Preventive Protection for Large Companies

Transcription

Preventive Protection
for Large Companies
The information contained in this document represents the current
view of Panda Software, S.L. on the issues discussed herein as of
the date of publication. This document is for informational purposes
only. Panda Software, S.L. makes no warranties, express or implied,
in this document.
© Panda Software, S.L. 2004-2005.
Complying with all applicable copyright laws is the responsibility of
the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording or otherwise) or for any purpose,
without the express written permission of Panda Software , S.L.
Panda Software, S.L. may have patents, patent applications,
trademarks, copyrights or other intellectual property rights covering
subject matter in this document. Except as expressly provided in
any written license agreement from Panda Software, S.L. the
furnishing of this document does not give you any license to these
patents, trademarks, copyrights or other intellectual property.
T E C H N O L O G I E S
Compatible with
your current antivirus
The most intelligent technologies
to combat unknown viruses and intruders
www.pandasoftware.com
PREVENTIVE PROTECTION FOR LARGE COMPANIES
Contents
The Need For Preventive Security To Combat New Threats .................3
Target ....................................................................................................3
Executive Summary .................................................................................3
The Problem Posed By New Internet Threats........................................4
The Evolution Of Internet Threats ............................................................4
Impact On Companies .............................................................................7
What The Future Holds ..........................................................................10
The Need For A New Generation Of Security Solutions .............................12
Preventive Security ...............................................................................14
What Is Preventive Security? ..................................................................14
Phases Of Total Protection .....................................................................16
The Panda Approach..............................................................................17
TruPrevent Technologies ........................................................................18
A Practical Example ...............................................................................19
Now Is The Time To Take Actions...........................................................20
Conclusions ............................................................................................22
Appendix A. Panda Software Worldwide..............................................23
Appendix B. Glossary Of Terms.............................................................25
Appendix C. Abreviations And Acronyms..............................................27
Appendix D. References ........................................................................28
Index of tables and graphs
Figure 1. Evolution Of Computer Threats. .................................................................................................... 4
Table 1. Some Of The Biggest Threats To Emerge Over The Last Few Years. ..............................................6
Figure 2. The IT Security Threats That Caused The Most Problems For IT Managers In 2002. ..................7
Figure 3. IT Attacks In 2002. ......................................................................................................................... 8
Figure 4. IT Attacks In 2003. ......................................................................................................................... 9
Figure 5. Effects Of Virus Attacks In 2002. ................................................................................................... 10
Figure 6. Number Of Incidents Reported To Cert. ........................................................................................10
Figure 7. Damage Caused By Viruses In 2002.............................................................................................. 11
Figure 8. Attacks That Companies Will Have To Deal With...........................................................................11
Table 2. Conventional Security Systems. ....................................................................................................... 13
Figure 9. Proactive Security Philosophy. ...................................................................................................... 14
Figure 10. Phases Of Total Protection. ......................................................................................................... 16
Table 3. Methods Used By Internet Threats................................................................................................... 17
Figure 11. Expected Investment In IT Security. ............................................................................................. 20
Figure 12. Growth In Security Investment According To IDC. .....................................................................21
Figure 13. Number Of Security Products Deployed. .....................................................................................21
Contents
Copyright © 2004 Panda Software S.L. All rights reserved. This white paper is for information purposes only.
02
The Need For Preventive Security To
Combat New Threats
Target
This document is aimed at people in charge of any aspect of IT security in large companies:
IT security managers.
Systems administrators.
Security administrators.
CTO (Chief Technology Officer).
CIO (Chief Information Officer).
CSO (Chief Security Officer).
CPO (Chief Privacy Officer).
Executive Summary
IT attacks continue to cause losses in companies, despite high investment in security infrastructure,
such as firewalls or IDS (Intrusion Detection Systems). This leaves many IT (Information Technology)
security managers wondering why security holes keep opening in their companies, and what is the
best way to close them off, especially when it is getting more unmanageable to keep up with the
increasing number of security patches and upgrades released everyday.
The main weapons used by the majority of attacks to spread and penetrate corporate networks
are techniques like vulnerability exploits and social engineering, but also surprise and innovation.
A large number of attacks, including Code Red, SQLSlammer, MSBlaster, Mydoom, Netsky or Sasser,
have slipped past traditional security systems over the last few years, evidencing the need for new
preventive security tools that can detect and block new and unknown advanced threats before they
disrupt the business.
Panda Software understands that foresight and prevention are the most effective weapons for
combating the increasing number of attacks of all kinds. In this way, it is necessary a truly proactive
solution capable of minimizing the impact of new and unknown threats, while effectively complementing
traditional reactive security systems like firewalls, IDS and antivirus.
Based on this philosophy, Panda Software developed a solution that proactively protects IT assets
against massive or pinpoint attacks, that could compromise data integrity or cause financial damage
to companies. Pandas preventive security solution keeps network resources safe until security
patches and updates are released, maintaining productivity and reducing the cost of potential
attacks on vulnerable systems.
The need for preventive security to combat new threats
03
The Problem Posed By New Internet
Threats
The Evolution Of Internet Threats
Since the first generation of file infectors, boot viruses, etc., whose only means of transmission
was floppy disks, through the first macro viruses that appeared in 1995, to Internet viruses in 1999,
computer threats have become more widespread, sophisticated and damaging1.
1 According to Yankee Group, 80% of companies were hit by a virus or worm during 2003.
Similarly, according to the latest ICSA survey (ICSA Virus Prevalence Survey) 28% of large
organizations with more than 500 PCs have been affected by some kind of computer virus attack,
resulting in significant damage and financial costs. The result of sector studies show that computer
virus attacks cost companies worldwide 13,000 million dollars in 2001. This figure grew to 30,000
million dollars in 2002, and in 2003, the IT consultancy M12G put this cost to companies and
home users at 72,737 million dollars.
