Malware Defense-in-Depth 2.0

Malware Defense-in-Depth 2.0 A practical approach to secure your enterprise against viruses, worms and rootkits Aa’ed Alqarta

The Problem
Security defenses can’t keep up with latest threats
Malware is penetrating the network and infecting computers
Antivirus software is not a silver bullet for all threats
We are losing the war against malware

What is a Malware?
According to NIST,
“ Malware (NIST, 2005) refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim.”
NIST: National Institute of Standards and Technology

Types of Malwares
Viruses
Worms
Backdoors
Spywares
Bots “Botnets”
Rootkits
Ransomware

Top Malware Targets

Attack Anatomy
Attackers discover vulnerabilities and write exploits for them (e.x JS)
They infect web sites to attack visitors
A visitor browse the site and immediately get infected
A virus will be installed in the background and infect the client software
Infected computers will attack internal clean machines (Workstations/Servers)

Web URL Filtering
Enable AV scanning for malicious files/URLs
Block access to malicious categories (Porn/Hacking/Downloads/Video/P2P/Torrent/Blogs/Infected Hosts/IM)
Block downloads of executables (exe/dll/com)
Inspect SSL traffic for malicious traffic

Application Control (Whitelisting)
Allow business approved applications only
Office, Accounting, Finance, …etc
Protect critical system files from modifications
Block any unapproved applications (including malwares)
The ability to block zero-day malware if AV is not detecting it
Monitoring of all applications usage in the net

Device Control
Block the usage of removable drives (Flash / IPod / H.D / Camera)
If you should allow Flash drives in the network:
Use “Secure” Flash disks (Encryption, AV, Password
Disable “Autorun” and block exe/Autorun.inf

Network Access Control
Only allows compliance computers in the network
AV is running and updated
FW is running
Latest Service Pack
Domain User
Quarantine infected computers in a separate “Remediation Environment”
WSUS, AV Server, Proxy

FW Best Practices
No “Any Any” rules
Out-bound SMTP for Exchange servers only
HTTP/HTTPS/FTP are a good start for end user
Block Infected computers
Enabled outbound denied logging

Case Study: Conficker/Downadup
Windows Server service vulnerability (MS08-067)
W32.Downadup A, B, C, E
Propagates through network file shares, flash disks
Disables User Accounts in AD
Blocks access to security sites and MS updates
Stops security tools and softwares “self-protection”

Summary
Use a good antivirus which has a high detection rate
Patch OS + 3 rd party applications
Use Application Whitelisting + Device Control
Block access to malicious, media, downloads, and blogs
Network segmentations
Web content filtering policy

Thank You
E-mail me: a.qarta@gmail.com
http://extremesecurity.blogspot.com

http://extremesecurity.blogspot.com	610
http://websecurity.com.ua	114
http://extremesecurity.blogspot.in	17
http://extremesecurity.blogspot.co.uk	11
http://extremesecurity.blogspot.ca	9
http://www.extremesecurity.blogspot.com	7
http://translate.googleusercontent.com	7
http://extremesecurity.blogspot.com.au	4
http://www.slideshare.net	4
http://extremesecurity.blogspot.de	3
http://extremesecurity.blogspot.fr	2
http://extremesecurity.blogspot.it	1
http://extremesecurity.blogspot.com.br	1
http://extremesecurity.blogspot.com.es	1

Malware Defense-in-Depth 2.0

by Aaed Alqarta on May 17, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

14 Embeds 791

Statistics

Malware Defense-in-Depth 2.0 — Presentation Transcript