Maximize Computer Security With Limited Ressources
1 like654 views
Dr. Stefan Frei discusses the challenges faced by CIOs in securing endpoints against evolving cyber threats with limited resources. He highlights the increasing vulnerabilities in software, particularly third-party programs, and stresses the importance of effective patch management to mitigate risks. The presentation emphasizes that proactive patching is crucial to protect organizations from opportunistic attacks and reduce exposure to malware.
Maximize Computer Security With Limited Ressources
- 1. How Can a CIO Secure a Moving Target with Limited Resources? Dr. Stefan Frei Research Analyst Director Secunia Session ID: SPO2-302 Session Classification: Intermediate
- 2. Know your Enemy The Changing Threat Environment Fastest growing Personal Theft segment Motivation Gain Author Tools created by Personal of experts now Fame Tools used by less- Vandalism skilled criminals, for personal gain Curiosity Script- Hobbyist Expert Kiddy Hacker Attackers’ Expertise
- 3. Availability of Malware Tools leads to .. High degree of attack automation More opportunistic attacks
- 4. Malware as a Service (MaaS) Malware offered for $249 with a Service Level Agreement and replacement warranty if the creation is detected by any anti-virus within 9 months Source: www.turkojan.com
- 5. Malware Construction Kit Live Demonstration We “trojanize” Windows Minesweeper using an off-the-shelf malware construction kit Absolutely no coding expertise required!
- 6. Full Remote Control.. List / start / stop / disable services Read clipboard List and kill processes Read / modify registry Life capture and control of desktop Life capture of webcam or Remote command console microphone Online / offline keylogger Disable taskbar / desktop icons / start- Execute commands button, reboot, .. Restart / update trojan. Load new plug-ins
- 7. Malware Development Process Obfuscation & Quality Assurance 1 Original Malware Create core malicious functionality: DDoS, steal data, spread infection, .. 2 Permutations 3 Quality 4 Deployment Assurance Only malware that Obfuscate malware. Create multiple serial Test new creations passed QA (not variants to thwart against a number of detected) is used for detection engines up-to-date anti-virus deployment engines Reject if detected
- 8. An Arms Race … 286 million virus samples counted in 2010 783,562 samples / day 32,648 samples / hour 544 samples / minute 9 samples / second Source: Symantec Internet Security Threat Report (ISTR), Volume 16
- 9. Limitations of traditional defense We are to loose this Arms Race .. 25% of 123 publicly known exploits missed by top 10 prevention products 40% missed after slight tweaking of the exploits NSS Labs Test of 2010/Q3 Up to 9% of the end-points in enterprises are found to be bot infected NSS Labs Anti-Malware Test Report 2010Q3 Damballa on Darkreading, 2010
- 10. From a Criminal’s Perspective #Hosts x #Vulnerabilities = Opportunity
- 11. Worldwide Internet Usage 2,095 Million estimated Internet users on March 31st, 2011 penetration of 31% population 448% growth from 2000 to 2010 Source: http://www.internetworldstats.com 12
- 12. 2,095 Million potential victims.. End-points are increasingly targeted End-point are where the most valuable 1 data is found to be the least protected By definition, end-point PCs have access to all data needed to conduct their business End-points are difficult to secure 2 Highly dynamic environment and unpredictable usage patterns by users A single vulnerable program is enough 3 Cybercriminals only need a single vulnerable program to compromise the entire system
- 13. From a Criminal’s Perspective #Hosts x #Vulnerabilities = Opportunity
- 14. Analysis What does an end-point look like? Data: Scan results from more than 4.8 Mio users of the Secunia Personal Software Inspector PSI Secunia PSI is a lightweight scanner to enumerate and identify insecure programs automatically install missing patches Free for personal use http://secunia.com/psi
- 15. Distribution of Distribution of #vendors #programs
- 16. The Top-50 Software Portfolio .. Covers the 50 most prevalent programs to represent a typical end-point: 28 Microsoft and 22 third-party (non MS) programs from 12 different vendors 12 28 22 Third- Vendors Microsoft party Top-50 Portfolio as of December 2011
- 17. An alarming trend .. in # of end-point vulnerabilities Number of vulnerabilities continuously increased since 2007 870 Vulnerabilities in 2011 doubled in two years 421 in 2009 229 in 2007 18
- 18. A relevant trend .. in criticality and type of vulnerabilities 800+ Vulnerabilities of which >50%
- 19. What is the source of this increasing trend? ? OS MS TP Operating Microsoft Third-party System Programs Programs
- 20. It is third-party programs Non-Microsoft programs are found to be almost exclusively responsible for this increasing trend OS What you 12% MS patch 10% TP Third-party Programs 78% Cybercriminals Origin of vulnerabilities in the Top-50 Portfolio as of Dec 2011 don’t care
- 21. The Operating System & Top-50 Software Portfolio Top 50 Portfolio 2011 + Vulnerabilities 870 Vulnerabilities 867 Vulnerabilities 869
- 22. How do we keep a typical end-point up to date?
