Malware Analysis and Software Industry

The Internet is an essential part of personal tasks and business. Many services thrive on the Internet and rely heavily on its connectivity; online banking and e-commerce are the best examples of its commercial use. Like the real world, the Internet is also targeted by hackers and criminals for the abundant personal and intellectual data available on it, and security incidents can result in damage as catastrophic as real-world incidents. Malware helps such ill-intentioned people accomplish these goals.

Malware has existed ever since the Internet and email communication came into being. Any malicious software or program designed with the intent to damage or disable computer systems, networks or connected devices can be termed 'malware'. Its objectives range from disrupting computing power or a service, stealing critical data and accessing private networks to exploiting critical resources. Software is classified as malware based on the intent of its creator rather than its actual features. Malware was initially created for experiments, but it eventually came to be used to destroy a business or a person's life. Its creation is on the rise because of the money made through organized crime: common malware is created to profit from forced advertising, stealing sensitive data, spreading email spam or extorting money. Factors like defects in operating system design, misconfiguration and network issues can make a system vulnerable to malware attacks.

Malware trends usually vary every year, but studying them is necessary because they reflect adversaries' intent and capability. Malware detection by sensors does not always indicate an actual infection or attack; it may only indicate weaponization of the code or an attempted delivery to target victims and systems. Malware can be detected at the network, application and host level on any device. Currently cybercriminals are improving their techniques by leveraging newly announced zero-day vulnerabilities, and the number of unique exploit detections is increasing constantly. Attacks against crypto mining, operational technology and the Internet of Things (IoT) have risen more than usual. Any piece of software used to disrupt computer functions, steal sensitive information, bypass access controls or harm the host system can be termed malware. It is a broad term covering a variety of malicious programs, so in security terminology it is always recommended to identify the classification of a malware sample in order to understand its complete behavior; each type of malware has its own distinct pattern of infecting the system. The common types of malware include viruses, rootkits, spyware, adware, trojan horses, ransomware and botnets. The figure below shows the different types of malware.

A virus is a contagious piece of code that infects software and then spreads from file to file on a system. When infected software or files are shared between computers, the virus spreads to the new host. It requires a legitimate program to execute in order to infect the victim's files. It is the only form of malware that infects other systems or files. It can also spread through script files, documents and cross-site scripting vulnerabilities in web applications. To date, many antivirus programs fail to differentiate the actual virus from the infected file. It is the malware most commonly reported by regular end users and media personnel.

Trojan horses, commonly called computer worms or trojans, are the weapon of choice most preferred by hackers. They mostly disguise themselves as a routine, useful program and force the victim to install it on their system. A trojan can be any form of backdoor that allows attackers unauthorized access, from low-level to high-level information. This is the form of malware most preferred for stealing a user's financial information, which can include logins, financial data and electronic money.

Ransomware is one of the most advanced forms of present-day malware and has several destructive effects. It usually infects the system from within, locking the system and making it unusable; it then encrypts the victim's files, rendering them inaccessible, and demands a ransom payment, usually in the form of cryptocurrency (bitcoin), to decrypt them. It is considered a dangerous cyberthreat because its detection and removal are complicated. The best practice for preventing a ransomware attack is to keep an offline backup of all critical files.

Spyware is a type of malware that spies on user activity without the user's knowledge. Most targeted attacks begin with a spyware program that logs the victim's keystrokes and gains access to passwords or intellectual property. Its capabilities include activity monitoring, keystroke collection and data harvesting (account information, logins); additional capabilities include altering the security settings of software or browsers to tamper with network connections.

Adware is the abbreviated form of advertising-supported software. It is the most common day-to-day malware; it redirects a user to a web page that contains product promotions or advertisements. Common examples of adware include pop-up ads on websites and advertisements displayed by software. It is very common for applications that offer free versions to be bundled with adware, which is considered a revenue-generating tool. Occasionally, however, it exposes the compromised end user to unwanted, potentially malicious advertising, usually in the form of pop-ups and windows that cannot be closed.

When a piece of software allows an attacker to gain complete control over another device without the victim's knowledge, the system is termed a botnet. Attackers use this to control the device and carry out attacks on other computers and networks without leaving any trace of the bot. All the infected computers are thereby controlled remotely by cybercriminals, who can use the botnet in many ways: denial-of-service attacks, keystroke logging, web spiders that scrape server data and spam email distribution. Websites defend against this by using CAPTCHA tests to distinguish humans from bots.

A rootkit remotely accesses or controls a computer without the knowledge of the victim or of security programs. Once installed, it allows the malicious party to remotely execute files, access or steal information, alter security configuration, tamper with software, install concealed malware and control the machine like a bot. Rootkit prevention using software alone is not effective because of the rootkit's stealthy operation: it hides its presence. Prevention therefore relies heavily on manual methods like monitoring for irregular activity, signature scanning and storage dump analysis. Regularly patching vulnerabilities, updating virus definitions, avoiding illegitimate downloads and performing static analysis scans can prevent rootkits.

The process of identifying and studying the lifecycle of a piece of malware is termed malware analysis; the study also extends to understanding its behavior and the techniques for preventing it. The two key techniques security professionals use are code (static) analysis and behavioral (dynamic) analysis. Although both accomplish the same goal of explaining how the malware works, the tools, time and skills required are very different. Code analysis is the actual viewing of the code and walking through it to understand the malware and what it is doing. Behavioral analysis looks at how the malware behaves when executed: who it talks to, what gets installed and how it runs. When performing malware analysis, both static and dynamic analysis should be performed to understand the complete behavior and impact on the host system. The figure below depicts the high-level process involved in malware analysis.

Code or static analysis is the process of analyzing a malware binary without running the actual code. First, the signature of the binary file is determined, which serves as a unique identifier for that binary. A cryptographic hash value of the file is then calculated, and each component is studied. Reverse engineering is used to understand the binary file by loading the executable into a disassembler, which converts the machine-readable code into assembly language for further analysis. Other techniques used in static analysis are file fingerprinting, virus scanning, memory dumping, packer detection and debugging. Basic analysis usually gathers indicators like file name, MD5 checksums or other hashes, file type, file size and antivirus recognition patterns. Static analysis is mostly much safer than dynamic analysis. However, it is largely ineffective against present-day malware, as it can miss some important behaviors.
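As an added example (not part of the original essay), the following Python script collects the basic static indicators the paragraph lists for one sample: file name, size, MD5 and SHA-256 hashes, a file type guessed from magic bytes, and a Shannon-entropy heuristic for packer detection. The sample bytes and the 7.0 entropy threshold are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

# Magic-byte signatures for a few common formats (constructed list, not exhaustive).
MAGIC = [
    (b"MZ", "DOS/PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP container (also Office/JAR/APK)"),
]


def detect_type(data: bytes) -> str:
    """Return a coarse file type from the leading magic bytes."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(data: bytes, name: str = "sample.bin") -> dict:
    """Collect the basic static indicators for one sample without executing it."""
    entropy = shannon_entropy(data)
    return {
        "name": name,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "type": detect_type(data),
        "entropy": round(entropy, 3),
        # Packed or encrypted payloads approach 8 bits/byte; 7.0 is a common
        # heuristic threshold (an assumption here), not a rule.
        "possibly_packed": entropy > 7.0,
    }


if __name__ == "__main__":
    # Constructed sample: an MZ header followed by an even spread of byte values,
    # which is what a packed section tends to look like.
    sample = b"MZ" + bytes(range(256)) * 4
    for key, value in triage(sample).items():
        print(f"{key:16} {value}")
```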

Dynamic analysis is a sophisticated form of analysis in which the malware under study is run in a controlled or isolated environment to observe its behavior. In advanced analysis, a debugger can be used to determine the functionality of the malware executable, which is difficult to obtain using static techniques alone. Dynamic analysis reveals indicators like domain names, IP addresses, file path locations, registry keys and additional files on the server or network. It is also useful for identifying an attacker-controlled external server used for command and control and for downloading additional malware files. Manual analysis is increasingly replaced by automated analysis in commercial sandboxes that are fully equipped with advanced detection tools. Although it is a detailed process, dynamic analysis is likely to miss important behaviors, because some malware is designed to detect and evade such environments.

Apart from regularly applying patches and updates, conducting penetration testing and forming usage policies, security researchers prepare a response plan to tackle security incidents. Malware response is an organized approach to responding to and managing the aftermath of a security incident. A malware incident response plan does not usually focus on the attack itself; rather, it emphasizes the payload (malware) left behind on the targeted systems. There are six steps involved in an effective response, which are explained in detail below. First, gather an appropriate team to create malware-specific incident handling policies and procedures. Run malware-oriented training and exercises to identify the gaps in the organization's policies and procedures. Determine the actual working procedure based on the organization, and ensure the overall preparedness of the malware response team.

Ensure complete immunity against any known malware or its variants by deploying and monitoring antivirus and anti-spyware software. Install toolkits on removable media for identifying, examining and analyzing malware. Perform static analysis at frequent intervals to ensure the safety of the product, conduct dynamic sandbox testing for overall vigilance, and keep adapting to technological advancements. Malware incidents may have to be contained by shutting down a server or workstation or by blocking services (e.g., e-mail, web browsing or Internet access). Backups of critical resources should be mandated, and the authorities responsible for such approvals must be quick and proactive during the response. Early containment can stop the spread of malware and prevent further damage to systems both internal and external to your network.

Incorporate a variety of eradication techniques to remove malware from the infected systems, and make sure to clean up the attacker's artifacts. If required, shut down or stop services to prevent the malware from spreading. Restore the confidentiality, integrity and availability of data on the infected systems, and bring the systems back to normal operation in a secure manner after the containment measures. This includes reconnecting systems to networks and rebuilding compromised systems from scratch or from known good backups. The risks of restoring network services are assessed, and a response guide for the restoration of services is devised. All the processes involved should be documented. Any changes in security policy, software configurations and the addition of malware detection and prevention controls are identified periodically and reported.

The user's environment can be greatly affected when malicious programs replicate. Replication can lead to the deletion, modification or corruption of files on systems, and it can even reset a secure setting in the environment, ultimately rendering the system ineffective. To mitigate this threat, a sandbox environment is required. Any malware program can be released in such an environment without fear of an actual impact on the rest of the core network. Actions within the sandbox are used in the malware study either to prevent the larger systems from being affected or to deploy preventive software. Generally, to understand the complete impact of a program, it is recommended to use a full-system emulation sandbox capable of replicating both the hardware and the software attached to the host system. Below are some of the common types of sandbox used:

Cuckoo Sandbox – an open-source tool for automating the analysis of suspicious files.

DroidBox – developed to offer dynamic analysis of Android applications.

Malwasm – a tool based on Cuckoo Sandbox, designed to help perform step-by-step analysis, log all malware activities and store them in a web-accessible database.

Behavioral monitoring tools give a sense of the key capabilities of a malicious program. They are classified by the behavior they identify:

Process monitoring: Process Explorer and Process Hacker replace the built-in Windows Task Manager. They help in observing malicious processes, including open local network ports, unencrypted files on the server and insecure network connections. ProcDOT, a powerful process monitoring tool, helps observe how local processes read, write or delete registry entries and files, which shows the ways in which malware attempts to embed itself in the system upon infection.

Network monitoring: Wireshark and Burp Suite are popular network sniffers. They can monitor network traffic for malicious communication attempts, such as DNS resolution requests, bot traffic or downloads.

Change detection: Regshot is a lightweight tool that compares a system's state before and after infection. It highlights the key changes the malware makes to the file system and the registry.
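An added example, not from the original essay or from Regshot itself: a minimal Python before/after comparison in the Regshot style, which hashes every file under a lab directory and reports what was added, removed or modified. The same diff function works on a dictionary of registry keys and values; the scratch directory and the simulated infection below are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot_dir(root: str) -> dict:
    """Map every file under root (as a relative path) to its SHA-256 digest."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            snap[str(full.relative_to(root))] = hashlib.sha256(full.read_bytes()).hexdigest()
    return snap


def diff_snapshots(before: dict, after: dict) -> dict:
    """Regshot-style comparison: keys that appeared, vanished, or changed value.

    Works for any {key: value} snapshot, e.g. file path -> hash or
    registry key -> data, so file-system and registry diffs share this code.
    """
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def format_report(delta: dict) -> str:
    """Render the diff as one line per change, grouped by change type."""
    lines = []
    for kind, keys in delta.items():
        for key in keys:
            lines.append(f"{kind.upper():9} {key}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed demo: a scratch directory stands in for the lab system.
    with tempfile.TemporaryDirectory() as lab:
        Path(lab, "config.ini").write_text("safe=1")
        Path(lab, "readme.txt").write_text("hello")
        before = snapshot_dir(lab)
        # Simulate, with harmless file writes, the kind of changes an
        # infection leaves behind: a config edit, a deletion and a dropped file.
        Path(lab, "config.ini").write_text("safe=0")
        Path(lab, "readme.txt").unlink()
        Path(lab, "dropped.dll").write_bytes(b"MZ" + b"\x00" * 16)
        print(format_report(diff_snapshots(before, snapshot_dir(lab))))
```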

Basic code analysis always helps uncover important characteristics that are difficult to derive from behavioral analysis. It is usually hard to obtain a malicious executable's source code, but compiled Windows executables can be reverse engineered. Disassemblers and memory dumpers help in such static analysis of code.

Disassembler and debugger: OllyDbg and IDA Pro Freeware are the most popular disassemblers used in static analysis. They can parse compiled Windows executables and, acting as disassemblers, display their code as assembly instructions. These tools also have debugging capabilities, which allow you to execute the most notable parts of the malicious program slowly and under highly controlled conditions, which further helps in understanding the purpose of the code.

Memory dumper: Scylla and OllyDumpEx help obtain the protected code located in a lab system's memory and dump it to a file. This technique is useful when analyzing packed executables, which are difficult to disassemble because they usually encode or encrypt their instructions, extracting them into RAM only at run time.

Present-day malware is increasingly sophisticated. Cybercriminals ensure that they constantly keep pace with every technological advancement, and while building malware they make sure it is undetectable by present-day tools. Practically every offensive technique is included in malware design to make it more complex to defend against, and malware is built to hide from users or software that try to detect it. Malware analysis is therefore an integral step in developing effective techniques against malicious code; it is also required to understand its types, nature and attack methodologies. Malware analysis also serves as a primary source of information when responding to network intrusions: it helps us determine the nature of the incident and locate all infected machines and files. The end goal is typically to inspect the binary's capabilities, its level of infection in the network and the ways to manage and contain it.


Software Industry and security of MBSA

The need for regular management of network vulnerabilities was often ignored at the onset of a vulnerability remediation project. Yet with more vulnerabilities being identified every day, and with such vulnerabilities being reintroduced by users into their environments, the remediation strategy needs to be repeated frequently. Organizations' security administrators should perform sufficient testing and implement more automated solutions, which will enable them to remediate their network not just every quarter but, in certain circumstances, monthly. As a result, this step must be taken into consideration during the early project planning stages. So far, there has been no silver bullet that can eliminate the growing list of vulnerabilities. However, IT security professionals can address their existing vulnerability exposures and prepare an adequate defense.

Vulnerabilities, Causes and Threats

Vulnerabilities can be defined as weaknesses or flaws that expose a system to the risk of attack. As we know, vulnerabilities may stem from outside sources such as natural calamities or climate change, or from things the organization controls, such as the network, data, hardware and software. They can also come from people, such as displeased employees or dishonest managers.

Methodology Used in Vulnerability Assessment and Recommendations

A vulnerability assessment is a test for weaknesses that may exist within a system. The four steps of assessing vulnerability are:

Scope – The first step is to decide which systems will be assessed.

Focus – After the scope has been determined, an appropriate time to conduct the assessment should be chosen. A vulnerability assessment should not be performed within the production environment, as it may harmfully affect standard business operations.

Assess – Next, the systems are tested for vulnerabilities. Finding system vulnerabilities is not necessarily a bad thing, especially if the organization was unaware that the vulnerabilities existed prior to the assessment; such a situation allows the company to take a further step to secure its systems.

Respond – The vulnerability assessment report forms the basis for any corrective measures, empowering management to decide the next action to take on the systems.

Vulnerability Testing Techniques

Network scanning – This technique uses port scanners to fingerprint systems, which provides information like the name of the computer being scanned, its open ports and the operating system it is running. This information can be leveraged by hackers to launch a targeted attack.

Vulnerability scanning – This method analyzes the automatic data processing system and installed applications to establish whether any recognized vulnerabilities exist.

Password strength – Passwords on the system are tested with various password-cracking tools to see whether secure passwords have been used.

Log review – Analyzing system logs is another method of tracking vulnerabilities. Log review is a significant part of the security management process and is widely used for determining whether a system has been breached.

Integrity checking – Integrity checks are used to examine the reliability of data in an organization's systems and establish the damage caused to the data by a malware infestation.

Antivirus measures – Scanning for viruses is one of the most valuable methods of detecting and preventing viruses from e-mails, websites and other sources.

War dialing – This is a method of operating a computer's modem to dial thousands of numbers in an effort to connect to other computer modems, which can provide unauthorized access to networks.

Wardriving – Wardriving involves an individual driving around with a laptop trying to connect to open wireless networks. For instance, an individual could park in a company's lot to see whether the company maintains an unencrypted network. Having joined this network, the individual could then see whether there was a way to connect to the encrypted network or use any corporate resources on it.

Penetration testing – This method tests the physical, social and technical barriers of a company to determine how vulnerable the company is to threats.

Social engineering – This is the practice of using social skills to convince people to perform actions they should not.

Many tools are available for testing the vulnerability and penetrability of a network:

NMap – This tool scans a network for open ports on a system and creates a visual network map.

Nessus – This is one of the most popular vulnerability scanners and is widely used in industry.

Microsoft Baseline Security Analyzer (MBSA) – A Microsoft software tool that determines whether systems on a network are missing security updates or have insufficient security settings for Microsoft applications, like the Windows operating system or SQL Server.

Ettercap – This tool offers the ability to intercept network connections and manipulate traffic. It is a network analysis tool that can scan for open ports, fingerprint operating systems and craft raw TCP/IP packets.

If all organizations simply followed these recommendations, the number of cybercrimes would be lower.

Windows and Linux

As we know, many organizations use both Windows and Linux, so the education management department should make sure that each employee is properly trained in both systems. Despite the popular idea that Linux may have fewer risk factors, organizations should still know that Linux has security risks which, if not addressed, can lead to a number of malicious attacks on their systems. The Linux systems that organizations come across tend to be just as vulnerable as their Windows counterparts. The weaknesses of Linux are not essentially the fault of the operating system (OS) but are due more to oversights by Linux administrators. Usually these are oversights related to default installations, which require more constant maintenance, and systems need to be tested strictly enough with proper tools to determine such weaknesses. The most common Linux vulnerabilities are:

General lack of patch management for the OS

Outdated third-party applications

General lack of system hardening

Lack of password enforcement and lack of backups

A security weakness of Linux systems is connected to data backups. In many cases, these vulnerabilities are connected to Windows-focused admins who do not know how to administer Linux systems. Organizations need to make it a priority to test Linux-based systems for vulnerabilities on a periodic and consistent basis. Companies never know when they are going to be exploited; that is why it is very important to have well-trained IT specialists for both systems.

Recommendations for organizations:

Mandatory education for each employee

Follow all policies of the organization

Keep information safe

Always have a backup

Unluckily, many employees share very sensitive data outside the workplace

Update systems

Do not use your work email as a personal one

No matter how confident we are about a company's success, there is always a possibility that something might go wrong. Things that may go wrong are called project risks. A sensible project manager can recognize all the project risks from the beginning and take action before even starting the project. There are rules, and if we follow them clearly, we can be capable of managing risks:

Accepting risk

Avoiding/eliminating risk

Transferring risk

Mitigating risk

Accepting the risk means that while we have recognized it and entered it in our risk management software, the company is not taking any action. The organization accepts that the risk may materialize and decides to deal with it if it does.


UK software industry

In the business world, strategic positioning has become an unavoidable endeavor as businesses look for every means of improving their competitive advantage. In such a business environment, a more reliable reprieve can be found in organizations adopting analysis models in their marketing campaigns. PEST analysis models have been utilized by organizations all […]
