SlideShare a Scribd company logo

Malware and the risks of weaponizing code

Download as PPTX, PDF
Stephen Cobb
Stephen Cobb

Slides based on a paper by Andrew Lee and Stephen Cobb of ESET, delivered at the 6th Annual Conference on Cyber Conflict, NATO Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia. June 2014.

Technology
1 of 27
A. Lee S. Cobb CyCon 2014 Malware is Called Malicious for a Reason: The Risks of Weaponizing Code 6th Annual Conference on Cyber Conflict Proceedings NATO Cooperative Cyber Defence Centre of Excellence Tallinn, Estonia
A. Lee S. Cobb CyCon 2014 Authors • Andrew Lee • CEO, ESET North America • Former Chief Research Officer • MSc Computer Security (2010) • Stephen Cobb • Senior Security Researcher, ESET • CISSP (1996) • MSc Security & Criminology (2016, hopefully) ESET: Founded in Bratislava, Slovakia, 1992 Makes IT security products, like NOD32 AV
A. Lee S. Cobb CyCon 2014 Some history… • Stephen Cobb Complete Book of PC & LAN Security (1991) • Employee #5 at antivirus software testing company ICSA Labs (1995) • Adjunct Prof. Masters in IA, Norwich University (2002-2008) • First anti-spam router, acquired by Symantec (2004)
A. Lee S. Cobb CyCon 2014 Perspective and key points •A view from the front lines •The appeal of “good viruses” and “righteous malware” •Historical objections •Key risks of using malware for offense or active defense •Ideas for further research?
A. Lee S. Cobb CyCon 2014 The short version •Hurling infected bodies over city walls in 1710? • Bad idea •Deploying malicious code in 2014 • Bad idea •“Malware = biological weapons of cyber conflict” •White worms are mythical creatures
A. Lee S. Cobb CyCon 2014 Defining malware •Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an IS [Information System] •National Information Assurance (IA) Glossary •The definition of record for CIA/NSA/DoD/etc.
A. Lee S. Cobb CyCon 2014 Malware and the Tallinn Rules 43: Indiscriminate Means and Methods 48: Weapons Review 49: Indiscriminate Attacks 50: Clearly Separated Distinct Military Objectives 51: Proportionality
A. Lee S. Cobb CyCon 2014 Deploying malware •Virus, worm, Trojan •Email attachment •Website drive-by •Removable media •Chipping hardware •Updating firmware •Planting code
A. Lee S. Cobb CyCon 2014 Malicious Code in the Software Life Cycle 1. Acquisition 2. Requirements 3. Design 4. Construction 5. Testing 6. Installation (delivery, distribution, installation) 7. Maintenance (operation, maintenance, and disposal) Guidance for Addressing Malicious Code Risk, NSA, 2007
A. Lee S. Cobb CyCon 2014 What is “righteous malware” •It’s in the eye of the beholder • Software or firmware deployed with intent to advance a just cause by performing an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an IS [Information System] •Examples? • Stuxnet, Shamoon, DarkComet RAT, Blackshades
A. Lee S. Cobb CyCon 2014 > 50,000 implants MALWARE INCLUDES IMPLANTS
A. Lee S. Cobb CyCon 2014 The “good” virus •A fascination as old as computing •Self-replicating code that performs beneficial functions (e.g. patching or backup) •Some virus writers persisted despite outbreaks of ‘benign’ code •Are ‘Good’ Computer Viruses Still a Bad Idea? • Vesselin Bontchev, Virus-L and comp.virus, EICAR ’94
A. Lee S. Cobb CyCon 2014 12 reasons why “good viruses” are a bad idea TECHNICAL REASONS Lack of Control Spread cannot be controlled, unpredictable results Recognition Difficulty Hard to allow good viruses while denying bad Resource Wasting Unintended consequences (typified by the Morris Worm) Bug Containment Difficulty of fixing bugs in code once released Compatibility Problems May not run when needed, or cause damage when run Effectiveness Risks of self-replicating code over conventional alternatives ETHICAL AND LEGAL REASONS Unauthorized Data Modification Unauthorized system access or data changes illegal or immoral Copyright and Ownership Problems Could impair support or violate copyright of regular programs Possible Misuse Code could be used by persons will malicious intent Responsibility Sets a bad example for persons with inferior skills, morals PSYCHOLOGICAL REASONS Trust Problems Potential to undermine user trust in systems Negative Common Meaning Anything called a virus is doomed to be deemed bad V. Bontchev, “Are ‘Good’ Computer Viruses Still a Bad Idea?” EICAR’94
A. Lee S. Cobb CyCon 2014 12 risks inherent in malware deployment TECHNICAL REASONS Lack of Control Spread cannot be controlled, unpredictable results Recognition Difficulty Hard to allow good viruses while denying bad Resource Wasting Unintended consequences (typified by the Morris Worm) Bug Containment Difficulty of fixing bugs in code once released Compatibility Problems May not run when needed, or cause damage when run Effectiveness Risks of self-replicating code over conventional alternatives ETHICAL AND LEGAL REASONS Unauthorized Data Modification Unauthorized system access or data changes illegal or immoral Copyright and Ownership Problems Could impair support or violate copyright of regular programs Possible Misuse Code could be used by persons will malicious intent Responsibility Sets a bad example for persons with inferior skills, morals PSYCHOLOGICAL REASONS Trust Problems Potential to undermine user trust in systems Negative Common Meaning Anything called a virus is doomed to be deemed bad V. Bontchev, “Are ‘Good’ Computer Viruses Still a Bad Idea?” EICAR’94
