United States Army Combined Arms Center Troubleshooting TBC Workstation.
Troubleshooting Workstation Security Issues
Detect, Remove, and Prevent Malware
Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
Troubleshooting Workstation Security Issues
• Detect, Remove, and Prevent Malware
• Troubleshoot Common Workstation Security Issues
Computer Viruses and Worms
Virus: Code designed to infect computer files (or disks) when it is activated.
Worm: A type of virus that spreads through memory and network connections rather than infecting files.
• Virus types:
  • Boot sector
  • Firmware
  • Program
  • Script
  • Macro
• Worms:
  • Self-contained
  • Typically target a network application vulnerability
  • Rapidly consume network bandwidth
Trojan Horses and Spyware (Slide 1 of 5)
Trojan Horse: A malicious software program hidden within an innocuous-seeming piece of software.
Spyware: Software that records information about a PC and its user.
Rootkit: A class of malware that modifies system files, often at the kernel level, to conceal its presence.
Ransomware: A type of malware that tries to extort money from the victim, for instance by appearing to lock their computer or by encrypting their files.
Trojan Horses and Spyware (Slide 2 of 5)
• Trojans:
  • Often function as a back door to applications
  • Backdoor allows attacker access to the computer:
    • Upload files
    • Install software
    • Turn the system into a botnet
    • Launch DoS attacks
    • Send mass-mail spam
  • Used to conceal the attacker’s actions
Trojan Horses and Spyware (Slide 3 of 5)
• Spyware:
  • Often installed without user’s knowledge
  • Keyloggers attempt to steal information by recording keystrokes
Trojans and Spyware (Slide 4 of 5)
• Rootkits:
  • Masquerade as a DLL
  • Do not reveal their presence
  • General function:
    • Replace key system files and utilities
    • Provide backdoor for rootkit handler
    • Evade anti-virus software
  • May be deployed as part of DRM
Trojans and Spyware (Slide 5 of 5)
• Ransomware:
  • Attempts to extort money from the victim
  • May block access to the PC or encrypt files
Sources of Malware Infection
• Unsavory websites
• Unpatched browser
• Low security settings
• No anti-virus software
• Links in unsolicited email
• Compromised PC on the same network
• Executing file of unknown origin
• Zero-day exploit
Antivirus Software
Antivirus software: Software capable of detecting and removing virus infections and (in most cases) other types of malware.
Heuristic: Monitoring technique that allows dynamic pattern matching based on past experience rather than relying on pre-loaded signatures.
• Can run:
  • When a file is accessed
  • At boot time
• User can:
  • Disinfect file
  • Quarantine file
  • Delete file
• Updates must be installed
Best Practices for Malware Removal
1. Identify and research malware symptoms.
2. Quarantine infected systems.
3. Disable System Restore (in Windows).
4. Remediate infected systems:
   • Update anti-malware software.
   • Scan and use removal techniques (Safe Mode, Pre-installation environment).
5. Schedule scans and run updates.
6. Enable System Restore and create restore point (in Windows).
7. Educate end user.
Malware Research
Quarantine and Remediation of Infected Systems (Slide 1 of 2)
• Disconnect network link
• Move infected system to secure work area
• Disable System Restore and automated backup systems
• Scan any removable media that was attached
• Use antivirus software on the infected system
Quarantine and Remediation of Infected Systems (Slide 2 of 2)
Malware Infection Prevention (Slide 1 of 2)
Malware Infection Prevention (Slide 2 of 2)
• Inspect and re-secure DNS configuration:
  • Flush local DNS
  • Check HOSTS file for spoofed entries
  • Check priority order for name resolution
  • Validate DNS resolvers
  • Check where forwarding queries are sent
• Check software firewalls
• Enable System Restore:
  • If disabled, re-enable
  • Create fresh restore point
• Create clean backup
• Rescan system
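The "check HOSTS file for spoofed entries" step above can be automated. The script below is an added example, not material from the CompTIA slides: it parses a HOSTS file, flags a `localhost` entry that no longer points at loopback, and flags any entry for a watched domain, distinguishing a watched host pinned to an attacker-chosen address (pharming) from one blackholed to loopback (which silently blocks antivirus updates). The watch-list names and the sample HOSTS text are constructed for the example.

```python
"""Audit a Windows-style HOSTS file for spoofed entries.

Added example (not from the CompTIA slides). The watched domain names and the
sample HOSTS text below are constructed; on a real workstation the file lives
at %SystemRoot%\\System32\\drivers\\etc\\hosts.
"""
import ipaddress

# Hypothetical watch-list: names a workstation should never resolve via HOSTS
# (an online banking site and an antivirus update host, both constructed).
WATCHED_DOMAINS = {"example-bank.test", "update.example-av.test"}

LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}

# Constructed sample: two clean lines, a legitimate internal override,
# a pharming entry, and a blackholed antivirus update host.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.test      # legitimate internal override
203.0.113.7     www.example-bank.test   # pins the bank to an address the user did not choose
127.0.0.1       update.example-av.test  # blackholes antivirus updates
"""


def parse_hosts(text):
    """Return (ip, hostname, line_no) tuples; comments and blank lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comment
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # not an address/name mapping
        for name in parts[1:]:                   # one address may map several names
            entries.append((ip, name.lower().rstrip("."), line_no))
    return entries


def is_watched(name):
    """True if name is a watched domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text):
    """Return findings as (line_no, hostname, reason) tuples."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name == "localhost":
            if ip not in LOOPBACK:
                findings.append((line_no, name, f"localhost mapped to non-loopback {ip}"))
        elif is_watched(name):
            if ip in LOOPBACK:
                findings.append((line_no, name, "watched host blackholed to loopback (blocks updates)"))
            else:
                findings.append((line_no, name, f"watched host pinned to {ip} (possible pharming)"))
    return findings


def audit_hosts_file(path):
    """Audit a HOSTS file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for line_no, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name}: {reason}")
```

Run it against the live file with `audit_hosts_file(r"C:\Windows\System32\drivers\etc\hosts")`; after cleaning the file, flush the resolver cache (`ipconfig /flushdns` on Windows) so the corrected mappings take effect, which is the "Flush local DNS" step in the list above.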
Guidelines for Reducing Malware Effects
• Perform regular backups.
• Apply OS and app security patches.
• Only allow installation of approved software.
• Install and use antivirus software:
  • Run on access.
• Configure message server filtering.
• Use administrative privileges only when necessary.
• Train users about attachments.
• Audit system events.
• Create procedures for recovery from infection.
Activity: Discussing Detecting, Removing, and Preventing Malware Infections
Activity: Using Antivirus Software
Troubleshoot Common Workstation Security Issues
Common Symptoms of Malware Infection
• Performance symptoms:
  • Fails to boot or locks up
  • Strange messages or graphics on screen
  • System or network performance is very slow
• Application crashes and service problems:
  • Security-related applications stop working
  • Applications and plug-ins stop working or crash frequently
• File system errors and anomalies:
  • File system or individual files are corrupted or deleted
  • Date stamps and file sizes change
  • Permissions change
  • New executables appear in system folders
• Examine event logs for audit failures and crash events
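The last bullet, examining event logs for audit failures and crash events, is the one that scales beyond a single machine, so here is an added example (not from the CompTIA slides) of the triage logic run over constructed log records. It buckets Audit Failure events into ten-minute windows and reports windows above a threshold, tallies which accounts the failed logons targeted, and lists crash events, escalating crashes of a security product (the name `exampleav` is hypothetical). The pipe-delimited export format is an assumption for the example; real Windows logs would first be exported from Event Viewer or with `wevtutil`.

```python
"""Triage exported event-log records for audit failures and crash events.

Added example (not from the CompTIA slides). Records are constructed in a
simple export format: time|log|event_id|keyword|source|message.
"""
import re
from collections import Counter
from datetime import datetime

# Hypothetical antivirus product name; crashes mentioning it are escalated.
SECURITY_TOOLS = ("exampleav",)

# Windows event IDs that record a crash: Application Error (1000),
# Application Hang (1002), service terminated unexpectedly (7034).
CRASH_EVENT_IDS = {1000, 1002, 7034}

ACCOUNT_RE = re.compile(r"Account Name:\s*(\S+)")

# Constructed sample export: a burst of logon failures, then the AV engine
# crashing and its service dying, then an unrelated application hang.
SAMPLE_EVENTS = """\
2018-05-01T09:14:02|Security|4625|Audit Failure|Microsoft-Windows-Security-Auditing|An account failed to log on. Account Name: helpdesk
2018-05-01T09:14:05|Security|4625|Audit Failure|Microsoft-Windows-Security-Auditing|An account failed to log on. Account Name: helpdesk
2018-05-01T09:14:09|Security|4625|Audit Failure|Microsoft-Windows-Security-Auditing|An account failed to log on. Account Name: administrator
2018-05-01T09:14:12|Security|4625|Audit Failure|Microsoft-Windows-Security-Auditing|An account failed to log on. Account Name: administrator
2018-05-01T09:14:15|Security|4625|Audit Failure|Microsoft-Windows-Security-Auditing|An account failed to log on. Account Name: backup
2018-05-01T09:14:20|Security|4625|Audit Failure|Microsoft-Windows-Security-Auditing|An account failed to log on. Account Name: backup
2018-05-01T11:02:40|Application|1000|Error|Application Error|Faulting application name: exampleav.exe, version: 1.0.0.0
2018-05-01T11:03:01|System|7034|Error|Service Control Manager|The ExampleAV Real-Time Protection service terminated unexpectedly. It has done this 3 time(s).
2018-05-01T11:30:12|Application|1002|Error|Application Hang|The program notepad.exe stopped interacting with Windows and was closed.
2018-05-01T12:00:00|Security|4624|Audit Success|Microsoft-Windows-Security-Auditing|An account was successfully logged on. Account Name: alice
"""


def parse_events(text):
    """Parse the export format into dicts; blank lines are ignored."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, log, eid, keyword, source, message = raw.split("|", 5)
        events.append({"time": datetime.fromisoformat(ts), "log": log, "event_id": int(eid),
                       "keyword": keyword, "source": source, "message": message})
    return events


def audit_failure_bursts(events, window_minutes=10, threshold=5):
    """(window_start, count) for fixed windows holding at least `threshold` Audit Failure events."""
    buckets = Counter()
    for ev in events:
        if ev["keyword"] == "Audit Failure":
            t = ev["time"]
            start = t.replace(minute=t.minute - t.minute % window_minutes, second=0, microsecond=0)
            buckets[start] += 1
    return sorted((start, n) for start, n in buckets.items() if n >= threshold)


def failed_logon_accounts(events):
    """How many failed logons (event 4625) each account name received."""
    counts = Counter()
    for ev in events:
        if ev["event_id"] == 4625:
            m = ACCOUNT_RE.search(ev["message"])
            if m:
                counts[m.group(1)] += 1
    return counts


def crash_events(events):
    return [ev for ev in events if ev["event_id"] in CRASH_EVENT_IDS]


def security_tool_crashes(events):
    """Crash events whose message names a security product (case-insensitive)."""
    return [ev for ev in crash_events(events)
            if any(tool in ev["message"].lower() for tool in SECURITY_TOOLS)]


def triage(text):
    """Summarise an export into the signals the slide calls out."""
    events = parse_events(text)
    return {
        "audit_bursts": [(start.isoformat(), n) for start, n in audit_failure_bursts(events)],
        "failed_accounts": dict(failed_logon_accounts(events)),
        "crashes": len(crash_events(events)),
        "security_tool_crashes": [ev["event_id"] for ev in security_tool_crashes(events)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The window size and threshold are tuning knobs: a burst of failed logons against several accounts inside one window, followed shortly by the antivirus engine crashing and its service terminating, is exactly the combination of "audit failures" and "security-related applications stop working" the symptom list describes.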
Web Browser Security Issues (Slide 1 of 2)
Redirection: When the user tries to open a web page but is sent to another page (which may or may not look like the page the user was attempting to access).
• Browsers are often targeted with adware and spyware:
  • Pop-ups
  • Additional toolbars
  • Home page changes suddenly
  • Search provider changes suddenly
  • Slow performance
  • Excessive crashes
• Trojans, rootkits, and botnets:
  • Firewall shows unfamiliar processes or ports trying to connect to the Internet
  • Scan of other hosts for weaknesses
  • Attempts to launch DoS attacks
Web Browser Security Issues (Slide 2 of 2)
• Virus alert hoaxes and rogue antivirus:
  • Hoax virus alerts sent as pranks:
    • Asks user to forward message to everyone
    • Contains steps to “remove” the virus
    • Actually causes damage instead
  • Rogue antivirus used to disguise trojans
  • Fake security alerts
  • Cold calling users and claiming to represent Microsoft support
Digital Certificate Issues (Slide 1 of 4)
Digital certificate: An X.509 digital certificate is issued by a CA as a guarantee that a public key issued to an organization (used to encrypt messages sent to it) genuinely belongs to that organization.
Certificate Authority (CA): A server that can issue digital certificates and the associated public/private key pairs.
• Digital certificate:
  • Wrapper for public/private key pair
  • Vouched for by a CA
• A CA installs its own root certificate on the computer:
  • Validates the CA signature on messages
• When a CA or certificate is compromised:
  • Stolen certificates exploited due to weaknesses in the key used in the certificate
Digital Certificate Issues (Slide 2 of 4)
• Browser displays certificate information in the address bar:
• Valid, trusted certificates show a padlock icon
• Highly trusted certificates show a green address bar
• Untrusted, invalid certificates show a maroon address bar
Digital Certificate Issues (Slide 3 of 4)
1. Check the domain in the address bar.
2. Only enter information using a trusted certificate.
3. Select the padlock to view the certificate holder and information about the CA that issued the certificate, and to view the certificate itself.
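The three steps above are what a browser does for the user when it compares the address-bar domain with the names in the certificate and reads off the issuing CA. The script below is an added example, not material from the CompTIA slides, that performs the same checks on the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns: it matches the hostname against the certificate's DNS names (including the single-label wildcard rule, so `*.app.example-bank.test` covers `login.app.example-bank.test` but not `app.example-bank.test`), checks the validity period, and extracts the issuing CA. `SAMPLE_CERT`, the bank and the CA named in it are constructed.

```python
"""Check a server certificate against the domain in the address bar.

Added example (not from the CompTIA slides). SAMPLE_CERT is a constructed
certificate in the form returned by ssl.SSLSocket.getpeercert().
"""
import calendar
import socket
import ssl

SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": (
        (("countryName", "XX"),),
        (("organizationName", "Example Root CA"),),
        (("commonName", "Example Root CA G1"),),
    ),
    "notBefore": "Jan  1 00:00:00 2018 GMT",
    "notAfter": "Dec 31 23:59:59 2018 GMT",
    "subjectAltName": (("DNS", "www.example-bank.test"), ("DNS", "*.app.example-bank.test")),
}


def epoch_utc(year, month, day):
    """Seconds since the epoch for midnight UTC on the given date."""
    return calendar.timegm((year, month, day, 0, 0, 0, 0, 0, 0))


def _name_matches(pattern, hostname):
    """RFC 6125-style comparison: exact match, or a single leading '*' label
    that stands for exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # wildcard only in the leftmost label, and never for a bare two-label name
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """DNS names the certificate is valid for (SAN entries, else the subject CN)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def hostname_matches(cert, hostname):
    return any(_name_matches(name, hostname) for name in cert_names(cert))


def issuer_org(cert):
    """Organization name of the CA that issued the certificate."""
    for rdn in cert.get("issuer", ()):
        for kind, value in rdn:
            if kind == "organizationName":
                return value
    return None


def check_certificate(cert, hostname, now_epoch):
    """Return a list of problems; an empty list means name and dates check out."""
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append(f"name mismatch: {hostname} is not covered by {cert_names(cert)}")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now_epoch < not_before:
        problems.append("certificate not yet valid")
    if now_epoch > not_after:
        problems.append("certificate expired")
    return problems


def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch a live server certificate. The default context already validates
    the chain against the OS trust store; the checks above do not replace that."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    now = epoch_utc(2018, 6, 15)
    print("issuer:", issuer_org(SAMPLE_CERT))
    print("problems:", check_certificate(SAMPLE_CERT, "www.example-bank.test", now))
```

These checks are deliberately the user-visible ones from the slide (name, dates, issuer); chain validation, revocation and the trust-store question of whether an unexpected root CA has been installed are handled by the browser or OS, and a name mismatch or a look-alike domain is what the padlock view lets a user catch.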
Digital Certificate Issues (Slide 4 of 4)
Email Issues
Spam: Junk messages sent over email.
Zombie PC: A PC infected with unauthorized software that directs the PC to launch a DDoS attack.
• Keep spam filters up-to-date to protect against the latest spam techniques.
• Messages filtered as spam are posted to the Junk email folder:
  • Check to see if any legitimate messages were sent to Junk.
  • Users can blacklist spammers and whitelist safe senders.
• Email is a frequently used vector for malware.
• Spam may be a symptom of malware infection:
  • Zombie PC.
  • User receives bounces, non-deliverable messages, and automated replies from unknown recipients regarding spam that was sent.
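The last symptom, bounces for spam the user never wrote, can be separated from ordinary delivery failures automatically. The script below is an added example, not material from the CompTIA slides: it recognises delivery-status notifications by sender, `Auto-Submitted` header or report content type, pulls the quoted Message-ID of the bounced message out of the notification, and compares it with the Message-IDs the user actually sent. Bounces that refer to unknown Message-IDs are backscatter and a reason to suspect a zombie PC. The sent-ID set and all three messages are constructed.

```python
"""Separate backscatter bounces from a user's own delivery failures.

Added example (not from the CompTIA slides). SENT_MESSAGE_IDS stands in for
the Message-IDs found in the user's Sent folder; the messages are constructed.
"""
import email
import re
from collections import Counter
from email import policy

SENT_MESSAGE_IDS = {"<20180501.0001@ws17.corp.test>"}

# A bounce for a message the user really sent (an ordinary delivery failure).
OWN_BOUNCE = """\
From: MAILER-DAEMON@mx.example-isp.test
To: alice@corp.test
Subject: Undelivered Mail Returned to Sender
Auto-Submitted: auto-replied
Message-ID: <b1@mx.example-isp.test>

This message could not be delivered to the recipient.
---- Original message headers ----
Message-ID: <20180501.0001@ws17.corp.test>
Subject: Q2 budget
"""

# A bounce for spam the user never wrote: the workstation may be a zombie.
BACKSCATTER = """\
From: postmaster@mail.unknown-recipient.test
To: alice@corp.test
Subject: Delivery Status Notification (Failure)
Message-ID: <b2@mail.unknown-recipient.test>

Your message was rejected by the recipient's spam filter.
---- Original message headers ----
Message-ID: <zq9f2k@ws17.corp.test>
Subject: CHEAP MEDS !!!
"""

# Ordinary mail, not a bounce at all.
NORMAL = """\
From: bob@corp.test
To: alice@corp.test
Subject: Lunch?
Message-ID: <m3@corp.test>

Noon at the usual place?
"""

MESSAGE_ID_RE = re.compile(r"Message-ID:\s*(<[^>]+>)", re.IGNORECASE)


def is_bounce(msg):
    """Delivery-status heuristics: daemon sender, Auto-Submitted header, or report type."""
    sender = (msg.get("From") or "").lower()
    if sender.startswith(("mailer-daemon", "postmaster")):
        return True
    if (msg.get("Auto-Submitted") or "").lower().startswith("auto-"):
        return True
    return msg.get_content_type() == "multipart/report"


def original_message_id(msg):
    """Message-ID of the bounced message as quoted in the bounce body, or None."""
    body = str(msg) if msg.is_multipart() else msg.get_payload()
    m = MESSAGE_ID_RE.search(body)
    return m.group(1) if m else None


def classify(raw, sent_ids=SENT_MESSAGE_IDS):
    """'not_bounce', 'own_bounce' (refers to mail the user sent) or 'backscatter'."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_bounce(msg):
        return "not_bounce"
    return "own_bounce" if original_message_id(msg) in sent_ids else "backscatter"


def triage_inbox(raws, sent_ids=SENT_MESSAGE_IDS):
    """Count each class of message across an inbox."""
    return Counter(classify(raw, sent_ids) for raw in raws)


if __name__ == "__main__":
    print(dict(triage_inbox([OWN_BOUNCE, BACKSCATTER, NORMAL])))
```

A single backscatter message can also be caused by a spammer forging the user's address elsewhere, so the count is a prompt to check the workstation (outbound connections in the firewall log, unfamiliar processes, a full antivirus scan) rather than proof of infection on its own.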
Guidelines for Troubleshooting Common Workstation Security Issues (Slide 1 of 3)
• Symptoms of malware infection might include:
  • Performance issues such as failure to boot, lock ups, slow performance, or strange messages or images on screen.
  • Frequent application crashes and service problems.
  • Changes to system files or changes to file permissions.
  • Event log entries showing a high number of audit failures or application and service crash events.
Guidelines for Troubleshooting Common Workstation Security Issues (Slide 2 of 3)
• Web browsers are frequent targets for malware delivery:
  • May be adware or spyware.
  • Might redirect users to a site that imitates the site the user attempted to access.
• As a compromised PC attempts to communicate with its handler, unfamiliar processes or ports show up in firewall log files.
• Hoax virus alerts request users to forward the message, or include steps to remove the virus where the steps do the actual damage.
• Rogue antivirus disguises Trojans.
Guidelines for Troubleshooting Common Workstation Security Issues (Slide 3 of 3)
• Check for compromised CAs.
• Verify the padlock icon is shown in browsers for secure sites and that the address bar is not maroon, which would indicate an untrusted, insecure site.
• Email issues include:
  • Check the Junk email folder to ensure legitimate emails are not improperly flagged.
  • Make sure users understand the potential issues in running email file attachments.
Activity: Discussing Troubleshooting Common Workstation Security Issues
Activity: Identifying Security Protection Methods
Reflective Questions
1. Which best practice for minimizing the effect of malware do you think is most important?
2. How might you recognize a possible spyware or adware infection on a workstation?