How Can a CIO Secure a Moving Target      with Limited Resources?                                Dr. Stefan Frei          ...
Know your EnemyThe Changing Threat Environment                                                           Fastest          ...
Availability of Malware Toolsleads to ..      High degree of attack          automation    More opportunistic attacks
Malware as a Service (MaaS)                                     Malware offered for                                     $2...
Malware Construction KitLive DemonstrationWe “trojanize” Windows Minesweeper using anoff-the-shelf malware construction ki...
Full Remote Control..                              List / start / stop / disable servicesRead clipboardList and kill proce...
Malware Development Process         Obfuscation & Quality Assurance1 Original Malware Create core malicious functionality:...
An Arms Race …286 million    virus samples counted               in 2010 783,562       samples / day  32,648       samples...
Limitations of traditional defenseWe are to loose this Arms Race .. 25%           of 123 publicly known exploits          ...
From a Criminal’s      Perspective#Hosts x #Vulnerabilities           =     Opportunity
Worldwide Internet Usage    2,095 Million    estimated Internet users on March 31st, 2011                                 ...
2,095 Million potential victims..End-points are increasingly targeted     End-point are where the most valuable 1   data i...
From a Criminal’s      Perspective#Hosts x #Vulnerabilities           =     Opportunity
AnalysisWhat does an end-point look like?Data: Scan results from more than 4.8 Mio usersof the Secunia Personal Software I...
Distribution of   Distribution of  #vendors         #programs
The Top-50 Software Portfolio ..Covers the 50 most prevalent programs torepresent a typical end-point:28 Microsoft and 22 ...
An alarming trend ..in # of end-point vulnerabilities Number of vulnerabilities continuously increased since 2007         ...
A relevant trend ..in criticality and type of vulnerabilities      800+      Vulnerabilities         of which      >50%
What is the sourceof this increasing trend?            ?OS          MS           TPOperating   Microsoft   Third-party Sys...
It is third-party programs Non-Microsoft programs are found to be almost exclusively responsible for this increasing trend...
The Operating System& Top-50 Software Portfolio                          Top 50 Portfolio                                 ...
How do we keep a typical end-point up to date?
Complexity hurts12 different update mechanisms .. 11 Update                                      1 UpdateMechanisms       ...
Cybercriminals     knowpatch available       ≠patch installed
Patch Complexity ..has a measurable effect on security           Percent of unpatched programs                            ...
You can’t hideEven rare programs have exploits                         Programs with low market share are  FALLACY        ...
Are we doomed?
The Good Newsmost patches are available on time!72%of the patches are available on the day of vulnerability   Patch Availa...
Cybercriminals.. don’t need zero-day exploits!Malware propagation methods:         of the attacks had no patch available a...
Instant patching of all programs is amajor challenge                             What patching                           s...
SimulationStatic vs. Dynamic PatchingSay you have a portfolio of the 200 mostprevalent programsOn average, how many progra...
Statically patching                        .. the most prevalent programs                                       Percentage...
Statically patching                        .. the most critical programs                                       Percentage ...
Why?.. chasing a moving target    Programs vulnerable in one year, but not                                               3...
Job Security ..It depends when you get 0wned          ✓                      ✓                     ✗           time  Patch...
A patch provides       better protectionthan thousands of signatures    it eliminates theroot cause
Properties of a Patch.. from a risk & operations perspective    No false positives (no false alarms)    No false negativ...
The Known UnknownsBusiness                              Criminals View                                   View             ...
The Known UnknownsBusiness                                Criminals View                                     View         ...
The Known UnknownsBusiness                                 Criminals View                                      View       ...
The Known UnknownsBusiness                                 Criminals View                                      View       ...
Common Fallacy               Business                               CybercriminalProgram X is not                         ...
Failure of End-Point SecurityWhat is needed: Reduce Complexity  We need tools to simplify and automate  patch management ...
Conclusion - IKnow your enemy and risks Microsoft is still perceived as the primary  attack vector  Our defense likely lo...
Conclusion - IIKnow your tools We need Antivirus, IDS/IPS, ..  But we also need to know the limitations of  those technol...
Stay Secure!    Dr. Stefan FreiMail: sfrei@secunia.com Twitter: @stefan_frei    secunia.com
Supporting Material Secunia 2011 Yearly Report http://secunia.com/company/2011_yearly_report/ How to Secure a Moving Tar...
Upcoming SlideShare
Loading in …5
×

Maximize Computer Security With Limited Ressources

762 views
681 views

Published on

Presentation from Stefan Frei on how patches are an effective method to escape the arms race with cybercriminals. The majority of vulnerabilities have patches ready on the day of disclosure, which means that the right patch strategy is evident to maximize risk reduction.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
762
On SlideShare
0
From Embeds
0
Number of Embeds
45
Actions
Shares
0
Downloads
6
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Maximize Computer Security With Limited Ressources

