Malware / Port Question
Your secretary downloaded and installed what she thought was a useful free calendar program, now a port scan shows some new ports opened on her computer. What has happened?
- Malware has opened listening ports on her computer
- She violated Corporate IT Security Policy
- Her computer could have been infected
- Nothing. It is normal for a computer to have open ports
The obvious answer looks like - Malware has opened listening ports on her computer ... however, if one wears a manager hat, then the next option - She violated Corporate IT Security Policy - could be right?
Any thoughts, folks?
Cheers
Sam
Comments
We can't download or install anything at work...
- Her computer could have been infected
According to my simple logic this would be the most rational answer as:
- Malware has opened listening ports on her computer - not 100% sure that the computer is infected - needs to be investigated further to get certainty
- She violated Corporate IT Security Policy - we do not know what the policy is based on the limited info provided by the question
- Nothing. It is normal for a computer to have open ports - very unlikely..
Great fun if you have to answer 250 questions like that..
-- Malware has opened listening ports on her computer -- I don't buy it since there's no hard evidence of malware presented in the question. Open ports is normal and it doesn't necessarily mean malware. Even new open ports could indicate some reconfiguration has happened or new other software was installed.
-- She violated Corporate IT Security Policy -- I don't think so, because there's no evidence that this corp has an IT security policy that prohibits installation of 3rd party software. Plus, policy in general shouldn't even do so, it is a general document that states some stuff like "we as a company do whatever is possible to protect our PCs". Prohibited 3rd party software installation, I'd say, would be a standard or "acceptable use" signed agreement.
-- Her computer could have been infected -- Yeah, that's something that I would choose. Because it talks in terms of probability, it could be, it could be not, overall situation looks sketchy, but without investigation it only looks so and could very easily be a false positive and calendar application is actually a calendar application, nothing else.
-- Nothing. It is normal for a computer to have open ports -- Good answer, but probably not for a security consultant. It's really okay to have open ports, but new open ports is a change to a baseline and needs to be investigated. Since we have an indication of change in computer's behavior (new open ports) it's worth investigating. We can't just say "it's normal" and do nothing.
- I can't confirm that calendar app was malware. Legitimate apps could do this or it could be unrelated. Full incident response and analysis is needed to determine this.
- I have no idea what the current policy is or even if there's one. Why are we assuming it exists?
- Something did happen and change was introduced from a (hopefully) known-good config as new ports showed up as open. No idea if this is benign or malicious.
Least sucky answer supported by the question: 'Her computer could have been infected'.
Well then the management needs a flick too:)
Sec+ : infected?
CEH : malware, hacker has gained access to the network
CASP : infected
CISSP : policy
CISM : IRM (incident response management): investigate, contain the risk (if any) and let user continue with her work
CISA : insufficient controls to minimize risk, do not take action, raise audit red flag
MCSA : this is a server app, of course it has listening ports.
Well said. Agree with this interpretation.
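Several replies above make the point that new open ports are a change from a known-good baseline and need investigating before anyone can call them malware. As an added example (not posted by anyone in the thread), this sketch diffs two listener snapshots and ranks what is new; it assumes Windows `netstat -ano` style output, and the snapshots, ports and PIDs are constructed sample data.

```python
import re

# Constructed sample data: two `netstat -ano` style snapshots from one workstation.
BASELINE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       2100
  TCP    10.0.0.23:49712        10.0.0.5:443           ESTABLISHED     3344
"""
CURRENT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       2100
  TCP    0.0.0.0:8089           0.0.0.0:0              LISTENING       5120
  TCP    127.0.0.1:49900        0.0.0.0:0              LISTENING       5120
  TCP    [::]:8089              [::]:0                 LISTENING       5120
"""

LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:(\w+)\s+)?(\d+)\s*$")

def listeners(snapshot):
    """Return {(proto, address, port): pid} for listening sockets only."""
    found = {}
    for line in snapshot.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, addr, port, state, pid = m.groups()
        # UDP rows have no state column; TCP rows count only when LISTENING.
        if proto == "TCP" and state != "LISTENING":
            continue
        found[(proto, addr, int(port))] = int(pid)
    return found

def new_listeners(baseline, current):
    """List listeners absent from the baseline, network-exposed ones first."""
    before, after = listeners(baseline), listeners(current)
    report = []
    for key in sorted(set(after) - set(before)):
        proto, addr, port = key
        exposed = addr not in ("127.0.0.1", "[::1]")  # reachable from the network
        report.append({"proto": proto, "addr": addr, "port": port,
                       "pid": after[key], "network_exposed": exposed})
    return sorted(report, key=lambda r: not r["network_exposed"])

if __name__ == "__main__":
    for row in new_listeners(BASELINE, CURRENT):
        print(row)
```

The owning PID on each new listener is what lets an investigator tie the port to the program that opened it, which is the evidence the question itself does not provide.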