
Streeterville Group M. Aghajanian, M. Blackburn, T. Heller Defending Against Users Executing Malware Code via Email.


1 Streeterville Group M. Aghajanian, M. Blackburn, T. Heller Defending Against Users Executing Malware Code via Email

2 Case of Confounded Confections, Inc.: Introduction
Ultra-secure network to protect their sweet secrets:
1. Enterprise firewalls.
2. Only necessary services, with required authentication.
3. Tightly managed systems.
Anomalies begin to appear. The CIO wants to know...

3 Investigation Why?!

4 Quick Review: Risk Analysis
- Risk analysis (quantitative)
- Policy design
- Prevention
- Response or countermeasures
- Implementation
- Control
- Rinse and repeat...

5 Classifications (Risk Analysis)
- State of hosts: susceptible, infected, quarantined, recovered, transmitted, and healthy.
- Size of host population: small (binomial), large (Poisson).
- Diversity of hosts (mix of operating systems).
- Weight of susceptibility.
- Weight of business value.

7 General Cost of Malware (Risk Analysis)
Paradigm shift to more indirect costs than direct costs overall.
Largest expenses:
- Staff hours for support.
- Staff hours from downtime.
- Hardware, software, vendor support and IT training.
- Legal, human resources, and training.

8 Design Solutions (Prevention at the Edge and Perimeter)
- Layered schema for malware detection.
- Prevention by inspection at various points at the edge and perimeter.
- ClamAV (open source hardware solution)
- Microsoft perspective (proprietary software solution)
- Future approaches at the edge or perimeter (next sections)

9 Layered Protection Microsoft Approach

10 Exploitations (Responding to User Actions: Clicking on Links)
Drive-By Downloads
- Exploit browser vulnerabilities.
  - JavaScript/ECMAScript
  - Content parsing
- Exploit vulnerabilities in browser add-ons.
  - Flash
  - Adobe Reader
  - Java

11 Countermeasures (Responding to User Actions: Clicking on Links)
DNS Blacklisting
- Used by spam filtering software.
- Repurposed to everyday DNS.
- Prevents access to sites known to host malware.
- 11.25¢ per user/year.
SSL Proxy with malcode detection
- Prevents all malcode delivery,
- Including within encrypted sessions.
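The decision a DNS blocklist resolver makes for a clicked link, as an added example that is not part of the original presentation: the hostname and each parent zone are checked against the list, the way a response-policy wildcard entry would cover subdomains. The blocklist domains are constructed placeholders, not real indicators.

```python
from typing import List
from urllib.parse import urlsplit

# Constructed blocklist of domains "known to host malware" (placeholders, not real IoCs).
MALWARE_DOMAINS = {"bad.example", "drop.example.net"}


def parent_domains(host: str) -> List[str]:
    """Return host and every parent zone except the bare TLD, most specific first."""
    labels = host.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def dns_blocked(host: str) -> bool:
    """True if the host or any parent zone is listed (wildcard-style coverage)."""
    return any(domain in MALWARE_DOMAINS for domain in parent_domains(host))


def link_allowed(url: str) -> bool:
    """Policy decision for a link a user clicked in an email: resolve or refuse."""
    host = urlsplit(url).hostname or ""
    return not dns_blocked(host)


if __name__ == "__main__":
    for link in ("http://www.bad.example/invoice.pdf", "https://docs.example.org/"):
        print(link, "allowed" if link_allowed(link) else "blocked")
```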

12 Prevention—Human Factor (Responding to User Actions: Clicking on Links)
User Training
- Detect suspicious emails.
- Close the browser if concerned.
Acceptable Use Policy
- Discourage promiscuous behavior.
- "Scare tactic" heightens the stakes.
Ongoing Communication
- Ongoing remediation costs = foregone benefits.
- Reinforce desired behavior.

13 Mitigation—Technical Approaches (Responding to User Actions: Clicking on Links)
Application Selection
- Remove Adobe Reader: 55% of all attacks.
- Remove IE6: 5% of all attacks.
Update Policies
- Use Microsoft Group Policy
  - Update MS products automatically.
- Communicate with and inform users.
- Perform software audits.
  - Not feasible in decentralized networks.

14 Mitigation—Human Factor (Responding to User Actions: Clicking on Links)
User cooperation
- Accept new updates.
- Don't install unknown plugins.
Vendor support
- Push updates to all clients.
- Centralized patch-level monitoring.
- Create vendor compliance standards.

15 Antivirus Signatures (Responding to User Actions: Opening Attachments)
- Typical approach
  - Bit-by-bit signatures (a.k.a. "hash")
- New approach
  - Behavioral signatures
- Influence
  - Script kiddies
- Policy and enforcement
  - Additional software may be required
  - Performance hit
  - Instrumentation, legacy systems
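The contrast between the two signature styles on this slide, as an added example that is not from the original presentation: a whole-file hash catches only the exact sample it was taken from, while a behavioral rule over actions observed in a sandbox catches a trivially modified variant too (at the cost of having to run the attachment). The sample bytes, trace events and rule names are all constructed for illustration.

```python
import hashlib
from typing import Dict, List, Set

# Constructed stand-ins for an attachment and a re-packed variant (not real malware).
KNOWN_BAD = b"dropper v1: copy self to Startup, spawn cmd, beacon out"
VARIANT = KNOWN_BAD.replace(b"v1", b"v2")  # a tiny change to the bytes

# Typical approach: bit-by-bit signature, i.e. a hash of the whole file.
HASH_BLOCKLIST: Set[str] = {hashlib.sha256(KNOWN_BAD).hexdigest()}


def hash_match(sample: bytes) -> bool:
    """Exact-match detection: only the byte-identical sample is caught."""
    return hashlib.sha256(sample).hexdigest() in HASH_BLOCKLIST


# New approach: behavioral signature. A rule names the set of actions that must
# all appear in a sandbox trace, regardless of what the file bytes look like.
BEHAVIOR_RULES: Dict[str, Set[str]] = {
    "startup-persistence + shell + beacon": {"write:Startup", "spawn:cmd.exe", "net:outbound"},
}


def behavior_match(trace: List[str]) -> List[str]:
    """Return the names of every rule whose required actions all occur in the trace."""
    seen = set(trace)
    return [name for name, needed in BEHAVIOR_RULES.items() if needed <= seen]


# Constructed sandbox traces: both variants behave the same, a document viewer does not.
TRACE_V1 = ["open:self", "write:Startup", "spawn:cmd.exe", "net:outbound"]
TRACE_V2 = ["open:self", "sleep:30", "write:Startup", "spawn:cmd.exe", "net:outbound"]
TRACE_BENIGN = ["open:document.pdf", "render:page1"]

if __name__ == "__main__":
    print("hash: v1", hash_match(KNOWN_BAD), "/ v2", hash_match(VARIANT))
    print("behavior: v1", behavior_match(TRACE_V1), "/ v2", behavior_match(TRACE_V2))
```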

16 Policies and Enforcement (Responding to User Actions: Opening Attachments)
Antivirus/OS update policies and procedures
- Responses to malware/vulnerabilities, a.k.a. patches.
- Admins: greater freedom/power, or computer security?
- If users choose when to update...
- If admins choose when to update...
- "Managed" antivirus software
  - Shows who is doing what: privacy issues.
Distributed Support System
- Typical of universities.
- Policies and enforcement left to non-IT personnel.

17 OS Countermeasures (Responding to User Actions: Opening Attachments)
User privilege management
- Usually centralized.
  - Environment and staff affect leniency.
  - A research environment requires more user privileges.
  - Less IT staff requires more user privileges.
  - Requirements, reactions & risk.
  - Users have different tasks, downtime, and productivity requirements.
Vendor/Instrumentation/Legacy computers
- Limited support, no software patching (vendor not liable).
- Various versions of antivirus software.
- User POV
  - Updating is confusing and lengthy; slower computer and system reboot.

18 Execution and Service Management (Responding to User Actions: Opening Attachments)
OSs require password authorization before execution
- Protects against "accidentally" installing unwanted software.
- Users can enter the password and move on.
DEP & ASLR
- Windows XP SP2, Mac OS X.
- Effective as an individual solution.
- Exploits written for IE8 and Firefox (Mac & Win).
- Defense-in-depth: makes exploits slower.
  - Layering defenses: more obstacles, more opportunities.

19 Future Approaches (Responding to User Actions: Opening Attachments)
Network-level sandbox
- Users are adept at waiting for emails.
Deep-scanning email clients
- Number of cores/CPUs growing; privacy issues.
Research: extent of malware coders sharing/upgrading malware
Executable signatures
Non-IT Policies
- High-level policies (HIPAA, SOX)
  - Cause more IT support funding and detail.
  - Force everyone to abide (legal consequences).
Northwestern University
- Proactive policies, training.