A. Lee S. Cobb CyCon 2014 All risks must be addressed, but focus on 4 TECHNICAL REASONS Lack of Control Spread cannot be controlled, unpredictable results Recognition Difficulty Hard to allow good viruses while denying bad Resource Wasting Unintended consequences (typified by the Morris Worm) Bug Containment Difficulty of fixing bugs in code once released Compatibility Problems May not run when needed, or cause damage when run Effectiveness Risks of self-replicating code over conventional alternatives ETHICAL AND LEGAL REASONS Unauthorized Data Modification Unauthorized system access or data changes illegal or immoral Copyright and Ownership Problems Could impair support or violate copyright of regular programs Possible Misuse Code could be used by persons will malicious intent Responsibility Sets a bad example for persons with inferior skills, morals PSYCHOLOGICAL REASONS Trust Problems Potential to undermine user trust in systems Negative Common Meaning Anything called a virus is doomed to be deemed bad
A. Lee S. Cobb CyCon 2014 All risks must be addressed, but focus on 4 1. Recognition Difficulty 2. Compatibility Problems & Effectiveness 3. Possible Misuse 4. Trust Problems
A. Lee S. Cobb CyCon 2014 1. Recognition Difficulty •Hard to allow good viruses while denying bad •No self-respecting antivirus company is going to give your righteous malware a free pass
A. Lee S. Cobb CyCon 2014 Bear in mind the AV community is global •Major AV vendors encompass many countries • ESET Slovakia AVG Czech Republic • McAfee USA Kaspersky Russia • Symantec USA Trend Micro Japan, • Avira Germany Avast! Czech Republic •Active in many more (e.g. ESET operates in 180) •“Your cyber defense is only as good as your relationship with industry.” – Dr. Jamie Shea
A. Lee S. Cobb CyCon 2014 2. Compatibility and Effectiveness •May not run when needed, or may cause damage when run •Huge potential for unintended consequences •Reduce risk with detailed intel on the target? •Raises issue of Effectiveness: • Does the effort to get enough intel to execute safely exceed the effort of a less risky path to same end?
A. Lee S. Cobb CyCon 2014 3. Possible Misuse •Could be re-used by persons with malicious intent •Yes, your own code could be used against you •The key ingredient for making malware is brains •Brains are very mobile, no country has a lock •"The most valuable cyber weapon you can possess? The talented individual.“ – Jarno Limnéll
A. Lee S. Cobb CyCon 2014 4. Trust Problems •Potential to undermine user trust in systems •60% now less trusting of technology companies • e.g. Internet service providers, software companies •Very real risk of economic damage Harris Poll on behalf of ESET, February 4-6, 2014, 2,034 U.S. adults ages 18 and older
A. Lee S. Cobb CyCon 2014 Companies and consumers impacted • Cloud providers • Banks • Companies like Cisco • Online retailers • Healthcare providers • Governments NASDAQ CSCO
A. Lee S. Cobb CyCon 2014 85% of Americans are aware of NSA revelations, 47% of them have changed their online behavior Harris Poll on behalf of ESET, February 4-6, 2014, 2,034 U.S. adults ages 18 and older
A. Lee S. Cobb CyCon 2014 Righteous malware deployment checklist: Control Can you control the actions of the code in all environments it may infect? Detection Can the code complete its mission before detection? Attribution Can you guarantee the code is deniable or claimable, as needed? Legality Will the code be illegal in any jurisdictions in which it is deployed? Morality Will deployment of the code violate any treaties, codes, and other international norms? Misuse Can the code, or its techniques, strategies or design principles be copied by adversaries, competing interests, or criminals? Erosion of Trust Have you considered harmful effects that deployment of the code, including knowledge of the deployment, could have on trust placed in your government and institutions including trade and commerce?
A. Lee S. Cobb CyCon 2014 Further research? •Mathematical model of malware risks • Enumerate variables • Calculate compound probabilities •Comprehensive survey of malware researchers • Update the “Good virus bad idea” paper
A. Lee S. Cobb CyCon 2014 Summary: deploying malware •Comes with many risks that are known and well- documented •Carries serious potential to undermine the very societies it is intended to defend
A. Lee S. Cobb CyCon 2014 Thank you! •Stephen.Cobb@ESET.com •Twitter @zcobb •www.SlideShare.net/zcobb •www.LinkedIn/in/StephenCobb •www.WeLiveSecurity.com

