Solution for Security



  1. Solution for Security The Antivirus Defense-in-Depth Guide

  2. What Is Malware? • “malicious software” – viruses, worms, Trojan horses • Trojan horse – A program that appears to be useful or harmless but that contains hidden code designed to exploit or damage the system on which it is run. • Worm – Self-propagating malicious code that spreads to other systems on its own, usually over the network, without needing a host program. • Virus – Code written with the express intention of replicating itself; it spreads by attaching itself to a host program or file that is then passed to other computers.

  3. Malware Characteristics • Target Environments • Device, Operating systems, Applications • Carrier Objects • Executable files, Scripts, Macros, Boot sector • Transport Mechanisms • Removable media, Network shares, Network scanning, Peer-to-peer networks, E-mail, Remote exploit

  4. Payloads or Actions • Backdoor, Data corruption or deletion, Information theft, Denial of Service (DoS), Distributed Denial of Service (DDoS) • DoS and DDoS • System shutdowns, Bandwidth flooding, Network DoS, Service disruption

  5. Trigger Mechanisms • Manual execution • Social engineering • Semi-automatic execution • Automatic execution • Time bomb • Conditional

  6. Defense Mechanisms (used by the malware itself) • Armor – techniques that make the code hard to analyze, for example detecting a debugger • Stealth – hides its presence on the system, for example by intercepting requests that would reveal it • Encrypting – encrypted body with a static decryption routine • Oligomorphic – a small set of alternative decryption routines • Polymorphic – an unlimited number of encryption variants, with a different decryptor each time

  7. What Is Not Malware? • Joke Software • Hoaxes • Scams – fake web sites set up to trick users • Spam • Spyware – spy bots, tracking software • Adware • Internet Cookies

  8. Antivirus Software • Signature scanning • Heuristic scanning • Behavior blocking – e.g. blocking an application that attempts to open a network port

  9. A Typical “In the Wild” Malware Timeline • Conceive • Develop • Replicate • Deliver payload • Identify • Detect • Removal

  10. Malware Threat Vectors • External networks • Guest clients • Executable files • Documents • E-mail • Removable media

  11. The layers of defense-in-depth security model

  12. Data – the innermost layer; malware here exploits weaknesses to gain access to configuration data, organization data, or any data that is unique to a device the organization uses • Application • Host • Internal Network • Perimeter Network (DMZ) • Physical Security • Policies, Procedures and Awareness

  13. Focused antivirus defense-in-depth view

  14. Client Antivirus Protection Steps • Reduce the Attack Surface • All unnecessary applications or services should be removed or disabled on the computer • Apply Security Updates • Windows Update • Software Update Services • Enable a Host-based Firewall • Install Antivirus Software

  15. The use of multiple antivirus applications on the same computer • Is not a recommended approach and should be avoided if possible • Memory overhead • System crashes or stop errors • Performance loss • Loss of system access

  16. Test With Vulnerability Scanners • The Microsoft Baseline Security Analyzer • Nessus • Use Least Privilege Policies • Restrict Unauthorized Applications
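The client protection steps on slides 14 and 16 (reduce the attack surface, apply updates, host firewall, antivirus, least privilege, application restriction) can be audited from one script. The following is an added example written for this page, not code from the Antivirus Defense-in-Depth Guide: the list of unneeded services, the 30-day patch age, and the choice of Microsoft Defender and AppLocker as the antivirus and application-control products are assumptions for illustration.

```powershell
# Added example, not code from the Antivirus Defense-in-Depth Guide: audit (and with
# -Fix, enforce) the client protection steps from slides 14 and 16 on a Windows 10/11
# client. $unneededServices is an assumed list for illustration; derive yours from the
# organization's standard client configuration. Run from an elevated prompt.
#Requires -RunAsAdministrator
param(
    [switch]$Fix,                 # disable the unneeded services and switch the firewall on
    [int]$MaxPatchAgeDays = 30    # assumed policy: a client must have received an update this recently
)
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Reduce the attack surface: services a standard client should not be running.
$unneededServices = 'RemoteRegistry', 'TlntSvr', 'SNMP', 'SSDPSRV', 'upnphost', 'WMPNetworkSvc'
foreach ($name in $unneededServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { continue }                       # not installed on this build
    if ($svc.Status -eq 'Running' -or $svc.StartType -ne 'Disabled') {
        $findings.Add("Service $name is $($svc.Status), start type $($svc.StartType)")
        if ($Fix) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $name -StartupType Disabled
        }
    }
}

# 2. Security updates: flag a client that has not received any update recently.
$lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    $findings.Add("No update installed in the last $MaxPatchAgeDays days (last: $($lastPatch.HotFixID) on $($lastPatch.InstalledOn))")
}

# 3. Host-based firewall: every profile (Domain, Private, Public) must be on.
foreach ($fwProfile in Get-NetFirewallProfile) {
    if ($fwProfile.Enabled -ne 'True') {
        $findings.Add("Firewall profile $($fwProfile.Name) is disabled")
        if ($Fix) { Set-NetFirewallProfile -Name $fwProfile.Name -Enabled True }
    }
}

# 4. Antivirus: Microsoft Defender status (other products expose their own interfaces).
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AntivirusEnabled)          { $findings.Add('Antivirus engine is disabled') }
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is disabled') }
    if ($mp.AntivirusSignatureAge -gt 3)    { $findings.Add("Signatures are $($mp.AntivirusSignatureAge) days old") }
} catch {
    $findings.Add('Could not query Defender status; verify the installed antivirus product by hand')
}

# 5. Least privilege: list local administrators so unexpected members stand out.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$findings.Add("Local Administrators: $($admins -join ', ')")

# 6. Restrict unauthorized applications: is any AppLocker rule collection enforced?
try {
    $enforced = (Get-AppLockerPolicy -Effective -ErrorAction Stop).RuleCollections |
        Where-Object { $_.EnforcementMode -eq 'Enabled' }
    if (-not $enforced) { $findings.Add('No AppLocker rule collection is in enforce mode') }
} catch {
    $findings.Add('AppLocker policy could not be read (module missing or not configured)')
}

$findings
```

Run it without `-Fix` first and compare the findings against the organization's standard client configuration; a vulnerability scanner such as MBSA or Nessus covers the same ground from the outside and should agree with what the script reports from the inside.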

  17. Client Application Antivirus Settings • E-mail clients • Desktop Applications • Instant Messaging Applications • Web Browsers • Peer-to-Peer Applications

  18. Server Defense • Reduce the attack surface • Apply security updates • Enable the host-based firewall • Test using vulnerability scanners

  19. General Server Antivirus Software • CPU utilization during scanning • Application reliability • Management overhead • Application interoperability

  20. The Network Defense Layer • Network Intrusion Detection System • Application Layer Filtering • Content Scanning • URL filtering • Block lists • Allow lists • Quarantine networks for VPN clients

  21. Physical Security • Building security • Personnel security • Network access points • Server computers • Workstation computers • Mobile computers and devices

  22. Policies, Procedures, and Awareness • Antivirus scanning routines • Antivirus signature update routines • Policies on allowed applications and services • Change control • Network monitoring • Attack detection process • Home computer network access policy • Visitor network access policy • Wireless network policy

  23. Security Update Policy • Check for updates • Download updates • Test updates • Deploy updates

  24. Risk-based Policies • Standard client configuration • High-risk client configuration • Guest client configuration • Employee home computers • Partner or vendor computers • Guest computers

  25. Standard server configuration • High-risk server configuration • DMZ server • Role-specific configuration • Mail, Web, Database servers

  26. Automated Monitoring and Reporting Policies • User and Support team Awareness

  27. User Awareness • Opening e-mail attachments • Using weak passwords • Downloading applications and ActiveX control from untrusted Web sites • Running applications from unauthorized removable media • Allowing access to your organization’s data and networks

  28. Internal Malware Alerts • Organization notice boards • Voice mail systems • Logon messages • Intranet portals • E-mail systems

  29. Outbreak Control and Recovery

  30. Infection Confirmation • Infection Reporting • Unusual Activity Reporting • Gathering the Basic Information • Evaluating the Data • Gathering the Details • Unusual Activity Response • False alarm, Hoax, Known infection, New infection

  31. Incident Response • Emergency Outbreak Control – ensure that the infected computers are isolated from other devices • Preparing for Recovery • Minimal disruption to the organization’s business • The fastest possible recovery time from the attack • The capture of information to support possible prosecution • The capture of information to allow for additional security measures to be developed, if required • Prevention of further attacks of this type against the recovered systems
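Isolating an infected computer from other devices, as the emergency outbreak control step above calls for, can be done with the host's own firewall when pulling the cable or the switch port is not an option. The script below is an added example written for this page, not code from the guide; it assumes Windows 8/Server 2012 or later (NetSecurity module), an elevated prompt, and a responder workstation whose address is reachable without DHCP or DNS (static address on the same segment), because everything else is blocked.

```powershell
# Added example, not code from the Antivirus Defense-in-Depth Guide: isolate a suspected
# infected Windows host with its own firewall so it can no longer reach other devices,
# while keeping one path open to the responder's workstation for evidence collection.
# Assumptions: Windows 8/2012 or later, run elevated, and the responder address is
# reachable without DHCP/DNS. -Release restores the previous state.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)][string]$ResponderAddress,   # e.g. 10.0.0.5 or 10.0.0.0/24 (assumed values)
    [switch]$Release
)
$group     = 'IR-Isolation'
$stateDir  = Join-Path $env:ProgramData $group
$ruleList  = Join-Path $stateDir 'disabled-rules.txt'
$profState = Join-Path $stateDir 'profiles.xml'

if ($Release) {
    # Re-enable the rules we disabled, restore the original default actions, drop our rules.
    if (Test-Path $ruleList) {
        Get-Content $ruleList | ForEach-Object { Enable-NetFirewallRule -Name $_ -ErrorAction SilentlyContinue }
    }
    if (Test-Path $profState) {
        foreach ($p in Import-Clixml $profState) {
            Set-NetFirewallProfile -Name $p.Name -DefaultInboundAction $p.DefaultInboundAction `
                                   -DefaultOutboundAction $p.DefaultOutboundAction
        }
    }
    Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    Remove-Item -Path $stateDir -Recurse -Force -ErrorAction SilentlyContinue
    return
}

New-Item -ItemType Directory -Path $stateDir -Force | Out-Null

# 1. Record what is about to change so -Release can undo it.
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction | Export-Clixml $profState
$active = Get-NetFirewallRule -Enabled True | Where-Object { $_.Group -ne $group }
$active | Select-Object -ExpandProperty Name | Set-Content $ruleList

# 2. Disable every existing rule. The profile default action only applies to traffic no
#    rule matches, so the usual allow rules (file sharing, remote desktop, ...) would
#    otherwise keep holes open through a default-deny.
$active | Disable-NetFirewallRule

# 3. Allow only the responder, in both directions.
New-NetFirewallRule -DisplayName "$group responder in"  -Group $group -Direction Inbound `
                    -RemoteAddress $ResponderAddress -Action Allow | Out-Null
New-NetFirewallRule -DisplayName "$group responder out" -Group $group -Direction Outbound `
                    -RemoteAddress $ResponderAddress -Action Allow | Out-Null

# 4. Default-deny everything else on every profile, outbound included: this stops further
#    spreading and command-and-control traffic, not just inbound exploitation.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block
"Host $env:COMPUTERNAME isolated; only $ResponderAddress may reach it. Run again with -Release to undo."
```

Isolation is the first action, not the last: collect the evidence the recovery plan needs (next slide) before cleaning or rebuilding, and keep the disabled-rule list with the incident record so the host can be released in a controlled way.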

  32. Malware Analysis • Examine the Operating System • Active processes and services • The local registry • Files in the MS Windows system folders • New user or group accounts, especially with Administrator privileges • Shared folders • Newly created files with normal looking file names but in unusual locations • Open network ports
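The operating-system artifacts listed on this slide are exactly what a first-responder triage snapshot should capture before anything is cleaned. The script below is an added example written for this page, not code from the guide: it writes one CSV per artifact so the results can be reviewed offline and compared with a known-clean build. It assumes Windows 8/Server 2012 or later, an elevated prompt, the example output path `C:\IR`, and a Security log retained long enough to still hold account-creation events (ID 4720) for the chosen window.

```powershell
# Added example, not code from the Antivirus Defense-in-Depth Guide: snapshot the artifacts
# slide 32 says to examine on a suspected-infected Windows host, one CSV per artifact.
# Read-only apart from the output files. Assumptions: Windows 8/2012 or later, run elevated,
# $OutRoot is an example path, Security log still holds events for the last $RecentDays days.
#Requires -RunAsAdministrator
param(
    [string]$OutRoot = 'C:\IR',
    [int]$RecentDays = 7      # window for "new" files and accounts
)
$since = (Get-Date).AddDays(-$RecentDays)
$out   = Join-Path $OutRoot ('{0}-{1}' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $out -Force | Out-Null

function Save([string]$Name, $Data) {
    # one CSV per artifact; nothing is written for an artifact with no entries
    @($Data) | Where-Object { $_ } | Export-Csv -Path (Join-Path $out "$Name.csv") -NoTypeInformation -Encoding UTF8
}

# Active processes: image path and command line expose renamed or oddly placed binaries.
Save 'processes' (Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate)

# Services: PathName shows what actually runs, StartName under which account.
Save 'services' (Get-CimInstance Win32_Service |
    Select-Object Name, DisplayName, State, StartMode, PathName, StartName)

# Local registry: the common autostart locations.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$autostart = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}
Save 'autostart' $autostart

# Newly created files in the Windows system folders (non-recursive keeps this quick; widen if needed).
$sysDirs = $env:SystemRoot, "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
           "$env:SystemRoot\Temp", $env:TEMP
Save 'new-system-files' (Get-ChildItem -Path $sysDirs -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $since } |
    Select-Object FullName, Length, CreationTime, LastWriteTime)

# Accounts: who is a local administrator now, and which accounts were created recently.
Save 'local-admins' (Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource)
Save 'local-users'  (Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet)
Save 'accounts-created' (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } `
    -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message)

# Shared folders.
Save 'shares' (Get-SmbShare | Select-Object Name, Path, Description)

# Open network ports, mapped to the owning process.
Save 'listening-tcp' (Get-NetTCPConnection -State Listen | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{ LocalAddress = $_.LocalAddress; LocalPort = $_.LocalPort
                       Pid = $_.OwningProcess; Process = $proc.Name; Path = $proc.Path }
})
Save 'udp-endpoints' (Get-NetUDPEndpoint | Select-Object LocalAddress, LocalPort, OwningProcess)

# Hash everything collected so later reviewers can show the evidence is unchanged.
Get-ChildItem -Path $out -File | Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash | Export-Csv -Path (Join-Path $out 'SHA256SUMS.csv') -NoTypeInformation
"Triage output written to $out"
```

Review the CSVs against the same snapshot taken from a clean machine of the same build; a service whose PathName points into a temp folder, a Run entry that was not in the standard image, or a listening port owned by a process with no path are the usual finds. Copy the folder to the responder's workstation before cleaning starts, since the cleaning step itself changes several of these artifacts.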

  33. System Recovery • Restore missing or corrupted data • Remove or clean infected files • Confirm your computer systems are free of malware • Reconnect your computer systems to the network

  34. Clean or Rebuild? • Cleaning • Simple process, if cleaning tools are available • Fewer steps to ensure data is clean • Fewer resources required to use removal tools than to rebuild entire systems • Risk of the system still being infected • Rebuilding • More complex process, especially if a backup and recovery solution was not in place before the infection • More steps necessary to capture, back up, clean, scan, and restore data • The rebuilding process is likely to consume a significant amount of time and resources to complete • Little risk of the system still being infected if restored from clean media and adequately managed data

  35. Restore or Reinstall? • Recovering Data from the infected system • Operating system configuration data • Application data • User data • Restoring From an Image or Backup • Reinstalling the System

  36. Post recovery steps • Post Attack Review Meeting • Post Attack Updates

  37. Network monitoring with Cisco IOS NetFlow • ip route-cache flow – interface configuration command that enables flow accounting on that interface • sh ip cache flow – shows the flow cache, one line per active flow • http://antivirus.cattelecom.com/officescan • http://mail.cattelecom.com
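The flow cache shown by `sh ip cache flow` is a cheap way to spot the network-scanning transport mechanism from slide 3: a worm shows up as one source touching many distinct destinations on the same port with one- or two-packet flows. The script below is an added example written for this page, not part of the original slides or any Cisco tool. It parses saved command output and flags such sources; the sample data is constructed, and the column layout it expects (interface, source, interface, destination, protocol and ports in hex, packet count) is an assumption to check against the router's actual output before relying on the parser.

```powershell
# Added example, not part of the original slides: read saved "show ip cache flow" text and
# flag sources talking to many distinct hosts on one destination port, the pattern a
# scanning worm leaves in a NetFlow cache. Column layout (protocol/ports in hex) is assumed.
param(
    [string]$FlowFile,                 # saved "show ip cache flow" output; omit to use the built-in sample
    [int]$MinDistinctTargets = 20      # distinct destinations per (source, proto, port) before flagging
)

function Get-ScanningHosts {
    param([string[]]$Lines, [int]$MinDistinctTargets = 20)

    # One flow per matching line: SrcIf SrcIP DstIf DstIP Pr SrcP DstP Pkts (Pr/SrcP/DstP in hex).
    $flowPattern = '^\S+\s+(?<src>\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+(?<dst>\d{1,3}(?:\.\d{1,3}){3})\s+' +
                   '(?<pr>[0-9A-Fa-f]{2})\s+(?<sp>[0-9A-Fa-f]{4})\s+(?<dp>[0-9A-Fa-f]{4})\s+(?<pkts>\d+)'
    $flows = foreach ($line in $Lines) {
        if ($line -match $flowPattern) {
            [pscustomobject]@{
                Src     = $Matches.src
                Dst     = $Matches.dst
                Proto   = [Convert]::ToInt32($Matches.pr, 16)
                DstPort = [Convert]::ToInt32($Matches.dp, 16)
                Pkts    = [int]$Matches.pkts
            }
        }
    }

    # Group by (source, protocol, destination port) and count how many different hosts were hit.
    $flows | Group-Object Src, Proto, DstPort | ForEach-Object {
        $targets = @($_.Group.Dst | Sort-Object -Unique)
        [pscustomobject]@{
            Src        = $_.Group[0].Src
            Proto      = $_.Group[0].Proto
            DstPort    = $_.Group[0].DstPort
            Targets    = $targets.Count
            Flows      = $_.Count
            ShortFlows = @($_.Group | Where-Object { $_.Pkts -le 2 }).Count   # unanswered probes are 1-2 packets
        }
    } | Where-Object { $_.Targets -ge $MinDistinctTargets } | Sort-Object Targets -Descending
}

if ($FlowFile) {
    $lines = Get-Content -Path $FlowFile
} else {
    # Constructed sample: 10.1.5.23 probes TCP/139 (0x008B) on 30 neighbours, one packet each,
    # alongside a normal web session and a DNS lookup from another host.
    $lines = @(
        'SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts'
        'Fa0/0         10.1.5.40       Fa0/1         10.2.0.7        06 0C2A 0050    43'
        'Fa0/0         10.1.5.40       Fa0/1         10.2.0.53       11 0D11 0035     1'
    ) + (1..30 | ForEach-Object {
        "Fa0/0         10.1.5.23       Fa0/1         10.2.0.$_      06 0B2A 008B     1"
    })
}

Get-ScanningHosts -Lines $lines -MinDistinctTargets $MinDistinctTargets | Format-Table -AutoSize
```

On the sample this reports 10.1.5.23 with 30 targets on TCP port 139, all short flows, and nothing for 10.1.5.40. The same grouping works on exported NetFlow records from a collector; the threshold should be tuned per network, since a backup server or a monitoring host legitimately touches many peers on one port.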

  38. pornthep.n@cattelecom.com 09-155-7471 ICQ : 8091388 MSN : g40pon@hotmail.com
