Malware Defense-in-Depth 2.0


Published on

Published in: Technology
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Malware Defense-in-Depth 2.0

  1. 1. Malware Defense-in-Depth 2.0 A practical  approach to secure your enterprise against viruses,  worms and rootkits Aa’ed Alqarta
  2. 2. The Problem <ul><li>Security defenses can’t keep up with latest threats </li></ul><ul><li>Malware is penetrating the network and infecting computers </li></ul><ul><li>Antivirus software is not a silver bullet for all threats </li></ul><ul><li>We are losing the war against malware </li></ul>
  3. 4. What is a Malware? <ul><li>According to NIST, </li></ul><ul><li>“ Malware (NIST, 2005) refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim.” </li></ul><ul><li>NIST: National Institute of Standards and Technology </li></ul>
  4. 5. Types of Malwares <ul><li>Viruses </li></ul><ul><li>Worms </li></ul><ul><li>Backdoors </li></ul><ul><li>Spywares </li></ul><ul><li>Bots “Botnets” </li></ul><ul><li>Rootkits </li></ul><ul><li>Ransomware </li></ul>
  5. 6. Top Malware Targets
  6. 7. Attack Anatomy <ul><li>Attackers discover vulnerabilities and write exploits for them (e.x JS) </li></ul><ul><li>They infect web sites to attack visitors </li></ul><ul><li>A visitor browse the site and immediately get infected </li></ul><ul><li>A virus will be installed in the background and infect the client software </li></ul><ul><li>Infected computers will attack internal clean machines (Workstations/Servers) </li></ul>
  7. 8. Web URL Filtering <ul><li>Enable AV scanning for malicious files/URLs </li></ul><ul><li>Block access to malicious categories (Porn/Hacking/Downloads/Video/P2P/Torrent/Blogs/Infected Hosts/IM) </li></ul><ul><li>Block downloads of executables (exe/dll/com) </li></ul><ul><li>Inspect SSL traffic for malicious traffic </li></ul>
  8. 9. Application Control (Whitelisting) <ul><li>Allow business approved applications only </li></ul><ul><ul><li>Office, Accounting, Finance, …etc </li></ul></ul><ul><li>Protect critical system files from modifications </li></ul><ul><li>Block any unapproved applications (including malwares) </li></ul><ul><li>The ability to block zero-day malware if AV is not detecting it </li></ul><ul><li>Monitoring of all applications usage in the net </li></ul>
  9. 10. Device Control <ul><li>Block the usage of removable drives (Flash / IPod / H.D / Camera) </li></ul><ul><li>If you should allow Flash drives in the network: </li></ul><ul><li>Use “Secure” Flash disks (Encryption, AV, Password </li></ul><ul><li>Disable “Autorun” and block exe/Autorun.inf </li></ul>
  10. 11. Network Access Control <ul><li>Only allows compliance computers in the network </li></ul><ul><ul><li>AV is running and updated </li></ul></ul><ul><ul><li>FW is running </li></ul></ul><ul><ul><li>Latest Service Pack </li></ul></ul><ul><ul><li>Domain User </li></ul></ul><ul><li>Quarantine infected computers in a separate “Remediation Environment” </li></ul><ul><ul><li>WSUS, AV Server, Proxy </li></ul></ul>
  11. 12. FW Best Practices <ul><li>No “Any Any” rules </li></ul><ul><li>Out-bound SMTP for Exchange servers only </li></ul><ul><li>HTTP/HTTPS/FTP are a good start for end user </li></ul><ul><li>Block Infected computers </li></ul><ul><li>Enabled outbound denied logging </li></ul>
  12. 13. Case Study: Conficker/Downadup <ul><li>Windows Server service vulnerability (MS08-067) </li></ul><ul><li>W32.Downadup A, B, C, E </li></ul><ul><li>Propagates through network file shares, flash disks </li></ul><ul><li>Disables User Accounts in AD </li></ul><ul><li>Blocks access to security sites and MS updates </li></ul><ul><li>Stops security tools and softwares “self-protection” </li></ul>
  13. 15. Summary <ul><li>Use a good antivirus which has a high detection rate </li></ul><ul><li>Patch OS + 3 rd party applications </li></ul><ul><li>Use Application Whitelisting + Device Control </li></ul><ul><li>Block access to malicious, media, downloads, and blogs </li></ul><ul><li>Network segmentations </li></ul><ul><li>Web content filtering policy </li></ul>
  14. 16. Thank You <ul><li>E-mail me: </li></ul><ul><li> </li></ul>
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.