E-book, English, 656 pages, Web PDF
Harley: AVIEN Malware Defense Guide for the Enterprise
1st edition 2011
ISBN: 978-0-08-055866-0
Publisher: Elsevier Science & Techn.
Format: PDF
Copy protection: 1 - PDF Watermark
Members of AVIEN (the Anti-Virus Information Exchange Network) have been setting agendas in malware management for several years: they led the way on generic filtering at the gateway, and in the sharing of information about new threats at a speed that even anti-virus companies were hard-pressed to match. AVIEN members represent the best-protected large organizations in the world, and millions of users. When they talk, security vendors listen: so should you.
AVIEN's sister organization AVIEWS is an invaluable meeting ground between the security vendors and researchers who know most about malicious code and anti-malware technology, and the top security administrators of AVIEN who use those technologies in real life. This new book uniquely combines the knowledge of these two groups of experts. Anyone who is responsible for the security of business information systems should be aware of this major addition to security literature.
* “Customer Power” takes up the theme of the sometimes stormy relationship between the antivirus industry and its customers, and tries to dispel some common myths. It then considers the roles of the independent researcher, the vendor-employed specialist, and the corporate security specialist.
* “Stalkers on Your Desktop” considers the thorny issue of malware nomenclature and then takes a brief historical look at how we got here, before expanding on some of the malware-related problems we face today.
* “A Tangled Web” discusses threats and countermeasures in the context of the World Wide Web.
* “Big Bad Bots” tackles bots and botnets, arguably Public Cyber-Enemy Number One.
* “Crème de la CyberCrime” takes readers into the underworld of old-school virus writing, criminal business models, and predicting future malware hotspots.
* “Defense in Depth” takes a broad look at DiD in the enterprise, and looks at some specific tools and technologies.
* “Perilous Outsorcery” offers sound advice on how to avoid the perils and pitfalls of outsourcing, incorporating a few horrible examples of how not to do it.
* “Education in Education” offers some insights into user education from an educationalist's perspective, and looks at various aspects of security in schools and other educational establishments.
* “DIY Malware Analysis” is a hands-on, hands-dirty approach to security management, considering malware analysis and forensics techniques and tools.
* “Antivirus Evaluation & Testing” continues the D-I-Y theme, discussing at length some of the thorny issues around the evaluation and testing of antimalware software.
* “AVIEN & AVIEWS: the Future” looks at future developments in AVIEN and AVIEWS.
David Harley has been researching and writing about malicious software and other security issues since the end of the 1980s. From 2001 to 2006 he worked in the UK's National Health Service as a National Infrastructure Security Manager, where he specialized in the management of malicious software and all forms of email abuse, as well as running the Threat Assessment Centre, and has worked since as an independent author and consultant for Small Blue-Green World. He joined ESET's Research team in January 2008. He was co-author of Viruses Revealed (McGraw-Hill) and lead author and technical editor of The AVIEN Malware Defense Guide for the Enterprise (Syngress), as well as a contributor to Botnets: the Killer Web App (Syngress). He has contributed chapters to many other books on security and education for publishers such as Wiley, Pearson and Vieweg, as well as a multitude of specialist articles and conference papers. In his copious free time he is Chief Operations Officer for AVIEN (the Anti-Virus Information Exchange Network) and administers the MAC Virus web site.