With the appearance of mass-mailing worms and blended threats over the last few years, attacks
have emerged that go beyond those of conventional viruses. Worms are programs that are very
similar to viruses, as they can also self-replicate and cause damage to computers. However, unlike
viruses, worms do not need to infect other files to replicate. They are used by hackers to reach
their targets and spread to as many computers as possible.
Figure 1. Evolution of computer threats.
The problem posed by new Internet threats
04
The risk posed by these types of threats can be largely attributed to the increased sophistication
of heterogeneous operating systems and applications used by companies, which results in multiple
security holes along corporate networks. Hackers use many different strategies to ensure that their
creations are spread and run, such as exploiting vulnerabilities or using social engineering.
Vulnerability exploits have recently become one of the biggest threats to the integrity of computer
systems. A software vulnerability is an unknown flaw in the design of applications which, if discovered,
can be exploited by a hacker in order to access the computer and carry out malicious actions. The
biggest danger of vulnerabilities lies in how they are discovered. Most vulnerabilities are discovered
by users that are not related in any way to the manufacturers of the affected application. In most
cases, these users inform the manufacturer, who then develops and releases patches to fix the
flaw. However, in the meantime, hackers work against the clock to develop viruses or attacks that
exploit these vulnerabilities.
Unfortunately, hackers usually win the race against time and get to users computers before the
patches do. This is due to a number of factors. New vulnerabilities that need urgent patching are
discovered every day and as network administrators need to dedicate more time to this tedious
task, the patches are applied either too late or not at all. Furthermore, even if they are installed,
many patches need to be configured and this couldnt be done properly. On the other hand, hackers
and virus writers are developing viruses that spread more rapidly. Finally, home users do not have
immediate access to security patches, thus they are more vulnerable and with potential knock-on
effects for companies whose workers connect to the corporate network from laptops or home PCs.
Another way in which hackers extend the impact of their attacks is what has been dubbed social
engineering. This technique involves getting the user to help spread the virus or its impact. An
example of social engineering is the mass-mailing of a message that pass itself off as a message
from financial entities like Barclays, Halifax, Nationwide, NatWest or Westpac in order to steal
confidential user information. This technique is known as phishing, and were done massively at the
end of 2003. Another example is the Gibe.C or W32/Swen worm, which reaches computers in an
e-mail message in HTML, which is a perfect imitation of a Microsoft web page in order to make
users believe that the attached file is a security patch. This worm tricks users into giving away
confidential information such as, e-mail addresses, passwords, etc.
The time it takes for exploits to be unleashed after vulnerabilities is dramatically reducing everyday.
On the other hand, the rate at which they spread is getting faster and hackers are using new
polymorphic and encryption techniques to prevent their worms from being detected. This is in
addition to the impact of new technologies like instant messaging, P2P (peer-to-peer), wireless
connections, etc., which are being widely used as new means of transmission.
Below are some examples of attacks that have caused the most damage worldwide over the last
few years. Each of these examples demonstrates a new development in the creativity of hackers
to find new attack strategies, but in all cases, the impact of these attacks is due to the fact that
they took users by surprise. New viruses usually cause the most damage in the first couple of weeks
after they have been released, as after a short while they can usually be detected and eliminated
by antivirus programs once signatures are available.
05
DESCRIPTION
ATTACK
Melissa
This was the forerunner to mass-mailing worms. This macro virus reaches
computers hidden in a Word document attached to an e-mail message with a
subject that entices the recipient into opening it. It spreads extremely rapidly,
as it automatically sends itself out to the first fifty contacts in the Outlook
Address Book.
Nimda
This worm was extremely contagious. Its danger lies in its capacity to spread
through different means: web pages, by exploiting a vulnerability in IIS to insert
a script; e-mail, by exploiting a vulnerability in Outlook to run when the message
is viewed in the Preview Pane; or Windows computer networks, by sharing
network drives and spreading across them.
Love Letter
This worm appeared in 2000, and set a precedent for other worms, like Sircam
by using social engineering techniques to spread. It uses a fake love letter as
bait and spreads via e-mail and IRC channels. It sends itself out by accessing
the Outlook Address Book, and deletes information from affected computers
and sends out confidential user information to the virus author.
Sircam
This worm reaches computers in an e-mail message that encourages the user
to open it. It automatically sends itself out to all the contacts in the address
book. This worm infects all the Windows NT workstations in a network, making
it particularly dangerous in corporate environments. Its main effects are: it
steals confidential user information, uses up the free space on the hard disk
and deletes the information stored on the hard disk.
Code Red
This Internet worm spreads across computer networks, and targets IIS servers
in particular by exploiting a buffer overflow vulnerability. It spreads rapidly to
other servers through port 80, slipping past network firewalls and IDS. It restarts
and crashes computers by flooding their memory.
Klez.I
This worm reaches computers in a file attached to an e-mail message that is
capable of automatically running when the message is viewed in the Preview
Pane by exploiting a vulnerability in Outlook. It uses camouflage techniques
and spreads automatically and rapidly to all the contacts in the Outlook Address
Book. It attacks user confidentiality by sending random data and files from the
affected computer to third-parties. It also deletes certain files from the computer
and drops the Elkern.C virus.
SQLSlammer
This worm exploits a buffer overflow vulnerability for which a patch was released
six months before this malicious code emerged. It is capable of attacking and
infecting Microsoft SQL servers, sending itself out, launching denial of service
(DoS) attacks on servers and collapsing networks due to the huge volume of
traffic it generates.
