Hope is not a strategy

Download Report

Transcript Hope is not a strategy 

Best practices
in managing your
devices and applications
Jérôme Bei
Did the bad guys surrender?
There have been no massive attacks lately...
• Broadband attacks make CSO‘s increase their IT security
• Lack of massive attacks makes CSO‘s think their
systems are secure
• Today, we‘re facing targeted attacks
• silent and focussed
• goal: steal know how
• victims will hardly admit data theft
Botnets Today
Borderless Networks
Who enters your network?
• Mobile Workers
• Trading Partners
• Customers
• Vendors
As a consequence, the security solution needs to be host based
Do you feel safe with AV only?
April 2006
16 leading anti-virus vendors tested
for 243.671 pieces of known malware
One vendor missed OVER
pieces of malware
4 out of 16 missed over
www.av-comparatives.org
of them!
Do you feel safe with AV only?
February 2007
15 leading anti-virus vendors tested
for 481.850 pieces of known malware
One vendor missed OVER
pieces of malware
Another vendor missed
of them!
vendor had all needed patterns!
www.av-comparatives.org
Do you feel safe with AV only?
May 2009
16 leading anti-virus vendors tested
for proactive heuristic detection
One vendor missed OVER
of malware
The best vendor still missed
vendor detected all tested malware!
www.av-comparatives.org
Remote Exploit – a complex task?
Ready-Made Exploit Frameworks
MS08-067 RPC
Lumension
Application Control
Lumension Application Control
Applications
AUTHORIZED
RISK
Operating Systems
Business Software
UNWANTED
Games, Shareware,
Unlicensed software
Malware
Malware
KNOWN
Viruses, Worms,
Trojan Horses,
Spyware
UNKNOWN
Viruses, Worms,
Trojan Horses,
Spyware
Lumension Application Control
MANAGE
Applications
AUTHORIZED
Operating Systems
Business Software
UNWANTED
Games, Shareware,
Unlicensed software
Malware
Malware
KNOWN
Viruses, Worms,
Trojan Horses,
Spyware
UNKNOWN
Viruses, Worms,
Trojan Horses,
Spyware
Black List vs. White List
Black List
Unwanted Software
(Games, Players, ...)
Updates
White List
Not supported
Denied by default
Weekly, daily, hourly
Only when new applications /
patches are installed
Zero day protection
New malware is always one step
ahead
Operational performance
File filter slows down performance +
pattern comparison
Kernel based (=fast), no pattern
comparison required
Today: 800.000
Tomorrow? Next Year?
Heavy loaded PC with 50
applications has 25.000 signatures
– STABLE -
Scalability
Implicit
Product Operation – Application Control
Individual User
•Accounting
•Sales People
•Network Admins
•Support Team
Groups of Users
What do users / groups of users need to run on their machine to
Users can now only run the executables they are allowed to
perform their allowed tasks?
0. IDENTIFY
EXESOURCES
Operating Systems
3. ASSIGN RIGHTS
TO EXECUTE
Organize into
File Groups
USE SFD‘s
Admin Tools
Entertainment
Standard Software
Customer specific
applications
1. COLLECT
• Scan Explorer
• Log Explorer
• EXE Explorer
Signature
Files
Communication
MS Office
etc...
Product Operation
1.
6.
Client boots, user logs on,
computer connects to the
corporate network
Policies
Computer may leave corporate
network and will stay secure due to
local white list
Kernel Driver
2.
Client driver sends Identification
message (= machine ID, user ID, domain ID,
group ID’s, driver version, OS version).
5.
Digital
signature
Digital
signature
SecureWave
Application
Server(s)
3.
The Application Server queries the
database for access rules and caches
results.
SQL
Database
(Cluster)
4.
The Access Rules are cached
locally, policy enforcement is
performed at kernel level
The Access Rules are created,
cryptographic signatures are added
and Access Rules are pushed to
the client driver
Active Directory / eDirectory
synchronizes users, groups and
computer accounts periodically
How Application Control works
Users
Kernel Driver
File signature generation
using SHA-1 hash
Application Execution
Request
List of centrally
authorized files
signatures
0x7ddf86e8a4672a420760b8809a1c
0xcbac13bb07f7dd0e10e93f4b63de9
0x20ee7cf645efeba7C81bd660fe307
Comparison with list of
centrally authorized files
signature
No
Authorization?
File execution is denied
Log
0xd535561209f0199f63b72c2ebc13c
0x4e4f36b5b2cf0c9ec85372ff8a7548
How Application Control works
Users
Kernel Driver
Application Execution
Request
File signature
generation using
SHA-1 hash
List of centrally
authorized files
signatures
0x7ddf86e8a4672a420760b8809a1c
0xcbac13bb07f7dd0e10e93f4b63de9
0x20ee7cf645efeba7C81bd660fe307
Comparison with list
of centrally authorized
files signature
Yes
Authorization?
File executes
Log
0xd535561209f0199f63b72c2ebc13c
0x20ee7cf645efeba7C81bd660fe307
Major Features
White List
Full Macro Protection
Instant Policy Updates
Offline Protection
NT / AD Domain / Novell eDirectory support
Silent Unattended Installation
Optimized Network Communication
Learning Mode
Logging & Auditing
Demo
Social Engineering the USB way