Authors/Editors
Further information & material
1;Front Cover;1
2;AVIEN Malware Defense Guide for the Enterprise;4
3;Copyright Page;5
4;Lead Author and Technical Editor;6
5;Foreword Author;7
6;Contributors;8
7;Contents;16
8;Foreword;28
9;Preface;30
10;Introduction;34
11;Chapter 1: Customer Power and AV Wannabes;37
11.1;Introduction;38
11.2;History of AVIEN and AVIEWS;38
11.2.1;Background: So Who Is Robert Vibert?;38
11.2.2;AV Vendor/Researcher Lists and Groups;39
11.2.3;VB 2000: A Star is Born;40
11.2.3.1;Cocktails For Two — and More;41
11.2.3.2;After the Hangover;41
11.2.3.3;One Day at a Time;41
11.2.4;Oh No, The Users Are Ganging Up On Us!!!;42
11.2.4.1;The Objectives of AVIEN and AVIEWS;43
11.2.4.2;AVIEN Membership Benefits;43
11.2.4.3;Alerts and Advisories;43
11.2.4.4;Peer Discussions;44
11.2.4.5;AVIEN Projects;44
11.3;Anti-virus Vendor Image;45
11.3.1;AVIEN & AVIEWS: Independents and Vendors in Anti-Malware Research;45
11.3.2;Favorite Myths;48
11.3.2.1;“Anti-virus Only Catches Known Viruses”;49
11.3.2.2;“Vendors Protect Their Own Revenue Stream, Not Their Customers”;52
11.3.2.3;“Vendors Only Know About and Detect Viruses”;53
11.3.2.4;“They Write All the Viruses”;54
11.3.2.5;“Anti-virus Should Be a Free Service: After All, There Are Free Services That Do a Better Job”;54
11.4;AV Wannabe;55
11.5;So You Want to Be a Bona Fide Computer Anti-Malware Researcher?;55
11.5.1;In the Beginning...;56
11.5.2;Anti-virus Company Analysts;57
11.5.3;Independent Researchers;57
11.5.4;Technical and Psychological Analysts;57
11.5.5;Corporate Anti-virus Specialist;58
11.5.6;What is a Researcher?;58
11.5.7;Researcher Skill-Set;59
11.5.8;What Makes a Researcher?;59
11.5.9;In The End;60
11.6;You Should Be Certified;61
11.6.1;(ISC)2;61
11.6.1.1;SSCP;63
11.6.1.2;CISSP;64
11.6.1.3;CISSP Concentrations;64
11.6.2;SANS GIAC/GSM Certifications;66
11.6.2.1;Other Certifications and Qualifications;69
11.6.3;Vendor-Dependent Training;70
11.6.3.1;McAfee;70
11.6.3.2;Sophos;71
11.6.3.3;Symantec;73
11.6.4;Should There Be a Vendor-independent Malware Specialist Certification?;74
11.6.5;Levels of Certification and Associated Knowledge Bases;75
11.6.5.1;Certified Anti-Virus Administrator (CAVA);75
11.6.5.2;Certified Anti-virus Specialist (CAVS);75
11.6.5.3;Certified Enterprise Anti-virus Architect (CEAVA);76
11.6.5.4;Updating the Certifications;78
11.7;Summary;79
11.8;Solutions Fast Track;80
11.9;Frequently Asked Questions;83
12;Chapter 2: Stalkers on Your Desktop;87
12.1;Introduction;88
12.2;Malware Nomenclature;89
12.3;21st Century Paranoid Man;92
12.3.1;In The Beginning;92
12.4;The Current Threatscape;94
12.4.1;The Rise of Troy;95
12.4.2;Rootkits;96
12.4.2.1;Kernel Mode and User Mode;98
12.4.2.2;Persistency and Non-Persistency;98
12.4.2.3;Rootkit Detection;99
12.5;Words Can Hurt You;100
12.5.1;Spam, Spam, Spam;100
12.6;Fraudian Slips;102
12.6.1;Advance Fee Fraud (419s);102
12.6.2;Phishing Scams;103
12.6.3;Or Would You Rather Be a Mule?;106
12.6.4;Pump and Dump Scams;110
12.7;Hoaxes and Chain Letters;112
12.7.1;Why Do People Pass Hoaxes and Chain Letters On?;113
12.8;Summary;114
12.9;Solutions Fast Track;114
12.10;Frequently Asked Questions;117
13;Chapter 3: A Tangled Web;121
13.1;Introduction;122
13.2;Attacks on the Web;122
13.3;Hacking into Web Sites;124
13.4;Index Hijacking;126
13.5;DNS Poisoning (Pharming);131
13.6;Malware and the Web: What, Where, and How to Scan;136
13.6.1;What to Scan;136
13.6.2;Where to Scan;140
13.6.3;How to Scan;141
13.7;Parsing and Emulating HTML;143