Recommended

Malware is Called Malicious for a Reason: The Risks of Weaponizing Code
Malware is Called Malicious for a Reason: The Risks of Weaponizing CodeMalware is Called Malicious for a Reason: The Risks of Weaponizing Code
Malware is Called Malicious for a Reason: The Risks of Weaponizing Code
Stephen Cobb
 
The Intersection Between Open Source and Cybersecurity
The Intersection Between Open Source and CybersecurityThe Intersection Between Open Source and Cybersecurity
The Intersection Between Open Source and Cybersecurity
Black Duck by Synopsys
 
Allianz Global CISO october-2015-draft
Allianz Global CISO october-2015-draftAllianz Global CISO october-2015-draft
Allianz Global CISO october-2015-draft
Eoin Keary
 
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDN
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDNOliver Schuermann - Integrated Software in Networking - the Mystery of SDN
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDN
centralohioissa
 
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
DevOps Indonesia
 
Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ...
Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ...Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ...
Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ...
Core Security
 
New Horizons SCYBER Presentation
New Horizons SCYBER PresentationNew Horizons SCYBER Presentation
New Horizons SCYBER Presentation
New Horizons Computer Learning Centers / 5PE
 
IT system security principles practices
IT system security principles practicesIT system security principles practices
IT system security principles practices
gufranresearcher
 

Recommended

Malware is Called Malicious for a Reason: The Risks of Weaponizing Code
Malware is Called Malicious for a Reason: The Risks of Weaponizing CodeMalware is Called Malicious for a Reason: The Risks of Weaponizing Code
Malware is Called Malicious for a Reason: The Risks of Weaponizing Code
Stephen Cobb
 
The Intersection Between Open Source and Cybersecurity
The Intersection Between Open Source and CybersecurityThe Intersection Between Open Source and Cybersecurity
The Intersection Between Open Source and Cybersecurity
Black Duck by Synopsys
 
Allianz Global CISO october-2015-draft
Allianz Global CISO october-2015-draftAllianz Global CISO october-2015-draft
Allianz Global CISO october-2015-draft
Eoin Keary
 
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDN
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDNOliver Schuermann - Integrated Software in Networking - the Mystery of SDN
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDN
centralohioissa
 
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
DevOps Indonesia
 
Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ...
Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ...Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ...
Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ...
Core Security
 
New Horizons SCYBER Presentation
New Horizons SCYBER PresentationNew Horizons SCYBER Presentation
New Horizons SCYBER Presentation
New Horizons Computer Learning Centers / 5PE
 
IT system security principles practices
IT system security principles practicesIT system security principles practices
IT system security principles practices
gufranresearcher
 
No More SIlos: Connected Security - Mike Desai and Ryan Rowcliffe
No More SIlos: Connected Security - Mike Desai and Ryan RowcliffeNo More SIlos: Connected Security - Mike Desai and Ryan Rowcliffe
No More SIlos: Connected Security - Mike Desai and Ryan Rowcliffe
Core Security
 
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...
Core Security
 
Skillful scalefull fullstack security in a state of constant flux
Skillful scalefull fullstack security in a state of constant fluxSkillful scalefull fullstack security in a state of constant flux
Skillful scalefull fullstack security in a state of constant flux
Eoin Keary
 
Chris Haley - Understanding Attackers' Use of Covert Communications
Chris Haley - Understanding Attackers' Use of Covert CommunicationsChris Haley - Understanding Attackers' Use of Covert Communications
Chris Haley - Understanding Attackers' Use of Covert Communications
centralohioissa
 
Managing Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber SecurityManaging Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber Security
Priyanka Aash
 
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
APNIC
 
Amy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsAmy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOps
SeniorStoryteller
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
Mike Spaulding
 
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
The DevSecOps Showdown: How to Bridge the Gap Between Security and DevelopersThe DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
DevOps.com
 
Microsoft power point closing presentation-greenberg
Microsoft power point closing presentation-greenbergMicrosoft power point closing presentation-greenberg
Microsoft power point closing presentation-greenberg
ISSA LA
 
Insider Threat: How Does Your Security Stack Measure Up?
Insider Threat: How Does Your Security Stack Measure Up?Insider Threat: How Does Your Security Stack Measure Up?
Insider Threat: How Does Your Security Stack Measure Up?
ThinAir
 
Keeping Secrets on the Internet of Things - Mobile Web Application Security
Keeping Secrets on the Internet of Things - Mobile Web Application SecurityKeeping Secrets on the Internet of Things - Mobile Web Application Security
Keeping Secrets on the Internet of Things - Mobile Web Application Security
Kelly Robertson
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Threat Dissection - Alberto Soliño Testa Research Director, Core Security
Threat Dissection - Alberto Soliño Testa Research Director, Core SecurityThreat Dissection - Alberto Soliño Testa Research Director, Core Security
Threat Dissection - Alberto Soliño Testa Research Director, Core Security
Core Security
 
