
Backups: An Important Part of Data Security


By Chuck Connell

Backups. This topic may seem boring, or obvious, but it is amazing how often I run into IT managers who aren't doing it right. Imagine that someone hacks into your computer system and deletes a very large number of files, with no way to recover the files later. You would certainly consider this a major security failure. Yet a disk crash, without proper backups, is the same thing.

There are four important elements to any good backup plan:

1) Perform incremental backups often, with full backups less often. This is standard procedure for most backup software, but is worth stating anyway. There is little reason to back up every file every night, since only a small percentage of files change each day. On the other hand, it is good to have a full backup every so often, since restoring files from incremental backups is a pain and can be prone to errors.

2) Use multiple sets of backup media. In other words, don't overwrite the same set of disks/tapes each night or each week. There are several reasons for this. Suppose that you have only one set of weekly backup media and keep reusing it. Now suppose that your backup process fails one week. You are completely vulnerable, since you have no full backup at all. Another reason is that a user may tell you on Thursday that they want to restore a file they had on Monday and Tuesday. If you have reused your daily media, you no longer have a backup of this file.

3) Take some backups off site and keep them for a long time. Backup media has become very cheap and compact. CD-Rs are now selling for about 30 cents each, and they are small when stacked together. You can store 70GB (100 CDs) in a stack about the size of two Big Macs. TR5 tapes are even smaller, although they cost more per gigabyte.

4) Test the backups! This is one of the biggest errors I see. Many IT managers feel secure in the belief that their staff is performing regular backups, only to be shocked when they actually try to use one of the backups and find that it does not work. There are many reasons that a backup may not have the files you think it does, including failure of the backup software, human error, and bad physical media. Every so often, delete a few unimportant files from your system. Then ask your IT staff to restore the files. You may be surprised what happens.

Putting all these pointers together yields a backup scheme that looks something like this… Create 20 sets of daily (incremental) backup media and four sets of weekly (full) backup media. Do an incremental backup each night Monday through Friday, and a full backup every weekend. Each set of media (daily and weekly) will be reused once per month. At the end of each month, take the latest full backup off site and keep it there for several years. Replace the full backup set with new media. Once per quarter, delete some files, and then attempt to restore them. Make sure some of the files were deleted just the day before, some the previous week, and some a month earlier. (This simulates what really happens when people ask to restore files.)
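The rotation above is easy to get subtly wrong (which set is overwritten when, and which dates are still recoverable), so here is a small simulation of it. This is added example code, not part of the original article; the set labels D01..D20 and W1..W4, the Monday epoch, and the choice of Saturday as the "weekend" full are assumptions made for illustration.

```python
from datetime import date, timedelta

CYCLE_WEEKS = 4  # every daily and weekly set is reused once per month (4 weeks)

def media_for(day, epoch):
    """Which media set the night of `day` writes to. `epoch` must be a Monday.
    Mon-Fri -> incremental onto one of the 20 daily sets (5 per week x 4 weeks);
    Saturday -> full backup onto one of the 4 weekly sets; Sunday -> no run."""
    week = (day - epoch).days // 7
    wd = day.weekday()                       # Monday = 0 ... Sunday = 6
    if wd < 5:
        return "incremental", f"D{(week % CYCLE_WEEKS) * 5 + wd + 1:02d}"
    if wd == 5:
        return "full", f"W{week % CYCLE_WEEKS + 1}"
    return None, None

def simulate(epoch, until):
    """Run the scheme day by day and return (onsite, offsite).
    onsite maps a set label to the date whose data it currently holds; writing
    a set again discards what was on it. offsite lists the month-end fulls
    that were shipped away and kept for years."""
    onsite, offsite = {}, []
    day = epoch
    while day <= until:
        kind, label = media_for(day, epoch)
        if kind:
            onsite[label] = day
        # Last Saturday of the month: take that full off site and put fresh
        # media in its slot, so the label holds nothing until it is next reused.
        if kind == "full" and (day + timedelta(days=7)).month != day.month:
            offsite.append((day, label))
            del onsite[label]
        day += timedelta(days=1)
    return onsite, offsite

def restore_points(onsite, offsite):
    """Every date for which some backup (on site or off site) still exists."""
    return sorted(set(onsite.values()) | {d for d, _ in offsite})

if __name__ == "__main__":
    # Constructed run: one calendar year starting Monday 2024-01-01.
    onsite, offsite = simulate(date(2024, 1, 1), date(2024, 12, 31))
    points = restore_points(onsite, offsite)
    # The author's restore drill: yesterday, last week, a month ago.
    for wanted in (date(2024, 12, 30), date(2024, 12, 24),
                   date(2024, 11, 30), date(2024, 11, 27)):
        status = "restorable" if wanted in points else "LOST (set overwritten)"
        print(wanted, status)
```

Running it shows the limit of the scheme: a weekday a month back is gone once its daily set has been reused, while the month-end full taken off site is still available, which is exactly the mix of ages the quarterly drill should exercise.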

Of course, other variations on these ideas also are valid. Small organizations with low computer usage might do incremental backups weekly and full backups monthly. Some organizations store every week's backup off site. Some use remote backup procedures so backup media is always off site.

The key is to define a backup scheme that makes sense for your organization, and then stick with it.


Antivirus updating - why it's more important than ever before

September 1, 2007

David Emm

Today's threats spread further and faster than ever before. In the good old days, viruses could only travel as fast or as far as a user's activity allowed them to. Boot sector viruses relied on the exchange of floppy disks in order to spread. Things changed significantly when macro viruses appeared in 1995, since they were able to piggyback on all emails sent by the infected user. Even macro viruses relied on unsuspecting users to exchange infected files. However, it took computer worms to truly change the virus landscape. And updating antivirus solutions became critical once worms came to stay.

Melissa, which appeared in March 1999, marked a quantum leap forward in terms of speed of infection. Unlike earlier macro viruses, which waited for the user to send the infected data, Melissa hijacked the email system to spread itself proactively. All that was required of the user was to double-click on the infected email attachment. After this, the virus harvested email addresses from the Outlook address book and sent itself directly to the contacts listed in it. This mass-mailer was able to spread further and faster than any previous macro virus. As a result, infected corporate email systems quickly became clogged with email and many simply crashed under the pressure.

It's hardly surprising that Melissa set a trend. Since March 1999, nearly all of the major viruses and worms to threaten corporate and home users have included mass-mailing capability. However, other developments have also combined to enable threats to spread more quickly.

In the first place, an increasing number of threats in recent years have made use of system exploits to enable them to get a foothold in the corporate network and spread more rapidly. Such attack methods were previously associated with the activities of hackers, rather than virus writers, so this marked a significant departure from the older generation of viruses. Previously, virus writers relied on their own code in order to spread and let the unsuspecting user do the rest. Increasingly, today's threats have woken up to the potential helping hand provided by vulnerabilities in common applications and operating systems. Interestingly, Melissa was the first threat to make use of an application vulnerability, tapping into the spreading capability offered by Microsoft Outlook.

However, it wasn't until 2001, with the appearance of CodeRed and Nimda, that this started to become a stock-in-trade of viruses and worms. CodeRed, which appeared in July 2001, was a 'fileless' worm. In a complete departure from existing virus practice, the worm existed only in memory and made no attempt to infect files on the victim machines. The worm used a Microsoft IIS server vulnerability (MS01-033, 'Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise') to attack Windows 2000 servers. It spread via TCP/IP transmissions on port 80, launching itself in memory via a buffer overflow and then sending itself in the same way to other vulnerable servers.

Nimda appeared shortly afterwards, in September 2001, and, unlike earlier mass-mailing threats, didn't rely on the user to click on an infected EXE file attached to an email message. Instead, it made use of an Internet Explorer vulnerability to launch itself automatically on vulnerable systems (MS01-020, 'Incorrect MIME header can cause Outlook to execute email attachment'). This was a six-month-old vulnerability, but a great many systems were still unpatched and vulnerable to attack, and the use of this vulnerability helped Nimda to infect systems all over the globe in the space of just a few hours.

The use of system exploits has now become commonplace. In fact, some threats have avoided the use of 'traditional' virus techniques altogether. Lovesan, Welchia and, more recently, Sasser are examples of Internet worms pure and simple. There's no mass-mailing, there's no requirement for a user to run an infected program. Instead, these threats spread directly across the Internet, from machine to machine, using various system vulnerabilities.

Others combine the use of system exploits with other infection methods. Nimda, for example, incorporated several attack mechanisms. As well as the mass-mailing aspect of the virus outlined above, Nimda also appended viral exploit code (in the form of infected Java code) to HTML files. If the infected machine were a server, a user became infected across the web when they accessed the infected pages. Nimda went even further in its efforts to spread across the corporate network by scanning the network for accessible resources and dropping copies of itself there, to be run by unsuspecting users. On infected machines, the virus also converted the local drive(s) to open shares, providing remote access to anyone with malicious intent. For good measure, Nimda also used the 'Web Folder Traversal' security breach in Microsoft IIS (Internet Information Server) to infect vulnerable servers by downloading a copy of itself from already infected machines on the network. Nimda's multi-faceted attack strategy, coupled with its use of system vulnerabilities, led many to refer to this as a 'blended attack'.

This trend has continued. Many of today's 'successful' threats (successful from the author's perspective, that is) make use of multiple attack mechanisms and use system vulnerabilities to bypass the user and launch code automatically, dramatically reducing the 'lead time' between the appearance of a new threat and it reaching epidemic proportions. There's no question that today's threats are faster than ever before. Where it used to take weeks, or even months, for a virus to achieve widespread circulation, today's threats can achieve worldwide distribution in hours - riding on the back of our business-critical email infrastructure and exploiting the increasing number of system vulnerabilities that give them a springboard into the corporate enterprise.

The number of new threats continues to grow steadily, with several hundred new threats appearing every day. As outlined above, many of today's threats are a composite 'bundle' containing different types of threat. Malicious code writers have at their disposal a wide-ranging malware 'menu'. Alongside the 'traditional' threat from viruses, there are now email and Internet worms, Trojans and various other types of threat. Often a virus or worm will drop a Trojan backdoor onto the infected system. This allows remote control of the machine by the author of the virus or worm, or by whoever has 'leased' the Trojan from them for spam propagation or other malicious purposes. Or the code may include a Trojan downloader, specifically designed to pull down malicious code from a remote site - perhaps an update to the virus or worm. Then again, it may include a Denial-of-Service (DoS) attack, designed to bring down a particular web site.

Antivirus products have become increasingly sophisticated over the years, to deal with the growing complexity of viruses, worms, Trojans and other malicious code. This includes proactive detection mechanisms designed to find new, unknown threats even before they first appear in the field. Nevertheless, regular updating of antivirus protection is more important than ever before, given the speed at which today's threats are able to spread. That's why antivirus vendors have sought to reduce the time interval between virus definition updates, from quarterly, to monthly, to weekly, and finally to daily updates. And Kaspersky Lab now provides updated virus definition files every hour on the hour.

WHAT IS SPYWARE ON YOUR PC?

Spyware is any software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes. Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet; however, it should be noted that the majority of shareware and freeware applications do not come with spyware. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else. Spyware can also gather information about e-mail addresses and even passwords and credit card numbers.

Spyware is similar to a Trojan horse in that users unwittingly install the product when they install something else. A common way to become a victim of spyware is to download certain peer-to-peer file swapping products that are available today.

Aside from the questions of ethics and privacy, spyware steals from the user by using the computer's memory resources and also by eating bandwidth as it sends information back to the spyware's home base via the user's Internet connection. Because spyware is using memory and system resources, the applications running in the background can lead to system crashes or general system instability.

Because spyware exists as an independent executable program, it has the ability to monitor keystrokes, scan files on the hard drive, snoop on other applications such as chat programs or word processors, install other spyware programs, read cookies, and change the default home page on the Web browser, consistently relaying this information back to the spyware author, who will either use it for advertising/marketing purposes or sell the information to another party.

Licensing agreements that accompany software downloads sometimes warn the user that a spyware program will be installed along with the requested software, but the licensing agreements may not always be read completely because the notice of a spyware installation is often couched in obtuse, hard-to-read legal disclaimers.