  1. 1. How Can a CIO Secure a Moving Target with Limited Resources? Dr. Stefan Frei Research Analyst Director SecuniaSession ID: SPO2-302Session Classification: Intermediate
  2. 2. Know your EnemyThe Changing Threat Environment Fastest growing Personal Theft segmentMotivation Gain Author Tools created by Personal of experts now Fame Tools used by less- Vandalism skilled criminals, for personal gain Curiosity Script- Hobbyist Expert Kiddy Hacker Attackers’ Expertise
  3. 3. Availability of Malware Toolsleads to .. High degree of attack automation More opportunistic attacks
  4. 4. Malware as a Service (MaaS) Malware offered for $249 with a Service Level Agreement and replacement warranty if the creation is detected by any anti-virus within 9 monthsSource: www.turkojan.com
  5. 5. Malware Construction KitLive DemonstrationWe “trojanize” Windows Minesweeper using anoff-the-shelf malware construction kitAbsolutely no coding expertise required!
  6. 6. Full Remote Control.. List / start / stop / disable servicesRead clipboardList and kill processes Read / modify registryLife capture and control ofdesktop Life capture of webcam orRemote command console microphoneOnline / offline keylogger Disable taskbar / desktop icons / start-Execute commands button, reboot, .. Restart / update trojan. Load new plug-ins
  7. 7. Malware Development Process Obfuscation & Quality Assurance1 Original Malware Create core malicious functionality: DDoS, steal data, spread infection, ..2 Permutations 3 Quality 4 Deployment Assurance Only malware that Obfuscate malware. Create multiple serial Test new creations passed QA (not variants to thwart against a number of detected) is used for detection engines up-to-date anti-virus deployment engines Reject if detected
  8. 8. An Arms Race …286 million virus samples counted in 2010 783,562 samples / day 32,648 samples / hour 544 samples / minute 9 samples / second Source: Symantec Internet Security Threat Report (ISTR), Volume 16
  9. 9. Limitations of traditional defenseWe are to loose this Arms Race .. 25% of 123 publicly known exploits missed by top 10 prevention products 40% missed after slight tweaking of the exploits NSS Labs Test of 2010/Q3 Up to 9% of the end-points in enterprises are found to be bot infected NSS Labs Anti-Malware Test Report 2010Q3 Damballa on Darkreading, 2010
  10. 10. From a Criminal’s Perspective#Hosts x #Vulnerabilities = Opportunity
  11. 11. Worldwide Internet Usage 2,095 Million estimated Internet users on March 31st, 2011 penetration of 31% population 448% growth from 2000 to 2010 Source: http://www.internetworldstats.com 12
  12. 12. 2,095 Million potential victims..End-points are increasingly targeted End-point are where the most valuable 1 data is found to be the least protected By definition, end-point PCs have access to all data needed to conduct their business End-points are difficult to secure 2 Highly dynamic environment and unpredictable usage patterns by users A single vulnerable program is enough 3 Cybercriminals only need a single vulnerable program to compromise the entire system
  13. 13. From a Criminal’s Perspective#Hosts x #Vulnerabilities = Opportunity
  14. 14. AnalysisWhat does an end-point look like?Data: Scan results from more than 4.8 Mio usersof the Secunia Personal Software Inspector PSISecunia PSI is a lightweight scanner to enumerate and identify insecure programs automatically install missing patches Free for personal use http://secunia.com/psi
  15. 15. Distribution of Distribution of #vendors #programs
  16. 16. The Top-50 Software Portfolio ..Covers the 50 most prevalent programs torepresent a typical end-point:28 Microsoft and 22 third-party (non MS) programsfrom 12 different vendors 12 28 22 Third- Vendors Microsoft party Top-50 Portfolio as of December 2011
  17. 17. An alarming trend ..in # of end-point vulnerabilities Number of vulnerabilities continuously increased since 2007 870 Vulnerabilities in 2011 doubled in two years 421 in 2009 229 in 2007 18
  18. 18. A relevant trend ..in criticality and type of vulnerabilities 800+ Vulnerabilities of which >50%
  19. 19. What is the sourceof this increasing trend? ?OS MS TPOperating Microsoft Third-party System Programs Programs
  20. 20. It is third-party programs Non-Microsoft programs are found to be almost exclusively responsible for this increasing trend OS What you 12% MS patch 10% TP Third-party Programs 78%Cybercriminals Origin of vulnerabilities in the Top-50 Portfolio as of Dec 2011 don’t care
  21. 21. The Operating System& Top-50 Software Portfolio Top 50 Portfolio 2011 + Vulnerabilities 870 Vulnerabilities 867 Vulnerabilities 869
  22. 22. How do we keep a typical end-point up to date?
  23. 23. Complexity hurts12 different update mechanisms .. 11 Update 1 UpdateMechanisms OS Mechanism 12% TO PATCH MS TO PATCH 10%22 third-party programs TP Third-party OS+28 Microsoft programsfix 78% of the Programs fix 22% of the vulnerabilities vulnerabilities 78%
  24. 24. Cybercriminals knowpatch available ≠patch installed
  25. 25. Patch Complexity ..has a measurable effect on security Percent of unpatched programs Third-Party Microsoft 2.7% insecure Microsoft programs 2011 average 6.5% insecure Third-Party programs
  26. 26. You can’t hideEven rare programs have exploits Programs with low market share are FALLACY not exposed - as no exploits exist Exploit availability vs. market share of programs 22% of the programs with 10-20% market share have exploits
