Security Breaches occur when patches, updates, untrained personnel, misconfiguration of servers and other issues occur. To protect your network, you should look at these top ten vulnerabilities and think outside of the box to protect your network.

Top Reasons for IT Security Breaches

It is almost impossible to find the top ten reasons why security breaches occur on your network. This article contains not only the top ten but a few more critical areas to look at when securing your network. Here is a link to reported breaches of companies across the U.S.

When a security breach occurs, there is generally a simple reason why this has taken place. Information Technology Professionals should be trained on all aspects of security and should be certified in information technology security. Allowing untrained IT personnel to work with your network can cause your network to fail or allow malicious users to breach the network.

When new computers are deployed, connecting a computer to the internet before it is hardened with updates, patches, user configuration and its firewall can create an opening on your network. Because default installations of any operating system have vulnerabilities, hackers can exploit these computers or devices in minutes.

Every IT team should be trained and made aware of security exploits that are on the web. The IT team should communicate anytime Microsoft or related vendors issue warnings and updates. Being unaware of potential security problems can lead to a breach of your network.

Disaster Backup and Recovery plans need to be put in place and should be tested on a regular basis. How does this fall in the top ten? There have been many cases over the past year where IT personnel have misplaced, discarded or lost tape backups of critical data. Tapes should be stored securely both on and offsite.

One of the biggest to leave holes in your network is by deploying devices such as wireless access points that still have default username and passwords in place. When deploying any device, the default username and passwords should be changed to protect access to the device. Wireless should be hardened by using a Radius server and WPA Enterprise security. Leaving the default passwords on firewalls or other devices can leave a critical opening on your network.

How To Make a Security Breach Less Likely

Running a WSUS update server on your network is no guarantee that updates will be pushed out. Network and server personnel need to review the reports on the server and patch any holes on systems that have failed to get their updates. Automatic security doesn’t mean that all computers will be up to date and patched. An audit of all computers should be performed on a regular basis. Any system that fails to get updates should be patched immediately.

We often take passwords for granted. As we develop relationships with employees, the simple trust that we gain from these relationships should not apply to passwords. Passwords are critical to the survival of your data. You should develop a system of identifying personnel who call to have their passwords changed. Never respond to an email request and don’t give out passwords to unauthorized personnel.

A firewall is put in place to protect your network. If you fail to keep the firewall up to date with software, firmware and rules, you will create a security hole. Firewalls are one of the first lines of defense against any type of network breach. The dangers of not monitoring your firewall logs cannot be overemphasized.

Never use unencrypted protocols on you network to manage other devices. Simple scanning software can pick up plain text data and your passwords or data may be captured.

With viruses and malware changing everyday, you cannot place a computer on your network until is protected. Updates for antimalware and antivirus should be controlled at an enterprise level. These updates should be randomly checked to make sure your computers are protected.

Computers should be checked for unnecessary services such as telnetd or ftpd. Any service that can jeopardize your network should be stopped or removed from computers or disabled on any device that is on your network.

While these security issues are critical, training your personnel to look for these and any security issue such as computers not on a domain, simple file sharing, and temporary security fixes, failing to encrypt and protect data, failing to patch all software on computers and other common security issues are important issues to look for.

source: http://www.brighthub.com/computing/smb-security/articles/49647.aspx

Tweet this!

Sometimes referred to as a multipartite virus, the hybrid virus is one of the more difficult types of computer virus to bring under control. Essentially, the hybrid virus will combine elements of other virus programs in a new combination that will often slip past protections that would stop the original component viruses. Generally, a hybrid virus is capable of infecting both system sectors and program files, making it especially difficult to locate and remove from a system.

In many cases, the hybrid virus will include elements of both file infectors and boot infectors. The idea behind this approach is to launch a two-pronged attack on the system. As the multi-part virus enters the system, elements settle into program files, while at the same time identifying and infiltrating various sections of the operating system. This means that each time the executable file  imbedded with the hybrid virus runs, the result is an activation sequence that helps the virus to proliferate.

At the same time, the hybrid virus normally works into the section of the hard drive that controls the start up procedures for the computer. As with the infected program files, the virus is activated each time the system is booted up. Over time, this will damage the operation of the system, and possibly shut it down altogether.