Security Audit at a credit union
(Source: http://www.darkreading.com)
Step 1
Prepare 20 USB drives with a trojan horse that gathers critical data (such as user account information)
from the PC it is connected to and sends it by email
Step 2
Drop these USB drives within the accomodations of the company
Step 3
Wait 3 days ...
Result
15 out of 20 drives have been used by employees, critical data from their PC‘s has been exposed
Consequences of theft and data loss
Lumension
Device Control
Assign and Go
Individual User
Groups of Users
•Accounting
•Sales People
•Network Admins
•Support Team
What Users
are users
can /now
useraccess
groups’their
needs
allowed
in terms
devices
of device
/ media
/ media
access
according
rights totoperform
their granted
their allowed
attributes
tasks?
0. IDENTIFY
DEVICES AND MEDIA
3. ASSIGN ACCESS
ATTRIBUTES
1.1 PREDEFINED
DEVICE CLASSES
1.2 SPECIFIC DEVICE
TYPE / BRAND
Unique Media
CD / DVD, Zip drives, Disk
on key
DEVICES
CD / DVD ROMs
MODEM
REMOVABLE MEDIA
USB Disk Pro
SND1 MP3 Player
USB PRINTER
1.3 ADD SPECIFIC MEDIA
MEDIA LIST
Managed Device Access Control
Users
Kernel Driver
Device Access
Request
List of classes
& known devices
Known Device check
Known device?
Yes
Device Access
Authorization
Yes
Log
Device Policies
Users, Groups,
Device Classes, Devices
and
Access Attributes
Managed Device Access Control
Users
Kernel Driver
Device Access
Request
List of classes
& known devices
Known Device check
Known device?
Yes
No Access
Authorization
No
Log
Device Policies
Users, Groups,
Device Classes, Devices
and
Access Attributes
Implementing Device Control
Requirement Gathering
Security Requirements
Operational Implications
Sales
Use Memory Keys
Only with encryption
Audit of copied data
Wireless Network
Only outside
corporate network
Standard rule for sales
to use memory keys
with decentralized
encryption and
shadowing
Offline rule for
notebooks with
wireless cards
Marketing
Usage of digital
cameras
Only during business
hours
No misuse as data
storage
Time-based rule for
digital camera usage,
with filter on image
data (JPG, GIF, BMP)
Usage of CD‘s /
DVD‘s
Only specific media
Explicit assignment of
specific media
Implementing Device Control
Requirement Gathering
Security Requirements
Operational Implications
Front Desk
Badge printing
Deny usage of any
other device
Machine-based
„Lockdown“, standard
rule for local printer
Prevent data loss
(custromer data /
internal data)
Standard rule for Read
Only-access to
customer devices
Deny any device
usage
Machine-based
„Lockdown“
Support Dept.
Usage of customer
devices
Production server
Maximum stability
Encryption with Device Control
1) Administrator creates encryption rule
2) User plugs in memory key
3) Transparent encryption on corporate
computers
4) Volume Browser tool on stick for
3rd party computers
Access Attributes
•Read and / or Write
•Scheduled Access
•
From 08:00h to 18:00h Monday to Friday
•
•
For the next 15 minutes
Starting next Monday, for 2 days
•
Assign permissions when no network connection is present, all device classes supported
•
Limit copied data to 100 MB / day
•
Access is granted only if medium has been encrypted (decentralized encryption) with password
recovery option
•Temporary Access
•Online / Offline
•Quota Management
•Encryption enforcement
•File Type Filtering
•
Limit the access to specific file types
Attributes can be allocated to...
• A complete device class
• All USB Printers
• A device sub class
• USB printer HP 7575, CD/DVD Nec 3520A
• A unique device based on
• Encryption
• serial number
• Specific CD‘s / DVD‘s
• Specific Bus (USB, IrDa, Firewire...)
• Groups of devices
Security Features
• Kernel Driver
• Invisible (no task manager process)
• Fast (no performance loss)
• Compatible (no conflict with other software)
• Encryption of devices with AES
• AES 256 = market standard
• Fast and transparent within the network
• Strong password enforcement for usage outside the corporate network
• Client / Server Traffic
• Private/Public key mechanism
• Impossible to tamper with
• Easily generated and deployed
Security Features
• Client Hardening
•
Even a local administrator cannot uninstall the client
• Prevention from Keyloggers
• Removable Media Encryption
• Assign any removable media to any user and then encrypt the media. Encrypted device is
accessible only by the user who owns the access rights on the removable media
• Offline Protection
• Local copy of the latest devices access permission list stored on the disconnected workstation or
laptop
Auditing & Logging
• User Actions Logging
• Read Denied / Write denied
• Device entered / Medium inserted
• Open API for 3rd party reporting tools
• Shadowing of all copied data
• Level 1: shows File Name and attributes of copied data
• Level 2: Captures and retains full copy of data written to extenal device or read
from such a device
• Administrator Auditing
• Keeps track of all policy changes made by SDC admins
Demo