Cloud – Helps or Hurts Insider Threat?
Cloud – Helps or Hurts Insider Threat?Cloud – Helps or Hurts Insider Threat?
Cloud – Helps or Hurts Insider Threat?
ThinAir
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Tools
centralohioissa
 
Silver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSilver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security Solutions
SeniorStoryteller
 
Hardware Security on Vehicles
Hardware Security on VehiclesHardware Security on Vehicles
Hardware Security on Vehicles
Priyanka Aash
 
Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!
centralohioissa
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
Tej Luthra
 
Getting Started with Business Continuity
Getting Started with Business ContinuityGetting Started with Business Continuity
Getting Started with Business Continuity
Stephen Cobb
 
The mobile health IT security challenge: way bigger than HIPAA?
The mobile health IT security challenge: way bigger than HIPAA?The mobile health IT security challenge: way bigger than HIPAA?
The mobile health IT security challenge: way bigger than HIPAA?
Stephen Cobb
 

More Related Content

What's hot

Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...
Core Security
 
Chris Haley - Understanding Attackers' Use of Covert Communications
Chris Haley - Understanding Attackers' Use of Covert CommunicationsChris Haley - Understanding Attackers' Use of Covert Communications
Chris Haley - Understanding Attackers' Use of Covert Communications
centralohioissa
 
Managing Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber SecurityManaging Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber Security
Priyanka Aash
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
Mike Spaulding
 
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
The DevSecOps Showdown: How to Bridge the Gap Between Security and DevelopersThe DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
DevOps.com
 
Microsoft power point closing presentation-greenberg
Microsoft power point closing presentation-greenbergMicrosoft power point closing presentation-greenberg
Microsoft power point closing presentation-greenberg
ISSA LA
 
Insider Threat: How Does Your Security Stack Measure Up?
Insider Threat: How Does Your Security Stack Measure Up?Insider Threat: How Does Your Security Stack Measure Up?
Insider Threat: How Does Your Security Stack Measure Up?
ThinAir
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!
centralohioissa
 

What's hot (20)

No More SIlos: Connected Security - Mike Desai and Ryan Rowcliffe
No More SIlos: Connected Security - Mike Desai and Ryan RowcliffeNo More SIlos: Connected Security - Mike Desai and Ryan Rowcliffe
No More SIlos: Connected Security - Mike Desai and Ryan Rowcliffe
 
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...
 
Skillful scalefull fullstack security in a state of constant flux
Skillful scalefull fullstack security in a state of constant fluxSkillful scalefull fullstack security in a state of constant flux
Skillful scalefull fullstack security in a state of constant flux
 
Chris Haley - Understanding Attackers' Use of Covert Communications
Chris Haley - Understanding Attackers' Use of Covert CommunicationsChris Haley - Understanding Attackers' Use of Covert Communications
Chris Haley - Understanding Attackers' Use of Covert Communications
 
Managing Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber SecurityManaging Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber Security
 
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
 
Amy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsAmy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOps
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
 
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
The DevSecOps Showdown: How to Bridge the Gap Between Security and DevelopersThe DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
 
Microsoft power point closing presentation-greenberg
Microsoft power point closing presentation-greenbergMicrosoft power point closing presentation-greenberg
Microsoft power point closing presentation-greenberg
 
Insider Threat: How Does Your Security Stack Measure Up?
Insider Threat: How Does Your Security Stack Measure Up?Insider Threat: How Does Your Security Stack Measure Up?
Insider Threat: How Does Your Security Stack Measure Up?
 
Keeping Secrets on the Internet of Things - Mobile Web Application Security
Keeping Secrets on the Internet of Things - Mobile Web Application SecurityKeeping Secrets on the Internet of Things - Mobile Web Application Security
Keeping Secrets on the Internet of Things - Mobile Web Application Security
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Threat Dissection - Alberto Soliño Testa Research Director, Core Security
Threat Dissection - Alberto Soliño Testa Research Director, Core SecurityThreat Dissection - Alberto Soliño Testa Research Director, Core Security
Threat Dissection - Alberto Soliño Testa Research Director, Core Security
 
Cloud – Helps or Hurts Insider Threat?
Cloud – Helps or Hurts Insider Threat?Cloud – Helps or Hurts Insider Threat?
Cloud – Helps or Hurts Insider Threat?
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Tools
 
Silver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSilver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security Solutions
 
Hardware Security on Vehicles
Hardware Security on VehiclesHardware Security on Vehicles
Hardware Security on Vehicles
 
Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
 

Viewers also liked

Cybercrime and the Hidden Perils of Patient Data
Cybercrime and the Hidden Perils of Patient DataCybercrime and the Hidden Perils of Patient Data
Cybercrime and the Hidden Perils of Patient Data
Stephen Cobb
 