The dual nature of the hybrid virus makes it extremely difficult to remove once it is in place. Unless all elements of the virus are removed, any remaining presence will quickly regenerate and re-infect the entire system. For this reason, special care should be taken to clean the system thoroughly, and making sure to conduct a virus check immediately after the cleaning takes place.

Of course, the best way to deal with a hybrid virus is to not become infected in the first place. One way to minimize the chances for infection is to be extremely careful about opening attachments that are of a suspicious nature. Care should also be taken to keep anti-virus software updated, and to not download programs from any online source that is not familiar and trusted.

source: http://www.wisegeek.com/what-is-a-hybrid-virus.htm

Tweet this!

A polymorphic virus is a computer virus which is capable of mutating itself when it replicates, making it more difficult to identify with ordinary antivirus software. To effectively find such viruses, antivirus software needs to have more complex algorithms available to help it identify distinctive patterns which can betray the presence of a virus even when the code behind the virus is not known to the software. Such software tends to be more expensive, reflecting the additional effort required during development and updates to make the software functional.

The first known polymorphic virus was developed in 1990, in the early days of the Internet, illustrating the fact that virus creators have always been ahead of the curve when it comes to developing malicious code. Polymorphic viruses operate with the assistance of an encryption engine which changes with each virus replication; this keeps the encrypted virus functional, while still hiding the polymorphic virus from the computer it infects and allowing the virus to slip through security systems which are designed to prevent malicious code from entering or exiting a network.

Essentially, the designers of polymorphic viruses have integrated a trait associated with viruses which infect humans into the design of their software, designed to infect computers. Human viruses are infamous for being able to mutate rapidly to avoid detection and prevent the buildup of immunities, and when a computer virus has a similar trait, the results can be unpleasant for computer users. It can be difficult to mount an adequate defense against a polymorphic virus, even with excellent antivirus software which has been designed to attempt to detect such viruses.

Polymorphic viruses can operate in different ways. Some mutate with each infection, making the virus extremely difficult to track. Others change with each generation. The speed of mutation is also highly variable. Some viruses mutate more slowly, which can make it easier to catch them, while others change very quickly. All of these variations, as a whole, make polymorphic viruses very diverse, which adds to the challenge of pinning them down.

Infection with a polymorphic computer virus can be a serious problem. While all computer viruses are designed to remain undetected for as long as possible, so that they can exact the maximum damage and increase their chances of infecting other computers, a polymorphic virus can linger undetected even on a system with antivirus software in place. People may also be lulled into thinking that their system is clean because they have such software and they update it regularly.

source: http://www.wisegeek.com/what-is-a-polymorphic-virus.htm

Tweet this!

Man in the browser attacks are designed to capture confidential information that can be utilized to the advantage of the entity that launched the attack. As part of the function, the man in the browser process begins with the establishment of the Trojan on the hard drive. The Trojan embeds in a file and is often hard to isolate. Once in place, the Trojan is in place, the virus launches a transparent overlay on the browser that is highly likely to be detected.

Unlike more traditional phishing methods that employ links in the body of emails to direct users to fake web sites and prompt them to enter secure data, the man in the browser simply captures data as the user enters it. The user is completely unaware of that the data is being hijacked, since he or she is interacting with a legitimate site. The man in the browser does not interfere with the transaction in any way at this point.

Once the data is captured, the entity that created and distributed the man in the browser attack receives the collection of security codes, credit card numbers, or bank account login information and can begin to use it for a wide range of purposes. The victim may not be aware of the problem until several credit cards have been used or the balance in the checking account begins ton dwindle unexpectedly.

Part of the frustration with a man in the browser attack is that the bug is very hard to detect and even harder to remove from the system. Unlike many other forms on intrusive viruses, a man in the browser invader operates between the browser security protocols and the input of the user. This means that standard security measures normally will not even reveal the presence of the man in the browser virus.

source: http://www.wisegeek.com/what-is-a-man-in-the-browser-attack.htm

Tweet this!

A boot sector virus is a computer virus which infects the boot sector on hard disks, floppy disks, and theoretically also other bootable media such as CD’s and DVD’s.

A boot sector virus does not need to be able to successfully boot the victims computer to infect it. Because of this, even non-bootable media can spread a boot sector virus.

Once the infected computer successfully boots, the boot sector virus stays in memory and infects floppies and other media when they are written to by the infected computer.

