
Fermilab, Computer Security Awareness Day, September 29, 2009


Slide 1 (title slide): Fermilab, Computer Security Awareness Day, September 29, 2009

Slide 2: Why are we here?
- Current environment
- How are machines getting infected?
- Improvements (timeline)
- Weekly AV scan changes
- What is TIssue?
- AV Notice
- TIssue Detector
- Rebuilds vs fixes
- AV service enhancements
- Help us to help you
- Blocked? Getting help...
- Questions?

Slide 3
- AV protection for ~3000 Windows systems
- Volume of AV notices via email
  - ~1000 per month
    - A single machine can generate several notices
    - Too many for any one person to filter by hand
  - Manual response
    - Can be unreliable
    - No priority
- No official procedures prior to May 2009
- Tune IT Up requirement

Slide 4
- Symantec AV Corporate Edition 10
  - multiple parent servers to support Fermilab
  - servers report into a central AV report server
  - system is configured to download and advertise new signature files every 15 minutes
    - if away from the lab: clients are configured to download new signature files from Symantec once a day
  - clients are configured to perform a full scan once a week (most are set for Tuesday 2 AM)
  - clients use heuristics in addition to the standard signature-based real-time protection

Slide 5
- AV alone cannot cover all malware
  - Malware is being written at a high rate, a challenge for AV manufacturers to keep up with
  - Now needed: antivirus, antispyware, firewall, intrusion prevention, device and application control
  - Local admin permissions
    - Domain and local accounts
  - USB devices
    - Autorun and Autoplay can allow malware to run
  - Web browsing
    - Business-need web browsing
    - Non-business casual web browsing

Slide 6 (diagram): normal web surfing -> malware runs in memory -> malware requests a rootkit from the cloud -> attempt to write the rootkit to the file system; AV performs its real-time file scan only after the file is closed.

Slide 7
- Web proxy server
  - Applied to 98% of the network subnets at the lab
- Disable Autorun
  - prevents malware from auto-running on USB device insertion
- Restricting web access via domain
  - Applies to machines with critical business needs
- Restore points: 2 options
  - disable restore to remove malware, then re-enable
  - rebuild
- Weekly AV scan changes (next slide)

Slide 8
- Scans may be postponed four times
  - instead of being cancelled
- Tested the new setting for several weeks with no problems
- Staged rollout through the end of the year

Slide 9
- Tracking Issue (TIssue) workflow system
  - Strong Authentication violations
  - OS patching levels
  - Network inventory
  - Antivirus notices
- Monitors the central logging repository
  - Blocks are issued based on parameter settings

Slide 10
- Registered system administrators will get notified
- Issue must be properly remediated or the system will be blocked
- You will be blocked again if the problem is not actually fixed

Slide 11: sample TIssue AV notice email

    This email is automatically generated, do not reply.

    The system listed below is registered to you as a sysadmin. A network block for this system (described below) has been requested by Computer Security. Please visit:
    https://nimisrva.fnal.gov/WF/TIssue/event_mgr/displayRemediationForm?machine_id=34754
    to view more details about the vulnerability found and to enter the action taken to fix the vulnerability.

    Note: If this event is not remediated, the system will be blocked from network access at None

    Here is a description of the host/sms check:
    IP Address: 131.225.xx.xx
    MAC Address: 00:00:00:00:00:00
    Node name: xxxxxxxxx
    Affiliation: xx/xx/xxx/xxxxxxxxxxxxxxxxx
    Last found: 2009-09-22 13:08:41
    Issue: Virus Found (Blocking Event)
    Additional Info: Class/Action/Location trigger: Host:xxxxxxxxxxxx IP:131.225.xx.xx USER:xxxxxxxxx
    Class/Action/Location triggers: Infostealer=Security Update for OS Microsoft Windows>>KB390496.exe (Cleaned by Deletion )

    THIS IS A BLOCK EVENT. If you experience difficulties resolving this issue or require additional assistance, please contact the FNAL Service Desk (x2345) to open a ticket to be routed to your local desktop or server support group.

Slide 12
- Previously each notice was manually reviewed
- Now automated: virus notices are sorted and filtered
  - Notices that require follow-up are flagged
    - All other AV notices are ignored
  - Started by using criteria that matched our current AV experience
  - Criteria changes will be made from a Windows Policy Committee proposal vote

Slide 13
- Follow-up criteria
  - Virus type blocks
    - Rootkits, keyloggers, information stealing, etc.
  - File location blocks
    - Operating system, application program, etc.
    - Departmental file servers are exempt from blocks

Slide 14
- The number of rebuilds is small compared with the number of identified viruses
- Rebuild if the virus type meets the criteria
  - such as Hacktool.Rootkit and Downadup (aka Conficker)
- Rebuild if infected files are in protected system areas
  - such as Windows, WINNT, System, System32
- Fix if the virus is in a restore point
- Ignore notices in temporary internet file areas and non-system areas
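The sorting and follow-up rules on slides 12 to 14 (virus type blocks, file location blocks, rebuild vs fix vs ignore, file servers exempt from blocks) can be written down as a small triage function. The block below is an example added to this transcript, not Fermilab's TIssue code: the one-line notice format `HOST|VirusName=C:\dir\file (Action)`, the `fileserver` role flag, the `review-no-block` outcome and the order in which the rules are applied (family match, then restore point, then system directory, then ignored area, then virus class) are all assumptions, and the sample notices are constructed.

```python
"""Triage of AV notices using the rebuild / fix / ignore and follow-up
criteria from slides 12-14.  Example code added to the transcript, not the
lab's own tooling; notice format, role flag and rule precedence are assumed."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Slide 14: families whose detection alone calls for a rebuild
# (Downadup is the Symantec name for Conficker).
REBUILD_FAMILIES = ("hacktool.rootkit", "downadup")
# Slide 13: virus classes that require follow-up wherever they are found.
FOLLOWUP_CLASSES = ("rootkit", "keylog", "infostealer")
# Slide 14: protected system directories directly under the drive root.
SYSTEM_DIRS = {"windows", "winnt", "system", "system32"}
# Slide 14: areas whose notices are ignored.
IGNORED_DIRS = {"temporary internet files"}


@dataclass(frozen=True)
class Notice:
    host: str
    virus: str
    path: str
    action: str
    role: str = "workstation"   # "fileserver" marks a departmental file server


# Assumed line format: "HOST|VirusName=C:\dir\file (Action)"
LINE_RE = re.compile(
    r"^(?P<host>[^|]+)\|(?P<virus>[^=]+)=(?P<path>.+?)\s*\((?P<action>[^)]*)\)\s*$"
)


def parse_notice(line: str, role: str = "workstation") -> Notice:
    """Parse one notice line; raises ValueError on anything unexpected."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised notice line: {line!r}")
    return Notice(m["host"].strip(), m["virus"].strip(),
                  m["path"].strip(), m["action"].strip(), role)


def _parts(path: str) -> list:
    return [p.lower() for p in PureWindowsPath(path).parts]


def in_restore_point(path: str) -> bool:
    # System Restore keeps copies under ...\System Volume Information\_restore{GUID}\
    return any(p.startswith("_restore") for p in _parts(path))


def in_system_area(path: str) -> bool:
    parts = _parts(path)
    # parts[0] is the drive ("c:\\"); parts[1] is the top-level directory
    return len(parts) > 2 and parts[1] in SYSTEM_DIRS


def in_ignored_area(path: str) -> bool:
    return any(p in IGNORED_DIRS for p in _parts(path))


def triage(n: Notice) -> str:
    """Return one of: rebuild, fix, follow-up, ignore, review-no-block."""
    virus = n.virus.lower()
    if n.role == "fileserver":
        # Slide 13: departmental file servers are exempt from blocks, so the
        # notice goes to a person instead of triggering a block (assumed outcome).
        return "review-no-block"
    if any(f in virus for f in REBUILD_FAMILIES):
        return "rebuild"
    if in_restore_point(n.path):
        return "fix"            # disable restore, clean, re-enable (slide 7)
    if in_system_area(n.path):
        return "rebuild"
    if in_ignored_area(n.path):
        return "ignore"
    if any(c in virus for c in FOLLOWUP_CLASSES):
        return "follow-up"
    return "ignore"             # non-system area, non-blocking virus class


# Constructed sample notices (placeholder hosts and paths, not lab data).
SAMPLE_NOTICES = [
    (r"pc-01|Infostealer.Gampass=C:\Documents and Settings\u\Local Settings"
     r"\Temporary Internet Files\KB390496.exe (Cleaned by Deletion)", "workstation"),
    (r"pc-02|W32.Downadup.B=C:\Windows\System32\jwgkvsq.vmx (Left Alone)", "workstation"),
    (r"pc-03|Trojan.Generic=C:\System Volume Information\_restore{PLACEHOLDER}"
     r"\RP12\A0000123.exe (Quarantined)", "workstation"),
    (r"pc-04|Spyware.Keylogger=C:\Program Files\Vendor\helper.dll (Cleaned)", "workstation"),
    (r"fs-01|Trojan.Generic=C:\Windows\Temp\dropper.exe (Cleaned)", "fileserver"),
]


def triage_all(samples=SAMPLE_NOTICES) -> dict:
    """Map each host to its triage decision."""
    return {n.host: triage(n) for n in (parse_notice(l, r) for l, r in samples)}


if __name__ == "__main__":
    for host, decision in triage_all().items():
        print(f"{host}: {decision}")
```

Running the block prints one decision per constructed host: the cached Infostealer download is ignored because it sits under Temporary Internet Files, the Downadup hit in System32 and anything else in a protected system directory is a rebuild, the restore-point copy is a fix, the keylogger under Program Files is flagged for follow-up, and the file server is routed to review without a block. Which of the location rule and the virus-class rule should win when they disagree is exactly the kind of question the slides leave to the Windows Policy Committee vote.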

Slide 15
- Working with the vendor to identify detected malware
- Review and upgrade the current solution
  - Endpoint Security Protection
    - Antivirus
    - Antispyware
    - Firewall
    - Intrusion prevention
    - Device and application control

Slide 16
- If you are blocked, please tell us if:
  - you have recently borrowed a flash drive/memory stick
  - you have opened an email attachment
    - especially from your non-Fermi account
  - you have browsed business-related web sites
  - you have browsed casual web sites
- Providing detailed information may help problem resolution and future enhancements

Slide 17
- Email notice goes to the registered system administrator
  - When your machine gets blocked you may not receive an email notice.
- Contact the Service Desk at x2345
  - If you suspect you have been blocked, ask that the TIssue site be checked
    - You need to provide username, node name, IP address, etc.

Slide 18
- Thank you for attending!