Bugbear.B
Autorooter
This dangerous mass-mailing worm is capable of automatically running when
the message is viewed in the Preview Pane by exploiting a vulnerability in
Outlook, and also spreads across net shares. It is designed to infect a large
number of files and open a port, allowing a hacker to gain remote access to
the resources on the affected computer. It contains a long list of domains, the
majority of which belonged to financial entities. If it detects an e-mail address
belonging to one of these domains it obtains the network dial-up connection
password and sends it out via e-mail. Finally, it captures the keystrokes entered
by the user of the affected computer in order to steal confidential data like
passwords, bank account numbers and credit card numbers. This worm is
difficult for antivirus programs to detect, as it uses polymorphic techniques.
This Trojan exploits a vulnerability in the Windows operating system in order
to open a port and log on with the same privileges as the user of the affected
computer. It also creates a backdoor, allowing hackers to gain remote control
and steal or destroy information.
06
DESCRIPTION
ATTACK
Blaster
This worm exploits a buffer overflow vulnerability to spread to as many
computers as possible. It launches denial of service (DoS) attacks by sending
a large number of data packets through TCP port 80. Blaster spreads by
attacking randomly-generated IP addresses and downloading a copy of itself
to the affected computer through its own TFTP server.
Mydoom.A
This worm spreads via e-mail in a message with variable characteristics and
through P2P file sharing online applications like KaZaA. It launches distributed
denial of service (DDoS) attacks, and opens a backdoor in affected computers,
allowing opportunistic hackers to gain remote access.
Doomjuice
This worm uses a new attack strategy, as it exploits computers infected
by Mydoom to carry out its actions.
Table 1. Some of the biggest threats to emerge over the last few years.
Attack strategies used by worms are becoming more sophisticated, as they can spread either using
social engineering techniques or without user intervention by exploiting vulnerabilities or sneaking
in through communication ports. These techniques allow to drop viruses in computers directly
through the Internet, launch denial of service attacks against servers and even open backdoors
into computers to allow hacker to gain remote access.
Many of these viruses are still infecting computers and causing damages to corporations, even
though the patches that fix the vulnerabilities that many of them exploit are available to be applied.
Impact On Companies
The graph below shows the consequences of computer attacks for the IT security managers of
large companies along 2002.
Figure 2. The IT security threats that caused the most problems for IT managers in 2002.
07
The actions of the Melissa virus caused companies like Microsoft, Intel or Lucent to block their
connections to the Internet. Nimda interrupted IT services to the New York Times and damage
reached the amount of 530 million dollars worldwide. Nimda attacked 86,000 computers, causing
huge problems in companies that, before this worm appeared, were thought to be well protected,
and even forced them to temporarily disconnect from the Internet. Love Letter caused financial
losses of 10,000 million euros around the globe, and Code Red affected 360,000 servers in less than
14 hours, resulting in losses valued at 2.62 billion dollars.
Even though SQLSlammer exploited a buffer overflow vulnerability for which a patch was released
six months before this malicious code emerged, in January 2003 this worm shut down Internet
service providers in South Korea, disrupted plane schedules and knocked out automatic teller
machines. It affected thousands of servers worldwide and caused losses of over 900 million dollars.
Slammer infected the monitoring system at Davis-Besse nuclear power plant in Ohio, leaving the
system that monitors the functioning of the plant out of action for five hours.
Sobig.F affected the US Department of Defense and caused a significant increase in the volume of
spam circulating around the globe. Blaster exploited a known Windows vulnerability for which a
patch had already been released and made available, but still spread like wildfire and infected
570,000 computers in just one week. This extremely dangerous virus even got into the US Federal
Reserve, interrupting the activity of many US companies, shutting down Internet services to 20,000
TeliaSonera clients in Sweden, and affecting companies like Boeing, BMW and several networks
in China. Mydoom reach record levels of transmission, infecting 500,000 computers around the
globe, thousands of which belonged to corporate networks. CNN puts the financial costs generated
by this worm, due to technical support costs, etc., at 250 million dollars, the same as Microsoft
and SCO offered as reward for information leading to the arrest and conviction of the individual
or individuals responsible for creating the Mydoom virus".
Figure 3. IT attacks in 2002.
08
Figure 4. IT attacks in 2003.
A report published by the Yankee Group concludes that four out of every five companies were hit
by a virus or worm in 2003. Similarly, according to the latest ICSA Virus Prevalence Survey, 28%
of large organizations with more than 500 PCs have been affected by some kind of computer virus
attack, resulting in significant damage and financial loss. Furthermore, the average cost of an
attack of this kind is 81,000 dollars. According to the 2003 CSI/FBI survey, 251 companies reported
losses of 202 million dollars as a result of IT attacks.
The objectives of hackers can range from notoriety or revenge to damage for damages sake, and
some even set themselves personal challenges by targeting a specific objective. All of this is done
by creating a mass-mailing worm, exploiting a vulnerability to reach a specific target or even using
a Trojan that silently damages the computer. Around mid-2003 attacks like Sobig introduced a new
objective of viruses: to transmit spam by setting up users computers around the world to act as
involuntary mail relay servers.
However, the direct or indirect target of any of these attacks can be your company. Even though
these kinds of attacks can have many different effects, as demonstrated in the graph below, they
always have economic consequences.
09
Figure 5. Effects of virus attacks in 2002.
What The Future Holds
Attacks created in the future are expected to continue looking for ways to exploit new vulnerabilities
in widely used software in order to spread far and wide. In fact, the use of this strategy has been
increasing for sometime now, as all too often, it has proved extremely effective. Similarly, the time
between the vulnerability being discovered and the exploit being unleashed is getting shorter. The
following graph shows the evolution of the number of incidents reported to CERT over the last
years.