Boot sector viruses have become increasingly less common as floppy disks have become rarer.

source: http://www.topbits.com/boot-sector-virus.html

Tweet this!

A stealth virus is one that, while “active”, hides the modifications it
has made to files or boot records. This is usually achieved by
monitoring the system functions used to read files or sectors from
storage media and forging the results of calls to such functions. This
means programs that try to read infected files or sectors see the
original, uninfected form instead of the actual, infected form. Thus
the virus’s modifications may go undetected by antivirus programs.
However, in order to do this, the virus must be resident in memory when
the antivirus program is executed and *this* may be detected by an
antivirus program.

Example: The very first DOS virus, Brain, a boot-sector infector,monitors physical disk I/O and re-directs any attempt to read a Brain-infected boot sector to the disk area where the original boot sector is stored. The next viruses to use this technique were the file infectors Number of the Beast and Frodo (aka 4096, 4K).

Countermeasures: A “clean” system is needed so that no virus is present to distort the results of system status checks. Thus the system should be started from a trusted, clean, bootable discs before any virus-checking is attempted; this is “The Golden Rule of the Trade.”

source: http://stason.org/TULARC/security/computer-virus-l/14-What-is-a-stealth-virus-Computer-virus.html

Tweet this!

Spyware and viruses can interfere with your computer’s ability to process information or can modify or destroy data. You may feel that the more anti-virus and anti-spyware programs you install on your computer, the safer you will be. It is true that not all programs are equally effective, and they will not all detect the same malicious code. However, by installing multiple programs in an attempt to catch everything, you may introduce problems.

How can anti-virus or anti-spyware software cause problems?

It is important to use anti-virus and anti-spyware software. But too much or the wrong kind can affect the performance of your computer and the effectiveness of the software itself.

Scanning your computer for viruses and spyware uses some of the available memory on your computer. If you have multiple programs trying to scan at the same time, you may limit the amount of resources left to perform your tasks. Essentially, you have created a denial of service against yourself. It is also possible that in the process of scanning for viruses and spyware, anti-virus or anti-spyware software may misinterpret the virus definitions of other programs. Instead of recognizing them as definitions, the software may interpret the definitions as actual malicious code. Not only could this result in false positives for the presence of viruses or spyware, but the anti-virus or anti-spyware software may actually quarantine or delete the other software.
How can you avoid these problems?

* Investigate your options in advance – Research available anti-virus and anti-spyware software to determine the best choice for you. Consider the amount of malicious code the software recognizes, and try to find out how frequently the virus definitions are updated. Also check for known compatibility issues with other software you may be running on your computer.
* Limit the number of programs you install – Many vendors are now releasing packages that incorporate both anti-virus and anti-spyware capabilities together. However, if you decide to choose separate programs, you really only need one anti-virus program and one anti-spyware program. If you install more, you increase your risk for problems.
* Install the software in phases – Install the anti-virus software first and test it for a few days before installing anti-spyware software. If problems develop, you have a better chance at isolating the source and then determining if it is an issue with the software itself or with compatibility.
* Watch for problems – If your computer starts processing requests more slowly, you are seeing error messages when updating your virus definitions, your software does not seem to be recognizing malicious code, or other issues develop that cannot be easily explained, check your anti-virus and anti-spyware software.

source: http://www.bestsecuritytips.com/xfsection+article.articleid+113.htm

Tweet this!

Why can email attachments be dangerous?
Some of the characteristics that make email attachments convenient and popular are also the ones that make them a common tool for attackers: Email is easily circulated – Forwarding email is so simple that viruses can quickly infect many machines. Most viruses don’t even require users to forward the email—they scan a users’ computer for email addresses and automatically send the infected message to all of the addresses they find. Attackers take advantage of the reality that most users will automatically trust and open any message that comes from someone they know.

Email programs try to address all users’ needs – Almost any type of file can be attached to an email message, so attackers have more freedom with the types of viruses they can send.

Email programs offer many “user-friendly” features – Some email programs have the option to automatically download email attachments, which immediately exposes your computer to any viruses within the attachments.
What steps can you take to protect yourself and others in your address book?

Be wary of unsolicited attachments, even from people you know – Just because an email message looks like it came from your mom, grandma, or boss doesn’t mean that it did. Many viruses can “spoof” the return address, making it look like the message came from someone else. If you can, check with the person who supposedly sent the message to make sure it’s legitimate before opening any attachments. This includes email messages that appear to be from your ISP or software vendor and claim to include patches or anti-virus software. ISPs and software vendors do not send patches or software in email.

