Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Giving The Heave Ho To Worms, Spyware, And Bots!


Published on

  • Be the first to comment

  • Be the first to like this

Giving The Heave Ho To Worms, Spyware, And Bots!

  1. 1. Giving the Heave-Ho to Worms, Spyware, and Bots! Tammy L Clark, CISSP, CISM, CISA CISO, Georgia State University William Monahan, CISSP, CISA, CISM Information Security Administrator Lead
  2. 2. Malware <ul><li>All exploits leverage a specific weak link in a program. This is done through various means. </li></ul><ul><li>Social engineering on the other hand exploits the human behavioral link. </li></ul><ul><li>What results when both an exploit and social engineering are combined? </li></ul>
  3. 3. “New Vulnerability in Excel..” <ul><li>On June 15 th , the following was reported… </li></ul><ul><li>“ A new vulnerability, which is being actively exploited, has been discovered in Microsoft Office Excel that could allow a remote attacker to run and execute commands on the local system. This vulnerability can be exploited if a user visits a malicious web page which is specifically crafted to exploit this vulnerability. However, a more important concern is that this vulnerability can be exploited by receiving and executing the malicious Excel (.XLS) email attachments which are not likely to be blocked by email filters.” </li></ul><ul><li>As the malware threat begins to spread, AV vendors rush to get updated signatures out…more computers are turned into ‘bots’ and ‘zombies’ over the internet…different versions of the threat resurface and are once again neutralized… </li></ul><ul><li>Does anyone still believe that antivirus software is sufficient to prevent malware infections and compromised computers at this point? </li></ul>
  4. 4. Is It Really Possible to Have a Malware-free Campus Network? <ul><li>Microsoft issued a white paper June 12 th about their malicious software removal tool--among the report's major findings: </li></ul><ul><li>The tool removed at least one backdoor trojan each, mostly bots, from about 3.5 million computers. </li></ul><ul><li>Of the 5.7 million computers on which the tool has removed malware, 62 percent contained at least one backdoor trojan. </li></ul><ul><li>Rootkits were present in 14 percent of the computers on which the tool cleaned malicious software. </li></ul><ul><li>Social engineering served as a major source of malware attacks. Worms spreading through email, instant messaging (IM) or peer-to-peer networks were found on 35 percent of the computers cleaned by the tool. </li></ul><ul><li>Backdoor trojans made up the most prevalent threat removed by the tool, followed by email worms, rootkits, peer-to-peer worms, exploit worms, viruses and IM worms. </li></ul>
  5. 5. Malware—The Pervasive Threat <ul><li>USB thumb drives—often given away for free by vendors at trade shows, cheap and easy to use—a great vehicle to evade existing security controls and propagate malware </li></ul><ul><li>Blended Threats—whether exploiting a vulnerability in an application or OS or coming in through emails, instant messaging, P2P, etc…spammers/hackers are constantly testing to find the fastest methods of propagating worms to victim computers and from there taking advantage of back door trojans that are installed along with them to get in and out quickly, to offload sensitive data and to install bot software, spam engines, and warez servers that are often undetectable without specialized tools or methods </li></ul>
  6. 6. Data Breaches Are Popping Up Everywhere Lately… <ul><li>According to the Privacy Rights Clearinghouse, there have been 184 data breaches reported since the Choicepoint incident in February 2005 </li></ul><ul><li>Of this number, 73 were universities reporting sensitive data leaks (How many go unreported?) </li></ul><ul><li>113 of the total breaches reported were a result of unauthorized access/intrusions </li></ul><ul><li>71 of these incidents involved backup tapes, paper documents, and/or computers containing sensitive data repositories that were stolen </li></ul>
  7. 7. Case Studies of Interest to Higher Ed Practitioners <ul><li>“ When Bots Attack,” Baseline Magazine’s April 2006 Issue (discusses Auburn University’s experiences with IRC Bots),1542,i=1818,00.asp </li></ul><ul><li>“ Remote Control Wars,” SC Magazine’s June 2006 Issue (discusses defense-in-depth approach to mitigating the bot threat) </li></ul><ul><li>“ Attack of the iPods,” CSO Magazine’s May 2006 Issue ( discusses the threat of malware implanted on iPods, MP3 players and USB devices ) </li></ul><ul><li>“ Security Survival Guide,” Baseline Magazine’s May 2006 Issue (discusses tips & techniques to survive the malware onslaught),1540,1962511,00.asp </li></ul><ul><li>“ Invasion of the Computer Snatchers,” Washington Post Feb 2006 Article (discusses the methods by which hackers are commandeering computers to steal sensitive data, send spam, etc.) </li></ul>
  8. 8. So What Can We Do About the Malware Invasion? <ul><li>Having effective visibility of your network traffic coupled with the ability to prevent a very high percentage of known malware from coming into your campus network is critical </li></ul><ul><li>In cases where hackers do gain unauthorized access or zero day malware infections occur, you need to be able to quickly detect the presence of malware, contain the spread, get the compromised system(s) off your network, and deter the attacker/threat from continuing or returning… </li></ul><ul><li>Implementing a defense in depth strategy that applies customized levels of protection to networked systems & devices is imperative in being able to successfully combat malware invasions and prevent data breaches </li></ul><ul><li>Behind the scenes, you must continually educate campus users and systems administrators, conduct security audits and risk analyses, and put systems (technology), policies and procedures in place that address access, authentication, authorization, protection of sensitive information, and regulatory compliance </li></ul>
