Challenges in combating malware technologies

15 February 2012 | In Development | 242 views | By


Until recently, combating malicious software (malware) meant controlling viruses and worms, plus a few kinds of spyware that tried to profile users' browsing behaviour on the internet. The main challenge back then was understanding the difference between a virus and a worm: a virus is usually tied to a user action and relies on an external propagation vector (an executable file, a DOC file, and so on), whereas a worm spreads by itself across the network, usually by exploiting a vulnerability either on a server or on a user's machine.

To block this kind of malicious artifact you need a signature (in the antivirus, or a rule in a next-generation IPS) that identifies and blocks it, so as to prevent a server from being infected. Incidentally, this is one of the major paradigm shifts we face today: the server is no longer the favourite target of these virtual plagues. What happens with increasing frequency is exploitation of the user's machine, what we call "client-side attacks". In this type of attack the point is to exploit vulnerabilities in the user's browser (Internet Explorer, Firefox, etc.) or in applications installed on that equipment (especially Flash Player and Adobe Acrobat Reader).

Companies often worry a great deal about applying security patches to servers and about perimeter protection tools such as firewalls, IPS, content filters and so on, but very little is done to keep users' equipment up to date. Security tools combined with a sound security policy, constant monitoring of the environment and staff training in attack and defence techniques (yes, this is critical) certainly help a lot in combating the various virtual pests.

It is very important never to forget mobile equipment (laptops, mobile phones, tablets), which at the same time forces us to expand our notion of the outer perimeter. Once these mobile devices leave the corporate network, all the defences that exist on the company network disappear and they are exposed to a much larger risk. Examples abound: equipment using wi-fi networks in places such as airports and hotels, not to mention when we let a child install a game or download something from torrent networks.

As if the alphabet soup of acronyms we are obliged to memorise (virus, worm, spyware, trojan, phishing, etc.) were not enough, we now also have the "famous" APT (Advanced Persistent Threat). A new name for old techniques.

The big difference between an APT and what already existed is this: rather than a generic email about viagra, or about that African prince who needs your help to get his country's fortune out, an APT uses spear phishing. Spear phishing is an attack targeted at the employee/user who works at the target company. Once that employee runs the file or otherwise infects the machine, the company's network and equipment can be controlled remotely.

It is definitely not difficult to prepare a targeted attack. A Google search for "@company-domain" is enough to see how many email addresses are posted to newsgroups and the like. A few years ago, in a penetration test performed for a particular customer, we managed to identify a network user who took part in a discussion group about Christianity. I need not say how effective it was to send this user a link to download a brand-new electronic version of the Bible (properly prepared for remote control of the victim's equipment, of course). In other words, just use any subject that has already caught the interest of this user (employee). The chance that they click, or do whatever is asked, is almost 100%.

To summarise, there is no magic formula that avoids all the attacks mentioned, but we can certainly list some basic recommendations:

1. Monitor, monitor and monitor. If possible, monitor some more. A well-trained team with the right tooling, collecting and correlating logs, can surely identify network traffic anomalies that may indicate the presence of an APT;

2. Have the right tools: SIEM, IPS, firewall, content filter and anti-spam, antivirus (yes, it is still useful and important) and anti-malware (especially products that understand anomalous behaviour);

3. Have a strict vulnerability-management policy. Keeping the environment up to date is essential. Yes, we know there are attacks that exploit 0-day vulnerabilities, but we can assure you they represent a very small share of attacks. There are still machines on the Internet that got infected through the user's fault, or the company's, for not having applied a simple patch;

4. A trained team is a motivated team. Information security is a broad and stimulating subject. The other side is highly motivated and exchanges information all the time. If your company cannot count on a team prepared for this, hire a company that can, and hold it to a strict SLA;

5. Never neglect the endpoint. Antivirus is important but cannot be the only layer of defence on a desktop/laptop/tablet. Attacks increasingly use techniques that mask their presence, and tools based only on signatures cannot identify them.
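As an added illustration of items 1 and 5 (this is example code written for this page, not code from the original article), the script below runs a signature check and a simple behaviour check over a constructed set of web-proxy log lines. The log format, hostnames, client addresses and the blocklist are all assumptions made for the example. The signature layer finds nothing, because the command-and-control host is not on the list; the behaviour layer flags it anyway, because one client contacts it every 60 seconds with near-identical tiny requests, the "beaconing" pattern of a machine waiting for remote instructions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of web-proxy log lines; these are NOT from any real
# system. Assumed format: <ISO timestamp> <client IP> <destination host> <bytes>
PROXY_LOG = """\
2012-02-15T09:00:03 10.1.2.34 news.example.com 4102
2012-02-15T09:00:11 10.1.2.34 update.vendor.example 51234
2012-02-15T09:00:14 10.1.2.34 cdn.vendor.example 130544
2012-02-15T09:01:03 10.1.2.34 stats.example-host.net 312
2012-02-15T09:02:03 10.1.2.34 stats.example-host.net 298
2012-02-15T09:02:40 10.1.2.34 mail.example.com 9001
2012-02-15T09:03:03 10.1.2.34 stats.example-host.net 305
2012-02-15T09:04:03 10.1.2.34 stats.example-host.net 310
2012-02-15T09:04:45 10.1.2.34 news.example.com 3899
2012-02-15T09:05:03 10.1.2.34 stats.example-host.net 301
2012-02-15T09:06:03 10.1.2.34 stats.example-host.net 299
2012-02-15T09:06:30 10.1.2.35 news.example.com 4210
2012-02-15T09:07:03 10.1.2.34 stats.example-host.net 308
2012-02-15T09:08:03 10.1.2.34 stats.example-host.net 303
2012-02-15T09:12:30 10.1.2.35 mail.example.com 7700
2012-02-15T09:20:00 10.1.2.35 news.example.com 4055
"""

# Hypothetical signature feed of known-bad hosts. The beaconing host above is
# deliberately absent from it: that is the gap a behaviour check has to cover.
KNOWN_BAD_HOSTS = {"evil.example.org", "c2.bad.example"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Parse log lines into (timestamp, client, host, bytes) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts, client, host, size = m.groups()
        events.append((datetime.fromisoformat(ts), client, host, int(size)))
    return events


def signature_hits(events):
    """Signature layer: flag only destinations already on the blocklist."""
    return {(client, host) for _, client, host, _ in events if host in KNOWN_BAD_HOSTS}


def find_beacons(events, min_count=6, max_cv=0.2):
    """Behaviour layer: flag (client, host) pairs contacted at near-constant
    intervals. The coefficient of variation (stdev / mean) of the gaps between
    requests stays low for a beacon even if the implant adds some jitter, and
    is high for a human browsing."""
    by_pair = defaultdict(list)
    for ts, client, host, size in events:
        by_pair[(client, host)].append((ts, size))

    beacons = []
    for (client, host), hits in by_pair.items():
        if len(hits) < min_count:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            beacons.append({
                "client": client,
                "host": host,
                "count": len(hits),
                "mean_interval_s": avg,
                "interval_cv": cv,
                "mean_bytes": mean(size for _, size in hits),
            })
    return beacons


if __name__ == "__main__":
    evs = parse_log(PROXY_LOG)
    print("signature hits:", signature_hits(evs) or "none")
    for b in find_beacons(evs):
        print("possible beacon:", b)
```

Treat the output as leads for an analyst, not verdicts: software updaters, monitoring agents and chat clients also poll on fixed schedules, so the next step is to check who owns the destination and what the client is. Tune `min_count` and `max_cv` to the environment, and remember that a careful implant sleeps for hours and randomises its timing, which is exactly why log retention and correlation over long windows matter more than any single threshold.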

With information from olhardigital .br

Web designer, hardware technician, mechatronics technician and medical student.
