Endpoint and Server: The belt and braces anti-malware strategy
Transcript of Endpoint and Server: The belt and braces anti-malware strategy
Belt & Braces, Server & Endpoint: Why you need multiple levels of malware protection
Stephen Cobb, CISSPSenior Security Researcher, ESET NA
Today’s agenda
• Full spectrum malware defense
Endpoints under attack
• Malware threat shows no signs of retreating
• Attacks come from:
– Cyber criminals
– Hacktivists
– Non-state actors
– Nation states
Attacks from servers, mobile devices
• We now see large-scale server-based attacks
• In one operation: 1000s of servers taken over
• Used to attack 100s of 1000s of endpoints
– Desktops, laptops, mobile devices
• Clearly we need to protect against malware at all levels, across all surfaces
2014 State of Endpoint Risk
• Say threats arising from endpoint vulnerabilities have become more difficult to stop or mitigate: 71%
• Have seen a major increase in malware incidents targeting their endpoints: 41%
• Have had mobile endpoints targeted by malware in the last 12 months: 68%
Source: 2014 State of Endpoint Risk, Ponemon Institute (percentages are of survey respondents)
April 2014 GAO report
• Information Security: Federal Agencies Need to Enhance Responses to Data Breaches (GAO-14-487T)
• A lot of work still to be done, across numerous agencies
– Improve security
– Improve breach response
The scale of the problem
• Information security incidents reported to US-CERT by all federal agencies, 2009 – 2013 (GAO-14-487T)
  2009: 29,999
  2010: 41,776
  2011: 42,854
  2012: 48,562
  2013: 61,214
• Number of incidents way up
– More data to defend?
– Improved reporting?
Exposure of PII is growing
• More incidents involving Personally Identifiable Information (GAO-14-487T, 2009 – 2013)
  2009: 10,481
  2010: 13,028
  2011: 15,584
  2012: 22,156
  2013: 25,566
• Why?
– Thriving black market for PII
• Impact
– Serious costs/stress for victims
– Growing public displeasure
– Fallout for Target’s CIO and CEO
A federal PII breach example
• July 2013: hackers get PII of 104,000+ people
– From a DOE system
• Social Security numbers, birth dates and locations, bank account numbers
– Plus security questions and answers
• DOE Inspector General: cost = $3.7 million
– Assisting affected individuals and lost productivity
What happens to the stolen data?
• Sold to criminal enterprises
– For identity theft, raiding bank accounts, buying luxury goods, laundering money
• Lucrative scams like tax identity fraud
The market for stolen data has matured
All driven by proven business strategies:
• Specialization
• Modularity
• Division of labor
• Standards
• Markets
Market forces in malware strategy
• Dirty deeds that pay well:
– Click fraud
– DDoS
– Spam
– Infection
Malware profitability requires:
• Devices that are always on, with good bandwidth
• Was: desktop-based botnets
• Now: server-based (websites, VPS, etc.)
• With mobile devices on the rise
Example: Operation Windigo
• 25,000+ servers compromised in the last 2 years
• About 10,000 still infected
• 35 million spam messages per day
• 500,000 web redirects per day
• Currently installing:
– Click fraud malware
– Spam sending malware
• Evolving since 2011 as a modular multi-OS design
– Apple OS X, OpenBSD, FreeBSD, Microsoft Windows (Cygwin), Linux, including Linux on ARM
• Stealthy, with strong use of cryptography
• Halts operation to avoid detection
• Maximizes resources by varying activity
Complex malware infrastructure
Structure
• Bad guys install on root-level compromised hosts:
– By replacing SSH related binaries (ssh, sshd, ssh-add, etc.)
– Or via a shared library used by SSH (libkeyutils)
• Servers used to:
– Serve malware, redirect traffic to infected hosts
– Act as domain servers for malicious sites
• Infecting web users through drive-by downloads
• Redirecting web traffic to advertisement networks
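The two install routes above (swapped SSH binaries, or an extra libkeyutils shared object) both change files that a package manager installed and should never change on their own. The script below is an added example, not ESET's tooling and not part of the original deck: it records SHA-256 hashes of the watched files from a known-good host, enumerates every libkeyutils.so* present rather than one fixed path, and reports modified, missing and new files. The path list and the dropped file name libkeyutils.so.1.9 are assumptions for illustration; the demo runs entirely on constructed placeholder files in a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Paths Windigo's SSH backdoor is described as replacing or hooking.
# These defaults are assumptions for illustration; take the real list
# from your package manager (the files owned by the openssh packages).
WATCHED_PATHS = [
    "/usr/bin/ssh",
    "/usr/sbin/sshd",
    "/usr/bin/ssh-add",
    "/usr/bin/ssh-agent",
    "/usr/bin/ssh-keygen",
    "/lib/x86_64-linux-gnu/libkeyutils.so.1",
]


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map each existing path to its SHA-256.

    Build this on a known-good host (fresh install or trusted image) and
    keep it off the box: a root-level intruder can rewrite a local copy.
    """
    return {p: hash_file(p) for p in paths if os.path.isfile(p)}


def watched_libs(lib_dirs, stem="libkeyutils.so"):
    """Every libkeyutils.so* file in the given directories.

    Enumerating by name instead of one fixed path catches an extra
    version of the library dropped alongside the distribution's copy.
    """
    found = []
    for d in lib_dirs:
        if os.path.isdir(d):
            found.extend(sorted(str(p) for p in Path(d).glob(stem + "*")))
    return found


def verify_baseline(baseline, paths):
    """Compare live files with the baseline.

    Returns {'modified': [...], 'missing': [...], 'new': [...]} holding
    basenames. 'new' is any watched file the baseline never saw, which is
    how an unexpected libkeyutils version surfaces.
    """
    report = {"modified": [], "missing": [], "new": []}
    for p, digest in baseline.items():
        if not os.path.isfile(p):
            report["missing"].append(os.path.basename(p))
        elif hash_file(p) != digest:
            report["modified"].append(os.path.basename(p))
    for p in paths:
        if p not in baseline and os.path.isfile(p):
            report["new"].append(os.path.basename(p))
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed scenario: clean baseline in a temp dir, then an
    Ebury-style swap of sshd plus a dropped libkeyutils.so.1.9."""
    with tempfile.TemporaryDirectory() as d:
        bin_dir, lib_dir = os.path.join(d, "bin"), os.path.join(d, "lib")
        os.makedirs(bin_dir)
        os.makedirs(lib_dir)
        bins = [os.path.join(bin_dir, n) for n in ("ssh", "sshd", "ssh-add")]
        for p in bins:
            Path(p).write_bytes(b"placeholder ELF for " + os.path.basename(p).encode())
        Path(os.path.join(lib_dir, "libkeyutils.so.1")).write_bytes(b"placeholder distro lib")

        baseline = build_baseline(bins + watched_libs([lib_dir]))

        # Simulated compromise: trojaned sshd and an extra library version.
        Path(bins[1]).write_bytes(b"placeholder ELF with credential-stealing hook")
        Path(os.path.join(lib_dir, "libkeyutils.so.1.9")).write_bytes(b"unexpected object")

        return verify_baseline(baseline, bins + watched_libs([lib_dir]))


if __name__ == "__main__":
    print(demo())
```

On a real host, run build_baseline once from a trusted image over WATCHED_PATHS plus watched_libs over your library directories, store the result off the machine, and run verify_baseline from a scheduled job or a remote agent. Cross-check with the package manager's own verification (rpm -V openssh-server, or debsums on Debian-derived systems), since a baseline taken after the compromise would only enshrine the backdoor. ESET's quick check of the time relied on the error text a clean OpenSSH printed for the unsupported ssh -G option; OpenSSH 6.8 added a real -G option, so that test no longer discriminates and file integrity is the check to keep.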
The need for belt and braces is clear
• Endpoint
– Scanning all incoming files as they enter, from email, websites, removable media
• Server
– Email, File, SharePoint, Gateway
• Mobile
– Antivirus, remote lock, and wipe
Belt, braces, encryption, authentication
Preferably: One interface to manage them all
Don’t neglect the real end point
Resources to tap
• Industry associations
– CompTIA
– ISSA, SANS, (ISC)2
• Booth number 826
• My talk tomorrow
• Websites
Thank you!
• Stephen Cobb
• [email protected]
• We Live Security: www.welivesecurity.com
• Webinars: www.brighttalk.com/channel/1718
• Booth number 826