  9. 9. A Little Background Info <ul><li>Georgia State’s information security program launched in 2000 </li></ul><ul><li>Currently, 3 dedicated staff members serve the campus community </li></ul><ul><li>6000-10,000 staff and faculty </li></ul><ul><li>25,000+ students </li></ul><ul><li>Decentralized information technology environment </li></ul>
  10. 10. Giving Bots, Spyware and Malware the Heave-Ho <ul><li>Prior to 2005, we had between 20-50 incidents a day involving compromised or malware infected systems </li></ul><ul><li>As we implemented key security solutions, polices, and procedures in 2005…our incident percentages dropped dramatically to between 1-5 a week and 99% of these involve transient systems brought in by students using wireless or various labs & classrooms on campus </li></ul>
  11. 11. Georgia State’s Security Architecture <ul><li>In addition to AV on the desktops and/or servers, robust gateway AV scanning and anti-spam appliances… √ </li></ul><ul><li>Dynamic blocking at the edge via IPS … √ </li></ul><ul><li>Centrally-maintained “push” patch management √ </li></ul><ul><li>IPS on desktops and servers √ </li></ul><ul><li>Ability to mandate use of “strong” passwords, through a combination of policy and technology √ </li></ul><ul><li>VPN required for remote access √ </li></ul><ul><li>Encrypted data transmission √ </li></ul><ul><li>Vulnerability assessment and risk analysis √ </li></ul><ul><li>A SIM or central logging facility to gather disparate data gathered daily from firewalls, IDS, IPS, AV, etc., with data correlation and reporting </li></ul><ul><li>24/7 monitoring and incident detection/response </li></ul>
  12. 12. Security Architecture Continued <ul><li>Regulatory compliance in ensuring minimum levels of security on networked devices processing sensitive info √ </li></ul><ul><li>An online security awareness course (we used WebCT Vista) that can be distributed to faculty, staff, and students √ </li></ul><ul><li>Establishment of secure, trusted zones that are separated from the rest of the network √ </li></ul><ul><li>Access/authentication requirements on every wired port (except public access stations) and wireless areas √ </li></ul><ul><li>Identity management system </li></ul><ul><li>Self defending networks </li></ul>
  13. 13. Our Information Security Roadmap <ul><li>Information Security Plan based on ISO 17799 </li></ul><ul><li>Prioritized Yearly Action Plans </li></ul><ul><li>Risk Analyses and Security Assessments </li></ul><ul><li>Policy and Procedures </li></ul><ul><li>Building Consensus through Collaborations with Committees and Taskforces </li></ul><ul><li>Security Solutions that can be managed centrally, and distributed to trained departmental sys admins </li></ul><ul><li>Security Operations that take advantage of automated alerts and reporting to allow data center or network ops folks to monitor 24/7 </li></ul><ul><li>Security Awareness </li></ul><ul><li>Defense In Depth through layering in new solutions </li></ul>
  14. 14. IPS at The Edge, Anyone? <ul><li>We implemented McAfee’s Intrushield 4000 appliance in early 2005 </li></ul><ul><li>We selected Intrushield as it allows us to create thousands of virtual ‘child’ domains with just one appliance that can apply very granular, customized policies to protect networked devices. Unlike our ISS Realsecure IDS, which we still maintain due to auditing capabilities that allow us to easily detect IRC bots and compromised systems, the Intrushield IPS allows us to dynamically block attacks in realtime, 24/7 </li></ul><ul><li>We maintain an overall GSU policy that is applied to networked devices not housed under specific child domains. We also shield a group of high risk devices with a very restrictive policy. We create child domains for various colleges and departments and allow them to specify additional things they want to restrict via their departmental policies, such as P2P applications </li></ul><ul><li>We provide training to campus systems administrators and allow them to obtain a child domain, maintain their own policies and gain access to the management console to view all activity on just their specific areas </li></ul>
  15. 15. Intrushield
  16. 16. IPS on Desktops and Servers <ul><li>We deployed ISS SiteProtector in 2003, a central console that can manage network, server, and desktop sensors. The network sensors perform the IDS function and the server and desktop sensors have IPS capabilities built in. </li></ul><ul><li>We began distributing desktop IPS clients in 2004 to residential students. From there, we provided them to staff maintaining campus labs and classrooms. Various systems administrators are in the process of deploying server sensors to protect their critical systems. </li></ul><ul><li>We group desktop and server sensors by colleges and departments and we also create sub-domains underneath these groupings that apply more granular policies to specific systems. </li></ul><ul><li>We provide training to campus systems administrators and allow them to manage their sensor groups, distribute and install sensors, maintain their own policies and gain access to the management console to view activity on just their specific areas </li></ul>
  17. 17. ISS SiteProtector
  18. 18. Managed Antivirus <ul><li>We distribute Symantec antivirus to all Windows and Mac systems on campus and allow users to install it on remote systems as well </li></ul><ul><li>We provide a managed client that allows us to “push” AV updates as they come out and group the clients by the college or department they fall into. We also provide an unmanaged client for our remote users </li></ul><ul><li>We provide targeted information about worms and viruses to campus administrators and plan to allow them access to their own groups on our management console once Symantec releases the ability to distribute management of AV clients </li></ul>
