CYBERSECURITY SOLUTIONS FOR DIGITAL ENTERPRISES. [605205]
POLITEHNICA UNIVERSITY OF BUCHAREST
FACULTY OF ENTREPRENEURSHIP, BUSINESS
ENGINEERING AND MANAGEMENT
MANAGEMENT OF THE DIGITAL ENTERPRISES
CYBERSECURITY SOLUTIONS FOR DIGITAL ENTERPRISES.
THE DEFENSE-IN-DEPTH APPROACH
Scientific Research Report 1
Thesis supervisor:
PhD. Alexandra IOANID
Student: [anonymized] 2018
Table of Contents
Attacks and Defenses ..... 7
Steps of an Attack ..... 7
Defenses Against Attacks ..... 8
Malware Attacks ..... 10
Circulation/Infection ..... 11
Concealment ..... 15
Payload Capabilities ..... 15
Conclusions ..... 19
Table of Figures
Figure 1: Relationship of security to convenience ..... 2
Figure 2: Skills needed for creating attacks ..... 5
Figure 3: Cyber Kill Chain ..... 8
Figure 4: Appender infection ..... 12
Figure 5: Swiss cheese infection ..... 13
Figure 6: Split infection ..... 13
Figure 7: Ransomware message ..... 17
Table of Tables
Table 1: Characteristics of these different attackers ..... 7
Table 2: Windows file types that can be infected ..... 12
Table 3: Difference between viruses, worms, and Trojans ..... 14
Table 4: Technologies used by spyware ..... 15
Table 5: Famous logic bombs ..... 17
Table 6: Uses of botnets ..... 18
What Is Information Security?
Understanding Security
A search of the Internet to define the word security will result in a variety of definitions. Sometimes security is defined as the state of being free from danger, while at other times security is said to be the protection of property. Another interpretation of security is the degree of resistance from harm. The difference in these definitions hinges upon whether the focus is on the process (how to achieve security) or the goal (what it means to have security). In reality security is both: it is the goal to be free from danger as well as the process that achieves that freedom.
Yet because complete security can never be fully achieved, most often security is viewed as a process. In this light security may be defined as the necessary steps to protect a person or property from harm. This harm may come from one of two sources: either from a direct action that is intended to inflict damage or from an indirect and unintentional action. Consider a typical house: it is necessary to provide security for the house and its inhabitants from these two different sources. For example, the house and its occupants must be secure from the direct attack of a criminal who wants to inflict bodily harm on someone inside or a burglar who wants to steal a television. This security may be provided by locked doors, a fence, or a strong police presence. In addition, the house must also be protected from indirect acts that are not exclusively directed against it. That is, the house needs to be protected from a hurricane (by being built with strong materials and installing hurricane shutters) or a storm surge (by being built off the ground).
It is also important to understand the relationship between security and convenience. As security is increased, convenience is often decreased. That is, the more secure something is, the less convenient it may become to use (security is said to be “inversely proportional” to convenience). Consider again a typical house. A homeowner might install an automated alarm system that requires a code to be entered on a keypad within 30 seconds of entering the house. Although the alarm system makes the house more secure, it is less convenient than just walking into the house. Thus, security may be understood as sacrificing convenience for safety. Another way to think of security is giving up short-term comfort for long-term protection. In any case, security usually requires forgoing convenience to achieve a greater level of safety or protection.
Figure 1: Relationship of security to convenience
Defining Information Security
The term information security is frequently used to describe the tasks of securing information that is in a digital format. This digital information is manipulated by a microprocessor (such as on a personal computer), stored on a storage device (like a hard drive or USB flash drive), and transmitted over a network (such as a local area network or the Internet).
Just as security can be viewed as both a goal and a process, the same is true with information security. Information security can be best understood by examining its goals and the process of how it is accomplished. Together these can help create a solid definition of information security.
Information security cannot completely prevent successful attacks or guarantee that a system is totally secure, just as the security measures taken for a house can never guarantee complete safety from a burglar or a hurricane. The goal of information security is to ensure that protective measures are properly implemented to ward off attacks and prevent the total collapse of the system when a successful attack does occur. Thus, information security is first protection.
Second, information security is intended to protect information that provides value to people and organizations. There are three protections that must be extended over information: confidentiality, integrity, and availability, or CIA:
• Confidentiality. It is important that only approved individuals can access important information. For example, the credit card number used to make an online purchase must be kept secure and not made available to other parties. Confidentiality ensures that only authorized parties can view the information. Providing confidentiality can involve several different security tools, ranging from software to “scramble” the credit card number stored on the web server to door locks to prevent access to those servers.
• Integrity. Integrity ensures that the information is correct and no unauthorized person or malicious software has altered the data. In the example of the online purchase, an attacker who could change the amount of a purchase from $10,000.00 to $1.00 would violate the integrity of the information.
• Availability. Information has value if the authorized parties who are assured of its integrity can access the information. Availability ensures that data is accessible to authorized users. This means that the information cannot be “locked up” so tight that no one can access it. It also means that attackers have not performed an attack so that the data cannot be reached.
In addition to CIA, another set of protections must be implemented to secure information. These are authentication, authorization, and accounting, or AAA:
1. Authentication. Authentication ensures that the individual is who she claims to be (the authentic or genuine person) and not an imposter. A person accessing the web server that contains a user’s credit card number must prove that she is indeed who she claims to be and not a fraudulent attacker. One way in which authentication can be performed is by the person providing a password that only she knows.
2. Authorization. Authorization is providing permission or approval to specific technology resources. After a person has provided authentication she may have the authority to access the credit card number or enter a room that contains the web server, provided she has been given prior authorization.
3. Accounting. Accounting provides tracking of events. This may include a record of who accessed the web server, from what location, and at what specific time.
Information security involves more than protecting the information itself. Because this information is stored on computer hardware, manipulated by software, and transmitted by communications, each of these areas must also be protected. The third objective of information security is to protect the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information.
In the past the term hacker referred to a person who used advanced computer skills to attack computers. Yet because that title often carried with it a negative connotation, it was qualified in an attempt to distinguish between different types of attackers. Black hat hackers were those attackers who violated computer security for personal gain (such as to steal credit card numbers) or to inflict malicious damage (corrupt a hard drive). White hat hackers were described as “ethical attackers”: with an organization’s permission they would attempt to probe a system for any weaknesses and then privately provide information back to that organization about any uncovered vulnerabilities. In between were gray hat hackers who would attempt to break into a computer system without the organization’s permission (an illegal activity) but not for their own advantage; instead, they would disclose the vulnerability in order to shame the organization into taking action.
However, these “hat” titles did not always accurately reflect the different motives and goals of the attackers and are not widely used in the security community. Instead, more descriptive categories of attackers are used, including cybercriminals, script kiddies, brokers, insiders, cyberterrorists, hactivists, and state-sponsored attackers.
Who Are the Attackers?
Cybercriminals
The generic term cybercriminals is often used to describe individuals who launch attacks against other users and their computers (another generic word is simply attackers). However, strictly speaking cybercriminals are a loose network of attackers, identity thieves, and financial fraudsters who are highly motivated, less risk-averse, well-funded, and tenacious. Some security experts believe that many cybercriminals belong to organized gangs of young attackers, often clustered in Eastern European, Asian, and Third World regions.
Instead of attacking a computer to show off their technology skills (fame), cybercriminals have a more focused goal of financial gain (fortune): cybercriminals exploit vulnerabilities to steal information or launch attacks that can generate income. This difference makes the new attackers more dangerous and their attacks more threatening. These targeted attacks against financial networks and the theft of personal information are sometimes known as cybercrime. Financial cybercrime is often divided into two categories. The first category focuses on individuals and businesses. Cybercriminals steal and use stolen data, credit card numbers, online financial account information, or Social Security numbers to profit from their victims, or send millions of spam emails to peddle counterfeit drugs, pirated software, fake watches, and pornography.
The second category focuses on businesses and governments. Cybercriminals attempt to steal research on a new product from a business so that they can sell it to an unscrupulous foreign supplier who will then build an imitation model of the product to sell worldwide. This deprives the legitimate business of profits after investing hundreds of millions of dollars in product development, and because these foreign suppliers are in a different country they are beyond the reach of domestic enforcement agencies and courts. Governments are also the targets of cybercriminals: if the latest information on a new missile defense system can be stolen it can be sold, at a high price, to that government’s enemies.
The attacks by these well-resourced and trained cybercriminals often result in multiyear intrusion campaigns targeting highly sensitive economic, proprietary, or national security information. This has created a new class of attacks called Advanced Persistent Threat (APT). Cybercriminals are successful with APTs because they use advanced tools and techniques that can defeat many conventional computer defenses.
Script Kiddies
Script kiddies are individuals who want to attack computers, yet they lack the knowledge of computers and networks needed to do so. Script kiddies instead do their work by downloading automated attack software (scripts) from websites and using it to perform malicious acts. Figure 2 illustrates the skills needed for creating attacks. Over 40 percent of attacks require low or no skills and are frequently conducted by script kiddies.
Figure 2: Skills needed for creating attacks
Today script kiddies can acquire entire exploit kits from other attackers to easily craft an attack. Script kiddies can either rent or purchase the kit from its authors and then specify various options to customize their attacks.
Brokers
In recent years several software vendors have started financially rewarding individuals who uncover vulnerabilities in their software and then privately report them back to the vendors so that the weaknesses can be addressed. Some vendors even sponsor annual competitive contests and handsomely pay those who can successfully attack their software. However, other individuals who uncover vulnerabilities do not report them to the software vendor but instead sell them to the highest bidder. Known as brokers, these attackers sell their knowledge of a vulnerability to other attackers or even governments. These buyers are generally willing to pay a high price because the vulnerability is unknown to the software vendor and thus is unlikely to be “patched” until after new attacks based on it are already widespread.
Insiders
Another serious threat to an organization actually comes from an unlikely source: its employees, contractors, and business partners, often called insiders. For example, a health care worker disgruntled over an upcoming job termination might illegally gather health records on celebrities and sell them to the media, or a securities trader who loses billions of dollars on bad stock bets could use her knowledge of the bank’s computer security system to conceal the losses through fake transactions.
Most malicious insider attacks consist of the sabotage or theft of intellectual property. One study revealed that most cases of sabotage come from employees who have announced their resignation or have been formally reprimanded, demoted, or fired. When theft is involved, the offenders are usually salespeople, engineers, computer programmers, or scientists who actually believe that the accumulated data is owned by them and not the organization (most of these thefts occur within 30 days of the employee resigning).
Cyberterrorists
Many security experts fear that terrorists will turn their attacks to a nation’s network and computer infrastructure to cause disruption and panic among citizens. Known as cyberterrorists, their motivation is ideological, attacking for the sake of their principles or beliefs. Cyberterrorists may be the attackers that are most feared, for it is almost impossible to predict when or where an attack may occur. Unlike cybercriminals who continuously probe systems or create attacks, cyberterrorists can be inactive for several years and then suddenly strike in a new way. Their targets may include a small group of computers or networks that can affect the largest number of users, such as the computers that control the electrical power grid of a state or region.
Hactivists
Another group motivated by ideology is hactivists. Unlike cyberterrorists who launch attacks against foreign nations to incite panic, hactivists (a combination of the words hack and activism) are generally not as well-defined. Attacks by hactivists can involve breaking into a website and changing the contents on the site as a means of making a political statement against those who oppose their beliefs. In addition to attacks as a means of protest or to promote a political agenda, other attacks can be retaliatory. For example, hactivists may disable the website belonging to a bank because that bank stopped accepting online payments that were deposited into accounts belonging to the hactivists.
State-Sponsored Attackers
Instead of using an army to march across the battlefield to strike an adversary, governments are using state-sponsored attackers for launching computer attacks against their foes. In recent years the work of some attackers appears to have been sponsored by different governments. These attackers target foreign governments or even citizens of the government who are considered hostile or threatening.
• The malware known as Flame appears to target computers in Middle Eastern countries. One of Flame’s most ingenious tricks, which had many security researchers in awe, created a fake Microsoft electronic document so that Flame appeared to be an update from Microsoft and was easily distributed to any Windows computer.
• Perhaps the most infamous government-backed malware to date was called Stuxnet. This malware actively targeted Windows computers that managed large-scale industrial-control systems used at military installations, oil pipeline control systems, manufacturing environments, and nuclear power plants. At first it was thought that Stuxnet took advantage of a single previously unknown software vulnerability. Upon closer inspection, it was found that Stuxnet exploited four unknown vulnerabilities, something never seen before.
• It is estimated that more than 300,000 Iranian citizens were having their email messages read without their knowledge by the Iranian government seeking to locate and crack down on dissidents. It appears that the government used stolen electronic documents to permit its spies to log in directly to the email mailboxes of the victims and read any stored emails. In addition, another program could pinpoint the exact location of the victim.
Attacker category | Objective | Typical target | Sample attack
Cybercriminals | Fortune over fame | Users, businesses, governments | Steal credit card information
Script kiddies | Thrills, notoriety | Businesses, users | Erase data
Brokers | Sell vulnerability to highest bidder | Any | Find vulnerability in operating system
Insiders | Retaliate against employer, shame government | Governments, businesses | Steal documents to publish sensitive information
Cyberterrorists | Cause disruption and panic | Businesses | Cripple computers that control water treatment
Hactivists | To right a perceived wrong against them | Governments, businesses | Disrupt financial website
State-sponsored attackers | Spy on citizens, disrupt foreign government | Users, governments | Read user’s email messages
Table 1: Characteristics of these different attackers
Attacks and Defenses
Although a wide variety of attacks can be launched against a computer or network, the same basic steps are used in most attacks. Protecting computers against these steps in an attack calls for following five fundamental security principles.
Steps of an Attack
A kill chain is a military term used to describe the systematic process to target and engage an enemy. An attacker who attempts to break into a web server or computer network actually follows these same steps. Known as the Cyber Kill Chain [1], it outlines these steps of an attack:
Reconnaissance. The first step in an attack is to probe for any information about the system: the type of hardware used, version of operating system software, and even personal information about the users. This can reveal if the system is a viable target for an attack and how it could be attacked.
Weaponization. The attacker creates an exploit (like a virus) and packages it into a deliverable payload (like a Microsoft Excel spreadsheet) that can be used against the target.
[1] The Cyber Kill Chain was first introduced by researchers at Lockheed Martin in 2011. The company later trademarked the term “Cyber Kill Chain.”
Delivery. At this step the weapon is transmitted to the target, such as by an email attachment or through an infected web server.
Exploitation. After the weapon is delivered to the victim, the exploitation stage triggers the intruders’ exploit. Generally, the exploitation targets an application or operating system vulnerability, but it also could involve tricking the user into taking a specific action.
Installation. At this step the weapon is installed to either attack the computer or install a remote “backdoor” so the attacker can access the system.
Command and Control. Many times, the compromised system connects back to the attacker so that the system can be remotely controlled by the attacker and receive future instructions.
Actions on Objectives. Now the attackers can start to take actions to achieve their original objectives, such as stealing user passwords or launching attacks against other computers.
Figure 3: Cyber Kill Chain
Defenses Against Attacks
Although multiple defenses may be necessary to withstand an attack, these defenses should be based on five fundamental security principles: layering, limiting, diversity, obscurity, and simplicity. These principles provide a foundation for building a secure system.
Layering. Information security must be created in layers. If only one defense mechanism is in place, an attacker only has to circumvent that single defense. Instead, a security system must have layers, making it unlikely that an attacker has the tools and skills to break through all the layers of defenses. A layered approach also can be useful in resisting a variety of attacks. Layered security provides the most comprehensive protection.
Limiting. Limiting access to information reduces the threat against it. This means that only those personnel who must use the data should have access to it. In addition, the type of access they have should be limited to what those people need to perform their jobs. For example, access to the human resource database for an organization should be limited to only employees who have a genuine need to access it, such as human resource personnel or vice presidents. And, the type of access also should be restricted: human resource employees may be able to view employee salaries but not change them. What level of access should users have? The correct answer is the least amount necessary to do their jobs, and no more. Some ways to limit access are technology-based (such as assigning file permissions so that a user can only read but not modify a file), while others are procedural (prohibiting an employee from removing a sensitive document from the premises). The key is that access must be restricted to the bare minimum.
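The AAA protections described under Defining Information Security and the least-privilege rule from the Limiting principle (HR staff may view salaries but not change them) can be seen together in one small flow. This is an added example, not code from the report: the accounts, passwords, salary records and IP addresses are constructed, and the password store uses standard-library PBKDF2 rather than any particular product.

```python
"""Toy authentication / authorization / accounting flow over an HR salary table.

Added example, not part of the report. Users, passwords, salaries and IP
addresses are constructed; permissions follow the rule that HR staff may
view salaries but only payroll may change them.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone

PBKDF2_ROUNDS = 100_000  # kept modest so the demo runs quickly


def hash_password(password, salt=b""):
    """Store a salted PBKDF2 digest, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed account store. "perms" is the whole grant: anything absent is
# denied, so hr_clerk can read salaries but only payroll can write them.
USERS = {}
for _name, _pw, _perms in [
    ("hr_clerk", "hr-pass-1", {"salary:read"}),
    ("payroll", "pay-pass-2", {"salary:read", "salary:write"}),
    ("intern", "intern-pw", set()),
]:
    _salt, _digest = hash_password(_pw)
    USERS[_name] = {"salt": _salt, "digest": _digest, "perms": _perms}

SALARIES = {"E100": 52000, "E200": 61500}  # constructed HR records
AUDIT_LOG = []  # accounting: who did what, from where, when, with what outcome


def authenticate(username, password):
    """Authentication: is the caller who they claim to be?"""
    rec = USERS.get(username)
    if rec is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        hash_password(password, b"\x00" * 16)
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["digest"])


def authorize(username, permission):
    """Authorization: least privilege, so only an explicit grant allows the action."""
    rec = USERS.get(username)
    return rec is not None and permission in rec["perms"]


def access_salary(user, password, source_ip, action, employee, new_value=None):
    """Run one request through all three A's and record it in the audit log."""
    needed = "salary:read" if action == "read" else "salary:write"
    if not authenticate(user, password):
        outcome = "DENIED:authentication"
    elif not authorize(user, needed):
        outcome = "DENIED:authorization"
    elif employee not in SALARIES:
        outcome = "DENIED:no-such-record"
    elif action == "read":
        outcome = f"OK:{SALARIES[employee]}"
    else:
        SALARIES[employee] = new_value
        outcome = "OK:updated"
    # Accounting: the record answers who, what, from where, when, and the result.
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "ip": source_ip,
        "action": f"{action} {employee}", "outcome": outcome,
    })
    return outcome


if __name__ == "__main__":
    print(access_salary("hr_clerk", "hr-pass-1", "10.0.0.5", "read", "E100"))
    print(access_salary("hr_clerk", "hr-pass-1", "10.0.0.5", "write", "E100", 1))
    for entry in AUDIT_LOG:
        print(entry)
```

Denied requests are logged just like successful ones, which is what makes the accounting record useful when reviewing who tried to change a salary and from where.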
Diversity. Diversity is closely related to layering. Just as it is important to protect data with layers of security, the layers also must be different (diverse). This means that if attackers penetrate one layer, they cannot use the same techniques to break through all other layers. A jewel thief, for instance, might be able to foil the security camera by dressing in black clothing but should not be able to use the same technique to trick the motion detection system. Using diverse layers of defense means that breaching one security layer does not compromise the whole system.
Information security diversity may be achieved in several ways. For example, some organizations use security products provided by different manufacturers. An attacker who can circumvent a security device from Manufacturer A could then use those same skills and knowledge to defeat all of the same devices used by the organization. However, if devices from Manufacturer A and similar devices from Manufacturer B were both used by the same organization, the attacker would have more difficulty trying to break through both types of devices because they would be different.
Obscurity. An example of obscurity in information security would be not revealing the type of computer, version of operating system, or brand of software that is used. An attacker who knows that information could use it to determine the vulnerabilities of the system to attack it. However, if this information is concealed it is more difficult to attack the system, since nothing is known about it and it is hidden from the outside. Obscuring information can be an important means of protection.
Although obscurity is an important element of defense, it is not the only element. Sometimes the design or implementation of a device is kept secret with the thinking that if attackers do not know how it works, then it is secure. This attempt at “security through obscurity” is flawed because it depends solely on secrecy as a defense.
Simplicity. Because attacks can come from a variety of sources and in many ways, information security is by its very nature complex. The more complex it becomes, the more difficult it is to understand. A security guard who does not understand how motion detectors interact with infrared trip lights may not know what to do when one system alarm shows an intruder, but the other does not. In addition, complex systems allow many opportunities for something to go wrong. In short, complex systems can be a thief’s ally. The same is true with information security. Complex security systems can be hard to understand, troubleshoot, and even feel secure about. As much as possible, a secure system should be simple for those on the inside to understand and use. Complex security schemes are often compromised to make them easier for trusted users to work with, yet this can also make it easier for the attackers. In short, keeping a system simple from the inside, but complex on the outside, can sometimes be difficult but reaps a major benefit.
Malware Attacks
Malware is software that enters a computer system without the user’s knowledge or consent and then performs an unwanted and usually harmful action. Strictly speaking, malware uses a threat vector to deliver a malicious “payload” that performs a harmful function once it is invoked. However, malware is most often used as a general term that refers to a wide variety of damaging software programs.
In order to detect malware on an infected computer, a software scanning tool can search for the malware, looking to match it against a known pattern of malware. In order to circumvent this detection of their software, attackers can mask the presence of their malware by having it “mutate” or change. Three types of mutating malware are:
Oligomorphic malware. It changes its internal code to one of a set number of predefined mutations whenever it is executed. However, because oligomorphic malware has only a limited number of mutations, it will eventually change back into a previous version that may then be detected by a scanner.
Polymorphic malware. Malware code that completely changes from its original form whenever it is executed is known as polymorphic malware. This is usually accomplished by the malware containing “scrambled” code that, when the malware is activated, is “unscrambled” before it is executed.
Metamorphic malware. Can actually rewrite its own code and thus appears different each time it is executed. It does this by creating a logical equivalent of its code whenever it is run.
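The two claims above, that a pattern-matching scanner misses scrambled code and that oligomorphic code eventually cycles back to a form the scanner has already seen, can be checked on a toy model. This is an added example, not code from the report: the “payload” is a harmless marker string, the “scrambling” is a one-byte XOR, and the unscramble stub is a fixed label, so the only thing it models is the scanner’s view; metamorphic rewriting is not modelled.

```python
"""Toy model of signature scanning against oligomorphic and polymorphic code.

Added example, not from the report. The stored form is a constant "stub",
one key byte, and an XOR-scrambled body, which is enough to show what a
plain signature match sees and what an emulating scanner can do instead.
"""
import secrets

PLAIN_BODY = b"TOY-MARKER-BODY-nothing-harmful"  # constructed stand-in for code
SIGNATURE = PLAIN_BODY[:12]                       # what a naive scanner looks for
STUB_MAGIC = b"UNSCRAMBLE:"                       # constant decoder stub in this toy


def scramble(body, key):
    """Stub + key byte + XOR-scrambled body: the form that sits on disk."""
    return STUB_MAGIC + bytes([key]) + bytes(b ^ key for b in body)


def naive_scan(sample):
    """Static pattern match against the plain signature only."""
    return SIGNATURE in sample


class OligomorphicSample:
    """Re-scrambles itself from a fixed set of keys on every 'execution'."""
    KEYS = (0x21, 0x5A, 0x7F)

    def __init__(self):
        self.run = 0
        self.image = scramble(PLAIN_BODY, self.KEYS[0])

    def execute(self):
        self.run += 1
        self.image = scramble(PLAIN_BODY, self.KEYS[self.run % len(self.KEYS)])
        return self.image


class PolymorphicSample:
    """Fresh random key on every execution, so the stored form keeps changing."""
    def __init__(self):
        self.image = scramble(PLAIN_BODY, secrets.randbelow(255) + 1)

    def execute(self):
        self.image = scramble(PLAIN_BODY, secrets.randbelow(255) + 1)
        return self.image


def runs_until_seen_form_repeats(sample, max_runs=50):
    """A scanner that remembers every form it has seen catches oligomorphic
    code as soon as it cycles back to an earlier mutation; returns that run
    number, or -1 if no repeat occurred within max_runs."""
    seen = {sample.image}
    for run in range(1, max_runs + 1):
        image = sample.execute()
        if image in seen:
            return run
        seen.add(image)
    return -1


def emulating_scan(sample):
    """Recognise the constant stub, read its key, unscramble the body the way
    the stub would at run time, then apply the signature to the result."""
    if len(sample) <= len(STUB_MAGIC) or not sample.startswith(STUB_MAGIC):
        return False
    key = sample[len(STUB_MAGIC)]
    body = bytes(b ^ key for b in sample[len(STUB_MAGIC) + 1:])
    return SIGNATURE in body


if __name__ == "__main__":
    oligo, poly = OligomorphicSample(), PolymorphicSample()
    print("naive scan, oligomorphic:", naive_scan(oligo.image))
    print("emulating scan, oligomorphic:", emulating_scan(oligo.image))
    print("oligomorphic repeats after run:", runs_until_seen_form_repeats(oligo))
    print("naive scan, polymorphic:", naive_scan(poly.image))
    print("emulating scan, polymorphic:", emulating_scan(poly.execute()))
```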
Different types of malware have emerged over time because of security defenses becoming more sophisticated and the corresponding attacks becoming progressively more complex. However, there has been no standard established for the classification of the different types of malware. As a result, the definitions of the different types of malware are often confusing and may overlap. One method of classifying the various types of malware is by using the primary trait that the malware possesses. These traits are circulation, infection, concealment, and payload capabilities.
Circulation. Some malware has as its primary trait spreading rapidly to other systems in order to impact a large number of users. Malware can circulate through a variety of means: by using the network to which all the devices are connected, through USB flash drives that are shared among users, or by sending the malware as an email attachment. Malware can be circulated automatically, or it may require an action by the user.
Infection. Once the malware reaches a system through circulation, then it must “infect” or embed itself into that system. The malware might run only one time and then store itself in the computer’s memory, or it might remain on the system and be launched an infinite number of times through an auto-run feature. Some malware attaches itself to a benign program while other malware functions as a stand-alone process.
Concealment. Some malware has as its primary trait avoiding detection by concealing its presence from scanners. Polymorphic malware attempts to avoid detection by changing itself, while other malware can embed itself within existing processes or modify the underlying host operating system.
Payload capabilities. When payload capabilities are the primary focus of malware, the focus is on what nefarious action(s) the malware performs. Does it steal passwords and other valuable data from the user’s system? Does it delete programs, so the computer can no longer function properly? Or does the malware modify the system’s security settings? In some cases, the purpose of the malware is to use the infected system to launch attacks against other computers.
Circulation/Infection
Three types of malware have the primary traits of circulation and/or infection. These are viruses, worms, and Trojans.
Viruses
A biological virus is an agent that reproduces inside a cell. When a cell is infected by a virus, the virus takes over the operation of that cell, converting it into a virtual factory to make more copies of it. The cell is forced to produce thousands or hundreds of thousands of identical copies of the original virus very rapidly (the polio virus can make more than one million copies of itself inside one single infected human cell). Biologists often say that viruses exist only to make more viruses. A computer virus (virus) is malicious computer code that, like its biological counterpart, reproduces itself on the same computer. Strictly speaking a computer virus replicates itself (or an evolved copy of itself) without any human intervention.
Almost all viruses “infect” by inserting themselves into a computer file. A virus that infects an executable program file is simply called a program virus. When the program is launched the virus is activated. A virus can also infect a data file. One of the most common data file viruses is a macro virus that is written in a script known as a macro. A macro is a series of instructions that can be grouped together as a single command. Often macros are used to automate a complex set of tasks or a repeated series of tasks. Macros can be written by using a macro language, such as Visual Basic for Applications (VBA), and are stored within the user document (such as in an Excel .XLSX worksheet or Word .DOCX file). Once the document is opened, the macro instructions then execute, whether those instructions are benign or a macro virus. A very large number of different file types can contain a virus.
File extension | Description
-------------- | -----------
.DOCX, .XLSX | Microsoft Office user documents
.EXE | Executable program file
.MSI | Microsoft installer file
.MSP | Windows installer patch file
.SCR | Windows screen saver
.CPL | Windows Control Panel file
.MSC | Microsoft Management Console file
.WSF | Windows script file
.REG | Windows registry file
.PS1 | Windows PowerShell script
Table 2: Windows file types that can be infected
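The macro-virus mechanism described above is easiest to see from the defender’s side: an Office Open XML document is a ZIP container, and a VBA macro project travels inside it as a part named vbaProject.bin. The following is an added example, not code from the report: it constructs two minimal in-memory containers and checks the archive itself rather than trusting the file extension (the document and part names used are constructed placeholders).

```python
"""Detect embedded VBA macros in Office Open XML containers by inspection.

Added example for this report, not the report's own code. An OOXML file
(.docx/.docm/.xlsx/.xlsm) is a ZIP archive; a VBA project is stored as a
part named vbaProject.bin and is declared in [Content_Types].xml. Because
the extension alone says nothing reliable, the archive itself is checked.
"""
import io
import zipfile

# Content type that Office assigns to a VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def scan_office_container(data: bytes) -> dict:
    """Return findings about macro content in an OOXML container.

    Keys: is_zip, macro_parts (archive members ending in vbaProject.bin),
    content_type_declares_vba, has_macro.
    """
    result = {"is_zip": False, "macro_parts": [],
              "content_type_declares_vba": False, "has_macro": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a container at all, so no OOXML macro can be inside
    result["is_zip"] = True
    with zf:
        names = zf.namelist()
        # Case-insensitive match: the part lives under word/, xl/ or ppt/.
        result["macro_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if "[Content_Types].xml" in names:
            ct = zf.read("[Content_Types].xml").decode("utf-8", errors="replace")
            result["content_type_declares_vba"] = VBA_CONTENT_TYPE in ct
    result["has_macro"] = bool(result["macro_parts"]) or result["content_type_declares_vba"]
    return result


def build_sample_document(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like ZIP for demonstration (not a real Word file)."""
    buf = io.BytesIO()
    overrides = ('<Override PartName="/word/document.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_macro:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    content_types = ('<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                     f'package/2006/content-types">{overrides}</Types>')
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("benign.docx", False), ("suspicious.docx", True)):
        print(label, scan_office_container(build_sample_document(flag)))
```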
Early viruses were relatively straightforward in how they infected files. One basic type of infection is the appender infection. The virus first attaches or appends itself to the end of the infected file. It then inserts at the beginning of the file a “jump” instruction that points to the end of the file, which is the beginning of the virus code. When the program is launched, the jump instruction redirects control to the virus.
Figure 4: Appender infection
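The appender layout just described (virus code at the end of the file, a redirected entry at the start) is exactly what a file-integrity check can catch. The following added example, not from the report, uses a constructed toy executable format named TOYX (invented here; its header fields are assumptions) and flags the three telltale signs: an entry point outside the declared code, trailing bytes past the declared end, and a hash that no longer matches a trusted baseline.

```python
"""Detect appender-style tampering in a constructed toy executable format.

Added example for this report, not the report's own code. The "TOYX"
format is invented for illustration: a 12-byte header (magic, entry
offset, declared code length) followed by the code bytes. An appender
infection adds a block past the declared end and points the entry at it,
which an integrity check detects without knowing the virus itself.
"""
import hashlib
import struct
from typing import List, Optional

MAGIC = b"TOYX"
HEADER = struct.Struct("<4sII")  # magic, entry offset, code length


def parse_header(data: bytes):
    """Return (entry_offset, code_length) or raise ValueError on a malformed file."""
    if len(data) < HEADER.size:
        raise ValueError("file too short")
    magic, entry, code_len = HEADER.unpack_from(data, 0)
    if magic != MAGIC:
        raise ValueError("bad magic")
    return entry, code_len


def check_integrity(data: bytes, baseline_sha256: Optional[str] = None) -> List[str]:
    """Return findings about the file; an empty list means nothing suspicious."""
    findings = []
    entry, code_len = parse_header(data)
    declared_end = HEADER.size + code_len
    # Sign 1: the "jump" at the start no longer lands inside the declared code.
    if entry < HEADER.size or entry >= declared_end:
        findings.append(f"entry offset {entry} lies outside the declared code region")
    # Sign 2: bytes were appended beyond what the header accounts for.
    if len(data) > declared_end:
        findings.append(f"{len(data) - declared_end} trailing bytes past the declared end")
    # Sign 3: the file differs from a baseline taken when it was known to be clean.
    if baseline_sha256 is not None and hashlib.sha256(data).hexdigest() != baseline_sha256:
        findings.append("content hash differs from the trusted baseline")
    return findings


def baseline_for(data: bytes) -> str:
    """Record a trusted hash of a known-good file."""
    return hashlib.sha256(data).hexdigest()


def build_sample(infected: bool) -> bytes:
    """Construct a clean toy executable, or the same file laid out as an appender victim."""
    code = b"\x90" * 32  # placeholder program body
    clean = HEADER.pack(MAGIC, HEADER.size, len(code)) + code
    if not infected:
        return clean
    # Constructed appender layout from the text: an extra block sits at the
    # end of the file and the entry offset at the start now points to it.
    appended = b"\xcc" * 16
    return HEADER.pack(MAGIC, len(clean), len(code)) + code + appended


if __name__ == "__main__":
    clean = build_sample(False)
    trusted = baseline_for(clean)
    print("clean file:", check_integrity(clean, trusted))
    print("appended file:", check_integrity(build_sample(True), trusted))
```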
However, these types of viruses could easily be detected by virus scanners. Most viruses today go to great lengths to avoid detection; this type of virus is called an armored virus. Some of the armored virus infection techniques include:
• Swiss cheese infection. Instead of having a single “jump” instruction to the “plain” virus code, some armored viruses perform two actions to make detection more difficult. First, they “scramble” (encrypt) the virus code to make it more difficult to detect. Then they divide the engine that “unscrambles” (decrypts) the virus code into different pieces and inject these pieces throughout the infected program code. When the program is launched, the different pieces are then tied together and unscramble the virus code.
Figure 5: Swiss cheese infection
• Split infection. Instead of inserting pieces of the decryption engine throughout the program code, some viruses split the malicious code itself into several parts (along with one main body of code), and then these parts are placed at random positions throughout the program code. To make detection even more difficult, these parts may contain unnecessary “garbage” code to mask their true purpose.
Figure 6: Split infection
Each time the infected program is launched or the file is opened—either by the user or the computer’s operating system—the virus performs two actions. First, it unloads a payload to perform a malicious action. Although early viruses often did nothing more than display an annoying message, viruses today are much more harmful. Viruses have performed the following actions:
• Caused a computer to crash repeatedly
• Erased files from a hard drive
• Turned off the computer’s security settings
• Reformatted the hard disk drive
The second action a virus takes when executed is to reproduce itself by inserting its code into another file on the same computer. A virus can only replicate itself on the host computer on which it is located; it cannot automatically spread to another computer by itself.
Worms
A second type of malware that has as its primary purpose to spread is a worm. A worm is a malicious program that uses a computer network to replicate (worms are sometimes called network viruses). A worm is designed to enter a computer through the network and then take advantage of a vulnerability in an application or an operating system on the host computer. Once the worm has exploited the vulnerability on one system, it immediately searches for another computer on the network that has the same vulnerability.
Early worms were relatively benign and designed simply to spread quickly and not corrupt the systems they infected. These worms slowed down the network through which they were transmitted by replicating so quickly that they consumed all network resources. Today’s worms can leave behind a payload on the systems they infect and cause harm, much like a virus. Actions that worms have performed include deleting files on the computer or allowing the computer to be remotely controlled by an attacker.
Trojan
A computer Trojan horse is an executable program that masquerades as performing a benign activity but also does something malicious. For example, a user may download what is advertised as a calendar program, yet when it is installed, in addition to installing the calendar it also installs malware that scans the system for credit card numbers and passwords, connects through the network to a remote system, and then transmits that information to the attacker.
Action | Virus | Worm | Trojan
------ | ----- | ---- | ------
What does it do? | Inserts malicious code into a program or data file | Exploits a vulnerability in an application or operating system | Masquerades as performing a benign action but also does something malicious
How does it spread to other computers? | User transfers infected files to other devices | Uses a network to travel from one computer to another | User transfers Trojan file to other computers
Does it infect a file? | Yes | No | It can
Does there need to be user action for it to spread? | Yes | No | Yes
Table 3: Difference between viruses, worms, and Trojans
Concealment
Some types of malware have avoiding detection as a primary trait. The most common type of concealment malware first captured the public’s attention through music CDs.
A rootkit is a set of software tools used to hide the actions or presence of other types of software. This software can be benign, like playing music CDs, or it can be malicious, such as Trojans, viruses, or worms. Rootkits do this by changing the operating system to force it to ignore their malicious files or activity. Rootkits also hide or remove all traces of evidence that may reveal the malware, such as log entries.
One approach used by rootkits is to alter or replace operating system files with modified versions that are specifically designed to ignore malicious evidence. For example, scanning software may be instructed to scan all files in a specific directory. In order to do this, the scanning software will receive a list of those files from the operating system. A rootkit will replace the operating system’s accurate list of files with the rootkit’s own routine that will not display malicious files.
Payload Capabilities
The destructive power of malware is to be found in its payload capabilities. The primary payload capabilities are to collect data, delete data, modify system security settings, and launch attacks.
Spyware is a general term used to describe software that secretly spies on users by collecting information without their consent. The Anti-Spyware Coalition defines spyware as tracking software that is deployed without adequate notice, consent, or control by the user. This software uses the computer’s resources, including programs already installed on the computer, for the purpose of collecting and distributing personal or sensitive information.
Technology | Description | Impact
---------- | ----------- | ------
Automatic download software | Used to download and install software without the user’s interaction | May be used to install unauthorized applications
Passive tracking technologies | Used to gather information about user activities without installing any software | May collect private information such as websites a user has visited
System modifying software | Modifies or changes user configurations, search page, default media player, or lower-level system functions | Changes configurations to settings that the user did not approve
Tracking software | Used to monitor user behavior or gather information about the user, sometimes including personally identifiable or other sensitive information | May collect personal information that can be shared widely or stolen, resulting in fraud or identity theft
Table 4: Technologies used by spyware
One type of nefarious spyware is a keylogger that silently captures and stores each keystroke that a user types on the computer’s keyboard. The attacker then searches the captured text for any useful information such as passwords, credit card numbers, or personal information.
A keylogger can be a small hardware device or a software program. As a hardware device, the keylogger is inserted between the computer keyboard connection and the USB port. Because the device resembles an ordinary keyboard plug and the computer keyboard USB port is often on the back of the computer, a hardware keylogger can easily go undetected. In addition, the device is beyond the reach of the computer’s antimalware scanning software and thus raises no alarms. The attacker who installed the hardware keylogger returns at a later time and physically removes the device in order to access the information it has gathered.
Software keyloggers are programs installed on the computer that silently capture sensitive information. Software keylogger programs act like rootkits and conceal themselves so that they cannot be detected by the user. An advantage of software keyloggers is that they do not require physical access to the user’s computer, as a hardware keylogger does. The software, often installed as a Trojan or by a virus, can routinely send captured information back to the attacker through the computer’s Internet connection.
Adware delivers advertising content in a manner that is unexpected and unwanted by the user. Once the adware malware becomes installed, it typically displays advertising banners, popup ads, or opens new web browser windows at random intervals. Users generally reject adware because:
• Adware may display objectionable content, such as gambling sites or pornography.
• Frequent popup ads can interfere with a user’s productivity.
• Popup ads can slow a computer or even cause crashes and the loss of data.
• Unwanted advertisements can be a nuisance.
Some adware goes beyond affecting the user’s computer experience. This is because adware programs can also perform a tracking function, which monitors and tracks a user’s online activities and then sends a log of these activities to third parties without the user’s authorization or knowledge. For example, a user who visits online automobile sites to view specific types of cars can be tracked by adware and classified as someone interested in buying a new car. Based on the sequence and type of websites visited, the adware can also determine whether the surfer’s behavior suggests they are close to making a purchase or are also looking at competitors’ cars. This information is gathered by adware and then sold to automobile advertisers, who send the users regular mail advertisements about their cars or even call the user on the telephone.
Ransomware
One of the newest and fastest-growing types of malware is ransomware. Ransomware prevents a user’s device from properly operating until a fee is paid. One type of ransomware locks up a user’s computer and then displays a message that purports to come from a law enforcement agency.
Figure 7: Ransomware message
This message, using official-looking imagery, states that the user has performed an illegal action such as downloading pornography and must immediately pay a fine online by entering a credit card number. The computer remains “held hostage” and locked (except for the numeric keys on the keyboard) until the ransom payment is made.
Delete Data
The payload of other types of malware deletes data on the computer. This may involve deleting important user data files, such as documents or photos, or erasing vital operating system files so that the computer will no longer properly function.
One type of malware that is frequently used to delete data is a logic bomb. A logic bomb is computer code that is typically added to a legitimate program but lies dormant until it is triggered by a specific logical event. Once it is triggered, the program then deletes data or performs other malicious activities.
Description | Reason for attack | Results
----------- | ----------------- | -------
A logic bomb was planted in a financial services computer network that caused 1000 computers to delete critical data. | A disgruntled employee had counted on this to cause the company’s stock price to drop; he planned to use that event to earn money. | The logic bomb detonated, but the employee was caught and sentenced to 8 years in prison and ordered to pay $3.1 million in restitution. [2]
A logic bomb at a defense contractor was designed to delete important rocket project data. | The employee’s plan was to be hired as a highly paid consultant to fix the problem. | The logic bomb was discovered and disabled before it triggered. The employee was charged with computer tampering and attempted fraud and was fined $5000. [3]
A logic bomb at a health services firm was set to go off on the employee’s birthday. | The employee was angered that he might be laid off (although he was not). | The employee was sentenced to 30 months in a federal prison and paid $81,200 in restitution to the company. [4]
Table 5: Famous logic bombs
Logic bombs are difficult to detect before they are triggered. This is because logic bombs are often embedded in very large computer programs, some containing tens of thousands of lines of code, and a trusted employee can easily insert a few lines of computer code into a long program without anyone detecting it. In addition, these programs are not routinely scanned for containing malicious actions.
Modify System Security
The payload of some types of malware attempts to modify the system’s security settings so that more insidious attacks can be made. One type of malware in this category is called a backdoor. A backdoor gives access to a computer, program, or service that circumvents any normal security protections. Backdoors that are installed on a computer allow the attacker to return at a later time and bypass security settings.
[2] “History and milestones,” About RSA Conference, www.rsaconference.com/about-rsa-conference/history-and-milestones.htm.
[3] “Logic bombs,” Computer Knowledge, www.cknow.com/cms/vtutor/logic-bombs.html.
[4] Vijayan, Jaikumar, “Unix admin pleads guilty to planting logic bomb,” Computerworld, www.pcworld.com/article/137479/unix_admin_pleads_guilty_to_planting_logic_bomb.html.
Launch Attacks
One of the most popular payloads of malware today carried by Trojans, worms, and viruses is software that will allow the infected computer to be placed under the remote control of an attacker. This infected robot (bot) computer is known as a zombie. When hundreds, thousands, or even hundreds of thousands of zombie computers are gathered into a logical computer network, they create a botnet under the control of the attacker (bot herder).
Infected zombie computers wait for instructions through a command and control (C&C or C2) structure from the bot herders regarding which computers to attack and how. A common botnet C&C mechanism used today is the Hypertext Transport Protocol (HTTP), which is the standard protocol for Internet usage. For example, a zombie can receive its instructions by automatically signing in to a website that the bot herder operates or to a third-party website on which information has been placed that the zombie knows how to interpret as commands (this latter technique has an advantage in that the bot herder does not need to have an affiliation with that website). By using HTTP, botnet traffic may be more difficult to detect and block. Some botnets even use blogs or send specially coded attack commands through posts on the Twitter social networking service or notes posted in Facebook.
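The periodic HTTP check-in that the paragraph describes is also what gives it away on the network: a zombie polling a page on a timer produces near-constant intervals between requests, whereas human browsing does not. The following added example (not from the report) runs that check over constructed proxy log lines in a simplified format; the hostnames, addresses and timestamps are made up.

```python
"""Flag periodic HTTP check-in traffic in proxy logs, a common C&C pattern.

Added example for this report, not the report's own code. The log lines
below are constructed in a simplified format:
    "<ISO time> <client ip> <host> <path>"
A zombie polling a web page on a fixed timer produces near-identical
intervals; a person browsing does not. Each (client, host) pair is scored
by the spread of its inter-request intervals.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 polls example-cc.invalid every ~60 s;
# 10.0.0.7 browses a news site at irregular times.
SAMPLE_LOG = """\
2018-05-01T09:00:00 10.0.0.5 example-cc.invalid /status.php
2018-05-01T09:01:01 10.0.0.5 example-cc.invalid /status.php
2018-05-01T09:01:59 10.0.0.5 example-cc.invalid /status.php
2018-05-01T09:03:00 10.0.0.5 example-cc.invalid /status.php
2018-05-01T09:04:00 10.0.0.5 example-cc.invalid /status.php
2018-05-01T09:05:01 10.0.0.5 example-cc.invalid /status.php
2018-05-01T09:00:12 10.0.0.7 news.example /index.html
2018-05-01T09:00:19 10.0.0.7 news.example /story/42
2018-05-01T09:03:40 10.0.0.7 news.example /story/57
2018-05-01T09:11:05 10.0.0.7 news.example /index.html
2018-05-01T09:11:07 10.0.0.7 news.example /sports
2018-05-01T09:30:00 10.0.0.7 news.example /index.html
"""


def parse_log(text):
    """Yield (timestamp, client, host) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def beacon_candidates(text, min_requests=5, max_cv=0.2):
    """Return {(client, host): (mean_interval_s, cv)} for pairs that look periodic.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests; a small cv means a machine-like, fixed timer.
    """
    times = defaultdict(list)
    for ts, client, host in parse_log(text):
        times[(client, host)].append(ts)
    flagged = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all requests share one timestamp; not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[key] = (round(avg, 1), round(cv, 3))
    return flagged


if __name__ == "__main__":
    for (client, host), (avg, cv) in beacon_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {host}: request every ~{avg}s (cv={cv})")
```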
Type of attack | Description
-------------- | -----------
Spamming | Botnets are widely recognized as the primary source of spam email. A botnet consisting of thousands of zombies enables an attacker to send massive amounts of spam.
Spreading malware | Botnets can be used to spread malware and create new zombies and botnets. Zombies have the ability to download and execute a file sent by the attacker.
Manipulating online polls | Because each zombie has a unique Internet Protocol (IP) address, each “vote” by a zombie will have the same credibility as a vote cast by a real person. Online games can be manipulated in a similar way.
Denying services | Botnets can flood a web server with thousands of requests and overwhelm it to the point that it cannot respond to legitimate requests.
Table 6: Uses of botnets
In many ways a botnet is the ideal base of operations for attackers. Zombies are designed to operate in the background, often without any visible evidence of their existence. By keeping a low profile, botnets are sometimes able to remain active and operational for years. The ubiquitous always-on Internet service provided by residential broadband ensures that a large percentage of zombies in a botnet are accessible at any given time. This has resulted in a staggering number of botnets. One botnet contained more than 1.9 million zombies, and botnets of 100,000 zombies are not uncommon. [5] Some security experts estimate that between 7 and 25 percent of all computers on the Internet belong to a botnet. [6]
[5] “Grappling with the ZeroAccess botnet,” Symantec, www.symantec.com/connect/blogs/grappling-zeroaccess-botnet.
[6] Weber, Tim, “Criminals ‘may overwhelm the web,’” BBC News, http://news.bbc.co.uk/2/hi/business/6298641.stm.
Conclusions
Taking a Multilayered Approach
When you think about cyber security, it’s easy to become wrapped up in firewalls, malware, and other technical terms. To establish a comprehensive protection strategy, you should start with a different idea in your head – your home.
“No one wants to sleep in a house with broken windows, unlocked doors, a leaky roof, or cracks in the foundation. It’s an open invitation to criminals, animals, rain, and other forces of nature. If you value your business like you value the contents of your home, protect it. Otherwise, buy an umbrella and sell your valuables.” [7]
In relation to cyber security, those “leaky roofs” and “broken windows” come in several varieties. The one method for protecting yourself against ever more intricate and dangerous cyber-attacks is having a multilayered approach to security, one that considers both technology and human issues.
Understand the New Threat Landscape
You can only successfully protect your company if you have a solid understanding of the types of criminals and cyber-attacks you’re protecting against and the data stores you must safeguard. Surveys indicate cyber-attacks are increasingly targeting small businesses, in large part because they often have fewer safeguards than larger companies.
“In the last six to nine months, I’ve seen a tremendous increase in the attacks against small businesses; it has really spiked, and the attacks are different than they were three to five years ago. Before, the attacks were designed to be malicious and cause havoc. Now they are very targeted and go after specific types of information, such as financial information.” [8]
A cyber-attack can result in lost sales, lost cash, an inability to provide services, and harm to your reputation. “You need to understand the real risks of cyber-attacks. In many cases, a data breach costs a small business a month’s worth of profitability. In the worst case, the damage can be so severe it puts you out of business. In fact, six in 10 small businesses are out of business within six months of an attack.” [9]
Determine Where Your Business Is Vulnerable
Businesses have different needs when it comes to protecting themselves. Some businesses accept credit cards and need to be PCI compliant; other companies work with legal or confidential documents and must set up additional measures of protection for them.
“I speak to dozens of business owners every month, in all shapes and sizes; very few of them, probably fewer than 15 percent, are fully covered and prepared if disaster were to strike. One critical area that almost all business owners overlook is their customers and vendors. What if your business gets hacked or hit by a natural disaster? What happens to your business if you are shut down for a week, a month, or even permanently? Are you current with your accounts receivable? Do your top two or three clients represent more than 30 percent of your overall revenue? Are you located in the same area of the country as your customers?” [7]
[7] Brian Moran, a business consultant in Baltimore, Maryland
[8] Mark Gilmore, president of Wired Integrations in San José, California
[9] Aaron Hanson, product marketing lead at Symantec
A good starting point for understanding your risks is a complete security audit. “More and more small businesses are conducting security assessments and audits of their environments, and that means a step-by-step examination of your technology – your servers, your applications, your mobile devices – and your processes, to identify your specific risks and the safeguards you need.” [2]
Focus on the Human Element
While technological safeguards are critical, many data breaches are due to human error. For that reason, you should enforce policies for how your employees should behave online; for example, they should not click on unknown links, and they should use strong passwords that include letters and symbols.
It’s equally imperative to train employees about the reasons for these policies and about the risk cyber-attacks can pose to the company. Emphasize the importance of protecting mobile devices, systems, memory devices, and the confidential data these contain, from loss or theft.
In addition, the business owner should be a security role model. “If the business owner doesn’t care and is loose with security policies, you can’t expect the employees to care and follow them.” [3]
Think of Security in Layers
With cyber-attacks becoming increasingly complex, small companies need the latest technology protection, just as larger enterprises do. “Sometimes, small businesses use free or consumer technology, like antivirus software, and too often they don’t realize they need commercial-strength technology until a virus strikes and their business is paralyzed for days because their computers have to be rebuilt and they can’t access the Internet.” [2]
The key is to think of security as a series of layers which act together to provide your business with the greatest protection against the increasingly diverse array of cyber threats. The protections include backup and retrieval, a firewall, website trust markers, and endpoint security.
To understand the importance of a multi-layered approach to security, think back to the “house” analogy. In that case, you put a fence around your property, locks on the doors and windows, and an alarm system in case you are breached. In the case of your small business:
• A firewall is like a fence for your network, blocking unwanted malicious intrusions into your network.
• An endpoint security solution (which protects computers, laptops, servers, and other devices) is like the locks on your doors. It will block unwanted malware on your endpoint computers.
• A solution that monitors your computers is like the alarm system that can warn you if something has penetrated your network.
• A backup and recovery strategy that can help you recover your files and systems in case of disaster is like having a homeowner’s insurance policy.
• SSL certificates – a critical safeguard for credit cards and other important digital information – authenticate the identity of your business and show customers that your site is secure. Indeed, trust markers displayed in search results can improve customer confidence and increase traffic to your site. It’s like a house displaying a seal of protection, which conveys you’ve taken the steps to ensure your business is safe and is being monitored on a regular basis.
As you can see, protecting your small business is not a matter of employing a single solution; rather, it’s the layers of protection that can keep you safe.
Make Security an Ongoing Process
Cyber-attacks are relentless, and criminals are constantly thinking of new approaches. This implies that your defenses also must be ongoing and constantly improving. For example, an endpoint security solution is only as effective as its latest update – you should regularly update your systems and scan your website for malware and vulnerabilities.
One means to achieve this is to automate security. For instance, you could purchase security subscription services for all employees and devices. Cloud-hosted security services are easy to install and easier to manage, and they automatically provide many safeguards – patching and proper configuration – that are often overlooked when performed manually. Remember: when it comes to protecting your “house,” it only takes leaving one window open once to suffer a dreadful loss, so always make sure every door is locked and every lock is secured.