A WORST-CASE WORM
BY
NICHOLAS WEAVER AND VERN PAXSON
Presenter:
K M Sabidur Rahman,
ECS 236: Computer Security: Intrusion Detection Based Approach,
UC Davis
krahman@ucdavis.edu
http://www.linkedin.com/in/kmsabidurrahman/
5/13/2016
Agenda
•How to model the damage done by worms
•Attack details (target, propagation methods)
•How to estimate the number of infected systems
•Damage done by a worm (data, hardware, downtime)
•How to estimate damage and loss
•Defenses against worms
What is a Worm?
•malicious
•self-propagating network programs
•capable of spreading substantially faster than humans can respond
•can carry highly malicious payloads
•represent a substantial threat to computing infrastructure
•Example: the Slammer worm disrupted a nuclear power plant's systems, ATMs and
911 operations
•Example: Welchia disrupted the Navy Marine Corps Intranet and ATMs
Modeling of a Worm’s damage
Assumptions related to Attack
•Infect as many US systems as possible
•Maximize the damage done on each infected system
•Keep the worm active as long as possible, so that any repaired but
still-vulnerable system is reinfected
Assumptions on Attacker resources
•Several experienced programmers
•Access to a significant amount of computing hardware
•Several months of time for development and testing
•Nation-state adversary (more resources than a terrorist group)
Candidates to target
•Windows SMB/CIFS file sharing
•The SMB/CIFS server has shipped with Windows since Windows 98
•SMB/CIFS is widely deployed
•Default anonymous login capabilities
•The SMB service runs as part of the OS kernel, so a flaw in it hands over the whole machine
•Its on-by-default nature means most Windows PCs are exposed
•File sharing is essential for business operations, so it cannot simply be turned off
SMB/CIFS vulnerabilities
•A flaw allows arbitrary remote execution as long as the attacker has domain
access
•The worm can query the local Windows domain controller for a list of local
machines and their names, so it does not need to scan blindly inside a domain
•The RPC vulnerability exploited by the Blaster worm is a precedent
•To cross firewalls and spread between domains, the worm switches to a
mail-worm mode or an infected-web-browser mode
•Targeting is restricted to US-related IP address ranges
Speed of propagation
Spread across the Internet: the Slammer worm took less than 10 minutes to
infect tens of thousands of servers.
Spread through gateways: needs human action (mail/web). Nimda spread within a
few hours. A pure mail worm such as SoBig.E required a little more than a day
to reach peak volume.
Intranet spread: on 100 Mbps and 1 Gbps LANs, infecting the first few victims
takes less than a second, and the whole intranet much less than a minute.
Total spread time across the US during business hours can be on the order of
hours.
Testing
Has to be tested in a wide range of environments
Make it polymorphic or include anti-antivirus routines
Estimating number of Infected system
•Penetration of 60% of the vulnerable business PCs is plausible in the worst
case
•A survey from 2001 suggests 85 million PCs in US business and government
•Not including the 45 million households with PCs
Attack’s Damage
Data damage payload: once an infected machine is no longer needed for
spreading, the worm can damage remote or local disks, e.g. by overwriting
random sectors.
Hardware damage: reflash the BIOS, corrupting the bootstrap program that
initializes the computer. Software could flash the BIOS on 7 popular systems
and 2 motherboards examined.
Attack’s damage
Attempting reinfection and increasing downtime: a zero-day exploit
significantly increases the downtime.
The window between when a system is restored and when the patch is installed
lets the system be reinfected if copies of the worm are still active on the
local network.
Estimating damage
D_rec: system administration time to restore a system: reload the operating
system, install patches, reinstall applications, restore data from backups,
and reconnect the system to the network. Assumed to be 1/2 hour for this
analysis, which translates to roughly $20 per system.
D_time: productivity loss per hour of downtime; depends on both the value of
the labor and the time lost. Approximated as $35/hr.
Estimating damage
T_time: 16 hr, i.e. two working days per user. First day: Microsoft develops
patches and workarounds. Second day: local sysadmins restore full network
operation.
D_data: value of lost data, approximated as $2000 per loss incident.
P_lost_data: 0.1, assuming data is usually not lost because of backups.
P_bios: 0.1, the attacker will be able to permanently destroy only a limited
number of configurations.
D_bios: $1400 (replacement cost) + $1000 (40 hr of lost productivity) = $2400
Estimating loss
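Added example (not from the slides or the paper): the loss model of the two preceding slides carried through in Python with the slides' own symbols. The combination rule, per-machine loss = D_rec + T_time·D_time + P_lost_data·D_data + P_bios·D_bios, multiplied by the number of infected machines, is my reading of the slides; the doubling of T_time in the zero-day scenario is an assumption used only to show how the reinfection window moves the total.

```python
"""Expected-loss model for the worst-case worm, using the slides' symbols.

Added example, not code from the paper or the slides. The combination rule
(recovery + downtime + expected value of the two probabilistic payloads,
times the number of infected machines) is my reading of the slides; the
parameter defaults are the slide values; zero_day_scenario is an assumption.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class WormLossModel:
    D_rec: float = 20.0           # sysadmin restore cost per system, $ (1/2 hr)
    D_time: float = 35.0          # productivity loss per hour of downtime, $/hr
    T_time: float = 16.0          # hours of downtime per user (two working days)
    D_data: float = 2000.0        # cost of one data-loss incident, $
    P_lost_data: float = 0.1      # probability that backups do not save the data
    D_bios: float = 2400.0        # $1400 replacement + $1000 (40 hr) productivity
    P_bios: float = 0.1           # probability the BIOS is permanently destroyed
    population: int = 85_000_000  # US business + government PCs (2001 survey)
    penetration: float = 0.6      # worst-case fraction of vulnerable PCs infected

    def infected_systems(self) -> int:
        return round(self.population * self.penetration)

    def loss_per_machine(self) -> float:
        """D_rec + T_time*D_time + P_lost_data*D_data + P_bios*D_bios."""
        return (self.D_rec
                + self.T_time * self.D_time
                + self.P_lost_data * self.D_data
                + self.P_bios * self.D_bios)

    def total_loss(self) -> float:
        return self.infected_systems() * self.loss_per_machine()

    def breakdown(self) -> dict:
        """Share of the per-machine loss by component (shows what dominates)."""
        parts = {
            "recovery": self.D_rec,
            "downtime": self.T_time * self.D_time,
            "data": self.P_lost_data * self.D_data,
            "bios": self.P_bios * self.D_bios,
        }
        total = sum(parts.values())
        return {k: v / total for k, v in parts.items()}


def zero_day_scenario(base: WormLossModel) -> WormLossModel:
    """Assumed variant: with a zero-day there is no patch on day one, so the
    restore-to-patch window lets hosts be reinfected from still-active copies.
    Modeled here, as an assumption, by doubling T_time."""
    return replace(base, T_time=base.T_time * 2)


if __name__ == "__main__":
    base = WormLossModel()
    print(f"infected systems: {base.infected_systems():,}")
    print(f"loss per machine: ${base.loss_per_machine():,.0f}")
    print(f"total loss:       ${base.total_loss() / 1e9:,.2f} billion")
    for name, share in base.breakdown().items():
        print(f"  {name:9s} {share:6.1%}")
    zd = zero_day_scenario(base)
    print(f"zero-day variant: ${zd.total_loss() / 1e9:,.2f} billion")
```

With the slide values the model gives 51 million infected machines, $1,020 per machine and about $52 billion in total; downtime (T_time·D_time = $560) is more than half of the per-machine figure, so the assumptions about how long recovery takes matter far more than the BIOS or data-loss payloads.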
Model limitation
Doesn’t consider nonlinear effect on companies: follow-on effect
(sometimes these values are inflated)
A downtime of one hour may not have that much consequences as one
day
Some companies may suffer slowly over longer termsSome companies may suffer slowly over longer terms
Possible damage to critical infrastructure (power grid, hospital,
telecommunication, nuclear infrastructure)
5/13/201617
Current defenses and recommendations
Most email worms are stopped by signature-based scanning, but signatures are
easily evaded (e.g. by polymorphism)
Most IDSs are deployed to protect against external attacks, but this attack
spreads over internal connections
Restrictive policies for mail-worm scanning should be enforced
Add filters for unusual characteristics (e.g. long strings in headers)
Network file sharing can be restricted
Servers can run a different platform (Linux)
Disable BIOS reflashing
Data backups with off-site storage protection
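Added example (not from the slides or the paper) for the two points above that an outward-facing IDS misses the internal SMB spread, and, from the SMB/CIFS slide, that the worm learns its targets from the domain controller. A worm that enumerates hosts that way connects only to live machines, so a detector keyed on failed connections sees nothing unusual; what it cannot hide is one workstation suddenly speaking SMB to many peers. The flow-record format, the thresholds and the sample records are all constructed for this example.

```python
"""Flag worm-style SMB fan-out on the internal network from flow records.

Added example, not code from the paper or the slides. Flow line format
'<ts> <src> <dst> <dport> <proto>', the internal ranges, the window and the
peer threshold are all constructed assumptions for the example.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

SMB_PORT = 445
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)


def parse_flow(line: str):
    """'<ts> <src> <dst> <dport> <proto>' -> (ts, src, dst, dport); None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[4] != "tcp":
        return None
    try:
        return float(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def smb_fanout_alerts(lines, window_s=60.0, max_peers=15):
    """Return {src: peak_distinct_dsts} for every source that talks to more
    than max_peers distinct internal hosts on TCP/445 within any window_s
    seconds. Only successful-looking internal->internal SMB flows count, so a
    worm that picked live targets from the domain controller is still caught."""
    records = sorted(r for r in map(parse_flow, lines) if r is not None)
    recent = defaultdict(deque)                    # src -> (ts, dst) in time order
    peers = defaultdict(lambda: defaultdict(int))  # src -> dst -> flows in window
    alerts = {}
    for ts, src, dst, dport in records:
        if dport != SMB_PORT or not (is_internal(src) and is_internal(dst)):
            continue
        q, cnt = recent[src], peers[src]
        q.append((ts, dst))
        cnt[dst] += 1
        while q and ts - q[0][0] > window_s:       # expire flows outside window
            _, old_dst = q.popleft()
            cnt[old_dst] -= 1
            if cnt[old_dst] == 0:
                del cnt[old_dst]
        if len(cnt) > max_peers:
            alerts[src] = max(alerts.get(src, 0), len(cnt))
    return alerts


# Constructed sample: two workstations each using one file server (normal),
# and one host, 10.1.2.50, contacting 30 peers on port 445 within three seconds.
SAMPLE_FLOWS = [f"{100 + i * 7:.1f} 10.1.2.{10 + i % 2} 10.1.0.{5 + i % 2} 445 tcp"
                for i in range(20)]
SAMPLE_FLOWS += [f"{200 + i * 0.1:.1f} 10.1.2.50 10.1.3.{20 + i} 445 tcp"
                 for i in range(30)]
SAMPLE_FLOWS += ["205.0 10.1.2.50 8.8.8.8 445 tcp",   # external target: ignored
                 "206.0 10.1.2.11 10.1.0.5 443 tcp",  # not SMB: ignored
                 "garbage line"]                      # malformed: skipped


if __name__ == "__main__":
    for src, n in smb_fanout_alerts(SAMPLE_FLOWS).items():
        print(f"ALERT {src}: {n} distinct internal SMB peers within 60 s")
```

The sensor has to sit where it sees intranet-to-intranet traffic (a span port on the core switches, or flow export from them), not at the Internet border, which is exactly the deployment gap the slide points out. The threshold should be set from a baseline of how many SMB peers a normal workstation has per hour; file servers and backup hosts that legitimately fan out need an allow-list.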
Measures of Dispersion and Variability: Range, QD, AD and SD
 
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
9548086042 for call girls in Indira Nagar with room service
9548086042  for call girls in Indira Nagar  with room service9548086042  for call girls in Indira Nagar  with room service
9548086042 for call girls in Indira Nagar with room service
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
The byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxThe byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptx
 

Computer Security: Worms

1. A WORST-CASE WORM BY NICHOLAS WEAVER AND VERN PAXSON
Presenter: K M Sabidur Rahman, ECS 236: Computer Security: Intrusion Detection Based Approach, UC Davis
krahman@ucdavis.edu
http://www.linkedin.com/in/kmsabidurrahman/

2. Agenda
•How to model damage done by worms
•Attack details (target, ways)
•How to estimate the number of infected systems
•Damage done by a worm (data, hardware, downtime)
•How to estimate damages and loss
•Defense against worms

3. What is a Worm?
•Malicious, self-propagating network programs
•Capable of spreading substantially faster than humans can respond
•May contain highly malicious payloads
•Represent a substantial threat to computing infrastructure
•Examples: the Slammer worm disrupting a nuclear power plant's systems, ATMs and 911 operations; Welchia's disruption of the Navy Marine Corps Intranet and ATMs

4. Modeling of a Worm's damage

5. Assumptions related to the attack
•Infect as many US systems as possible
•Maximize damage in each infected system
•Keep the worm active as long as possible to reinfect any repaired but still vulnerable system

6. Assumptions on attacker resources
•Several experienced programmers
•Access to a significant amount of computing hardware
•Several months of time for development and testing
•Nation-state adversary (more resources than a terrorist group)

7. Candidates to target
•Windows SMB/CIFS file sharing
•This server is distributed with Windows 98
•SMB/CIFS is widely deployed
•Default anonymous login capabilities
•The SMB service runs as part of the OS kernel
•Its on-by-default nature means most Windows PCs are vulnerable
•File sharing is essential for business operations

8. SMB/CIFS vulnerabilities
•Allows arbitrary remote execution as long as the attacker has domain access
•The worm can query the local Windows domain controller and ask for a list of local machines and their names
•RPC vulnerability (Blaster worm)
•To cross the firewall and spread across different domains, a mail-worm mode or an infected web browser mode can be used
•Use US-related IP addresses to target the worm
9. Speed of propagation
•Spread across the Internet: the Slammer worm took less than 10 minutes to infect tens of thousands of servers
•Spread through gateways: needs human action (mail/web). The Nimda worm took a few hours. A pure mail worm such as SoBig.E required a little more than a day to reach its peak volume
•Intranet spread: with 100 Mbps and 1 Gbps LANs, infecting a few victims takes less than a second, and the whole intranet much less than a minute
•Total spread time during US business hours can be a matter of hours

10. Testing
•Has to be tested in a wide range of environments
•Make it polymorphic or include anti-anti-virus routines

11. Estimating the number of infected systems
•Penetration of 60% of the vulnerable business PCs is plausible in the worst case
•A survey from 2001 suggests 85 million PCs in US business and government
•Not including 45 million households with PCs
12. Attack's damage
•Data damage payload: once the infected machine is no longer needed as part of the spreading process, the worm may damage remote or local disks, e.g. overwrite random sectors on the disk
•Hardware damage: reflash the BIOS, corrupting the bootstrap program that initializes the computer. Software can flash the BIOS in 7 popular systems and 2 motherboards

13. Attack's damage
•Attempting reinfections and increasing downtime: a zero-day exploit significantly increases the downtime. The time between when a system is restored and when a patch is installed allows the system to be reinfected if there are still active copies on the local network

14. Estimating damage
•Drec: the system administration time to restore the system (reload the operating system, install patches, reinstall applications, restore data from backups, and reconnect the system to the network). Assumed to be ½ hour for this analysis, which roughly translates to $20 per system
•Dtime: productivity loss due to downtime; depends on both the value of the labor and the time lost. Approximated as $35/hr

15. Estimating damage
•Ttime: 16 hr, two working days per user. First day: Microsoft develops patches and workarounds. Second day: local sysadmins restore full network operation
•Ddata: lost data, approximated as $2000 per single loss incident
•Plost_data: 0.1, assuming data is not lost most of the time because of backups
•Pbios: 0.1; the attacker will be able to permanently destroy only a limited number of configurations
•Dbios: $1400 (cost of replacement) + $1000 (40 hr productivity) = $2400
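As an added example (not from the slides or the Weaver and Paxson paper), the parameters of slides 14 and 15 can be combined into an expected loss per infected system and scaled by the slide 11 population estimate; the additive, probability-weighted combination and the 60% of 85 million figure are assumptions drawn from the numbers on this page, and the breakdown shows which term dominates.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DamageParams:
    """Per-system cost parameters, in the notation of slides 14 and 15."""
    d_rec: float        # Drec: admin time to restore one system, $ (1/2 hr ~ $20)
    d_time: float       # Dtime: productivity loss per hour of downtime, $/hr
    t_time: float       # Ttime: hours of downtime per user
    d_data: float       # Ddata: cost of a single data-loss incident, $
    p_lost_data: float  # Plost_data: probability a system loses its data
    p_bios: float       # Pbios: probability the BIOS is permanently destroyed
    d_bios: float       # Dbios: replacement cost + 40 hr lost productivity, $

# Values taken from slides 14 and 15.
SLIDE_PARAMS = DamageParams(d_rec=20.0, d_time=35.0, t_time=16.0,
                            d_data=2000.0, p_lost_data=0.1,
                            p_bios=0.1, d_bios=1400.0 + 1000.0)

# Infected population from slide 11 (assumed: 60% of 85 million PCs).
BUSINESS_PCS = 85_000_000
PENETRATION = 0.6

def damage_breakdown(p: DamageParams) -> dict[str, float]:
    """Expected loss per infected system, split by component.

    Assumption (not stated on the slides): components add, and the
    probabilistic ones are weighted by their probability of occurring.
    """
    return {
        "recovery": p.d_rec,
        "downtime": p.d_time * p.t_time,
        "data_loss": p.p_lost_data * p.d_data,
        "bios_loss": p.p_bios * p.d_bios,
    }

def per_system_damage(p: DamageParams) -> float:
    """Total expected loss per infected system, in dollars."""
    return sum(damage_breakdown(p).values())

def infected_systems(population: int = BUSINESS_PCS,
                     penetration: float = PENETRATION) -> int:
    """Number of infected systems under the slide 11 penetration estimate."""
    return round(population * penetration)

def total_damage(p: DamageParams = SLIDE_PARAMS, population: int = BUSINESS_PCS,
                 penetration: float = PENETRATION) -> float:
    """Aggregate loss: per-system expected loss times infected population."""
    return per_system_damage(p) * infected_systems(population, penetration)

if __name__ == "__main__":
    for name, cost in damage_breakdown(SLIDE_PARAMS).items():
        print(f"{name:>10}: ${cost:,.0f} per system")
    print(f"per system: ${per_system_damage(SLIDE_PARAMS):,.0f}")
    print(f"infected:   {infected_systems():,} systems")
    print(f"total:      ${total_damage():,.0f}")
```

With the slide figures the downtime term (Dtime × Ttime) is more than half of the per-system loss, which is why the model limitations on the next slide concentrate on how downtime is valued.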
17. Model limitations
•Doesn't consider nonlinear effects on companies: follow-on effects (sometimes these values are inflated)
•A downtime of one hour may not have nearly the consequences of one day
•Some companies may suffer slowly over the longer term
•Possible damage to critical infrastructure (power grid, hospitals, telecommunications, nuclear infrastructure)

18. Current defenses and recommendations
•Most email worms are stopped by signature-based scanning, which can be easily avoided
•Most IDSs are deployed to protect against external attacks (but this attack comes from internal connections)
•Restrictive policies for mail worm scanning should be enforced
•Additional filters for unusual characteristics (long strings in headers)
•Network file sharing can be restricted
•Servers can be on a different platform (Linux)
•Disable BIOS reflashing
•Data backups and off-site storage protection