Best practices in managing your devices and applications
Jérôme Bei

Upload: brice-montgomery, posted 25-Dec-2015

Did the bad guys surrender?

There have been no massive attacks lately... WHY?

• Broadband attacks make CSOs increase their IT security
• Lack of massive attacks makes CSOs think their systems are secure
• Today, we're facing targeted attacks
  • silent and focused
  • goal: steal know-how
  • victims will hardly admit data theft

Botnets Today

• 2 million endpoints controlled by Conficker (source: Heise)
• Total Conficker infections: 15 million endpoints (source: Heise)
• 300.000 endpoints controlled by Torpig (source: UCSB)
• 5% of all company hosts infected by botnet worms (source: Damballa study)

ARE YOU PART OF A BOTNET?

Borderless Networks

Who enters your network?
• Mobile Workers
• Trading Partners
• Customers
• Vendors

THEY WALK RIGHT PAST YOUR FIREWALL!

As a consequence, the security solution needs to be host based.

Do you feel safe with AV only?

April 2006: 16 leading anti-virus vendors tested for 243.671 pieces of known malware
• One vendor missed OVER 90.000 pieces of malware
• 4 out of 16 missed over 10.000 of them!
(www.av-comparatives.org)

Do you feel safe with AV only?

February 2007: 15 leading anti-virus vendors tested for 481.850 pieces of known malware
• One vendor missed OVER 80.000 pieces of malware
• Another vendor missed 30.000 of them!
• NO vendor had all needed patterns!
(www.av-comparatives.org)

Do you feel safe with AV only?

May 2009: 16 leading anti-virus vendors tested for proactive heuristic detection
• One vendor missed OVER 86% of malware
• The best vendor still missed 31%
• NO vendor detected all tested malware!
(www.av-comparatives.org)

Remote Exploit – a complex task?

HTTP://WWW.REMOTE-EXPLOIT.ORG/BACKTRACK_DOWNLOAD.HTML

Ready-Made Exploit Frameworks

MS08-067 RPC

Lumension Application Control

[Diagram: applications ranked by RISK on one axis, and how far each approach MANAGEs them on the other]

Application categories:
• AUTHORIZED: Operating Systems, Business Software
• KNOWN malware: Viruses, Worms, Trojan Horses, Spyware
• UNWANTED: Games, Shareware, Unlicensed software
• UNKNOWN malware: Viruses, Worms, Trojan Horses, Spyware

The same categories are shown under the BLACK LIST APPROACH (block what is known to be bad) and under the WHITE LIST APPROACH (run only what is authorized).

Black List vs. White List

Unwanted Software (Games, Players, ...)
  Black List: Not supported
  White List: Denied by default

Updates
  Black List: Weekly, daily, hourly
  White List: Only when new applications / patches are installed

Zero day protection
  Black List: New malware is always one step ahead
  White List: Implicit

Operational performance
  Black List: File filter slows down performance + pattern comparison
  White List: Kernel based (= fast), no pattern comparison required

Scalability
  Black List: Today: 800.000. Tomorrow? Next year?
  White List: Heavily loaded PC with 50 applications has 25.000 signatures – STABLE

Product Operation – Application Control

Individual users and groups of users (e.g. Accounting, Sales People, Network Admins, Support Team)

0. IDENTIFY EXE SOURCES
   • Operating Systems
   • Standard Software
   • Customer specific applications
   • Use SFDs

1. COLLECT
   • Scan Explorer
   • Log Explorer
   • EXE Explorer
   Result: signature files

2. ORGANIZE INTO FILE GROUPS
   • Admin Tools
   • Entertainment
   • Communication
   • MS Office
   • etc...

3. ASSIGN RIGHTS TO EXECUTE
   What do users / groups of users need to run on their machine to perform their allowed tasks? Users can now only run the executables they are allowed to.

Product Operation

Components: SQL database (cluster), SecureWave Application Server(s), kernel driver on the client. Active Directory / eDirectory synchronizes users, groups and computer accounts periodically. Policies carry a digital signature.

1. Client boots, user logs on, computer connects to the corporate network.
2. Client driver sends identification message (= machine ID, user ID, domain ID, group IDs, driver version, OS version).
3. The Application Server queries the database for access rules and caches results.
4. The access rules are created, cryptographic signatures are added and the access rules are pushed to the client driver.
5. The access rules are cached locally; policy enforcement is performed at kernel level.
6. Computer may leave the corporate network and will stay secure due to the local white list.

How Application Control works

Users send an application execution request to the kernel driver. The driver generates the file signature using a SHA-1 hash (e.g. 0x20ee7cf645efeba7C81bd660fe307) and compares it with the list of centrally authorized file signatures.

Case 1: the list of centrally authorized file signatures contains
  0x7ddf86e8a4672a420760b8809a1c
  0xcbac13bb07f7dd0e10e93f4b63de9
  0xd535561209f0199f63b72c2ebc13c
  0x4e4f36b5b2cf0c9ec85372ff8a7548
No matching signature. Authorization? No. File execution is denied and the attempt is logged.

Case 2: the list of centrally authorized file signatures contains
  0x7ddf86e8a4672a420760b8809a1c
  0xcbac13bb07f7dd0e10e93f4b63de9
  0xd535561209f0199f63b72c2ebc13c
  0x20ee7cf645efeba7C81bd660fe307
The signature 0x20ee7cf645efeba7C81bd660fe307 matches. Authorization? Yes. The file executes and the execution is logged.
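The two cases above, together with the signed rule push from the product operation steps, modelled in Python as an added example (not the product's code): constructed sample files are hashed with SHA-1, the rule list is verified before use, and every verdict is logged. The file contents, the key and the HMAC stand-in for the product's private/public key signature are assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample executables: the byte strings stand in for real PE images.
EXECUTABLES = {
    "notepad.exe": b"MZ\x90\x00constructed-notepad-image",
    "winword.exe": b"MZ\x90\x00constructed-word-image",
    "unknown.exe": b"MZ\x90\x00constructed-unknown-binary",
}

def file_signature(data: bytes) -> str:
    """File signature as on the slide: the SHA-1 hash of the file content (40 hex chars)."""
    return hashlib.sha1(data).hexdigest()

# Central list of authorized signatures (the outcome of 'assign rights to execute');
# only notepad and word are approved, the unknown binary has no entry.
AUTHORIZED = sorted(file_signature(EXECUTABLES[n]) for n in ("notepad.exe", "winword.exe"))

# The server signs the rule set before pushing it to the client driver. The product
# uses a private/public key pair; HMAC-SHA256 with a shared key is the stand-in here
# so the example runs on the standard library alone (assumption, not the product's scheme).
SERVER_KEY = b"constructed-demo-key"

def sign_rules(rules: list, key: bytes = SERVER_KEY) -> dict:
    body = json.dumps(rules, sort_keys=True).encode()
    return {"rules": rules, "sig": hmac.new(key, body, "sha256").hexdigest()}

def verify_rules(pushed: dict, key: bytes = SERVER_KEY) -> set:
    """Client side: accept the rule list only if its signature checks out."""
    body = json.dumps(pushed["rules"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, pushed["sig"]):
        raise ValueError("rule list signature invalid: rules rejected")
    return set(pushed["rules"])

def execution_decision(name: str, data: bytes, allowed: set, log: list) -> bool:
    """Kernel-driver decision: execute only on a matching signature, log either way."""
    sig = file_signature(data)
    verdict = sig in allowed
    log.append(f"{name} sha1={sig} {'EXECUTE' if verdict else 'DENIED'}")
    return verdict

if __name__ == "__main__":
    allowed = verify_rules(sign_rules(AUTHORIZED))
    log = []
    for name, data in EXECUTABLES.items():
        execution_decision(name, data, allowed, log)
    print("\n".join(log))
```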

Major Features

White List

Full Macro Protection

Instant Policy Updates

Offline Protection

NT / AD Domain / Novell eDirectory support

Silent Unattended Installation

Optimized Network Communication

Learning Mode

Logging & Auditing

Demo

Social Engineering the USB way

Security Audit at a credit union (Source: http://www.darkreading.com)

Step 1: Prepare 20 USB drives with a trojan horse that gathers critical data (such as user account information) from the PC it is connected to and sends it by email.
Step 2: Drop these USB drives within the accommodations of the company.
Step 3: Wait 3 days ...
Result: 15 out of 20 drives have been used by employees; critical data from their PCs has been exposed.

Consequences of theft and data loss

Lumension Device Control

Assign and Go

Individual users and groups of users (e.g. Accounting, Sales People, Network Admins, Support Team)

0. IDENTIFY DEVICES AND MEDIA
   • Devices: CD / DVD ROMs, modem, removable media, USB printer
   • Unique media: CD / DVD, Zip drives, Disk on Key

1.1 PREDEFINED DEVICE CLASSES
1.2 SPECIFIC DEVICE TYPE / BRAND (examples in the diagram: USB Disk Pro, SND1 MP3 Player)
1.3 ADD SPECIFIC MEDIA (media list)

3. ASSIGN ACCESS ATTRIBUTES
   What are the users' / user groups' needs in terms of device / media access rights to perform their allowed tasks? Users can now access their allowed devices / media according to their granted attributes.

Managed Device Access Control

Users send a device access request to the kernel driver. The driver performs a known device check against the list of classes & known devices, then evaluates the device policies (users, groups, device classes, devices and access attributes).

Case 1: Known device? Yes. Authorization? Yes. Device access is granted and logged.

Case 2: Known device? Yes. Authorization? No. No access, and the request is logged.

Implementing Device Control

Sales
  Requirement gathering: Use memory keys
  Security requirements: Only with encryption; audit of copied data
  Operational implications: Standard rule for sales to use memory keys with decentralized encryption and shadowing

Sales
  Requirement gathering: Wireless network
  Security requirements: Only outside corporate network
  Operational implications: Offline rule for notebooks with wireless cards

Marketing
  Requirement gathering: Usage of digital cameras
  Security requirements: Only during business hours; no misuse as data storage
  Operational implications: Time-based rule for digital camera usage, with filter on image data (JPG, GIF, BMP)

Marketing
  Requirement gathering: Usage of CDs / DVDs
  Security requirements: Only specific media
  Operational implications: Explicit assignment of specific media

Front Desk
  Requirement gathering: Badge printing
  Security requirements: Deny usage of any other device
  Operational implications: Machine-based „Lockdown“, standard rule for local printer

Support Dept.
  Requirement gathering: Usage of customer devices
  Security requirements: Prevent data loss (customer data / internal data)
  Operational implications: Standard rule for read-only access to customer devices

Production server
  Requirement gathering: Maximum stability
  Security requirements: Deny any device usage
  Operational implications: Machine-based „Lockdown“

Encryption with Device Control

1) Administrator creates encryption rule

2) User plugs in memory key

3) Transparent encryption on corporate computers

4) Volume Browser tool on stick for 3rd party computers

Access Attributes

• Read and / or Write
• Scheduled Access
  • From 08:00h to 18:00h Monday to Friday
• Temporary Access
  • For the next 15 minutes
  • Starting next Monday, for 2 days
• Online / Offline
  • Assign permissions when no network connection is present, all device classes supported
• Quota Management
  • Limit copied data to 100 MB / day
• Encryption enforcement
  • Access is granted only if the medium has been encrypted (decentralized encryption), with password recovery option
• File Type Filtering
  • Limit the access to specific file types

Attributes can be allocated to...

• A complete device class (e.g. all USB printers)
• A device sub class (e.g. USB printer HP 7575, CD/DVD Nec 3520A)
• A unique device, based on encryption or serial number
• Specific CDs / DVDs
• A specific bus (USB, IrDA, Firewire...)
• Groups of devices
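The requirement table (Implementing Device Control) and the access attributes above describe the same rule types: read-only access, scheduled access, daily quota, encryption enforcement, file type filtering and machine-based lockdown. This added Python policy evaluator (not the product's code) applies those checks to constructed rules; the Rule fields, group and device class names, and the timestamps are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed rules mirroring the slide's requirement table and access attributes.
@dataclass
class Rule:
    group: str
    device_class: str            # "*" = machine-based lockdown of every class
    access: str = "none"         # "none", "read" or "read-write"
    hours: tuple = None          # (start, end) hour, granted Monday to Friday only
    quota_mb: float = None       # copied data allowed per group and day
    file_types: frozenset = None # allowed extensions; None = no filter
    require_encrypted: bool = False

RULES = [
    Rule("Sales", "removable", "read-write", quota_mb=100, require_encrypted=True),
    Rule("Marketing", "camera", "read", hours=(8, 18),
         file_types=frozenset({"jpg", "gif", "bmp"})),
    Rule("Support", "removable", "read"),   # customer devices are read-only
    Rule("Production", "*", "none"),        # lockdown: deny any device usage
]

WEEKDAY_10H = datetime(2015, 12, 23, 10, 0)   # constructed: a Wednesday, 10:00
SATURDAY_10H = datetime(2015, 12, 26, 10, 0)  # constructed: a Saturday, 10:00

def find_rule(group, device_class):
    return next((r for r in RULES if r.group == group and r.device_class in (device_class, "*")), None)

def decide(group, device_class, op, when, used_mb,
           filename="", size_mb=0.0, encrypted=False):
    """Evaluate one device access request; returns (granted, reason).
    used_mb is the driver's running count of data copied per (group, day)."""
    rule = find_rule(group, device_class)
    if rule is None or rule.access == "none":
        return False, "no rule or lockdown"
    if op == "write" and rule.access != "read-write":
        return False, "read-only access"
    if rule.hours and not (when.weekday() < 5 and rule.hours[0] <= when.hour < rule.hours[1]):
        return False, "outside scheduled access window"
    if rule.require_encrypted and not encrypted:
        return False, "medium not encrypted"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if rule.file_types is not None and ext not in rule.file_types:
        return False, f"file type '{ext}' filtered"
    if rule.quota_mb is not None and op == "write":
        key = (group, when.date())
        if used_mb.get(key, 0.0) + size_mb > rule.quota_mb:
            return False, "daily quota exceeded"
        used_mb[key] = used_mb.get(key, 0.0) + size_mb
    return True, "granted"
```

Each denied decision returns the reason string, which is what the user actions log would record as "read denied" or "write denied".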

Security Features

• Kernel Driver
  • Invisible (no task manager process)
  • Fast (no performance loss)
  • Compatible (no conflict with other software)
• Encryption of devices with AES
  • AES 256 = market standard
  • Fast and transparent within the network
  • Strong password enforcement for usage outside the corporate network
• Client / Server Traffic
  • Private/public key mechanism
  • Impossible to tamper with
  • Easily generated and deployed

Security Features

• Client Hardening
  • Even a local administrator cannot uninstall the client
  • Prevention from keyloggers
• Removable Media Encryption
  • Assign any removable media to any user and then encrypt the media. The encrypted device is accessible only by the user who owns the access rights on the removable media.
• Offline Protection
  • Local copy of the latest device access permission list stored on the disconnected workstation or laptop

Auditing & Logging

• User Actions Logging
  • Read denied / write denied
  • Device entered / medium inserted
  • Open API for 3rd party reporting tools
• Shadowing of all copied data
  • Level 1: shows file name and attributes of copied data
  • Level 2: captures and retains a full copy of data written to an external device or read from such a device
• Administrator Auditing
  • Keeps track of all policy changes made by SDC admins

Demo