  19. 19. Symantec Antivirus
  20. 20. GSU’s Secure Computing Initiative <ul><li>In response to regulatory requirements to protect customer information, we established a program that mandates (yes, you heard this right!) the use of IPS, strong passwords, secure device configurations, and an electronic security awareness course </li></ul><ul><li>ISS Proventia’ desktop IPS and Symantec’s antivirus client. We also ask systems admins to either obtain ISS’ server sensor or allow us to place their device behind the “shield” with a restrictive policy </li></ul><ul><li>We require college/department information technology representatives to provide us with an inventory of systems and a survey questionnaire specifying what steps they are taking in the areas of backups, disaster recovery, etc. We provide them with training on the ISS SiteProtector management system, checklists that specify configuration requirements on XP and 2000 workstations (which are prevalent on our campus), and conduct a risk analysis of their area </li></ul><ul><li>College/department technology representatives distribute and install the IPS and antivirus software, ensure that users’ systems are configured via our checklist requirements, and we contact users to take the security awareness course </li></ul>
  21. 21. HIPAA Compliance Matrix
  22. 22. Risk Analyses and Security Reviews <ul><li>As colleges and dept’s at GSU acquire new technology from vendors to assist in their academic or business endeavors, we get involved in assessing the potential risk that new devices, software, etc., can introduce </li></ul><ul><li>We run vulnerability scans on these vendor-supplied systems </li></ul><ul><li>We also conduct risk analyses to determine the use of encryption in data transmission, examine security configurations, determine whether sensitive data is involved </li></ul><ul><li>We work with vendors to resolve problems prior to systems going into production; we also place high risk systems behind the “shield” </li></ul>
  23. 23. Security Operations <ul><li>We have several security monitoring systems that provide critical information to us about attacks and intrusions 24/7 </li></ul><ul><li>We establish automated alerting and reporting mechanisms within Intrushield and ISS Siteprotector to provide targeted information </li></ul><ul><li>We are offering training to network operations and helpdesk technicians to allow them to field alerts 24/7 and create Remedy helpdesk tickets, make notifications, and contact us to analyze information that comes in about potential attacks and incidents </li></ul><ul><li>We have an experienced security operations/incident handler in our department who collects data and manages incidents during business hours. We also have a CSIRT on campus and a policy that we are allowed to decide to disrupt network services to any device that represents a threat to the university if necessary without prior notification </li></ul>
  24. 24. Security Awareness <ul><li>We provide security awareness presentations on demand and are in the process of distributing a WebCT Vista security awareness course to campus users </li></ul><ul><li>We are working to have this electronic course distributed to all incoming freshman students as part of their “freshman communities” curriculum. We require everyone on campus processing sensitive information to take the course and achieve a passing score on the test that accompanies it </li></ul><ul><li>We are working with human resources staff members to include the course in their new employee orientations </li></ul>
  25. 25. Defense In Depth Strategy <ul><li>The challenge we all face in seeking to protect customer information and university technical resources is achieving a delicate balance between applying controls and utilizing these resources at optimum levels of efficiency and effectiveness </li></ul><ul><li>From 2000 to the third quarter of 2004, we layered existing technological solutions, devised processes that often required the active participation of the campus community and we found that we could not stem the tide of blended malware threats that managed to evade our controls </li></ul><ul><li>The emergence of IPS at the edge, on servers and desktops, along with regulatory requirements that mandate minimum levels of security have evolved our efforts to allow us to be more proactive, to manage security efforts “end to end” on the network, rather than exist in a purely reactive mode. These controls are transparent for the most part to our campus community, as we do not deploy some of the more intrusive measures these solutions are capable of.. </li></ul>
  26. 26. Defense in Depth Cont. <ul><li>We constantly devise policies and processes that can be instituted to better protect network devices, more often than not, without user intervention. We focus on educating staff, faculty, and users about policies, mandated requirements, and about the threats and vulnerabilities they will encounter when they utilize systems connected to the internet… </li></ul><ul><li>We’ve achieved a measure of success at this point, but we continue to examine new technologies that surface such as ‘self defending networks’ and complex ones such as ‘IDMS’ to allow us to mitigate the effects of mobile users bringing infected systems to campus and access/authentication issues </li></ul>
  27. 27. Of Interest to Higher Ed Information Security Staffs <ul><li> The EDUCAUSE Security Task Force and a wealth of downloadable content </li></ul><ul><li> The Security Professionals Conference Archive </li></ul><ul><li> Research and Education Networking – Information Sharing and Analysis Center </li></ul>
  28. 28. Questions? <ul><li>Copyright Tammy L. Clark, June 2006. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author. </li></ul>