13.8;Browser Vulnerabilities;146
13.9;Testing HTTP-scanning Solutions;148
13.10;Tangled Legal Web;149
13.11;Summary;151
13.12;Solutions Fast Track;151
13.13;Frequently Asked Questions;156
14;Chapter 4: Big Bad Botnets;159
14.1;Introduction;160
14.2;Bot Taxonomy;163
14.3;How Botnets are Used;171
14.3.1;DoS and DDoS Attacks;172
14.3.1.1;SYNs and Sensibility;173
14.3.1.2;UDP Flooding;174
14.3.1.3;ICMP Attacks;175
14.3.1.4;DNS Reflector Attacks;177
14.3.2;Managing DoS and DDoS Attacks;178
14.3.3;The Botnet as Spam Tool;178
14.3.4;Click Fraud;179
14.3.4.1;Click Fraud Detection;180
14.4;Bot Families;180
14.4.1;The Early Bot Catches the Worm;182
14.4.1.1;Pretty Park;182
14.4.1.2;SubSeven;183
14.4.1.3;GT Bot;183
14.4.1.4;TFN, Trinoo, and Stacheldraht;183
14.4.2;SDBot;186
14.4.2.1;Infection and Propagation;186
14.4.2.2;Rbot;188
14.4.2.3;Infection and Propagation;189
14.4.2.4;Known Vulnerability Exploits;191
14.4.2.5;Exploiting Malware Backdoors;192
14.4.2.6;Terminated Processes;193
14.4.3;Agobot (Gaobot) and Phatbot;194
14.4.3.1;Infection and Propagation;194
14.4.3.2;Terminated Processes;197
14.4.4;Spybot;198
14.4.4.1;Keystroke Logging and Data Capture;201
14.5;Mytob;201
14.6;Bot/Botnet Detection and Eradication;203
14.7;Summary;207
14.8;Solutions Fast Track;207
14.9;Frequently Asked Questions;212
15;Chapter 5: Crème de la Cybercrime;217
15.1;Introduction;218
15.2;Old School Virus Writing;218
15.2.1;Generic Virus Writers;219
15.3;The Black Economy;223
15.3.1;Spam;224
15.3.2;A Word about Dialers;227
15.3.3;Botnets for Fun and for Profit;228
15.4;“Wicked Rose” and the NCPH Hacking Group;229
15.4.1;Introduction to NCPH;229
15.4.2;Public Knowledge of a Zero-day Word Exploit;229
15.4.3;The GinWui Backdoor Rootkit Payload;230
15.4.4;June 21, 2006-2007 - Continued US Targeted Attacks;231
15.4.5;Backtracking Targeted Attacks: RipGof;232
15.4.6;Timeline of Events;233
15.4.7;Introduction to Wicked Rose and NCPH;234
15.5;How Did NCPH Begin?;236
15.5.1;WZT;239
15.5.2;The Jiangsu Connection?;239
15.5.3;The China Syndrome;239
15.6;Lurkers in Your Crystal Ball;241
15.6.1;Things That Will Not Change (Much);241
15.6.1.1;Social Engineering;241
15.6.1.2;Back in Fashion;243
15.6.2;Botnets;244
15.6.3;The Shape of Things to Come;244
15.6.3.1;Communication: A Common Problem;244
15.6.3.2;Automobiles;246
15.6.3.3;VoIP;247
15.6.3.4;RSS;248
15.6.3.5;Podcast;248
15.6.3.6;Home Media Systems;249
15.6.3.7;Cell Phones;250
15.6.3.8;Credit Cards;252
15.6.3.9;Operating Systems;253
15.7;Summary;254
15.8;Solutions Fast Track;254
15.9;Frequently Asked Questions;257
16;Chapter 6: Defense-in-depth;261
16.1;Introduction;262
16.2;Enterprise Defense-in-Depth;263
16.2.1;Getting to Know Your Network;265
16.2.2;Choosing Your Network-Knowledge Tools;265
16.2.3;Designing An Effective Protection Strategy;267
16.2.4;Secure Individual Hosts First;267
16.2.5;Purchase Host-based Protective Software;268
16.2.6;Carefully Examine All Points of Access to Hosts;269
16.3;Malware Detection;270
16.3.1;Intrusion Detection;270
16.3.2;SNORT;272
16.3.3;Virus Detection;276
16.3.4;Generic Anti-virus;277
16.4;Planning, Testing, Revising;279
16.4.1;Develop Contingency Plans;280
16.4.2;Perform an “After Action Review”;280
16.4.3;Designate a Conference Room or Office as a “War Room”;281
16.4.4;Personnel;282
16.4.5;Look Beyond the Borders;283
16.5;Documentation;284
16.5.1;Malware Laboratory Procedures;285
16.6;Summary;288
16.7;Solutions Fast Track;288
16.8;Frequently Asked Questions;290
17;Chapter 7: Perilous Outsorcery;293