Save and scan any attachments before opening them – If you have to open an attachment before you can verify the source, take the following steps:

1. Be sure the signatures in your anti-virus software are up to date (see Understanding Anti-Virus Software for more    information)
2. Save the file to your computer or a disk
3. Manually scan the file using your anti-virus software
4. Open the file

Turn off the option to automatically download attachments – To simplify the process of reading email, many email programs offer the feature to automatically download attachments. Check your settings to see if your software offers the option, and make sure to disable it.

source: http://www.bestsecuritytips.com/xfsection+article.articleid+131.htm

Tweet this!

How can I disable the Administrative Share creation in Windows NT/2000/XP/2003?

Every Windows NT/W2K/XP/2003 machine automatically creates a share for each drive on the system. These shares are hidden, but available with full control to domain administrators. The drive letter, followed by the $ sign is the name, and it is shared from the root. When trying to attain a highly secure network, you may wish to address this potential security issue by disabling these shares, or at least restricting their permissions to specific users or services.

The default-hidden shares are:

* C$ D$ E$ – Root of each partition. For a Windows NT workstation/W2K/2003/XP Professional computer only members of the Administrators or Backup Operators group can connect to these shared folders. For a Windows NT Server/W2K Server computer, members of the Server Operators group can also connect to these shared folders.

* ADMIN$ – %SYSTEMROOT% This share is used by the system during any remote administration of a computer. The path of this resource is always the path to the W2K/NT system root (the directory in which W2K/NT is installed usually C:\Winnt and in XP it’s C:\Windows).

* FAX$ – On W2K Server, this used by fax clients in the process of sending a fax. The shared folder temporarily caches files and accesses cover pages stored on the server.

* IPC$ – Temporary connections between servers using named pipes essential for communication between programs. It is used during remote administration of a computer and when viewing a computer’s shared resources. This share can be very dangerous and can be used to extract large amounts of information about your network, even by an anonymous account.

* NetLogon – This share is used by the Net Logon service of a W2K, 2003 and NT Server computer while processing domain logon requests, and by Pre-W2K computers when running logon scripts.

* PRINT$ – %SYSTEMROOT%\SYSTEM32\SPOOL\DRIVERS Used during remote administration of printers.

It is possible to simply remove the share from Server Manager (in NT) or Shared Folders (in W2K/XP/2003) but the problem with this method is that the shares will automatically be recreated when the machine reboots.

You can disable the automatic administrative share creation via Group Policy, but this is a much simpler way:

In order to disable these shares permanently, a registry edit will be necessary.
Servers

For NT 4.0/W2K/Windows Server 2003s, the change is:

Hive: HKEY_LOCAL_MACHINE Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters Name: AutoShareServer Data Type: REG_DWORD Value: 0

Idiot proof note: If you can’t find the value in the registry under the exact location (i.e. it does not exist) – please right click in the right pane of the window and create it.

Note: A reboot is necessary for this to take effect.

Workstations

For NT 4.0 Workstation/W2K Pro/XP Pro, the change is:

Hive: HKEY_LOCAL_MACHINE Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters Name: AutoShareWks Data Type: REG_DWORD Value: 0

A double idiot proof note: If you can’t find the value in the registry under the exact location (i.e. it does not exist) – please right click in the right pane of the window and create it.

Note: Again, a reboot is necessary for this to take effect. If you want the administrative shares to be re-created, you can change the value back to 1.

Note: Some applications depend on the presence of these shares. If things stop working you’ll know to re-enable the shares.

Security note: Unfortunately this registry hack does NOT stop the IPC$ share and this is a share that is often used by hackers to enumerate systems before attack since it can yield a wealth of information about your system names, your user names, and more. If your ACL permissions are not correct or you haven’t disabled anonymous user access or you haven’t disabled the guest account then this port can lead to total system compromise within minutes!

source:
http://www.petri.co.il/disable_administrative_shares.htm

Tweet this!

Many folks setting up wireless home networks rush through the job to get their Internet connectivity working as quickly as possible. That’s totally understandable. It’s also quite risky as numerous security problems can result. Today’s Wi-Fi networking products don’t always help the situation as configuring their security features can be time-consuming and non-intuitive. The recommendations below summarize the steps you should take to improve the security of your home wireless network.