Figure 6. Number of incidents reported to CERT.
10
Figure 7. Damage caused by viruses in 2002.
The most common attack is from worms, as shown in figure 8. Their capacity to spread rapidly
and carry Trojans make them an excellent means of launching and spreading massive attacks.
Additionally the most damaging threats that are going to be exploited are blended attacks, which
use different techniques (viruses, worms, Trojans, vulnerability exploits, etc.) combined in the same
attack.
Figure 8. Attacks that companies will have to deal with.
11
It is also worth highlighting the probable increase in the number of hacker attacks, who will be
given a helping hand from backdoor Trojans and hacking tools like those that have emerged over
the last few months.
As blended attacks against the most widely used systems and applications are increasing in both
number and sophistication and worms are spreading much faster than users can react, a good
method of preventing and detecting these attacks and a quick response to vulnerabilities are the
best forms of defense.
The Need For A New Generation Of Security
Solutions
Over the last few years, protection against Internet threats have been based on security systems
like firewalls, IDS (Intrusion Detection Systems) and antivirus software, and it has been almost enough.
Firewalls were first implemented to control inbound and outbound network traffic, and formed part
of the perimeter defense. Firewalls filters traffic according to a series of rules or policies, being
extremely effective against certain types of network attacks, as they inspect network protocols and
IP addresses, blocking traffic that does not meet certain predefined rules. In order to ensure that
the firewall is effective, its policies must be correctly configured and updated, which is not always
the case, causing the firewall is useless. Rules define what type of network attacks the firewall
must block.
However, hackers know how to slip past firewalls through attacks that use reliable protocols that
contain the real attack, whose target is located inside the corporate network. These new types of
attacks avoid firewalls by sneaking in through open ports, for example, and target internal components
of the network. What hackers actually does is attacking applications, by-passing network-level
controls.
Another usual security device is IDS (Intrusion Detection System). IDS is based on inspecting network
traffic or system logs for patterns that indicate some kind of intrusion. These systems work using
predefined types, which means that if an unknown intrusion attack is launched, they do not react.
When they detect an attack, they generate and save events and send warnings to administrators
so that they take the appropriate measures. By doing this, an IDS can detect intrusions and send
warnings, but it cannot block them. This type of system is only useful for preventing known attacks.
Anyway, its main disadvantage is that it returns a large number of false positives, resulting in
increased traffic, making it difficult to distinguish useful information from the useless and requiring
a lot of time.
Antivirus software has proved to be the most effective tool for preventing downtime and maintaining
productivity if a company is hit by any kind of virus attack. Antivirus programs scan attachments
and executable files, comparing them with known virus signatures, and are capable of eliminating
all traces of known viruses. Antivirus software has been improved with the incorporation of heuristic
techniques based on identifying certain static patterns that, although they do not necessarily match
those of known viruses, are common in known viruses. Antivirus programs are similar to IDS in
their reactive response to attacks, when an attack is first launched, there is not much they can
do.
12
Weaknesses
Functions
Antivirus
Antivirus programs scan
attachments and executable files,
comparing them with known virus
signatures.
Network
firewalls
Firewalls inspect network data
packets. They allow traffic through
or block it when it tries to enter a
network segment or system,
according to predefined rules.
IDS
Detect known intrusions when they
are taking place and warn the
administrator who will take the
appropriate action.
They are not effective at combating
Internet viruses and unknown viruses.
Firewalls offer minimum protection at
application level, as firewalls need ports
to be left open in order to communicate.
IDS informs that an intrusion attack has
taken place, but it does not block it or
prevent it from causing damage.
Table 2. Conventional security systems.
Taking into consideration the table above, and due to the consequences of attacks like Code Red,
SQLSlammer or Mydoom.A, it can be concluded that, even though large companies have made
important investments in security systems, corporate networks are still vulnerable to new attacks
that use combined attack techniques.
The reason for this is that traditional defense systems like firewalls, IDS or antivirus software are
not designed to combat unknown threats, as they are reactive. This does not mean that traditional
security systems are useless in fact, if used properly, they are extremely effective at protecting
against known attacks and viruses, but they do need to be complemented by new preventive
solutions developed specifically to combat these kind of threats.
13
Preventive Security
What Is Preventive Security?
Earlier it was explained how traditional security mechanisms need to be complemented with new
solutions to deal with unknown threats. The most interesting approach to this problem is the use
of what has become known as proactive or preventive security, a new technological philosophy
designed to complement current techniques which anticipates and blocks unknown attacks. These
new solutions can drastically reduce losses caused by hackers.
The basic premise of preventive security is the anticipation against all kinds of threats and security
risks. This philosophy centers not just on the detection of problems but also on their prevention,
heading off attacks before any damage is incurred. Achieving this is not trivial, but applying certain
advanced techniques can result in very interesting overall performance.
Figure 9. Proactive security philosophy.
A proactive and preventive security approach allows real time blocking of attacks, rather than just
detection, even if they have breached firewalls or IDS. In the event of new viruses or worms, this
preventive technology requires no prior specific knowledge of the code as it is based on the analysis
of certain parameters to detect and block without needing signatures. What makes preventive
security a complement to antivirus solutions is the ability to detect complex, newly created viruses,
without having previously identified them and even if they dont follow the pattern of other known
viruses.
Preventive Security
14
At the same time, the information obtained from the detection of new viruses can be very useful,
as it helps to reconfigure firewalls and IDS to improve their effectiveness. When it comes to really
revolutionary types of attack, preventive solutions are the ideal defense mechanism. The danger
of worms like Nimda lies in their ability to spread and infect. With behavioral analysis techniques,
it is possible to block an attack of this type, as it causes buffer overflows in applications and uses
e-mail to spread to other victims.