17.1;Introduction;294
17.2;Key Concepts: Outsourcing AV Services and Risk Management;296
17.3;Key Building Blocks for Managing Outsourced Security;297
17.3.1;What Do “Security Activities” Imply for a Business Manager?;298
17.3.2;What does “Outsourcing AV Services” Mean?;299
17.3.3;What Drives the Success or Failure of Outsourced Operational AV?;301
17.3.3.1;First Law;302
17.3.3.2;Second Law;302
17.3.3.3;Third Law;302
17.3.3.4;Fourth Law;302
17.3.3.5;Fifth Law;303
17.3.3.6;Sixth Law;305
17.3.3.7;Seventh Law;306
17.3.4;What Common Phases does the Project Manager Encounter when Outsourcing AV Services?;306
17.3.5;What Are The Most Common Problems Seen During AV Outsourcing?;308
17.3.5.1;Miscommunication Between Customer and Vendor;308
17.3.5.2;Lack of Responsive and Flexible Threat/ Change Management Mechanisms;310
17.3.5.3;Procurement and Tendering Conflicts;310
17.3.5.4;A Vendor-Centric Worldview;311
17.3.5.5;Overestimation of a Vendor’s Competence;311
17.4;The Perils of Outsourcing AV Activities;312
17.4.1;Why Do More and More Companies Outsource AV Services?;313
17.5;The ‘Perilous Outsorcery’ Management Matrix;316
17.5.1;The First Dimension: Use The Job Descriptions, Roles, and Functions of People You Meet;316
17.5.2;The Second Dimension: AV Function Types from Risk and Systems Management Perspectives;317
17.5.3;The Third Dimension: Type of Governance Role Using The RACI Model;318
17.5.4;An Example of the “Perils of Outsourcing” Matrix;320
17.6;Critical Success Factors for Surviving AV Outsourcing;321
17.6.1;Sources of CSFs: the More Explicit, the Better!;322
17.6.2;Open Peer Communication Lines Between Both Companies;323
17.6.3;Use a Questionnaire to Match People to AV Functions;325
17.6.4;Align as Soon as Possible with Monitoring Services (SOC) and Incident Management Teams;326
17.6.5;Outline the AV infrastructure (as Seen by the Customer and the Vendor) and Discuss Differences;327
17.6.5.1;Align or Prepare the Reporting on Compliance Issues of Outsourced AV Services;328
17.6.6;Putting the Pieces Together;329
17.6.7;Roles and Responsibilities;331
17.7;Sample AV Skills and Experience Questionnaire for an AV Service Provider;332
17.8;Summary;337
17.9;Solutions Fast Track;337
17.10;Frequently Asked Questions;340
18;Chapter 8: Education in Education;343
18.1;Introduction;344
18.2;User Education from an Educationalist’s Perspective;345
18.2.1;Some True Stories;349
18.2.1.1;The Grandmother;350
18.2.1.2;The Sister;351
18.2.1.3;The Father;351
18.2.1.4;The Young Girl;351
18.2.1.5;The Self-employed Professional;352
18.2.1.6;The Unwitting Spammers;352
18.2.1.7;And the Point is...;352
18.2.1.8;Where Do You Come In?;353
18.3;Security and Education in the UK;356
18.3.1;Evaluating Security Advice;357
18.3.2;Information Sharing and the WARP factor;357
18.3.3;The Myth of Teenage Literacy;360
18.3.4;Teaching Security in the Classroom;361
18.3.5;Duty of Care;367
18.3.6;Surfing the Darkside Economy;368
18.3.7;Duty of Care Issues (Again);369
18.3.8;Cross-Curricular Security;370
18.3.9;Technical Areas Checklist;373
18.4;Not Exactly a Case Study: The Julie Amero Affair;375
18.5;Summary;378
18.6;Solutions Fast Track;378
18.7;Frequently Asked Questions;381
19;Chapter 9: DIY Malware Analysis;385
19.1;Introduction;386
19.2;Anti-Malware Tools of the Trade 101;386
19.3;The Basics: Identifying a Malicious File;387
19.4;Process and Network Service Detection Tools;395
19.5;Web-based Inspection and Virus Analysis Tools;403
19.5.1;AV Vendors Accept Submissions;403
