Google-fu? I need help with research -o-

Started by Izu, January 10, 2012, 09:00:48 AM


Izu

I need your help again. I think that either my google-fu is dead or I am just not using the right terms in English while searching.

I need to find information about how to secure a computer/network from Crimeware. I need to find information about:
- proactive defense - securing it before it gets infected, preventing it from getting infected
- active defense - how to secure it, save it, what to do if it's already infected
- postactive defense - what to do afterwards to make sure it won't get infected again.

Help.. pls... I need a paragraph or two for each of these -__- but my mind is just refusing to cooperate with me and my research ;.;

ONs and OFFs || M/M Search || Izu's A&A
...Like reflections on the page, the world's what you create...

jouzinka

Story status: Not Available
Life Status: Just keep swimming...
Working on: N/A

Izu

I don't think so... I need to find more of 'What-to-do' before, during and after infection, and this looks more like the history of the term?


jouzinka

Aha, I see. I thought it was supposed to be an essay or something. :-[ Will read better the next time.

Sorry I couldn't help. :-(

Izu

No... it's a paper... -sighs and hugs- thanks for trying...


jouzinka

*hugs* I'm sure you'll beat it anyway, Izu, t'will just take time. *more hugs*

Vandren

Quote from: jouzinka on January 10, 2012, 09:09:37 AM
Aha, I see. I thought it was supposed to be an essay or something. :-[ Will read better the next time.

Probably shouldn't be using Wikipedia for an essay anyway.  :)

I assume you've tried your school library catalog and chatted with the reference librarians?
"Life is growth.  If we stop growing, technically and spiritually, we are as good as dead." -Morihei Ueshiba, O-Sensei

Izu

We can use wiki -.- And there is no material in the library.


Vandren


Izu

*nods* Those are the books that I've been using so far for my paper. But they are not really talking all that much about the actual defense... or maybe when I was reading it my mind had already gone poof and I didn't really understand anything... -English is not my native- I'll re-read it tomorrow again, but if you or anyone else finds anything else about those things... please let me know.

And thanks...


Vekseid

Quote from: Izu on January 10, 2012, 09:00:48 AM
I need your help again. I think that either my google-fu is dead or I am just not using the right terms in English while searching.

I need to find information about how to secure a computer/network from Crimeware. I need to find information about:
- proactive defense - securing it before it gets infected, preventing it from getting infected

The basic concept in proactive defense is to reduce points of entry, and to provide additional defenses to those points that must remain open.

So this has to do with disabling various unnecessary programs that are installed (unused libraries can also be a possible point of entry, though this is a rather rare vector lately), making sure that additional programs can't be run without permission, and ideally, to have a good understanding of what programs do get run on the machine.

This is also where the firewall is placed, both to prevent against incoming attacks, and to prevent a program that would have otherwise compromised the machine from being able to communicate back to an attacker.

Once the points of possible entry have been reduced to a known list (e.g. your web browser), you can focus on securing those points of entry, things like Noscript for Firefox, making sure plugins like Java and flash are up to date, code-auditing general server code, etc.

It can also involve replacing 'typical' programs with more secure variants, like replacing Adobe's pdf reader with Sumatra PDF or similar.

So, on Elliquiy's server, I have a full understanding of every running service that provides 'points of entry':
- sshd (SSH)
- Dovecot (IMAP)
- Postfix (SMTP)
- nginx (HTTP)
- MySQL (only connected to the slave server)
- Scripting processes (PHP mostly, have some Python and Ruby at various points, though).

A custom IPTables script works as my firewall, which prevents connections to unauthorized ports, has some fun with scan attempts (random drops, tarpitting and rejecting, etc), and secures the ports used by the above against abuse.

Because scripting processes are themselves points of entry, I also make sure that the users they run under are also similarly restricted. The /home, /var, /var/tmp, /data, /tmp, and /staff directories are all mounted nosuid, nodev, preventing them from exploiting setuid or device exploits. I have a tiny whitelist of programs that are allowed setuid root, the others get setuid turned off.

Similarly, on my Windows machines, I go through the Add/Remove Programs/Programs and Features to get rid of anything I don't need. Then anything that I need that autostarts at startup, I keep from autostarting unless it has to. I also disable extraneous services (this is less necessary in Windows 7 than it was previously, but pre-loaded bloatware is a common terror of the home user purchase). When securing a customer's machine, I usually try to train them on Flashblock and similar features, though it doesn't always work.

Virus protection is more useful on Windows than it is on Linux, but even on Windows, a good, up to date antivirus will only catch new malware about half the time (based on retrospective testing). This means that your best defense is really about having behavior that doesn't let you get infected. It also means that people who abandon their antivirus of choice just because 'it failed them' are probably going to repeat that betrayal until they learn.

Another aspect of proactive defense is being aware of spearphishing and other social engineering techniques.

Quote
- active defense - how to secure it, save it, what to do if it's already infected

Well to me 'active defense' involves monitoring and logging. For Elliquiy's server I run logcheck and Tiger to check for suspicious changes (though they pump out lots of dirty data) and ninja to autokill unauthorized processes that have somehow escalated to root. I get mailed when the user that can su to root logs in, and again on root logins. But almost all of these are various monitoring situations - learning what is going on as fast as possible.

'Reactive defense' usually involves an assessment of the sort of threat I'm facing. With 'nuke and pave' becoming more common, a lot of malware authors have given up and are just letting their malware get uninstalled normally.

Others take to ground in the system, and get more and more clever about hiding themselves. The result is 'nuke and pave':
- Disconnect the hard drive
- Make sure whatever you're plugging it into doesn't autorun
- Plug it into another machine
- Back up what you need to
- Erase the infected drive's MBR
- Format infected drive
- Reinstall.

Sometimes I can get away with utilities like Combofix, but I never do this on any system where I can't be sure I know the threat has been eliminated.

Quote
- postactive defense - what to do afterwards to make sure it won't get infected again.

If this happened to -me- (and it hasn't for roughly a decade and a half at this point), I'd evaluate where I fucked up, and take measures to ensure it didn't happen again.

Usually, I perform the basic security steps on the client's computer then consult with them about 'good Internet practices'. Unfortunately, these change.

Hopefully that helps provide a starting point for additional terms to look for.
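As an added example (not code from the thread or from Elliquiy's server), a POSIX sh audit of two of the controls Vekseid describes: the nosuid,nodev mounts on the listed directories and a whitelist of setuid-root programs. The mount table, the setuid list and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: audits the nosuid,nodev mounts and
# the setuid-root whitelist described above. Function names and sample data
# are constructed for this example.
# Directories the post says are mounted nosuid,nodev.
HARDENED_DIRS="/home /var /var/tmp /data /tmp /staff"

# Reads /proc/mounts-style lines on stdin ("dev mountpoint fstype opts dump pass")
# and prints each hardened directory mounted without BOTH nosuid and nodev,
# or not a separate mount at all (a shared root mount cannot carry the options).
check_mount_opts() {
    mounts=$(cat)
    for d in $HARDENED_DIRS; do
        opts=$(printf '%s\n' "$mounts" | awk -v mp="$d" '$2 == mp { print $4; exit }')
        case ",$opts," in
            *,nosuid,*) case ",$opts," in *,nodev,*) continue ;; esac ;;
        esac
        printf '%s missing nosuid/nodev (opts: %s)\n' "$d" "${opts:-not a mount}"
    done
}

# Reads one setuid-root path per line on stdin (what `find / -perm -4000 -user root`
# would return) and prints every path that is not on the whitelist.
check_setuid_whitelist() {
    whitelist="$1"
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        case " $whitelist " in
            *" $path "*) ;;
            *) printf '%s\n' "$path" ;;
        esac
    done
}

# Constructed sample data: /var/tmp is only nosuid, /data is not a separate mount.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda3 /var ext4 rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda4 /var/tmp ext4 rw,nosuid 0 0
/dev/sda5 /staff ext4 rw,nodev,nosuid 0 0'

SAMPLE_SETUID='/usr/bin/sudo
/usr/bin/passwd
/usr/bin/su
/home/web/.cache/helper'
SETUID_WHITELIST="/usr/bin/sudo /usr/bin/passwd /usr/bin/su"

printf '%s\n' "$SAMPLE_MOUNTS" | check_mount_opts
printf '%s\n' "$SAMPLE_SETUID" | check_setuid_whitelist "$SETUID_WHITELIST"
```

On a real host, feed `cat /proc/mounts` and the output of the `find` command mentioned in the comment into the two functions instead of the sample data.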

Izu



Vekseid

Oh, another thing that could be meant by 'postactive' is damage recovery strategies, some of which require active preparation:
- Making and restoring from backups
- Having a legal team
- etc.

Izu

Thank you, Veks. I think this will be enough. I will take a look into the things you've pointed out, search them and maybe add a lil more info about those things, but as a whole it should be alright.
