Aug 14 2009 12:48PM GMT
Posted by: Troy Tate
malware,
bootkit,
rootkit,
antivirus,
threats,
vulnerabilities,
research,
blackhat,
hacker,
least user authority,
least user privilege
If you have not been nervous before about someone infecting computers without your knowledge then you should be much more nervous after reading this article.
In 1987 the Stoned boot sector virus came out and was one of the most prevalent viruses of the early personal computer era. As with most malware concepts, this old threat has been made new again.
An 18-year old security specialist gave a presentation on a bootkit/rootkit (STONED) at the annual Blackhat security conference. This bootkit is not your typical bootkit in that it can bypass disk encryption and load itself into memory before the disk encryption software is activated. The demonstration showed the bootkit loading before disk encryption is activated. Once the malware is loaded from the master boot record (MBR), it is then in memory and can download other malware such as trojans to capture banking credentials.
The bootkit software can be installed either by having physical access to the device or by a user with administrative credentials (this makes a good case for the “least user authority” (LUA) principle). Once the malware is installed and activated it is very difficult to detect. According to one article:
Once installed, Stoned cannot be detected with traditional anti-virus software because no modifications of Windows components take place in memory, says Kleissner. Stoned runs in parallel with the actual Windows kernel. Even an anti-virus function in the BIOS can’t stop the bootkit, as modern Windows versions modify the MBR without referring to the BIOS.
Our challenge as infosec professionals is laid out before us. How we deal with threats like these and protect our users and organizations becomes more difficult all of the time. We have to stay on top of our game because the rules and game conditions are always changing.
Thanks for reading & let’s continue to be good network citizens.
May 7 2009 7:33PM GMT
Posted by: Troy Tate
Midmarket security,
Unified Threat Management,
Defense in Depth,
Single Point of Failure,
UTM,
Security,
information security,
information security management,
threats,
vulnerabilities,
exploits
An ITKE poster recently asked a great question.
Experts tout unified threat management appliances as an ideal antimalware, intrusion prevention and content filtering firewall for midmarket companies. But doesn’t this counter the long-standing security practice of defense-in-depth? With a one vendor, platform, and management console, aren’t we talking about a dangerous single point of failure?
When is UTM good enough? When should we go with standalone devices?
Here’s the answer that I offered:
Actually it is defense in depth even though they are all contained on one appliance or device. Think about the layers in a bullet proof vest. They each work in tandem to prevent damage to the person wearing it. However just one type of layer by itself would likely not be enough protection against certain firearms.
Granted it is a single point of failure, but the ability to manage an entire suite of services from one console is attractive to many smaller organizations that may not be able to provide the care and feeding of single purpose devices. The ability of a vendor to patch the entire product suite against vulnerabilities is another good reason to go to a UTM device. If using multiple devices from different vendors, then the vulnerability exposure could potentially be greater if one vendor addresses a vulnerability in their appliance/service but another does not.
I would go to standalone devices if the potential threat to my organization could create capacity/performance issues on the UTM device.
How do you think about the UTM vs defense in depth issue? Do you agree with the answer I offered? What do you think?
Thanks for reading and let’s continue to be good network citizens.
