Beyond antivirus defeating todays complex blended threats - PowerPoint PPT Presentation

Slides: 31
Provided by: sop2

Transcript and Presenter's Notes

1
Beyond anti-virus - defeating today's complex
blended threats
  • Antony Gibson (Business Development Manager,
    Scandinavia)

2
Virus evolution
ELK CLONER: THE PROGRAM WITH A PERSONALITY
IT WILL GET ON ALL YOUR DISKS
IT WILL INFILTRATE YOUR CHIPS
YES IT'S CLONER!
IT WILL STICK TO YOU LIKE GLUE
IT WILL MODIFY RAM TOO
SEND IN THE CLONER!
From kids having fun (1982) to criminals out to defraud (2007)
3
Malware today
4
Rapidly evolving threat landscape
  Then                              Now
  Noisy and random threats          Silent, targeted
  Disruptive, IT systems crash      Theft, damage
  Growing volume, spread on email   Accelerating, web-based
5
Yesterday's corporate environment
Today's dissolving perimeter
  • Increased mobility
  • Flexible working
  • Non-managed users

6
Web threats
  • Sophos currently finds 9500 new infected web
    pages EVERY DAY
  • About 8 in every 10 are victims' web pages that
    have been compromised by malware or a hacker
  • The other 20% are hacker or malicious sites set
    up to lure in victims

7
What type of content is there?
  • A random snapshot of 1 million blocked sites
    shows the breakdown of content into various
    categories
  • Malware and adult content are each responsible
    for about a third of the sites blocked
  • Spam messages with links to websites account for
    about 1 in 5 blocked sites

Source: SophosLabs
8
Top web threats of 2007 so far
  • The web continues to be a main vector for
    computer threats
  • Mal/Iframe works by injecting malicious code into
    web pages
  • 80% of all web threats reside on compromised
    sites, rather than hacker sites
  • Businesses need to block both by category and
    content
  • Keep servers patched against security threats

Source: SophosLabs
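The slide says Mal/Iframe works by injecting code into legitimate pages, and that most web threats therefore sit on compromised rather than hacker-run sites. The following added example (not Sophos code, and not the detection logic of any product) shows the defender-side check a web administrator or crawler can run over a page: it parses the HTML and reports every iframe that is concealed from the viewer (0x0 or 1x1 pixels, or hidden via CSS), noting a third-party source as an extra reason. The sample page and the example.* host names are constructed.

```python
"""Defender-side scan for injected, hidden iframes of the kind Mal/Iframe plants.

Added example; the sample page below is constructed, not real captured content.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attribute dictionaries of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({name.lower(): (value or "") for name, value in attrs})


def _is_tiny(value):
    """True for width/height values of 0 or 1 (with or without 'px')."""
    match = re.match(r"\s*(\d+)", value or "")
    return match is not None and int(match.group(1)) <= 1


def suspicious_iframes(html, page_url):
    """Return (src, reasons) for each iframe that is hidden from the viewer.

    An iframe is reported only if it is concealed (1x1/0x0 or hidden via CSS);
    a third-party source is recorded as an extra reason, not on its own,
    because visible cross-site embeds (video players, maps) are normal.
    """
    page_host = urlparse(page_url).hostname or ""
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        style = attrs.get("style", "").replace(" ", "").lower()
        reasons = []
        if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
            reasons.append("zero/one-pixel dimensions")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if not reasons:
            continue
        src_host = urlparse(src).hostname or ""
        if src_host and src_host != page_host:
            reasons.append(f"third-party source {src_host}")
        findings.append((src, reasons))
    return findings


# Constructed sample: one legitimate embed plus two injected, hidden iframes.
SAMPLE_HTML = """<html><body>
<p>Legitimate page content</p>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
<iframe src="http://bad.example.net/x.php" width="0" height="0"></iframe>
<iframe src="http://other.example.org/y" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "https://www.example.com/"):
        print(f"suspicious iframe {src}: {', '.join(reasons)}")
```

Run against a site's own pages on a schedule (or against the HTML a crawler fetches), a hit on a page that was clean yesterday is a strong signal that the server has been compromised, which is the "keep servers patched" point the slide ends on.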
9
Size of the Web Threat
  • 29,000 new web pages per day!
  • Nearly one third of all websites blocked by
    Sophos are hosting malware
  • 80% of those websites are legitimate sites that
    have been hacked

10
Rapidly changing web threat
11
Email threats
  • 1 in 312 emails during 2007 was viral
  • In 2006, 1 in 337 messages were infected (about
    the same)
  • A significant drop from 2005, when it was 1 in 44
  • Does this mean that email no longer plays a role?
    No!
  • Email is used to send spam with links to
    infected sites

12
What kind of spam is being sent?
13
The rise in PDF spam
  • A new trick used by spammers is to place their
    marketing messages into PDF attachments, which
    some security products find difficult to read
  • This format is unlikely to set alarm bells
    ringing for even seasoned computer users
  • June 2007 saw a spam campaign try to avoid
    detection by using PDFs, among other file
    attachment types

14
The enemy's motive has changed
15
Money, not testosterone
  • Most malware today is designed to make money
  • It could be stealing resources from your
    computer:
      • sending spam from your computer (which makes
        them money by selling goods, or manipulating
        stock prices)
      • launching a DDoS attack (which makes money
        through blackmail)

16
Money, not testosterone
  • Or it could be stealing information:
      • stealing online banking information, credit
        card details, spyware etc. (which makes money
        for the bad guys)
  • Or it could be generating revenue directly:
      • displaying adware pop-ups (making money for
        every click-through)
  • Other techniques include scareware, ransomware
    and industrial espionage

17
Denial of service blackmail
  • Hackers use compromised computers to bombard
    commercial websites
  • Demand cash with menaces
  • Some DDoS blackmailers have been sent to jail
    after extorting millions of pounds

18
Phishing
  • In the beginning, phishing was done by sending
    fraudulent emails pointing to bogus bank websites
  • Now more and more malware spies on users as they
    visit their legitimate banking websites, stealing
    information

19
Criminals stealing virtual goods
  • It's not just banks and online stores that are
    being targeted by phishing malware
  • In the last year we have seen a steady stream of
    malware that steals credentials from players of
    Massively Multiplayer Online Role-Playing Games
    (MMORPGs)
  • Stealing and selling virtual items can make a
    real-world profit
  • 17% of malware written in China is designed to do
    this

20
Scareware
  • Malware designed to display fake security
    warnings
  • Tell innocent users to purchase bogus
    anti-spyware software
  • More and more malware is preying on the public's
    security fears
  • Some perpetrators behind scareware have been
    arrested and sentenced

21
The black market for botnets
  • Zombie computer networks (or botnets) are
    typically used to:
      • send spam
      • steal information and spy (keypresses,
        passwords, usernames, webcam, files)
      • launch distributed denial of service (DDoS)
        attacks
      • distribute new malware
      • install adware
  • Hackers are selling access to botnets to
    other cybercriminals

22
Removable drive malware is back
  • 2007 saw a resurgence of malware infecting
    desktop drives
  • Removable flash drives (USB keys) are now
    starting to be targeted, as a less well defended
    backdoor on to the network
  • Infected USB drives can take advantage of the
    auto-run functionality that is often enabled by
    default
  • Examples include LiarVB-A, which spreads
    information on AIDS and HIV, and the Hairy worm,
    which claimed that popular fictional teenage
    wizard Harry Potter had died

23
Skype Instant Messaging worm
24
25
Client security is key
  • Are your guests as secure as you?
  • Does your patch management leave holes?
  • Can you really enforce your IT usage policies?
  • Can you prove your answers?

26
Network Access Control (NAC): The Concept Explored
  • What is Network Access Control?
  • Assess the compliance of endpoints against
    corporate security policy prior to granting full
    access to the corporate network:
      • Are antivirus, personal firewall and
        anti-spyware installed, running, and
        up-to-date?
      • Is the machine fully patched?
      • Are the machine and user known to me?
  • If not:
      • Provide quarantined access which protects the
        network from infection
      • Allow the endpoint to be remediated if
        appropriate

27
Sophos NAC's Contextual Authentication
Extending authentication beyond just who is
connecting
  • Relationship to company
  • Employee, contractor, guest
  • Security posture
  • Applications running
  • Wired / wireless
  • Remote / LAN
  • Signature updates
  • Security patch updates

28
Protection
  • Sophisticated co-ordinated spam-malware-adware
  • Web, email, endpoint, device and network threat
    visibility
  • Rapidly changing
  • Global problem
  • Need proactive and reactive response
  • Need to secure users as well as networks, and
    control good as well as bad

29
Summary
  • Web threats are on the increase
  • Nowhere on the web is safe
  • Vulnerabilities continue to be found
  • But the user is the main vulnerability!
  • Need to control:
      • Who connects to your network
      • How users connect and what they can access
      • Security status of endpoints

30
Beyond anti-virus - defeating today's complex
blended threats
  • Antony Gibson (Business Development Manager,
    Scandinavia)