IT-security in the Ubiquitous Computing World Chris Kuo, CISSP, CISA Acer eDC (e-Enabling Data Center) Acer Inc. 2007/3/27

2 Goals of Information Security Target of Protection: Data Goals of Protection: Confidentiality, Integrity and Availability of Data Integrity Availability Confidentiality Ensure the data is available and timely Ensure the data is not disclosed improperly Ensure the data is correct

3 Attacks on availability of PC Grid Enterprises may use PC grid to run complicated and critical applications where businesses rely on PC grid relies on the health of underlying PCs PC..... A virtualized computer using security mechanisms of authentication, digital signature, encryption, etc Critical AP

4 Emerging Client Security Issues (I) Client security becomes more important –In the past, security has been focused on perimeter (network devices) and servers –Performance and capacities of client machines are increasing –Client devices, such as NBs & PCs, are assuming greater roles in infrastructure as P2P and other emerging applications –Clients may contain vital information just as servers

5 Emerging Security Issues (II) Attack origins shift –Security deployment of client machines are often neglected Virus pattern not updated, AV software turned off, … –Client devices are easier than servers to hack More unprotected channels: via or web-browsing Loose security sense of device owners –Clients are becoming the target of more and more attacks (malware: Trojans, backdoors, …) –Client-originated outward communications are rarely blocked, and becomes the major channel for information leakages –Client-originated internal attacks are much more effective than direct external assaults

6 Detection & Removal Effort Malware Breakout Scenarios (A)Known virus due to faulty Anti-Virus (AV) software deployment (B)Virus variant incapable to remove variant version of virus by existing AV (C)New malware beyond the detection of any AV or IDS system malware: virus, backdoor (Trojan), spyware, bot, … Risk Low High Low High AV system AV Monitoring Anti-Malware Monitoring Virus Malware (A) known virus (B) virus variant (C) new malware

7 Targeted Phishing Mail Attacks Hacker VPN Firewall Intrusion Detection Authentication Critical info leakage PC User Social Engineering (Phishing Mail)

8 Phishing Mail Testing Results 1st test2nd test Number of tested persons 981 Number of mails for each person 10 Number of victims Ratio of Victims35%+25%+ Number of total test mails 9810 Successful mails Successful rate10%+5%+

9 Fail to Detect Malware

10 Detection & Removal Effort Defense Against Malware Risk Low High Low High AV system AV Monitoring Anti-Malware Monitoring Virus Malware (A) known virus (B) virus variant (C) new malwareCause: new malware cannot be detected by AV or IDS Phenomena: network congestion or system overload network congestion or system overload un-noticed information leak by backdoor un-noticed information leak by backdoor devices can be illegally controlled remotely devices can be illegally controlled remotelySolution: monitor network behavior to catch malware activities monitor network behavior to catch malware activities identify malware hosts identify malware hosts perform forensics on hosts perform forensics on hosts

11 Malware Detection Example(I) Set filtering rules and get interested events –Outbound connections for hosts in China and the connections were denied by firewall

12 Malware Detection Example(II) The Event Diagram shows suspicious hosts Inspect the hosts to get suspicious files

13 Malware Monitoring Information Source: Firewall –Firewall contains logs of all traffic transactions permitted or denied –Considerable resources and capabilities are required to effectively analyze firewall logs, “in real-time!” In Acer SOC, about 100M event per day! Network Behavior Model –By firewall logs, the legal/illegal network behavior model of a site may be constructed –Rules to allow or detect/alert network behavior must be established –Illegal behavior, once identified, must be alerted in the form of “security incidents” –Response team must address security incidents in specified time (under SLA) and perform forensic actions to understand the intrusion In 2006, Acer SOC uncovered >200 new malware!

14 Security Management Flow EventSources Workflow Layer  Case Assignment  Trouble Shooting  Resolution and Tracking Intelligence Layer  Analysis & Trend Tracking  Behavior Models  Automatic Case Creation Import Layer  Message Aggregation  Message Normalization FirewallVPNIDS/IPSAnti-VirusSwitch... Security Information Management System Operation Workflow System

15 Security Management Platform A system to monitor/manage customers A system worth 2M~3M US dollars A distributed PC grid may save money and management efforts

16 Summary Ubiquitous computing(like PC grid) has raised the importance of client devices Network behavior of client devices must be constructed to allow comprehensive view on security –Firewall logs is the sole source for the understanding of comprehensive network behavior –Network behavior is monitored in real-time via SOC operations Existing AV systems, along with SOC, are part of defense infrastructure Defense weaponry –AV system: to detect any known virus events –AV monitoring: collecting AV event messages from AV server –Anti-malware monitoring: collecting firewall logs Grid computing has the potential to be used in security information management

17 Q&A