
Giving the Heave-Ho to Worms, Spyware, and Bots!

Tammy L. Clark, CISSP, CISM, CISA, CISO, Georgia State University

William Monahan, CISSP, CISA, CISM, Information Security Administrator Lead

2

Malware

Every exploit takes advantage of a specific weakness in a program, and it reaches that weakness by a variety of technical means.

Social engineering, on the other hand, exploits the weak link in human behavior.

What results when an exploit and social engineering are combined?

3

“New Vulnerability in Excel…”

On June 15th, the following was reported:

“A new vulnerability, which is being actively exploited, has been discovered in Microsoft Office Excel that could allow a remote attacker to run and execute commands on the local system. This vulnerability can be exploited if a user visits a malicious web page which is specifically crafted to exploit this vulnerability. However, a more important concern is that this vulnerability can be exploited by receiving and executing the malicious Excel (.XLS) email attachments, which are not likely to be blocked by email filters.”

As the threat spreads, AV vendors rush to get updated signatures out… more computers are turned into ‘bots’ and ‘zombies’ over the Internet… new variants of the threat resurface and are once again neutralized…

Does anyone still believe, at this point, that antivirus software alone is sufficient to prevent malware infections and compromised computers?
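The advisory's last sentence is the important one for a mail gateway: a filter that decides on file extension blocks .exe and friends but waves a crafted .XLS through, because spreadsheets are ordinary business traffic. The following is an added example, not code from these slides or from Georgia State, showing the extension-only rule beside a content-based rule that classifies attachments by their leading bytes and holds binary Office documents from outside senders for rescan. The file signatures are the real ones; the gateway policy, the sample attachments and all function names are assumptions made for this demonstration.

```python
"""Content-based attachment triage at a mail gateway.

Added example, not code from the slides or from Georgia State. It shows
why an extension-only filter passes a crafted .XLS attachment, and how a
gateway can classify attachments by their leading bytes instead. The file
signatures are the real ones; the policy, sample attachments and function
names are assumptions made for this demonstration.
"""

# Leading bytes ("magic numbers") of the formats the gateway cares about.
# OLE2 compound files cover the binary Office formats (.xls, .doc, .ppt),
# which is the container the Excel exploit in the advisory arrives in.
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2-office",
    b"MZ": "pe-executable",
    b"PK\x03\x04": "zip",
}

# Typical 2006-era gateway rule: a list of "dangerous" extensions.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "bat", "com", "vbs"}

# Extensions under which an OLE2 document is expected to arrive.
OFFICE_EXTENSIONS = {"xls", "doc", "ppt"}


def extension(filename: str) -> str:
    """Lower-cased extension without the dot, or '' if there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def extension_verdict(filename: str) -> str:
    """The weak rule: decide purely on the file name."""
    return "block" if extension(filename) in BLOCKED_EXTENSIONS else "allow"


def classify_content(data: bytes) -> str:
    """Identify the attachment by its first bytes, ignoring the name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def content_verdict(filename: str, data: bytes, external_sender: bool) -> str:
    """The stronger rule: decide on content, then on where it came from.

    Returns 'block', 'quarantine' (hold for AV rescan / analyst review)
    or 'allow'.
    """
    kind = classify_content(data)
    if kind == "pe-executable":
        # A renamed executable is caught here regardless of its extension.
        return "block"
    if kind == "ole2-office":
        if extension(filename) not in OFFICE_EXTENSIONS:
            # Office container hiding behind an unrelated name.
            return "quarantine"
        if external_sender:
            # Binary Office documents from outside are exactly what the
            # advisory warns about, so they wait for AV rescan rather
            # than going straight to the inbox.
            return "quarantine"
    return "allow"


# Constructed sample attachments (headers only; bodies are padding).
CRAFTED_XLS = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
RENAMED_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24
PLAIN_TEXT = b"Quarterly numbers attached.\n"


def demo() -> dict:
    """Run both rules over the samples; keys are 'name|rule'."""
    cases = [
        ("budget.xls", CRAFTED_XLS, True),
        ("notes.txt", RENAMED_EXE, True),
        ("readme.txt", PLAIN_TEXT, False),
    ]
    out = {}
    for name, data, external in cases:
        out[name + "|ext"] = extension_verdict(name)
        out[name + "|content"] = content_verdict(name, data, external)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24} {v}")
```

Run as a script, it prints that `budget.xls` is allowed by the extension rule and quarantined by the content rule, while `notes.txt` (really a PE file) is allowed by the extension rule and blocked by the content rule. Quarantine rather than block for Office documents is deliberate: the gateway cannot tell a crafted spreadsheet from a legitimate one, so it buys time for a signature update instead of silently dropping business mail.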

4

Is It Really Possible to Have a Malware-free Campus Network?

Microsoft issued a white paper June 12th about their malicious software removal tool. Among the report's major findings:

The tool removed at least one backdoor trojan each, mostly bots, from about 3.5 million computers.

Of the 5.7 million computers on which the tool has removed malware, 62 percent contained at least one backdoor trojan.

Rootkits were present in 14 percent of the computers on which the tool cleaned malicious software.

Social engineering served as a major source of malware attacks. Worms spreading through email, instant messaging (IM) or peer-to-peer networks were found on 35 percent of the computers cleaned by the tool.

Backdoor trojans made up the most prevalent threat removed by the tool, followed by email worms, rootkits, peer-to-peer worms, exploit worms, viruses and IM worms.

5

Malware—The Pervasive Threat

USB thumb drives: often given away for free by vendors at trade shows, cheap and easy to use, and a great vehicle for evading existing security controls and propagating malware

Blended threats: whether exploiting a vulnerability in an application or OS, or coming in through email, instant messaging, P2P, etc., spammers and hackers are constantly testing to find the fastest way to propagate worms to victim computers. From there they take advantage of the backdoor trojans installed along with the worms to get in and out quickly, offload sensitive data, and install bot software, spam engines, and warez servers, which are often undetectable without specialized tools or methods

6

Data Breaches Are Popping Up Everywhere Lately…

According to the Privacy Rights Clearinghouse, there have been 184 data breaches reported since the ChoicePoint incident in February 2005

Of this number, 73 were universities reporting sensitive data leaks (How many go unreported?)

113 of the total breaches reported were a result of unauthorized access/intrusions

71 of these incidents involved backup tapes, paper documents, and/or computers containing sensitive data repositories that were stolen

7

Case Studies of Interest to Higher Ed Practitioners

“When Bots Attack,” Baseline Magazine’s April 2006 Issue (discusses Auburn University’s experiences with IRC Bots) http://www.baselinemag.com/current_issue/0,1542,i=1818,00.asp

“Remote Control Wars,” SC Magazine’s June 2006 Issue (discusses defense-in-depth approach to mitigating the bot threat) http://www.scmagazine.com/us/news/article/562997/remote+control+wars

“Attack of the iPods,” CSO Magazine’s May 2006 Issue (discusses the threat of malware implanted on iPods, MP3 players and USB devices) http://www.csoonline.com/read/050106/ipods.html

“Security Survival Guide,” Baseline Magazine’s May 2006 Issue (discusses tips & techniques to survive the malware onslaught) http://www.baselinemag.com/article2/0,1540,1962511,00.asp

“Invasion of the Computer Snatchers,” Washington Post Feb 2006 Article (discusses the methods by which hackers are commandeering computers to steal sensitive data, send spam, etc.) http://www.washingtonpost.com/wp-dyn/content/article/2006/02/14/AR2006021401342.html

8

So What Can We Do About the Malware Invasion?

Having effective visibility of your network traffic, coupled with the ability to prevent a very high percentage of known malware from coming into your campus network, is critical

In cases where hackers do gain unauthorized access or zero-day malware infections occur, you need to be able to quickly detect the presence of malware, contain the spread, get the compromised system(s) off your network, and deter the attacker/threat from continuing or returning…

Implementing a defense in depth strategy that applies customized levels of protection to networked systems & devices is imperative in being able to successfully combat malware invasions and prevent data breaches

Behind the scenes, you must continually educate campus users and systems administrators, conduct security audits and risk analyses, and put systems (technology), policies and procedures in place that address access, authentication, authorization, protection of sensitive information, and regulatory compliance

9

A Little Background Info

Georgia State’s information security program launched in 2000

Currently, 3 dedicated staff members serve the campus community

6,000-10,000 staff and faculty

25,000+ students

Decentralized information technology environment

10

Giving Bots, Spyware and Malware the Heave-Ho

Prior to 2005, we had between 20 and 50 incidents a day involving compromised or malware-infected systems

As we implemented key security solutions, policies, and procedures in 2005, our incident rate dropped dramatically to between 1 and 5 a week, and 99% of these involve transient systems brought in by students using wireless or the various labs and classrooms on campus

11

Georgia State’s Security Architecture

In addition to AV on the desktops and/or servers:

Robust gateway AV scanning and anti-spam appliances √

Dynamic blocking at the edge via IPS √

Centrally-maintained “push” patch management √

IPS on desktops and servers √

Ability to mandate use of “strong” passwords, through a combination of policy and technology √

VPN required for remote access √

Encrypted data transmission √

Vulnerability assessment and risk analysis √

A SIM or central logging facility to gather the disparate data produced daily by firewalls, IDS, IPS, AV, etc., with data correlation and reporting

24/7 monitoring and incident detection/response
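The SIM item is the one that turns the other sensors into something actionable: a single alert from the IDS is noise, but the same host showing up in the IDS, the AV console and the firewall logs on the same day is the signal that drives the detect, contain, and remove-from-network steps described earlier. The following is an added example of that correlation pass, written for this page and not Georgia State's SIM or any vendor product. The log lines are constructed for the demo, their key=value layout is an assumption (real products emit their own formats and need a parser each), and the scores and thresholds are illustrative.

```python
"""Correlating firewall, IDS and AV events per host.

Added example, not Georgia State's SIM or any vendor's product: a small
correlation pass of the kind a SIM/central logging facility performs. The
log lines are constructed for this example and their key=value layout is an
assumption; real products emit their own formats and would need a parser
each. Scores and thresholds are likewise illustrative.
"""
import re
from collections import defaultdict

# Constructed sample of one day's feed: one IDS sensor, one AV console and
# one firewall, already normalised to "source key=value ..." lines.
SAMPLE_LOGS = """\
ids host=10.20.1.15 sig="IRC bot command channel join" severity=high
ids host=10.20.1.15 sig="IRC bot command channel join" severity=high
av host=10.20.1.15 threat=Backdoor.IRCBot action=quarantine_failed
fw action=deny src=10.20.1.15 dst=203.0.113.9 dport=25
fw action=deny src=10.20.1.15 dst=203.0.113.10 dport=25
fw action=deny src=10.20.1.15 dst=203.0.113.11 dport=25
av host=10.20.1.40 threat=W32.Mytob action=cleaned
fw action=deny src=10.20.1.40 dst=203.0.113.12 dport=25
ids host=10.20.1.77 sig="Portscan (low)" severity=low
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str) -> dict:
    """Split 'source key=value ...' into a dict; quoted values keep spaces."""
    source, _, rest = line.partition(" ")
    event = {k: v.strip('"') for k, v in KV.findall(rest)}
    event["source"] = source
    return event


def correlate(log_text: str, smtp_threshold: int = 3):
    """Return ({host: score}, {host: [reasons]}) over all lines.

    One low-severity event from one sensor is noise; the same host
    surfacing in the IDS, the AV console and the firewall within a day
    is a compromise until proven otherwise.
    """
    score = defaultdict(int)
    reasons = defaultdict(list)
    smtp_denies = defaultdict(int)

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        if ev["source"] == "ids":
            pts = {"high": 3, "medium": 2}.get(ev.get("severity"), 1)
            score[ev["host"]] += pts
            reasons[ev["host"]].append(f"ids:{ev['sig']}")
        elif ev["source"] == "av":
            # A detection the AV client could not clean weighs far more
            # than one it handled: the host is still infected.
            pts = 1 if ev.get("action") == "cleaned" else 4
            score[ev["host"]] += pts
            reasons[ev["host"]].append(f"av:{ev['threat']}:{ev['action']}")
        elif ev["source"] == "fw" and ev.get("action") == "deny" and ev.get("dport") == "25":
            # Repeated outbound SMTP from a desktop is a spam-engine tell.
            smtp_denies[ev["src"]] += 1

    for host, n in smtp_denies.items():
        if n >= smtp_threshold:
            score[host] += 3
            reasons[host].append(f"fw:{n} outbound smtp denies")

    return dict(score), dict(reasons)


def quarantine_candidates(log_text: str, threshold: int = 6) -> list:
    """Hosts whose combined score crosses the threshold: the list handed
    to network operations for the 'get it off the network' step."""
    score, _ = correlate(log_text)
    return sorted(h for h, s in score.items() if s >= threshold)


if __name__ == "__main__":
    scores, why = correlate(SAMPLE_LOGS)
    for host in sorted(scores, key=scores.get, reverse=True):
        print(host, scores[host], "; ".join(why[host]))
    print("quarantine:", quarantine_candidates(SAMPLE_LOGS))
```

On the sample feed, 10.20.1.15 scores 13 (two high IDS hits, an AV detection that failed to clean, and three outbound SMTP denies) and is the only quarantine candidate; 10.20.1.40, whose infection the AV client cleaned, and 10.20.1.77, with one low-severity scan, both score 1 and stay on the report without triggering containment. The reasons list is what goes into the helpdesk ticket so the technician fielding the alert can see why the host was pulled.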

12

Security Architecture Continued

Regulatory compliance in ensuring minimum levels of security on networked devices processing sensitive info √

An online security awareness course (we used WebCT Vista) that can be distributed to faculty, staff, and students √

Establishment of secure, trusted zones that are separated from the rest of the network √

Access/authentication requirements on every wired port (except public access stations) and wireless areas √

Identity management system

Self defending networks

13

Our Information Security Roadmap

Information Security Plan based on ISO 17799

Prioritized Yearly Action Plans

Risk Analyses and Security Assessments

Policy and Procedures

Building Consensus through Collaborations with Committees and Taskforces

Security Solutions that can be managed centrally, and distributed to trained departmental sys admins

Security Operations that take advantage of automated alerts and reporting to allow data center or network ops folks to monitor 24/7

Security Awareness

Defense In Depth through layering in new solutions

14

IPS at The Edge, Anyone?

We implemented McAfee’s Intrushield 4000 appliance in early 2005

We selected Intrushield because it allows us to create thousands of virtual ‘child’ domains with just one appliance, each applying very granular, customized policies to protect networked devices. Unlike our ISS RealSecure IDS, which we still maintain for its auditing capabilities (they let us easily detect IRC bots and compromised systems), the Intrushield IPS allows us to dynamically block attacks in real time, 24/7

We maintain an overall GSU policy that is applied to networked devices not housed under specific child domains. We also shield a group of high-risk devices with a very restrictive policy. We create child domains for the various colleges and departments and allow them to specify additional things they want to restrict via their departmental policies, such as P2P applications

We provide training to campus systems administrators and allow them to obtain a child domain, maintain their own policies, and gain access to the management console to view all activity on just their specific areas
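The slide keeps the IDS around because its audit view makes IRC bots easy to spot. What that audit is looking for is worth making concrete: a desktop registering with an external IRC server, a machine-generated nick of the sort a herder uses to sort thousands of zombies, and channel text that is a command rather than conversation. The following is an added example written for this page, not ISS RealSecure's signatures or Georgia State's audit rules. The sessions are constructed, the nick pattern and command list are simplified stand-ins for what real bot families use, and the campus address range is an assumption.

```python
"""Spotting IRC bots in captured session payloads.

Added example, not ISS RealSecure's signatures or Georgia State's audit
rules: a payload-level check of the kind an IDS audit would apply to
outbound IRC. The sessions, nick pattern and command list are constructed
and simplified; real bot families vary and a production signature set is
larger.
"""
import re

INTERNAL = "10.20."                      # assumed campus desktop range
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697}
# Nicks like [USA|XP|04812] or DEU-00-77123: a country/OS tag plus a
# counter, the kind of machine-generated nick a bot picks so its operator
# can sort thousands of zombies by location and platform.
BOT_NICK = re.compile(r"^\[?[A-Z]{2,3}[|\-][A-Za-z0-9|\-]*\d{3,}\]?$")
# Channel/notice text a bot is driven by; a human chatter rarely types these.
BOT_COMMANDS = ("!login", ".login", ".ddos", ".syn", ".scan", ".advscan",
                ".download", ".update", ".execute", ".keylog")

# Constructed sessions: (src, dst, dport, payload lines as captured).
SESSIONS = [
    ("10.20.1.15", "198.51.100.7", 6667, [
        "NICK [USA|XP|04812]",
        "USER zgtr 0 0 :zgtr",
        "JOIN #x-files- s3cr3t",
        ":boss!boss@198.51.100.7 PRIVMSG #x-files- :.advscan lsass 200 5 0 -r -s",
    ]),
    ("10.20.1.15", "198.51.100.7", 1863, [   # same host, IRC on a non-standard port
        "NICK [USA|XP|04812]",
        "JOIN #x-files- s3cr3t",
    ]),
    ("10.20.3.8", "203.0.113.50", 6667, [    # a real person chatting
        "NICK jsmith_gsu",
        "USER jsmith 0 0 :John",
        "JOIN #linuxhelp",
        "PRIVMSG #linuxhelp :anyone know a good ssh client for XP?",
    ]),
]


def irc_indicators(src, dst, dport, lines):
    """Return the list of indicators seen in one session (empty = benign)."""
    found = []
    if not src.startswith(INTERNAL):
        return found                     # only audit campus-originated sessions
    speaks_irc = any(l.split(" ", 1)[0] in ("NICK", "USER", "JOIN") for l in lines)
    if not speaks_irc:
        return found
    if dport not in IRC_PORTS:
        found.append(f"irc on non-standard port {dport}")
    for l in lines:
        verb, _, rest = l.partition(" ")
        if verb == "NICK" and BOT_NICK.match(rest.strip()):
            found.append(f"bot-style nick {rest.strip()}")
        # Trailing parameter after ' :' is the message text for PRIVMSG/NOTICE.
        text = l.split(" :", 1)[1] if " :" in l else ""
        toks = text.split()
        if toks and toks[0].lower() in BOT_COMMANDS:
            found.append(f"bot command {toks[0]}")
    return found


def audit(sessions):
    """Map each source host to the union of indicators across its sessions."""
    report = {}
    for src, dst, dport, lines in sessions:
        hits = irc_indicators(src, dst, dport, lines)
        if hits:
            report.setdefault(src, []).extend(hits)
    return report


if __name__ == "__main__":
    for host, hits in audit(SESSIONS).items():
        print(host)
        for h in hits:
            print("   ", h)
```

On the constructed sessions, 10.20.1.15 is reported with four indicators (the bot-style nick twice, the `.advscan` command from the channel operator, and IRC on port 1863) while the student chatting on #linuxhelp from 10.20.3.8 produces none. The port check matters in practice: blocking 6667 at the edge pushes herders to other ports, so the audit keys on the protocol, not the port.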

15

Intrushield

16

IPS on Desktops and Servers

We deployed ISS SiteProtector in 2003, a central console that can manage network, server, and desktop sensors. The network sensors perform the IDS function, and the server and desktop sensors have IPS capabilities built in.

We began distributing desktop IPS clients to residential students in 2004. From there, we provided them to staff maintaining campus labs and classrooms. Various systems administrators are in the process of deploying server sensors to protect their critical systems.

We group desktop and server sensors by college and department, and we also create sub-domains underneath these groupings that apply more granular policies to specific systems.

We provide training to campus systems administrators and allow them to manage their sensor groups, distribute and install sensors, maintain their own policies, and gain access to the management console to view activity on just their specific areas
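Both the Intrushield child domains on the previous slide and the SiteProtector sub-domains here rest on the same arrangement: one campus-wide policy, a very restrictive "shield" for high-risk devices, and departmental domains whose administrators may add restrictions (P2P, for instance) but must not be able to open a hole in the campus baseline. The following is an added example modelling that arrangement; it is not McAfee Intrushield's or ISS SiteProtector's policy engine, and the domain names, rule names and device assignments are assumptions made for the demonstration.

```python
"""Hierarchical IPS policy domains with add-only child overrides.

Added example, not McAfee Intrushield's or ISS SiteProtector's policy
engine: a model of the arrangement the slides describe (one campus-wide
policy, a restrictive "shield" for high-risk devices, and child domains
per college or department that may only add restrictions). The domain
names, rule names and device assignments are assumptions for the demo.
"""


class Domain:
    """A policy domain; blocks inherit down the tree and never loosen."""

    def __init__(self, name, blocks=(), parent=None):
        self.name = name
        self.parent = parent
        self.blocks = set(blocks)
        self.children = []
        if parent is not None:
            parent.children.append(self)

    def effective_blocks(self):
        """Everything blocked here plus everything blocked by ancestors."""
        inherited = self.parent.effective_blocks() if self.parent else set()
        return inherited | self.blocks

    def add_block(self, rule):
        """Departmental admins may always tighten their own domain."""
        self.blocks.add(rule)

    def remove_block(self, rule):
        """A child may drop only what it added itself.

        Anything the parent chain blocks stays blocked, so a departmental
        console cannot open a hole in the campus-wide policy.
        """
        inherited = self.parent.effective_blocks() if self.parent else set()
        if rule in inherited:
            raise PermissionError(f"{rule!r} is enforced by an ancestor of {self.name}")
        self.blocks.discard(rule)

    def path(self):
        """Root-to-here list of domain names, for console display."""
        return (self.parent.path() if self.parent else []) + [self.name]


def build_campus():
    """The slides' arrangement, with constructed rule names."""
    gsu = Domain("GSU", blocks={"known-exploit-signatures", "irc-bot-c2", "mass-mailer-worm"})
    shield = Domain("High-Risk Shield", blocks={"inbound-except-whitelist", "outbound-smtp"}, parent=gsu)
    business = Domain("College of Business", blocks={"p2p-filesharing"}, parent=gsu)
    reslife = Domain("Residence Halls", blocks={"p2p-filesharing", "im-file-transfer"}, parent=gsu)
    return {"GSU": gsu, "shield": shield, "business": business, "reslife": reslife}


def policy_for(device_assignments, domains, device):
    """Resolve a device to the effective block set of its domain."""
    return domains[device_assignments[device]].effective_blocks()


if __name__ == "__main__":
    d = build_campus()
    assignments = {"payroll-srv": "shield", "biz-lab-12": "business", "dorm-pc-77": "reslife"}
    for dev in assignments:
        print(dev, "->", " / ".join(d[assignments[dev]].path()))
        print("   ", sorted(policy_for(assignments, d, dev)))
    try:
        d["business"].remove_block("irc-bot-c2")
    except PermissionError as e:
        print("refused:", e)
```

The invariant lives in `remove_block`: a departmental administrator can retire a P2P rule they added, but an attempt to drop the campus-wide IRC bot C2 block is refused. That is what makes it safe to hand the console to trained departmental staff, as both slides describe.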

17

ISS SiteProtector

18

Managed Antivirus

We distribute Symantec antivirus to all Windows and Mac systems on campus and allow users to install it on remote systems as well

We provide a managed client that allows us to “push” AV updates as they come out and to group the clients by the college or department they fall into. We also provide an unmanaged client for our remote users

We provide targeted information about worms and viruses to campus administrators and plan to allow them access to their own groups on our management console once Symantec releases the ability to distribute management of AV clients

19

Symantec Antivirus

20

GSU’s Secure Computing Initiative

In response to regulatory requirements to protect customer information, we established a program that mandates (yes, you heard this right!) the use of IPS, strong passwords, secure device configurations, and an electronic security awareness course

The mandated desktop clients are ISS Proventia desktop IPS and Symantec’s antivirus client. We also ask systems admins to either obtain ISS’ server sensor or allow us to place their device behind the “shield” with a restrictive policy

We require college/department information technology representatives to provide us with an inventory of systems and a survey questionnaire specifying what steps they are taking in the areas of backups, disaster recovery, etc. We provide them with training on the ISS SiteProtector management system and with checklists that specify configuration requirements on XP and 2000 workstations (which are prevalent on our campus), and we conduct a risk analysis of their area

College/department technology representatives distribute and install the IPS and antivirus software and ensure that users’ systems are configured per our checklist requirements, and we contact users to take the security awareness course

21

HIPAA Compliance Matrix

22

Risk Analyses and Security Reviews

As colleges and departments at GSU acquire new technology from vendors to assist in their academic or business endeavors, we get involved in assessing the potential risk that new devices, software, etc., can introduce

We run vulnerability scans on these vendor-supplied systems

We also conduct risk analyses to determine whether encryption is used for data transmission, examine security configurations, and determine whether sensitive data is involved

We work with vendors to resolve problems prior to systems going into production; we also place high-risk systems behind the “shield”

23

Security Operations

We have several security monitoring systems that provide critical information to us about attacks and intrusions 24/7

We establish automated alerting and reporting mechanisms within Intrushield and ISS SiteProtector to provide targeted information

We are offering training to network operations and helpdesk technicians to allow them to field alerts 24/7, create Remedy helpdesk tickets, make notifications, and contact us to analyze information that comes in about potential attacks and incidents

We have an experienced security operations/incident handler in our department who collects data and manages incidents during business hours. We also have a CSIRT on campus and a policy under which we may decide to disrupt network services to any device that represents a threat to the university, without prior notification if necessary

24

Security Awareness

We provide security awareness presentations on demand and are in the process of distributing a WebCT Vista security awareness course to campus users

We are working to have this electronic course distributed to all incoming freshman students as part of their “freshman communities” curriculum. We require everyone on campus processing sensitive information to take the course and achieve a passing score on the test that accompanies it

We are working with human resources staff members to include the course in their new employee orientations

25

Defense In Depth Strategy

The challenge we all face in seeking to protect customer information and university technical resources is achieving a delicate balance between applying controls and utilizing these resources at optimum levels of efficiency and effectiveness

From 2000 to the third quarter of 2004, we layered existing technological solutions and devised processes that often required the active participation of the campus community, and we found that we could not stem the tide of blended malware threats that managed to evade our controls

The emergence of IPS at the edge, on servers and on desktops, along with regulatory requirements that mandate minimum levels of security, has allowed our efforts to evolve: we can be more proactive and manage security “end to end” on the network, rather than exist in a purely reactive mode. These controls are for the most part transparent to our campus community, as we do not deploy some of the more intrusive measures these solutions are capable of.

26

Defense in Depth Cont.

We constantly devise policies and processes that can be instituted to better protect network devices, more often than not without user intervention. We focus on educating staff, faculty, and users about policies, mandated requirements, and the threats and vulnerabilities they will encounter when they utilize systems connected to the Internet…

We’ve achieved a measure of success at this point, but we continue to examine new technologies that surface, such as ‘self defending networks’, and complex ones such as ‘IDMS’ (identity management systems), to allow us to mitigate the effects of mobile users bringing infected systems to campus and to address access/authentication issues

27

Of Interest to Higher Ed Information Security Staffs

www.educause.edu/security The EDUCAUSE Security Task Force and a wealth of downloadable content

http://www.educause.edu/securityconference The Security Professionals Conference Archive

http://www.ren-isac.net/ Research and Education Networking – Information Sharing and Analysis Center

28

Questions?

Copyright Tammy L. Clark, June 2006. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.