Defense-in-Depth Against Malicious Software

Jeff Alexander, IT Pro Evangelist, Microsoft Australia

Posted on 19-Dec-2015


Blog: http://blogs.msdn.com/jeffa36

Agenda

• Characteristics of Malicious Software
• Malware Defence-in-Depth
• Malware Defence for Client Computers
• Malware Defence for Servers
• Network-Based Malware Defence
• What about Spyware?
• Guidance, Tools and Response

Malicious Software: Identifying Challenges to an Organisation

• Malware: a collection of software developed to intentionally perform malicious tasks on a computer system

• Feedback from IT and security professionals includes:
  – “Users executed the email attachment even though we’ve told them again and again not to”
  – “The antivirus software should have caught this, but the signature for this virus is not installed yet”
  – “We didn’t know our servers needed to be updated”
  – “This never should have made it through our firewall; we didn’t realize those ports could be attacked”

Understanding Malware Attack Techniques

• Common malware attack techniques include:
  – Social engineering
  – Backdoor creation
  – E-mail address theft
  – Embedded e-mail engines
  – Exploiting product vulnerabilities
  – Exploiting new Internet technologies

Understanding the Vulnerability Timeline

[Timeline figure. Milestones: product shipped; vulnerability discovered; vulnerability disclosed; update made available; update deployed by customer. Annotation on the figure: “Most attacks occur here”.]

Understanding the Exploit Timeline

What Is Defence-in-Depth?

Using a layered approach:
• Increases an attacker’s risk of detection
• Reduces an attacker’s chance of success

The layers of the model, with example controls at each:
• Policies, procedures, and awareness – security policies, procedures, and education
• Physical security – guards, locks, tracking devices
• Perimeter – firewalls, border routers, VPNs with quarantine procedures
• Internal network – network segments, IPSec, NIDS
• Host – OS hardening, authentication, update management, antivirus updates, auditing
• Application – application hardening
• Data – strong passwords, ACLs, encryption, EFS, backup and restore strategy

Implementing Host Protection: Policies, Procedures, and Awareness

• Recommended policies and procedures include:
  – Host protection defence policies:
    • Scanning policy
    • Signature update policy
    • Allowed application policy
  – Security update policy:
    • Assess the environment to be updated
    • Identify new updates
    • Evaluate and plan update deployment
    • Deploy the updates
  – Network defence policies:
    • Change control
    • Network monitoring
    • Attack detection
    • Home computer access
    • Visitor access
    • Wireless network policy

Protecting Client Computers: What Are the Challenges?

• Challenges related to protecting client computers include:
  – Host challenges:
    • Maintaining security updates
    • Maintaining antivirus software
    • Implementing a personal firewall
  – Application challenges:
    • Controlling application usage
    • Secure application configuration settings
    • Maintaining application security updates
  – Data challenges:
    • Implementing data storage policies
    • Implementing data security
    • Regulatory compliance

Configuring client applications to defend against malware

Update Management for Malware Defence

[Figure: Microsoft update-management tools, today and in the future.
Today: Windows Update, AutoUpdate, Office Update, VS Update, Download Center, SUS, SMS; two of these are marked “Windows only”.
Future: “Microsoft Update” (Windows Update) and Windows Update Services covering Windows, SQL, Exchange, Office…; due Q4FY05.]

Configuring SUS to deploy security updates

Blocking Unauthorized Applications with Software Restriction Policies

• Software restriction policies:
  – Can be used to:
    • Fight viruses
    • Control ActiveX downloads
    • Run only signed scripts
    • Ensure approved software is installed
    • Lock down a computer
  – Rules can be based on:
    • Hash
    • Certificate
    • Path
    • Zone
  – Default security level can be set to:
    • Unrestricted
    • Disallowed
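When a file is launched, the four rule types above are consulted in a fixed order (hash, then certificate, then path, then zone) and the default level applies if nothing matches. The Python below is an added example, not from the slides or from Microsoft's implementation: a simplified model of that evaluation over a constructed sample policy, with the names File, Rule, evaluate and POLICY being assumptions of this example.

```python
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import List, Optional

UNRESTRICTED, DISALLOWED = "Unrestricted", "Disallowed"
PRECEDENCE = ("hash", "certificate", "path", "zone")  # most specific rule type first

@dataclass(frozen=True)
class File:
    path: str
    content: bytes
    publisher: Optional[str] = None  # Authenticode signer, if the file is signed
    zone: Optional[str] = None       # Internet zone the file was downloaded from

@dataclass(frozen=True)
class Rule:
    kind: str   # "hash", "certificate", "path" or "zone"
    value: str  # sha256 hex, publisher name, path pattern or zone name
    level: str  # UNRESTRICTED or DISALLOWED

def matches(rule: Rule, f: File) -> bool:
    if rule.kind == "hash":
        return hashlib.sha256(f.content).hexdigest() == rule.value
    if rule.kind == "certificate":
        return f.publisher == rule.value
    if rule.kind == "path":  # Windows paths compare case-insensitively
        return fnmatch.fnmatchcase(f.path.lower(), rule.value.lower())
    if rule.kind == "zone":
        return f.zone == rule.value
    raise ValueError(f"unknown rule kind {rule.kind}")

def evaluate(rules: List[Rule], f: File, default_level: str = DISALLOWED) -> str:
    for kind in PRECEDENCE:
        hits = [r for r in rules if r.kind == kind and matches(r, f)]
        if not hits:
            continue
        if kind == "path":  # the most specific (longest) matching path rule wins
            return max(hits, key=lambda r: len(r.value)).level
        # conflicting rules of the same kind: the more restrictive level wins
        return DISALLOWED if any(r.level == DISALLOWED for r in hits) else UNRESTRICTED
    return default_level

# Constructed sample policy: default Disallowed, with allow-listed exceptions
POLICY = [
    Rule("path", r"c:\program files\*", UNRESTRICTED),
    Rule("path", r"c:\program files\untrusted\*", DISALLOWED),
    Rule("hash", hashlib.sha256(b"known-bad-binary").hexdigest(), DISALLOWED),
    Rule("certificate", "Contoso Signing CA", UNRESTRICTED),
    Rule("zone", "Internet", DISALLOWED),
]
```

A hash rule for a known-bad binary blocks it even inside the allow-listed Program Files path, and a signed download is allowed by the certificate rule even though its Internet zone rule says Disallowed.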
