2. Today's Speakers: Paul Henry, Security & Forensics Analyst (MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP-ISSAP, CISM, CISA, CIFI, CCE); Paul Zimski, VP of Solution Strategy, Lumension
3. Shifting IT Risk: from Servers and Operating Systems to Endpoints and Applications
4. IT Networks 2000: Static Networks (Corporate HQ, Remote Offices & Subsidiaries, WAN, Corporate Data Center). Data centers used to house an organization's critical information inside a safe and well-defined perimeter.
12. Web Applications are the Leading Attack Path. The applications we use today for productivity (collaborative, browser-based, open source; social communities, gadgets, blogging and widgets) open up our networks to increasing risk every day. Source: Verizon, 2010 Data Breach Investigations Report
17. The Social Attack Vector Evolves. Source: Verizon, 2010 Data Breach Investigations Report
18. Social Media has Changed the Attack Vector. Koobface was unleashed with the help of CAPTCHA breakers that defeat the member-account CAPTCHA protection (sample CAPTCHA: smwm). Botnet-driven operations: the worm spreads via an address replicator, and members trust the downloads. Malware installed: pitches scareware; steals cookies; installs the Waledac email spamming engine; installs the ZeuS banking Trojan; carries out click-through fraud.
22. Adobe Application Support: Adobe Reader, Adobe Flash Player, Adobe Shockwave Player, Adobe Acrobat Pro, Adobe Photoshop, Adobe AIR, Adobe InDesign. Lumension has more coverage than any other patch vendor!
Organizations must manage and secure a large, complex, globally distributed, remote, and mobile computing environment, all of it accessing corporate assets housed within the corporate network as well as corporate assets and resources housed and maintained in a third-party service provider's infrastructure.
The use of these Web 2.0 technologies is pervasive across all industries. Application use of all types is consistent, irrespective of geography or industry, yet the level of risk varies based on the specific industry.
• Application usage is amazingly consistent between financial and healthcare networks and universities or other more traditionally open networks, but the risks are much greater in many cases.
• Overshadowing the frequency of usage is the increased intensity of usage, measured by bandwidth consumed on a per-organization basis. Bandwidth consumed was nearly 3 terabytes (TB).
• Use of social networking within the healthcare and financial services industries was consistent with other industries, yet the implied business and security risks are quite different. The use of social networking at work is an assumed right, so reining in that use as a means of protecting data may introduce employee dissatisfaction. Or worse yet, employees may find a way around the control mechanisms.
• Instant messaging, although often allowed for business purposes, can open an organization to attack when as many as 12 to 15 different IM technologies are being used in the same organization.
IT's challenge is enabling its end users while still protecting them.
The browser is delivering unprecedented levels of business productivity and IT risk every day to your endpoint environment. Most organizations can't stop it: business productivity depends on it, and a younger workforce blends social, business and personal communications together as one. Social networking applications are in use in 95% of businesses today; 78% of these applications support file transfers, many are known propagators of malware, and many have vulnerabilities associated with them. The same holds in industries like financial services and healthcare: 95% usage of social networking across the board. Cybercriminals are targeting these social applications, and the greatest opportunity for them is the amount of trust end users put into these social applications. Once in, they can replicate their malware with amazing speed and devastating impact. Once we talk about browser-based risk, we are in reality starting to talk about cloud computing; there isn't anyone in IT today who hasn't heard of or discussed cloud computing.
The web continues to be a common path of infection. Among web-based malware, we distinguish auto-executed "drive-by downloads" from those involving user interaction. Many of the latter incorporate a social engineering aspect ("click to clean your system"). The web installation vector is more opportunistic in nature than the "installed by attacker" variety that usually targets a pre-selected victim. Once the system is infected, the malware alerts an external agent who will then initiate further attacks. The web is a popular vector for the simple reason that that's where the users are. Overly trusting browsers and users operating with administrative privileges only add to this popularity. While not extremely common, we did observe several cases in which malware was coded directly into an existing program or script. This, of course, requires access to the system but also knowledge of how the code works. Not surprisingly, these often involve malicious insiders who developed the code or administer the system on which it runs. However, a few very interesting cases of this type were committed by outsiders. One of these involved an external agent that had access to the system for over six months. During this time, he studied the input/output process and developed a custom script to siphon data when new accounts were created.
Vulnerabilities affecting a typical end-user PC from 2007 to 2009 almost doubled, from 220 to 420, and it's expected to double again in 2010 (Secunia Half Year Report 2010). A PC with 50 programs installed had 3.5 times more vulnerabilities in the 24 third-party programs installed than in the 26 Microsoft programs installed. It is expected that this ratio will increase to 4.4 in 2010 (Secunia Half Year Report 2010).
Discover: Gain complete visibility of all IT assets, both managed and unmanaged.
Assess: Perform a deep analysis and thorough OS, application and security configuration vulnerability assessments.
Prioritize: Focus on your most critical security risks first.
Remediate: Automatically deploy patches to an entire network per defined policy to support all OSs and applications.
Report: Provide operational and management reports that consolidate discovery, assessment and remediation information on a single management console.
The new way of thinking means nothing will execute unless we know it's trusted. This shift in thinking requires asking new questions about any change coming into our IT environment, such as: where did this application come from, who or what installed it, and what vendor wrote it?
Application control, or whitelisting, provides a new layer in the foundation for endpoint protection. Whitelisting is about identifying the known good and, by default, not letting anything other than what's on the whitelist execute. Simply put, any executable, whether a business application, a video driver, or a web browser plug-in, that is not specified on the whitelist cannot load and run. It's the most effective security layer because it prevents execution at the kernel level.
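The default-deny decision the last two slides describe, as an added example that is not Lumension's code or policy format: it allows an executable only when its hash is on the known-good list, or when it is signed by a trusted vendor and arrived through a trusted deployment channel, so each of the three questions (where it came from, who installed it, which vendor wrote it) feeds the decision. The policy sets, file contents and paths are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed policy (illustration only, not a real product's format):
# known-good hashes, vendors whose signed code is trusted, and the
# deployment channels allowed to introduce new signed code.
TRUSTED_HASHES = set()
TRUSTED_PUBLISHERS = {"Example Corp", "Adobe Systems Incorporated"}
TRUSTED_INSTALLERS = {"software-distribution", "admin"}

@dataclass
class ExecRequest:
    path: str                 # where did this application come from?
    content: bytes            # file bytes (constructed sample data below)
    publisher: Optional[str]  # what vendor wrote it? (None = unsigned)
    installed_by: str         # who or what installed it?

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def add_known_good(content: bytes) -> str:
    """Register an executable's exact bytes as known good; returns its hash."""
    digest = sha256(content)
    TRUSTED_HASHES.add(digest)
    return digest

def decide(req: ExecRequest) -> Tuple[str, str]:
    """Default deny: allow only an exact known-good hash, or code signed by a
    trusted vendor that came in through a trusted deployment channel."""
    digest = sha256(req.content)
    if digest in TRUSTED_HASHES:
        return "allow", "hash on whitelist"
    if req.publisher in TRUSTED_PUBLISHERS and req.installed_by in TRUSTED_INSTALLERS:
        return "allow", "trusted publisher via trusted installer"
    return "deny", "not on whitelist (unknown hash, publisher or installer)"

def evaluate_samples() -> Dict[str, str]:
    """Run constructed execution events through the policy; path -> verdict."""
    erp = b"EXAMPLE-ERP-CLIENT v1.0"  # constructed contents of a known-good app
    add_known_good(erp)
    events = [
        ExecRequest("C:/Apps/erp.exe", erp, "Example Corp", "admin"),
        ExecRequest("C:/Users/bob/AppData/erp.exe", erp + b"\x90", None, "user"),  # same name, altered bytes
        ExecRequest("C:/Adobe/Reader.exe", b"READER-UPDATE", "Adobe Systems Incorporated", "software-distribution"),
        ExecRequest("C:/Users/bob/Downloads/plugin.dll", b"PLUGIN", "Adobe Systems Incorporated", "browser"),
        ExecRequest("C:/Users/bob/Downloads/video.exe", b"SCAREWARE", "Fast Codecs Ltd", "browser"),
    ]
    return {e.path: decide(e)[0] for e in events}
```

Note that the trusted-vendor plug-in dropped by the browser is still denied: the publisher is known but the installer is not, which is the "who installed it" question in action.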