1. Change Default Administrator Passwords (and Usernames)

At the core of most Wi-Fi home networks is an access point or router. To set up these pieces of equipment, manufacturers provide Web pages that allow owners to enter their network address and account information. These Web tools are protected with a login screen (username and password) so that only the rightful owner can do this. However, for any given piece of equipment, the logins provided are simple and very well-known to hackers on the Internet. Change these settings immediately.

2. Turn on (Compatible) WPA / WEP Encryption

All Wi-Fi equipment supports some form of encryption. Encryption technology scrambles messages sent over wireless networks so that they cannot be easily read by humans. Several encryption technologies exist for Wi-Fi today. Naturally you will want to pick the strongest form of encryption that works with your wireless network. However, the way these technologies work, all Wi-Fi devices on your network must share the identical encryption settings. Therefore you may need to find a “lowest common demoninator” setting.

3. Change the Default SSID

Access points and routers all use a network name called the SSID. Manufacturers normally ship their products with the same SSID set. For example, the SSID for Linksys devices is normally “linksys.” True, knowing the SSID does not by itself allow your neighbors to break into your network, but it is a start. More importantly, when someone finds a default SSID, they see it is a poorly configured network and are much more likely to attack it. Change the default SSID immediately when configuring wireless security on your network.

4. Enable MAC Address Filtering

Each piece of Wi-Fi gear possesses a unique identifier called the physical address or MAC address. Access points and routers keep track of the MAC addresses of all devices that connect to them. Many such products offer the owner an option to key in the MAC addresses of their home equipment, that restricts the network to only allow connections from those devices. Do this, but also know that the feature is not so powerful as it may seem. Hackers and their software programs can fake MAC addresses easily.

5. Disable SSID Broadcast

In Wi-Fi networking, the wireless access point or router typically broadcasts the network name (SSID) over the air at regular intervals. This feature was designed for businesses and mobile hotspots where Wi-Fi clients may roam in and out of range. In the home, this roaming feature is unnecessary, and it increases the likelihood someone will try to log in to your home network. Fortunately, most Wi-Fi access points allow the SSID broadcast feature to be disabled by the network administrator.

6. Do Not Auto-Connect to Open Wi-Fi Networks

Connecting to an open Wi-Fi network such as a free wireless hotspot or your neighbor’s router exposes your computer to security risks. Although not normally enabled, most computers have a setting available allowing these connections to happen automatically without notifying you (the user). This setting should not be enabled except in temporary situations.

7. Assign Static IP Addresses to Devices

Most home networkers gravitate toward using dynamic IP addresses. DHCP technology is indeed easy to set up. Unfortunately, this convenience also works to the advantage of network attackers, who can easily obtain valid IP addresses from your network’s DHCP pool. Turn off DHCP on the router or access point, set a fixed IP address range instead, then configure each connected device to match. Use a private IP address range (like 10.0.0.x) to prevent computers from being directly reached from the Internet.

8. Enable Firewalls On Each Computer and the Router

Modern network routers contain built-in firewall capability, but the option also exists to disable them. Ensure that your router’s firewall is turned on. For extra protection, consider installing and running personal firewall software on each computer connected to the router.

9. Position the Router or Access Point Safely

Wi-Fi signals normally reach to the exterior of a home. A small amount of signal leakage outdoors is not a problem, but the further this signal reaches, the easier it is for others to detect and exploit. Wi-Fi signals often reach through neighboring homes and into streets, for example. When installing a wireless home network, the position of the access point or router determines its reach. Try to position these devices near the center of the home rather than near windows to minimize leakage.

10. Turn Off the Network During Extended Periods of Non-Use
The ultimate in wireless security measures, shutting down your network will most certainly prevent outside hackers from breaking in! While impractical to turn off and on the devices frequently, at least consider doing so during travel or extended periods offline. Computer disk drives have been known to suffer from power cycle wear-and-tear, but this is a secondary concern for broadband modems and routers.

If you own a wireless router but are only using it wired (Ethernet) connections, you can also sometimes turn off Wi-Fi on a broadband router without powering down the entire network.

source: http://compnetworking.about.com/od/wirelesssecurity/tp/wifisecurity.htm

Tweet this!