Slides prepared for the Federal IT expo: FOSE. Should help employees and managers understand why anti-malware protection is needed at all endpoints and on all servers.
4. Endpoints under attack
• Malware threat shows
no signs of retreating
• Attacks come from
– Cyber criminals
– Hacktivists
– Non-state actors
– Nation states
5. Attacks from servers, mobile devices
• We now see large-scale server-based attacks
• In one operation: 1000s of servers taken over
• Used to attack 100s of 1000s of endpoints
– Desktops, laptops, mobile devices
• Clearly we need to protect against malware at
all levels, across all surfaces
6. 2014 State of Endpoint Risk
• Are security threats created by vulnerabilities at the
endpoint more difficult to stop/mitigate? 71%
• Have you seen a major increase in malware
incidents targeting your endpoints? 41%
• Have your mobile endpoints been the target of
malware in the last 12 months? 68%
2014 State of Endpoint Risk, Ponemon Institute
7. April 2014 GAO report
• Information Security
– Federal Agencies Need to Enhance
Responses to Data Breaches
• (GAO-14-487T)
• A lot of work still to be done,
across numerous agencies
– Improve security
– Improve breach response
8. The scale of the problem
• Information security incidents
reported to US-CERT by all
federal agencies, 2009 – 2013
– 2009: 29,999
– 2010: 41,776
– 2011: 42,854
– 2012: 48,562
– 2013: 61,214
• GAO-14-487T
• Number of incidents way up
– More data to defend?
– Improved reporting?
9. Exposure of PII is growing
• More incidents involving Personally
Identifiable Information
• Why?
– Thriving black market for PII
• Impact
– Serious costs/stress for victims
– Growing public displeasure
– Target CIO and CEO
• Incidents involving PII, 2009 – 2013
– 2009: 10,481
– 2010: 13,028
– 2011: 15,584
– 2012: 22,156
– 2013: 25,566
10. A federal PII breach example
• July 2013, hackers get PII of 104,000+ people
– From a DOE system
• Social Security numbers, birth dates and
locations, bank account numbers
– Plus security questions and answers
• DOE Inspector General: cost = $3.7 million
– Assisting affected individuals and lost productivity
11. What happens to the stolen data?
• Sold to criminal enterprises
– For identity theft, raiding bank accounts, buying luxury
goods, laundering money
• Lucrative scams like tax identity fraud
17. Malware profitability requires:
• Devices that are always on, with good bandwidth
• Was: desktop-based botnets
• Now: server-based, website, VPS, etc.
• With mobile devices on the rise
18. Example: Operation Windigo
• 25,000+ servers compromised in last 2 years
• About 10,000 still infected
• 35 million spam messages per day
• 500,000 web redirects per day
• Currently installing:
– Click fraud malware
– Spam sending malware
19. Complex malware infrastructure
• Evolving since 2011 as modular multi-OS design
• Apple OS X, OpenBSD, FreeBSD, Microsoft Windows
(Cygwin), Linux, including Linux on ARM
• Stealthy, with strong use of cryptography
• Halts operation to avoid detection
• Maximizes resources by varying activity
20. Structure
• Bad guys install on root-level compromised hosts:
– By replacing SSH related binaries (ssh, sshd, ssh-add, etc.)
– Or via a shared library used by SSH (libkeyutils)
• Servers used to:
– Serve malware, redirect traffic to infected hosts
– Act as domain servers for malicious sites
• Infecting web users through drive-by downloads
• Redirect web traffic to advertisement networks
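One defender-side check for the installation pattern on this slide, added here as an example that is not part of the original slides or of any vendor tool: it lists the shared libraries loaded by the SSH programs and flags any that no installed package owns, which is how a libkeyutils dropped beside the real one stands out. It assumes a Debian-style host with `dpkg` and `ldd` available; the package-owner lookup is injectable so the logic runs offline against the constructed sample.

```python
import re
import subprocess
from typing import Callable, Dict, List

# SSH-related programs the slide names as replacement targets on a compromised host.
SSH_BINARIES = ["/usr/bin/ssh", "/usr/sbin/sshd", "/usr/bin/ssh-add", "/usr/bin/ssh-agent"]

def parse_ldd(ldd_output: str) -> List[str]:
    """Return the resolved library paths from `ldd` text ('soname => /path (0xaddr)')."""
    return [m.group(1) for m in re.finditer(r"=>\s+(/\S+)", ldd_output)]

def dpkg_owner(path: str) -> str:
    """Package owning `path` according to `dpkg -S`, or '' when no package claims it."""
    r = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True)
    return r.stdout.split(":", 1)[0].strip() if r.returncode == 0 else ""

def unowned_libraries(ldd_output: str, owner: Callable[[str], str] = dpkg_owner) -> Dict[str, str]:
    """Map each library loaded by the binary that no installed package owns to a reason.
    A rogue libkeyutils dropped beside the real one lands here even when `dpkg --verify`
    is clean, because the extra file was never part of any package."""
    findings = {}
    for path in parse_ldd(ldd_output):
        if not owner(path):
            findings[path] = "not owned by any installed package"
    return findings

# Constructed `ldd /usr/sbin/sshd` output modelled on the slide's pattern: the libkeyutils
# soname now resolves to a file the package manager knows nothing about.
SAMPLE_LDD = "\n".join([
    "\tlinux-vdso.so.1 (0x00007ffd)",
    "\tlibcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f00)",
    "\tlibkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1.9 (0x00007f01)",
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f02)",
])

def sample_owner(path: str) -> str:
    """Stand-in for `dpkg -S` over the constructed sample (hypothetical package data)."""
    known = {"/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1": "libssl1.1",
             "/lib/x86_64-linux-gnu/libc.so.6": "libc6"}
    return known.get(path, "")

if __name__ == "__main__":
    for binary in SSH_BINARIES:  # a missing binary makes ldd print nothing usable, so it is skipped
        out = subprocess.run(["ldd", binary], capture_output=True, text=True).stdout
        for lib, why in unowned_libraries(out).items():
            print(f"{binary}: {lib}: {why}")
```

Pair it with `dpkg --verify openssh-client openssh-server`, which covers the other route on the slide, a replaced ssh or sshd binary.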
22. The need for belt and braces is clear
• Endpoint
– Scanning all incoming files, as they enter
– From email, websites, removable media
• Server
– Email, File, SharePoint, Gateway
• Mobile
– Antivirus, remote lock, and wipe