  27. 27. Are we doomed?
  28. 28. The Good Newsmost patches are available on time!72%of the patches are available on the day of vulnerability Patch Availability disclosure 72% 28%
  29. 29. Cybercriminals.. don’t need zero-day exploits!Malware propagation methods: of the attacks had no patch available at the< 1% day of attack (zero-day attack) Microsoft SIR 11 Report 1H2011 Cybercriminals always find more than enough opportunity in unpatched and well understood program vulnerabilities
  30. 30. Instant patching of all programs is amajor challenge What patching strategy yields the largest risk reduction with limited resources available ?
  31. 31. SimulationStatic vs. Dynamic PatchingSay you have a portfolio of the 200 mostprevalent programsOn average, how many programs do you needto patch every year to get a 80% risk reduction? Static Approach Dynamic ApproachPatch the N most prevalent Patch the N most criticalprograms every year programs every year
  32. 32. Statically patching .. the most prevalent programs Percentage of risk remediated Patching N of 200 programs by patching N programs Strategy 1: Static 100% Risk remediated by patching thePercentage of risk remediated N most prevalent programs 80% 60% 40% 20% 80% risk reduction achieved 0% 37 by patching the 37 most 0 20 40 60 prevalent programs Number of programs patched
  33. 33. Statically patching .. the most critical programs Percentage of risk remediated Patching N of 200 programs by patching N programs Strategy 1: Static 100% Risk remediated by patching thePercentage of risk remediated N most prevalent programs 80% 60% Strategy 2: By Criticality Risk remediated by patching the 40% N most critical programs 20% 80% risk reduction achieved 0% 12 37 by either patching the 12 most 0 20 40 60 critical programs, or by patch- Number of programs patched ing the 37 most prevalent programs
  34. 34. Why?.. chasing a moving target Programs vulnerable in one year, but not 39% in the previous or following year of the programs vulnerable in one year are not vulnerable in the next year or vice versa Not vulnerable in other year
  35. 35. Job Security ..It depends when you get 0wned ✓ ✓ ✗ time Patch not Patch available Patch available available not installed & installed valid excuse, no excuse needed can’t do a lot #@!;#$limited feasible protection available, exploitation protection not implemented no more possible Patch released Patch installed
  36. 36. A patch provides better protectionthan thousands of signatures it eliminates theroot cause
  37. 37. Properties of a Patch.. from a risk & operations perspective  No false positives (no false alarms)  No false negatives (no missed attacks)  No latency or other delays introduced  No resources whatsoever consumed after deployment A patch essentially terminates the arms race with cybercriminals
  38. 38. The Known UnknownsBusiness Criminals View View Your Infrastructure Microsoft Third Party Programs Programs 1/5 4/5
  39. 39. The Known UnknownsBusiness Criminals View View Your Infrastructure Microsoft Third Party Programs Programs 1/5 4/5 business critical programs programs you know about programs you don’t know about
  40. 40. The Known UnknownsBusiness Criminals View View Your Infrastructure Microsoft Third Party Programs Programs 1/5 4/5 What you business critical patch programs programs you know about programs you don’t know about
  41. 41. The Known UnknownsBusiness Criminals View View Your Infrastructure Microsoft Third Party Programs Programs 1/5 4/5 What they What you business critical attack patch programs programs you know about programs you don’t know about
  42. 42. Common Fallacy Business CybercriminalProgram X is not Program X is just thebusiness critical, attack vector totherefore we won’t compromise the entirespend time patching it systemX = { Adobe Flash, Reader, Firefox, Java, .. } Exploitation of any program can compromise the entire end-point
  43. 43. Failure of End-Point SecurityWhat is needed: Reduce Complexity We need tools to simplify and automate patch management in order to master the complexity Intelligence We need tools to enumerate and identify all critical programs to ensure we spend resources on the relevant parts
  44. 44. Conclusion - IKnow your enemy and risks Microsoft is still perceived as the primary attack vector Our defense likely locks the front door while the back door remains wide open Intelligence Knowing all programs and the risks is critical in this dynamic environment This saves resources in remediation process
  45. 45. Conclusion - IIKnow your tools We need Antivirus, IDS/IPS, .. But we also need to know the limitations of those technologies Patching is a primary security measure Given the effectiveness of eliminating the root cause, and the availability of patches
  46. 46. Stay Secure! Dr. Stefan FreiMail: sfrei@secunia.com Twitter: @stefan_frei secunia.com
  47. 47. Supporting Material Secunia 2011 Yearly Report http://secunia.com/company/2011_yearly_report/ How to Secure a Moving Target with Limited Resources http://bit.ly/hzzlPi RSA Paper “Security Exposure of Software Portfolios” http://bit.ly/eQbwus Secunia Quarterly Security Factsheets http://secunia.com/factsheets Secunia Personal Software Inspector (PSI) free for personal use http://secunia.com/psi

×