endpoint and server: the belt and braces anti-malware strategy
DESCRIPTION
Slides prepared for the Federal IT expo FOSE. They should help employees and managers understand why anti-malware protection is needed at all endpoints and on all servers.
TRANSCRIPT
![Page 1: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/1.jpg)
Belt & Braces, Server & Endpoint: Why you need multiple levels of malware protection
Stephen Cobb, CISSP, Senior Security Researcher, ESET NA
![Page 2: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/2.jpg)
Today’s agenda
![Page 3: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/3.jpg)
Today’s agenda
• Full spectrum malware defense
![Page 4: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/4.jpg)
Endpoints under attack
• Malware threat shows no signs of retreating
• Attacks come from
– Cyber criminals
– Hacktivists
– Non-state actors
– Nation states
![Page 5: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/5.jpg)
Attacks from servers, mobile devices
• We now see large-scale server-based attacks
• In one operation: 1000s of servers taken over
• Used to attack 100s of 1000s of endpoints
– Desktops, laptops, mobile devices
• Clearly we need to protect against malware at all levels, across all surfaces
![Page 6: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/6.jpg)
2014 State of Endpoint Risk
• Are security threats created by endpoint vulnerabilities more difficult to stop/mitigate? 71%
• Have you seen a major increase in malware incidents targeting your endpoints? 41%
• Have your mobile endpoints been the target of malware in the last 12 months? 68%
2014 State of Endpoint Risk, Ponemon Institute
![Page 7: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/7.jpg)
April 2014 GAO report
• Information Security – Federal Agencies Need to Enhance Responses to Data Breaches (GAO-14-487T)
• A lot of work still to be done, across numerous agencies
– Improve security
– Improve breach response
![Page 8: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/8.jpg)
The scale of the problem
• Information security incidents reported to US-CERT by all federal agencies, 2009 – 2013 (GAO-14-487T):
– 2009: 29,999
– 2010: 41,776
– 2011: 42,854
– 2012: 48,562
– 2013: 61,214
• Number of incidents way up
– More data to defend?
– Improved reporting?
![Page 9: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/9.jpg)
Exposure of PII is growing
• More incidents involving Personally Identifiable Information
• Why?
– Thriving black market for PII
• Impact
– Serious costs/stress for victims
– Growing public displeasure
– Target CIO and CEO
• Incidents involving PII reported by federal agencies, 2009 – 2013:
– 2009: 10,481
– 2010: 13,028
– 2011: 15,584
– 2012: 22,156
– 2013: 25,566
![Page 10: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/10.jpg)
A federal PII breach example
• July 2013, hackers get PII of 104,000+ people
– From a DOE system
• Social Security numbers, birth dates and locations, bank account numbers
– Plus security questions and answers
• DOE Inspector General: cost = $3.7 million
– Assisting affected individuals and lost productivity
![Page 11: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/11.jpg)
What happens to the stolen data?
• Sold to criminal enterprises
– For identity theft, raiding bank accounts, buying luxury goods, laundering money
• Lucrative scams like tax identity fraud
![Page 12: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/12.jpg)
The market for stolen data has matured
![Page 13: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/13.jpg)
![Page 14: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/14.jpg)
![Page 15: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/15.jpg)
All driven by proven business strategies
• Specialization
• Modularity
• Division of labor
• Standards
• Markets
![Page 16: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/16.jpg)
Market forces in malware strategy
• Dirty deeds that pay well:
– Click fraud
– DDoS
– Spam
– Infection
![Page 17: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/17.jpg)
Malware profitability requires:
• Devices that are always on, with good bandwidth
• Was: desktop-based botnets
• Now: server-based, websites, VPS, etc.
• With mobile devices on the rise
![Page 18: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/18.jpg)
Example: Operation Windigo
• 25,000+ servers compromised in the last 2 years
• About 10,000 still infected
• 35 million spam messages per day
• 500,000 web redirects per day
• Currently installing
– Click fraud malware
– Spam sending malware
![Page 19: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/19.jpg)
Complex malware infrastructure
• Evolving since 2011 as a modular multi-OS design
– Apple OS X, OpenBSD, FreeBSD, Microsoft Windows (Cygwin), Linux, including Linux on ARM
• Stealthy, with strong use of cryptography
• Halts operation to avoid detection
• Maximizes resources by varying activity
![Page 20: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/20.jpg)
Structure
• Bad guys install on root-level compromised hosts:
– By replacing SSH related binaries (ssh, sshd, ssh-add, etc.)
– Or via a shared library used by SSH (libkeyutils)
• Servers used to:
– Serve malware, redirect traffic to infected hosts
– Act as domain servers for malicious sites
• Infecting web users through drive-by downloads
• Redirecting web traffic to advertisement networks
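The integrity check a defender would want for the files named on this slide, written here as an added example (not ESET's code or anything from the deck): hash the SSH binaries and the libkeyutils library from a trusted install, then re-verify them. The demo tree, file contents and baseline are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the ESET deck. Windigo's server component hides in
# replaced SSH binaries (ssh, sshd, ssh-add) or in the libkeyutils shared
# library, so a defender records hashes of exactly those files from a trusted
# install and re-checks them. Paths, contents and baseline here are constructed
# so the script runs offline on a throwaway tree.

WATCHED="usr/bin/ssh usr/sbin/sshd usr/bin/ssh-add lib/libkeyutils.so.1"

# Constructed demo tree standing in for the real filesystem root.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/usr/bin" "$DEMO/usr/sbin" "$DEMO/lib"
printf 'good ssh\n'          > "$DEMO/usr/bin/ssh"
printf 'good sshd\n'         > "$DEMO/usr/sbin/sshd"
printf 'good ssh-add\n'      > "$DEMO/usr/bin/ssh-add"
printf 'good libkeyutils\n'  > "$DEMO/lib/libkeyutils.so.1"

# record_baseline ROOT OUTFILE: write "sha256  relative/path" for each watched file.
record_baseline() {
  root=$1; out=$2
  : > "$out"
  for f in $WATCHED; do
    h=$(sha256sum "$root/$f" | cut -d' ' -f1)
    printf '%s  %s\n' "$h" "$f" >> "$out"
  done
}

# verify_baseline ROOT BASELINE: report every file whose hash differs or that
# is missing; returns 0 only when all watched files still match.
verify_baseline() {
  root=$1; base=$2; bad=0
  while read -r h f; do
    cur=$(sha256sum "$root/$f" 2>/dev/null | cut -d' ' -f1)
    if [ "$cur" != "$h" ]; then
      echo "CHANGED: $f"
      bad=1
    fi
  done < "$base"
  return $bad
}

record_baseline "$DEMO" "$DEMO/baseline.sha256"

# Simulate the tampering described on the slide: the shared library is swapped.
printf 'trojanized\n' > "$DEMO/lib/libkeyutils.so.1"
if verify_baseline "$DEMO" "$DEMO/baseline.sha256"; then
  echo "all watched files match the baseline"
else
  echo "integrity check failed: investigate before trusting this host's SSH"
fi
```

On a real host the baseline must come from a trusted source; `rpm -V openssh-server` or `dpkg --verify openssh-server` compares against the package database in the same way. Run the check from known-good media rather than with the host's own tools, since a root-level compromise can alter those too.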
![Page 21: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/21.jpg)
![Page 22: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/22.jpg)
The need for belt and braces is clear
• Endpoint
– Scanning all incoming files as they enter
– From email, websites, removable media
• Server
– Email, File, SharePoint, Gateway
• Mobile
– Antivirus, remote lock, and wipe
![Page 23: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/23.jpg)
![Page 24: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/24.jpg)
Belt, braces, encryption, authentication
![Page 25: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/25.jpg)
Preferably: One interface to manage them all
![Page 26: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/26.jpg)
Don’t neglect the real end point
![Page 27: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/27.jpg)
Resources to tap
• Industry associations
– CompTIA
– ISSA, SANS, (ISC)2
• Booth number 826
• My talk tomorrow
• Websites
![Page 28: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/28.jpg)
![Page 29: Endpoint and Server: The belt and braces anti-malware strategy](https://reader030.vdocuments.site/reader030/viewer/2022012918/54b6f2014a7959085e8b45ca/html5/thumbnails/29.jpg)
Thank you!
• Stephen Cobb
– [email protected]
• We Live Security
– www.welivesecurity.com
• Webinars
– www.brighttalk.com/channel/1718
• Booth number 826