These new technologies are highly effective when implemented at network endpoints (servers and
desktops), which are so often the target of attacks either because they contain the assets that
are the real target of the attack or because they are the means by which the infection will spread.
If an attack can breach firewall control by using legitimate network protocol to enter, it will still
be detected in the host, by this low level scan.
Solutions of this type applied in network endpoints are known as HIPS (Host Intrusion Prevention
Systems) and may combine various techniques. The method which has so far proved to be most
effective is behavioral analysis at operating system level. This technique is based on monitoring
calls to the operating system kernel from the applications and processes running on a computer,
looking out for suspicious behavior that can correspond to an attack.
Preventive Security
15
Phases Of Total Protection
When a new vulnerability is discovered, two parallel processes are set in motion: the software
manufacturer develops a patch and viruses and attacks are created that try to exploit this vulnerability.
From the moment a vulnerability is discovered, users are at risk, as you they can never know what
kind of attack will be unleashed and how it will arrive.
By combining a preventive solution and antivirus protection, you can dramatically reduce this risk,
as you will be completely protected against worm attacks, for example.
Proactive analysis detects and blocks worms based on his behavior.
The antivirus eliminates the cause of the attack, once signature is available.
It blocks the entry point, fixing the vulnerability with the patch.
Figure 10. Phases of total protection.
Preventive protection is the most effective way of protecting computers from unknown attacks in
the short term. If a virus or worm attacks, it will be detected and blocked until the corresponding
signature is added to the antivirus and the malicious code is completely eliminated.
Preventive Security
16
The Panda Approach
For Panda Software, preventive security means a set of tools necessary for preventing attacks
before they are launched. For this reason, its new preventive security solutions use behavioral
analysis techniques, capable of detecting malicious activity before it damages computers.
As new threats are unknown for reactive security systems, they are extremely difficult to detect.
As it can be seen in the table below, the most damaging worms that have appeared recently exploit
vulnerabilities and use a combination of techniques to reach their objectives avoiding detection
systems.
Exploits
vulnerabilities
Nimda
Code
Red
Klez.I
Yes
Yes
Yes
Bugbear.B Autorooter
Yes
Yes
Blaster
Yes
Uses social
engineering
Yes
Uses e-mail
Yes
Modifies files
Yes
Opens
communication
ports
Opens
backdoors
Mydoom
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Table 3. Methods used by Internet threats
Pandas solution combines several technologies in order to get the best of breed approximation
to proactive security by analyzing every symptom that can be caused by an attack, and applying
different techniques appropriately in order to block only malicious activity.
In order to guarantee that effective protection is implemented across the corporate IT infrastructure,
it is essential to protect every network component, from workstations and database, application
and mail servers to network gateways, etc. Panda Software protects every layer of your corporate
infrastructure, safeguarding the information transmitted across your network, and the business
processes associated to your applications. Centralized management of all elements provides maximum
control of resources and corporate network security.
Preventive Security
17
TruPrevent Technologies
Panda Software has developed solutions based on TruPrevent Technologies, capable of protecting
the corporate environment in an effective way against new threats. They combine several technologies,
such as process behavioral analysis and event correlation, and they have been optimized by Panda
to minimize organizational impact of any external malicious exploit, going beyond simply unknown
viral attack detection, and without false positive generation.
Your systems will be effectively protected against threats such as new virus and Trojan, worm
pandemics, vulnerabilities exploits using buffer overflow flaws and network virus using packages
instead of files as propagation method. This type of attacks usually pass antivirus control, because
antivirus solutions are based on a reactive technology.
TruPrevent Corporate solution by Panda Software allows you to extend your current antivirus
protection with an additional layer of preventive protection, fully efficient on detection and
neutralization of unknown and new threats targeting your corporate network. If you have already
deployed an antivirus solution, which ever it is, you can install TruPrevent Corporate with no
hassle, because this solution is totally compatible, and unnoticeable to your system performance.
It is also a second opinion in your antivirus analysis, and a powerful way to insure a better protection
against unknown threats. Simply, it will detect attacks which evade traditional security products
like antiviruses.
BusinesSecure with TruPrevent Technologies and EnterpriSecure with TruPrevent
Technologies are the global security options presented by Panda Software to let you own
simultaneously and from a single point both technologies, antivirus and TruPrevent Technologies.
Management is accomplished from a single administration console, AdminSecure, in a truly centralized
and global manner.
TruPrevent Technologies protection is transparent to end-user. Your employees wont need
specific skills to use the product, because protection acts in background to reduce client perception
about it.
System administrators will manage these solutions in an easy and centralized way, accessing to
any incident-related information and having the option of delivering any suspicious process to
PandaLabs, Panda Software laboratories, in order to get a full certainty about the problem scope
and its solution.
Panda Software solutions include TruPrevent Technologies to keep your organization safe from
new threats, letting your employees grow while reducing unnecessary costs.
Preventive Security
18
A Practical Example
There are several parameters that can be used to demonstrate how much damage any of the
attacks described earlier can cause to a company. Below is an example of the implications of the
issues discussed in this white paper in a company with 500 employees.
Consider a company with 500 employees with an average annual salary of $20,000 and a
turnover of 100 million dollars at optimum levels of productivity.
As a rule of thumb, a company of this size will usually invest 5% of its annual turnover
in IT. The latest ISM survey shows that 5% of the IT budget is dedicated to security, and therefore
this company would assign a budget of $250,000 per year to security solutions. Imagine that this
company assigns $190,000 to implementing security solutions.
Imagine that the cost of implementing a preventive security solution is $90 per computer and the
company in this example has 580 computers, between workstations and servers, the total cost of
the preventive security solution would be $52,200.
