Malware Defense-in-Depth 2.0
A practical approach to secure your enterprise against viruses, worms and rootkits
Aa’ed Alqarta
The Problem
- Security defenses can’t keep up with the latest threats
- Malware is penetrating the network and infecting computers
- Antivirus software is not a silver bullet for all threats
- We are losing the war against malware
What is Malware?
According to NIST (2005), “Malware refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim.”
NIST: National Institute of Standards and Technology
Types of Malware
- Viruses
- Worms
- Backdoors
- Spyware
- Bots (“Botnets”)
- Rootkits
- Ransomware
Top Malware Targets
Attack Anatomy
- Attackers discover vulnerabilities and write exploits for them (e.g. in JavaScript)
- They infect web sites to attack visitors
- A visitor browses the site and is immediately infected
- A virus is installed in the background and infects the client software
- Infected computers then attack internal clean machines (workstations/servers)
Web URL Filtering
- Enable AV scanning of downloaded files and requested URLs
- Block access to malicious categories (Porn/Hacking/Downloads/Video/P2P/Torrent/Blogs/Infected Hosts/IM)
- Block downloads of executables (exe/dll/com)
- Inspect SSL traffic for malicious content
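The policy on this slide, expressed as a proxy-side decision function. This is an added example and not the deck’s own code or any filtering product’s: it assumes the proxy can hand over a category label for the URL, the response Content-Type, the first bytes of the body (for HTTPS that is only available with SSL inspection) and an optional AV verdict. Category names, host names and the sample requests are constructed.

```python
"""Proxy policy check illustrating the web-filtering controls (added example)."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Categories the slide recommends blocking, normalised to lower case
BLOCKED_CATEGORIES = {
    "porn", "hacking", "downloads", "video", "p2p", "torrent",
    "blogs", "infected hosts", "im",
}
BLOCKED_EXTENSIONS = (".exe", ".dll", ".com")
# Content types that explicitly declare a Windows executable
EXECUTABLE_CONTENT_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def looks_like_pe(first_bytes: bytes) -> bool:
    """PE executables (exe/dll) start with the 'MZ' DOS header magic."""
    return first_bytes[:2] == b"MZ"


def evaluate(url: str, category: str, content_type: str,
             first_bytes: bytes, av_verdict: str = "clean") -> Decision:
    """Apply the policy in order: category, extension, body content, AV verdict."""
    if category.strip().lower() in BLOCKED_CATEGORIES:
        return Decision(False, f"blocked category: {category}")

    path = urlparse(url).path.lower()
    if path.endswith(BLOCKED_EXTENSIONS):
        return Decision(False, "executable download by extension")

    # Extension rules are bypassed by simply renaming the file, so also look
    # at what the server actually sent (declared type and magic bytes).
    mime = content_type.split(";")[0].strip().lower()
    if mime in EXECUTABLE_CONTENT_TYPES or looks_like_pe(first_bytes):
        return Decision(False, "executable download by content")

    if av_verdict.lower() != "clean":
        return Decision(False, f"AV verdict: {av_verdict}")

    return Decision(True, "allowed")


# Constructed requests (url, category, content-type, first bytes, AV verdict); not real traffic
SAMPLE_REQUESTS = [
    ("http://intranet.example/reports/q1.pdf", "business", "application/pdf", b"%PDF-1.4", "clean"),
    ("http://dl.example/tools/setup.exe", "downloads", "application/octet-stream", b"MZ\x90\x00", "clean"),
    ("http://cdn.example/files/update.exe", "business", "application/octet-stream", b"MZ\x90\x00", "clean"),
    ("http://cdn.example/images/photo.jpg", "business", "image/jpeg", b"MZ\x90\x00", "clean"),
    ("http://news.example/story.html", "news", "text/html", b"<html>", "infected"),
]


def run_samples() -> list:
    """Evaluate every constructed request; returns (url, Decision) pairs."""
    return [(url, evaluate(url, cat, ct, fb, av)) for url, cat, ct, fb, av in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for url, d in run_samples():
        print(f"{'ALLOW' if d.allow else 'BLOCK':5} {url}  ({d.reason})")
```

The fourth sample (a “.jpg” whose body starts with the PE magic) is the case the extension rule alone misses; it is also the check that silently stops working for HTTPS sites unless the proxy actually inspects SSL, which is why the last bullet matters.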
Application Control (Whitelisting)
- Allow business-approved applications only
  ◦ Office, Accounting, Finance, etc.
- Protect critical system files from modification
- Block any unapproved application (including malware)
- Can block zero-day malware even when the AV does not detect it
- Monitor usage of all applications on the network
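A minimal hash-based allow-list check showing why whitelisting stops what signature AV misses. This is an added example, not the deck’s code or any product’s: approved binaries are identified by the SHA-256 of their contents rather than by name or path, and the sample files are constructed in a temporary directory.

```python
"""Hash-based application allow-listing (added example)."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(approved_paths) -> dict:
    """Map digest -> descriptive name for every business-approved binary."""
    return {sha256_file(p): os.path.basename(p) for p in approved_paths}


def check_execution(path: str, allowlist: dict) -> tuple:
    """Return (decision, detail). Anything not on the list is denied, which is
    what lets a whitelist stop a binary the AV has no signature for yet."""
    digest = sha256_file(path)
    if digest in allowlist:
        return "allow", allowlist[digest]
    return "deny", f"unapproved binary {os.path.basename(path)} sha256={digest[:12]}..."


def demo() -> dict:
    """Build a tiny constructed environment and return the decision per file."""
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "office.exe")
        with open(approved, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"approved office build")
        allowlist = build_allowlist([approved])

        # Same bytes under a different name and path: still approved (content, not name)
        renamed = os.path.join(d, "Downloads", "notes.exe")
        os.makedirs(os.path.dirname(renamed))
        shutil.copyfile(approved, renamed)

        # Same file name as the approved binary but one byte altered: denied
        tampered = os.path.join(d, "Temp", "office.exe")
        os.makedirs(os.path.dirname(tampered))
        with open(approved, "rb") as f:
            data = bytearray(f.read())
        data[-1] ^= 0xFF
        with open(tampered, "wb") as f:
            f.write(data)

        # Never seen before: denied no matter what it is called
        unknown = os.path.join(d, "dropper.exe")
        with open(unknown, "wb") as f:
            f.write(b"MZ" + os.urandom(64))

        return {
            "approved": check_execution(approved, allowlist)[0],
            "renamed_copy": check_execution(renamed, allowlist)[0],
            "tampered_same_name": check_execution(tampered, allowlist)[0],
            "unknown": check_execution(unknown, allowlist)[0],
        }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{decision:5} {name}")
```

The “tampered_same_name” case is the one that matters for the “protect critical system files” bullet: a patched copy of a trusted binary keeps its name but loses its hash, so it is denied without anyone having to write a signature for it.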
Device Control
- Block the usage of removable drives (flash drives / iPod / hard disks / cameras)
- If you must allow flash drives on the network:
  - Use “secure” flash disks (encryption, AV, password)
  - Disable “Autorun” and block exe files and Autorun.inf
Network Access Control
- Only allow compliant computers on the network
  ◦ AV is running and updated
  ◦ FW is running
  ◦ Latest service pack
  ◦ Domain user
- Quarantine infected or non-compliant computers in a separate “Remediation Environment”
  ◦ WSUS, AV server, proxy
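The posture decision behind this slide as a small policy evaluator. This is an added example, not the deck’s code or any NAC product’s: each host reports a posture record (the records below are constructed), and anything failing a check is placed on a remediation VLAN where only the update, AV and proxy servers are reachable. The signature-age limit, required service-pack levels and server names are assumptions.

```python
"""NAC posture evaluation with a remediation network (added example)."""
from datetime import date, timedelta

MAX_SIGNATURE_AGE = timedelta(days=3)  # assumed policy value
# Assumed "latest service pack" per OS for the policy
REQUIRED_SERVICE_PACK = {"Windows XP": 3, "Windows Vista": 2, "Windows Server 2003": 2}
# Assumed host names of the remediation environment
REMEDIATION_HOSTS = ("wsus.example", "av-server.example", "proxy.example")
TODAY = date(2009, 1, 15)  # fixed so the example is deterministic


def evaluate_posture(host: dict, today: date = TODAY) -> dict:
    """Return the VLAN assignment plus the list of failed checks."""
    failures = []
    if not host.get("av_running"):
        failures.append("antivirus not running")
    elif today - host["av_signature_date"] > MAX_SIGNATURE_AGE:
        failures.append("antivirus signatures out of date")
    if not host.get("firewall_running"):
        failures.append("host firewall not running")
    required = REQUIRED_SERVICE_PACK.get(host.get("os"))
    if required is not None and host.get("service_pack", 0) < required:
        failures.append(f"service pack {required} required")
    if not host.get("domain_joined"):
        failures.append("not a domain member")
    if failures:
        return {"vlan": "remediation", "reachable": REMEDIATION_HOSTS, "failures": failures}
    return {"vlan": "production", "reachable": ("any",), "failures": []}


# Constructed posture reports, not real hosts
SAMPLE_HOSTS = {
    "ws-001": {"av_running": True, "av_signature_date": TODAY - timedelta(days=1),
               "firewall_running": True, "os": "Windows XP", "service_pack": 3,
               "domain_joined": True},
    "ws-002": {"av_running": True, "av_signature_date": TODAY - timedelta(days=10),
               "firewall_running": True, "os": "Windows XP", "service_pack": 3,
               "domain_joined": True},
    "laptop-guest": {"av_running": False, "firewall_running": False,
                     "os": "Windows Vista", "service_pack": 1, "domain_joined": False},
}


def run_samples() -> dict:
    return {name: evaluate_posture(posture) for name, posture in SAMPLE_HOSTS.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:12} -> {result['vlan']:11} {'; '.join(result['failures']) or 'compliant'}")
```

A host that fails is not simply dropped: it is told why, and it keeps reachability to exactly the three services it needs to fix the failures, which is what makes the quarantine self-healing rather than a help-desk queue.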
FW Best Practices
- No “Any Any” rules
- Outbound SMTP for Exchange servers only
- HTTP/HTTPS/FTP are a good start for end users
- Block infected computers
- Enable logging of denied outbound connections
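The rule-base practices on this slide as an automated audit, together with a summary of the denied-outbound log the last bullet asks for. This is an added example, not the deck’s code or any firewall vendor’s: the rule table, the Exchange server addresses, the host names and the log lines are constructed, and the log format is a simplified assumed one (real firewalls each have their own).

```python
"""Firewall rule audit and denied-outbound log summary (added example)."""
import re
from collections import Counter

EXCHANGE_SERVERS = {"10.0.1.10", "10.0.1.11"}  # assumed addresses


def audit_rules(rules: list) -> list:
    """Return (rule name, finding) pairs for rules violating the slide's practices."""
    findings = []
    for r in rules:
        wide_open = r["src"] == "any" and r["dst"] == "any" and r["service"] == "any"
        if wide_open and r["action"] == "allow":
            findings.append((r["name"], "any/any/any allow rule"))
        if r["service"] == "tcp/25" and r["direction"] == "out" and r["action"] == "allow":
            if r["src"] == "any" or r["src"] not in EXCHANGE_SERVERS:
                findings.append((r["name"], "outbound SMTP from a non-Exchange source"))
        if r["action"] == "deny" and r["direction"] == "out" and not r.get("log"):
            findings.append((r["name"], "denied outbound traffic is not logged"))
    return findings


# Assumed simplified log line format
LOG_RE = re.compile(r"DENY OUT (?P<proto>\w+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")


def noisy_sources(log_lines, threshold: int) -> list:
    """Sources with at least `threshold` denied outbound connections, with the
    destination ports they tried. One host hitting many peers on a single port
    is the pattern an internal worm leaves in exactly this log."""
    counts = Counter()
    ports = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        counts[m["src"]] += 1
        ports.setdefault(m["src"], set()).add(m["dport"])
    return [(src, n, sorted(ports[src])) for src, n in counts.most_common() if n >= threshold]


# Constructed rule base
SAMPLE_RULES = [
    {"name": "users-web", "direction": "out", "src": "10.0.5.0/24", "dst": "any", "service": "tcp/80", "action": "allow"},
    {"name": "exchange-smtp", "direction": "out", "src": "10.0.1.10", "dst": "any", "service": "tcp/25", "action": "allow"},
    {"name": "legacy-smtp", "direction": "out", "src": "any", "dst": "any", "service": "tcp/25", "action": "allow"},
    {"name": "temp-any", "direction": "out", "src": "any", "dst": "any", "service": "any", "action": "allow"},
    {"name": "default-deny", "direction": "out", "src": "any", "dst": "any", "service": "any", "action": "deny", "log": False},
]

# Constructed log lines; one workstation probing six internal hosts on 445 and two external on 25
SAMPLE_LOG = [
    f"2009-01-15 10:02:1{i} DENY OUT TCP 10.0.5.23:5100{i} -> 10.0.7.{i + 1}:445" for i in range(6)
] + [
    "2009-01-15 10:02:20 DENY OUT TCP 10.0.5.23:51010 -> 203.0.113.9:25",
    "2009-01-15 10:02:21 DENY OUT TCP 10.0.5.23:51011 -> 203.0.113.10:25",
    "2009-01-15 10:02:30 DENY OUT TCP 10.0.5.40:50200 -> 203.0.113.50:6881",
    "2009-01-15 10:03:00 ALLOW OUT TCP 10.0.5.41:50300 -> 203.0.113.7:80",
]


def run_audit() -> list:
    return audit_rules(SAMPLE_RULES)


def run_log_summary(threshold: int = 5) -> list:
    return noisy_sources(SAMPLE_LOG, threshold)


if __name__ == "__main__":
    for name, finding in run_audit():
        print(f"rule {name}: {finding}")
    for src, n, dports in run_log_summary():
        print(f"{src}: {n} denied outbound connections to ports {', '.join(dports)}")
```

The log summary is the payoff of the logging bullet: with a default outbound deny that is logged, an infected workstation announces itself the moment it starts looking for file shares, and its address is what the “block infected computers” rule should be fed.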
Case Study: Conficker/Downadup
- Exploits the Windows Server service vulnerability (MS08-067)
- Variants: W32.Downadup A, B, C, E
- Propagates through network file shares and flash disks
- Disables user accounts in AD
- Blocks access to security sites and MS updates
- Stops security tools and software (“self-protection”)
Summary
- Use a good antivirus with a high detection rate
- Patch the OS and 3rd-party applications
- Use application whitelisting + device control
- Block access to malicious, media, downloads and blog categories
- Network segmentation
- Web content filtering policy
Thank You
E-mail me: [email protected]
http://extremesecurity.blogspot.com