Future of Cybersecurity 2016 - M.Rosenquist
Future of Cybersecurity 2016 - M.RosenquistFuture of Cybersecurity 2016 - M.Rosenquist
Future of Cybersecurity 2016 - M.Rosenquist
Matthew Rosenquist
 

Viewers also liked (20)

Getting Started with Business Continuity
Getting Started with Business ContinuityGetting Started with Business Continuity
Getting Started with Business Continuity
 
The mobile health IT security challenge: way bigger than HIPAA?
The mobile health IT security challenge: way bigger than HIPAA?The mobile health IT security challenge: way bigger than HIPAA?
The mobile health IT security challenge: way bigger than HIPAA?
 
Cyber security
Cyber securityCyber security
Cyber security
 
HIPAA, Privacy, Security, and Good Business
HIPAA, Privacy, Security, and Good BusinessHIPAA, Privacy, Security, and Good Business
HIPAA, Privacy, Security, and Good Business
 
Global threat landscape
Global threat landscapeGlobal threat landscape
Global threat landscape
 
The Year Ahead in Cyber Security: 2014 edition
The Year Ahead in Cyber Security: 2014 editionThe Year Ahead in Cyber Security: 2014 edition
The Year Ahead in Cyber Security: 2014 edition
 
Using Technology and Techno-People to Improve your Threat Resistance and Cybe...
Using Technology and Techno-People to Improve your Threat Resistance and Cybe...Using Technology and Techno-People to Improve your Threat Resistance and Cybe...
Using Technology and Techno-People to Improve your Threat Resistance and Cybe...
 
Cybercrime and the Hidden Perils of Patient Data
Cybercrime and the Hidden Perils of Patient DataCybercrime and the Hidden Perils of Patient Data
Cybercrime and the Hidden Perils of Patient Data
 
A Career in Cybersecurity
A Career in CybersecurityA Career in Cybersecurity
A Career in Cybersecurity
 
Using Technology and People to Improve your Threat Resistance and Cyber Security
Using Technology and People to Improve your Threat Resistance and Cyber SecurityUsing Technology and People to Improve your Threat Resistance and Cyber Security
Using Technology and People to Improve your Threat Resistance and Cyber Security
 
Enjoy Safer Technology and Defeat Cyber Criminals
Enjoy Safer Technology and Defeat Cyber CriminalsEnjoy Safer Technology and Defeat Cyber Criminals
Enjoy Safer Technology and Defeat Cyber Criminals
 
Cybersecurity for the non-technical
Cybersecurity for the non-technicalCybersecurity for the non-technical
Cybersecurity for the non-technical
 
2015: The year-ahead-in-cyber-security
2015: The year-ahead-in-cyber-security2015: The year-ahead-in-cyber-security
2015: The year-ahead-in-cyber-security
 
NCSAM = Cyber Security Awareness Month: Trends and Resources
NCSAM = Cyber Security Awareness Month: Trends and ResourcesNCSAM = Cyber Security Awareness Month: Trends and Resources
NCSAM = Cyber Security Awareness Month: Trends and Resources
 
Future of Cybersecurity 2016 - M.Rosenquist
Future of Cybersecurity 2016 - M.RosenquistFuture of Cybersecurity 2016 - M.Rosenquist
Future of Cybersecurity 2016 - M.Rosenquist
 
Skills For Career In Security
Skills For Career In SecuritySkills For Career In Security
Skills For Career In Security
 
Cyber Security Career Advice
Cyber Security Career AdviceCyber Security Career Advice
Cyber Security Career Advice
 
Navigating Your Career in Cyber Security - Steve Santini & Drew Fearson
Navigating Your Career in Cyber Security - Steve Santini & Drew FearsonNavigating Your Career in Cyber Security - Steve Santini & Drew Fearson
Navigating Your Career in Cyber Security - Steve Santini & Drew Fearson
 
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...
 
2016 Trends in Security
2016 Trends in Security 2016 Trends in Security
2016 Trends in Security
 

Similar to Malware and the risks of weaponizing code

What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
Anne Oikarinen
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous delivery
Black Duck by Synopsys
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous delivery
Tim Mackey
 
NTXISSACSC2 - Software Assurance (SwA) by John Whited
NTXISSACSC2 - Software Assurance (SwA) by John WhitedNTXISSACSC2 - Software Assurance (SwA) by John Whited
NTXISSACSC2 - Software Assurance (SwA) by John Whited
North Texas Chapter of the ISSA
 

Similar to Malware and the risks of weaponizing code (20)

Open Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best Practices
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetup
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
 
Top Application Security Trends of 2012
Top Application Security Trends of 2012Top Application Security Trends of 2012
Top Application Security Trends of 2012
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous delivery
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous delivery
 
The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...
 
