How Malware Works - Understanding Software Vulnerabilities
Most computer viruses use software vulnerabilities to get installed. This is a brief look at the risk software vulnerabilities pose.
  • F-Secure has been in the industry for 25 years; we were the first company to spot the first virus. Good selling point. Global software security company, listed on NASDAQ OMX Helsinki Ltd, with 23 country offices, 900+ employees and a presence in more than 100 countries. Awarded world-class anti-malware research and operations. Praised strategy: highest score among all vendors for our product roadmap and strategy, given by Forrester Research Inc.
  • Let’s look at the detail of our security offering…
  • Adobe – 2.9 million customers lost personal data including passwords and credit card information, as well as source code. WhatsApp – poor design means encryption is predictable and easy to crack.
  • Blackhole Creator has been arrested. Use of the tool has dropped since then. Dick Cheney removed the wireless function of his implant because he was worried a hacker could interfere with it. Homeland used this in an episode.
  • Government – new Cyber Defence Force. Opposition – plans to tackle cybercrime.
  • It’s now a case of when, not if, you will be attacked. Information security functions are not fully meeting the needs in 83% of organizations; 93% of companies globally are maintaining or increasing their investment in cyber-security to combat the ever increasing threat from cyber-attacks. Thirty-one percent of respondents report the number of security incidents within their organization has increased by at least 5% over the last 12 months.
  • Oracle tops the chart with 424 vulnerabilities, much higher than their 262 entries in 2011. A significant number of these vulnerabilities are related to Java. Microsoft continues to decrease the number of vulnerabilities it reported, with 169 vulnerabilities, down from 244 in 2011 and 318 in 2010. Google had the most vulnerabilities in 2011, but now lies in sixth position with only half of the vulnerabilities they reported in 2011.
  • These numbers confirm that mobile platforms are garnering more and more attention from security researchers and hackers. An interesting entry into the chart this year is VMware ESX/ESXi. The virtualization market is growing and the security focus has shifted to follow the trend. 454 vulnerabilities were reported in 2012 for the top five web browsers (Mozilla Firefox, Google Chrome, Apple Safari, Microsoft Internet Explorer and Opera Browser). This figure is greater than all the vulnerabilities reported in 2012 for all operating systems combined (which had “only” 436 vulnerabilities).
  • Our competitors are catching up with us and have started making claims about “equal level” patch management features. This is however not true, since so far they only support Windows Update. According to the Vulnerability Database only 12% of the vulnerabilities are found in the OS and 85% in 3rd party software. The remaining 3% is from hardware etc. (86 – 10 – 4)
  • APT – Business and Political Targets
  • DATAPOINT: RSA, http://blogs.rsa.com/anatomy-of-an-attack/
    The email subject line read “2011 Recruitment Plan.” The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached Excel file. It was a spreadsheet titled “2011 Recruitment plan.xls”. The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609). As a side note, by now Adobe has released a patch for the zero-day, so it can no longer be used to inject malware onto patched machines. IF PATCHED!
    OK, back to the attack. As you know, the next step in a typical APT is to install some sort of a remote administration tool that allows the attacker to control the machine. In our case the weapon of choice was a Poison Ivy variant set in a reverse-connect mode that makes it more difficult to detect, as the PC reaches out to the command and control rather than the other way around. Similar techniques were reported in many past APTs, including GhostNet.
    Having set remote access, now the attacker in a typical APT starts digital shoulder surfing to establish the employee’s role and their level of access. If this isn’t sufficient for the attackers’ purpose, they will seek user accounts with better, more relevant, privileges. I’ve pieced together a separate blog post as an appendix, talking about the attack end-to-end and providing more data. Then they use the compromised accounts, coupled with various other tactics, to gain access to more “strategic” users. In the RSA attack the timeline was shorter, but still there was time for the attacker to identify and gain access to more strategic users.
    The attacker first harvested access credentials from the compromised users (user, domain admin, and service accounts). They performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high value targets, which included process experts and IT and Non-IT specific server administrators. If the attacker thinks they can exist in the environment without being detected, they may continue in a stealth mode for a long while. If they think they run the risk of being detected, however, they move much faster and complete the third, and most “noisy”, stage of the attack. Since RSA detected this attack in progress, it is likely the attacker had to move very quickly to accomplish anything in this phase.
    In the third stage of an APT, the goal is to extract what you can. The attacker in the RSA case established access to staging servers at key aggregation points; this was done to get ready for extraction. Then they went into the servers of interest, removed data and moved it to internal staging servers where the data was aggregated, compressed and encrypted for extraction. The attacker then used FTP to transfer many password protected RAR files from the RSA file server to an outside staging server at an external, compromised machine at a hosting provider. The files were subsequently pulled by the attacker and removed from the external compromised host to remove any traces of the attack. I hope this description provides information that can be used to understand what has happened and correlate with other APTs.
  • CryptoLocker is a computer worm which surfaced in late 2013. A form of ransomware targeting Microsoft Windows-based computers, the trojan encrypts files stored on local hard drives and mounted network drives using public-key cryptography, and then displays a message saying that the files will be decrypted if a fee is paid through an anonymous payment service by a specified deadline, beyond which decryption is no longer possible. CryptoLocker typically propagates as an attachment to a seemingly innocuous e-mail (usually taking the appearance of a legitimate company e-mail), or from a botnet. The attached ZIP file contains an executable file with filename and icon disguised as a PDF file, taking advantage of Windows' default behaviour of hiding the extension from file names to disguise the real .EXE extension. Some instances may actually contain the Zeus trojan instead, which in turn installs CryptoLocker.[1][2] When first run, the payload installs itself in the Documents and Settings folder with a random name, and adds a key to the registry that causes it to run on startup. It then attempts to contact one of several designated command and control servers; once connected, the server generates a 2048-bit RSA key pair, and sends the public key back to the infected computer.[1][3] The server may be a local proxy and go through others, frequently relocated in different countries to make tracing difficult.[4][5] The payload then begins encrypting files across local hard drives and mapped network drives with the public key, and logs each file encrypted to a registry key. The process only encrypts certain types of files by extension, but particularly targets Microsoft Office and OpenDocument files.[2] The payload then displays a message informing the user that files have been encrypted, and demands a payment of either 100 or 300 USD or Euro through an anonymous pre-paid cash voucher (i.e. MoneyPak or Ukash), or 2 Bitcoin in order to decrypt the files. The payment must be made within 72 or 100 hours, or else the private key on the server would be destroyed, and "nobody and never [sic] will be able to restore files."[1][3]
  • The supposedly Russian creators use the names "HodLuM" and "Paunch". It was reported on October 7, 2013 that "Paunch" had been arrested.
  • Microsoft – Patch Tuesday – 2nd Tuesday of the month. Oracle – 127 security patches including 51 patches for Java; all but one of the Java patches allow for RCE. iOS 7 fixed 80 vulnerabilities (just over 50% of users have upgraded). The most concerning of the iOS vulnerabilities is CVE-2013-5139. This is a flaw in the IOSerialFamily driver that could allow an attacker to run arbitrary code, with no authentication required for the exploit, and it could result in disclosure of information stored on the phone as well as denial of service. The other high severity vulnerabilities can also be exploited to create a denial of service attack.
  • There are five main areas to the new policy: improved reporting, improved validation, improved remediation, the implementation of a 'hall of fame' – and a reward scheme paying between $150 - $15,000.
  • CVE Identifiers (also called "CVE names," "CVE numbers," "CVE-IDs," and "CVEs") are unique, common identifiers for publicly known information security vulnerabilities. Updating Java – In the Java 7 update 11 release, the default security level setting for Java was increased to High. This configuration means that users need to expressly authorize an applet to execute (whether it is unsigned or self-signed). Disabling the Java browser plug-in – If updating Java isn’t an option, the user can focus on managing the Java browser plug-in by disabling the plug-in and only enabling it when needed. This can be done via a handy, one-click option in the Control Panel (available in the Java 7 update 10 release) or via the web browser’s settings. The instructions for disabling Java in various web browsers are available at: http://www.java.com/en/download/help/disable_browser.xml Using two browsers – Rather than fiddling with security settings, the user may opt for a two-browser strategy, in which one browser with the Java plug-in enabled is dedicated solely to using the website or program that demands it. All other web browsing is done on a separate browser without the plug-in. Enable Click to Play – For Java-enabled web browsers, an additional touch of security comes from the plug-in blocking feature built into most browsers. In Firefox and Opera, it’s known as ‘Click to Play’ while Chrome has a ‘Block all’ option for plug-ins in its Content Settings page. This functionality prevents automatic execution of plug-ins (not just Java) and requires the user to click on the plug-in of interest before it will run. 3rd party apps – Another possibility is to use third-party programs to block plug-ins from automatically running on page load, unless the user chooses otherwise. The most popular of such programs is NoScript, which blocks multiple types of active content in Mozilla-based browsers, though there are a handful of other applications available that perform a similar function.
  • http://www.f-secure.com/en/web/business_global/swup
  • Browsing protection checks the safety and/or suitability of the requested website against the F-Secure cloud. In managed environments you can choose whether or not users are offered the option to bypass the block.
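The CryptoLocker note above describes the delivery trick of an executable named and iconed as a PDF inside a ZIP, which works because Windows hides the final extension by default. The following added example (mine, not F-Secure's and not from the deck) shows how a mail-gateway or analyst script can flag that pattern: a double extension ending in an executable type, or a PE (MZ) body under a non-executable name. The extension lists and the archive contents are constructed for the demonstration.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import List

# Constructed, non-exhaustive lists for the demo: types Windows runs directly,
# and document-like types an attacker may place in front of the real one.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


@dataclass
class Finding:
    member: str        # name inside the archive
    displayed_as: str  # what a user sees with extensions hidden
    reason: str


def displayed_name(name: str) -> str:
    """Approximate Explorer's 'Hide extensions for known file types':
    the final extension is dropped, so 'Invoice.pdf.exe' shows as 'Invoice.pdf'."""
    base = name.rsplit("/", 1)[-1]
    stem, dot, _ = base.rpartition(".")
    return stem if dot else base


def inspect_archive(data: bytes) -> List[Finding]:
    """Flag ZIP members that look like the CryptoLocker delivery trick:
    an executable hiding behind a document-like name, a bare executable
    attachment, or a PE body stored under a non-executable extension."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.rsplit("/", 1)[-1].lower().split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            decoy = parts[-2] if len(parts) > 2 else ""
            shown = displayed_name(info.filename)
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))
            if ext in EXECUTABLE_EXTS and decoy in DECOY_EXTS:
                findings.append(Finding(info.filename, shown,
                                        f"executable .{ext} disguised as .{decoy}"))
            elif ext in EXECUTABLE_EXTS:
                findings.append(Finding(info.filename, shown,
                                        f"executable .{ext} attachment"))
            # Name/content mismatch: PE bytes under a name that is not executable.
            if head == PE_MAGIC and ext not in EXECUTABLE_EXTS:
                findings.append(Finding(info.filename, shown,
                                        "PE header (MZ) under a non-executable extension"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive: one decoy executable, one PE body under an
    image name, one harmless text file. Payloads are just MZ plus padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("2013 Invoice.pdf.exe", PE_MAGIC + b"\x00" * 62)
        zf.writestr("scan.jpg", PE_MAGIC + b"\x90\x00")
        zf.writestr("notes.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_archive(build_sample_archive()):
        print(f"{f.member!r} (shown as {f.displayed_as!r}): {f.reason}")
```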
  • Transcript

    • 1. How malware works: Software Vulnerabilities 30th October 2013 – 11am (UK) Bunmi Sowande bunmi.Sowande@f-secure.com +44 (0) 7818 515 687
    • 2. Agenda • Introduction – F-Secure • Security in the news • Malware – how you get infected • Software vulnerabilities • Anatomy of a cyber crime • Software publishers fight back • We will protect you – F-Secure’s 8 layers of protection • F-Secure Software Updater
    • 3. Praised by Analysts The Forrester Wave™: Endpoint Security, Q1 2013 Forrester Research Inc. gave us the highest score among all vendors for our product roadmap and strategy. We received top ranking scores on our performance and satisfaction, in addition to our advanced antimalware technologies.
    • 4. Awarded Protection Prestigious Best Protection awards by AV-TEST “We are proud to congratulate the entire F-Secure team for receiving the AV-TEST Best Protection Award 2012” “Out of all corporate endpoint protection products reviewed, F-Secure Client Security offered by far the best protection.” Andreas Marx, CEO of AV-TEST
    • 5. Awarded Protection Top Ranked Protection year after year! Top Rated Protection since 2006!
    • 6. Awarded Protection Certified and awarded by numerous 3rd parties!
    • 7. Comprehensive Protection Providing 360 protection from all threats Protection Service for Business Business Suite In-House IT Policy Manager Management as a Service Internet Gatekeeper Messaging Security Gateway PSB Portal Out-sourced IT Server Security Client Security Email and Server Security Mobile Security Linux Security AV for Workstations PSB Server Security PSB Email and Server Security PSB Workstation Security Protection Service for Email PSB Mobile Security
    • 8. SECURITY IN THE NEWS
    • 9. SECURITY IN THE NEWS
    • 10. SECURITY IN THE NEWS
    • 11. SECURITY IN THE NEWS
    • 12. Malware Attack Vectors
      INFECTED ADVERTISEMENT – An otherwise legitimate website is infected through hostile advertisements originating from non-website related independent 3rd party ad agencies, which then contaminates visitors by exploiting software vulnerabilities.
      CONTAMINATED WEBSITE – A legitimate website is compromised by an attacker and consequently contaminated by inserting malicious content into it, which then infects every visitor going to the site.
      CONTAMINATED ATTACHMENT – An authentic looking email deceives the end-user to open a seemingly genuine attachment, which contains an integrated malware, which through a software vulnerability or exploit gains access to the system.
      MALICIOUS LINK TO MALWARE – An email from a seemingly trusted or legitimate source deceives the end-user to follow a link to an external website which contains malicious software that infects every visitor going to the site.
    • 13. Malware Attack – What Next? VULNERABILITY BACKDOOR ACCESS But due to a vulnerability from outdated software, an integrated malware payload is installed. Malware contacts remote server and deploys additional malware, ensuring multiple backdoor and remote access. With access secured, the attacker aims to escalate privileges in order to gain further access in the network.
    • 14. Malware Attack – What Next? DATA ESCAPE With access to the most confidential parts and files of the network, the criminal identifies the most valuable data and starts sending it to external staging servers. Valuable data is then extracted and sent onward. The attacker destroys evidence and hides tracks, but might leave a backdoor for further access.
    • 15. Karmina Senior Analyst WHAT IS A SOFTWARE VULNERABILITY? Software bug or defect that allows your device to be compromised. Security (an intersection of 3 elements): • a system susceptibility or flaw • attacker access to the flaw • and attacker capability to exploit the flaw
    • 16. Vulnerabilities by Numbers – Top 10 Vendors (Source: National Vulnerability Database, http://nvd.nist.gov/)
      Number of vulnerabilities in 2012, with the trend against 2011: Oracle 424 ↑, Apple 270 ↑, Mozilla 195 ↑, Microsoft 169 ↓, IBM 154 ↑, Google 150 ↓, Adobe 137 ↓, Cisco 134 ↓, HP 74 ↓, Apache 55 ↑.
      2011 figures shown on the slide (row order not recoverable from the extracted text): 262, 110, 143, 189, 144, 246, 244, 299, 135, 44. The speaker notes give Oracle 262 and Microsoft 244 for 2011, with Google the 2011 leader.
    • 17. Vulnerabilities by Numbers – Most Targeted Applications (Source: National Vulnerability Database, http://nvd.nist.gov/)
      Operating systems, number of vulnerabilities 2012 with trend (2011 in brackets): Apple iOS 86 ↑ (35); Microsoft Windows Server 2003 45 ↓ (105); Microsoft XP 42 ↓ (96); Microsoft Windows 2008 48 ↓ (101); Microsoft Windows Vista 41 ↓ (91); Microsoft Windows 7 42 ↓ (98); Cisco IOS 36 ↑ (36); Linux Kernel 45 ↓ (45); Oracle Solaris 47 ↑ (47); VMware ESXi 12 ↑ (7); VMware ESX 11 ↑ (7); Cisco IOS XE 9 ↓ (13); Citrix Xen 33 ↑ (3); Apple Mac OS X 21 ↓ (69); Apple Mac OS X Server 17 ↓ (66).
      Applications, number of vulnerabilities 2012: Mozilla Firefox 159, Mozilla Thunderbird 144, Mozilla SeaMonkey 143, Google Chrome 125, Mozilla Firefox ESR 115, Mozilla Thunderbird ESR 109, Apple iTunes 102, Apple Safari 85, Adobe Flash Player 66, Oracle Java 58, Adobe Air 54, Adobe Flash Player for Android 53, Ffmpeg 42, Microsoft Internet Explorer 41, Adobe Shockwave Player 27, Adobe Reader 25. The slide gives 2011 figures for 13 of these 16 applications (as extracted, in order): 97, 63, 63, 275, 78, 45, 63, 37, 27, 10, 45, 38, 65, with trends ↑ ↑ ↑ ↓ ↑ ↑ ↑ ↑ ↑ ↑ ↓ ↓ ↓.
    • 18. Is Windows Update based Patch Management Enough?
    • 19. Vulnerability Types RCE EOP DOS Leak
    • 20. Vulnerability Types -RCE • RCE – Remote Code Execution • Runs code without authorisation or authentication • “Drive by installations” • Code is designed as data • Documents, emails and websites can be used
    • 21. Vulnerability Types - EOP • EOP – Elevation of Privilege • Allows attacker to either gain higher privileges or impersonate another user with higher privileges • Usually targets the “admin” or “root” account • Combined with RCE, allows an attacker to install malware on one or more systems
    • 22. Vulnerability Types – DOS • DOS – Denial of Service • Makes a device or system unavailable to intended users • Uses or creates software bottlenecks • Excessive CPU usage, memory leaks, disk I/O, slow or long LDAP searches, database calls or large join operations. • Motives for DOS • Protestors, hacktivists • Industrial espionage • Distraction from criminal activity
    • 23. Vulnerability Types – Leaks Leaks (or information disclosure) • Enables an attacker to gain valuable information • Memory dumps, log files, network traffic • Mobile Phone Apps – unencrypted data • Invisible to the user
    • 24. Gregory Senior Software Engineer ZERO – DAY: An attack that exploits a previously unknown vulnerability APT – Advanced Persistent Threat – Targeted attack aimed at specific organisations • Governments • Financial institutions • Medical organisations
    • 25. Veli-Jussi Director, Security Products ANATOMY OF A CRIME - RSA Source: RSA http://blogs.rsa.com/anatomy-of-an-attack/
    • 26. Anatomy of a crime – RSA – March 2011 Source: RSA http://blogs.rsa.com/anatomy-of-an-attack/ 1 PHISHING: Attacker sent two ‘spear phishing’ emails during the course of a two-day period. The email, titled 2011 Recruitment Plan, related well with the ongoing recruitment process in the company. 2 EMPLOYEE: Emails were sent to two small groups of employees without particularly high profile or target value. It was crafted well enough to trick one employee to retrieve it from their Junk mail folder, and open the attached Excel file. 3 VULNERABILITY: The attached Excel file contained a zero-day exploit that installed a backdoor through an Adobe Flash vulnerability (CVE-2011-0609).
    • 27. Anatomy of a crime – RSA 4 REMOTE ACCESS: Having the backdoor secured, the attacker installed a remote administration tool called ‘Poison Ivy’, which allowed the attacker to remotely control the computer. 5 SENSITIVE DATA: With remote access established, the attacker leveraged the original credentials in gaining entry to more ‘strategic’ systems and employees with access to sensitive data. Data was then extracted and aggregated to an internal staging server. 6 EVASION & EXIT: From there, data was sent to an external staging server at a compromised machine – and subsequently pulled by the attacker. Traces and data were removed from the compromised host. $66.3 Million: direct bottom-line cost of investigating and monitoring of corporate customer transactions.
    • 28. Ransomware – Targeting SMBs and home users
    • 29. Ransomware – Targeting SMBs and home users
    • 30. Ransomware – Targeting SMBs and home users
    • 31. Blackhole Exploit Kit • Off the shelf malware tool – currently most prevalent web threat • Targets web users through out of date browsers to install malware • Once infected, the attacker can see what other vulnerabilities can be exploited
    • 32. 87% of corporate computers miss critical software updates. Missing updates per computer: 0 – 13%, 1-4 – 13%, 5-9 – 25%, >10 – 49%.
    • 33. Software Publishers fight back • Microsoft – Patch Tuesday • SAP + Adobe – Patch Tuesday • Oracle – Quarterly patches • Apple
    • 34. Software publishers fight back • Bug Bounty Programs
    • 35. Software publishers fight back • T-Shirt Gate - Yahoo !
    • 36. How can you protect yourself? • Patch regularly, patch quickly • Reduce your attack surface • Less (software) is more • Avoid vulnerable software – Java, in particular • Get an anti virus program – keep it up to date! • Have a strong security policy and enforce it • “Educate Rob” – user education. You are only as strong as your weakest link.
    • 37. How can you protect yourself? • Patch regularly, patch quickly • Reduce your attack surface • Less (software) is more • Avoid vulnerable software – Java, in particular • Get an anti virus program – keep it up to date! • Have a strong security policy and enforce it • “Educate Rob” – user education. You are only as strong as your weakest link.
    • 38. How can you protect yourself? • 95% of all attack attempts can be attributed to just 5 vulnerabilities • 1 vulnerability in Windows, 4 in Java • 3 of the top 5 were less than 6 months old, the most prevalent is 2 years old and was top vulnerability in 2012
    • 39. Comprehensive Protection Providing you with 8 layers of protection 1. URL/WEB ACCESS FILTERING 2. HTTP PROTOCOL SCANNING 3. EXPLOIT DETECTION 4. CLOUD REPUTATION QUERIES 5. SANDBOXING AND BEHAVIOURAL ANALYSIS 6. REAL-TIME SCANNING 7. MEMORY SCANNING 8. RUNTIME HEURISTICS Corporate Client Security Server Security Email and Server Security PSB Workstation Security PSB Email and Server Security Consumer Internet Security 2014 Mobile F-Secure Mobile Security
    • 40. Software Updater is unique Unique automatic deployment of security updates Patch management not just for Windows but also for 3rd party products Best detection, automatic updates and integrated management for an affordable package price
    • 41. Software Updater Combining operational efficiency and security Out-of-date 3rd party software is a significant security risk, yet expensive to update without Software Updater! … = Significant Cost Savings! Can be deployed in less than one hour.
    • 42. Software updater supported applications .NET Framework 7-Zip Access Access Database Engine Access Runtime Acrobat Distiller Acrobat Elements Acrobat Reader Adobe Acrobat Adobe AIR Adobe Flash Adobe Flash Player Plugin Adobe Reader Adobe Reader MUI Adobe Shockwave Player Apache Apache Tomcat Apple Application Support Apple iTunes Apple QuickTime AT&T Global Network Client Audacity BizTalk Server BlackBerry Desktop Manager BlackBerry Server for Exchange Business Contact Manager for Outlook CCleaner CDBurnerXP Citrix Group Policy Management Citrix MetaFrame XP Citrix Online Plugin Citrix Password Manager Console Citrix Presentation Server Citrix Single Sign-On Console Citrix XenApp Commerce Server Content Management Server CoreFTP DirectX Excel Microsoft Office Excel Viewer Exchange Exchange System Manager FileZilla Firefox Flash Player Plugin Foxit Reader Microsoft FrontPage Server Extensions Gimp Google Chrome Google Picasa Google Talk Groove Host Integration Server HP System Management Homepage Hyper-V InfoPath Internet Explorer Internet Information Server Internet Information Services ISA Server Java Development Kit LibreOffice MDAC Microsoft Antigen for SMTP Gateways Microsoft AntiXSS Microsoft CAPICOM Microsoft Digital Image Microsoft Expression Blend Microsoft Expression Design Microsoft Expression Encoder Microsoft Expression Media Microsoft Expression Studio Microsoft Expression Web Microsoft FAST Search Server 2010 for Sharepoint Microsoft Forefront Client Security Microsoft Forefront Endpoint Protection Microsoft Forefront Security for Exchange Server Microsoft Forefront Security for SharePoint Microsoft Forefront Threat Management Gateway Windows Journal Viewer Microsoft Lync Microsoft Lync Server Microsoft Office Microsoft Office Communications Server Microsoft Office Communicator Microsoft Office Converter Pack Microsoft Office File Validation Add-In Microsoft Office Groove Server Microsoft Office InfoPath Microsoft Office Outlook Microsoft 
Office Pinyin IME Microsoft Office Project Server Microsoft Office Search Server Microsoft Office SharePoint Server Microsoft Office Small Business Accounting Microsoft Office Visual Web Developer Microsoft Office Web Apps Application Server Components Microsoft Outlook Express Microsoft Project Web Front End Server Microsoft Report Viewer Redistributable Microsoft Search Server Services For Unix Microsoft SharePoint Microsoft Silverlight Microsoft Step By Step Interactive Training Microsoft System Center Configuration Manager Microsoft Systems Management Server MICROSOFT UNIFIED ACCESS GATEWAY Microsoft Virtual Machine (VM) Microsoft Virtual PC Microsoft Virtual Server Microsoft Visual C++ Redistributable Microsoft Visual Studio Microsoft Visual Studio Tools for Applications Microsoft Windows Defender Microsoft Windows Live OneCare Microsoft Word Server Microsoft Works 6-9 Converter MozyHome MozyPro MSComctl Analysis Services MSN Messenger MSXML NetChk Protect Notepad++ Office Microsoft Office OneNote Opera Oracle OpenOffice.Org Outlook Outlook Express Outlook TimeZoneMove Pidgin PowerPoint PowerPoint Viewer Producer for PowerPoint Microsoft Project Proofing Tools Publisher RealPlayer RealVNC Safari Salesforce Chatter Desktop SeaMonkey Sharepoint Designer Microsoft SharePoint Team Services Sharepoint Workspace Shavlik NetChk Protect SkyDrive Pro Skype Skype Business Small Business Server SNA Server Snapshot Viewer for Microsoft Access SQL Server SQL Server Desktop Engine (MSDE) Sun Java Runtime Environment Thunderbird TortoiseSVN http://www.f-secure.com/en/web/business_global/swup UltraVNC Virtual CloneDrive Visio Visio Viewer Visual Basic Visual Basic for Applications SDK Visual C++ Redistributable Visual FoxPro Visual Studio .NET VLC Media Player VMware Player VMware Workstation Winamp Windows Server Windows Windows Embedded Standard Windows Home Server Windows Storage Server Windows Hyper-V Server Windows Internal Database Windows Live Messenger Windows Mail 
Windows Media Encoder Windows Media Player Windows Media Services Windows Messenger MSN MESSENGER Windows Movie Maker Windows Search Windows SharePoint Services Windows Small Business Server Windows Storage Server Windows Web Server WinRAR WinZip SQL Server Desktop Engine (Windows) Word Word Viewer WSUS Zimbra Desktop
    • 43. F-Secure DeepGuard 5 – EXPLOIT DETECTION … DG 5.0 monitors the most commonly exploited software. Protects against threats such as “Red October”. If the software starts to behave suspiciously, DeepGuard stops the exploit. Special logic for handling document exploits.
    • 44. F-Secure DeepGuard: Sandboxing and Behavioural Analysis. Proactive behaviour-based protection against emerging threats. (Diagram labels: Unknown Program Executes, Behavior Analysis, Reputation Check, Event Analysis.) DeepGuard is our behaviour analysis feature, providing you with a last line of defence against unknown malware.
    • 45. DeepGuard 5 vs IE Zero-Day Exploit CVE-2013-3893
    • 46. CLOUD REPUTATION QUERIES: Real Time Protection Network. Quite a few protection features gain their bleeding edge with cloud-based operations, and this requires connection to the F-Secure cloud.
    • 47. URL/WEB ACCESS FILTERING: F-Secure Browsing Protection. While browsing the internet, it is nice to see where you could safely go… And when your user takes a wrong turn, we are there to stop them.
    • 48. HTTP PROTOCOL SCANNING: Network Interceptor Framework (NIF). No more browser plugins. All HTTP, IMAP4, POP3 and SMTP traffic scanned. Firewall - Network Traffic Control: F-Secure Firewall controls all network traffic to and from your workstation. (Diagram labels: POP, Unknown, HTTP, Email.)
    • 49. F-Secure Reseller/Partner Technical Training day coming soon: 6th December 2013, Slough Copthorne Hotel. Places limited - contact me for details: 07818 515 687, bunmi.Sowande@f-secure.com