
EXPLOITING BUFFER OVERFLOW
• To exploit any type of buffer overflow the attacker needs:
  • To identify a buffer overflow vulnerability in some program that can be triggered using externally sourced data under the attacker’s control
  • To understand how that buffer will be stored in the process’s memory, and hence the potential for corrupting adjacent memory locations and potentially altering the flow of execution of the program
POLLING QUESTION
Blended Threats
• A blended threat is a more sophisticated attack that bundles
some of the worst aspects of viruses, worms, Trojan horses,
and other malware into one single threat. Blended threats can
use server and Internet vulnerabilities to initiate, then transmit
and also spread an attack. Blended threats are designed to
use multiple modes of transport—email, flash drives,
networks, and so on.
WHAT TO INFECT
• Executable
• Interpreted file
• Kernel
• Service
• Master Boot Record (MBR)
• Hypervisor (Virtual Machine Monitor)
OVERWRITING MALWARE
[Diagram: Targeted Executable; the Malware overwrites the host code in place]
PREPENDING MALWARE
[Diagram: Targeted Executable → Infected host Executable, with the Malware placed before the original code]
APPENDING MALWARE
[Diagram: Targeted Executable → Infected host Executable, with the Malware placed after the original code]
CAVITY MALWARE
[Diagram: Targeted Executable → Infected host Executable, with the Malware placed in an unused cavity inside the original code]
MULTI-CAVITY MALWARE
[Diagram: Targeted Executable with the Malware split across several cavities]
PACKERS (SELF-EXTRACTING ARCHIVE)
[Diagram: Malware → Infected host Executable consisting of a Packer stub and the packed Payload]
POLLING QUESTION
PACKER FUNCTIONALITIES
• Compress
• Encrypt
• Randomize (polymorphism)
• Anti-debug technique (int / fake jmp)
• Add-junk
• Anti-VM/sandbox
• Virtualization
AUTO START
• Folder auto-start: C:\Documents and Settings\[user_name]\Start Menu\Programs\Startup
• Win.ini: "run=[backdoor]" or "load=[backdoor]"
• System.ini: shell="myexplorer.exe"
• Wininit
• Config.sys
AUTO START CONT.
• Assign a known extension (.doc) to the malware
• Add a Registry key such as HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• Add a task in the task scheduler
• Run as a service
UNIX AUTOSTART
• Init.d
• /etc/rc.local
• .login .xsession
• crontab
  • crontab -e
  • /etc/crontab
MACRO VIRUS
• Uses the built-in script engine
• Examples of callbacks used (Word):
  • AutoExec()
  • AutoClose()
  • AutoOpen()
  • AutoNew()
DOCUMENT BASED MALWARE
• MS Office
• Open Office
• Acrobat
USERLAND ROOTKIT
• Perform
  • login
  • sshd
  • passwd
• Hide activity
  • ps
  • netstat
  • ls
  • find
  • du
SUBVERTING THE KERNEL
• Kernel tasks
  • Process management
  • File access
  • Memory management
  • Network management
What to hide
➡ Process
➡ Files
➡ Network traffic
KERNEL ROOTKIT
[Diagram: ps and processes P1, P2, P3 running on top of the kernel, which sits on the hardware (HD, keyboard, mouse, NIC, GPU); the rootkit is inserted into the kernel]
SUBVERTING TECHNIQUES
• Kernel patch
• Loadable Kernel Module
• Kernel memory patching (/dev/kmem)
POLLING QUESTION
MALWARE DEFENSES (1)
• Detection: once the infection has occurred,
determine that it has occurred and locate the
virus
• Identification: once detection has been
achieved, identify the specific virus that has
infected a program
• Removal: once the specific virus has been
identified, remove the virus from the infected
program and restore it to its original state
MALWARE DEFENSES (2)
• The first generation scanner
  • Virus signature (bit pattern)
  • Maintains a record of the length of programs
• The second generation scanner
  • Looks for fragments of code (neglect unnecessary code)
  • Checksum of files (integrity checking)
  • Virus-specific detection algorithm
  • Deciphering (W95.Mad, xor encrypting)
  • Filtering
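The two scanner generations above, as an added example that is not part of the slides: a first-generation check matches a fixed bit pattern, and the second-generation check deciphers a single-byte XOR encryption of the W95.Mad kind by recovering the key, so the signature is still found in an encrypted body. The signature database, the names and the sample buffers are constructed for this demonstration and are not real malware signatures.

```python
"""Signature scanner with single-byte XOR deciphering (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed signature database (hypothetical names and byte patterns,
# not real malware signatures). A first-generation scanner stores exactly
# this: one fixed bit pattern per known virus.
SIGNATURES: Dict[str, bytes] = {
    "Demo.A": b"\x60\xe8\x00\x00\x00\x00\x5d",
    "Demo.B": b"BADCAFE!",
}


@dataclass(frozen=True)
class Match:
    name: str               # signature that matched
    offset: int             # byte offset of the (possibly encrypted) pattern
    xor_key: Optional[int]  # None when the pattern was found in the clear


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the xor-encrypting scheme)."""
    return bytes(b ^ key for b in data)


def find_all(data: bytes, pattern: bytes) -> List[int]:
    """Return every offset at which pattern occurs in data (overlaps included)."""
    offsets = []
    pos = data.find(pattern)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(pattern, pos + 1)
    return offsets


def scan_plain(data: bytes) -> List[Match]:
    """First-generation check: signatures searched for as-is."""
    return [Match(name, off, None)
            for name, sig in SIGNATURES.items()
            for off in find_all(data, sig)]


def scan_xor(data: bytes) -> List[Match]:
    """Second-generation check: decipher single-byte XOR encryption.

    Instead of decoding the whole buffer 255 times, each signature is
    encrypted under every candidate key and that encrypted form is searched
    for directly; a hit reveals both the virus and the key it used.
    """
    hits = []
    for key in range(1, 256):          # key 0 is the plain case above
        for name, sig in SIGNATURES.items():
            for off in find_all(data, xor_bytes(sig, key)):
                hits.append(Match(name, off, key))
    return hits


def scan(data: bytes) -> List[Match]:
    """Run both checks; plain matches are listed first."""
    return scan_plain(data) + scan_xor(data)


# Constructed sample buffers: a clean file, a file carrying Demo.B in the
# clear, and a file carrying Demo.A encrypted with key 0x5A.
CLEAN = b"MZ" + b"\x00" * 40 + b"hello world"
INFECTED_PLAIN = b"MZ" + b"\x00" * 16 + SIGNATURES["Demo.B"] + b"\x90" * 8
INFECTED_XOR = b"MZ" + b"\x00" * 8 + xor_bytes(SIGNATURES["Demo.A"], 0x5A)

if __name__ == "__main__":
    for label, buf in [("clean", CLEAN), ("plain", INFECTED_PLAIN),
                       ("xor", INFECTED_XOR)]:
        print(label, scan(buf))
```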
MALWARE DEFENSES (3)
• The third generation scanner
  • Identify a virus by its actions
• The fourth generation scanner
  • Include a variety of anti-virus techniques
• Collection method
  • Using honeypots
HEURISTICS
• Analyze program behavior
  • Network access
  • File open
  • Attempt to delete file
  • Attempt to modify the boot sector
CHECKSUM
• Compute a checksum for
  • Good binaries
  • Configuration files
• Detect change by comparing checksums
• At some point there will be more malware than “goodware” ...
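The checksum approach above, as an added example that is not part of the slides: a baseline of sizes and SHA-256 digests for good binaries and configuration files, compared later to flag modified, added and removed files. Recording the length alongside the digest (what the first-generation scanner kept) separates infections that grow the host, such as prepending and appending, from same-size overwrites such as cavity infection. The file names and contents are constructed sample data.

```python
"""Checksum-based integrity baseline (added example)."""
import hashlib
from typing import Dict, Iterable, Tuple

Snapshot = Dict[str, bytes]             # path -> file contents
Baseline = Dict[str, Tuple[int, str]]   # path -> (size, sha256 hex digest)


def fingerprint(data: bytes) -> Tuple[int, str]:
    """Size plus SHA-256 digest: the size alone is what a first-generation
    scanner recorded; the digest also catches same-size modifications."""
    return len(data), hashlib.sha256(data).hexdigest()


def build_baseline(snapshot: Snapshot) -> Baseline:
    """Fingerprint every known-good binary and configuration file."""
    return {path: fingerprint(data) for path, data in snapshot.items()}


def compare(baseline: Baseline, current: Snapshot) -> Dict[str, dict]:
    """Report files whose checksum changed, plus files added or removed.

    For a modified file, size_delta > 0 is consistent with a prepending or
    appending infection (the host grew), while size_delta == 0 points at an
    overwriting or cavity infection that kept the length unchanged.
    """
    report: Dict[str, dict] = {}
    for path, (size, digest) in baseline.items():
        if path not in current:
            report[path] = {"status": "removed", "size_delta": None}
            continue
        cur_size, cur_digest = fingerprint(current[path])
        if cur_digest != digest:
            report[path] = {"status": "modified",
                            "size_delta": cur_size - size}
    for path in current:
        if path not in baseline:
            report[path] = {"status": "added", "size_delta": None}
    return report


def snapshot_files(paths: Iterable[str]) -> Snapshot:
    """Read real files from disk into a Snapshot (for use outside the demo)."""
    snap: Snapshot = {}
    for p in paths:
        with open(p, "rb") as fh:
            snap[p] = fh.read()
    return snap


# Constructed sample data: a "good" system and the same system after a
# constructed compromise. Paths and bytes are made up for the demo.
GOOD: Snapshot = {
    "/usr/bin/login": b"\x7fELF" + b"\x00" * 12 + b"login-binary-v1",
    "/bin/ls": b"\x7fELF" + b"\x00" * 12 + b"ls-binary",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/hosts.allow": b"sshd: 10.0.0.0/8\n",
}
LATER: Snapshot = {
    # appending infection: original bytes intact, a stub added at the end
    "/usr/bin/login": GOOD["/usr/bin/login"] + b"APPENDED-STUB",
    # cavity infection: padding bytes overwritten, length unchanged
    "/bin/ls": b"\x7fELF" + b"\x00" * 4 + b"EVIL_XXX" + b"ls-binary",
    "/etc/ssh/sshd_config": GOOD["/etc/ssh/sshd_config"],   # untouched
    # new autostart entry dropped on the host
    "/etc/rc.local": b"/tmp/.x &\n",
    # /etc/hosts.allow is missing from the later snapshot
}

if __name__ == "__main__":
    for path, info in sorted(compare(build_baseline(GOOD), LATER).items()):
        print(f"{info['status']:9} {path}  size_delta={info['size_delta']}")
```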
POLLING QUESTION
MALWARE IN MOBILE PHONES
• Mobile phones are computers with great connectivity
• Internet
• WLAN
• Bluetooth
• Regular phone network (SMS, MMS)
• RFID
MALWARE DEFENSE
Antivirus approaches – (1) Detection (2) Identification (3) Removal
As the virus arms race has evolved, antivirus software has grown more complex.
Two sophisticated approaches are Generic Decryption and the Digital Immune System.
Generic Decryption (GD)
Contains three essential parts:
• CPU emulator
  – Instructions in an executable file are interpreted by the emulator rather than the processor, in a controlled environment. If the code includes a decryption routine, it is also interpreted and the virus is exposed. The virus itself does the decryption for the antivirus program (GD).
• Virus signature scanner
  – Scans the target code looking for known virus signatures
• Emulation control module
  – Controls the execution of the target code. Periodically, it interrupts the interpretation to scan the target code for virus signatures.
DIGITAL IMMUNE SYSTEM
• Developed by IBM (refined by Symantec) – general purpose emulation and virus detection system
• Motivation: rising threat of Internet-based virus propagation
  • Integrated mail systems (e.g. MS Outlook, Lotus Notes)
  • Mobile-program systems (e.g. Java and ActiveX allow programs to move on their own)
1. Each PC runs a monitoring program to detect unusual behavior
2. Encrypt the sample and forward it to the VAM
3. Analyze the sample in a safe environment via emulation
4. The prescription is sent back to the administrative machine
5.-6. Forwarded to the infected client as well as the other PCs on the same network
7. All subscribers receive regular antivirus updates
COUNTERMEASURES
• An Intrusion Detection System (IDS) is a security service that monitors and analyzes system events to detect unauthorized access
• Intrusion detection systems (IDSs) can be classified as:
  • host-based IDS
    • monitors the characteristics of a single host and the events occurring within that host for suspicious activity
  • network-based IDS
    • monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity
INTRUSION DETECTION
• Assumption: the behavior of the intruder differs from that of the legitimate user.
• But there is overlap. A loose interpretation of "intruder" may lead to false positives; on the other hand, a tight interpretation may lead to false negatives (risky!)
IDS COMPONENTS
• Sensors
  • responsible for collecting data
  • the input for a sensor may be any part of a system that could contain evidence of an intrusion
  • types of input to a sensor include network packets, log files, and system call traces
• Analyzers
  • receive input from one or more sensors or from other analyzers
  • responsible for determining if an intrusion has occurred
  • may provide guidance about what actions to take as a result of the intrusion
• User interface
  • enables a user to view output from the system or to control the behavior of the system
NIST VULNERABILITY
CHECKLISTS
• https://nvd.nist.gov/ncp/repository
• By tier
• By type
• By target product
• By Category
• By authority
NIST PUBLICATIONS
• NIST Checklist Publication (Revised Special
Publication 800-70)
• NIST IR – National Security Automation
Program
• NIST IR 7275 – XCCDF version 1.1.2 (Draft
Posted)
POLLING QUESTION
SECURITY CONTENT
AUTOMATION PROTOCOL (SCAP)
• Enables standardized and automated vulnerability
management, measurement, and policy compliance
evaluation (e.g., FISMA and DoD 8500.2/8510
compliance)
• Enumeration of vulnerabilities, misconfigurations,
platforms, and impact
• Machine readable security configuration checklists
SCAP COMPONENTS
• Six open XML standards:
  • Common Vulnerabilities and Exposures (CVE)
    • Dictionary of security related software flaws
  • Common Configuration Enumeration (CCE)
    • Dictionary of software misconfigurations
  • Common Platform Enumeration (CPE)
    • Standard nomenclature and dictionary for product naming
  • eXtensible Checklist Configuration Description Format (XCCDF)
    • Standard XML for specifying checklists
  • Open Vulnerability Assessment Language (OVAL)
    • Standard XML for checking machine state
  • Common Vulnerability Scoring System (CVSS)
    • Standard for scoring the impact of vulnerabilities
SCAP COMPLIANCE PROGRAM
• Ensuring security tools
  • comply with the NIST Security Content Automation Protocol (SCAP)
  • enable agencies to continuously monitor systems against OMB mandated configuration settings (results mapped to FISMA)
• Supports Multiple Initiatives:
  • OMB FDCC Secure Configuration Effort
  • NIST FISMA Implementation Phase II (also applies to NIST HIPAA work)
  • Information Security Automation Program (ISAP): OSD, DISA, NSA, DHS, NIST
  • OSD Computer Network Defense Pilot
  • NIST Checklist Program
  • NIST National Vulnerability Database
SCAP AND FISMA
• SCAP checklists have NIST 800-53 mappings for the
recommended configuration settings
• SCAP compliant tools report on the compliance of the
setting to FDCC and to the corresponding 800-53
technical control(s)
• Report provides evidence chain for due diligence.
POLLING QUESTION
CYBERSECURITY WEBINAR
SERIES
• May 3 - Boundary Defense Mechanisms
• May 24 - Controlling Ports and Network Devices
• June 21 - Application Security
• July 12 - SEIM Log Analysis
• August 2 - Administrative Control Breaches
• Sept 14 - Vulnerability Assessment
• Sept 27 - Advanced Persistent Threats and targeted
cyber attacks
AUDITNET® AND CRISK ACADEMY
• If you would like forever access to this webinar recording
• If you are watching the recording, and would like to obtain CPE credit for this webinar
• Previous AuditNet® webinars are also available on-demand for CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a discount on this webinar for one week

CyberSecurity Series Malware slides

  • 2. ABOUT AUDITNET® LLC
    • AuditNet®, the global resource for auditors, serves the global audit community as the primary resource for Web-based auditing content. As the first online audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the use of audit technology.
    • Available on the Web, iPad, iPhone, Windows and Android devices and features:
      • Over 2,800 Reusable Templates, Audit Programs, Questionnaires, and Control Matrices
      • Webinars focusing on fraud, data analytics, IT audit, and internal audit with free CPE for subscribers and site license users.
      • Audit guides, manuals, and books on audit basics and using audit technology
      • LinkedIn Networking Groups
      • Monthly Newsletters with Expert Guest Columnists
      • Surveys on timely topics for internal auditors
    HOUSEKEEPING
    This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden.
    • If you logged in with another individual’s confirmation email you will not receive CPE, as the confirmation login is linked to a specific individual.
    • This Webinar is not eligible for viewing in a group setting. You must be logged in with your unique join link.
    • We are recording the webinar and you will be provided access to that recording after the webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited.
    • If you have indicated you would like CPE you must attend the entire Webinar to receive CPE (no partial CPE will be awarded).
    • If you meet the criteria for earning CPE you will receive a link via email to download your certificate. The official email for CPE will be issued via [email protected] and it is important to white list this address. It is from this email that your CPE credit will be sent. There is a processing fee to have your CPE credit regenerated post event.
    • Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.
    • You must answer the survey questions after the Webinar or before downloading your certificate.
  • 3. IMPORTANT INFORMATION REGARDING CPE!
    • SUBSCRIBERS/SITE LICENSE USERS - If you attend the entire Webinar you will receive an email with the link to download your CPE certificate. The official email for CPE will be issued via [email protected] and it is important to white list this address. It is from this email that your CPE credit will be sent. There is a processing fee to have your CPE credit regenerated post event.
    • NON-SUBSCRIBERS/NON-SITE LICENSE USERS - If you attend the entire Webinar and requested CPE you must pay a fee to receive your CPE. No exceptions!
    • We cannot manually generate a CPE certificate as these are handled by our 3rd party provider. We highly recommend that you work with your IT department to identify and correct any email delivery issues prior to attending the Webinar. Issues would include blocks or spam filters in your email system or a firewall that will redirect or not allow delivery of this email from Gensend.io
    • Anyone may register, attend and view the Webinar without fees if they opted out of receiving CPE.
    • We are not responsible for any connection, audio or other computer related issues. You must have pop-ups enabled on your computer, otherwise you will not be able to answer the polling questions, which occur approximately every 20 minutes. We suggest that if you have any pressing issues to see to, you do so immediately after a polling question.
    The views expressed by the presenters do not necessarily represent the views, positions, or opinions of AuditNet® LLC. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship. While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet® makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. AuditNet® specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the AuditNet® website. Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet® LLC.
  • 4. ABOUT RICHARD CASCARINO, MBA, CIA, CISM, CFE, CRMA
    • Principal of Richard Cascarino & Associates, based in Colorado, USA
    • Over 28 years’ experience in IT audit training and consultancy
    • Past President of the Institute of Internal Auditors in South Africa
    • Member of ISACA
    • Member of the Association of Certified Fraud Examiners
    • Author of Data Analytics for Internal Auditors
    TODAY’S AGENDA
    • Types of Malware
    • Blended Threats
    • Infection Mechanisms
    • Semantic, or Heuristics Based, Malware Detection
    • Polymorphic Malware
    • Metamorphic Malware
    • Hiding Techniques and Detection of Malware
  • 5. MALWARE DEFENSES
    Block malicious code from altering system settings or contents, capturing data or spreading:
    • Anti-virus / anti-spyware software
    • Continuous scanning
    • Automatically updated daily
    • Disable auto-run on network devices
    MALWARE PAYLOADS
    • No payload
    • Payload without damage
      • Only displays some information
    • Payload with little impact
      • Modifies documents (Wazzu virus)
    • Payload with heavy impact
      • Removes files, formats storage
      • Encrypts data (blackmail)
      • Destroys hardware (W95.CIH): rewrites the flash BIOS
      • DDoS attacks
      • Steals data for profit
  • 6. MALICIOUS SOFTWARE
    • Programs that exploit vulnerabilities in computing systems
    • Also referred to as malware
    • Can be divided into two primary categories:
      • Parasitic
        • Programs that cannot exist independently; they are part of some application or system program (the host)
        • Viruses, logic bombs, and backdoors are examples
      • Independent
        • Self-contained programs that can be scheduled and run by the operating system
        • Worms and bots are examples
    SOME VIRUS TYPES
    • Polymorphic: uses a polymorphic engine to mutate while keeping the original algorithm intact (packer)
    • Metamorphic: changes after each infection
  • 7. Backdoor (Trapdoor)
    • Entry point into a program that allows someone who is aware of the trapdoor to gain access
    • Used by programmers to be able to debug and test programs while skipping a lengthy setup/authentication process during development
    • Avoids the necessary setup and authentication
    Logic Bomb
    • Code embedded in a legitimate program that is set to “explode” when certain conditions are met
    • Presence or absence of certain files, a particular day of the week, a particular user running the application
    • One of the oldest types of program threats, predating viruses and worms
    Trojan Horse (FDoS, GOZI virus, etc.)
    • Useful program that contains hidden code; when invoked, it performs some harmful function
    • Can be installed through software downloads, bundling, email attachments, websites with executable content, etc.
    • Trojan-type malware is on the rise, accounting for a very high percentage of global malware.
    MALICIOUS SOFTWARE (MALWARE)
    Viruses
    • Program that can “infect” other programs by modifying them in such a way that the infected program can in turn infect other programs
    E-mail Virus
    • Activated when the recipient opens the e-mail attachment (e.g. the Melissa virus)
    • Sends itself to everyone on the mailing list of the infected user
    A SIMPLE VIRUS
  • 8. Worms
    A worm exhibits similar characteristics to an e-mail virus, but it does not need a host program and it is not passive: it actively seeks out more machines to infect via
    • Electronic mail facility: a worm mails a copy of itself to other systems
    • Remote execution: a worm executes a copy of itself on another system
    • Remote log-in: a worm logs on to a remote system as a user and then copies itself from one system to the other
    Some worms are used to create bots (zombies).
    Bots (Zombie or drone)
    • Program that secretly takes over another Internet-attached computer and uses it to launch attacks that are difficult to trace to the bot’s creator
    • Planted on hundreds of computers belonging to unsuspecting third parties and then used to overwhelm a target Web site by launching an overwhelming onslaught of Internet traffic
    • The collection of bots acting in a coordinated manner is called a botnet
    • Uses of bots
      • DDoS (Distributed Denial of Service) attacks, spamming, sniffing traffic on a compromised machine, keylogging, spreading new malware, manipulating online polls/games/clicks for ads (every bot has a distinct IP address), etc.
    MALICIOUS SOFTWARE: ROOTKITS
    Rootkit
    • Malware which consists of a set of programs designed to take fundamental control of a computer system and hide the fact that the system has been compromised, e.g. the Poison Ivy Remote Access Tool (RAT)
    • Typically, rootkits act to obscure their presence on the system through subversion or evasion of standard OS security mechanisms.
    • Techniques used to accomplish this can include concealing running processes from monitoring programs, or hiding files or system data from the OS
    • Rootkits may also install a "back door" in a system by replacing the login mechanism (such as /bin/login) with an executable that steals a login combination, which is then used to access the system illegally.
    • With root access, an attacker has complete control of the system to do anything
    Rootkit Installation
    • Usually via a Trojan horse: a user is induced to load a Trojan horse, which then installs the rootkit.
    • Another means of rootkit installation is by hacker activity, which is a rather lengthy process.
  • 9. BOTS
    Bots (Zombie or drone)
    • Program that secretly takes over another Internet-attached computer and uses it to launch attacks that are difficult to trace to the bot’s creator
    Remote Control Facility
    • A worm propagates and activates itself, whereas a bot is controlled from a central facility
    • Once a communication path is established, the control module can activate the bots in host machines (which are taken hostage). For greater flexibility, the control module can instruct the bots to download a file from an internet site and execute it. This way, a bot can be used for different kinds of attacks.
    Constructing the Attack Network
    Three things are needed: (1) attack software, (2) a large number of vulnerable machines, and (3) a way of locating these machines (scanning or fingerprinting). Scanning is generally done in a nested (or recursive) manner.
    Scanning strategies:
    • Random – check random IP addresses for vulnerability (generates suspicious internet traffic)
    • Hit list – a long list is compiled a priori. Each infected machine is given a partial list to infect; this generates less internet traffic and therefore makes detection more difficult.
    • Topological – uses information contained on an infected machine to find more hosts to scan
    • Local subnet – if a host could be infected behind a firewall, that host could be used to infect others on the same subnet (all behind the same firewall).
    BUFFER OVERFLOW ATTACKS
    • Also known as a buffer overrun
    • Defined in the NIST (National Institute of Standards and Technology) Glossary of Key Information Security Terms as: “A condition at an interface under which more input can be placed into a buffer or data-holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system”
    • One of the most prevalent and dangerous types of security attacks
    • Modern languages provide bounds checking at run time to prevent buffer overflow, and are therefore more robust against such attacks.
  • 10. EXPLOITING BUFFER OVERFLOW
    • To exploit any type of buffer overflow the attacker needs:
      • To identify a buffer overflow vulnerability in some program that can be triggered using externally sourced data under the attacker’s control
      • To understand how that buffer will be stored in the process’s memory, and hence the potential for corrupting adjacent memory locations and potentially altering the flow of execution of the program
    POLLING QUESTION
  • 11. Blended Threats
    • A blended threat is a more sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses, and other malware into one single threat. Blended threats can use server and Internet vulnerabilities to initiate, then transmit and also spread an attack. Blended threats are designed to use multiple modes of transport: email, flash drives, networks, and so on.
    WHAT TO INFECT
    • Executable
    • Interpreted file
    • Kernel
    • Service
    • Master Boot Record (MBR)
    • Hypervisor (Virtual Machine Monitor)
  • 15. POLLING QUESTION
    PACKER FUNCTIONALITIES
    • Compress
    • Encrypt
    • Randomize (polymorphism)
    • Anti-debug techniques (int / fake jmp)
    • Add junk
    • Anti-VM/sandbox
    • Virtualization
  • 16. AUTO START
    • Folder auto-start: C:\Documents and Settings\[user_name]\Start Menu\Programs\Startup
    • Win.ini: run=[backdoor] or load=[backdoor]
    • System.ini: shell="myexplorer.exe"
    • Wininit
    • Config.sys
    AUTO START CONT.
    • Assign a known extension (.doc) to the malware
    • Add a Registry key such as HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Add a task in the task scheduler
    • Run as a service
  • 17. UNIX AUTOSTART
    • init.d
    • /etc/rc.local
    • .login, .xsession
    • crontab
      • crontab -e
      • /etc/crontab
    MACRO VIRUS
    • Uses the built-in script engine
    • Examples of callbacks used (Word):
      • AutoExec()
      • AutoClose()
      • AutoOpen()
      • AutoNew()
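The two auto-start slides list where persistence is planted; the audit question is whether anything unexpected sits there. The script below is an added example, not the presenter’s code: it inspects the Unix locations named on the slide (init.d, /etc/rc.local, /etc/crontab) under a configurable root, so it can be run against a mounted or copied system image, and parses the run=/load= keys of a win.ini file from text. The allow-lists and the sample image are constructed for illustration.

```python
"""Audit the auto-start locations the slides list for unexpected entries.

Added example, not the slides' own code. Unix persistence points are read
under a configurable root (a mounted or copied image); win.ini is parsed
from text. Anything not on the allow-list is reported.
"""
import os
import re
import tempfile
from typing import Dict, List

# Hypothetical allow-lists: entries an administrator has reviewed and accepted.
KNOWN_GOOD_INITD = {"ssh", "cron", "rsyslog"}
KNOWN_GOOD_CRON_COMMANDS = {"/usr/bin/logrotate"}

_IGNORE = re.compile(r"^\s*(#|$|exit\s+0\b)")          # comments, blanks, 'exit 0'
_CRONTAB = re.compile(r"^\s*(\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")  # m h dom mon dow user cmd
_WININI = re.compile(r"^\s*(?P<key>run|load)\s*=\s*(?P<val>.+?)\s*$", re.I)


def audit_initd(root: str) -> List[str]:
    """init.d scripts that are not on the allow-list."""
    initd = os.path.join(root, "etc", "init.d")
    if not os.path.isdir(initd):
        return []
    return sorted(n for n in os.listdir(initd) if n not in KNOWN_GOOD_INITD)


def audit_rc_local(root: str) -> List[str]:
    """Every command line in /etc/rc.local; each one runs as root at boot."""
    path = os.path.join(root, "etc", "rc.local")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [ln.strip() for ln in fh if not _IGNORE.match(ln)]


def audit_crontab(root: str) -> List[Dict[str, str]]:
    """System crontab jobs whose command is not on the allow-list."""
    path = os.path.join(root, "etc", "crontab")
    if not os.path.isfile(path):
        return []
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for ln in fh:
            if _IGNORE.match(ln) or "=" in ln.split()[0]:   # skip VAR=value lines
                continue
            m = _CRONTAB.match(ln)
            if m and m.group("cmd").split()[0] not in KNOWN_GOOD_CRON_COMMANDS:
                findings.append({"user": m.group("user"), "cmd": m.group("cmd")})
    return findings


def parse_win_ini(text: str) -> Dict[str, str]:
    """run= and load= values from win.ini text; an empty value is not reported."""
    found: Dict[str, str] = {}
    for ln in text.splitlines():
        m = _WININI.match(ln)
        if m:
            found[m.group("key").lower()] = m.group("val")
    return found


def build_sample_image() -> str:
    """Constructed system image: two expected entries and three suspicious ones."""
    root = tempfile.mkdtemp(prefix="autostart-demo-")
    os.makedirs(os.path.join(root, "etc", "init.d"))
    for name in ("ssh", "cron", "updater"):
        open(os.path.join(root, "etc", "init.d", name), "w").close()
    with open(os.path.join(root, "etc", "rc.local"), "w") as fh:
        fh.write("#!/bin/sh\n# local boot commands\n/opt/agent/run.sh &\nexit 0\n")
    with open(os.path.join(root, "etc", "crontab"), "w") as fh:
        fh.write("SHELL=/bin/sh\n# m h dom mon dow user command\n"
                 "0 3 * * * root /usr/bin/logrotate /etc/logrotate.conf\n"
                 "*/5 * * * * root /tmp/.x/beacon.sh\n")
    return root


if __name__ == "__main__":
    root = build_sample_image()
    print("init.d not on allow-list:", audit_initd(root))
    print("rc.local commands:", audit_rc_local(root))
    print("crontab jobs not on allow-list:", audit_crontab(root))
    print("win.ini:", parse_win_ini("[windows]\nload=\nrun=C:\\Temp\\svc.exe\n"))
```

Per-user crontabs, .login/.xsession files and the Windows Run key are further locations from the same slides; they follow the same pattern (enumerate, compare against a reviewed allow-list, report the remainder) and are left out here to keep the example short.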
  • 18. DOCUMENT BASED MALWARE
    • MS Office
    • Open Office
    • Acrobat
    USERLAND ROOTKIT
    • Perform
      • login
      • sshd
      • passwd
    • Hide activity
      • ps
      • netstat
      • ls
      • find
      • du
  • 19. SUBVERTING THE KERNEL
    • Kernel tasks
      • Process management
      • File access
      • Memory management
      • Network management
    What to hide
    ➡ Processes
    ➡ Files
    ➡ Network traffic
    KERNEL ROOTKIT
    [Diagram slide; labels recovered from extraction: ps, kernel, hardware (HD, keyboard, mouse, NIC, GPU), processes P1 P2 P3, rootkit]
  • 20. SUBVERTING TECHNIQUES
    • Kernel patch
    • Loadable Kernel Module
    • Kernel memory patching (/dev/kmem)
    POLLING QUESTION
  • 21. MALWARE DEFENSES (1)
    • Detection: once the infection has occurred, determine that it has occurred and locate the virus
    • Identification: once detection has been achieved, identify the specific virus that has infected a program
    • Removal: once the specific virus has been identified, remove the virus from the infected program and restore it to its original state
    MALWARE DEFENSES (2)
    • The first generation scanner
      • Virus signature (bit pattern)
      • Maintains a record of the length of programs
    • The second generation scanner
      • Looks for fragments of code (neglecting unnecessary code)
      • Checksum of files (integrity checking)
      • Virus-specific detection algorithm
      • Deciphering (W95.Mad, XOR encryption)
      • Filtering
  • 22. MALWARE DEFENSES (3)
    • The third generation scanner
      • Identifies a virus by its actions
    • The fourth generation scanner
      • Includes a variety of anti-virus techniques
    • Collection method
      • Using honeypots
    HEURISTICS
    • Analyze program behavior
      • Network access
      • File open
      • Attempt to delete a file
      • Attempt to modify the boot sector
  • 23. CHECKSUM
    • Compute a checksum for
      • Good binaries
      • Configuration files
    • Detect change by comparing checksums
    • At some point there will be more malware than “goodware” ...
    POLLING QUESTION
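The MALWARE DEFENSES (2) slide and the CHECKSUM slide describe three scanner techniques in one breath: matching a signature bit pattern, "deciphering" a body the virus has XOR-encrypted, and comparing file checksums against a known-good record. The following is an added example that puts all three in working form; it is not the presenter’s code. The signature database, the sample file contents and the choice of SHA-256 as the checksum are constructed for illustration, and the deciphering step assumes the simple single-byte XOR the slide names rather than any real virus's scheme.

```python
"""Signature scan, XOR deciphering and checksum integrity check (added example)."""
import hashlib
from typing import Dict, List, Tuple

# Constructed signature database: name -> byte pattern from an analysed sample.
SIGNATURES: Dict[str, bytes] = {
    "Demo.Dropper": b"DROP-DEMO-PAYLOAD",
    "Demo.Bomb": b"if day==13: detonate",
}


def scan_signatures(data: bytes) -> List[str]:
    """First-generation scanner: report every signature present verbatim."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def scan_deciphering(data: bytes) -> List[Tuple[str, int]]:
    """Second-generation 'deciphering' for a single-byte XOR key: instead of
    decrypting the whole file 256 times, XOR each signature with every
    candidate key and look for the result. Key 0 is the unencrypted case."""
    hits: List[Tuple[str, int]] = []
    for key in range(256):
        for name, sig in SIGNATURES.items():
            if xor_bytes(sig, key) in data:
                hits.append((name, key))
    return hits


def baseline(files: Dict[str, bytes]) -> Dict[str, Tuple[int, str]]:
    """Integrity baseline: length (as the first-generation scanner kept) and
    SHA-256 of each known-good binary or configuration file."""
    return {p: (len(c), hashlib.sha256(c).hexdigest()) for p, c in files.items()}


def integrity_check(base: Dict[str, Tuple[int, str]],
                    current: Dict[str, bytes]) -> Dict[str, str]:
    """Report files that are modified, missing or new relative to the baseline."""
    report: Dict[str, str] = {}
    for path, (length, digest) in base.items():
        if path not in current:
            report[path] = "missing"
        elif (len(current[path]), hashlib.sha256(current[path]).hexdigest()) != (length, digest):
            report[path] = "modified"
    for path in current:
        if path not in base:
            report[path] = "new"
    return report


# Constructed samples: a clean binary and two infected copies of it.
CLEAN = b"MZ\x90\x00 legitimate program code, nothing to see here \x00\x00"
INFECTED_PLAIN = CLEAN + b"DROP-DEMO-PAYLOAD"
INFECTED_XOR = CLEAN + xor_bytes(b"DROP-DEMO-PAYLOAD", 0x5A)   # body hidden under XOR 0x5A

if __name__ == "__main__":
    print("plain signature scan, plain sample:", scan_signatures(INFECTED_PLAIN))
    print("plain signature scan, XOR sample:  ", scan_signatures(INFECTED_XOR))
    print("deciphering scan, XOR sample:      ", scan_deciphering(INFECTED_XOR))
    base = baseline({"/bin/login": CLEAN, "/etc/app.conf": b"mode=safe\n"})
    now = {"/bin/login": INFECTED_PLAIN, "/tmp/.x": b"?"}
    print("integrity report:", integrity_check(base, now))
```

The integrity check is the one of the three that needs no knowledge of the malware, which is why the CHECKSUM slide closes with the remark that "goodware" may one day be the smaller set to enumerate; its weakness is that the baseline must be taken before infection and stored where the malware cannot rewrite it.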
  • 24. MALWARE IN MOBILE PHONES
    • Mobile phones are computers with great connectivity
      • Internet
      • WLAN
      • Bluetooth
      • Regular phone network (SMS, MMS)
      • RFID
    MALWARE DEFENSE
    Antivirus approaches: (1) Detection, (2) Identification, (3) Removal
    As the virus arms race has evolved, antivirus software has grown more complex. Two sophisticated approaches are Generic Decryption and the Digital Immune System.
    Generic Decryption (GD)
    Contains three essential parts:
    • CPU emulator – instructions in an executable file are interpreted by the emulator rather than the processor, in a controlled environment. If the code includes a decryption routine, it is also interpreted and the virus is exposed: the virus itself does the decryption for the antivirus program (GD)
    • Virus signature scanner – scans the target code looking for known virus signatures
    • Emulation control module – controls the execution of the target code. Periodically, it interrupts the interpretation to scan the target code for virus signatures
  • 25. DIGITAL IMMUNE SYSTEM
    • Developed by IBM (refined by Symantec) – a general purpose emulation and virus detection system
    • Motivation: rising threat of Internet-based virus propagation
      • Integrated mail systems (e.g. MS Outlook, Lotus Notes)
      • Mobile-program systems (e.g. Java and ActiveX allow programs to move on their own)
    1. Each PC runs a monitoring program to detect unusual behavior
    2. Encrypt the sample and forward it to the VAM
    3. Analyze the sample in a safe environment via emulation
    4. A prescription is sent back to the Adm. Machine
    5.-6. Forwarded to the infected client as well as the other PCs on the same network
    7. All subscribers receive regular antivirus updates
    COUNTERMEASURES
    • An Intrusion Detection System (IDS) is a security service that monitors and analyzes system events to detect unauthorized access
    • Intrusion detection systems (IDSs) can be classified as:
      • Host-based IDS
        • Monitors the characteristics of a single host and the events occurring within that host for suspicious activity
      • Network-based IDS
        • Monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity
  • 26. INTRUSION DETECTION
    • Assumption: the behavior of the intruder differs from that of the legitimate user.
    • But there is overlap. A loose interpretation of "intruder" may lead to false positives; on the other hand, a tight interpretation may lead to false negatives (risky!)
    IDS COMPONENTS
    • Sensors
      • Responsible for collecting data
      • The input for a sensor may be any part of a system that could contain evidence of an intrusion
      • Types of input to a sensor include network packets, log files, and system call traces
    • Analyzers
      • Receive input from one or more sensors or from other analyzers
      • Responsible for determining if an intrusion has occurred
      • May provide guidance about what actions to take as a result of the intrusion
    • User interface
      • Enables a user to view output from the system or to control the behavior of the system
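The HEURISTICS slide lists behaviors worth scoring (network access, file open, file delete, boot sector modification), the COUNTERMEASURES slide introduces the host-based IDS, and this slide separates sensors from analyzers and warns that a loose threshold produces false positives while a tight one produces false negatives. The block below is an added example, not the presenter’s code, that ties those three together: a constructed system-call trace stands in for the sensor, the analyzer sums per-process heuristic weights, and a threshold sweep over labelled processes shows the trade-off. The weights, the trace and the ground-truth labels are all assumed values chosen for illustration.

```python
"""Host-based behavioural analyzer with a threshold sweep (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Heuristic weights: assumed values, chosen for illustration only.
WEIGHTS = {
    "network_connect": 1,
    "file_open": 0,          # too common on its own to count
    "file_delete": 2,
    "boot_sector_write": 5,  # almost never legitimate
}


@dataclass
class Event:
    pid: int
    action: str
    target: str


# Constructed sensor output: what a system-call trace might report.
TRACE: List[Event] = [
    Event(101, "file_open", "/etc/hosts"),
    Event(101, "network_connect", "203.0.113.10:443"),
    Event(202, "file_open", "/home/u/report.doc"),
    Event(202, "file_delete", "/home/u/report.doc"),
    Event(202, "file_delete", "/home/u/notes.txt"),
    Event(303, "file_open", "/dev/sda"),
    Event(303, "boot_sector_write", "/dev/sda"),
    Event(303, "network_connect", "198.51.100.7:6667"),
]
# Constructed ground truth: 101 is a browser, 202 a cleanup script, 303 the malware.
LABELS: Dict[int, bool] = {101: False, 202: False, 303: True}


def analyze(events: List[Event]) -> Dict[int, int]:
    """Analyzer: sum the heuristic weight of every action each process performed."""
    scores: Dict[int, int] = {}
    for ev in events:
        scores[ev.pid] = scores.get(ev.pid, 0) + WEIGHTS.get(ev.action, 0)
    return scores


def classify(scores: Dict[int, int], threshold: int) -> Dict[int, bool]:
    """A process is flagged when its score reaches the threshold."""
    return {pid: score >= threshold for pid, score in scores.items()}


def error_rates(scores: Dict[int, int], labels: Dict[int, bool],
                threshold: int) -> Tuple[int, int]:
    """Return (false positives, false negatives) at the given threshold."""
    verdicts = classify(scores, threshold)
    fp = sum(1 for pid, flagged in verdicts.items() if flagged and not labels[pid])
    fn = sum(1 for pid, flagged in verdicts.items() if not flagged and labels[pid])
    return fp, fn


def sweep(scores: Dict[int, int], labels: Dict[int, bool],
          thresholds: List[int]) -> Dict[int, Tuple[int, int]]:
    """Error rates for each candidate threshold: the loose/tight trade-off."""
    return {t: error_rates(scores, labels, t) for t in thresholds}


if __name__ == "__main__":
    scores = analyze(TRACE)
    print("scores:", scores)
    for t, (fp, fn) in sweep(scores, LABELS, [1, 3, 5, 7]).items():
        print(f"threshold {t}: false positives={fp} false negatives={fn}")
```

On this trace a threshold of 1 flags everything that touched the network (two false positives), a threshold of 7 flags nothing (one false negative, the boot-sector writer), and only the band in between separates the three processes; in practice the band is narrower and the weights have to be tuned against real baselines of legitimate activity.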
  • 27. NIST VULNERABILITY CHECKLISTS
    • https://nvd.nist.gov/ncp/repository
      • By tier
      • By type
      • By target product
      • By category
      • By authority
    NIST PUBLICATIONS
    • NIST Checklist Publication (Revised Special Publication 800-70)
    • NIST IR – National Security Automation Program
    • NIST IR 7275 – XCCDF version 1.1.2 (Draft Posted)
  • 28. POLLING QUESTION
    SECURITY CONTENT AUTOMATION PROTOCOL (SCAP)
    • Enables standardized and automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA and DoD 8500.2/8510 compliance)
    • Enumeration of vulnerabilities, misconfigurations, platforms, and impact
    • Machine-readable security configuration checklists
  • 29. SCAP COMPONENTS
    • Six open XML standards:
      • Common Vulnerabilities and Exposures (CVE)
        • Dictionary of security-related software flaws
      • Common Configuration Enumeration (CCE)
        • Dictionary of software misconfigurations
      • Common Platform Enumeration (CPE)
        • Standard nomenclature and dictionary for product naming
      • eXtensible Checklist Configuration Description Format (XCCDF)
        • Standard XML for specifying checklists
      • Open Vulnerability Assessment Language (OVAL)
        • Standard XML for checking machine state
      • Common Vulnerability Scoring System (CVSS)
        • Standard for scoring the impact of vulnerabilities
    SCAP COMPLIANCE PROGRAM
    • Ensuring security tools
      • comply with the NIST Security Content Automation Protocol (SCAP)
      • enable agencies to continuously monitor systems against OMB-mandated configuration settings (results mapped to FISMA)
    • Supports multiple initiatives:
      • OMB FDCC Secure Configuration Effort
      • NIST FISMA Implementation Phase II (also applies to NIST HIPAA work)
      • Information Security Automation Program (ISAP): OSD, DISA, NSA, DHS, NIST
      • OSD Computer Network Defense Pilot
      • NIST Checklist Program
      • NIST National Vulnerability Database
  • 30. SCAP AND FISMA
    • SCAP checklists have NIST 800-53 mappings for the recommended configuration settings
    • SCAP-compliant tools report on the compliance of the setting to FDCC and to the corresponding 800-53 technical control(s)
    • The report provides an evidence chain for due diligence.
    POLLING QUESTION
  • 31. CYBERSECURITY WEBINAR SERIES
    • May 3 - Boundary Defense Mechanisms
    • May 24 - Controlling Ports and Network Devices
    • June 21 - Application Security
    • July 12 - SIEM Log Analysis
    • August 2 - Administrative Control Breaches
    • Sept 14 - Vulnerability Assessment
    • Sept 27 - Advanced Persistent Threats and Targeted Cyber Attacks
    AUDITNET® AND CRISK ACADEMY
    • If you would like forever access to this webinar recording
    • If you are watching the recording, and would like to obtain CPE credit for this webinar
    • Previous AuditNet® webinars are also available on-demand for CPE credit
    http://criskacademy.com
    http://ondemand.criskacademy.com
    Use coupon code 50OFF for a discount on this webinar for one week