Defense-in-Depth Against Malicious Software Rick Claus / Bruce Cowper IT Pro Advisors Microsoft Canada.

Presentation transcript:

1 Defense-in-Depth Against Malicious Software
Rick Claus / Bruce Cowper, IT Pro Advisors, Microsoft Canada

2 Session Prerequisites
- Hands-on experience with Microsoft Windows Server and Active Directory
- Basic understanding of network security fundamentals
- Basic understanding of concepts related to malicious software
Level 200

3 Session Overview
- Understanding the Characteristics of Malicious Software
- Malware Defense-in-Depth
- Malware Defense for Client Computers
- Malware Defense for Servers
- Network-Based Malware Defense
- Malware Outbreak Control and Recovery

4 Section: Understanding the Characteristics of Malicious Software

5 Malicious Software: Identifying Challenges to an Organization
Malware: a collection of software developed to intentionally perform malicious tasks on a computer system.
Feedback from IT and security professionals includes:
- “The users executed the attachment from their e-mail even though we’ve told them again and again that they aren’t supposed to.”
- “The antivirus software should have caught this, but the signature for this virus hadn’t been installed yet.”
- “We didn’t know our servers needed to be updated.”
- “This never should have made it through our firewall; we didn’t even realize those ports could be attacked.”

6 Understanding Malware Attack Techniques
Common malware attack techniques include:
- Social engineering
- Backdoor creation
- E-mail address theft
- Embedded e-mail engines
- Exploiting product vulnerabilities
- Exploiting new Internet technologies

7 Understanding the Vulnerability Timeline
Timeline labels (as extracted from the diagram): Product shipped; Vulnerability discovered; Update made available; Update deployed by customer; Vulnerability disclosed.
Callout on the timeline: “Most attacks occur here”

8 Understanding the Exploit Timeline
Timeline labels (as extracted from the diagram): Product shipped; Vulnerability discovered; Update made available; Update deployed by customer; Vulnerability disclosed; Exploit.
Callout on the timeline: “Days between update and exploit have decreased”

9 Identifying Common Malware Defense Methods
Malware attack: defense methods
- Mydoom: Block port 1034; Update antivirus signatures; Implement application security
- Sasser: Block ports 445, 5554, and 9996; Install the latest security update
- Blaster: Install the latest security update; Block TCP ports 135, 139, 445, and 593 and UDP ports 135, 137, and 138; also block UDP port 69 (TFTP) and TCP port 4444 (remote command shell); Update antivirus signatures
- SQL Slammer: Install the latest security update; Block UDP port 1434
- Download.Ject: Install the latest security update; Increase security on the Local Machine zone in Internet Explorer; Clean any infections related to IIS

10 Malware Defense: Best Practices
- Stay informed
- Implement application security
- Restrict local administration rights
- Implement security and antivirus update management
- Implement firewall protection

11 Section: Malware Defense-in-Depth

12 What Is Defense-in-Depth?
Using a layered approach:
- Increases an attacker’s risk of detection
- Reduces an attacker’s chance of success
Layers, from outermost to innermost, with example controls:
- Policies, procedures, and awareness: security policies, procedures, and education
- Physical security: guards, locks, tracking devices
- Perimeter: firewalls, border routers, VPNs with quarantine procedures
- Internal network: network segments, IPSec, NIDS
- Host: OS hardening, authentication, update management, antivirus updates, auditing
- Application: application hardening
- Data: strong passwords, ACLs, encryption, EFS, backup and restore strategy

13 Applying Defense-in-Depth to Malware Defense
- Policies, procedures, and awareness
- Physical security
- Network defenses: Perimeter; Internal network
- Client defenses: Host; Application; Data
- Server defenses: Host; Application; Data

14 Implementing Host Protection Policies, Procedures, and Awareness
Recommended policies and procedures include:
Host protection defense policies:
- Scanning policy
- Signature update policy
- Allowed application policy
Network defense policies:
- Change control
- Network monitoring
- Attack detection
- Home computer access
- Visitor access
- Wireless network policy
Security update policy:
1. Assess environment to be updated
2. Identify new updates
3. Evaluate and plan update deployment
4. Deploy the updates

15 Implementing Physical Security and Antivirus Defense
Elements of an effective physical defense plan include:
- Server computers
- Network access points
- Premises security
- Personnel security
- Mobile computers and devices
- Workstation computers

16 Section: Malware Defense for Client Computers

17 Protecting Client Computers: What Are the Challenges?
Challenges related to protecting client computers include:
Data challenges:
- Implementing data storage policies
- Implementing data security
- Regulatory compliance
Application challenges:
- Controlling application usage
- Secure application configuration settings
- Maintaining application security updates
Host challenges:
- Maintaining security updates
- Maintaining antivirus software
- Implementing a personal firewall

18 Implementing Client-Based Malware Defense
Steps to implement a client-based defense include:
1. Reduce the attack surface
2. Apply security updates
3. Enable a host-based firewall
4. Install antivirus software
5. Test with configuration scanners
6. Use least-privilege policies
7. Restrict unauthorized applications

19 Choosing an Update Management Solution for Malware Defense
Customer type, scenario: solution
- Consumer, all scenarios: Windows Update
- Small organization, has no Windows servers: Windows Update
- Small organization, has at least one Windows 2000 or newer server and one IT administrator: MBSA and SUS
- Medium-sized or large enterprise, wants an update management solution with a basic level of control that updates Windows 2000 and newer versions of Windows: MBSA and SUS
- Medium-sized or large enterprise, wants a single flexible update management solution with an extended level of control to update and distribute all software: SMS

20 Understanding the Benefits of Software Update Services
- Gives administrators basic control over update management
- Administrators can review, test, and approve updates before deployment
- Simplifies and automates key aspects of the update management process
- Can be used with Group Policy, but Group Policy is not required to use SUS
- Easy to implement
- Free tool from Microsoft

21 SUS—How It Works
Diagram components: Internet; Windows Update; parent SUS server; child SUS server; client computers.

22 Demonstration 1: Configuring Software Update Services to Deploy Security Updates
- Configure Software Update Services to deploy security updates
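The client side of the update deployment that slides 19 to 22 describe, as an added example that is not part of the session: a PowerShell script (a tool that did not exist when the session was given) that points a Windows client at an internal update server by writing the Automatic Updates policy values that SUS and WSUS clients read from the registry. In a domain, the Windows Update Group Policy template writes these same values; the script covers the case from slide 20 where Group Policy is not in use. The server URL is a placeholder, the function names are mine, and the key and value names are those of the Automatic Updates client as I know them, not taken from the slides.

```powershell
# Added example, not from the session. Run as Administrator.
# Policy location read by the Automatic Updates client (assumed from the WSUS/SUS client
# documentation, not from the slides).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'

function Set-InternalUpdateServer {
    param(
        [Parameter(Mandatory)][string]$ServerUrl,   # placeholder, e.g. http://sus01.corp.example
        [int]$InstallDay  = 0,                      # 0 = every day
        [int]$InstallHour = 3                       # 03:00 local time
    )
    foreach ($k in $PolicyKey, $AuKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    # Where the client fetches approved updates and where it reports status
    Set-ItemProperty -Path $PolicyKey -Name WUServer       -Value $ServerUrl -Type String
    Set-ItemProperty -Path $PolicyKey -Name WUStatusServer -Value $ServerUrl -Type String
    # Use the internal server instead of the public Windows Update site
    Set-ItemProperty -Path $AuKey -Name UseWUServer  -Value 1 -Type DWord
    Set-ItemProperty -Path $AuKey -Name NoAutoUpdate -Value 0 -Type DWord
    # AUOptions 4 = download automatically and install on the schedule below,
    # so a tested and approved update reaches every client without user action
    Set-ItemProperty -Path $AuKey -Name AUOptions            -Value 4 -Type DWord
    Set-ItemProperty -Path $AuKey -Name ScheduledInstallDay  -Value $InstallDay  -Type DWord
    Set-ItemProperty -Path $AuKey -Name ScheduledInstallTime -Value $InstallHour -Type DWord
}

function Get-InternalUpdateServer {
    # Read the effective values back so a deployment script can verify them
    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey     -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
        AUOptions      = $au.AUOptions
    }
}

Set-InternalUpdateServer -ServerUrl 'http://sus01.corp.example'
Get-InternalUpdateServer
```

The verification function is the part worth keeping: a client that still shows UseWUServer missing or 0 is fetching from the public site and bypassing the review, test and approve step that slide 20 lists as the point of running SUS.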

23 Configuring Applications to Protect Client Computers
Applications that may be malware targets include:
- E-mail client applications
- Desktop applications
- Instant messaging applications
- Web browsers
- Peer-to-peer applications

24 Managing Internet Explorer Browser Security
Security feature: description
- MIME security improvements: consistency checks; stricter rules
- Better security management: add-on control and management features; better prompts; new script-initiated windows restrictions
- Local Machine zone: ability to control security in the Local Machine zone
- Feature Control Security Zone settings: MIME sniffing; security elevation; windows restriction
- Group Policy settings: administrative control for feature control security zones

25 Demonstration 2: Configuring Client-Based Applications
- Configure client applications to defend against malware

26 Blocking Unauthorized Applications with Software Restriction Policies
Software restriction policies:
Can be set to:
- Unrestricted
- Disallowed
Can be applied to the following rules:
- Hash
- Certificate
- Path
- Zone
Can be used to:
- Fight viruses
- Control ActiveX downloads
- Run only signed scripts
- Ensure approved software is installed
- Lock down a computer
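To show how the four rule types on this slide combine when more than one matches a file, here is an added PowerShell example that is not from the session. It models software restriction policy evaluation against constructed rules and file records, applying the documented precedence: hash rules first, then certificate, then path, then Internet zone, with the most specific path rule winning among path rules and the default level applying when nothing matches. The rule set, hash values, signer names and paths are constructed sample data, and the function name Get-SrpLevel is mine.

```powershell
# Added example, not from the session: an evaluator for SRP rule precedence.
# Policy and rules below are constructed sample data.
$DefaultLevel = 'Disallowed'          # the "lock down a computer" posture

$Rules = @(
    @{ Type = 'Path';        Level = 'Unrestricted'; Match = 'C:\Program Files\' }
    @{ Type = 'Path';        Level = 'Unrestricted'; Match = 'C:\Windows\' }
    @{ Type = 'Path';        Level = 'Disallowed';   Match = 'C:\Program Files\Untrusted\' }
    @{ Type = 'Hash';        Level = 'Disallowed';   Match = 'aaaa1111' }   # constructed hash value
    @{ Type = 'Certificate'; Level = 'Unrestricted'; Match = 'CN=Contoso Software' }
    @{ Type = 'Zone';        Level = 'Disallowed';   Match = 'Internet' }
)

# Rule-type precedence: lower rank is consulted first
$TypeRank = @{ Hash = 0; Certificate = 1; Path = 2; Zone = 3 }

function Get-SrpLevel {
    param(
        [Parameter(Mandatory)][hashtable]$File,   # keys: Path, Hash, Signer, Zone
        [hashtable[]]$Policy = $Rules,
        [string]$Default = $DefaultLevel
    )
    # Collect every rule that matches the file
    $matched = foreach ($r in $Policy) {
        $hit = switch ($r.Type) {
            'Hash'        { $File.Hash   -and ($File.Hash   -eq $r.Match) }
            'Certificate' { $File.Signer -and ($File.Signer -eq $r.Match) }
            'Path'        { $File.Path.StartsWith($r.Match, [System.StringComparison]::OrdinalIgnoreCase) }
            'Zone'        { $File.Zone   -and ($File.Zone   -eq $r.Match) }
        }
        if ($hit) { $r }
    }
    if (-not $matched) { return [pscustomobject]@{ Level = $Default; Rule = 'default level' } }
    # Most specific rule wins: by rule type first, then the longest path among path rules
    $best = $matched |
        Sort-Object @{ Expression = { $TypeRank[$_.Type] } },
                    @{ Expression = { $_.Match.Length }; Descending = $true } |
        Select-Object -First 1
    [pscustomobject]@{ Level = $best.Level; Rule = "$($best.Type) rule $($best.Match)" }
}

# Constructed sample files
$Samples = @(
    @{ Path = 'C:\Program Files\Contoso\app.exe';    Hash = 'bbbb2222'; Signer = $null;                 Zone = $null }
    @{ Path = 'C:\Program Files\Untrusted\tool.exe'; Hash = 'cccc3333'; Signer = $null;                 Zone = $null }
    @{ Path = 'C:\Program Files\Contoso\bad.exe';    Hash = 'aaaa1111'; Signer = $null;                 Zone = $null }
    @{ Path = 'C:\Users\Alice\Downloads\setup.exe';  Hash = 'dddd4444'; Signer = 'CN=Contoso Software'; Zone = 'Internet' }
    @{ Path = 'C:\Users\Alice\Downloads\game.exe';   Hash = 'eeee5555'; Signer = $null;                 Zone = 'Internet' }
)
foreach ($s in $Samples) {
    $v = Get-SrpLevel -File $s
    '{0,-42} {1,-12} via {2}' -f $s.Path, $v.Level, $v.Rule
}
```

Working through the samples: app.exe is allowed by the Program Files path rule; tool.exe matches two path rules and the longer, Disallowed one wins; bad.exe sits in an allowed folder but its hash rule outranks the path rule, so it is blocked; setup.exe is both signed by the trusted publisher and from the Internet zone, and the certificate rule outranks the zone rule; game.exe has only the zone rule and is blocked. A Disallowed default with a few Unrestricted path rules for the OS and application folders is the "ensure approved software is installed" configuration the slide lists, and a hash rule is how an administrator blocks one specific binary inside an otherwise trusted folder.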

27 New Security Features in Windows Firewall
- On by default
- Boot-time security
- Global configuration and restore defaults
- Local subnet restrictions
- Command-line support
- On with no exceptions
- Windows Firewall exceptions list
- Multiple profiles
- RPC support
- Unattended setup support

28 Configuring Windows Firewall for Antivirus Defense
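As an added example that is not from the session, the following PowerShell applies the port-block advice from slide 9 (Mydoom, Sasser, Blaster, SQL Slammer) as inbound Windows Firewall rules and turns the firewall on with logging of dropped packets. It uses the NetSecurity cmdlets of Windows 8 / Server 2012 and later rather than the netsh syntax of the session's era; the rule names and the log path are mine, the port list is the slide's. It is intended for workstations: blocking 135, 139 and 445 inbound on a file server or domain controller cuts off legitimate SMB and RPC clients, so servers need the role-based consideration that slide 36 calls for.

```powershell
# Added example, not from the session. Run as Administrator on a workstation.
# Port list taken from the "Identifying Common Malware Defense Methods" slide, by protocol.
$WormPorts = @{
    TCP = @(135, 139, 445, 593, 1034, 4444, 5554, 9996)
    UDP = @(69, 135, 137, 138, 1434)
}

function Add-WormPortBlockRules {
    param([string]$RulePrefix = 'Malware-Defense')   # rule name prefix is mine
    foreach ($proto in $WormPorts.Keys) {
        $name = "$RulePrefix Block Inbound $proto"
        # Idempotent: replace an existing rule of the same name rather than duplicating it
        Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
            Remove-NetFirewallRule
        New-NetFirewallRule -DisplayName $name `
            -Direction Inbound -Action Block -Enabled True `
            -Protocol $proto -LocalPort $WormPorts[$proto] `
            -Profile Any | Out-Null
    }
}

function Enable-FirewallWithLogging {
    # "On by default" posture from the Windows Firewall slide: enabled on every profile,
    # inbound blocked unless a rule allows it, and dropped packets logged so that the
    # network monitoring policy from slide 14 has something to read
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -Enabled True -DefaultInboundAction Block `
        -LogBlocked True `
        -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
}

function Get-WormPortBlockRules {
    param([string]$RulePrefix = 'Malware-Defense')
    # Report what is actually in place, for a configuration scanner or an audit
    Get-NetFirewallRule -DisplayName "$RulePrefix*" | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Protocol  = $pf.Protocol
            LocalPort = ($pf.LocalPort -join ',')
            Action    = $_.Action
            Enabled   = $_.Enabled
        }
    }
}

Enable-FirewallWithLogging
Add-WormPortBlockRules
Get-WormPortBlockRules
```

The explicit block rules are belt-and-braces on top of the default inbound block: they keep the worm ports closed even if someone later adds a broad allow rule or an application exception, which is the situation the slide's "we didn't even realize those ports could be attacked" quote describes.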

29 Protecting Client Computers: Best Practices
- Identify threats within the host, application, and data layers of the defense-in-depth strategy
- Implement software restriction policies to control applications
- Implement an effective security update management policy
- Implement an effective antivirus management policy
- Use Active Directory Group Policy to manage application security requirements

30 Section: Malware Defense for Servers

31 Protecting Servers: What Are the Challenges?
Challenges to protecting servers include:
- Maintaining reliability and performance
- Maintaining security updates
- Maintaining antivirus updates
- Applying specialized defense solutions based upon server role

32 What Is Server-Based Malware Defense?
Basic steps to defend servers against malware include:
- Reduce the attack surface
- Analyze using configuration scanners
- Enable a host-based firewall
- Apply security updates
- Analyze port information

33 Implementing Server-Based Host Protection Software
Considerations when implementing server-based antivirus software include:
- CPU utilization during scanning
- Application reliability
- Management overhead
- Application interoperability

34 Protecting Server-Based Applications
Applications that typically have specialized host protection implementations include (application: example):
- Web servers: Internet Information Services (IIS)
- Messaging servers: Microsoft Exchange 2003
- Database servers: Microsoft SQL Server 2000
- Collaboration servers: Microsoft SharePoint Portal Server 2003

35 Demonstration 3: Using ISA Server 2004 SMTP Message Screener
- Implement the SMTP message screener

36 Protecting Servers: Best Practices
- Consider each server role implemented in your organization to implement specific host protection solutions
- Stage all updates through a test environment before releasing into production
- Deploy regular security and antivirus updates as required
- Implement a self-managed host protection solution to decrease management costs

37 Section: Network-Based Malware Defense

38 Protecting the Network: What Are the Challenges?
Challenges related to protecting the network layer include:
- Balance between security and usability
- Lack of network-based detection or monitoring for attacks

39 Implementing Network-Based Intrusion-Detection Systems
Important points to note:
- Network-based intrusion-detection systems are only as good as the process that is followed once an intrusion is detected
- ISA Server 2004 provides network-based intrusion-detection abilities
Diagram callout: a network-based intrusion-detection system provides rapid detection and reporting of external malware attacks

40 Implementing Application Layer Filtering
Application layer filtering includes the following:
- Web browsing and e-mail can be scanned to ensure that content specific to each does not contain illegitimate data
- Deep content analysis, including the ability to detect, inspect, and validate traffic using any port and protocol

41 Demonstration 4: Implementing Filtering with ISA Server 2004
- Implement filtering with ISA Server 2004

42 Understanding Quarantine Networks
Standard features of a quarantine network include:
- Typically restricted or blocked from gaining access to internal resources
- Provides a level of connectivity that allows temporary visitors’ computers to work productively without risking the security of the internal network
- Currently only available for VPN remote access solutions

43 Protecting the Network: Best Practices
- Have a proactive antivirus response team monitoring early warning sites such as antivirus vendor Web sites
- Have an incident response plan
- Implement automated monitoring and report policies
- Implement ISA Server 2004 to provide intrusion-detection capabilities

44 Section: Malware Outbreak Control and Recovery

45 How to Confirm the Malware Outbreak
The process for infection confirmation includes:
- Reporting unusual activity
- Gathering the basic information
- Evaluating the data
- Gathering the details
- Responding to unusual activity
Questions the process must answer: False alarm? Hoax? Known infection? New infection?

46 How to Respond to a Malware Outbreak
Outbreak control mechanism tasks include:
- Disconnect the compromised systems from the network
- Isolate the network(s) containing the infected hosts
- Disconnect the network from all external networks
- Research outbreak control and cleanup techniques
Examples of recovery goals include:
- Minimal disruption to the organization’s business
- Fastest possible recovery time
- The capture of information to support prosecution
- The capture of information to allow for additional security measures to be developed
- Prevention of further attacks of this type

47 How to Analyze the Malware Outbreak
The following analysis tasks help you to understand the nature of the outbreak:
- Checking for active processes and services
- Checking the startup folders
- Checking for scheduled applications
- Analyzing the local registry
- Checking for corrupted files
- Checking users and groups
- Checking for shared folders
- Checking for open network ports
- Checking and exporting system event logs
- Running MSCONFIG
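The analysis tasks on this slide, collected in one pass: an added PowerShell example that is not from the session, which gathers each item (processes, services, startup folders and Run keys, scheduled tasks, local users and administrators, shares, listening ports with their owning process, exported event logs, and a system file integrity check) from a suspect Windows host into a single folder and hashes the results so they can be shown unaltered later. It only collects; cleaning belongs to the recovery step on the next slide. The cmdlet set assumes Windows 8 / Server 2012 or later, the output path and function name are mine, and the slide's MSCONFIG is represented by its underlying data sources (the Startup folders and Run keys).

```powershell
# Added example, not from the session. Run as Administrator on the suspect host,
# preferably from a clean administrative workstation via Invoke-Command.
function Export-OutbreakTriage {
    param([string]$OutDir = "C:\Triage\$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd-HHmmss)")  # placeholder path
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # Active processes and services
    Get-Process | Select-Object Id, ProcessName, Path, Company |
        Export-Csv (Join-Path $OutDir 'processes.csv') -NoTypeInformation
    Get-Service | Select-Object Name, DisplayName, Status, StartType |
        Export-Csv (Join-Path $OutDir 'services.csv') -NoTypeInformation

    # Startup folders and Run/RunOnce keys (what MSCONFIG shows under Startup)
    $startup = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
                 "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup")
    Get-ChildItem -Path $startup -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTime |
        Export-Csv (Join-Path $OutDir 'startup-folders.csv') -NoTypeInformation
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runKeyLines = foreach ($k in $runKeys) {
        if (Test-Path $k) {
            foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
                if ($p.Name -notlike 'PS*') { "$k`t$($p.Name)`t$($p.Value)" }   # skip provider metadata
            }
        }
    }
    Set-Content -Path (Join-Path $OutDir 'run-keys.tsv') -Value @($runKeyLines)

    # Scheduled applications, with what each task executes
    Get-ScheduledTask | Where-Object State -ne 'Disabled' |
        Select-Object TaskPath, TaskName, State,
            @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } } |
        Export-Csv (Join-Path $OutDir 'scheduled-tasks.csv') -NoTypeInformation

    # Users, groups and shares
    Get-LocalUser | Select-Object Name, Enabled, LastLogon |
        Export-Csv (Join-Path $OutDir 'local-users.csv') -NoTypeInformation
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource |
        Export-Csv (Join-Path $OutDir 'local-admins.csv') -NoTypeInformation
    Get-SmbShare | Select-Object Name, Path, Description |
        Export-Csv (Join-Path $OutDir 'shares.csv') -NoTypeInformation

    # Open network ports, resolved to the owning process
    Get-NetTCPConnection -State Listen |
        Select-Object LocalAddress, LocalPort, OwningProcess,
            @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
        Export-Csv (Join-Path $OutDir 'listening-tcp.csv') -NoTypeInformation

    # Event logs exported intact (.evtx) for analysis off the box
    foreach ($log in 'System', 'Security', 'Application') {
        wevtutil epl $log (Join-Path $OutDir "$log.evtx")
    }

    # Protected system file integrity: the "corrupted files" check
    sfc /verifyonly | Out-File (Join-Path $OutDir 'sfc-verifyonly.txt')

    # Hash the collection so its integrity can be demonstrated later
    Get-ChildItem $OutDir -File | Get-FileHash -Algorithm SHA256 |
        Export-Csv (Join-Path $OutDir 'manifest-sha256.csv') -NoTypeInformation
    return $OutDir
}

Export-OutbreakTriage
```

Copy the output folder off the host before any cleaning, and compare the manifest hashes after the copy. The slide's note that detection is only as good as the process that follows applies here too: the collected CSVs are the input to the evaluation step on slide 45 (false alarm, hoax, known or new infection), and the listening-port list is the first thing to check against the port table on slide 9.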

48 How to Recover from a Malware Outbreak
Use the following process to recover from a virus outbreak (the steps are numbered on the original slide; the numbering did not survive extraction, so the order below follows the extracted text):
- Restore missing or corrupt data
- Remove or clean infected files
- Reconnect your computer systems to the network
- Confirm that your computer systems are free of malware

49 How to Perform a Postrecovery Analysis
Postrecovery analysis steps include the following:
- Postattack review meeting
- Postattack updates

50 Session Summary
- Understanding malware will help you to implement an effective defense against malware attacks
- Use a defense-in-depth approach to defend against malware
- Harden client computers by applying security updates, installing and maintaining an antivirus software strategy, and restricting computers using Group Policy
- Stage all updates through a test server before implementing into production, in order to minimize disruption
- ISA Server 2004 can be used to implement network defenses, such as application layer filtering, message screening, and network quarantine
- An efficient response and recovery plan will ensure that if a malware attack occurs, your organization can quickly recover with minimal disruption

51 Next Steps
- Microsoft TechNet Canada: http://www.microsoft.ca/technet
- Find additional security training events: http://www.microsoft.com/seminar/events/security.mspx
- Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx
- Order the Security Guidance Kit: http://www.microsoft.com/security/guidance/order/default.mspx
- Get additional security tools and content: http://www.microsoft.com/security/guidance

52 Questions and Answers
Team blogs: http://blogs.msdn.com/brucecowper and http://blogs.msdn.com/rclaus