19.5.2;Using an Online Malware Inspection Sandbox;410
19.6;Using Packet Analyzers to Gather Information;419
19.6.1;Results of Running windump at the Command Line to Show Proper Syntax Formatting;420
19.7;Examining Your Malware Sample with Executable Inspection Tools;424
19.8;Using Vulnerability Assessment and Port Scanning Tools;430
19.9;Advanced Tools: An Overview of Windows Code Debuggers;437
19.10;Advanced Analysis and Forensics;441
19.11;Advanced Malware Analysis;442
19.11.1;Static (Code) Analysis;442
19.11.2;Packers and Memory Dumping;444
19.11.2.1;Quick Assessment;447
19.11.2.2;Disassembling Malware;449
19.11.2.3;Debugging Malware;450
19.11.3;Dynamic (Behavior) Analysis;452
19.11.3.1;Isolated Environments;452
19.11.3.2;Behavior Monitoring;454
19.12;Forensic Analysis;456
19.12.1;Collecting Volatile Data;457
19.12.1.1;Rootkits;458
19.12.1.2;Collecting Process and Network Data;459
19.12.2;Collecting Non-volatile Data;461
19.12.2.1;Determining the Initial Vector;461
19.12.2.2;A Lesson from History;462
19.12.2.3;Case Study: An IRCbot-infected Machine;464
19.13;Summary;468
19.14;Solutions Fast Track;468
19.15;Frequently Asked Questions;473
20;Chapter 10: Antimalware Evaluation and Testing;477
20.1;Introduction;478
20.2;Antimalware Product Evaluation;479
20.2.1;Configurability;481
20.2.2;Cost;481
20.2.3;Ease of Use;483
20.2.4;Functionality;484
20.2.5;Performance;484
20.2.6;Support Issues;487
20.2.6.1;Upgrades and Updates;488
20.2.6.2;Information Flow and Documentation;488
20.3;Evaluation Checklist;489
20.3.1;Core Issues;490
20.4;Testing Antimalware Products;498
20.4.1;Replicating Malware;500
20.4.1.1;Why is Sample Verification Important?;500
20.4.1.2;Polymorphic Replicative Malware;502
20.4.2;Environment;504
20.4.3;In the Wild Testing;504
20.4.4;Non-Replicating Malware;506
20.4.4.1;Is It or Isn’t It?;506
20.4.4.2;Does it work?;510
20.4.5;Time To Update Testing;512
20.4.5.1;Defining the Problems;512
20.4.5.2;Problem 1: Time to Update as a Measure of Protection Capability;513
20.4.5.3;Problem 2: Baseline Setting for Heuristic/Proactive Detections;514
20.4.5.4;Problem 3: Time of Release vs. Time of First Detection;517
20.4.6;Frozen Update (Retrospective) Testing;519
20.4.7;A Few Words on False Positives;520
20.4.8;A Checklist of Do’s and Don’ts in Testing;520
20.4.8.1;First of All, Here’s What Not to Do!;521
20.4.8.2;How to Do it Right!;522
20.4.8.3;Non-detection Testing Parameters;522
20.4.9;Conclusion;523
20.5;Independent Testing and Certification Bodies;523
20.5.1;VB100 Awards;524
20.5.2;ICSA Labs (a Division of Cybertrust);525
20.5.3;Checkmark Certification;525
20.5.3.1;Anti-virus Level 1;525
20.5.3.2;Anti-virus Level 2;526
20.5.3.3;Trojan;526
20.5.3.4;Anti-Spyware;526
20.5.4;AV-Test.org;526
20.5.5;AV-Comparatives.org;526
20.6;Summary;527
20.7;Solutions Fast Track;529
20.8;Frequently Asked Questions;532
21;Chapter 11: AVIEN and AVIEWS: the Future;535
22;Appendix A: Resources;539
22.1;Introduction;540
22.2;Customer Power;541
22.3;Stalkers on Your Desktop;541
22.4;A Tangled Web;543
22.5;Big Bad Bots;544
22.6;Crème de la CyberCrime;544
22.7;Defense in Depth;545
22.8;Perilous Outsorcery;545
22.9;Education in Education;545
22.10;DIY Malware Analysis;547
22.11;Antivirus Evaluation and Testing;548
22.12;Additional Resources;548
22.12.1;Books;548
22.12.2;Additional Resources;549
22.12.2.1;Linux;550
22.12.2.2;Macintosh;550
22.12.2.3;Network Tools;550
22.12.2.4;SANS;551
22.12.2.5;Security Focus Newsletters;551
23;Appendix B: Glossary;553
23.1;Introduction;554
24;Index;563