Many of us are concerned about the ever increasing threat to information security and business continuity posed by malicious software. Before delving into ways to deal with malicious software it’s important to ensure that we are all familiar with the commonly used terminology.
Note: I wrote the following definitions myself.
Malware / Malicious Software = Software that is used by a third party to perpetrate acts against the owner of the target system/data
Virus = When used in relation to computer software the term “Virus” is used to refer to malware that replicates itself to adjacent systems following user interaction. Viruses typically carry a malicious payload that can cause disruption to the target system.
Worm = A class of Virus that automatically replicates itself to adjacent systems without user interaction – in other words they spread in an automated fashion
Rootkit = Software that can be used to hide (cloak) the presence of malware from the user. Sophisticated rootkits can hide themselves from both the Administrator and even the operating system. Personally my greatest security oriented concern for end user systems is the rapid spread of powerful rootkits as they invalidate all security mechanisms and can be very difficult to find. Many of the most powerful rootkits are freely available from public websites (including full source code) therefore the barrier to entry for those with malicious intent are incredibly low. There are even books detailing how to write your own rootkit.
Spyware = Software that hides itself on the target machine (often using a rootkit) to gather information about the interaction between the user and the system. Spyware commonly records every key press the user makes – this is known as “key logging”. Once spyware invades a system it can observe all system interaction even with encrypted website connections (HTTPS / SSL) and encrypted files.
The more I study malicious software the more I believe that as an industry we need to focus our efforts upon preventing malware getting onto our systems in the first place. One of the most effective ways to reduce the risk of malware compromising your systems is to sign onto computer systems using accounts that have the minimum amount of privilege. Least User Access (LUA) is a widely used term to describe the use of least privilege. Adopting the principle of LUA means that many people use two computer accounts – one with privilege and one without.
The privileged account can be used when the system administrator consciously wants to change the system configuration. Such a change could be to install additional software or hardware or perhaps to repurpose the system for a different scenario.
The least privileged account can be used for day to day activities such as browsing the Internet, accessing email, operating line of business applications and manipulating documents.
In a business environment there are likely to be people who are tasked with administering systems on behalf of users and therefore such people will of course have access to privileged accounts. In such an environment it may not be necessary for individuals to have access to accounts with administrative privileges. If people are mobile and therefore outside the timely reach of administrative assistance then there may be a case for them knowing the credentials of a privileged account for their system in addition to their normal credentials. Active Directory is a feature of Microsoft Windows that enables administrators to control the configuration of all Microsoft Windows computer systems in the environment from central point.
In a home environment of course all administrative tasks are likely to be carried out by the owner of the system. I encourage home users to take advantage of both a privileged (administrative) account AND a non-privileged account. I “sell” friends and family on the premise that their system is less likely to “break” (become infected with malicious software) if they use the non-privileged account for day to day activities.
Emerging services such as Microsoft’s OneCare offering can be used to take care of security updates and anti-virus / malware.
Dealing with Malware through proactive measures such as adopting the principle of least privilege is a classic case where changing your process can enable you to continue enjoying the benefits of technology without suffering the pain of security compromise and down time.