Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Malware Defense-in-Depth 2.0

4,450 views

Published on

Published in: Technology
  • Be the first to comment

Malware Defense-in-Depth 2.0

  1. 1. Malware Defense-in-Depth 2.0 A practical  approach to secure your enterprise against viruses,  worms and rootkits Aa’ed Alqarta
  2. 2. The Problem <ul><li>Security defenses can’t keep up with latest threats </li></ul><ul><li>Malware is penetrating the network and infecting computers </li></ul><ul><li>Antivirus software is not a silver bullet for all threats </li></ul><ul><li>We are losing the war against malware </li></ul>
  3. 4. What is a Malware? <ul><li>According to NIST, </li></ul><ul><li>“ Malware (NIST, 2005) refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim.” </li></ul><ul><li>NIST: National Institute of Standards and Technology </li></ul>
  4. 5. Types of Malwares <ul><li>Viruses </li></ul><ul><li>Worms </li></ul><ul><li>Backdoors </li></ul><ul><li>Spywares </li></ul><ul><li>Bots “Botnets” </li></ul><ul><li>Rootkits </li></ul><ul><li>Ransomware </li></ul>
  5. 6. Top Malware Targets
  6. 7. Attack Anatomy <ul><li>Attackers discover vulnerabilities and write exploits for them (e.x JS) </li></ul><ul><li>They infect web sites to attack visitors </li></ul><ul><li>A visitor browse the site and immediately get infected </li></ul><ul><li>A virus will be installed in the background and infect the client software </li></ul><ul><li>Infected computers will attack internal clean machines (Workstations/Servers) </li></ul>
  7. 8. Web URL Filtering <ul><li>Enable AV scanning for malicious files/URLs </li></ul><ul><li>Block access to malicious categories (Porn/Hacking/Downloads/Video/P2P/Torrent/Blogs/Infected Hosts/IM) </li></ul><ul><li>Block downloads of executables (exe/dll/com) </li></ul><ul><li>Inspect SSL traffic for malicious traffic </li></ul>
  8. 9. Application Control (Whitelisting) <ul><li>Allow business approved applications only </li></ul><ul><ul><li>Office, Accounting, Finance, …etc </li></ul></ul><ul><li>Protect critical system files from modifications </li></ul><ul><li>Block any unapproved applications (including malwares) </li></ul><ul><li>The ability to block zero-day malware if AV is not detecting it </li></ul><ul><li>Monitoring of all applications usage in the net </li></ul>
  9. 10. Device Control <ul><li>Block the usage of removable drives (Flash / IPod / H.D / Camera) </li></ul><ul><li>If you should allow Flash drives in the network: </li></ul><ul><li>Use “Secure” Flash disks (Encryption, AV, Password </li></ul><ul><li>Disable “Autorun” and block exe/Autorun.inf </li></ul>
  10. 11. Network Access Control <ul><li>Only allows compliance computers in the network </li></ul><ul><ul><li>AV is running and updated </li></ul></ul><ul><ul><li>FW is running </li></ul></ul><ul><ul><li>Latest Service Pack </li></ul></ul><ul><ul><li>Domain User </li></ul></ul><ul><li>Quarantine infected computers in a separate “Remediation Environment” </li></ul><ul><ul><li>WSUS, AV Server, Proxy </li></ul></ul>
  11. 12. FW Best Practices <ul><li>No “Any Any” rules </li></ul><ul><li>Out-bound SMTP for Exchange servers only </li></ul><ul><li>HTTP/HTTPS/FTP are a good start for end user </li></ul><ul><li>Block Infected computers </li></ul><ul><li>Enabled outbound denied logging </li></ul>
  12. 13. Case Study: Conficker/Downadup <ul><li>Windows Server service vulnerability (MS08-067) </li></ul><ul><li>W32.Downadup A, B, C, E </li></ul><ul><li>Propagates through network file shares, flash disks </li></ul><ul><li>Disables User Accounts in AD </li></ul><ul><li>Blocks access to security sites and MS updates </li></ul><ul><li>Stops security tools and softwares “self-protection” </li></ul>
  13. 15. Summary <ul><li>Use a good antivirus which has a high detection rate </li></ul><ul><li>Patch OS + 3 rd party applications </li></ul><ul><li>Use Application Whitelisting + Device Control </li></ul><ul><li>Block access to malicious, media, downloads, and blogs </li></ul><ul><li>Network segmentations </li></ul><ul><li>Web content filtering policy </li></ul>
  14. 16. Thank You <ul><li>E-mail me: a.qarta@gmail.com </li></ul><ul><li>http://extremesecurity.blogspot.com </li></ul>

×