Sunday, July 20, 2014

Chapter 6: Incident Response

This chapter covers basic incident triage. It first defines an incident as it relates to computer and network security, and then describes in detail the proper and effective response to a security incident.

The course text defines an incident as "the occurrence of an event or series of events that threatens the security of a computer or computers.  It can occur when one user tries to connect to another user for the purpose of data and resource sharing, or when a hacker tries to gain undue advantage of resources of a computer over the Internet illegally.  It also includes system crashes, which may have been caused by virus attacks, or unauthorized use of another user's account."  The text goes on to mention that these events can also include external incidents such as fire, flood, electrical outages or excessive heat.

When responding to an incident, it is important to follow a minimal set of steps, which the text calls the incident response:

1 - Keep track of the events or activities that have occurred;
2 - Analyze what occurred in order to determine the extent of any possible damage;
3 - Determine the provenance of the issue (find out how it happened);
4 - Determine what steps should be taken in future to prevent similar attacks.

There are many common attack vectors; the text illustrates two of them, the Trojan attack and the boot sector virus attack.

Trojan attacks are often transmitted by opening an infected email attachment.  In the case of a Trojan attack, the text shows how to respond by editing the system registry so that the Trojan can no longer run: the executable file that contains the malware is removed, and then the registry entry that starts that file automatically (on Windows these autostart entries typically live under the Run and RunOnce keys) is deleted.
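As an added example (not from the course text or this post), here is that Run-key triage written as a PowerShell script for Windows 7. It follows the four response steps listed above: record the autostart keys before touching them, list what each entry launches, and only then remove the entry and quarantine the file rather than deleting it. The value name ExampleUpdater, the C:\IR evidence folder and the key chosen for the removal are assumptions for illustration.

```powershell
# Added example (not from the textbook or the post): triage of Trojan persistence in the
# Run/RunOnce keys. Assumes the analyst has already identified the suspicious value name
# and that the script runs from an elevated prompt (Windows 7 ships PowerShell 2.0).
# $SuspectValue, $Evidence and $Quarantine are illustrative names.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Step 1 of the chapter's response protocol: keep a record before changing anything.
$Evidence = "C:\IR\evidence_$(Get-Date -Format yyyyMMdd_HHmmss)"
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null
foreach ($Key in $RunKeys) {
    # reg.exe expects HKLM\..., not the PowerShell drive form HKLM:\...
    $RegPath = $Key -replace ':', ''
    $File = Join-Path $Evidence (($RegPath -replace '\\', '_') + '.reg')
    reg.exe export $RegPath $File /y | Out-Null
}

# Step 2: analyse. List every autostart entry together with the command it runs.
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    foreach ($P in $Props.PSObject.Properties) {
        # Skip the provider's own bookkeeping properties (PSPath, PSChildName, ...).
        if ($P.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
        "{0}  {1} = {2}" -f $Key, $P.Name, $P.Value
    }
}

# Step 3 (after the analyst has confirmed the entry is malicious): remove the autostart
# value, then move the binary it launched into quarantine so the sample stays available
# for analysis instead of being destroyed. Stop the process first (Stop-Process) if the
# file is still in use.
$SuspectKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$SuspectValue = 'ExampleUpdater'     # hypothetical value name found in the listing above
$Quarantine   = Join-Path $Evidence 'quarantine'
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null

$Entry = (Get-ItemProperty -Path $SuspectKey -Name $SuspectValue -ErrorAction SilentlyContinue).$SuspectValue
if ($Entry) {
    # The value is a command line; take its first token (quoted or bare) as the executable.
    $Exe = if ($Entry -match '^"([^"]+)"') { $Matches[1] } else { ($Entry -split ' ')[0] }
    Remove-ItemProperty -Path $SuspectKey -Name $SuspectValue
    if (Test-Path $Exe) { Move-Item -Path $Exe -Destination $Quarantine -Force }
    "Removed '$SuspectValue' from $SuspectKey; binary '$Exe' moved to $Quarantine"
}
```

The exported .reg files are the record the chapter's first step asks for; if the removal turns out to be a mistake, `reg.exe import` on the matching file restores the key exactly as it was.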

In the boot sector attack, the text names the FORMS virus, picked up by downloading files from a compromised access point.  The infection is dealt with by booting from a floppy containing a minimal, known-clean system image and then rebuilding the boot sector with the DOS FDISK command.  It's vital to remember that you must use the /mbr switch, which rewrites only the boot code of the master boot record (the partition table is left in place) and does not reformat the hard drive!  Note that a virus living in a partition's own boot sector rather than the MBR needs that boot sector rewritten instead (for example with the DOS SYS command).

The text does contain a procedural error: the reader is told to set the initial boot device to the hard drive in the system BIOS.  This will in fact cause the system to boot from the infected disk, even when a floppy disk (or, in the modern day, an optical or flash drive) containing an uninfected operating system is present.  The system BIOS needs to be set to try the floppy, optical or flash device before trying to boot from the infected hard drive.

While there are software programs that can automatically repair the damage done by these attacks, a professional needs to understand these manual methods in order to effect a repair.

The text goes on to describe an attack in which the home page settings in the user's web browser have been changed, and shows how to edit the registry to restore the correct setting for Internet Explorer: the Default_Page_URL value in the Internet Explorer key is deleted in the registry editor.  The point is made that the page Internet Explorer opens at startup can also be changed from inside the browser.

Although modern and arguably more popular browsers such as Google Chrome and Mozilla Firefox are not discussed, they can likewise be changed from inside the browser software.

The text continues by discussing how to back up, export and restore a corrupted system registry.  The ability to restore a previously made backup easily undoes the kind of virus attack that targets the registry.  The text, using the procedure from Windows XP, states that the registry is backed up via an applet available from the Accessories/System Tools menu.  While this may have been true for XP (my memory does not support this and I no longer have a copy of XP to check), it will not work in Windows 7.  In Windows 7 the registry is backed up and exported through REGEDIT (the command-line reg.exe tool can do the same).

In my opinion, the text wrongly conflates the exporting and importing of the system registry with the creation and restoring of a system restore point.  In Windows 7, a restore point is created by clicking the Start button, right-clicking Computer, selecting Properties and then opening the System Protection applet.  Existing restore points can be reapplied using the System Restore applet on the Accessories/System Tools menu, as stated in the text.
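To make the distinction concrete, here is an added PowerShell example (not from the course text or this post) that takes both kinds of safety net before the Internet Explorer home page repair described above: a .reg export of only the key being edited, which is restored with `reg import`, and a System Restore point, which is restored through the System Restore applet. It assumes the hijacked values live under HKCU\Software\Microsoft\Internet Explorer\Main (that is where Default_Page_URL and Start Page actually sit), that about:blank is the wanted home page, and that C:\IR is the evidence folder; all three are assumptions for illustration.

```powershell
# Added example (not from the textbook or the post). Two different safety nets before a
# registry repair, illustrated on the IE home page hijack from the chapter.
# Assumptions: the key path below, the "clean" URL, and the C:\IR backup folder.

$IEMain   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$Backup   = "C:\IR\ie_main_$(Get-Date -Format yyyyMMdd_HHmmss).reg"
$CleanURL = 'about:blank'     # assumed organisational default

New-Item -ItemType Directory -Path (Split-Path $Backup) -Force | Out-Null

# 1. Export only the key about to be changed. reg.exe uses HKCU\..., not HKCU:\...
reg.exe export 'HKCU\Software\Microsoft\Internet Explorer\Main' $Backup /y | Out-Null

# 2. Separately, create a restore point (whole-system snapshot; needs an elevated prompt).
Checkpoint-Computer -Description 'Before IE home page repair' -RestorePointType MODIFY_SETTINGS

# 3. Inspect the values a home page hijack touches. Start Page is the URL IE actually
#    opens at start-up; Default_Page_URL is what "Use default" falls back to.
#    A hijacker usually sets both, so fixing only one leaves the attacker a way back.
$Before = Get-ItemProperty -Path $IEMain
'Start Page       : ' + $Before.'Start Page'
'Default_Page_URL : ' + $Before.Default_Page_URL

# 4. Repair: point Start Page at the known-good URL and delete Default_Page_URL as the
#    chapter describes (IE then uses its built-in default for "Use default").
Set-ItemProperty -Path $IEMain -Name 'Start Page' -Value $CleanURL
Remove-ItemProperty -Path $IEMain -Name 'Default_Page_URL' -ErrorAction SilentlyContinue

# 5. Roll back just this key if the repair was wrong:   reg.exe import $Backup
#    A restore point would instead be applied from Accessories\System Tools\System Restore
#    and would revert far more than this one key.
```

The .reg export is the precise tool for undoing one edit; the restore point is the coarse one. The chapter's procedures are easier to follow once the two are kept apart.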

The chapter concludes with the example of an incident in which a compact disc is inserted into a machine and the optical disc runs automatically, installing a virus through its autorun.inf file.  While the text describes how to change the system registry so that the AUTORUN feature in Windows XP no longer runs automatically, it does not address recovering from possible damage that might be caused by such a virus.

In Windows 7, things get a little more confusing with the introduction of the AutoPlay feature alongside AutoRun.

Microsoft's website says that:  "AutoPlay is a Windows feature that lets you choose which program to use to start different kinds of media, such as music CDs, or CDs or DVDs containing photos. For example, the first time you try to play a music CD, AutoPlay asks which media player you want to use, if you have more than one installed on your computer. You can change AutoPlay settings for each media type.

"Autorun is a technology used to start some programs or enhanced content (such as video content on a music CD) automatically when you insert a CD or another media type into your computer. This is different from AutoPlay, but the result is often the same: when inserted, the CD starts automatically, using a particular program. Autorun is incorporated into the media types that use it, and you can't modify it.

Autoplay and Autorun are two different features of Windows. Disabling Autoplay from Control Panel and making changes in the system registry to set NoDriveTypeAutoRun key to FF does not change the Autorun behavior.

When you try to play a CD or another media type that uses autorun, AutoPlay asks you to choose an action to perform (for example, to play the autorun content or to skip it)."

If Windows performs any task automatically when you connect an external device, then AutoPlay is enabled.

AutoPlay in Windows 7 can be disabled by clicking the Start button, typing "gpedit.msc" into the search box, and clicking the result to open the Local Group Policy Editor.

Expand Administrative Templates / Windows Components / AutoPlay Policies in that order, then double-click "Turn off AutoPlay".  Select Enabled, choose All drives so that the policy applies to every drive, and click OK.

After restarting your computer, AutoPlay is disabled in Windows 7.  Note that Windows 7 already ignores autorun.inf on non-optical removable media such as USB flash drives; the policy extends this to CDs and DVDs and to the AutoPlay prompt itself.
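As an added example (not from the course text, this post, or Microsoft's documentation), the PowerShell script below does what the "Turn off AutoPlay" policy does under the hood and lets you verify it: the policy stores a drive-type bitmask in the NoDriveTypeAutoRun value under Policies\Explorer, where each set bit disables AutoPlay for one class of drive (0xFF is "All drives", 0xB5 is "CD-ROM and removable media drives"). The script decodes whatever mask is currently in force before applying the machine-wide one; the bit-to-drive-type table follows the Windows GetDriveType() classes.

```powershell
# Added example (not from the textbook, the post, or Microsoft): set and verify the
# NoDriveTypeAutoRun policy value directly, and decode the bitmask so the effect of any
# existing value is visible. Run from an elevated prompt to write the HKLM policy.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$UserKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AllDrives = 0xFF        # what gpedit writes for "All drives"; 0xB5 = CD-ROM and removable

# Bit meanings follow the GetDriveType() drive classes.
$DriveBits = @{
    0x01 = 'unknown';  0x02 = 'no root directory'; 0x04 = 'removable';
    0x08 = 'fixed';    0x10 = 'network';           0x20 = 'CD-ROM';
    0x40 = 'RAM disk'; 0x80 = 'unspecified'
}

function Show-AutoRunMask {
    param([string]$Key)
    $Value = (Get-ItemProperty -Path $Key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($Value -eq $null) { "$Key : NoDriveTypeAutoRun not set"; return }
    $Disabled = $DriveBits.Keys | Sort-Object |
        Where-Object { $Value -band $_ } |
        ForEach-Object { $DriveBits[$_] }
    "{0} : 0x{1:X2} disables AutoPlay for: {2}" -f $Key, $Value, ($Disabled -join ', ')
}

# Before: Windows 7's per-user default (0x91) leaves removable and CD-ROM AutoPlay on.
Show-AutoRunMask $UserKey
Show-AutoRunMask $PolicyKey

# Apply the machine-wide policy; an HKLM policy value takes precedence over HKCU.
if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
Set-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -Value $AllDrives -Type DWord

# After: Explorer reads this value at logon, so log off or restart before relying on it.
Show-AutoRunMask $PolicyKey
```

Reading the mask back is the check worth keeping: a value of 0x91 or 0xB5 left in place by an earlier administrator looks like "AutoPlay is off" in the policy editor's summary but still leaves a class of drive enabled.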

This chapter was another lesson that was well explained, but hampered by procedural errors and illustrated on an out-of-date operating system.
