IT-security in the Ubiquitous Computing World Chris Kuo, CISSP, CISA [email protected] Acer eDC...
IT-security in the Ubiquitous Computing World
Chris Kuo, CISSP, CISA
[email protected]
Acer eDC (e-Enabling Data Center)
Acer Inc.
2007/3/27
2
Goals of Information Security
Target of Protection: Data
Goals of Protection: Confidentiality, Integrity and Availability of Data
– Confidentiality: ensure the data is not disclosed improperly
– Integrity: ensure the data is correct
– Availability: ensure the data is available and timely
3
Attacks on availability of PC Grid
Enterprises may use PC grid to run complicated and critical applications that businesses rely on
PC grid relies on the health of underlying PCs
(Diagram: critical applications run on a virtualized computer built from many PCs, using security mechanisms of authentication, digital signature, encryption, etc.)
4
Emerging Client Security Issues (I)
Client security becomes more important
– In the past, security has been focused on perimeter (network devices) and servers
– Performance and capacities of client machines are increasing
– Client devices, such as NBs & PCs, are assuming greater roles in infrastructure with P2P and other emerging applications
– Clients may contain vital information just as servers do
5
Emerging Security Issues (II)
Attack origins shift
– Security deployment of client machines is often neglected
  • Virus pattern not updated, AV software turned off, …
– Client devices are easier than servers to hack
  • More unprotected channels: via e-mail or web-browsing
  • Loose security sense of device owners
– Clients are becoming the target of more and more attacks (malware: Trojans, backdoors, …)
– Client-originated outward communications are rarely blocked, and become the major channel for information leakage
– Client-originated internal attacks are much more effective than direct external assaults
6
Malware Breakout Scenarios
(A) Known virus: breakout due to faulty Anti-Virus (AV) software deployment
(B) Virus variant: existing AV is incapable of removing the variant version of the virus
(C) New malware: beyond the detection of any AV or IDS system
malware: virus, backdoor (Trojan), spyware, bot, …
(Chart: risk and detection & removal effort, each ranging from low to high, for scenarios (A) known virus, (B) virus variant and (C) new malware, with the defenses labelled AV system, AV monitoring and anti-malware monitoring.)
7
Targeted Phishing Mail Attacks
(Diagram: a hacker uses social engineering (phishing mail) to reach a PC user directly, despite VPN, firewall, intrusion detection and authentication, resulting in critical information leakage.)
8
Phishing Mail Testing Results
                                  1st test   2nd test
Number of tested persons          981        981
Number of mails for each person   10         10
Number of victims                 300+       200+
Ratio of victims                  35%+       25%+
Number of total test mails        9810       9810
Successful mails                  1000+      500+
Successful rate                   10%+       5%+
9
Fail to Detect Malware
(Slide shows a VirusTotal scan result: http://www.virustotal.com/en/indexf.html)
10
Defense Against Malware
(Chart as on slide 6: risk vs. detection & removal effort for (A) known virus, (B) virus variant and (C) new malware, with AV system, AV monitoring and anti-malware monitoring.)
Cause:
– new malware cannot be detected by AV or IDS
Phenomena:
– network congestion or system overload
– un-noticed information leak by backdoor
– devices can be illegally controlled remotely
Solution:
– monitor network behavior to catch malware activities
– identify malware hosts
– perform forensics on hosts
11
Malware Detection Example (I)
Set filtering rules and get events of interest
– Outbound connections from hosts in China, where the connections were denied by the firewall
12
Malware Detection Example (II)
The Event Diagram shows suspicious hosts
Inspect the hosts to get suspicious files
13
Malware Monitoring
Information Source: Firewall
– Firewall contains logs of all traffic transactions permitted or denied
– Considerable resources and capabilities are required to effectively analyze firewall logs, “in real-time!”
  • In Acer SOC, about 100M events per day!
Network Behavior Model
– From firewall logs, the legal/illegal network behavior model of a site may be constructed
– Rules to allow or detect/alert network behavior must be established
– Illegal behavior, once identified, must be alerted in the form of “security incidents”
– Response team must address security incidents in specified time (under SLA) and perform forensic actions to understand the intrusion
In 2006, Acer SOC uncovered >200 new malware!
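As an added example (not from the presentation or from Acer's SOC tooling), the following Python script applies the filtering rule of the detection example and the behavior-model steps of the monitoring slide to a few constructed firewall log lines: it normalizes the raw lines into events, keeps denied outbound connections to a watched destination prefix, counts them per internal host and turns every host reaching a threshold into an incident record. The log format, address prefixes and threshold are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample firewall log lines in a hypothetical key=value format
# (not Acer's real log format); addresses are documentation ranges.
SAMPLE_LOGS = """\
2007-03-20T09:01:02 fw1 action=deny src=10.1.5.23 dst=203.0.113.7 dport=6667 proto=tcp
2007-03-20T09:01:05 fw1 action=permit src=10.1.5.23 dst=10.1.0.5 dport=445 proto=tcp
2007-03-20T09:01:09 fw1 action=deny src=10.1.5.23 dst=203.0.113.9 dport=6667 proto=tcp
2007-03-20T09:01:14 fw1 action=deny src=10.1.5.23 dst=203.0.113.7 dport=6667 proto=tcp
2007-03-20T09:02:30 fw1 action=deny src=10.1.7.40 dst=198.51.100.4 dport=80 proto=tcp
2007-03-20T09:03:11 fw1 action=permit src=10.1.7.40 dst=198.51.100.4 dport=80 proto=tcp
this line is not a firewall event and must be skipped by the import layer
"""

# Assumed rule parameters: internal address space, and the destination prefixes an
# analyst has flagged as the "hosts in China" of the slide (a stand-in prefix).
INTERNAL_PREFIXES = ("10.",)
WATCHED_PREFIXES = ("203.0.113.",)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

def normalize(line):
    """Import layer: parse one raw line into an event dict, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_event_of_interest(ev):
    """Filtering rule: internal host -> watched destination, denied by the firewall."""
    return (ev["action"] == "deny"
            and ev["src"].startswith(INTERNAL_PREFIXES)
            and ev["dst"].startswith(WATCHED_PREFIXES))

def suspicious_hosts(log_text, threshold=3):
    """Behavior model: count events of interest per internal host; every host at or
    above the threshold becomes an incident record for the response team."""
    counts, destinations = defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        ev = normalize(line)
        if ev and is_event_of_interest(ev):
            counts[ev["src"]] += 1
            destinations[ev["src"]].add(ev["dst"])
    return {host: {"count": n, "dst": sorted(destinations[host])}
            for host, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for host, inc in suspicious_hosts(SAMPLE_LOGS).items():
        print(f"incident: {host} made {inc['count']} denied connections to {inc['dst']}")
```

A real deployment would replace the prefix list with a geolocation or reputation feed and feed the incident records into the case-creation step of the workflow system.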
14
Security Management Flow
(Diagram, bottom to top:)
Event Sources: Firewall, VPN, IDS/IPS, Anti-Virus, Switch, ...
Security Information Management System
– Import Layer: Message Aggregation, Message Normalization
– Intelligence Layer: Behavior Models, Analysis & Trend Tracking, Automatic Case Creation
Operation Workflow System
– Workflow Layer: Case Assignment, Trouble Shooting, Resolution and Tracking
15
Security Management Platform
A system to monitor/manage 1000+ customers
A system worth 2M~3M US dollars
A distributed PC grid may save money and management efforts
16
Summary
Ubiquitous computing (like PC grid) has raised the importance of client devices
Network behavior of client devices must be constructed to allow a comprehensive view on security
– Firewall logs are the sole source for understanding comprehensive network behavior
– Network behavior is monitored in real-time via SOC operations
Existing AV systems, along with SOC, are part of the defense infrastructure
Defense weaponry
– AV system: to detect any known virus events
– AV monitoring: collecting AV event messages from AV server
– Anti-malware monitoring: collecting firewall logs
Grid computing has the potential to be used in security information management
17
Q&A