Don’t Let Your Website Spread Malware – a New Approach to Web App Security
Post on 19-Oct-2014
Cecilia Zuvic, Jason Kent, Will Bechtel
Webcast Series – May 2013
Transforming IT Security & Compliance
Agenda
• Website Malware Risk
• Detecting Website Malware
• How Malware is Different
• Better Website Security
• Summary
Identifying Malware with Web Application Scanning
Website Malware Risk
• 2012 Verizon Data Breach Investigations Report (DBIR)
– Involvement of Malware in Data Breaches is increasing
– 2011 - 69% incorporated malware (+20%)
– 2011 - Associated with breaches that involved 95% of records compromised
• 2013 Symantec Internet Security Threat Report (ISTR)
– Web-based Malware Attacks on the Rise: “We have seen the number of Web-based attacks increase by almost a third.”
– Lurking Danger: “silently infect enterprise and consumer users when they visit a compromised website”
– Hard to Detect: “rendering enterprises that rely on signature-based antivirus protection unable to protect themselves against these silent attacks”
Malware Involvement in Data Breaches
[Slides 4–6: figures not captured in this transcript. Source: Verizon 2012 Data Breach Investigations Report]
What happens if your site and users are infected?
• Users are infected, and blame your organization
• Your organization website is blacklisted
• You spend time trying to get off the blacklist
• Reputation Damage & Lost Revenue
How does an attacker get malware on a website?
Victim Website
• Web Application or Indirect Vulnerability
– Known vulnerability in an app or platform component
– Discovered vulnerability in developed application (XSS, etc.)
• Phishing, spyware or social engineering
– Steal password or execute other attack to gain access
• Paying to host an advertisement that contains the infection
– Malvertising: legitimate websites can infect users without being directly compromised
Detecting Website Malware – Traditional Approach
Signature Based Detection on systems/web gateways
• Malware is identified and analyzed (typically after many infections)
• Signature is created
• Signature is distributed to end points/gateways
Zero Day Protection Gap
Detecting Website Malware – Traditional Approach
[Table: Advantage | Disadvantage; cell contents not captured in this transcript]
Detecting Website Malware – a Better Approach
Reputation Check
• Identify reference to site that is known to host malware
Behavioral Analysis
• Instrument a system, watch for exploitation
• Detect zero day
Antivirus Heuristic
• For common scripting techniques, etc.
• For downloadable documents like PDFs
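The reputation check described above, sketched as a passive scan over one page's HTML. This is an added example, not code from the webcast or from any product; the host list, the sample page and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed reputation list; a real scanner would load a maintained feed.
KNOWN_BAD_HOSTS = {"malware.test", "exploit-kit.invalid"}

# Tag -> attribute that a browser fetches automatically when the page loads.
AUTOLOAD_ATTRS = {"script": "src", "iframe": "src", "frame": "src",
                  "embed": "src", "object": "data", "img": "src", "link": "href"}

class ReferenceCollector(HTMLParser):
    """Collects absolute URLs of the resources a page pulls in."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []  # list of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attr = AUTOLOAD_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            # Resolve relative and protocol-relative (//host/...) references.
            self.refs.append((tag, urljoin(self.page_url, value.strip())))

def host_is_listed(host, bad_hosts):
    """True if the host or any of its parent domains is on the list."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in bad_hosts for i in range(len(labels)))

def reputation_check(page_url, html, bad_hosts=KNOWN_BAD_HOSTS):
    """Return the (tag, url) references whose host is on the reputation list."""
    collector = ReferenceCollector(page_url)
    collector.feed(html)
    findings = []
    for tag, url in collector.refs:
        host = urlsplit(url).hostname  # already lower-cased by urlsplit
        if host and host_is_listed(host, bad_hosts):
            findings.append((tag, url))
    return findings

# Constructed sample page: one first-party script, two listed references.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="//cdn.malware.test/loader.js"></script>
</head><body>
<iframe src="http://EXPLOIT-KIT.invalid/landing" width="1" height="1"></iframe>
<img src="https://images.example.com/logo.png">
</body></html>"""

if __name__ == "__main__":
    for tag, url in reputation_check("https://www.example.com/", SAMPLE_PAGE):
        print(f"listed host referenced by <{tag}>: {url}")
```

Because it only reads the page as delivered, the check sees static references; scripts that build their URLs at run time fall to the behavioral analysis the slides list alongside it.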
Detecting Website Malware – a Better Approach
• Set up a vulnerable browsing platform on a VM
• Instrument the browser using API hooking
• Input parameters, return values, and data are logged at various points within the browser and OS
• Watch for exploitation
• When done scanning or when compromised, destroy the VM and start another
How Malware is Different
• Malware Distribution
– Unlike vulnerabilities, which are accidental software flaws, malware is placed deliberately: attackers try to put it in high-traffic areas
– OWASP-type vulnerabilities (XSS, SQLi) should be distributed randomly
– Malware will typically be positioned to infect all users (not just authenticated ones)
• Malware detection does not have the impact of an active scan
– Detection uses ‘passive’ and not ‘active’ techniques
– Safe for daily scans
Better Website Security
• Detect both OWASP vulnerabilities and website malware
– Run daily passive scans on websites to identify malware, notify immediately
– Perform active scans on a regular basis to identify OWASP vulnerabilities
• How you benefit
– Identify and fix vulnerabilities hackers could exploit or malware distributors could use to infect your site and other users
– Protect your revenue, brand reputation and users from malware impact
– Ensure you are covered against both threats, making your site hard for attackers to exploit