
Stopping Blended Threats: Securing Data, Applications and Information in the Age of Web 2.0



Presentation Transcript


  1. Stopping Blended Threats: Securing Data, Applications and Information in the Age of Web 2.0

  2. Introductions: Tim Roddy, Senior Director, Product Marketing, McAfee, Tim_roddy@mcafee.com

  3. Agenda • Overview of Security Challenges Then and Now • Business Value of Web 2.0 • Blended Threat Overview • How to Stop Blended Threats • McAfee’s Comprehensive Technologies & Solutions • Discussion

  4. Threat Growth by Type. Chart: Malware Growth (Main Variations), threats by type (Virus and Bots, PUP, Trojan), 1997 to 2008, y-axis 0 to 2,000,000 threats. 3,900% increase since 2006!!! Source: McAfee Avert Labs

  5. The Changing Landscape

  6. Business Value of Web 2.0 New Marketing Channels Employee Life/Work Balance Collaboration Tools Find Employees

  7. Forrester’s survey (pie chart; segments 9%, 12%, 40%, 14%, 14%, 12%) • Online survey of IT decision-makers • Firms with 500 or more internet users • 253 respondents

  8. “If access to social networking sites, such as MySpace and Facebook, is blocked, how would this impact your organization?” Base: 253 global IT decision makers Source: A commissioned study by Forrester Research on behalf of Secure Computing

  9. Data leak tops the list of web security concerns Data Leak Considerations Base: 253 global IT decision makers Source: A commissioned study by Forrester Research on behalf of Secure Computing

  10. Agenda • Overview of Security Challenges Then and Now • The Growing Value of Web 2.0 Applications • Blended Threat Overview • How to Stop Blended Threats • McAfee’s Comprehensive Technologies & Solutions • Discussion

  11. Typical Blended Threats? Attackers want end users to click on a web link (a URL) or execute a binary: • Email with Links or attachments • Malware infected Websites and ads • Links in Blogs, Wikis and social networking sites • Instant Messaging and Twitter


  13. Social Engineering

  14. Phishing Attacks

  15. “Whaling” & “spear phishing” attacks on the increase • Targeted attacks at senior executives • Email addresses accurate • Small numbers of mails sent • Many government and financial organisations targeted in US and EMEA • Attack vectors: • Documents with embedded malware • URL links to malware • Data stolen: • Keystrokes • Screenshots • PGP keys • Passwords

  16. Combined attack - Storm • This Storm campaign tempts the user to click on a link (‘FBI wants instant access to Facebook’); users are tempted to download ‘fbi_facebook.exe’ • In addition, the malicious Web site serves up a host of browser exploits. Screenshot text: “Your download will start shortly. If you are unable to read the article, save it and run it on your computer.”

  17. Typical Blended Threats? Attackers want end users to click on a web link (a URL) or execute a binary: • Email with Links or attachments • Malware infected Websites and ads • Links in Blogs, Wikis and social networking sites • Instant Messaging

  18. Types of Attack. Malicious Ads • Requires user to click on executable. Transparent (Drive-By) Attacks • Malvertizing • Script insertion via SQL Injection • Remote access toolkit (RAT) exploitation of Web 2.0 applications

  19. Trusted Sites Deliver Malware via Ads


  21. And on that note… • 214 of 2157 pages delivering malware • 721 script exploits and 4 trojans • http://blogs.zdnet.com/security/?p=1902 , Sept 15, 2008

  22. Example of a compromised Web Site(Realmedia Malvertising)

  23. What is Operation Aurora? • A coordinated attack targeting a rapidly growing list of companies, including Google, Adobe, Juniper, and others • Exploits a zero-day vulnerability in Microsoft IE • Lures users to malicious websites, installs Trojan malware on systems, uses Trojan to gain remote access • Uses remote access to gain entry to corporate systems, steal intellectual property (including source code), and penetrate user accounts. McAfee provided multiple zero-day protections

  24. Steps of the Cyber Attack. 1. Attack initiated. User with IE vulnerability visits website infected with Operation Aurora malware. 2. Attack in progress. Website exploits vulnerability; malware (disguised as JPG) downloaded to user system. 3. Attack setup complete. Malware installed on user system; malware opens back door (using custom protocol acting like SSL) that gives access to sensitive data. Zero-day products (steps 1-2): Web Gateway, Network Threat Response. Zero-day products (step 3): Firewall, Web Gateway, Application Control, Network Data Loss Prevention

  25. Typical Blended Threats? Attackers want end users to click on a web link (a URL) or execute a binary: • Email with Links or attachments • Malware infected Websites and ads • Links in Blogs, Wikis and social networking sites • Instant Messaging and Twitter

  26. Social Engineering • Video links resulting in requirement to download fake flash player updates

  27. TrustedSource Reputation Not youtube!

  28. Typical Blended Threats? Attackers want end users to click on a web link (a URL) or execute a binary: • Email with Links or attachments • Malware infected Websites and ads • Links in Blogs, Wikis and social networking sites • Instant Messaging and Twitter

  29. Instant Message Blended Threat Example

  30. Twitter
     • 900 percent growth in users last year
     • Beginning to see use as new promotion and marketing tool
     • Security Risks
       • Malicious Links
         • Tweets have 141 character limit
         • URL shortened to TinyURL
         • Users can’t tell where URL goes when mouse/scroll over
         • Exploits “trust”: “message is from my friend”
       • Now being used for phishing
         • Tweets with TinyURL to visit certain blogs
         • Bogus URL leads to login page to steal login credentials
       • Twitter site hacked in early January
         • One individual compromised the system
         • Hacked Britney Spears, CNN’s Rick Sanchez and Barack Obama’s Twitter sites
         • 33 accounts hacked

  31. Koobface uses Twitter to Attack • MacWorld, July 10, 2009 • Koobface replicates by checking to see if user of infected PC is logged into Twitter or other social networking app • Posts fraudulent messages with tiny URL link • Link leads to malicious web site • Web site link is to “video” • Trick user into Flash Video Upgrade

  32. Four Characteristics of a Blended Threat. A blended threat typically includes: 1. More than one means of propagation -- for example, distributing a hybrid virus/worm via email that will self-replicate and infect a Web server, so that contagion will spread through all visitors to a particular site; 2. Exploitation of vulnerabilities, which may be preexisting or even caused by malware distributed as part of the attack; 3. The intent to cause real harm (rather than just causing minor computer problems for victims), for example, by launching a denial of service (DoS) attack against a target, or delivering a Trojan horse that will be activated at some later date; 4. Automation that enables increasing contagion without requiring user actions, such as opening attachments. Searchsecurity.com definition: http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci961251,00.html

  33. Today’s Threat Lifecycle. Web 2.0 is the catalyst! Increasing attack success! • More malware variations: 133% more malicious code threats in 12 months • 68% of top malware infections exposed confidential data • 80% of malware infections are Web application exploits • Only 4% of vulnerable websites get fixed! • Attack target: users vs. machines • 500% increase in phishing sites!

  34. Case Study: The Cost of Malware • Mounds View School District • 10,000 students and 1,400 staff • 3,500 computers and 40 servers required rebuilding • 3 hrs per computer to reformat • ~10,500 hours of work • At $30 per hour that is $315K • At $50 per hour that is $525K • Between Feb 10 and Feb 18, 12 staff members working 15-hour days • Source: startribune.com and twincities.com, Feb 19, 2009

  35. “In the past fiscal year, how much did your organization spend on malware cleanup?” Base: 253 global IT decision makers. Source: A commissioned study by Forrester Research on behalf of Secure Computing

  36. Agenda • Overview of Security Challenges Then and Now • The Growing Value of Web 2.0 Applications • Blended Threat Overview • How to Stop Blended Threats • McAfee’s Comprehensive Technologies & Solutions • Discussion

  37. What is the norm? • BLOCKING ACCESS is the norm at the Web gateway • URL filtering enforces the “block/allow” rules of the Web Acceptable Use Policy • Authentication controls “block/allow” rights to Web access • Anti-Virus protection (if used) completely “blocks” access to infected sites. Diagram (typical enterprise deployments): Internet traffic → Firewall → Proxy servers / Web gateway (URL filtering; incomplete active content protection) → End users. Web 1.0 security is based upon “blocking” access.

  38. Holding Back the Tide: Typical Examples

  39. Creating a culture of “YES”! In the Language of Security • Negative Security Models (known bad) can only BLOCK access and CANNOT scale and protect against these new threats – Infinity and Invisibility cannot be effectively blocked • A new Positive Security (defined good) PARADIGM is the only practical solution that enables Web 2.0 applications access • Web 2.0 access can be successfully enabled by: • Global Reputation • Local Intent Analysis

  40. Protecting against Blended Threats • Deploy proactive protection on email • Minimize SPAM exposure with 99%+ detection capability • Stop zero hour mail threat with Reputation based protection • Deploy proactive protection on web access • Deploy reputation based Web filtering • Filtering incoming web pages, on all web protocols, proactively for malware, including encrypted traffic • Apply protection to http, https and ftp traffic • Apply reputation based Web filtering and malware protection on IM traffic • Inspect all outbound email, web and IM traffic for data leakage • Define DLP policy • Detect possible policy violations • Enforce • Audit and Report

  41. Physical World - What is Your Reputation? (Credit-score analogy; chart inputs: number of transactions, timely payments, late payments; credit score scale.) Three dimensions of behavior: Length: I do not pay bills on time. Width: I short-pay my bills. Height: I have been doing this for 20 years! Credit agency view: Length: how many tardy payment records do we have? Height: how long has this behavior been recognized? Flow: Monitor businesses globally → Credit score created using the multiple dimensions; this score dynamically changes over time with improved or worsened behavior (analysis using global intelligence) → Credit score dictates the terms and conditions on which companies are willing to transact business (proactive protection: deny/approve loan, terms).

  42. Physical World - What is Your Reputation? (Applied to Internet reputation; chart inputs: connection volume, behavior patterns, location; reputation score scale.) Three dimensions: Length: how long has the domain or site existed? Width: how active is it? Height: associated with spam or malware? Reputation system view: Length: how long has the domain existed? Height: how long has this behavior been recognized? Flow: Monitor global Internet → Reputation score created using multiple dimensions; this score dynamically changes over time with improved or worsened behavior (analysis using global intelligence) → Reputation score used to decide whether the email is received or web page viewed (proactive protection: deny/approve network connections).

  43. Reputation Based Anti-Spam Protection. Layered funnel from the Internet inward, global to local: Connection Protection / IP Reputation → Message Reputation → Statistical & Heuristic Protection. Cumulative spam blocked at successive stages: ~50%, ~80%, ~90%, ~99.5+%; 99.5%+ spam removed overall.

  44. Web 1.0 URL Filter Overview. Web Filter goals: • Increase employee productivity • Reduce liability • Manage bandwidth • Security to prevent access to malicious sites. Diagram: requests for Shopping, Gambling, Business, IM, Porn and Security categories are matched against the filtering database (categories: Security, Pornography, Hate Sites, Gambling, Shopping, Business, IM).

  45. Reputation-Based Web Filtering: How it Works. Traditional URL filtering classifies by category only: “ONLINE SHOPPING” (eBay.com, Amazon.com) → Action: Allow; “PORN” (Playboy.com, Hustler.com, Porn.com, XXX.com) → Action: Block. Reputation-enhanced URL filtering adds a trustworthiness scale (100% down to 0%) with a trustworthy threshold; the diagram places bobsbikeshop.com and online advertisements below the threshold (Action: Block). Reputation based filtering adds a second dimension of scoring: the trustworthiness of a web site. http://www.networkworld.com/news/2008/013008-expedia-rhapsody-malware.html
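The two-dimensional decision described on slides 42 and 45 (category from the URL database first, then a trust score built from the domain's age, activity and spam/malware associations, compared against a threshold), as an added example; this is illustrative code, not McAfee's TrustedSource scoring, and the weights, the category policy table and the sample sites are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class SiteInfo:
    """Constructed inputs: one URL-database category plus the three reputation
    dimensions the deck names (length = age, width = activity, height = bad history)."""
    domain: str
    category: str          # from the URL-filtering database
    age_days: int          # "length": how long the domain has existed
    daily_requests: int    # "width": how active it is
    bad_reports: int       # "height": spam/malware associations observed


# Web 1.0 acceptable-use policy on the category axis (assumed table).
CATEGORY_POLICY = {
    "porn": "block", "gambling": "block", "hate sites": "block",
    "shopping": "allow", "business": "allow", "online ads": "allow",
}


def trust_score(info: SiteInfo) -> float:
    """Combine the three dimensions into a 0-100 trustworthiness score.
    Weights are assumptions for this example: a site starts at 40, earns up to
    40 for a year of history and 20 for established traffic, and loses 15 per
    spam/malware report (capped at 60)."""
    age = min(info.age_days, 365) / 365 * 40
    activity = min(info.daily_requests, 10_000) / 10_000 * 20
    penalty = min(info.bad_reports * 15, 60)
    return max(0.0, min(100.0, 40 + age + activity - penalty))


def decide(info: SiteInfo, threshold: float = 50.0):
    """Category first (traditional filtering), then the reputation threshold
    (the second dimension). Returns (action, reason)."""
    if CATEGORY_POLICY.get(info.category, "allow") == "block":
        return "block", f"category '{info.category}' blocked by acceptable-use policy"
    score = trust_score(info)
    if score < threshold:
        return "block", f"category allowed but trust {score:.0f} below threshold {threshold:.0f}"
    return "allow", f"category allowed and trust {score:.0f} meets threshold"


# Constructed sample sites mirroring the slide's examples.
BIKE_SHOP = SiteInfo("bobsbikeshop.com", "shopping", age_days=2000, daily_requests=50, bad_reports=0)
NEW_AD_HOST = SiteInfo("ads-example.invalid", "online ads", age_days=3, daily_requests=500, bad_reports=3)
ADULT_SITE = SiteInfo("porn.com", "porn", age_days=5000, daily_requests=9000, bad_reports=0)

if __name__ == "__main__":
    for site in (BIKE_SHOP, NEW_AD_HOST, ADULT_SITE):
        print(site.domain, *decide(site))
```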

  46. Anti-Malware Protection for Web 2.0. Active code types covered: Visual Basic for Applications macros in Office documents; JavaScript (in HTML, stand-alone, in PDF); Visual Basic Script; Windows executables & dynamic link libraries; Java applets & applications; ActiveX controls & browser helper objects. Detection: • Buffer overflow exploit detection • Generic Trojan downloader detection • Shell code detection • Several other detection algorithms. Intent Analysis: active code fragments are extracted or blocked; the security policy maps classification into action. Local Intent Analysis engines enforce the conditions set by the site’s reputation, protecting from malicious active scripts and determining intent when a signature cannot exist. “Local Enforcement of Global Reputation.”

  47. Anti-Malware is More Than Anti-Virus. Signature based detection is not enough to cover today’s targeted malware attacks. Anti-Malware = Anti-Virus + Intent Analysis + … Anti-Virus: • Protects from known malicious code • Signature based Anti-Virus is an important part of anti-malware protection • Stops “known threats” • However it is only a single aspect of the complete solution • Signature based detection is not enough to cover today’s targeted Web 2.0 malware attacks. Intent Analysis: • Protects from unknown malicious mobile code for which no signature exists • Prevents OS, browser and application exploits • Code authentication – checks for digital signature on active code • Media type filter – verification via “magic byte” analysis, not MIME • Behavioral malware detector – scans for malicious script intent and removes offending function calls • Behavioral exploit detector – inspects code for hostile behavior like buffer overflows, etc. Anti-Malware is a unique combination of signature-based Anti-Virus PLUS intent analysis of mobile code.
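The media type filter above (trusting magic bytes rather than the declared MIME type) is what catches the slide 24 trick of malware served as a JPG. As an added example, not McAfee's code: a gateway-side check that compares the leading bytes of a response body against the Content-Type header; the signature table, the policy and the sample bodies are constructed for the example.

```python
# (magic bytes, media types that legitimately begin with them); constructed table
# of standard file headers, not exhaustive.
SIGNATURES = [
    (b"MZ", {"application/x-msdownload"}),              # PE executable or DLL
    (b"\xff\xd8\xff", {"image/jpeg"}),
    (b"\x89PNG\r\n\x1a\n", {"image/png"}),
    (b"GIF87a", {"image/gif"}),
    (b"GIF89a", {"image/gif"}),
    (b"%PDF-", {"application/pdf"}),
    # ZIP containers share one header, so JAR and plain ZIP are both legitimate.
    (b"PK\x03\x04", {"application/zip", "application/java-archive"}),
]


def sniff(body: bytes):
    """Return the set of media types consistent with the leading bytes, or None."""
    for magic, types in SIGNATURES:
        if body.startswith(magic):
            return types
    return None


def classify(content_type: str, body: bytes):
    """Gateway policy (assumed for this example). Returns (action, reason):
    - an MZ header is blocked whatever the header claims (executables are never
      accepted as web downloads here);
    - a body whose magic bytes contradict the declared type is blocked;
    - unknown leading bytes go to the anti-malware scanner rather than being trusted."""
    declared = content_type.split(";")[0].strip().lower()   # drop charset etc.
    actual = sniff(body)
    if actual == {"application/x-msdownload"}:
        return "block", "PE executable (MZ header), whatever the declared type"
    if actual is None:
        return "scan", f"no known magic bytes; declared {declared} cannot be confirmed"
    if declared not in actual:
        return "block", f"declared {declared} but magic bytes indicate {'/'.join(sorted(actual))}"
    return "allow", f"content consistent with declared {declared}"


# Constructed sample responses: a real JPEG header and an executable "disguised as JPG".
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
DISGUISED_EXE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"

if __name__ == "__main__":
    print(classify("image/jpeg", REAL_JPEG))
    print(classify("image/jpeg", DISGUISED_EXE))
```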

  48. Enabling Web 2.0 Applications via SSL. The invisible “privacy” tunnel is a wonderful means to deliver malware from “compromised” Web 2.0 applications (SSL: 30-40% of Web traffic). What is currently in place to mitigate risks delivered via SSL? • Block SSL traffic (port 443): prohibitively conservative; impractical as more business applications use SSL • URL filtering databases to block SSL URLs: new SSL URLs every day; not a 100% solution; does not address the content transferred • Ignore: live with the risks of unmanaged SSL traffic; deal with malware or content leak when it occurs

  49. The Solution to the SSL Blindspot. Diagram: Client ↔ McAfee Web Gateway (Webwasher) HTTPS proxy ↔ Internet ↔ Web server. 1. Client/proxy handshake 2. Proxy/web server handshake 3. Certificate verification 4. Web site sends encrypted content 5. Decrypted content scanned at the proxy 6. Re-encrypted content sent to client. No decrypted content on the wire at any time!
