Page 1: IT-security in the Ubiquitous Computing World

Chris Kuo, CISSP, CISA
Chris_kuo@acer.com.tw
Acer eDC (e-Enabling Data Center)
Acer Inc.
2007/3/27

Page 2: Goals of Information Security

Target of protection: data

Goals of protection: confidentiality, integrity and availability of data
– Confidentiality: ensure the data is not disclosed improperly
– Integrity: ensure the data is correct
– Availability: ensure the data is available and timely

Page 3: Attacks on Availability of PC Grid

Enterprises may use a PC grid to run complicated and critical applications on which businesses rely.

A PC grid relies on the health of the underlying PCs.

[Diagram: critical applications run on a PC grid, a virtualized computer built from many PCs (PC, PC, PC, ...) that uses security mechanisms such as authentication, digital signature, encryption, etc.]

Page 4: Emerging Client Security Issues (I)

Client security becomes more important
– In the past, security has been focused on the perimeter (network devices) and servers
– Performance and capacities of client machines are increasing
– Client devices, such as NBs and PCs, are assuming greater roles in the infrastructure with P2P and other emerging applications
– Clients may contain vital information just as servers do

Page 5: Emerging Security Issues (II)

Attack origins shift
– Security deployment on client machines is often neglected
• Virus pattern not updated, AV software turned off, ...
– Client devices are easier to hack than servers
• More unprotected channels: via e-mail or web browsing
• Loose security sense of device owners
– Clients are becoming the target of more and more attacks (malware: Trojans, backdoors, ...)
– Client-originated outward communications are rarely blocked, and have become the major channel for information leakage
– Client-originated internal attacks are much more effective than direct external assaults

Page 6: Malware Breakout Scenarios

(A) Known virus: breaks out due to faulty Anti-Virus (AV) software deployment
(B) Virus variant: the existing AV cannot remove the variant version of the virus
(C) New malware: beyond the detection of any AV or IDS system

malware: virus, backdoor (Trojan), spyware, bot, ...

[Chart: risk (low to high) plotted against detection and removal effort (low to high), running from virus to malware; the three scenarios (A) known virus, (B) virus variant and (C) new malware are arranged against the three defenses AV system, AV monitoring and anti-malware monitoring.]

Page 7: Targeted Phishing Mail Attacks

[Diagram: attack path from the hacker, past VPN, firewall, intrusion detection and authentication, to the PC user via social engineering (phishing mail), ending in critical information leakage.]

Page 8: Phishing Mail Testing Results

                                  1st test   2nd test
Number of tested persons               981        981
Number of mails for each person         10         10
Number of victims                     300+       200+
Ratio of victims                      35%+       25%+
Number of total test mails            9810       9810
Successful mails                     1000+       500+
Successful rate                       10%+        5%+

Page 9: Fail to Detect Malware

http://www.virustotal.com/en/indexf.html

Page 10: Defense Against Malware

[Chart: the same risk versus detection and removal effort chart as on page 6, with (A) known virus, (B) virus variant and (C) new malware arranged against AV system, AV monitoring and anti-malware monitoring.]

Cause:
– new malware cannot be detected by AV or IDS

Phenomena:
– network congestion or system overload
– unnoticed information leak through a backdoor
– devices can be illegally controlled remotely

Solution:
– monitor network behavior to catch malware activities
– identify malware hosts
– perform forensics on the hosts

Page 11: Malware Detection Example (I)

Set filtering rules and get the events of interest
– Outbound connections to hosts in China that the firewall denied

Page 12: Malware Detection Example (II)

The event diagram shows suspicious hosts

Inspect the hosts to get suspicious files

Page 13: Malware Monitoring

Information source: firewall
– The firewall contains logs of all traffic transactions, permitted or denied
– Considerable resources and capabilities are required to analyze firewall logs effectively, "in real time!"
• In Acer SOC, about 100M events per day!

Network behavior model
– From firewall logs, the legal/illegal network behavior model of a site may be constructed
– Rules to allow or to detect/alert on network behavior must be established
– Illegal behavior, once identified, must be raised in the form of "security incidents"
– The response team must address security incidents within a specified time (under SLA) and perform forensic actions to understand the intrusion

In 2006, Acer SOC uncovered >200 new malware!
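The detection flow of pages 10, 11 and 13 (filter firewall logs for denied outbound connections to a watched region, then identify the hosts behind them for inspection) as an added Python example; this is not code from the presentation or from Acer SOC. The log line format, the 10.0.0.0/8 internal range, the prefix-to-country table and the threshold of three denied connections are all assumptions constructed for the example; a real deployment would parse the firewall's own log format and consult a GeoIP database.

```python
"""Filter firewall logs for denied outbound traffic to a watched region and
aggregate the hits per internal host, producing incident records for triage."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (hypothetical one-line-per-connection format).
SAMPLE_FIREWALL_LOG = """\
2007-03-20 09:01:12 DENY tcp 10.1.20.15:3345 -> 203.0.113.7:8080
2007-03-20 09:01:13 DENY tcp 10.1.20.15:3346 -> 203.0.113.7:8080
2007-03-20 09:01:15 PERMIT tcp 10.1.20.15:3347 -> 192.0.2.10:80
2007-03-20 09:01:20 DENY tcp 10.1.20.15:3348 -> 203.0.113.9:443
2007-03-20 09:02:01 DENY udp 10.1.20.15:1033 -> 203.0.113.7:53
2007-03-20 09:02:30 DENY tcp 10.1.20.15:3349 -> 203.0.113.7:8080
2007-03-20 09:03:00 PERMIT tcp 10.1.20.44:4010 -> 192.0.2.10:80
2007-03-20 09:03:05 DENY tcp 10.1.20.44:4011 -> 203.0.113.7:8080
2007-03-20 09:04:00 DENY tcp 198.51.100.5:5555 -> 10.1.20.44:445
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>PERMIT|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Assumption: the site's internal address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed prefix-to-country table standing in for a GeoIP database;
# the documentation ranges below are only placeholders.
GEO_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "CN",
    ipaddress.ip_network("192.0.2.0/24"): "TW",
}


def parse_line(line):
    """Return a dict for one log line, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def country_of(ip):
    """Longest-match-free lookup; "??" means the prefix is unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_PREFIXES.items():
        if addr in net:
            return cc
    return "??"


def interesting_events(log_text, watched=("CN",)):
    """The filtering rule of page 11: denied, outbound, destination in a watched region."""
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] != "DENY":
            continue
        if not is_internal(ev["src"]) or is_internal(ev["dst"]):
            continue  # only traffic leaving the site counts as outbound
        if country_of(ev["dst"]) not in watched:
            continue
        events.append(ev)
    return events


def suspicious_hosts(events, threshold=3):
    """Group hits per source host; hosts at or above the threshold become incidents."""
    per_host = defaultdict(list)
    for ev in events:
        per_host[ev["src"]].append(ev)
    incidents = {}
    for host, evs in per_host.items():
        if len(evs) >= threshold:
            incidents[host] = {
                "count": len(evs),
                "destinations": sorted({f'{e["dst"]}:{e["dport"]}' for e in evs}),
                "first_seen": evs[0]["ts"],
                "last_seen": evs[-1]["ts"],
            }
    return incidents


if __name__ == "__main__":
    for host, info in suspicious_hosts(interesting_events(SAMPLE_FIREWALL_LOG)).items():
        print(f"inspect {host}: {info['count']} denied outbound hits, "
              f"destinations {info['destinations']}")
```

Only the host with repeated denials is raised for inspection; the single denied connection from the second host and the inbound denial from an external address stay below the rule, which is the kind of tuning the "rules to allow or to detect/alert" bullet on page 13 refers to.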

Page 14: Security Management Flow

[Diagram: event sources (firewall, VPN, IDS/IPS, anti-virus, switch, ...) feed the Security Information Management System, which consists of an import layer (message aggregation, message normalization) and an intelligence layer (behavior models, analysis and trend tracking, automatic case creation); cases then pass to the Operation Workflow System's workflow layer (case assignment, trouble shooting, resolution and tracking).]
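The import and intelligence layers of the flow on page 14 (normalize messages from different sources into one schema, aggregate repeats, and open cases automatically from rules) as an added Python example; this is not code from the presentation or from Acer's management platform. The two vendor message formats, the category rules and the repeat thresholds are constructed assumptions for the example.

```python
"""Normalize IDS and anti-virus messages into one schema, aggregate repeats,
and create cases automatically from simple rules."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class NormalizedEvent:
    """Common schema; the timestamp is deliberately left out so that repeated
    identical events collapse during aggregation."""
    source: str    # "ids" or "av"
    host: str      # affected internal host
    category: str  # e.g. "backdoor", "virus", "virus-removal-failed"
    detail: str


# Constructed sample messages in two hypothetical vendor formats.
IDS_LINES = [
    'ts=2007-03-21T10:00:01 sig="Backdoor.Trojan C2 beacon" src=10.1.20.15 dst=203.0.113.7 prio=1',
    'ts=2007-03-21T10:00:31 sig="Backdoor.Trojan C2 beacon" src=10.1.20.15 dst=203.0.113.7 prio=1',
    'ts=2007-03-21T10:01:02 sig="Backdoor.Trojan C2 beacon" src=10.1.20.15 dst=203.0.113.7 prio=1',
    'ts=2007-03-21T10:02:00 sig="HTTP long URI" src=10.1.20.44 dst=192.0.2.10 prio=3',
]
AV_LINES = [
    "2007-03-21 10:05:00,PC-20-15,10.1.20.15,W32/Sample.A,quarantined",
    "2007-03-21 10:05:10,PC-20-44,10.1.20.44,W32/Sample.A,clean failed",
]

IDS_RE = re.compile(r'ts=(\S+) sig="([^"]+)" src=(\S+) dst=(\S+) prio=(\d+)')


def normalize_ids(line):
    """Import layer: key=value IDS alert -> NormalizedEvent (None if unparseable)."""
    m = IDS_RE.search(line)
    if not m:
        return None
    _ts, sig, src, dst, prio = m.groups()
    category = "backdoor" if "backdoor" in sig.lower() else "ids-alert"
    return NormalizedEvent("ids", src, category, f"{sig} -> {dst} prio={prio}")


def normalize_av(line):
    """Import layer: comma-separated AV event -> NormalizedEvent (None if unparseable)."""
    parts = line.split(",")
    if len(parts) != 5:
        return None
    _ts, _name, ip, signature, action = parts
    category = "virus-removal-failed" if "failed" in action else "virus"
    return NormalizedEvent("av", ip, category, f"{signature} ({action})")


def aggregate(events):
    """Collapse identical normalized events into (event, count), preserving first-seen order."""
    counts = {}
    for ev in events:
        counts[ev] = counts.get(ev, 0) + 1
    return list(counts.items())


# Intelligence layer rules: category -> minimum repeat count that opens a case.
CASE_RULES = {"backdoor": 3, "virus-removal-failed": 1}


def create_cases(aggregated):
    """Automatic case creation: one case per aggregated event that meets a rule."""
    cases = []
    for ev, n in aggregated:
        need = CASE_RULES.get(ev.category)
        if need is not None and n >= need:
            cases.append({
                "host": ev.host, "category": ev.category, "count": n,
                "source": ev.source, "summary": ev.detail, "status": "assigned",
            })
    return cases


def run_pipeline(ids_lines, av_lines):
    """Sources -> import layer -> intelligence layer -> cases for the workflow layer."""
    events = [e for e in map(normalize_ids, ids_lines) if e is not None]
    events += [e for e in map(normalize_av, av_lines) if e is not None]
    return create_cases(aggregate(events))


if __name__ == "__main__":
    for case in run_pipeline(IDS_LINES, AV_LINES):
        print(case)
```

A single low-priority IDS alert and a successful quarantine produce no case; three identical backdoor beacons from one host and an AV clean failure do, which is the "automatic case creation" handed to case assignment in the workflow layer.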

Page 15: Security Management Platform

A system to monitor/manage 1000+ customers

A system worth 2M~3M US dollars

A distributed PC grid may save money and management effort

Page 16: Summary

Ubiquitous computing (like PC grid) has raised the importance of client devices

The network behavior of client devices must be modeled to allow a comprehensive view of security
– Firewall logs are the sole source for understanding comprehensive network behavior
– Network behavior is monitored in real time via SOC operations

Existing AV systems, along with the SOC, are part of the defense infrastructure

Defense weaponry
– AV system: to detect any known virus events
– AV monitoring: collecting AV event messages from the AV server
– Anti-malware monitoring: collecting firewall logs

Grid computing has the potential to be used in security information management

Page 17: Q&A