Primer for Information Security Programs
Primer for Information Security ProgramsPrimer for Information Security Programs
Primer for Information Security Programs
 
20th Anniversary - OWASP Top 10 2021.pptx
20th Anniversary - OWASP Top 10 2021.pptx20th Anniversary - OWASP Top 10 2021.pptx
20th Anniversary - OWASP Top 10 2021.pptx
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber risk
 
Application Whitelisting - Complementing Threat centric with Trust centric se...
Application Whitelisting - Complementing Threat centric with Trust centric se...Application Whitelisting - Complementing Threat centric with Trust centric se...
Application Whitelisting - Complementing Threat centric with Trust centric se...
 
Malware
MalwareMalware
Malware
 
Declaration of malWARe
Declaration of malWAReDeclaration of malWARe
Declaration of malWARe
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021
 
Beyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability AssessmentBeyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability Assessment
 
Cyber Security for Financial Planners
Cyber Security for Financial PlannersCyber Security for Financial Planners
Cyber Security for Financial Planners
 
NTXISSACSC2 - Software Assurance (SwA) by John Whited
NTXISSACSC2 - Software Assurance (SwA) by John WhitedNTXISSACSC2 - Software Assurance (SwA) by John Whited
NTXISSACSC2 - Software Assurance (SwA) by John Whited
 
Information Technology Security Basics
Information Technology Security BasicsInformation Technology Security Basics
Information Technology Security Basics
 

More from Stephen Cobb

More from Stephen Cobb (11)

Cybercrime-as-health-crisis-shared.pptx
Cybercrime-as-health-crisis-shared.pptxCybercrime-as-health-crisis-shared.pptx
Cybercrime-as-health-crisis-shared.pptx
 
Cybersecurity Risk Perception and Communication
Cybersecurity Risk Perception and CommunicationCybersecurity Risk Perception and Communication
Cybersecurity Risk Perception and Communication
 
What Makes a Good CISO
What Makes a Good CISOWhat Makes a Good CISO
What Makes a Good CISO
 
Sizing the Cyber Skills Gap
Sizing the Cyber Skills GapSizing the Cyber Skills Gap
Sizing the Cyber Skills Gap
 
Security and Wearables: Success starts with security
Security and Wearables: Success starts with securitySecurity and Wearables: Success starts with security
Security and Wearables: Success starts with security
 
The Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise SecurityThe Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise Security
 
The Evolution of Cybercrime
The Evolution of CybercrimeThe Evolution of Cybercrime
The Evolution of Cybercrime
 
Safer Technology Through Threat Awareness and Response
Safer Technology Through Threat Awareness and ResponseSafer Technology Through Threat Awareness and Response
Safer Technology Through Threat Awareness and Response
 
Endpoint and Server: The belt and braces anti-malware strategy
Endpoint and Server: The belt and braces anti-malware strategyEndpoint and Server: The belt and braces anti-malware strategy
Endpoint and Server: The belt and braces anti-malware strategy
 
Cyberskills shortage: Where is the cyber workforce of tomorrow
Cyberskills shortage: Where is the cyber workforce of tomorrowCyberskills shortage: Where is the cyber workforce of tomorrow
Cyberskills shortage: Where is the cyber workforce of tomorrow
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
 

Recently uploaded

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
Safe Software
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
WSO2
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 

Recently uploaded (20)

How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern Enterprise
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation Computing
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using Ballerina
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 

