Malware mitigation

  1. Devise a strategy to mitigate malware
     Ramsés Gallego, CISM, CGEIT, CISSP, SCPM, ITIL, Six Sigma Black Belt Certified
     General Manager, Entel Security & Risk Management
     rgallego@entel.es
     © 2008 ISACA. All rights reserved
     Wednesday, March 25, 2009
  2. Agenda
     • Malware: what is it really?
     • Different types of malware
     • We are under attack... but how? And why?
     • Let me show you
     • Strategy on how to mitigate those risks
  3. Malware: what is it really?
     • Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code
     • Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software
  4. A bigger problem than we think
     • Malware is now economically motivated and backed by organized crime and foreign interests
     • The development of highly critical malware such as targeted attacks is also on the rise
     • The level of sophistication behind malware makes it extremely difficult for traditional solutions to detect and remove
     • There are many bot networks that defraud businesses and consumers through sophisticated social engineering
  5. It’s not for fun... It’s money!
     • Consumers are now the prime target for ID theft and other on-line fraud
     • Traditional signature-based anti-virus solutions have become useless against these new sophisticated attacks
  6. Understanding the Risk
     The Market Value of Sensitive Data
     • Trojan to steal account information: 980€-4.900€
     • Birth certificate: 147€
     • Social Security card: 98€
     • Credit Card Number with PIN: 490€
     • Credit card number: 6€-24€
     • Billing data: 78-294€
     • PayPal account logon and password: 6€
     • Driver's license: 147€
  7. Overview of crimeware families
     Crimeware is broken down into several categories:
     • Banking Trojans (Limbo, PayRob.A, Sinowal, Aifone.A, Banbra variants)
     • Keyloggers (Banbra, Cimuz)
     • Bots (Clickbot.a, Botnet.A, Aifone.A)
     • Phishing (Barclays, PayPal)
     • Targeted Trojans
  8. What is spyware?
     • Spyware is software installed on a computer that gathers information without the user's knowledge and relays that information to advertisers or other 3rd parties
     • Several subcategories of spyware:
       – Adware
         • Advertising-supported software that displays pop-up advertisements whenever the program is running. Often collects personal information and web surfing habits
       – System monitors
         • Programs that capture everything you do on your computer, from keystrokes, emails and chat room dialogue, to which sites you visit and which programs you run
       – Trojan horses
         • Malicious programs that appear harmless but steal or destroy data or provide unauthorised external access
  9. How spyware infiltrates
     • People don’t purposefully and knowingly install spyware
       – It can be included with applications you want to install, such as peer-to-peer clients or desktop utilities
       – Some silently load when you visit a seemingly innocent Web page (‘The Ghost in the browser’)
     • Installed silently in the background – most users never know their computers are infected
  10. Spyware threatens organizations
     • Wastes computing resources
       – Sends back information periodically, often daily
       – Consumes an organisation’s bandwidth
     • Exposes proprietary information
       – It could send files to a competitor’s server
       – It could monitor e-mail and send out the contents
     • Poses serious security risks
       – It could send emails on behalf of the user
       – It could provide a spy or hacker with a backdoor into the systems
       – It could change documents and specifications on systems to damage research or other projects
     • May introduce compliance risks
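The slide above notes that spyware "sends back information periodically, often daily". That regularity is itself a detection opportunity: a defender can look for client-to-destination pairs whose outbound connections recur at a near-constant interval. The script below is an added example written for this page, not code from the ISACA deck or its author; it assumes a constructed, simplified proxy log format of "<epoch-seconds> <client-ip> <dest-host> <bytes-out>" and uses constructed sample lines (one host calling a collector every hour, one host browsing irregularly). It scores each pair by the coefficient of variation of its inter-arrival times and reports the low-jitter ones.

```python
"""Periodic-callback ("beaconing") detection over proxy log lines.

Added example for this page, not part of the ISACA deck. It assumes a
constructed log format: "<epoch-seconds> <client-ip> <dest-host> <bytes-out>".
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: 10.0.0.5 contacts collector.example roughly every
# 3600 s; 10.0.0.7 visits news.example at irregular, user-driven intervals.
SAMPLE_LOG = """\
1000 10.0.0.5 collector.example 2048
4602 10.0.0.5 collector.example 2051
8199 10.0.0.5 collector.example 2049
11803 10.0.0.5 collector.example 2050
15400 10.0.0.5 collector.example 2047
1200 10.0.0.7 news.example 512
1260 10.0.0.7 news.example 733
3900 10.0.0.7 news.example 488
9100 10.0.0.7 news.example 600
9130 10.0.0.7 news.example 511
"""


def parse_log(text):
    """Return {(client, dest): sorted list of (timestamp, bytes_out)}."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue  # skip blank lines
        ts, client, dest, nbytes = line.split()
        sessions[(client, dest)].append((int(ts), int(nbytes)))
    for key in sessions:
        sessions[key].sort()  # log lines may arrive out of order
    return dict(sessions)


def inter_arrival_gaps(timestamps):
    """Seconds between consecutive events."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def beacon_score(timestamps, min_events=4):
    """Coefficient of variation (stdev / mean) of the inter-arrival gaps.

    Lower means more periodic. Returns None when there are too few events
    to judge or when all events share one timestamp (mean gap of zero).
    """
    if len(timestamps) < min_events:
        return None
    gaps = inter_arrival_gaps(timestamps)
    avg = mean(gaps)
    if avg == 0:
        return None
    return pstdev(gaps) / avg


def find_beacons(text, max_cv=0.1, min_events=4):
    """Return [(client, dest, mean_interval_seconds, cv)] for periodic pairs.

    max_cv is the jitter tolerance: 0.1 flags pairs whose gaps vary by
    less than 10% of their average, a threshold a practitioner would tune
    against the organisation's own traffic.
    """
    hits = []
    for (client, dest), events in parse_log(text).items():
        ts = [t for t, _ in events]
        cv = beacon_score(ts, min_events)
        if cv is not None and cv <= max_cv:
            hits.append((client, dest, round(mean(inter_arrival_gaps(ts))), cv))
    return hits


if __name__ == "__main__":
    for client, dest, interval, cv in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {dest}: every ~{interval}s (cv={cv:.4f})")
```

On the constructed sample this reports only 10.0.0.5 -> collector.example at roughly 3600 s. In practice the same check would be run over real proxy or firewall exports, with the threshold tuned to exclude legitimate schedulers such as update clients, which are also periodic and are best handled by an allow-list of known destinations.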
  11. How botnets are used to commit financial fraud
     • A bot network consists of a “controller” and compromised zombie PCs. There have been cases of bot networks containing up to 1.5 million zombie PCs, as in the Dutch botnet case
     • The bots that infect systems can perform several actions such as relaying spam, launching malware and performing ID theft
     • One of the common methods of bot infection is through websites that contain exploits and actively transmit malware to the PC visiting the site
     • Components such as ActiveX controls can also be downloaded, which then carry out the rest of the infection process
     • Social engineering techniques also exist to infect systems through spam, phishing and other content. Once a PC has become infected it can receive remote commands from the “bot master”
  12. And they are using new methods
     • Botnets are beginning to use P2P networks to gain control of more computers
     • Researchers were previously able to shut down a botnet by targeting its Command & Control center (an IRC channel or website). Hackers are now using P2P networks to connect bots in a more “horizontal,” peer manner, which makes shutting down the botnets much more difficult
  13. The problem of keylogging
     • Keyloggers are programs that run in the background recording all keystrokes and which may also send those keystrokes (potentially including passwords or confidential information) to an external party
     • 2 types of keylogger programs:
       – Commercial
       – Viral (included as part of a blended threat with a worm, Trojan horse, bot, etc.)
  14-18. Commercial Keylogger - Example
     (five slides with no text beyond the title)
  19. Sophisticated Social Engineering
     • Common social engineering techniques:
       – Spear-phishing and other highly targeted scams
       – Spam with exploits
       – Phishing emails that direct users to websites with hidden Trojans
       – Malware through IM channels
  20. No real bank would do this!
  21. Infection strategies used by hackers
     • Common infection strategies used by hackers:
       – A web site is physically hacked and seeded with Trojans (e.g. the Super Bowl website case)
       – Phishing emails with exploits
       – Malware through IM channels
       – Malware attached to freeware and shareware
       – Malware in the form of video codecs
       – Infection through botnets
  22. Overview of Targeted Attacks
     • Characteristics of targeted attacks:
       – Involve “highly critical” malware tailored towards attacking a specific target (e.g. Bank of America)
       – Such malware targets a specific set of confidential information to capture and send to a 3rd party
       – Targeted attacks always involve a hacker hired to design malware to bypass specific defenses
       – Attacks are very localized; therefore, distribution is limited. In most cases AV labs do not receive a sample, which results in no signature file
       – Current security solutions will not detect the malware because the hacker has prepared against commonly used AV programs
       – Hackers are using sophisticated stealth techniques such as rootkits to hide the presence of malware
  23. Information? Readily available!
     • IT departments know about sites... but so do all the other departments!
       – The question is… do we know who, when, where and how?
       – More importantly… do we have the means to stop it?
     • Information is easy to find! (27,000,000 results returned on Google when the search term ‘How To Hack’ is used)
     • Hacking tools can be easy to use
       – Some don’t require any programming skills at all! (Keyloggers can come with nice user interfaces, such as ‘The Perfect Keylogger’, with a ‘Next’, ‘Next’, ‘Next’ install!)
  24-25. …step-by-step guides available!
     • You no longer need to go underground or to university to learn how to become a successful hacker!
  26. (slide with no text beyond the footer)
  27. Do it yourself! Incredible!
  28-31. Example - Denial of Service
     • You visit a web site and click on a link
     • A few seconds later, many applications start to run on the computer
     • You can only close the program to prevent the attack. The machine does not work
  32-35. Example - Redirection of sites
     • You connect to online banking to see your accounts
     • A hostile applet sends an identical page
     • You enter your credentials while a hacker is receiving them, or they are being sent to an Internet directory
  36-38. Example - Sending files in background
     • A postcard is received by email
     • An applet executes an animation
     • That applet is copying the last Word document and is sending it in the background to the Internet
  39-40. Example - Harmful executables
     • There is a type of attack that seems to come from known companies, inviting you to install the latest security patch or Service Pack
     • The executable file is a Trojan or malicious code that puts our environment at risk
  41-47. Example - Phishing and scam
     • Pakistan Earthquake – We found the URL http://pakistanhelp.com
     • We analyzed it and we saw that there were signs of phishing
     • In this case, the ‘help’ options include the download of an Excel file to be sent by fax
     • A real, legitimate organization would never do this…
  48-53. Strategy: Protect every vector
     (built up layer by layer across the slides)
     • Firewall
     • Secure Content Manager
     • Antivirus/Antispyware
     • VPN
     • Data Leak Prevention
  54. Strategy: Consider other approaches
     • Effectiveness vs. Efficiency
     • SaaS approach
     • UTM devices
     • More than one solution will leverage your security
     • Education, education, education
     • Centralised management
  55-56. Objective: Keep the bad guys out!
  57. THANK YOU
     Devise a strategy to mitigate malware
     Ramsés Gallego, CISM, CGEIT, CISSP, SCPM, ITIL, Six Sigma Black Belt Certified
     General Manager, Entel Security & Risk Management
     rgallego@entel.es