- 23. Complexity hurts 12 different update mechanisms .. 11 Update 1 Update Mechanisms OS Mechanism 12% TO PATCH MS TO PATCH 10% 22 third-party programs TP Third-party OS+28 Microsoft programs fix 78% of the Programs fix 22% of the vulnerabilities vulnerabilities 78%
- 24. Cybercriminals know patch available ≠ patch installed
- 25. Patch Complexity .. has a measurable effect on security Percent of unpatched programs Third-Party Microsoft 2.7% insecure Microsoft programs 2011 average 6.5% insecure Third-Party programs
- 26. You can’t hide Even rare programs have exploits Programs with low market share are FALLACY not exposed - as no exploits exist Exploit availability vs. market share of programs 22% of the programs with 10-20% market share have exploits
- 27. Are we doomed?
- 28. The Good News most patches are available on time! 72% of the patches are available on the day of vulnerability Patch Availability disclosure 72% 28%
- 29. Cybercriminals .. don’t need zero-day exploits! Malware propagation methods: of the attacks had no patch available at the < 1% day of attack (zero-day attack) Microsoft SIR 11 Report 1H2011 Cybercriminals always find more than enough opportunity in unpatched and well understood program vulnerabilities
- 30. Instant patching of all programs is a major challenge What patching strategy yields the largest risk reduction with limited resources available ?
- 31. Simulation Static vs. Dynamic Patching Say you have a portfolio of the 200 most prevalent programs On average, how many programs do you need to patch every year to get a 80% risk reduction? Static Approach Dynamic Approach Patch the N most prevalent Patch the N most critical programs every year programs every year
- 32. Statically patching .. the most prevalent programs Percentage of risk remediated Patching N of 200 programs by patching N programs Strategy 1: Static 100% Risk remediated by patching the Percentage of risk remediated N most prevalent programs 80% 60% 40% 20% 80% risk reduction achieved 0% 37 by patching the 37 most 0 20 40 60 prevalent programs Number of programs patched
- 33. Statically patching .. the most critical programs Percentage of risk remediated Patching N of 200 programs by patching N programs Strategy 1: Static 100% Risk remediated by patching the Percentage of risk remediated N most prevalent programs 80% 60% Strategy 2: By Criticality Risk remediated by patching the 40% N most critical programs 20% 80% risk reduction achieved 0% 12 37 by either patching the 12 most 0 20 40 60 critical programs, or by patch- Number of programs patched ing the 37 most prevalent programs
- 34. Why? .. chasing a moving target Programs vulnerable in one year, but not 39% in the previous or following year of the programs vulnerable in one year are not vulnerable in the next year or vice versa Not vulnerable in other year
- 35. Job Security .. It depends when you get 0wned ✓ ✓ ✗ time Patch not Patch available Patch available available not installed & installed valid excuse, no excuse needed can’t do a lot #@!;#$ limited feasible protection available, exploitation protection not implemented no more possible Patch released Patch installed
- 36. A patch provides better protection than thousands of signatures it eliminates the root cause
- 37. Properties of a Patch .. from a risk & operations perspective No false positives (no false alarms) No false negatives (no missed attacks) No latency or other delays introduced No resources whatsoever consumed after deployment A patch essentially terminates the arms race with cybercriminals
- 38. The Known Unknowns Business Criminals View View Your Infrastructure Microsoft Third Party Programs Programs 1/5 4/5
- 39. The Known Unknowns Business Criminals View View Your Infrastructure Microsoft Third Party Programs Programs 1/5 4/5 business critical programs programs you know about programs you don’t know about
- 40. The Known Unknowns Business Criminals View View Your Infrastructure Microsoft Third Party Programs Programs 1/5 4/5 What you business critical patch programs programs you know about programs you don’t know about
- 41. The Known Unknowns Business Criminals View View Your Infrastructure Microsoft Third Party Programs Programs 1/5 4/5 What they What you business critical attack patch programs programs you know about programs you don’t know about
- 42. Common Fallacy Business Cybercriminal Program X is not Program X is just the business critical, attack vector to therefore we won’t compromise the entire spend time patching it system X = { Adobe Flash, Reader, Firefox, Java, .. } Exploitation of any program can compromise the entire end-point
- 43. Failure of End-Point Security What is needed: Reduce Complexity We need tools to simplify and automate patch management in order to master the complexity Intelligence We need tools to enumerate and identify all critical programs to ensure we spend resources on the relevant parts
- 44. Conclusion - I Know your enemy and risks Microsoft is still perceived as the primary attack vector Our defense likely locks the front door while the back door remains wide open Intelligence Knowing all programs and the risks is critical in this dynamic environment This saves resources in remediation process
- 45. Conclusion - II Know your tools We need Antivirus, IDS/IPS, .. But we also need to know the limitations of those technologies Patching is a primary security measure Given the effectiveness of eliminating the root cause, and the availability of patches
- 46. Stay Secure! Dr. Stefan Frei Mail: sfrei@secunia.com Twitter: @stefan_frei secunia.com
- 47. Supporting Material Secunia 2011 Yearly Report http://secunia.com/company/2011_yearly_report/ How to Secure a Moving Target with Limited Resources http://bit.ly/hzzlPi RSA Paper “Security Exposure of Software Portfolios” http://bit.ly/eQbwus Secunia Quarterly Security Factsheets http://secunia.com/factsheets Secunia Personal Software Inspector (PSI) free for personal use http://secunia.com/psi