Malware and the risks of weaponizing code

  • 1. A. Lee S. Cobb CyCon 2014 Malware is Called Malicious for a Reason: The Risks of Weaponizing Code 6th Annual Conference on Cyber Conflict Proceedings NATO Cooperative Cyber Defence Centre of Excellence Tallinn, Estonia
  • 2. A. Lee S. Cobb CyCon 2014 Authors • Andrew Lee • CEO, ESET North America • Former Chief Research Officer • MSc Computer Security (2010) • Stephen Cobb • Senior Security Researcher, ESET • CISSP (1996) • MSc Security & Criminology (2016, hopefully) ESET: Founded in Bratislava, Slovakia, 1992 Makes IT security products, like NOD32 AV
  • 3. A. Lee S. Cobb CyCon 2014 Some history… • Stephen Cobb Complete Book of PC & LAN Security (1991) • Employee #5 at antivirus software testing company ICSA Labs (1995) • Adjunct Prof. Masters in IA, Norwich University (2002-2008) • First anti-spam router, acquired by Symantec (2004)
  • 4. A. Lee S. Cobb CyCon 2014 Perspective and key points •A view from the front lines •The appeal of “good viruses” and “righteous malware” •Historical objections •Key risks of using malware for offense or active defense •Ideas for further research?
  • 5. A. Lee S. Cobb CyCon 2014 The short version •Hurling infected bodies over city walls in 1710? • Bad idea •Deploying malicious code in 2014 • Bad idea •“Malware = biological weapons of cyber conflict” •White worms are mythical creatures
  • 6. A. Lee S. Cobb CyCon 2014 Defining malware •Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an IS [Information System] •National Information Assurance (IA) Glossary •The definition of record for CIA/NSA/DoD/etc.
  • 7. A. Lee S. Cobb CyCon 2014 Malware and the Tallinn Rules 43: Indiscriminate Means and Methods 48: Weapons Review 49: Indiscriminate Attacks 50: Clearly Separated Distinct Military Objectives 51: Proportionality
  • 8. A. Lee S. Cobb CyCon 2014 Deploying malware •Virus, worm, Trojan •Email attachment •Website drive-by •Removable media •Chipping hardware •Updating firmware •Planting code
  • 9. A. Lee S. Cobb CyCon 2014 Malicious Code in the Software Life Cycle 1. Acquisition 2. Requirements 3. Design 4. Construction 5. Testing 6. Installation (delivery, distribution, installation) 7. Maintenance (operation, maintenance, and disposal) Guidance for Addressing Malicious Code Risk, NSA, 2007
  • 10. A. Lee S. Cobb CyCon 2014 What is “righteous malware” •It’s in the eye of the beholder • Software or firmware deployed with intent to advance a just cause by performing an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an IS [Information System] •Examples? • Stuxnet, Shamoon, DarkComet RAT, Blackshades
  • 11. A. Lee S. Cobb CyCon 2014 > 50,000 implants MALWARE INCLUDES IMPLANTS
  • 12. A. Lee S. Cobb CyCon 2014 The “good” virus •A fascination as old as computing •Self-replicating code that performs beneficial functions (e.g. patching or backup) •Some virus writers persisted despite outbreaks of ‘benign’ code •Are ‘Good’ Computer Viruses Still a Bad Idea? • Vesselin Bontchev, Virus-L and comp.virus, EICAR ’94
  • 13. A. Lee S. Cobb CyCon 2014 12 reasons why “good viruses” are a bad idea TECHNICAL REASONS Lack of Control Spread cannot be controlled, unpredictable results Recognition Difficulty Hard to allow good viruses while denying bad Resource Wasting Unintended consequences (typified by the Morris Worm) Bug Containment Difficulty of fixing bugs in code once released Compatibility Problems May not run when needed, or cause damage when run Effectiveness Risks of self-replicating code over conventional alternatives ETHICAL AND LEGAL REASONS Unauthorized Data Modification Unauthorized system access or data changes illegal or immoral Copyright and Ownership Problems Could impair support or violate copyright of regular programs Possible Misuse Code could be used by persons will malicious intent Responsibility Sets a bad example for persons with inferior skills, morals PSYCHOLOGICAL REASONS Trust Problems Potential to undermine user trust in systems Negative Common Meaning Anything called a virus is doomed to be deemed bad V. Bontchev, “Are ‘Good’ Computer Viruses Still a Bad Idea?” EICAR’94
  • 14. A. Lee S. Cobb CyCon 2014 12 risks inherent in malware deployment TECHNICAL REASONS Lack of Control Spread cannot be controlled, unpredictable results Recognition Difficulty Hard to allow good viruses while denying bad Resource Wasting Unintended consequences (typified by the Morris Worm) Bug Containment Difficulty of fixing bugs in code once released Compatibility Problems May not run when needed, or cause damage when run Effectiveness Risks of self-replicating code over conventional alternatives ETHICAL AND LEGAL REASONS Unauthorized Data Modification Unauthorized system access or data changes illegal or immoral Copyright and Ownership Problems Could impair support or violate copyright of regular programs Possible Misuse Code could be used by persons will malicious intent Responsibility Sets a bad example for persons with inferior skills, morals PSYCHOLOGICAL REASONS Trust Problems Potential to undermine user trust in systems Negative Common Meaning Anything called a virus is doomed to be deemed bad V. Bontchev, “Are ‘Good’ Computer Viruses Still a Bad Idea?” EICAR’94
