Document 7349182


Malware, spyware, adware: detection and optimal system configuration
Jan Písařík
Senior system engineer
ComDay3
27 January 2005, Jihlava
Agenda
- The current state of security
- What is malicious software?
- How to defend?
Security incidents ... are rising
[Chart: reported security incidents per year, 1996 to 2003, y-axis 0 to 140,000 incidents. Source: Goldman Sachs, 2/19/04]
The IT world is changing
- New technologies (WiFi, mobile)
- Greater demands on security
- Many categories of users: employees, travelling users, consultants, customers, suppliers
- Distributed systems need a complex network structure
Vulnerabilities are rising, time to remediate is shrinking
[Chart: left axis "Quantity" (0 to 8000), number of vulnerabilities for the periods '95-'99, '00-'01 and '02-'03; right axis "Days" (0 to 350), the shrinking time to remediate, with Nimda, SQL Slammer, Welchia and Blaster marked as data points. Source: Gartner, 8/04]
Spyware
It is everywhere and it is a big problem
- 9 out of 10 PCs connected to the internet are infected with spyware.*
- Audit by Earthlink and Webroot:
  - 27.5 spyware instances per PC
  - in one quarter, 40 million spyware instances on 1.5 million PCs
[Chart: "Spyware Rising", number of reports in thousands, Mar 02 to Mar 04; labelled points 8,903, 151,975 and 531,694]
*National Cyber Security Alliance, June 2003
Spyware / Adware / Trackware
- Malware: malicious software, software designed to disrupt or destroy a system
- Spyware: a program that installs itself on your PC, thoroughly spies on you and steals your passwords, browsing history and credit card numbers, changes your browser home page and so on, and then sends all of it to a specific recipient
  - Adware: pesters you with advertising
  - Browser helper (Browser Helper Object, BHO): a DLL that lets a programmer modify and monitor Internet Explorer
  - Hijacker: changes the home page
  - Dialer
  - Keystroke logger
  - Remote admin
  - Trackware
Why?
Money
- Pop-up windows
- Hackers: PINs, ...
- Programmers: P2P, XXX, dialers
Symptoms
- Slow PC startup
- Pop-up windows
- Redirected dial-up calls
- Mysterious desktop behaviour
- Unwanted home page
- ...
Security Management
- Perimeter security alone is not a sufficient solution
- 100% device security is not possible; we need to scan and monitor repeatedly for new vulnerabilities and threats
- Vulnerabilities: the number, intensity and frequency of attacks are increasing
Integrated security solution:
- Patch Management
- Anti-Spyware
- Vulnerability Management
LANDesk® Security Suite
Device Discovery
- Discovery
- Baseline Configuration
Audit / Compliance
- Unauthorized software detection
- Threat Analyzer (user and resource settings)
Monitor / Denial
- Application Block
Spyware
- Detection
- Removal
- Central Management
Network Access
- Connection Control Manager (inclusive / exclusive lists)
- Restrict drive/port/wireless access
Patch Management
- OS / Application / Custom
- Vulnerability Assessment
- Enterprise Remediation
LANDesk Security Suite
Connection Control Manager
- Ability to control the networks that a client can access
- Approved or disapproved list of authorized connections
- Enable or disable the following based on network connection:
  - USB ports (allow mouse/keyboard)
  - Modems
  - Drives: floppy, CD/DVD, removable, tape
  - Ports: serial, parallel, infrared, FireWire
  - Wireless: 802.11, Bluetooth
- Alerts are generated based on unauthorized access
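How a network-aware device restriction of this kind can be built from mechanisms Windows already has, as an added example written for this page; it is not LANDesk code and does not use the LANDesk agent. It assumes Windows 8 / Server 2012 or later (for Get-NetConnectionProfile and the NetAdapter cmdlets), an elevated PowerShell session, and that the names in $ApprovedNetworks and $EventSource are placeholders for your own:

```powershell
# Added example (not LANDesk code): restrict removable storage and wireless depending
# on the network the client is currently attached to, and raise an alert in the
# Application event log when the client is on an unapproved network.
# Assumed: Windows 8 / Server 2012+, run as Administrator, placeholder names below.

$ApprovedNetworks = @('CORP-LAN', 'CORP-WLAN')   # placeholders, replace with your own
$EventSource      = 'ConnectionControl'          # placeholder event source name

function Test-OnApprovedNetwork {
    # Get-NetConnectionProfile lists every connected adapter with its network name.
    $names = @(Get-NetConnectionProfile -ErrorAction SilentlyContinue | ForEach-Object Name)
    foreach ($n in $names) {
        if ($ApprovedNetworks -contains $n) { return $true }
    }
    return $false
}

function Set-RemovableStorageAccess {
    param([Parameter(Mandatory)][bool]$Deny)
    # Policy read by Windows Vista and later ("All Removable Storage classes: Deny all
    # access"). It covers USB disks, CD/DVD, floppy and tape; it does not touch HID
    # devices, so a USB mouse and keyboard keep working.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    New-ItemProperty -Path $policy -Name 'Deny_All' -PropertyType DWord `
        -Value ([int]$Deny) -Force | Out-Null
    # Second layer: stop the USB mass-storage driver from loading at all
    # (Start = 4 disabled, 3 = manual / on demand).
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
        -Name 'Start' -Value $(if ($Deny) { 4 } else { 3 })
}

function Set-WirelessAdapters {
    param([Parameter(Mandatory)][bool]$Enabled)
    # 802.11 and Bluetooth adapters are identified by their physical media type.
    $wireless = Get-NetAdapter -Physical -ErrorAction SilentlyContinue |
        Where-Object { $_.PhysicalMediaType -in 'Native 802.11', 'BlueTooth' }
    foreach ($a in $wireless) {
        if ($Enabled) { Enable-NetAdapter  -Name $a.Name -Confirm:$false }
        else          { Disable-NetAdapter -Name $a.Name -Confirm:$false }
    }
}

function Write-ConnectionAlert {
    param([Parameter(Mandatory)][string]$Message)
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -Source $EventSource -EventId 4000 `
        -EntryType Warning -Message $Message
}

function Invoke-ConnectionControl {
    if (Test-OnApprovedNetwork) {
        # Inside the approved network: removable media allowed; wireless switched off
        # while a wired approved link exists, so the LAN cannot be bridged to a hotspot.
        # Matching on the interface alias is a heuristic; adapt it to your naming.
        Set-RemovableStorageAccess -Deny:$false
        $wired = Get-NetConnectionProfile -ErrorAction SilentlyContinue |
            Where-Object { $_.InterfaceAlias -like 'Ethernet*' -and $ApprovedNetworks -contains $_.Name }
        if ($wired) { Set-WirelessAdapters -Enabled:$false }
    }
    else {
        # Unknown network (hotel, home, hotspot): lock removable storage and alert.
        Set-RemovableStorageAccess -Deny:$true
        $seen = (Get-NetConnectionProfile -ErrorAction SilentlyContinue | ForEach-Object Name) -join ', '
        Write-ConnectionAlert -Message "Client connected to unapproved network(s): $seen"
    }
}

Invoke-ConnectionControl
```

Run it from a scheduled task triggered on network profile change (the Microsoft-Windows-NetworkProfile/Operational log) to get the "based on network connection" behaviour. Two caveats: a domain GPO that sets the same policy keys will overwrite the local values at the next refresh, so in a managed fleet the allow/deny lists belong in Group Policy or an equivalent tool rather than in this script; and the Deny_All policy blocks data access to removable storage classes only, so serial, parallel and infrared ports from the slide's list need their own device-installation restrictions.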
LANDesk Security Suite
Threat Analyzer
Eliminate potential security threats by verifying:
- Administrator group membership
- Available shares
- Check for unnecessary services
- Domain controller
- File system type
- Guest account status
- Internet Connection Firewall status
- Local account passwords
- Operating system version
- Password expiration
- Restrict anonymous users
- SQL guest and service account status
- Internet Explorer security settings
- And more...
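A local equivalent of this configuration audit, as an added example for this page rather than LANDesk's own scanner, using only built-in cmdlets (PowerShell 5.1 or later on Windows 8 / Server 2012 and newer, run as Administrator). The list of "unnecessary" services, the size of the Administrators group and the expected Internet Explorer zone level are assumptions to adapt to your own baseline:

```powershell
# Added example (not LANDesk code): collect the host settings named on the Threat
# Analyzer checklist and flag the ones that deviate from a simple assumed baseline.
# Assumed: PowerShell 5.1+, Windows 8 / Server 2012+, elevated session.

# Services rarely needed on a workstation; an assumed list, adjust to your baseline.
$UnneededServices = 'RemoteRegistry', 'TlntSvr', 'SNMP', 'SSDPSRV', 'upnphost'

function Get-HostSecurityState {
    $os  = Get-CimInstance Win32_OperatingSystem
    $cs  = Get-CimInstance Win32_ComputerSystem
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # IE Internet zone (zone 3): CurrentLevel 0x11000 = Medium, 0x11500 = Medium-high,
    # 0x12000 = High; value 1201 = "Initialize and script ActiveX not marked safe" (3 = disable).
    $zone3 = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' -ErrorAction SilentlyContinue
    $zoneLevel   = if ($zone3) { $zone3.CurrentLevel } else { $null }
    $zoneActiveX = if ($zone3) { $zone3.'1201' } else { $null }
    [pscustomobject]@{
        OSVersion            = $os.Version
        IsDomainController   = $cs.DomainRole -ge 4          # 4 = backup DC, 5 = primary DC
        SystemDriveFs        = (Get-Volume -DriveLetter $env:SystemDrive.TrimEnd(':')).FileSystem
        # S-1-5-32-544 is the built-in Administrators group on every language of Windows
        LocalAdmins          = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object Name)
        GuestEnabled         = (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }).Enabled
        NonExpiringUsers     = @(Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordExpires } | ForEach-Object Name)
        Shares               = @(Get-SmbShare | ForEach-Object Name)
        FirewallOff          = @(Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object Name)
        RestrictAnonymous    = [int]$lsa.RestrictAnonymous   # 0 = anonymous enumeration allowed
        RestrictAnonymousSAM = [int]$lsa.RestrictAnonymousSAM
        UnneededRunning      = @(Get-Service -Name $UnneededServices -ErrorAction SilentlyContinue |
                                 Where-Object Status -eq 'Running' | ForEach-Object Name)
        IEZone3Level         = $zoneLevel
        IEZone3UnsafeActiveX = $zoneActiveX
        SqlServiceAccounts   = @(Get-CimInstance Win32_Service -Filter "Name LIKE 'MSSQL%'" |
                                 ForEach-Object { "$($_.Name)=$($_.StartName)" })
    }
}

function Test-HostSecurityState {
    param([Parameter(Mandatory)]$State)
    $findings = @()
    if ($State.GuestEnabled)                 { $findings += 'Guest account is enabled' }
    # Assumed baseline: the local Administrator plus one management group.
    if ($State.LocalAdmins.Count -gt 2)      { $findings += "Administrators group has $($State.LocalAdmins.Count) members: $($State.LocalAdmins -join ', ')" }
    if ($State.NonExpiringUsers.Count -gt 0) { $findings += "Passwords never expire: $($State.NonExpiringUsers -join ', ')" }
    if ($State.FirewallOff.Count -gt 0)      { $findings += "Firewall disabled for profile(s): $($State.FirewallOff -join ', ')" }
    if ($State.RestrictAnonymous -eq 0)      { $findings += 'RestrictAnonymous is 0 (anonymous enumeration allowed)' }
    if ($State.SystemDriveFs -ne 'NTFS')     { $findings += "System drive is $($State.SystemDriveFs), not NTFS (no file ACLs)" }
    if ($State.UnneededRunning.Count -gt 0)  { $findings += "Unnecessary services running: $($State.UnneededRunning -join ', ')" }
    $userShares = $State.Shares | Where-Object { $_ -notmatch '\$$' }   # ignore ADMIN$, C$, IPC$
    if ($userShares)                         { $findings += "Non-administrative shares: $($userShares -join ', ')" }
    if ($null -ne $State.IEZone3Level -and $State.IEZone3Level -lt 0x11000)       { $findings += 'IE Internet zone below Medium' }
    if ($null -ne $State.IEZone3UnsafeActiveX -and $State.IEZone3UnsafeActiveX -ne 3) { $findings += 'IE allows scripting of ActiveX not marked safe' }
    $localSql = $State.SqlServiceAccounts | Where-Object { $_ -match '=LocalSystem$' }
    if ($localSql)                           { $findings += "SQL service runs as LocalSystem: $($localSql -join ', ')" }
    return $findings
}

$state = Get-HostSecurityState
$state | Format-List
Test-HostSecurityState -State $state | ForEach-Object { Write-Warning $_ }
```

The Guest account and the Administrators group are looked up by well-known SID rather than by name so the check survives localized Windows editions. Windows Firewall is the successor of the Internet Connection Firewall the slide names; on a 2005 Windows XP host the same facts would be read from the SharedAccess service configuration instead.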
LANDesk Security Suite
Spyware Detection and Removal
- Scan: trojans, malware, trackers, keyloggers, hijackers, dialers, cookies
- Detection: inclusion and exclusion of definitions from the search
- Removal: auto-fix capability, spyware removal
- Recovery: ability to restore files and registry settings removed during a removal process
- Reporting: to verify and see trends and repair rates
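Where the definitions slide earlier (browser helper objects, hijackers, autostart entries) and this scan / detect / remove / recover cycle meet, a minimal local equivalent, as an added example and not LANDesk's scanner: enumerate the places spyware of that era hooks into Internet Explorer and startup, compare them with a baseline, and export every affected registry key before it is touched so the change can be reverted. The baseline CLSID, autostart names and home page are placeholders; PowerShell 3 or later, run as Administrator:

```powershell
# Added example (not LANDesk code): scan IE Browser Helper Objects, autostart Run keys
# and the IE start page, flag everything outside a baseline, and back a key up before
# removing it so the change can be reverted (the "Recovery" step on the slide).
# Assumed: PowerShell 3+, elevated session; all baseline values are placeholders.

$KnownGoodBho = @('{18DF081C-E8AD-4283-A596-FA578C2EBDC3}')   # placeholder CLSID list
$KnownGoodRun = @('SecurityHealth', 'OneDrive')                # placeholder autostart names
$ExpectedHome = 'https://intranet.example.com/'                # placeholder home page
$BackupDir    = "$env:ProgramData\SpywareScan\backup"

function Get-BrowserHelperObjects {
    # A BHO registers its CLSID under these keys; IE loads the DLL named in
    # HKCR\CLSID\{clsid}\InprocServer32 at every start, which is why hijackers use them.
    $bhoKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $clsid = $sub.PSChildName
            $srv   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll   = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
            $sig   = 'NoFile'
            if ($dll) {
                $dll = [Environment]::ExpandEnvironmentVariables($dll).Trim('"')
                if (Test-Path $dll) { $sig = (Get-AuthenticodeSignature $dll).Status }
            }
            [pscustomobject]@{ Kind='BHO'; Key=$sub.PSPath; Name=$clsid; Target=$dll; Signature=$sig }
        }
    }
}

function Get-AutostartEntries {
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # skip PSPath, PSParentPath, ...
            [pscustomobject]@{ Kind='Run'; Key=$key; Name=$p.Name; Target=$p.Value; Signature='' }
        }
    }
}

function Get-SpywareFindings {
    $findings = @()
    $findings += Get-BrowserHelperObjects | Where-Object { $KnownGoodBho -notcontains $_.Name }
    $findings += Get-AutostartEntries     | Where-Object { $KnownGoodRun -notcontains $_.Name }
    $main = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $home = (Get-ItemProperty $main -ErrorAction SilentlyContinue).'Start Page'
    if ($home -and $home -ne $ExpectedHome) {
        $findings += [pscustomobject]@{ Kind='Hijack'; Key=$main; Name='Start Page'; Target=$home; Signature='' }
    }
    return $findings
}

function Backup-RegistryKey {
    param([Parameter(Mandatory)][string]$PSPath)
    # reg.exe wants the native form (HKEY_LOCAL_MACHINE\...), not the PS drive form.
    $native = (Get-Item $PSPath).Name
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $file = Join-Path $BackupDir (($native -replace '[\\:{}]', '_') + '.reg')
    reg.exe export "$native" "$file" /y | Out-Null
    return $file   # restore later with: reg.exe import <file>
}

function Remove-Finding {
    param([Parameter(Mandatory)]$Finding)
    $backup = Backup-RegistryKey -PSPath $Finding.Key
    switch ($Finding.Kind) {
        'BHO'    { Remove-Item -Path $Finding.Key -Recurse -Force }
        'Run'    { Remove-ItemProperty -Path $Finding.Key -Name $Finding.Name }
        'Hijack' { Set-ItemProperty -Path $Finding.Key -Name 'Start Page' -Value $ExpectedHome }
    }
    Write-Host "Removed $($Finding.Kind) '$($Finding.Name)'; backup at $backup"
}

# Scan and report; remove only after review, e.g. Get-SpywareFindings | ForEach-Object { Remove-Finding $_ }
Get-SpywareFindings | Format-Table Kind, Name, Target, Signature -AutoSize
```

This is an allow-list scan, the inverse of the definition-driven detection the slide describes: anything not in the baseline is reported, which catches unknown hijackers but also every legitimate add-in you forgot to list, so the baseline has to be maintained per image. The Authenticode status column is what you look at first when triaging a BHO finding; an unsigned DLL in a user-writable directory is the classic hijacker profile.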
LANDesk Security Suite
Application Blocker
Detection
- Predefined list of suggested applications to block
- Content provided by LANDesk
- Configurable list that can be supplemented with custom applications
Denial
- Block and deny the execution of detected unwanted applications
- Block applications that don't comply with corporate standards
- Increases security and productivity
LANDesk Security Suite
Patch Manager
Patch install history
- Display of patches installed on a node
Patch uninstall capability
- Detect patches installed by LANDesk or other means
- Right-click option to remove an installed patch
Heterogeneous platform support
- Linux vulnerability assessment: Red Hat (WS, AS, ES), SuSE 9.1
- Macintosh remediation
Product Overview
Patch Manager (cont.)
Enhanced client configuration
- Run settings for the Security and Patch Scanner: at login (Run key), local scheduler
- Never reboot
- Never auto-fix
- Select "end user setting" for the client when the scan is run at login or by the local scheduler
Product Overview
Patch Manager (cont.)
Create/edit end user settings
- General: show scan progress; allow user to cancel scan
- Repair: custom prompt before repair; bandwidth control percentage
- Reboot: custom prompt before reboot; snooze or delay of reboot; allow user to cancel reboot; behaviour when there is no interaction at the client within a specified time
- MSI: package location and authentication
Product Overview
Patch Manager (cont.)
Reports
- Added 30+ Security and Patch Manager reports to the WinConsole
- Added vulnerability reports to the WebConsole
Product Overview
Patch Manager (cont.)
Pre-stage patches
- Select to have the patch deployed to the clients but not initiate an install or repair
- This all occurs while decisions are being made whether to install or not
- Once the "GO" is decided, follow with a second job that only installs the patch that is in the cache
LANDesk Security Suite
LANDesk Updates
- Update definitions and patches will be hosted on a content site to provide updates for LANDesk Management Suite
- LANDesk Update will support updating the Core, Console, WebConsole and Client
Update of LANDesk components
- Download up-to-date definitions from LANDesk
- Select which updates to scan for
- Create policies to update LANDesk software
LANDesk Security Suite
New "Security Suite" SKU
- Stand-alone offering
- Add-on to LANDesk Management Suite
Security Suite components
- Patch Management
- Anti-Spyware
- Security Threat Analyzer
- Application Blocker
- User-defined Vulnerabilities
- Connection Control Manager
- LANDesk Updates
Stop Counting Attacks
Start Closing Gaps
Thank you for your attention