Data Recovery Service, Information Security and Information Forensic Articles.

The most dangerous virus to destroy your data in 2010 to 2011

Friday, April 2nd, 2010

VBScript virus attacks are still very common, as is evident from the many reports complaining about this type of script virus. One virus that has shot up to first place is Discusx.vbs. If you recall the Virus Top-10 of March 2008, Discusx.vbs was ranked 5th there, but this time it has jumped to first place. The list in detail:

1. Discusx.vbs
This VBScript virus is about 4800 bytes in size. It tries to infect every drive on your computer, including flash disk drives; on an infected drive it creates an autorun.inf file and System32.sys.vbs in the root directory. In addition, it changes the caption of Internet Explorer to “.: Iscus-X SAY MET LEBARAN! [HAPPY LEBARAN ?!]::.”.

2. Reva.vbs
Another VBScript virus that a number of readers have complained about. It tries to spread itself to every drive on your computer, including flash disk drives. An infected drive will contain the files reva.vbs, autorun.inf, and shaheedan.jpg. In addition, it changes the default page of Internet Explorer so that it leads to other sites.

3. XFly
PC Media Antivirus recognizes two variants of this virus, XFly.A and XFly.B. Like most other local viruses, it is written in Visual Basic. Its body is 143,360 bytes uncompressed. It may disguise itself as a folder, as an MP3 file with the WinAmp icon, or in other ways by directly changing the icon resource in its body, which makes it harder for ordinary users to recognize. On an infected computer, the Internet Explorer caption is changed to x-fly “..:: ::..”, and when Windows starts a message from the virus author appears in the default browser. In addition, at 12:30, 16:00, or 20:00 each day, the virus displays a black screen that also contains messages from the virus author.

4. Explorea
A virus compiled with Visual Basic, about 167,936 bytes in size uncompressed. It uses the standard Windows folder icon to deceive victims. It attacks the Windows Registry to change the default open action for several extensions, such as .LNK, .PIF, .BAT, and .COM. On infected computers an error message sometimes appears at certain moments, for example when opening System Properties.

5. Gen.FFE
Gen.FFE, named Fast Firus Engine by its author, is a locally made Virus Generator program. With this program it takes very little time to create a new virus or variant. Viruses produced by it use the standard Windows folder icon. The virus blocks access to Task Manager and Command Prompt and removes some entries from the Start Menu. It also reads the captions of running programs, and if it finds strings associated with an antivirus program it immediately shuts that program down.

6. Empty
Also written in Visual Basic, with a folder icon, about 110,592 bytes in size uncompressed. It makes many changes to Windows, such as to the Registry and the file system, which can even render Windows unusable. On computers infected by this virus, a message from the virus author is displayed when Windows starts.

7. Raider.vbs
This VBScript virus is 10,000 bytes in size; if the virus file is opened in Notepad, for example, many of its strings cannot be read because they are encrypted. In the Registry it also leaves a marker by creating a new key under HKEY_LOCAL_MACHINE\Software with the same name as the computer name, containing string values such as the virus name, Raider, and the date the computer was first infected.

8. ForrisWaitme
A virus written in Visual Basic that uses the Windows default folder icon as a disguise. Among its tricks: it swaps the functions of the left and right mouse buttons, removes the Folder Options menu, creates a message file “read saya.txt” on infected drives, and more.

9. Pray
A local virus written in Visual Basic. We found 2 variants: Pray.A has no icon, while Pray.B uses an icon like that of Windows Explorer. On an infected computer, when the clock shows 05:15 AM, 13:00, 16:00, 18:30, or 19:45, this virus displays a message reminding the user to perform the prayer.

10. Rian.vbs
This VBScript virus is 3788 bytes in size. When infecting, it creates the new files autorun.inf and RiaN.dll.vbs in the root of every drive inserted into the victim’s computer, including flash disks. On an infected computer, the Internet Explorer caption changes to “Rian P2 Cantiq PR

What Is Certification and Accreditation for Security Professional?

Saturday, December 5th, 2009

Certification is the comprehensive evaluation of the technical and nontechnical security features of an information system and the other safeguards created in support of the accreditation process, to establish the extent to which a particular design and implementation meets the set of specified security requirements.

Accreditation is the formal declaration by a Designated Approving Authority (DAA) that an information system is approved to operate in a particular security mode by using a prescribed set of safeguards at an acceptable level of risk. Recertification and reaccreditation are required when changes occur in the system and/or its environment, or after a defined period of time after accreditation.

C&A is required for all federal government departments and agencies, as determined by the National Policy on Certification and Accreditation of National Security Telecommunications and Information Systems, issued April 8, 1994. The policy is intended to provide the national security community with standard methodologies for C&A processes, assign authority and responsibilities, and lay a basis for mutual recognition of certification results in order to ensure the security of national security systems. Its goals are the development of cost-effective policies, procedures, and methodologies for the C&A of national telecommunications and information systems.

Two of the most used C&A standards are the aforementioned NIACAP and DITSCAP. As mentioned in the previous section of this chapter, the Defense Information Assurance Certification and Accreditation Process (DIACAP) was recently developed to replace DITSCAP, and is intended to make DoD C&A easier. We will describe each of these processes in detail later in the subsection on C&A phases.

NIST C&A Documents

NIST has developed a suite of documents for conducting C&A, including:

· Special Publication 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems”
· Special Publication 800-53, “Security Controls for Federal Information Systems (interim guidance)”
· Special Publication 800-53A, “Techniques and Procedures for Verifying the Effectiveness of Security Controls in Federal Information Systems”
· NIST Special Publication 800-59, “Guideline for Identifying an Information System as a National Security System”
· NIST Special Publication 800-60, “Guide for Mapping Types of Information and Information Systems to Security Objectives and Risk Levels”

C&A Roles and Responsibilities

Many roles are involved in the C&A process. Several of these roles, such as the system owner, system manager, configuration manager, systems administrator, and risk analyst, are defined in other chapters of this book.

Using the DITSCAP as a model, the four minimum roles needed to perform a C&A are the:

1. IS program manager
2. Designated Approving Authority (DAA), also referred to as the accreditor
3. Certification agent (certifier)
4. User representative

The individuals in these roles tailor and scope the C&A efforts to the particular mission, environment, system architecture, threats, funding, and schedule of the system. These individuals resolve critical schedule, budget, security, functionality, and performance issues. We’ll examine these roles in more detail in the following subsections.

Additional roles may be added to increase the integrity and objectivity of C&A decisions. For example, the Information Systems Security Officer (ISSO) usually performs a key role in the maintenance of the security posture after the accreditation and may also play a key role in the C&A of the system.

Program Manager

The program manager represents the interests of the system in areas such as:

· Acquisition
· Life cycle schedules
· Funding responsibility
· System operation
· System performance
· Maintenance

Which organization the program manager represents is determined by the phase in the life cycle of the system. The program manager coordinates all aspects of the system from initial concept, through development, to implementation and system maintenance. The DAA, certifier, and user representative give advice, information, and guidance to the program manager throughout the C&A.

The program manager:

· Is the primary authorization advocate
· Is responsible for the IS throughout the life cycle (cost, schedule, and performance of the system development)
· Ensures that the security requirements are integrated in a way that will result in an acceptable level of risk to the operational infrastructure as documented in the System Security Authorization Agreement (SSAA)
· Keeps all C&A participants informed of life cycle actions, security requirements, and documented user needs

Additionally, the program manager provides details of the system and its life cycle management to the DAA, certifier, and user representative during Phase 2. The program manager must verify that the implementation of the system is consistent with the system security characteristics reflected in the SSAA.

As additional system details become available, the program manager ensures the SSAA is updated. At the end of Phase 2, the program manager ensures that a configuration management procedure is in place and that the system is properly controlled during the certification process.

The PM also ensures that the certification-ready system is under configuration management during Phase 3. The DAA, certifier, and user representative validate that the operational environment and system configuration are consistent with the security characteristics reflected in the SSAA.

Designated Approving Authority (DAA)

The DAA is the primary government official responsible for implementing system security. The DAA is an executive with the authority and ability to balance the needs of the system with the security risks. He or she determines the acceptable level of residual risk for a system and must have the authority to oversee the budget and IS business operations of systems under his or her purview.

Based on the information available in the SSAA, the DAA can grant the accreditation, an Interim Approval to Operate (IATO), or may determine that the system’s risks are not at an acceptable level and it is not ready to be operational. In reaching these decisions, the DAA is supported by all the documentation provided in the SSAA.

Certification Agent

The certifier (or certification team) provides the technical expertise to conduct the certification throughout the system’s life cycle based on the security requirements documented in the SSAA. The certifier determines the existing level of residual risk and makes an accreditation recommendation to the DAA. The certifier is the technical expert who documents tradeoffs among security requirements, cost, availability, and schedule to manage security risk.

The certifier determines whether a system is ready for certification and conducts the certification process – a comprehensive evaluation of the technical and nontechnical security features of the system. At the completion of the certification effort, the certifier reports the status of certification and recommends to the DAA whether to accredit the system based on documented residual risk.

To avoid conflicts of interest, the certifier should be independent from the organization responsible for the system development or operation. Organizational independence of the certifier ensures the most objective information for the DAA to make accreditation decisions.

User Representative

The operational interests of system users are vested in the user representative. In the C&A process, the user representative is concerned with system availability, access, integrity, functionality, performance, and confidentiality as they relate to the mission environment.

Users and their representatives are found at all levels of an agency. As noted in the SSAA, the user representative:

· Is responsible for the identification of operational requirements
· Is responsible for the secure operation of a certified and accredited IS
· Represents the user community
· Assists in the C&A process
· Functions as the liaison for the user community throughout the life cycle of the system
· Defines the system’s operations and functional requirements
· Is responsible for ensuring that the user’s operational interests are maintained throughout system development, modification, integration, acquisition, and deployment

Information Systems Security Officer (ISSO)

The ISSO is the person responsible to the DAA for ensuring that security is provided for and implemented throughout the life cycle of an IS, from the beginning of the system concept development phase through its design, development, operation, maintenance, and secure disposal. As per NIST 800-37, the ISSO is the agency official responsible for carrying out the Chief Information Officer responsibilities under FISMA.

NIACAP Roles

The NIACAP roles are virtually identical to the DITSCAP roles. The four minimum roles needed to perform a NIACAP security assessment are the:

· IS program manager
· Designated Approving Authority (DAA), also referred to as the accreditor
· Certification agent (certifier)
· User representative

The individuals in these roles tailor and scope the C&A efforts to the particular mission, environment, system architecture, threats, funding, and schedule of the system. These individuals resolve critical schedule, budget, security, functionality, and performance issues.

DIACAP Roles

The DIACAP is intended to make C&A easier than either the DITSCAP or the NIACAP, as we will see in later chapters. The key participants in the DIACAP process are:

· DAA
· Information Assurance Manager
· Program Manager
· User Representative
· Certification Authority

NIST C&A Roles

NIST publication 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems,” describes these roles a little differently. For example, the DAA is referred to as the Authorizing Official.

NIST 800-37 also defines the role of Chief Information Officer. The Chief Information Officer is the agency official responsible for:

· Designating a senior agency information security officer
· Developing and maintaining information security policies, procedures, and control techniques to address all applicable requirements
· Training and overseeing personnel with significant responsibilities for information security
· Assisting senior agency officials concerning their security responsibilities
· Reporting annually, in coordination with other senior agency officials, to the agency head on the effectiveness of the agency information security program, including progress of remedial actions

C&A Phases

The phases of DITSCAP and NIACAP are also virtually identical. C&A is commonly composed of four phases:

1. Definition – This phase is focused on understanding the IS business case, the mission, environment, and architecture to determine the security requirements and level of effort necessary to achieve certification and accreditation. The objective of Phase 1 is to agree on the security requirements, C&A boundary, schedule, level of effort, and resources required.
2. Verification – Phase 2 confirms the evolving or modified system’s compliance with the information in the SSAA (or the System Security Plan in NIACAP). The objective of Phase 2 is to ensure that the fully integrated system will be ready for certification testing.
3. Validation – Phase 3 confirms compliance of the fully integrated system with the security policy and requirements stated in the SSAA. The objective of Phase 3 is to produce the required evidence to support the DAA in making an informed decision to grant approval to operate the system (accreditation or Interim Approval to Operate [IATO]).
4. Post Accreditation – The Post Accreditation phase starts after the system has been certified and accredited for operations. Phase 4 includes those activities necessary for the continuing operation of the accredited IS in its computing environment and for addressing the changing threats and small-scale changes a system faces through its life cycle. The objective of Phase 4 is to ensure secure system management, operation, and maintenance to preserve an acceptable level of residual risk. Phase 4 continues until the information system is removed from service (decommissioned), undergoes major revisions, or requires a periodic compliance validation.

Each phase consists of defined activities with specific tasks and procedures, as will be seen in later chapters.

DIACAP Phases

The DIACAP process is a little different from DITSCAP or NIACAP.

The overall process is similar to other C&A activities. The DIACAP process is expected to consist of five phases, with subordinate tasks:

1. Initiate and Plan IA C&A:
   o Register system with DoD Component IA Program.
   o Assign IA controls.
   o Assemble DIACAP team.
   o Develop DIACAP strategy.
   o Initiate IA implementation plan.
2. Implement and Validate Assigned IA Controls:
   o Execute and update IA implementation plan.
   o Conduct validation activities.
   o Combine validation results in DIACAP Scorecard.
3. Make Certification Determination and Accreditation Decisions:
   o Analyze residual risk.
   o Issue certification determination.
   o Make accreditation decision.
4. Maintain Authority to Operate and Conduct Reviews:
   o Initiate and update lifecycle implementation plan for IA controls.
   o Maintain situational awareness.
   o Maintain IA posture.
5. Decommission System:
   o Conduct activities related to the disposition of the system data and objects.

Corrupt access database recovery

Sunday, November 8th, 2009
Access databases are among the easiest databases to damage. Usually an error occurs in the binary file structure of the database, leaving the database unusable. Corruption of .mdb databases is common, often small and generally unnoticed by the user, who only discovers it once the corruption has become worse.

The most common causes of corrupt Access databases are: hardware failures, software crashes, JET engine crashes, multi-user access, inefficient database design, virus attacks, password protection, unexpected system shutdowns and power failures.

You can often recover a damaged Access database by following some simple steps:

Make a backup of the corrupt file – as soon as possible, and before running any recovery on the damaged file.

Restore the database from previous backups – regular backups should be performed to limit the potential problems caused by database corruption.

Use the built-in “Compact and Repair” function – like other MS Office programs (Word, Excel, ...), MS Access has a useful built-in function called “Compact and Repair”. To use the function:

1. Open a new database
Note: It is not necessary to open a new database; this function is available even when no database is open.
2. Click the Tools menu and choose Database Utilities > Compact and Repair Database.
3. The Database Compact dialog box appears; select the right .mdb file and click Compact.
4. The corrupt Access database will be repaired.
Note: Be careful when performing a recovery with this method, because the recovery process can sometimes make the damage worse. So always back up the corrupted file before applying this method.

Using the MS Jet Compact Utility
JetComp.exe is designed to repair minor damage in Access databases. This recovery method is much safer than the built-in Compact and Repair function in MS Access.

Import tables into a new database
You can create a new database and import all the data and tables by using different methods:
1. Use the “Import Wizard” to transfer all the table structures into the new database.
2. Manually recreate the tables in the new database with “SQL and VB coding”.

Send the file to a data recovery company
If in practice all the above measures have not given satisfactory results, you can send the file to an Access database repair business such as RSE Data Recovery.

RSE Data Recovery rebuilds MS Access databases and recovers completely damaged files. RSE Data Recovery restores the damaged file and creates a copy of the original as a template for restoring the lost database structure. The engineers repair lost tables and data structures, memo data, OLE data, table relationships, the original data format and password-protected databases, and convert MDE database files into .mdb database files.

RSE Data Recovery is a leading provider of data recovery services, including hard drive recovery, file repair, file recovery, database recovery, backup recovery and email recovery. The company provides advanced data recovery technology and services. RSE Data Recovery recovers data from Windows (95, 98, ME, NT, 2000, 2003, XP), Apple Macintosh, Linux, Novell and Unix operating systems, and from FAT, NTFS, NTFS5, HFS, HFS+, NWFS, JFS, EXT2 and EXT3 file systems.

RAID Data Recovery Case

Thursday, October 29th, 2009

Fault Description:
A RAID card hardware failure caused three of the four RAID5 groups on the system to become unrecognizable. The data in the array was very important; even replacing the RAID card and reconfiguring the RAID information would not guarantee the safety of the data. After further consideration, the customer decided to find a relatively safe way to get the data out first, and to replace the faulty hardware afterwards.

Solution:

Faced with 42 fibre-channel 146GB hard drives pulled from the array, an engineer without a wealth of experience and deep knowledge of data recovery could neither keep calm himself nor reassure the customer. Our engineers calmly took over the project.
The first step was to determine, from disks 1 to 42, which disks belonged to the first, second and third faulty RAID5 groups of 14 disks each. The 14 disks of each RAID5 set did not occupy 14 consecutive slots; fortunately the hardware engineers had kept a detailed record when configuring the RAID, so the analysis of the 42 disks to confirm the membership of each 14-disk RAID5 group was completed successfully.

The second step was analysing the data layout. This is the most critical step in RAID data recovery: once the layout of one RAID5 group has been worked out, the other two groups follow as a matter of course. In our experience RAID5 is the most common layout and relatively easy to analyse, unlike HP RAID ADG, RAID 1+E or extended RAID 1, which are harder. The engineers quickly worked out the data layout.

The third step was reassembling the data. If analysing the layout is the key step in the case, then reassembling the data is the core technology. Fly-off data recovery uses its own proprietary RAID data reassembly software, with which any RAID can be reassembled. Some data recovery companies, whenever the RAID algorithm is more complicated and the data recovery software on the market cannot handle it, conclude that it cannot be repaired. The root cause is a lack of professional skill: using second-rate or cracked foreign data recovery software to restore a high-end RAID failure can only succeed by luck, without theoretical or technical support. Fly-off’s RAID recovery technology can show in theory which failures are recoverable and which cannot be saved.
Problems encountered in actual operation:

Unexpected things can happen at any time. In a RAID data recovery, do not say OK before the data is displayed in front of your eyes, because there are many uncertainties ahead. We had thought the first RAID group would be rebuilt very smoothly, but unexpectedly one of the 14 disks was not recognized normally, so we reassembled the data without that disk; then, unexpectedly, about 70GB into the combined data a large number of physical bad sectors were found and we could only stop. When a RAID5 turns out to have two or more physical disk failures, this is the stage of a data recovery at which people’s mood is most depressed and hard to bear. But following the rule of thumb, we decided to image the disk with bad sectors separately and then reassemble from the image files. If that did not work, we could only repair the unrecognized disk. Finally we overcame all the difficulties and successfully recovered all the data.

Summary:
When a high-end storage device fails, we must first think of the importance of the data; in fact this is a matter of awareness and of backups. If the data is very important, we recommend not performing any drastic operation on the faulty equipment (such as Rebuild, initialization, data synchronization, recreating the RAID, etc.); these operations are often fatal and are not reversible. Seek a professional data recovery company to provide you with a reasonable recovery plan, and you can rest assured in sending your hard drives to the operating table. If a non-professional company asks you to provide the array card or to bring the server back up, you should question its technical reliability.
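
The parity principle behind reassembling a RAID5 group with one unreadable member, as an added example; it is not the recovery firm’s software. It assumes the layout analysis (block size, member order, parity rotation) is already done, uses a left-asymmetric rotation and a constructed payload, and refuses to rebuild when two members are missing, which is the situation the case describes as the most depressing stage.

```python
"""RAID5 reassembly with one unreadable member.

Added example of the parity principle behind the case above; it is not the
recovery firm's software. Layout parameters (block size, member order,
left-asymmetric parity rotation) are assumed known, and the payload is
constructed sample data.
"""
from functools import reduce


def xor_blocks(blocks):
    """XOR an iterable of equal-length byte strings, byte by byte."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def parity_slot(stripe, n_members):
    """Left-asymmetric RAID5: parity sits on the last member for stripe 0 and
    moves one member to the left on each following stripe."""
    return (n_members - 1 - stripe) % n_members


def build_raid5(payload, n_members, block_size):
    """Stripe payload across n_members 'disks'; each stripe holds n_members-1
    data blocks plus one parity block. Returns a list of per-member block lists."""
    data_per_stripe = (n_members - 1) * block_size
    payload += b"\x00" * ((-len(payload)) % data_per_stripe)  # pad last stripe
    members = [[] for _ in range(n_members)]
    for stripe, off in enumerate(range(0, len(payload), data_per_stripe)):
        chunk = payload[off:off + data_per_stripe]
        data = [chunk[i:i + block_size] for i in range(0, data_per_stripe, block_size)]
        parity = xor_blocks(data)
        next_data = iter(data)
        for slot in range(n_members):
            members[slot].append(parity if slot == parity_slot(stripe, n_members)
                                 else next(next_data))
    return members


def rebuild_member(members):
    """Rebuild the single member given as None from the survivors.

    Returns (index, blocks). With two or more members gone, single parity is
    not enough information, so the function refuses rather than guess.
    """
    missing = [i for i, m in enumerate(members) if m is None]
    if len(missing) != 1:
        raise ValueError(f"RAID5 can rebuild exactly one member, {len(missing)} are missing")
    survivors = [m for m in members if m is not None]
    rebuilt = [xor_blocks(m[s] for m in survivors) for s in range(len(survivors[0]))]
    return missing[0], rebuilt


def reassemble(members):
    """Read the data blocks back in stripe order, skipping the parity block."""
    n = len(members)
    out = bytearray()
    for stripe in range(len(members[0])):
        for slot in range(n):
            if slot != parity_slot(stripe, n):
                out += members[slot][stripe]
    return bytes(out)


def demo(n_members=5, block_size=4, failed=2):
    """Build an array, lose one member, rebuild it, and compare the payload."""
    payload = b"RAID5 parity lets one missing member be rebuilt from the rest."
    disks = build_raid5(payload, n_members, block_size)
    damaged = list(disks)
    damaged[failed] = None  # the member the controller no longer recognizes
    index, blocks = rebuild_member(damaged)
    damaged[index] = blocks
    recovered = reassemble(damaged).rstrip(b"\x00")
    return recovered == payload, recovered


if __name__ == "__main__":
    ok, data = demo()
    print("rebuild successful" if ok else "rebuild FAILED", data)
```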

How to recover permanently deleted data

Thursday, October 29th, 2009

Computer users often find that, through negligence or for other reasons, some data they need has been permanently deleted. If that data cannot be found anywhere else, it is hard to recreate. What should you do when you run into such a problem? Is it hard to do yourself, or is the data simply gone, with all the effort and sweat put into it wasted? No! In many cases the data can be found again. Here I will tell you some ways.
Data can be permanently deleted in two ways. The first is deleting the data, emptying the Recycle Bin and clearing the system information. Under normal circumstances, when we talk about permanent deletion we mean the first. In the first case, as long as the data has not been overwritten, it can basically be recovered. What I want to discuss is data recovery in this first case.
Windows is the most commonly used system, so here I introduce methods for recovering permanently deleted data under Windows. From the point of view of storage addresses, stored data consists mainly of two parts: one is the directory information, which lets the system manage all data quickly; the other is the data itself. When data is deleted under Windows, only the directory area (FAT or MFT) is changed, so the system by default treats that piece of data as no longer existing and the space it occupied as free. The region where the data itself is stored has not changed at all, which means the data is still fully present. Based on this principle, as long as no new data has been written to the address where the deleted data is stored, the data can be found again! Every file format has its own standard start code and end code, and also its size; based on the start code, end code and size, we can delimit the area this file occupies, extract the code in that area and save it in a separate file in its own format, and the data is successfully restored.
The above describes the basic principles and operations of data deletion and recovery. The recovery operation has certain limitations: the data region itself must be intact in order to restore the data. So when you accidentally delete data, you must stop using the hard disk, or even not start it at all, especially if the deleted data was located in the system area; you should shut down immediately, because the temporary files written by the running system are likely to damage your lost data. If you do not really understand these matters, do not operate indiscriminately; seek professional help from a third party.
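
The start-code/end-code principle described above, as an added signature-based carver (not code from the original post). The JPEG and PNG signatures are real, the small disk image is constructed inline, and the carver also shows the limitation the post names: a file whose end code has been overwritten is skipped rather than recovered.

```python
"""Signature-based carving of deleted files from raw disk bytes.

Added example of the start code / end code principle described above; not
code from the original post. The JPEG and PNG signatures are real; the disk
image is constructed inline and labelled as such.
"""

# Start and end codes of two common formats. A real carver would also use the
# size fields inside each format; this one relies on the end code alone, so a
# JPEG with an embedded EXIF thumbnail would be cut at the thumbnail's end code.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}
MAX_SIZE = 10 * 1024 * 1024  # stop looking for an end code beyond this many bytes


def carve(image, signatures=SIGNATURES, max_size=MAX_SIZE):
    """Return [(kind, offset, data)] for every complete header/footer pair.

    A header with no footer inside max_size bytes is treated as overwritten or
    truncated and skipped: only a file whose data region is still intact can
    be brought back, which is the limitation the post describes.
    """
    found = []
    for kind, (header, footer) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                pos = image.find(header, pos + 1)  # no end code: not recoverable
                continue
            end += len(footer)
            found.append((kind, pos, image[pos:end]))
            pos = image.find(header, end)  # resume after the carved file
    return sorted(found, key=lambda item: item[1])


# Constructed sample files (minimal, not valid images, but carrying the codes).
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 24 + b"\xff\xd9"
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x02" * 17
              + b"IEND\xae\x42\x60\x82")
TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + b"\x03" * 12  # end code overwritten


def build_sample_image():
    """A constructed 'unallocated space' blob: the directory entries are gone,
    the file bytes are still there, and one JPEG has lost its end code."""
    return (b"\x00" * 64 + SAMPLE_JPEG + b"\xaa" * 32 + SAMPLE_PNG
            + b"\x00" * 16 + TRUNCATED_JPEG)


if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_image()):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```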