  • 15. A. Lee S. Cobb CyCon 2014 All risks must be addressed, but focus on 4 TECHNICAL REASONS Lack of Control Spread cannot be controlled, unpredictable results Recognition Difficulty Hard to allow good viruses while denying bad Resource Wasting Unintended consequences (typified by the Morris Worm) Bug Containment Difficulty of fixing bugs in code once released Compatibility Problems May not run when needed, or cause damage when run Effectiveness Risks of self-replicating code over conventional alternatives ETHICAL AND LEGAL REASONS Unauthorized Data Modification Unauthorized system access or data changes illegal or immoral Copyright and Ownership Problems Could impair support or violate copyright of regular programs Possible Misuse Code could be used by persons will malicious intent Responsibility Sets a bad example for persons with inferior skills, morals PSYCHOLOGICAL REASONS Trust Problems Potential to undermine user trust in systems Negative Common Meaning Anything called a virus is doomed to be deemed bad
  • 16. A. Lee S. Cobb CyCon 2014 All risks must be addressed, but focus on 4 1. Recognition Difficulty 2. Compatibility Problems & Effectiveness 3. Possible Misuse 4. Trust Problems
  • 17. A. Lee S. Cobb CyCon 2014 1. Recognition Difficulty •Hard to allow good viruses while denying bad •No self-respecting antivirus company is going to give your righteous malware a free pass
  • 18. A. Lee S. Cobb CyCon 2014 Bear in mind the AV community is global •Major AV vendors encompass many countries • ESET Slovakia AVG Czech Republic • McAfee USA Kaspersky Russia • Symantec USA Trend Micro Japan, • Avira Germany Avast! Czech Republic •Active in many more (e.g. ESET operates in 180) •“Your cyber defense is only as good as your relationship with industry.” – Dr. Jamie Shea
  • 19. A. Lee S. Cobb CyCon 2014 2. Compatibility and Effectiveness •May not run when needed, or may cause damage when run •Huge potential for unintended consequences •Reduce risk with detailed intel on the target? •Raises issue of Effectiveness: • Does the effort to get enough intel to execute safely exceed the effort of a less risky path to same end?
  • 20. A. Lee S. Cobb CyCon 2014 3. Possible Misuse •Could be re-used by persons with malicious intent •Yes, your own code could be used against you •The key ingredient for making malware is brains •Brains are very mobile, no country has a lock •"The most valuable cyber weapon you can possess? The talented individual.“ – Jarno Limnéll
  • 21. A. Lee S. Cobb CyCon 2014 4. Trust Problems •Potential to undermine user trust in systems •60% now less trusting of technology companies • e.g. Internet service providers, software companies •Very real risk of economic damage Harris Poll on behalf of ESET, February 4-6, 2014, 2,034 U.S. adults ages 18 and older
  • 22. A. Lee S. Cobb CyCon 2014 Companies and consumers impacted • Cloud providers • Banks • Companies like Cisco • Online retailers • Healthcare providers • Governments NASDAQ CSCO
  • 23. A. Lee S. Cobb CyCon 2014 85% of Americans are aware of NSA revelations, 47% of them have changed their online behavior Harris Poll on behalf of ESET, February 4-6, 2014, 2,034 U.S. adults ages 18 and older
  • 24. A. Lee S. Cobb CyCon 2014 Righteous malware deployment checklist: Control Can you control the actions of the code in all environments it may infect? Detection Can the code complete its mission before detection? Attribution Can you guarantee the code is deniable or claimable, as needed? Legality Will the code be illegal in any jurisdictions in which it is deployed? Morality Will deployment of the code violate any treaties, codes, and other international norms? Misuse Can the code, or its techniques, strategies or design principles be copied by adversaries, competing interests, or criminals? Erosion of Trust Have you considered harmful effects that deployment of the code, including knowledge of the deployment, could have on trust placed in your government and institutions including trade and commerce?
  • 25. A. Lee S. Cobb CyCon 2014 Further research? •Mathematical model of malware risks • Enumerate variables • Calculate compound probabilities •Comprehensive survey of malware researchers • Update the “Good virus bad idea” paper
  • 26. A. Lee S. Cobb CyCon 2014 Summary: deploying malware •Comes with many risks that are known and well- documented •Carries serious potential to undermine the very societies it is intended to defend
  • 27. A. Lee S. Cobb CyCon 2014 Thank you! •Stephen.Cobb@ESET.com •Twitter @zcobb •www.SlideShare.net/zcobb •www.LinkedIn/in/StephenCobb •www.WeLiveSecurity.com

Editor's Notes

  1. Industry perspective 1,000s of people around the world go to work every day to fight against malicious code and repair the damage done by malware.
  2. If not at Reval > a biological warfare attack at siege of Caffa, 1346 by which the Black Death is widely believed to have reached Europe from the Crimea: “Tartars, stunned and stupefied by the immensity of the disaster brought about by the disease…ordered corpses to be placed in catapults1 and lobbed into the city in the hope that the intolerable stench would kill everyone inside.2 What seemed like mountains of dead were thrown into the city, and the Christians could not hide or flee or escape from them, http://wwwnc.cdc.gov/eid/article/8/9/01-0536_article.htm
  3. Clealry NSA sees threats at all levels. Ironically this is their advice on protection, but also a good guide for those who want to protect against NSA malware. But wait, surely code used to protect our interests is good and RIGHTEOUS
  4. John von Neumann article on the "Theory of self-reproducing automata" 1949. EICAR = European Institute for Computer Antivirus Research
  5. ALSO RISKS
  6. FBI example German example
  7. ESET
  8. Internet Worm onwards Stuxnet outside of Iran -- Conficker just keeps going – support calls about “weird” effects are legion
  9. From papers