Streeterville Group M. Aghajanian, M. Blackburn, T. Heller

  1. Defending Against Users Executing Malware Code via Email • Streeterville Group • M. Aghajanian, M. Blackburn, T. Heller

  2. Introduction • Ultra-secure network to protect their sweet secrets: • Enterprise firewalls. • Only necessary services with required authentication. • Tightly managed systems. • Anomalies begin to appear. • CIO wants to know…

  3. Investigation Why?!

  4. Risk Analysis • Risk analysis (quantitative) • Policy • Design • Prevention • Response or countermeasures • Implementation • Control • Rinse and repeat...

  5. Risk Analysis • State of hosts: susceptible, infected, quarantined, recovered, transmitted, and healthy. • Size of host population: small (binomial), large (Poisson). • Diversity of hosts (mix of operating systems) • Weight of susceptibility • Weight of business value
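
Added worked example (not part of the slides): the quantitative model sketched on this slide, with a constructed host population. Per-host susceptibility and business-value weights give an expected infection count and expected loss, and the tail probability of "at least k hosts infected" is computed exactly (binomial) for a small population and by the Poisson approximation for a large one, as the slide suggests. The fleet numbers and the 50-host cut-off are illustrative assumptions.

```python
import math
from dataclasses import dataclass

@dataclass
class HostClass:
    """One slice of the host population (the slide's 'diversity of hosts')."""
    name: str
    count: int
    susceptibility: float   # weight of susceptibility: P(compromise | malicious email delivered)
    business_value: float   # weight of business value: loss per infected host, arbitrary units

# Constructed fleet; the numbers are illustrative, not measurements.
FLEET = [
    HostClass("legacy-unmanaged", 20, 0.30, 5.0),
    HostClass("managed-desktops", 150, 0.05, 2.0),
    HostClass("other-os", 30, 0.02, 2.0),
]

def expected_infections(fleet):
    """Expected number of hosts moving from 'susceptible' to 'infected' per campaign."""
    return sum(h.count * h.susceptibility for h in fleet)

def expected_loss(fleet):
    """Quantitative risk: expected infections weighted by business value."""
    return sum(h.count * h.susceptibility * h.business_value for h in fleet)

def binomial_tail(n, p, k):
    """Exact P(at least k infections) among n hosts with per-host probability p."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))

def poisson_tail(lam, k):
    """Poisson approximation of the same tail, mean lam = n * p (good for large n, small p)."""
    return 1.0 - sum(math.exp(-lam) * lam ** i / math.factorial(i) for i in range(k))

def tail_probability(host_class, k, small_population=50):
    """Choose the distribution as the slide does: binomial for a small population,
    Poisson for a large one. The 50-host threshold is an assumption."""
    n, p = host_class.count, host_class.susceptibility
    if n <= small_population:
        return binomial_tail(n, p, k)
    return poisson_tail(n * p, k)

if __name__ == "__main__":
    print(f"expected infections: {expected_infections(FLEET):.1f}")
    print(f"expected loss:       {expected_loss(FLEET):.1f}")
    for h in FLEET:
        print(f"{h.name}: P(>=10 infected) = {tail_probability(h, 10):.4f}")
```

For the 20-host legacy class the Poisson approximation overstates the chance of ten or more infections noticeably, which is why the slide distinguishes small from large populations.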

  6. Risk Analysis

  7. Risk Analysis • Paradigm shift to more indirect costs than direct costs overall. • Largest expenses: • Staff hours for support. • Staff hours from downtime. • Hardware, software, vendor support and IT training. • Legal, human resources, and training.

  8. Prevention at the Edge and Perimeter • Layered schema for malware detection. • Prevention by inspection at various points at the edge and perimeter. • ClamAV (open source hardware solution) • Microsoft perspective (proprietary software solution) • Future approaches at the edge or perimeter (next sections)

  9. Prevention at the Edge and Perimeter Layered Protection Microsoft Approach

  10. Responding to User Actions: Clicking on Links • Drive-By Downloads • Exploit browser vulnerabilities. • JavaScript/ECMAScript • Content Parsing • Exploit vulnerabilities in browser add-ons. • Flash • Adobe Reader • Java

  11. Responding to User Actions: Clicking on Links • DNS Blacklisting • Used by spam filtering software. • Repurposed to everyday DNS. • Prevent access to sites known to host malware. • 11.25¢ per user/year. • SSL Proxy with malcode detection • Prevent all malcode delivery. • Including within encrypted sessions.
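
Added example (not from the slides): how a DNS blacklist "repurposed to everyday DNS" decides an answer. A queried name is walked label by label so that a listed zone covers all of its subdomains without matching unrelated names that merely contain the string, an allowlist carves out exceptions, and blocked queries are steered to a sinkhole address. The zones, the sinkhole address (RFC 5737 documentation range) and the log lines are constructed.

```python
# Constructed policy data: zones known to host malware, one carved-out exception,
# and the address clients receive instead of the real record.
BLOCKLIST = {"malware-host.example", "bad-cdn.example.net"}
ALLOWLIST = {"partner.bad-cdn.example.net"}
SINKHOLE = "192.0.2.1"   # RFC 5737 documentation address, stands in for a real sinkhole

def normalize(name):
    """Lower-case and drop the trailing dot so 'WWW.Example.' equals 'www.example'."""
    return name.rstrip(".").lower()

def matching_zone(name, zones):
    """Return the zone in `zones` covering `name` (itself or any parent), else None.
    Walking labels gives suffix matching, not substring matching."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def resolve_policy(qname, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """Decide the resolver's answer: ('PASS', None, None) lets normal resolution
    proceed; ('SINKHOLE', ip, zone) answers with the sinkhole. Allowlist wins."""
    if matching_zone(qname, allowlist):
        return ("PASS", None, None)
    zone = matching_zone(qname, blocklist)
    if zone:
        return ("SINKHOLE", SINKHOLE, zone)
    return ("PASS", None, None)

def audit_query_log(lines):
    """Apply the policy to resolver log lines ('client qname') and return the
    (client, qname, zone) triples that were sinkholed: the hosts whose users
    clicked a link to a listed site and now warrant a look."""
    hits = []
    for line in lines:
        client, qname = line.split()
        action, _, zone = resolve_policy(qname)
        if action == "SINKHOLE":
            hits.append((client, normalize(qname), zone))
    return hits

SAMPLE_LOG = [  # constructed, not real traffic
    "10.0.0.12 www.malware-host.example.",
    "10.0.0.15 mail.example.org.",
    "10.0.0.21 x.partner.bad-cdn.example.net.",
    "10.0.0.33 cdn7.bad-cdn.example.net.",
    "10.0.0.40 bad-cdn.example.net.evil.example.",
]
```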

  12. Responding to User Actions: Clicking on Links • User Training • Detect Suspicious emails. • Close Browser if concerned. • Acceptable Use Policy • Discourage promiscuous behavior. • "Scare tactic" heightens stakes. • Ongoing Communication • Ongoing remediation costs = foregone benefits. • Reinforce desired behavior.

  13. Responding to User Actions: Clicking on Links • Application Selection • Remove Adobe Reader: 55% of all attacks. • Remove IE6, 5% of all attacks. • Update policies • Use Microsoft Group Policy • Update MS products automatically. • Communicate & inform users • Perform software audits • Not feasible in decentralized networks.

  14. Responding to User Actions: Clicking on Links • User cooperation • Accept new updates • Don't install unknown plugins • Vendor support • Push updates to all clients • Centralized patch level monitoring • Create vendor compliance standards

  15. Responding to User Actions: Opening Attachments • Typical approach • Bit-by-bit signatures (a.k.a. "hash") • New approach • Behavioral signature • Influence • Script Kiddies • Policy and enforcement • Additional software may be required • Performance hit • Instrumentation, Legacy systems
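
Added example (not from the slides) contrasting the two approaches on this slide. A bit-by-bit signature is a hash of the whole attachment, so a sample that differs in a single byte no longer matches; a behavioral signature instead matches an ordered set of actions in an execution trace, which is why it needs the sample to be run under instrumentation (the slide's "performance hit"). The attachment bytes, the rule patterns and the sandbox traces are all constructed.

```python
import hashlib
from fnmatch import fnmatch

# Constructed attachment bytes standing in for a known-bad dropper, plus a variant
# that differs in one trailing byte (a trivial repack).
ORIGINAL = b"MZ\x90\x00" + b"constructed-dropper-body" * 4
VARIANT = ORIGINAL[:-1] + b"\x01"

# Typical approach: bit-for-bit signature, i.e. a hash of the whole file.
KNOWN_BAD_HASHES = {hashlib.sha256(ORIGINAL).hexdigest()}

def hash_detect(blob):
    """True only for an exact byte-for-byte match with a known sample."""
    return hashlib.sha256(blob).hexdigest() in KNOWN_BAD_HASHES

# New approach: behavioral signature over a sandbox trace. Each step is an fnmatch
# pattern; steps must occur in this order, unrelated events may interleave.
DROPPER_RULE = [
    "file_write:*\\Start Menu\\Programs\\Startup\\*",   # persistence via Startup folder
    "registry_set:HKCU\\*\\CurrentVersion\\Run\\*",     # persistence via Run key
    "net_connect:*",                                    # then beacons out
]

def behavior_detect(trace, rule):
    """Return True if every rule step is matched, in order, somewhere in the trace."""
    step = 0
    for event in trace:
        if step < len(rule) and fnmatch(event, rule[step]):
            step += 1
    return step == len(rule)

# Constructed sandbox traces ("action:detail" per event).
MALICIOUS_TRACE = [
    "process_start:attachment.exe",
    "file_write:C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\upd.exe",
    "registry_set:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd",
    "net_connect:198.51.100.7:443",
]
BENIGN_TRACE = [
    "process_start:report.exe",
    "file_write:C:\\Users\\u\\Documents\\report.pdf",
    "net_connect:203.0.113.5:443",
]
```

Running the variant through `behavior_detect` with its trace would still fire, because the behavior, not the bytes, is what the rule describes.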

  16. Responding to User Actions: Opening Attachments • Antivirus/OS update policies and procedures • Responses to malware/vulnerabilities, a.k.a. Patches • Admins: greater freedom/power or computer security • If users choose when to update... • If admin chooses when to update... • "Managed" antivirus software • Shows who is doing what: Privacy issues • Distributed Support System • Typical of universities • Policies and enforcement up to non-IT personnel

  17. Responding to User Actions: Opening Attachments • User privilege management • Usually centralized • Environment and staff affect leniency • Research environment requires more user privileges • Fewer IT staff requires more user privileges • Requirements, Reactions & Risk • Users have different tasks, downtime, productivity requirements • Vendor/Instrumentation/Legacy computers • Limited support, no software patching (Vendor not liable) • Various versions of antivirus software • User POV • Updating is confusing, lengthy, slower computer and system re-boot

  18. Responding to User Actions: Opening Attachments • OSes require password authorization before execution • Protects against "accidentally" installing unwanted software • Users can enter password and move on • DEP & ASLR • Windows XP SP2, Mac OS X • Effective as individual solution • Exploits written for IE8 and Firefox (Mac & Win) • Defense-in-Depth: Makes exploits slower • Layering defenses: more obstacles, more opportunities

  19. Responding to User Actions: Opening Attachments • Network level sandbox • Users adept at waiting for emails • Deep-scanning email clients • Number of cores/CPUs growing & Privacy issues • Research: Extent of malware coders sharing/upgrading malware • Executable signatures • Non-IT Policies • High level policies (HIPAA, SOX) • Cause more IT support funding and detail • Force everyone to abide (legal consequences) • Northwestern University • Proactive policies, training