
Best practices in managing your devices and applications

Discover why organizations are increasing their IT security measures due to the rise of targeted attacks. Learn about the risks of botnets and the limitations of relying solely on antivirus solutions. Explore the benefits of application control and how it can enhance your network security.





Presentation Transcript


  1. Best practices in managing your devices and applications (Jérôme Bei)

  2. Did the bad guys surrender?
  • There have been no massive attacks lately... Why?
  • Broadband attacks make CSOs increase their IT security
  • Lack of massive attacks makes CSOs think their systems are secure
  • Today, we're facing targeted attacks: silent and focused, with the goal of stealing know-how; victims will hardly admit data theft

  3. Botnets Today
  • 2 million endpoints controlled by Conficker (source: Heise)
  • Total Conficker infections: 15 million endpoints (source: Heise)
  • 300.000 endpoints controlled by Torpig (source: UCSB)
  • 5% of all company hosts infected by botnet worms (source: Damballa study)
  ARE YOU PART OF A BOTNET?

  4. Borderless Networks
  • Who enters your network? Mobile workers, trading partners, customers, vendors
  • They walk right past your firewall!
  • As a consequence, the security solution needs to be host based

  5. Do you feel safe with AV only?
  • April 2006: 16 leading anti-virus vendors tested for 243.671 pieces of known malware
  • One vendor missed OVER 90.000 pieces of malware
  • 4 out of 16 missed over 10.000 of them!
  • Source: www.av-comparatives.org

  6. Do you feel safe with AV only?
  • February 2007: 15 leading anti-virus vendors tested for 481.850 pieces of known malware
  • One vendor missed OVER 80.000 pieces of malware
  • Another vendor missed 30.000 of them!
  • NO vendor had all needed patterns!
  • Source: www.av-comparatives.org

  7. Do you feel safe with AV only?
  • May 2009: 16 leading anti-virus vendors tested for proactive heuristic detection
  • One vendor missed OVER 86% of malware
  • The best vendor still missed 31%
  • NO vendor detected all tested malware!
  • Source: www.av-comparatives.org

  8. Remote Exploit – a complex task? http://www.remote-exploit.org/backtrack_download.html

  9. Ready-Made Exploit Frameworks: MS08-067 RPC

  10. Lumension Application Control

  11. Lumension Application Control: black list approach
  Applications: AUTHORIZED (operating systems, business software) / UNWANTED (games, shareware, unlicensed software)
  Malware: KNOWN (viruses, worms, Trojan horses, spyware) / UNKNOWN (viruses, worms, Trojan horses, spyware)
  BLACK LIST APPROACH: only known malware is covered; unwanted software and unknown malware remain a RISK

  12. Lumension Application Control: white list approach
  Applications: AUTHORIZED (operating systems, business software) / UNWANTED (games, shareware, unlicensed software)
  Malware: KNOWN (viruses, worms, Trojan horses, spyware) / UNKNOWN (viruses, worms, Trojan horses, spyware)
  WHITE LIST APPROACH: only authorized applications run; unwanted software and unknown malware are MANAGED (denied unless explicitly authorized)

  13. Black List vs. White List
  • Unwanted software (games, players, ...): black list: not supported; white list: denied by default
  • Updates: black list: weekly, daily, hourly; white list: only when new applications / patches are installed
  • Zero day protection: black list: new malware is always one step ahead; white list: implicit
  • Operational performance: black list: file filter slows down performance + pattern comparison; white list: kernel based (= fast), no pattern comparison required
  • Scalability: black list: today 800.000 signatures, tomorrow? next year?; white list: a heavily loaded PC with 50 applications has 25.000 signatures – STABLE

  14. Product Operation – Application Control
  What do users / groups of users need to run on their machine to perform their allowed tasks?
  0. IDENTIFY EXE SOURCES
  1. COLLECT (Scan Explorer, Log Explorer, EXE Explorer)
  Organize into file groups: Operating Systems, Admin Tools, Entertainment, Standard Software, Signature Files, Communication, MS Office, customer specific applications, etc.
  3. ASSIGN RIGHTS TO EXECUTE to individual users or groups of users (Accounting, Sales People, Network Admins, Support Team)
  Users can now only run the executables they are allowed to use (SFD's)

  15. Product Operation – Application Control (architecture)
  Components: SecureWave Application Server(s), SQL database (cluster), Active Directory / eDirectory (synchronizes users, groups and computer accounts periodically), policies carrying a digital signature, kernel driver on the client
  • Client boots, user logs on, computer connects to the corporate network
  • Client driver sends an identification message (= machine ID, user ID, domain ID, group IDs, driver version, OS version)
  • The Application Server queries the database for access rules and caches results
  4. The access rules are created, cryptographic signatures are added and the access rules are pushed to the client driver
  5. The access rules are cached locally; policy enforcement is performed at kernel level
  6. The computer may leave the corporate network and will stay secure due to the local white list

  16. How Application Control works: no matching signature
  • A user issues an application execution request
  • The kernel driver generates the file signature using a SHA-1 hash
  • The signature is compared with the list of centrally authorized file signatures
  • Authorization? No matching signature: file execution is denied, and the request is logged

  17. How Application Control works: matching signature
  • Same request, hashing and comparison as above
  • Authorization? The signature matches an entry on the list: the file executes, and the request is logged
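To make the two slides above concrete, here is an added Python model of the check (not Lumension's code, and in user space rather than a kernel driver): the requested file is hashed with SHA-1 at execution time and runs only if its digest is on the centrally authorized list. File names and contents are constructed; the third case shows why a changed file is denied even though its name and path are unchanged.

```python
import hashlib
import os
import tempfile

def file_signature(path):
    """SHA-1 digest of the file contents, streamed so large binaries fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_authorized_list(paths):
    """Central step: hash every approved executable once and keep the digests."""
    return {file_signature(p) for p in paths}

def execution_request(path, authorized, log):
    """Driver-side decision: hash the file now, compare with the list, log the outcome."""
    sig = file_signature(path)
    allowed = sig in authorized
    log.append({"file": os.path.basename(path), "sha1": sig,
                "decision": "executes" if allowed else "denied"})
    return allowed

def demo():
    """Constructed scenario: an approved tool, an unknown binary, and the approved
    tool after its contents were changed (same name and path, new digest)."""
    log = []
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "business_app.exe")
        unknown = os.path.join(d, "shareware_game.exe")
        with open(approved, "wb") as f:
            f.write(b"MZ approved business software v1")   # constructed content
        with open(unknown, "wb") as f:
            f.write(b"MZ shareware that was never authorized")
        authorized = build_authorized_list([approved])
        r1 = execution_request(approved, authorized, log)  # True: digest on the list
        r2 = execution_request(unknown, authorized, log)   # False: no matching signature
        with open(approved, "ab") as f:                    # tamper with the approved file
            f.write(b" + appended code")
        r3 = execution_request(approved, authorized, log)  # False: digest no longer matches
    return r1, r2, r3, log
```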

  18. Major Features
  • White list
  • Full macro protection
  • Instant policy updates
  • Offline protection
  • NT / AD domain / Novell eDirectory support
  • Silent unattended installation
  • Optimized network communication
  • Learning mode
  • Logging & auditing

  19. Demo

  20. Social Engineering the USB way
  Security audit at a credit union (source: http://www.darkreading.com)
  • Step 1: Prepare 20 USB drives with a Trojan horse that gathers critical data (such as user account information) from the PC it is connected to and sends it by email
  • Step 2: Drop these USB drives within the premises of the company
  • Step 3: Wait 3 days ...
  • Result: 15 out of 20 drives have been used by employees; critical data from their PCs has been exposed

  21. Consequences of theft and data loss

  22. Lumension Device Control

  23. Product Operation – Device Control
  What are users / user groups' needs in terms of device / media access rights to perform their allowed tasks?
  0. IDENTIFY DEVICES AND MEDIA
  1.1 PREDEFINED DEVICE CLASSES: CD / DVD ROMs, modem, removable media, printer, USB, ...
  1.2 SPECIFIC DEVICE TYPE / BRAND: e.g. USB Disk Pro, SND1 MP3 player
  1.3 ADD SPECIFIC MEDIA to the media list: unique media such as CD / DVD, Zip drives, disk on key
  3. ASSIGN ACCESS ATTRIBUTES to individual users or groups of users (Accounting, Sales People, Network Admins, Support Team): assign and go
  Users can now access their allowed devices / media according to their granted attributes

  24. Managed Device Access Control: device access granted
  • A user issues a device access request
  • The kernel driver checks the request against the list of classes & known devices (known device check)
  • Known device? Yes: the device policies (users, groups, device classes, devices and access attributes) are evaluated
  • Authorization: Yes: device access is granted, and the request is logged

  25. Managed Device Access Control: no access
  • Same request and known device check as above
  • Authorization: No: no access, and the request is logged

  26. Implementing Device Control (Sales, Marketing): requirement gathering / security requirements / operational implications
  • Use memory keys: standard rule for sales to use memory keys with decentralized encryption and shadowing / only with encryption / audit of copied data
  • Wireless network: offline rule for notebooks with wireless cards / only outside corporate network
  • Usage of digital cameras: time-based rule for digital camera usage, with filter on image data (JPG, GIF, BMP) / only during business hours / no misuse as data storage
  • Usage of CDs / DVDs: explicit assignment of specific media / only specific media

  27. Implementing Device Control (Front Desk, Support Dept., Production server): requirement gathering / security requirements / operational implications
  • Front desk, badge printing: machine-based "lockdown", standard rule for local printer / deny usage of any other device
  • Support dept., usage of customer devices: standard rule for read-only access to customer devices / prevent data loss (customer data / internal data)
  • Production server: maximum stability / deny any device usage / machine-based "lockdown"

  28. Encryption with Device Control
  1) Administrator creates encryption rule
  2) User plugs in memory key
  3) Transparent encryption on corporate computers
  4) Volume Browser tool on stick for 3rd party computers

  29. Access Attributes
  • Read and / or write
  • Scheduled access: from 08:00h to 18:00h, Monday to Friday
  • Temporary access: for the next 15 minutes; starting next Monday, for 2 days
  • Online / offline: assign permissions when no network connection is present; all device classes supported
  • Quota management: limit copied data to 100 MB / day
  • Encryption enforcement: access is granted only if the medium has been encrypted (decentralized encryption), with password recovery option
  • File type filtering: limit the access to specific file types
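As an added example (not Lumension's product code), here is a Python evaluator that applies the attribute types on this slide to a device access request, using the sales rules from slide 26: memory keys only when encrypted, with the 100 MB/day quota, and cameras read-only for JPG/GIF/BMP during business hours. The rule and request layouts, the group name "sales" and the device class names are assumptions; a request that matches no rule is denied by default, as slide 13 describes for white lists.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class DeviceRule:                     # one set of access attributes for a device class
    device_class: str
    groups: set
    rights: set                       # subset of {"read", "write"}
    weekdays: frozenset = frozenset({0, 1, 2, 3, 4})  # scheduled access: Monday to Friday
    hours: tuple = (0, 24)            # scheduled window [start, end) in whole hours
    quota_mb_per_day: float = None    # quota management; None = unlimited
    require_encryption: bool = False  # encryption enforcement (decentralized encryption)
    file_types: set = None            # file type filtering; None = any extension

@dataclass
class AccessRequest:                  # what the kernel driver would report for a request
    user_group: str
    device_class: str
    action: str                       # "read" or "write"
    when: datetime
    filename: str = ""
    size_mb: float = 0.0
    copied_today_mb: float = 0.0      # already written to this device class today
    medium_encrypted: bool = False

def evaluate(req, rules):
    """Return (allowed, reason); the reason is what the audit log would record."""
    for r in rules:
        if r.device_class != req.device_class or req.user_group not in r.groups:
            continue
        if req.action not in r.rights:
            return False, f"{req.action} denied on {req.device_class}"
        if req.when.weekday() not in r.weekdays or not (r.hours[0] <= req.when.hour < r.hours[1]):
            return False, "outside scheduled access window"
        if r.require_encryption and not req.medium_encrypted:
            return False, "medium must be encrypted before access"
        ext = req.filename.rsplit(".", 1)[-1].lower() if "." in req.filename else ""
        if r.file_types is not None and ext not in r.file_types:
            return False, f"file type .{ext} not allowed"
        if r.quota_mb_per_day is not None and req.copied_today_mb + req.size_mb > r.quota_mb_per_day:
            return False, "daily copy quota exceeded"
        return True, "access granted"
    return False, "no matching rule: denied by default"

# Constructed rule set for the sales group (slides 26 and 29): memory keys only when
# encrypted, 100 MB/day quota; cameras read-only for image files, 08:00-18:00 Mon-Fri.
SALES_RULES = [
    DeviceRule("removable_media", {"sales"}, {"read", "write"}, quota_mb_per_day=100, require_encryption=True),
    DeviceRule("digital_camera", {"sales"}, {"read"}, hours=(8, 18), file_types={"jpg", "gif", "bmp"}),
]
```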

  30. Attributes can be allocated to...
  • A complete device class: e.g. all USB printers
  • A device sub class: e.g. USB printer HP 7575, CD/DVD NEC 3520A
  • A unique device, based on encryption, serial number, or specific CDs / DVDs
  • A specific bus (USB, IrDA, FireWire, ...)
  • Groups of devices

  31. Security Features
  • Kernel driver: invisible (no task manager process), fast (no performance loss), compatible (no conflict with other software)
  • Encryption of devices with AES: AES 256 = market standard; fast and transparent within the network; strong password enforcement for usage outside the corporate network
  • Client / server traffic: private/public key mechanism; impossible to tamper with; easily generated and deployed

  32. Security Features
  • Client hardening: even a local administrator cannot uninstall the client
  • Prevention from keyloggers
  • Removable media encryption: assign any removable media to any user and then encrypt the media; the encrypted device is accessible only by the user who owns the access rights on the removable media
  • Offline protection: local copy of the latest device access permission list stored on the disconnected workstation or laptop

  33. Auditing & Logging
  • User actions logging: read denied / write denied; device entered / medium inserted
  • Open API for 3rd party reporting tools
  • Shadowing of all copied data: level 1 shows file name and attributes of copied data; level 2 captures and retains a full copy of data written to an external device or read from such a device
  • Administrator auditing: keeps track of all policy changes made by SDC admins

  34. Demo
