What is a rootkit anyway? April 3, 2007
Posted by Christopher in Blogroll.
It seems more people are hearing about rootkits but still do not understand what they are or the threats they pose. Rootkits can be so effective at masking threats from your security software that a virus detected by every anti-virus product in production can be hidden so that it won’t be detected.

The power of a rootkit comes from the fact that it adds code (called hooks) to the operating system and inserts it to run before the operating system’s native function proceeds. An example would be enumerating files and directories. Typically a ‘dir’ command from the command prompt, or viewing files and folders inside Explorer, calls low-level functions of the operating system to display all files under a particular folder. Now imagine someone writing a function that filters those results, removing files of their choice, and inserting it to run before your operating system runs its normal function call. At this point the operating system has no way of seeing the files and directories filtered out by the hook the rootkit inserted. Because anti-virus products depend on the operating system’s functions (its API) to report files and directories, known threats can be hidden on a system without the local anti-virus protection ever knowing.

Filtering file and directory listings is only one function of a rootkit. It is common for rootkits to alter other aspects of the operating system, such as the list of running processes, the size of files, even which ports are open and listening on your machine. Some of the really advanced rootkits are able to use existing open service ports to transmit and receive data over the same path as other services, because they are able to view and remove data from the line before the operating system or application reacts. This allows rootkits to communicate between victims and their master silently.
There are many ways to detect and remove rootkits, but the best and most effective defense is to prevent them from installing. This means preventing installation of untrusted applications that install low-level hooks into the operating system. Preventing this requires heuristic or proactive defense in your security products. It is becoming more common for anti-virus products such as Kaspersky to have the ability to detect “malicious looking” files and processes before there is a known signature for the threat. This allows the product to provide what is commonly referred to as zero-day protection.
Techniques to detect and remove rootkits are getting better, but the most common and effective way to remove rootkits is to scan the system while it is offline. This means moving the drive to another system and scanning it under that system’s operating system. The reason is that as long as the infected operating system is running, any queries for files and processes cannot be trusted to be accurate. By removing the drive and scanning it under a different system, you effectively switch off the rootkit’s concealment and depend entirely on your anti-virus product to detect the signatures of known threats. More and more tools are becoming available that use clever techniques to detect rootkits without shutting down the operating system. A common technique is to query what the operating system reports, query what low-level direct access to the hard disk reports, and compare the two for traces of hidden information. The same approach is used against the registry to find applications that use hidden registry records to launch malicious files.
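The cross-view comparison described above, as an added example that is not part of the original post: the operating system’s API view of an object class is compared with an independent low-level view, and anything the raw view contains that the API view lacks is reported. All snapshot data is constructed for illustration.

```python
# Cross-view detection: compare the OS API's view of an object class (files,
# processes, registry Run entries) with an independent low-level view. Anything
# the raw view has that the API view lacks is a candidate for being hidden by a
# hook. All snapshots below are constructed sample data, not real system output.
from dataclasses import dataclass, field

@dataclass
class CrossViewResult:
    hidden: set = field(default_factory=set)   # raw view only: suspicious
    phantom: set = field(default_factory=set)  # API view only: usually a race

def _normalise(names, case_insensitive):
    # Windows paths and registry names compare case-insensitively, so a pure
    # case difference must not be reported as a hidden object.
    return {n.lower() if case_insensitive else n for n in names}

def cross_view_diff(api_view, raw_view, case_insensitive=True):
    """Entries the OS API does not report but the raw view does, and vice versa.

    api_view: names as returned through the OS (dir, tasklist, reg query).
    raw_view: names obtained by bypassing those APIs (raw disk or hive read).
    """
    api = _normalise(api_view, case_insensitive)
    raw = _normalise(raw_view, case_insensitive)
    return CrossViewResult(hidden=raw - api, phantom=api - raw)

def scan_snapshots(snapshots):
    """Run the diff over several object classes; keep only classes with hidden entries."""
    findings = {}
    for kind, (api_view, raw_view) in snapshots.items():
        hidden = cross_view_diff(api_view, raw_view).hidden
        if hidden:
            findings[kind] = sorted(hidden)
    return findings

# Constructed snapshots: the API view omits one driver file and one Run value;
# the listening-port views agree, so that class produces no finding.
SAMPLE_SNAPSHOTS = {
    "files": (["ntoskrnl.exe", "kernel32.dll", "user32.dll"],
              ["NTOSKRNL.EXE", "kernel32.dll", "user32.dll", "hidden_driver.sys"]),
    "registry_run": (["AntiVirusTray", "PrinterAgent"],
                     ["AntiVirusTray", "PrinterAgent", "svchost_updater"]),
    "listening_ports": (["tcp/135", "tcp/445"], ["tcp/135", "tcp/445"]),
}

if __name__ == "__main__":
    for kind, hidden in scan_snapshots(SAMPLE_SNAPSHOTS).items():
        print(f"{kind}: present on disk/hive but hidden from the OS API -> {hidden}")
```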
Where are our nuclear secrets April 2, 2007
Posted by Christopher in Blogroll.
Twenty machines that contain government nuclear secrets are missing, according to a recent audit by the Energy Department Inspector. In addition, the Energy Department currently uses computers that are not in its inventory, including one that was marked as destroyed.
A spokesman for the department, Craig Stevens, said Energy Secretary Samuel W. Bodman ‘recognizes that we need to manage this place better.’
If this were not menacing enough, the department is also responsible for tracking attempts by foreign governments to steal nuclear information. The unaccounted-for machines may very well hold this information.
The backup crisis March 27, 2007
Posted by Christopher in Blogroll.
I still see a lot of clients using manual backups to back up important files daily, picking and choosing which files to back up in the event of a disaster. Every time there is a problem and they need to recover data, they come up short. Either someone forgot to do the backup that day, they forgot to update the backup to include an important directory, or they become overwhelmed by the restore process because the underlying system was not properly backed up.
There are no real savings in using manual backups as opposed to complete backups to tape or disk. The labor and costs involved in recovering from a single failure will generally break even with the cost of the correct backup equipment. You cannot easily put a price on lost data.
Complete automated backups are also considerably simpler to perform and even easier to recover from. You also minimize the risk of not backing up important files.
While I am on the topic of backups, I am amazed at how often clients delay bringing in help when their backup fails for the day. Either they do not monitor and confirm successful backups daily, or they keep waiting for weeks hoping that it will just start backing up properly again. A failed backup is likely useless in the event of a disaster, which increases the amount of data lost to a failure. It is disappointing to get a call to help a client recover data only to find the backup stopped working 3 weeks ago, or sometimes even 8 months ago. Every backup strategy requires daily confirmation of success or failure and an ongoing effort to ensure successful backups.
One of the most common problems we find is that most clients never test their backups. In the event of a failure, we frequently find their “successful” backup is incomplete or unavailable when it is actually needed. In an ideal world, every company would have duplicate hardware so that it could drill the recovery process on separate hardware. Unfortunately it is not common to see this properly implemented and documented.
Another common problem we find is how infrequently clients clean their tape drives. A lot of clients believe a tape drive should be cleaned once a year, or never. Proper cleaning is very important; a neglected drive is often the source of failed backups and of tapes that just don’t restore when you need them to. Typically manufacturers recommend cleaning a tape drive every month or two depending on how many hours of service it has seen. Improper cleaning is a common cause of data loss.
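The daily confirmation the post calls for, as an added example that is not part of the original post: a check over backup job logs that reports, per job, how long it has been since the last success, so a backup that stopped working three weeks ago is caught the next morning rather than on the day of the disaster. The log format and sample lines are constructed for this example, not any real product’s format.

```python
# Daily backup confirmation check: for each job in the log, report how long it
# has been since its last SUCCESS. A job that silently stopped working weeks ago
# is useless on the day of the disaster, so staleness is the thing to alert on.
# The log format and the sample lines are constructed for this example.
import re
from datetime import date, datetime

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
                     r"JOB=(?P<job>\S+) STATUS=(?P<status>\S+)")

def parse_log(lines):
    """Yield (timestamp, job, status) for each well-formed line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["job"], m["status"]

def last_success(lines):
    """Map every job seen in the log to the date of its latest SUCCESS (None if never)."""
    last = {}
    for ts, job, status in parse_log(lines):
        last.setdefault(job, None)
        if status == "SUCCESS" and (last[job] is None or ts.date() > last[job]):
            last[job] = ts.date()
    return last

def stale_jobs(lines, as_of, max_age_days=1):
    """{job: days_since_success} for jobs with no SUCCESS within max_age_days of as_of
    (a date or 'YYYY-MM-DD' string); a job that never succeeded maps to None."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    report = {}
    for job, day in last_success(lines).items():
        age = None if day is None else (as_of - day).days
        if age is None or age > max_age_days:
            report[job] = age
    return report

# Constructed log: 'fileserver' last succeeded 21 days before the check date,
# 'mail' succeeded last night, 'sql' has never completed successfully.
SAMPLE_LOG = """
2007-03-05 02:00:13 JOB=fileserver STATUS=SUCCESS BYTES=51234000
2007-03-06 02:00:09 JOB=fileserver STATUS=FAILED ERROR=tape_write
2007-03-25 02:00:11 JOB=fileserver STATUS=FAILED ERROR=tape_write
2007-03-25 23:30:00 JOB=mail STATUS=SUCCESS BYTES=9100000
2007-03-25 23:45:00 JOB=sql STATUS=FAILED ERROR=vss_snapshot
garbage line that the parser must ignore
""".strip().splitlines()

if __name__ == "__main__":
    for job, age in stale_jobs(SAMPLE_LOG, "2007-03-26").items():
        print(job, "never succeeded" if age is None else f"last success {age} days ago")
```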
Gone Phishing March 2, 2007
Posted by Christopher in Blogroll.
If you have used email in the last few years you have without a doubt seen phishing attempts first hand. Maybe it was an email that appeared to be from PayPal asking you to confirm some information about your account to prevent immediate suspension. Or perhaps it was one of the infamous Fifth Third Bank emails asking you to confirm your account. Either way, I am sure you have seen your fair share of similar messages; I know I have.
In the last year the number of phishing sites plaguing the Internet has increased over 700 percent, to over 37,000 sites. Gartner estimates over 2.8 billion dollars lost to phishing attacks in 2006 alone, with 3.5 million Americans losing an average of $800 each last year to phishing scams.
Blacklisting is the most common defense against phishing threats: making a list of known phishing sites and blocking them by brute force. Although this strategy is very effective against known and documented phishing sites, it quickly becomes inadequate against the speed at which new phishing sites emerge.
The most effective defense against phishing scams has been around for many years: avoid clicking links inside email, and when you do click a link inside an email, first hover the mouse over the link for a few moments until the tooltip shows the real link target (if your mail client supports this). When surfing the web, use a strong anti-virus like Kaspersky and a good tool such as Site Advisor from McAfee. Although Kaspersky Anti-Virus is not free, McAfee Site Advisor is. Together they are a very effective defense against the ever-increasing phishing threat. As always, try to type the website address you want to visit directly into the address bar instead of using links in your email.
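The “hover over the link” check and the blacklist approach described above, automated as an added example that is not part of the original post: every anchor in an HTML message is parsed, the site shown in the link text is compared with the host the href really points at, and the href host is also looked up in a blacklist. The message body and the blacklist are constructed for this example.

```python
# Automated "hover" check: for every anchor in an HTML email, compare the site
# the link text shows the reader with the host the href really points at, and
# look the href host up in a blacklist. Sample message and blacklist are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _AnchorCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in the document.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(s):
    """Lower-cased host of a URL or bare domain (no scheme, port or path)."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()

def same_site(shown, actual):
    # A leading "www." is the only difference tolerated between text and href.
    strip = lambda h: h[4:] if h.startswith("www.") else h
    return strip(shown) == strip(actual)

DOMAIN_IN_TEXT = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}\b", re.I)

def suspicious_links(html, blacklist=frozenset()):
    """Return (href, shown_text, reason) for anchors the reader should not trust."""
    parser = _AnchorCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        target = host_of(href)
        if target in blacklist:
            out.append((href, text, "blacklisted host"))
        elif DOMAIN_IN_TEXT.search(text) and not same_site(host_of(text), target):
            out.append((href, text, f"text shows {host_of(text)} but link goes to {target}"))
    return out

# Constructed message: a displayed URL whose href goes elsewhere, a genuine link
# with plain text, and a link to a blacklisted host.
SAMPLE_MAIL = ('<p>Dear customer, <a href="http://203.0.113.7/login">https://www.paypal.com/</a> '
               'to confirm your account, or visit <a href="https://www.example.com/">Example</a>.</p>'
               '<a href="http://secure-update.example.net/verify">Verify now</a>')
SAMPLE_BLACKLIST = frozenset({"secure-update.example.net"})
```

Running `suspicious_links(SAMPLE_MAIL, SAMPLE_BLACKLIST)` flags the first and third anchors and leaves the genuine one alone.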