This is my first blog, and my aim is to share the real-world experience of
cyber security experts. I will try to cover famous cyber-attacks and how a
cyber expert protects their environment from different types of attacks.
Apart from these, I will try to cover tutorials on different technologies and
tools related to cyber security.
Today I will start my blog with a very famous attack that was first detected
in November 2008. It affected government organizations, the private sector and
home computers in over 190 countries, making it the largest known computer
worm infection since 2003. If you are a cyber expert you have probably guessed
it already: I am talking about Conficker. It targeted Microsoft Windows
operating systems and first came into the picture in 2008. In 2011 Ukrainian
police arrested Mikael Sallnert, and he received a 48-month prison sentence.
How does Conficker affect your machine?
It uses dictionary attacks on administrator passwords to propagate while
forming a botnet, and it executes arbitrary code via a crafted RPC request
that triggers a buffer overflow during canonicalization. Conficker copies
itself under a random name into the system directory %systemroot%\system32
and registers itself as a service. It obtains the IP address of the machine,
then sets up a small HTTP server on it and scans for other machines to
infect. When a target is found, the infected machine's URL is sent to the
target as the payload; the remote computer then downloads the worm and starts
infecting other machines.
We need to understand why such attacks take place and how they enter an
environment. One of the main reasons is unmanaged machines in your
environment: rogue machines may help the attacker target your environment.
What is a rogue machine?
An unprotected system is known as a rogue system. If antivirus is not
installed on a machine, or the machine does not follow the security policy,
it may be counted as a rogue machine.
How can we protect our environment?
We can protect our environment by using antivirus, but what if a machine does
not have antivirus? In that case it is very difficult to find the machines
that do not have antivirus.
Let's take the example of a car manufacturing company. The business has
different units such as the manufacturing unit, the design unit, the dealer
unit and the showrooms. The car company directly manages the manufacturing
and design units, but it does not manage the showrooms directly, and it is
difficult to check the security status of its clients' (dealers') computers.
Due to business requirements, dealers can also access the company network,
and since the company does not manage dealer computers, there is a big risk
that an attacker first targets a dealer's computer (which is not secure or
has no antivirus installed) and from there attacks the manufacturing unit. To
protect against such an attack we need to govern all machines on our network,
no matter whether they are managed by us or not, and this is where Rogue
System Detection comes in.
How does Rogue System Detection work?
We need to install a Rogue System Detection sensor in our network; we can use
the DHCP server for it.
It detects all the machines that belong to that subnet (laptops, desktops, IP
phones, printers, etc.) and sends that information to the endpoint management
tool (from where cyber experts manage cyber security products).
It uses WinPcap to detect systems on the network; it also uses the ARP and
DHCP protocols to listen to other network traffic.
The rogue sensor sends information about every machine to the antivirus
management tool, where the antivirus management tool filters out which of
them are rogue systems.
We can put devices like printers or IP phones in an exception list so they
are not flagged, and we can block a few machines as per our requirements.
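To make the filtering step concrete, here is an added example (my own toy code, not code from any Rogue System Detection product): it parses constructed sensor observations gathered via ARP and DHCP, deduplicates hosts by MAC address, and classifies each as managed, exception (printer or IP phone, matched by MAC prefix) or rogue. The sensor log format, the managed inventory and the exception list are all assumptions made up for the example.

```python
import re

# Constructed sensor observations (protocol, IP, MAC), in the shape a sensor
# might report after listening to ARP and DHCP traffic on its subnet.
SENSOR_LOG = """\
ARP 10.1.1.10 00:1a:2b:3c:4d:10
DHCP 10.1.1.11 00:1a:2b:3c:4d:11
ARP 10.1.1.11 00:1A:2B:3C:4D:11
ARP 10.1.1.50 00:11:22:33:44:50
DHCP 10.1.1.60 aa:bb:cc:dd:ee:60
ARP 10.1.1.70 00:1a:2b:3c:4d:70
garbage line that the parser must skip
"""

# Constructed inventory: MACs of machines that report to the endpoint
# management tool, i.e. the agent and antivirus are installed.
MANAGED_MACS = {"00:1a:2b:3c:4d:10", "00:1a:2b:3c:4d:11"}

# Constructed exception list keyed by MAC prefix (OUI): printers and IP
# phones cannot run an agent, so they must not be reported as rogue.
EXCEPTION_OUIS = {"00:11:22": "printer", "aa:bb:cc": "ip-phone"}

LINE_RE = re.compile(r"^(ARP|DHCP)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f:]{17})$")


def parse_sensor_log(text):
    """Return {mac: {"ip": ..., "seen_via": {protocols}}}, one entry per MAC."""
    hosts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a malformed line must not stop the whole scan
        proto, ip, mac = m.group(1), m.group(2), m.group(3).lower()
        entry = hosts.setdefault(mac, {"ip": ip, "seen_via": set()})
        entry["ip"] = ip  # keep the most recently observed address
        entry["seen_via"].add(proto)
    return hosts


def classify(hosts, managed=MANAGED_MACS, exceptions=EXCEPTION_OUIS):
    """Split observed hosts into managed, exception and rogue, sorted by MAC."""
    result = {"managed": [], "exception": [], "rogue": []}
    for mac, info in sorted(hosts.items()):
        if mac in managed:
            result["managed"].append(mac)
        elif mac[:8] in exceptions:
            result["exception"].append((mac, exceptions[mac[:8]]))
        else:
            result["rogue"].append((mac, info["ip"]))
    return result
```

Calling classify(parse_sensor_log(SENSOR_LOG)) leaves only the host at 10.1.1.70 in the rogue list: it has no management agent and no exception entry, which is exactly the kind of machine the management tool should surface.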
In this way we can manage the rogue machines in our environment, protect it
from unmanaged machines, and protect our network from attacks like Conficker.