To sum up, by spending 27% of the annual security budget on implementing a preventive
security solution like Pandas, this company would be protected against the types of
threats that, according to Yankee Group, affected 80% of companies in 2003 and which according
to several other studies, will increase in number and cause more damage over the next few years.
Due to the noticeable increase in the security incidents reported to CERT, it can be concluded that
over the next few years, most companies will probably be hit by at least one attack per year.
Furthermore, according to ICSA Labs, the average cost of a virus attack is $81,000, which means
that by preventing a single attack, it would return the investment made in this solution,
which would protect the network as soon as it was installed and would continue protecting it for
a lot longer than a year.
Preventive Security
19
Now Is The Time To Take Action
Large companies have already started taking action after an alarming increase in the number of
attacks and threats they face. Corporate investment in IT security system has increased this year
to 70,000 million dollars, and is expected to reach 116,000 million dollars in 2007 in order to stop
threats in their tracks.
Figure 11. Expected investment in IT security.
As figure 11 shows, 91% of companies will invest the same or more in security over the next few
years, whereas, 54% will increase investment in security over the next three years. The graphs
below give quantitative data.
Preventive Security
20
Figure 12. Growth in security investment
according to IDC.
Figure 13. Number of security products deployed.
The large majority of the 1,138 professionals consulted in Information Securitys 2003 Product
Survey said that they would deploy more IT security products in the next two years than they have
in the previous two years. According to this study, intrusion detection and prevention will become
the most important issue, with annual growth rates of over 40% between 2001 and 2005.
Panda TruPrevent Technologies allow you to focus on your business activity without needing
to worry about keeping up-to-date on the latest security issues, such as new hacking techniques,
software patches, etc. Similarly, it alleviates the burden of restoring networks after attacks by new
threats.
Preventive Security
21
Conclusions
Although they are effective against known network attacks, viruses and worms, traditional security
solutions cannot combat latest attacks specially created by hackers to penetrate corporate networks
and spread across the systems rapidly.
There is an evident need for a new generation of preventive security solutions, capable of detecting
and blocking new and unknown threats, which according to ICSA Labs costs companies an average
of 81,000 dollars per attack.
TruPrevent Technologies are a set of preventive security technologies included on Panda
Software's solutions that covers this need, protecting corporate networks from new and unknown
attacks, minimizing costs related to security issues, while safeguarding productivity and reputation.
About Panda Software
Panda Software (http://www.pandasoftware.com/), a world leader in virus and intrusion prevention, offers
unrivalled proactive security solutions for all types of users, from the largest corporations through small and
medium-sized companies to home users. Its corporate products offer hassle-free automatic and centralized
administration and provide network-wide protection, via multi-layer security technology, to ensure uniform
protection across the enterprise, from remote users and workstations to mail gateways and internal and perimeter
servers. Panda Softwares solutions have received awards and quality certifications from the sectors most
widely-respected organizations, including ICSA Labs and Checkmark and its commitment to customer service,
innovative products, and the pioneering concept of 24h-365d tech support have revolutionized the IT security
industry.
Conclusions
22
Appendix A. Panda Software Worldwide
Panda Headquarters Europe
Ronda de Poniente 19
Tres Cantos
28760 Madrid, Spain
Phone: +34 91 806 37 00
E-mail: [email protected]
Panda Headquarters USA
230 N. Maryland, Suite 303
P.0. Box 10578
Glendale, CA 91209, USA
E- mail: [email protected]
Panda Software Argentina
Calle Roque Saenz Peña 1160, piso9b
Buenos Aires
Phone: +00 5411 43823448
Panda Software Austria
Dr.-Detlev-Karsten-Rohwedder-Str. 19
47228 Duisburg
Phone: +49 20 65 9 87 654
Phone: +00 5411 43823448
Panda Software Belgium
Mechelsesteenweg 311
1800 Vilvoorde
Phone: +32 2 756 08 80
Panda Software Bolivia
Calle Miguel de Cervantes Nro. 2725,
Sopocachi, La Paz
Phone: +591 2 411823
Panda Software Brazil
Rua Dr Barcelar 173 Conjunto 114
Vila Clementino
04026-000 Sao Paulo SP
Phone: +55 61 5082 4414
Panda Software Bulgaria
126, Tzar Boriss III Blvd.
office 111
1612 Sofía-Bulgaria
Phone: +359 2 9556575
Panda Software Chile
Mosqueto 428, oficina 502
6500426, Santiago
Phone: +56 2 639 7541
Panda Software Colombia
Carrera 41 N.46-26 Itagui
Antioquia
Phone: + 57 4-3735588
Panda Software Denmark
Ny Vestergardsvej 15
DK 3500 Værløse
Phone: +45 44 355 375
Panda Software France
33 bis Boulevard Gambetta.
