Software security threats and employee awareness trainingDate: Jul 15, 2009
How secure is the software produced today? Is it possible to keep attackers out of your network if they're determined to get in? What strategies for employee security awareness training are most effective at stopping malware?
In part one of this video series, Greg Hoglund explains how enterprises can face these challenging questions in order to strengthen their security programs and keep sensitive data in the right hands.
Part two: Latest malware threats
About the speaker:
Greg Hoglund is the CEO of HBGary Inc. and creator of the first rootkit.
Read the full transcript from this video below:
Software security threats and employee awareness training
Greg Hoglund: I still hold the same opinion, same problem is simply that the attacker was always going to engineer a way into the network and so that's all they do. They have something to gain, and so they're going to get in and they're going to build superior technology, that technology will be able to bypass whatever security technology commercially, in many cases, that an enterprise has. One thing just to keep in mind about this, is an attacker has the ability to obtain that technology themselves, so it shouldn't take a rocket scientist to figure out they can actually evaluate an equality assurance process whether or not they're weapons are able to bypass those technologies. Vulnerabilities are always available in products, they are reported about every week and those products have more vulnerabilities these days with things like desktop applications, Adobe products, Microsoft Office Suite, Excel spreadsheets, PDF, ActiveX, these are the methods by which people are getting into the networks. They can obtain access to this technology very easily, analyze it for vulnerabilities.
Let's say that you have a virus scanner on your computer or at the enterprise level. What do you know? The bad guy can purchase that virus scanner as well. He can purchase every single virus scanner that's down there on the floor today at RSA, and he can have a copy of every single one and make sure that his attack, his or her attack, does not have any detections occurring in the products, blocked in any way. It's no surprise that 80% of the malware that's released, the top three AV vendors can't detect. I forget where that quote came from, ZDNet, I think. I picked that up a while back. So that's a pretty daunting figure, 80% of the malware that's coming out daily is not detected by the AV vendors. That's a pretty serious problem for the enterprise.
One of the interesting ways that detection technology works is, usually its signature-based. Signature-based, that word has some meaning and some background. Usually there is a description that's very specific to the format of the attack, the exploit vector or the malware itself is placed onto a computer. The "bad guys," if you want to call them that, these guys have created software mechanisms to change the way that a binary, executable formatted, one of these ways is known as a packer, another term that may be used is anti-detection, or anti-forensics, and what it does is it changes the format in which it comes onto the computer so that the signature no longer will match against. It's a matching problem and one of the numbers at HPGary can kick around internally is there's about 55,000 new malware every single day being released. Obviously a developer can't sit there and write 55,000 new pieces of software every morning. They're taking toolkits and they're using them with automation to repackage them, and repackage them and repackage them, so that they don't look the same, and thus, the signature-based analysis doesn't pick it up.
Remember this, just because something is signed and its whitelisted and its part of a gold billed, these are some of the things that people are talking about in the industry right now. Whitelisting is a great example of that. Just because its white listed, does not mean it's secure, and this is not meant as an offense against Microsoft, but we are whitelisting and signing all these Microsoft binaries but those binaries are also, every time a new patch Tuesday rolls around, a lot of these binaries have vulnerabilities that are being fixed. It's just the nature of software. So don't make a mistaken assumption that because it was signed, it's secure.
Once it's signed and loaded up on a clean system, that's great, but soon as you put that system online and use it for real work, you're bringing in data from the cloud, if you will. You're bringing in data from your social networks, you're bringing in data from your co-workers, spear phishing, other types of things and other attacks can come in. Websites that you visit bring data into your system bring data into your system. The surfaces that are rendering that data is rich content, showing you the PDF document, showing you the ActiveX, these are vulnerable, and they're vulnerable and they can be exploited and malware can be placed on the machine. Vulnerable in the strictest sense by things like a good old buffer overflow. Other types of vulnerabilities, just oversights in the security architecture that allow, let me use an example. An ActiveX control to place a file somewhere that it shouldn't be able to place a file there. It's not an exploit in the sense that it's a buffer overflow, it's just this piece of code can do more than it should be able to do in your environment.
Then, of course, there's the good old Trojan. Just executes as your permissions when you open a document. Let's say that I get an Excel spreadsheet. One of those was actually sent to HBGary not too long ago, it was the spear phishing attack. It was very clearly a spear phishing attack, open it in Excel, in a virtual environment and it did downloaded malware, got a dropper from a site over in China, sucked it down, started executing it. Excel spreadsheet with a special little extra something in there.
I would say one of the challenges that enterprises should focus on is the training. Train the employees not to trust attachments and messages from their co-workers that come in through social networking type applications. I'll give you an example. If someone were to penetrate my computer at work and send one of my engineers an instant message from me with a file or a link to click on, it's very likely they would click on that because they believe it to be coming from me.
Last year a fellow released a worm, took advantage of AOL instant messenger. He infected over 250,000 computers by simply sending spoof messages to everybody in the contacts list. The only thing he didn't do was make sure that his botnet, that was then installed, didn't attack government sites and China lake surface these guys over here. They actually detected the attack and busted the guy. People are in the habit of trusting face to face conversations, so we're having this conversation, you're standing right in front of me, we're belly to belly and we're having a conversation.
So when you say something to me, I know Neil's talking to me. Let's say that we're having a conversation through an instant messaging session. It's human nature for me to imagine it's you at the other end and I treat that the same way I trust, I treat you in a face-to-face conversation, but someone can very easily impersonate you in a digital environment where it'd be very, very difficult, unless you have a twin brother or someone, to impersonate you here right now. That's the problem. Bad guys can even automate that process of impersonation and so people should just be trained. Don't trust a digital conversation the same way you would treat one in the lunchroom.