Keystroke and terminal loggers can also glean encryption keys, thereby enabling successful
cryptanalysis attacks that result in the ability to decrypt encrypted information.
Rootkit Prevention
Prevention is the best cure; adopting measures that prevent rootkits from being installed is far
better than having to detect and eradicate them after they are installed. In a way the term "rootkit
prevention" does not make sense, however, because rootkit installation is something that occurs
after a system is compromised at the superuser level. The one essential element in preventing rootkits
from being installed, therefore, is keeping systems from being compromised in the first place.
Some measures that accomplish this goal include using prophylactic measures, running software
that detects and eradicates rootkits, patch management, configuring systems appropriately, adhering
to the least privilege principle, using firewalls, using strong authentication, practicing good
security maintenance, and limiting compilers.
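Two of the measures listed above, least privilege and limiting compilers, can be applied together with a small audit script. The following POSIX shell script is an added example, not code from the book: it lists compiler and linker binaries under a directory that are executable by everyone, and then strips the world read and execute bits so that only the owner and group can run them. The directory path and the list of binary names are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book): audit and tighten permissions on compiler
# binaries so that unprivileged, non-member users cannot run them.
# Assumptions: a Unix-like host, a POSIX shell, and that the caller has
# permission to chmod the files in the directory passed as the argument.

# Common compiler/assembler/linker names to audit (constructed list).
COMPILER_NAMES="gcc cc c++ g++ clang as ld"

# Print every compiler under $1 whose world-execute bit (o+x, octal 001) is set.
find_world_executable_compilers() {
    dir="$1"
    for name in $COMPILER_NAMES; do
        f="$dir/$name"
        [ -f "$f" ] || continue
        # -perm -001 matches files with the "other" execute bit set.
        if [ -n "$(find "$f" -perm -001 2>/dev/null)" ]; then
            echo "$f"
        fi
    done
}

# Remove world read/execute from each world-executable compiler under $1,
# reporting each file that was changed.
restrict_compilers() {
    dir="$1"
    find_world_executable_compilers "$dir" | while read -r f; do
        chmod o-rx "$f"
        echo "restricted $f"
    done
}

# Stand-alone usage: audit (and, with "fix", restrict) the directory given.
if [ "${1:-}" != "" ]; then
    if [ "${2:-}" = "fix" ]; then
        restrict_compilers "$1"
    else
        find_world_executable_compilers "$1"
    fi
fi
```

Run it as `sh limit_compilers.sh /usr/bin` to list offending binaries and `sh limit_compilers.sh /usr/bin fix` to restrict them; in a real deployment you would first `chgrp` the binaries to a developers group so that authorized users keep access, and run the audit from configuration management so that a package upgrade that restores 755 permissions is noticed.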
Prophylactic Measures
Prophylactic measures are measures that prevent rootkits from being installed, even if an attacker
has superuser privileges. The challenge of creating prophylactic measures that work reliably despite
the fact that an attacker has control of the operating system on a compromised system is great;
it should thus come as no surprise that few such measures currently exist. Intrusion prevention
is a promising prophylactic measure.