78300 Poissy
Phone: +33 1 30 06 15 15
Panda Software China
Room 501, No.20, 421 Siping Rd.,
Shangai 200020
Phone: +86 21 6351 9020
Panda Software Costa Rica
Calle 25, Ave 6 y 8 #648
San José
Phone: 00 506 258 0100
Panda Software Finland
P.O.BOX 636
33101 Tampere
Phone: +358 3 339 26 700
Panda Software Germany
Dr.-Detlev-Karsten-Rohwedder-Str. 19
47228 Duisburg
Phone: +49 20 65 9 87 654
Panda Software Greece
Botsari 12-14
18538 Pireaus
Phone: +30 210 4588 085
Panda Software Guatemala
Avenida Reforma 8-60 Zona 9
Edificio Galería Reforma, Torre 1 Oficina 1102
Ciudad de Guatemala
Phone: +502 385 6657
Panda Software Hungary
Szugló utca 54
1145 Budapest
Phone: +36 1 469 70 97
Panda Software Israel
43 Hamelacha street, New Industrial Zone
42504 Natanya
Phone: +972 9 - 8859611
Panda Software Italy
Viale E. Marelli 165
20099 Sesto S. Giovanni (Mi)
Phone: 02-24 20 22 08
Panda Software Japan
Nakameguro GT Tower 7F, 2-1-1 Kamimeguro,
Meguro-ku, Tokyo 153-0051
Phone: +81-3-6412-6020
Panda Software Latvia
Merkela Street 1
1050 Riga
Phone: +371 7211636
Panda Software Lithuania
emaites g. 21
LT-2009 Vilnius -Lithuania
Phone: +370 5 2397833
23
Panda Software Luxembourg
Mechelsesteenweg 311
1800 Vilvoorde
Phone: +32 2 756 08 80
Panda Software México
Tuxpan #39, Despacho 503
06760 México, D.F.
Phone: +52 5 2642127
Panda Software Netherlands
Fellenoord 23 Postbus 2020
5600 CA Eindhoven
Phone: +31 40 233-3501
Panda Software Norway
ViroSafe Norge AS
Midtbyen Park
Skolegt. 2
2315 Hamar
Phone: 00 47 62 53 96 80
Panda Software Paraguay
Eliseo Reclus 247 Calle Guido Spano,
República del Paraguay
Asunción
Phone: +00 595 21 607594
Panda Software Poland
Ul. Wiktorska 63
02-587 Warszawa Poland
Phone: +48 (22) 540 18 06
Panda Software Puerto Rico / Dominican
Rep.
Av. Luis Muñoz Rivera 1058, Suite 1
Pto. Nuevo
Puerto Rico, 00920
Phone: +1 787 296 1139
Panda Software Slovak Republic
Lublanska 1
83102 Bratislava
Phone: +421 2 444 55 702
Panda Software Spain
Ronda de Poniente 19
Tres Cantos
28760 Madrid
Phone: 902 365 505
Panda Software Switzerland
Route Champ-Colin, 10
1260 Nyon
Phone: +41 22 994 89 40
Panda Software Turkey
Darulaceze Cad
Karatas Sok. SNS Plaza Nº 6
80270 Okmeydani Istanbul
Phone: 90 212 222 1520/90 212 210 2200
Panda Software United Kingdom
5 Signet Court, Swanns Road
Cambridge CB5 8LA
Phone: +44 (0)870 444 5640
Panda Software Uruguay
Jose Enrique Godó 1955
11200 Montevideo
Phone: +5982 4020673
Panda Software Peru
Calle Lord Cochrane 521
Miraflores Lima 18 - Perú
Phone: 00 51 1 221 6001/ 221 0159
Panda Software Portugal
Quinta da francelha - Edificio Sagres, 7B
2685-338 Prior Velho
Phone: + 351 219426800
Panda Software Russia
Tveritina 38/3
Ekaterinburg, 620026 Russia
Phone: +7 3432 78-31-27
Panda Software Slovenia
Stari trg 5A,
SI-8210 Trebnje
Phone: +386 7 34 61 020
Panda Software Sweden
P. O. Box 26026
100 41 Stockholm
Phone: +46 8-545 25030
Panda Software Thailand
192 Soi Laprao 107
Bangkapi, Bangkok 10240
Phone: 00 662 7311480
Panda Software United Arab Emirates
Bldg-5 Office No. 5G-15
P O Box 41573 Hamriyah
Free Zone, Sharjah, United Arab Emirates
Phone: +971 (6-526.30.14)
Panda Software United States
230 N. Maryland, Suite 303
P.0. Box 10578
Glendale, CA 91209, USA
E- mail: [email protected]
Panda Software Venezuela
Av. Libertador, C.C. Libertador, PH-7
Caracas
Phone: +5821 276188 60
24
Appendix B. Glossary Of Terms
TecnologíaThese are programs that scan the memory,
Antivirus /
Antivirus Program
Backdoor Trojan
Boot virus
Browser
Buffer
Buffer overflow
disk drives and other parts of a computer for
viruses.
This is a program that enters the computer
and creates a backdoor through which it is
possible to control the affected system without
the user realizing.
A virus that specifically affects the boot sector
of both hard disks and floppy disks.
A browser is the program that lets users view
Internet pages. The most common browsers
are: Internet Explorer, Netscape Navigator,
Opera, etc.
This is an intermediary memory space used
to temporarily save information transferred
between two units or devices (or between
components in the same system).
This is a vulnerability that is frequently used
by hackers to attack a computer. It involves
using a certain part of the memory of the
computer to insert malicious code in order to
run it and cause damage.
DdoS
Distributed Denial of Service: This is a Denial
of Service (DoS) attack where multiple
computers attack a single server at the same
time.
Desktop /
Workstation
A computer used by the employees of a
company. It is usually a personal computer
connected to a network.
DoS / Denial
of Service
This is a type of attack, sometimes caused by
viruses, that prevents users from accessing
certain services ( in the operating system, web
servers etc.).
Estación
Máquina dedicada a servir de puesto de trabajo
de un usuario dentro de una empresa.
Normalmente es un ordenador personal
conectado en red.
Encryption
Exploit
Firewall
Gateway
This is a mechanism for protecting information
which involves varying the format of the data
according to certain criteria in order to prevent
unauthorized access
This can be a technique or a program that
takes advantage of a vulnerability or security
hole in a certain communication protocol,
operating system, or other IT utility or
application.
This is a barrier that can protect information
in a system or network when there is a
connection to another network, for example,
the Internet.
A computer that allows communication between
different types of platforms, networks,
computers or programs. To do this it translates
the various communication protocols that it
handles.
