Programme: NPfIT
Sub-Programme / Project: Infrastructure Security
Reference: NPFIT-FNT-TO-IG-GPG-0005.01
Programme Director: Chris Wilber
Status: Approved
Owner: James Wood
Version: 2.0
Author: Mark Penny
Version Date: 12th February 2010
Amendment History:

Version   Date          Amendment
0.1
0.2       30/08/2005
0.4       20/10/2005
1.0       23/02/2006
1.1       19/03/2009
1.2       30/03/2009
1.3       31/03/2009
1.4       06/04/2009
1.4a      30/09/2009
2.0       12/10/2010    Document approved.
Forecast Changes:

Anticipated Change    When
Annual Review         February 2011
Reviewers:
This document must be reviewed by the following:

Name                            Signature   Title / Responsibility   Date   Version
Infrastructure Security Team                                                1.3
James Wood                                  Head of IT Security             1.4a
Approvals:
This document must be approved by the following:

Name          Signature   Title / Responsibility   Date   Version
James Wood                Head of IT Security             2.0
Distribution:
NHS Connecting for Health Infrastructure Security Team Website
http://nww.connectingforhealth.nhs.uk/infrasec/gpg
Document Status:
This is a controlled document.
Whilst this document may be printed, the electronic version maintained in FileCM is
the controlled copy. Any printed copies of the document are not controlled.
Related Documents:
These documents provide additional information.

Ref no                      Title   Version
NPFIT-SHR-QMS-PRP-0015              Latest
NPFIT-FNT-TO-IG-GPG-0033
Contents

1      Purpose ...................................................... 5
1.2    Audience ..................................................... 5
1.3    Content ...................................................... 6
1.4    Disclaimer ................................................... 6
2      Introduction ................................................. 7
2.1    Background ................................................... 7
3      Anti-virus ................................................... 8
3.1
3.2
3.3
3.4
3.5
3.6
4.2
4.2.1  Active Monitoring ............................................ 18
4.2.2  .............................................................. 19
4.2.3  .............................................................. 20
5.1.1  .............................................................. 21
5.1.2  Pyramid Schemes, Chain Letters & Fake Notifications .......... 22
5.1.3  Current News Hoax ............................................ 22
5.1.4  Fake Security Software Hoax .................................. 22
5.1.5  Spear Phishing ............................................... 23
5.2
A
1.2 Audience
This document assumes a general understanding of the terms virus and
malware. It also assumes a general understanding of other computing related
terms.
Further information on information security and related matters is available from
the NHS Connecting for Health Infrastructure Security Team website:
http://nww.connectingforhealth.nhs.uk/infrasec/
1.3 Content
This document comprises the following sections/topics:
- Description and information on anti-virus products for different types of platform
- Technical solutions for monitoring for malware
- The need for an anti-virus policy
- The need for user education on viruses, malware and phishing
- Descriptions of common phishing attacks and how to spot them
- An appendix of attachment types which organisations could consider blocking because they could be used to deliver malicious payloads
1.4 Disclaimer
Reference to any specific commercial product, process or service by trade name,
trademark, manufacturer, or otherwise, does not constitute or imply its
endorsement, recommendation, or favouring by NHS Connecting for Health. The
views and opinions of authors expressed within this document shall not be used
for advertising or product endorsement purposes.
Any party relying on or using any information contained in this document and/or
relying on or using any system implemented based upon information contained in
this document should do so only after performing a risk assessment. It is
important to note that a risk assessment is a prerequisite for the design of
effective security countermeasures. A correctly completed risk assessment
enables an NHS organisation to demonstrate that a methodical process has
been undertaken which can adequately describe the rationale behind any
decisions made. Risk assessments should include the potential impact to live
services of implementing changes.
This means that changes implemented following this guidance are made at the
implementer's risk. Misuse or inappropriate use of this information can only be
the responsibility of the implementer.
2 Introduction
This document provides general information on viruses and malware, together
with potential solutions for their proactive detection and eradication. It
covers the concepts of phishing and pharming and what user education can do
about them. The document also details additional defence-in-depth measures
which can help protect information assets from viruses and malware.
2.1 Background
Attackers increasingly use viruses and malware in their attempts to
compromise systems, gain unauthorised access to information and take
control of computer resources, often redirecting those resources into attacks
against other targets.
Spyware and other malware are often bundled with legitimate software. When users
install the legitimate software they can inadvertently install the bundled
spyware as well, compromising the confidentiality and integrity of their systems.
This type of software presents long-term problems for security because it
often remains hidden from the user (or poses as a legitimate application)
while continually leaking information from the infected host. The most
effective defences against viruses, malware and hoaxes combine several
technologies and strategies, ranging from in-depth technical solutions to
effective user education that prevents those technical solutions from being
circumvented.
3 Anti-virus
Anti-virus software and related applications are a technical defence against
viruses infecting systems. Such software is generally host based and runs on
the system it protects. Anti-virus software can detect many types of malware,
including computer viruses, worms and trojan horses as well as spyware.
A computer virus is malicious software which infects files on a computer
system. A virus may target specific types of file, such as Word documents;
once an infected document is sent to someone else, the virus spreads to and
infects that person's PC. A resident virus loads itself into memory (typically
arranging to be reloaded after a reboot) and operates in the background,
looking for further files to infect. A non-resident virus runs only when an
infected file is launched.
A worm is malicious software which does not require user interaction to run.
Worms spread from system to system using automated infection methods and
generally exploit unpatched software vulnerabilities to do so. A classic worm
does not steal personal information but exists simply to spread, consuming
resources and damaging the integrity and availability of the systems it
infects (although a worm may carry a payload, such as a trojan, that does).
A trojan horse is malicious software which on the surface has a legitimate use
but, unbeknownst to the user, contains functionality which can be used to steal
sensitive data or perform other unwanted actions.
http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/igsoc
http://nww.connectingforhealth.nhs.uk/infrasec/gpg
Further information is available in the Remote Access and Remote Management GPG
documents available from the NHS CFH IST web site:
http://nww.connectingforhealth.nhs.uk/infrasec/gpg
The Patch Management GPG provides additional information including statements from the
MHRA on such devices.
5 http://support.microsoft.com/kb/309422
These services allow users to chat in real time while also giving them the
ability to share files and workspaces.
It is this ability to transmit files, and the possibility that such transfers
bypass established controls (for example the e-mail gateway's attachment
filtering and anti-virus scanning), that makes instant messaging a significant
problem area for those tasked with protecting a system from virus infection.
Many anti-virus manufacturers have responded (via integration with messaging
products or file analysis) with solutions that provide real-time monitoring of
files passing through instant messaging systems. For those using externally
provided IM systems (such as those from Microsoft, Google or Yahoo), there is
the additional problem of IM spam and phishing attacks delivered over IM.
If organisations use internal IM systems, they should investigate the features
provided by the software manufacturer which can be turned on to minimise the
possibility of malicious files being shared.
Unless absolutely necessary for business functions, file transfer over instant
messaging services should be disabled and more robust methods used instead.
For example, the NHS Secure File Transfer Service can be used. More
information is available at:
http://nww.connectingforhealth.nhs.uk/infrasec/secure-file (N3 connection
required.)
Technical means should be put in place to ensure that users cannot disable or interfere with anti-virus software. Ideally
this is achieved by applying the principle of least privilege on user desktop systems (i.e. users are not local
administrators on their machines), so that the anti-virus service, its on-access scanner and its signature updates cannot
be stopped or reconfigured by an ordinary user.
sensitive information (e.g. bank account details) and/or makes upfront monetary
payments.
5.1.2 Pyramid Schemes, Chain Letters & Fake Notifications
A common technique, initially used to harvest valid e-mail addresses for spam
operations. The scammer persuades the user (using financial incentives) to
visit malicious websites or otherwise tricks them into running malware-infected
attachments. A well publicised example of this type of scam consisted of an
e-mail sent to many thousands of people requesting money for an orphaned
terrorist attack victim. Many people entered their bank details to pledge
money; only later was the subterfuge discovered, by which time those who
responded had revealed their bank details to criminals.
A variant on the above is the fake notification e-mail which claims to come
from the user's bank and states that the user's account will be closed unless
the user visits a web site and verifies their details. These scams can often
be spotted because the fake banking web site requests information which a bank
would never ask for, such as the PIN or the National Insurance number.
5.1.3 Current News Hoax
Attackers also use e-mails claiming to contain detailed information on
worldwide issues and popular or breaking news stories to spread viruses,
trojans or spyware. They achieve this by tricking users into running malware
disguised as a potentially useful utility.
A related hoax arrives by e-mail and claims that a file on the user's computer
is a virus, providing instructions on how to remove the "infected" file; it
also tells the user to forward the e-mail to everyone in their address book.
The file referenced in these hoaxes is usually a legitimate system file, so
following the instructions damages the system rather than cleaning it. An
example of this type of hoax is the infamous Teddy Bear virus hoax.8
8 http://www.hoax-slayer.com/teddy-bear-virus-hoax.html
5.1.4 Fake Security Software Hoax
A recent trend has been the emergence of fake security software. The usual
delivery mechanism is via adverts on legitimate web sites or by visiting
certain types of web site. Typically a pop-up dialog box appears claiming that
the user's PC is infected with viruses or malware and that by downloading and
installing a piece of software they can run a more thorough check of their PC.
Once downloaded and installed, the software pretends to scan the PC and
"finds" several viruses and malware infections. It then requests payment (by
credit or debit card) to remove them. If the user does not pay, the software
repeatedly generates pop-up warnings of virus and malware infection. Such
software often contains techniques to thwart removal. Fake security software
can often be detected and removed by legitimate anti-virus products.
5.1.5 Spear Phishing
This is a targeted attack which focuses on specific individuals within an
organisation. The targets are often those who are very senior within the
organisation or whom an attacker considers to have access to sensitive and
valuable information. Alternatively, targets may be known or believed to be
high net worth individuals.
Spear phishing attacks often take the form of an e-mail which attempts to
persuade the recipient into downloading and installing a piece of software.
Once installed, the software can log keystrokes, spy on and relay sensitive
information viewed by the target, and so forth. These e-mails often appear to
come from senders the recipient has communicated with in the past or may even
trust, so such attacks can be very difficult to spot.
There have also been cases of new (often zero-day) vulnerabilities being used in
spear phishing attacks. Vulnerabilities in Acrobat Reader and Microsoft products
have been targeted in this way because an exploit for an unpublished
vulnerability is unlikely to be detected by signature-based anti-virus or
anti-malware products, and no patch will yet be available.
User education and awareness training is the best way to detect spear phishing
attacks, and the advice given in the User Education section above will be of
benefit.
A useful website which provides further information on identity theft, phishing,
scams and hoaxes is Get Safe Online. See: http://www.getsafeonline.org/
- Keyword searching.
- Domain blocking of common hoax sources.
- Statistical analysis of content.
- Attachment filtering.
In addition, e-mail clients themselves now contain filters which look for the
signs of phishing in e-mails received. Any suspect e-mail is flagged for the
user's attention and moved to a special folder within the software. Whilst
these filters are not infallible, they provide an extra layer of defence and,
together with gateway measures and user training, are worth using. E-mail
client manufacturers additionally provide updates for these filters to further
improve their detection capabilities.
Deploying software which analyses the content of e-mails for particular words
or patterns (in conjunction with robust anti-virus software) should further
increase the effectiveness of blocking the type of hoax which attempts to
convince the user to execute malicious software.
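The gateway and client-side filters above combine a handful of cheap heuristics. As an added example (not code from the original guide or from NHS CFH), the following Python scores a message on the signs this section and 5.1.2 describe: requests for a PIN or National Insurance number, urgency language, a blocklisted sender domain, a Reply-To that differs from the From domain, and a link whose visible text names one domain while its href points at another. The word lists, the blocklist and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Requests a legitimate bank never makes by e-mail (section 5.1.2). These
# pattern lists and the blocklist are assumptions chosen for the example.
SENSITIVE_REQUESTS = [r"\bPIN\b", r"\bnational insurance\b",
                      r"\bpassword\b", r"\bcard (?:number|details)\b"]
URGENCY = [r"\baccount will be (?:closed|suspended|locked)\b",
           r"\bwithin \d+ hours?\b", r"\bverify your (?:details|account)\b"]
BLOCKED_DOMAINS = {"secure-bank-login.example", "nhs-prize-draw.example"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs so the text a link shows can be
    compared with where it really goes."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _body_text(msg):
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].strip(" >").lower()


def score_message(raw):
    """Return (score, reasons). Each heuristic that fires adds one point;
    a gateway would quarantine or flag above a chosen threshold."""
    msg = message_from_string(raw)
    body, reasons = _body_text(msg), []
    for pat in SENSITIVE_REQUESTS:
        if re.search(pat, body, re.I):
            reasons.append("asks for sensitive data: " + pat)
    for pat in URGENCY:
        if re.search(pat, body, re.I):
            reasons.append("urgency pressure: " + pat)
    sender = _domain(msg.get("From", ""))
    if sender in BLOCKED_DOMAINS:
        reasons.append("sender domain on blocklist: " + sender)
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(reply_to) != sender:
        reasons.append("Reply-To domain differs from From")
    links = LinkCollector()
    links.feed(body)
    for href, text in links.links:
        host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text, re.I)
        if shown and shown.group(0).lower() != host:
            reasons.append(f"link text {shown.group(0)} actually points to {host}")
    return len(reasons), reasons


# Constructed sample messages (not real mail).
PHISH = """From: "MyBank Security" <alerts@secure-bank-login.example>
Reply-To: collect@nhs-prize-draw.example
To: user@example.org
Subject: Urgent: account verification
Content-Type: text/html; charset=utf-8

<html><body><p>Your account will be closed within 24 hours unless you
verify your details, including your PIN and National Insurance number,
at <a href="http://secure-bank-login.example/login">www.mybank.co.uk</a>.</p>
</body></html>
"""
LEGIT = """From: "IT Service Desk" <servicedesk@trust.example>
To: user@example.org
Subject: Planned maintenance this weekend
Content-Type: text/plain; charset=utf-8

The e-mail gateway will be upgraded on Saturday between 08:00 and 10:00.
No action is required; see the intranet notice for details.
"""

if __name__ == "__main__":
    for sample in (PHISH, LEGIT):
        score, why = score_message(sample)
        print(score, why)
```

The link check is the one users most often miss: the visible text "www.mybank.co.uk" looks right, but the href host is what the browser will visit. A production filter would also normalise Unicode look-alike characters and check the href host against the sender's domain.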
File Name Extension    File type
.ade                   Access project extension (Microsoft)
.adp                   Access project (Microsoft)
.app                   Executable Application
.asp                   Active Server Page
.bas                   BASIC source
.bat                   Batch Processing
.cer                   Certificate File
.chm                   Compiled HTML Help
.cmd                   Command script
.cnt                   Help contents
.com                   Command
.cpl                   Control Panel extension
.crt                   Certificate File
.csh                   csh Script
.der                   Certificate File
.exe                   Executable File
.fxp                   FoxPro compiled program
.gadget                Windows Gadget
.hlp                   Windows Help
.hpj                   Help Project
.hta                   Hypertext Application
.inf                   Setup Information
.ins                   Internet Settings
.isp                   Internet Service Provider settings
.its                   Internet Document Set
.js                    JScript
.jse                   JScript Encoded
.ksh                   Korn Shell Script
.lnk                   Shortcut
.mad                   Access (Microsoft)
.maf                   Access (Microsoft)
.mag                   Access (Microsoft)
.mam                   Access (Microsoft)
.maq                   Access (Microsoft)
.mar                   Access (Microsoft)
.mas                   Access (Microsoft)
.mat                   Access (Microsoft)
.mau                   Access (Microsoft)
.mav                   Access (Microsoft)
.maw                   Access (Microsoft)
.mda                   Access (Microsoft)
.mdb                   Access (Microsoft)
.mde                   Access (Microsoft)
.mdt                   Access (Microsoft)
.mdw                   Access (Microsoft)
.mdz                   Access (Microsoft)
.msc                   Management Console snap-in
.msh                   Microsoft Shell
.msh1                  Microsoft Shell
.msh2                  Microsoft Shell
.mshxml                Microsoft Shell
.msh1xml               Microsoft Shell
.msh2xml               Microsoft Shell
.msi                   Windows Installer Package
.msp                   Windows Installer Patch
.mst                   Windows Installer Transform
.ops                   Office Profile Settings
.osd                   Open Software Description
.pcd                   Photo CD image / Visual Test script
.pif                   Program Information File
.plg                   Visual Studio build log
.prf                   Outlook profile settings
.prg                   Program File
.pst                   Outlook Data File
.reg                   Registry entries
.scf                   Windows Explorer command
.scr                   Screen Saver
.sct                   Windows Script Component
.shb                   Shortcut into a document
.shs                   Shell Scrap Object
.ps1                   Windows PowerShell
.ps1xml                Windows PowerShell
.ps2                   Windows PowerShell
.ps2xml                Windows PowerShell
.psc1                  Windows PowerShell
.psc2                  Windows PowerShell
.tmp                   Temporary File/Folder
.url                   Internet Location
.vb                    VBScript
.vbe                   VBScript Encoded
.vbp                   Visual Basic project
.vbs                   VBScript
.vsmacros              Visual Studio macros
.vsw                   Visio workspace
.ws                    Windows Script
.wsc                   Windows Script Component
.wsf                   Windows Script File
.wsh                   Windows Script Host settings
.xnk                   Exchange public folder shortcut
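The table lists what to block by name, but a gateway filter must also cope with how attackers present such files: mixed case, trailing dots and spaces that Windows ignores, double extensions such as report.exe.txt, executables renamed to a harmless type, and executables wrapped inside a zip. The following Python is an added example (not code from the original guide or from NHS CFH): it builds a constructed MIME message carrying several such attachments and checks each one against the extension list above, plus a PE-header content check and recursive archive inspection. The archive depth and member size limits are assumed policy values.

```python
import io
import zipfile
from email import encoders, message_from_bytes
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Extensions from the appendix table (lower-case, no leading dot).
BLOCKED_EXTENSIONS = {
    "ade", "adp", "app", "asp", "bas", "bat", "cer", "chm", "cmd", "cnt", "com",
    "cpl", "crt", "csh", "der", "exe", "fxp", "gadget", "hlp", "hpj", "hta",
    "inf", "ins", "isp", "its", "js", "jse", "ksh", "lnk", "mad", "maf", "mag",
    "mam", "maq", "mar", "mas", "mat", "mau", "mav", "maw", "mda", "mdb", "mde",
    "mdt", "mdw", "mdz", "msc", "msh", "msh1", "msh2", "mshxml", "msh1xml",
    "msh2xml", "msi", "msp", "mst", "ops", "osd", "pcd", "pif", "plg", "prf",
    "prg", "pst", "reg", "scf", "scr", "sct", "shb", "shs", "ps1", "ps1xml",
    "ps2", "ps2xml", "psc1", "psc2", "tmp", "url", "vb", "vbe", "vbp", "vbs",
    "vsmacros", "vsw", "ws", "wsc", "wsf", "wsh", "xnk",
}
MAX_ARCHIVE_DEPTH = 2              # assumed policy limits for the example
MAX_MEMBER_BYTES = 50 * 1024 * 1024


def normalise_name(name):
    """Windows ignores trailing dots and spaces, so 'report.exe. ' runs as
    report.exe; compare the name the OS will actually use."""
    return name.strip().rstrip(". ").lower()


def blocked_reason(name, data, depth=0):
    """Return why an attachment should be blocked, or None if it passes."""
    exts = normalise_name(name).split(".")[1:]
    if exts and exts[-1] in BLOCKED_EXTENSIONS:
        return f"blocked extension .{exts[-1]}"
    for inner in exts[:-1]:               # e.g. report.exe.txt
        if inner in BLOCKED_EXTENSIONS:
            return f"disguised double extension .{inner}.{exts[-1]}"
    if data[:2] == b"MZ":                 # PE header: executable whatever the name
        return "PE executable content regardless of name"
    if exts and exts[-1] == "zip":        # inspect archives rather than trust them
        if depth >= MAX_ARCHIVE_DEPTH:
            return "archive nested too deeply to inspect"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:
                        return f"encrypted archive member {info.filename} cannot be inspected"
                    if info.file_size > MAX_MEMBER_BYTES:
                        return f"archive member {info.filename} exceeds size limit"
                    inner = blocked_reason(info.filename, zf.read(info), depth + 1)
                    if inner:
                        return f"archive member {info.filename}: {inner}"
        except zipfile.BadZipFile:
            return "unreadable data presented as a zip archive"
    return None


def scan_message(raw):
    """Walk a MIME message and return [(filename, reason)] for blocked parts."""
    findings = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if name:
            reason = blocked_reason(name, part.get_payload(decode=True) or b"")
            if reason:
                findings.append((name, reason))
    return findings


def build_sample():
    """Constructed test message (not real mail) exercising each check."""
    msg = MIMEMultipart()
    msg["From"], msg["To"], msg["Subject"] = "a@example.org", "b@example.org", "test"
    msg.attach(MIMEText("See attached."))

    def attach(filename, payload):
        part = MIMEBase("application", "octet-stream")
        part.set_payload(payload)
        encoders.encode_base64(part)
        part.add_header("Content-Disposition", "attachment", filename=filename)
        msg.attach(part)

    zipped = io.BytesIO()
    with zipfile.ZipFile(zipped, "w") as zf:
        zf.writestr("update.exe", b"MZ\x90\x00")
    attach("minutes.txt", b"Agenda item 1")          # allowed
    attach("holiday.jpg.scr", b"MZ\x90\x00")         # blocked by final extension
    attach("invoice.PDF.exe. ", b"MZ\x90\x00")       # case and trailing-dot trick
    attach("notes.txt", b"MZ\x90\x00")               # executable with innocent name
    attach("report.exe.txt", b"plain text")          # double extension
    attach("update.zip", zipped.getvalue())          # executable inside archive
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in scan_message(build_sample()):
        print(f"{filename!r}: {reason}")
```

Two design points worth noting: an encrypted zip is treated as blocked rather than allowed, because a scanner that cannot look inside has no basis for passing it, and the content check runs even when the name looks harmless, since the extension table only ever describes what the sender chose to call the file.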