IIS (Internet
Information
Server)
This is a Microsoft server (Internet Information
Server), designed for publishing and maintaining
web pages and portals.
IP (Internet
Protocol)
/ TCP-IP
An IP address is a code that identifies each
computer. The TCP/IP protocol is the system,
used in the Internet, which interconnects
computers and prevents address conflicts.
Kernel
This is the central module of an operating
system.
LAN (Local
Area Network)
A network of interconnected computers in a
reasonably small geographical area (generally
in the same city or town or even building).
Log
Macro
Fragment of information that is registered
when an event occurs. Logs are usually
generated by detection systems so that they
can then be studied.
A macro is a series of instructions defined so
that a program, say Word, Excel, PowerPoint,
or Access, carries out certain operations. As
they are programs, they can be affected by
viruses. Viruses that use macros to infect are
known as macro viruses.
Macro virus
A virus that affects macros in Word documents,
Excel spreadsheets, PowerPoint presentations,
etc.
Malware
Programs, documents or messages liable to
have negative effects on IT systems. MALicious
softWARE.
Means of
infection
A fundamental characteristic of a virus. This
is the way in which a virus infects a computer.
Means of
transmission
A fundamental characteristic of a virus. This
is the way in which a virus spreads from one
computer to another.
P2P (Peer
to peer)
Polymorphic/
Polymorphism
A program -or network connection- used to
offer services via the Internet (usually file
sharing), which viruses and other types of
threats can use to spread. Some examples of
this type of program are KaZaA, Emule, eDonkey,
etc.
Technique used by viruses to encrypt their
signature in a different way every time and
even the instructions for carrying out the
encryption.
POP (Post
This is a protocol for receiving and sending
Office Protocol) e-mails.
Port /
Point through which a computer transfers
Communication information (inbound / outbound) via TCP/IP.
port
Proactivity
Capacity to forecast events, using any technique
to act in advance to deal with an expected
difficulty.
Script /
Script Virus
The term script refers to files or sections of
code written in programming languages like
Visual Basic Script (VBScript), JavaScript, etc.
Security patch
A set of additional files for original software,
tools or computer applications, which are used
to solve deficiencies, vulnerabilities or bugs.
This is like the virus passport number. A
sequence of characters (numbers, letters, etc.)
that identify the virus.
Hacker
Someone who accesses a computer illegally
or without authorization.
Signature
Hoax
This is not a virus, but a trick message warning
of a virus that doesnt actually exist.
Spam
Host
This refers to any computer that acts as a
source of information.
Unsolicited e-mail, normally containing
advertising. These messages, usually massmailings, can be highly annoying and waste
both time and resources.
25
Trojan /
Trojan horse
Virus
Vulnerability
Strictly speaking, a Trojan is not a virus,
although it is often thought of as such. Really
they are programs that enter computers
appearing to be harmless programs, install
themselves and carry out actions that affect
user confidentiality. Its name comes from the
famous wooden horse in which Greek soldiers
hid so that they could enter the city of Troy
undetected.
Windows
Registry
This is a file that stores all configuration and
installation information of programs installed,
including information about the Windows
operating system.
Worm
This is similar to a virus, but it differs in that
all it does is make copies of itself (or part of
itself).
Viruses are programs that can enter computers
or IT systems in a number of ways, causing
effects that range from simply annoying to
highly-destructive and irreparable.
Flaws or security holes in a program or IT
system, and often used by viruses as a means
of infection.
26
Appendix C. Abbreviations And Acronyms
CERT
Computer Emergency Response Time.
DoS
Denial of Service.
FBI
Federal Bureau of Investigation.
HIPS
Host Based Intrusion Prevention System.
IDS
Intrusion Detection System.
IT
Tecnologías de la información.
IIS
Internet Information Server. Microsoft
LAN
Local Area Network.
P2P
Peer To Peer.
OS
Operating System
SQL
Structured Query Language.
TFTP
Trivial File Transfer Protocol.
WLAN
Wireless Local Area Network.
Appendix C. Abbreviations And Acronyms
27
Appendix D. References
ICSA Labs 8th Annual Computer Virus Prevalence Survey 2002 - ICSA, 2003.
2002 ISM Survey. ISM, 2002.
2003 Global Security Survey. Deloitte Touche Tohmatsu, 2003.
2003 ISM Product Survey. ISM, 2003.
Intrusion Detection, Systems for Today and Tomorrow. SANS Institute, 2001.
Event Correlation Systems. SANS Institute, 2003.
Evolution of the Computer Virus. SANS Institute, 2002.
GIAC Security Essentials. SANS Institute, 2003.
The Security Revolution - CIO 2002.
The UCLA Internet Report. UCLA Center For Communications Policy, 2003.
Threats of the Future. RSA, 2003.
Viruses and Worms: What Can We Do About Them? CERT, 2003.
A Patch in Time Information Security, 2004.
Mydoom lesson: Take proactive steps to prevent DDoS attacks Computerworld, 2004.
Dawn of the Superworm PCWorld, 2003.
Security Threats Will Get More Serious PC World, 2003.
Virus costs keep rising VNUNET, 2003.
Emerging IT Security Threats Underscore Need for Vigilance. FRBC, 2003.
Appendix D. References
28

Preventive Protection for Large Companies

Transcription

Similar documents

Why Panda Security? “Its reliability, its simple and remote

LQHS BLAGKHAWK BRIGADE LQHS BLACKHAWK BRIGADE

kung fu panda 2 board game

The State of Security

Weslayan Plaza - Regency Centers

E. Guliyev, M. Kavatsyuk, P. J. J. Lemmens, H. Löhner, T. Poelmann

the panda express success story