Monthly Archives: May 2016

Next generation endpoint protection for end-users

29 May 2016

Application virtualization is a great means to deal with malware. In particular ransomware cannot create massive damage if the malicious program is executed in an isolated virtual container which prevents any interaction with the computing environment.

Unfortunately, most vendors of next generation endpoint protection solutions are directed on the protection of large private businesses and administrative bodies. End-user protection is falling increasingly by the wayside. Consumers must rely on inherently weak anti-malware solutions.

By now some products are available which overcome of the most severe deficits of anti-malware solutions. They offer protection e.g. against drive-by downloads, zero-day malware or file-less malware, for private businesses, administrative bodies and end-users alike.

The winners and finalists of the 2015 Homeland Security Awards in subcategory Best Anti-Malware Platform are :

  • Blue Ridge Networks (Winner)
  • Cylance (Finalist)
  • Malwarebytes (Finalist)

The products of these companies are available for end-users. During the next weeks and posts I will discuss my experience with this products, with special regards to their ability to block zero-day malware and usability.

Today I will share my first experiences with Blue Ridge Networks ‘AppGuard Zero Day Malware Protection‘.

AppGuard is installed on top of an anti-malware solution, in my case Windows Defender. In the AppGuard users guide one reads:

‘Conventional “detect and respond” approaches available are not enough in today’s cyber world. AppGuard is a breach prevention defense that stops breaches at the earliest stages. AppGuard delivers a multi-layered defense, protecting the endpoint at multiple points, including launch control, run-time application control, and memory protection to prevent one application from reading or writing to the memory of another. AppGuard protects your computer against certain applications with the greatest risk of malware, such as Microsoft and Adobe products. AppGuard stops the cyber attacks that traditional security products often miss, even zero-day and fileless malware. AppGuard prevents suspicious applications from running and stops even allowed applications such as your browser from performing high-risk activities that might result in an infected computer.’

Great zero-day malware is available from Malwr.com. Let’s get to work.

I used the following sample (zero-day malware, delivered by Microsoft Word document in zip file) for my first test:

Timestamp MD5 File Name File Type Antivirus
May 24, 2016,
2:53 p.m.		 60a59b324f63621a1e2577e87db4439f Security Notification3.zip Zip archive data 5/57

Security Notification3.zip is delivered by email. The zip file contains a Word Document which loads a file called harakiri.pfx from the attacker’s command and control server and executes this file afterwards.

At May 24, 2016, 6:46 p.m. only 6 of 57 anti-malware solutions on VirusTotal identified the malware:

Antivirus Result Update
AVware LooksLike.Macro.Malware.b (v) 20160524
Arcabit HEUR.VBA.Trojan.e 20160524
McAfee W97M/Downloader.bdx 20160524
Qihoo-360 virus.office.obfuscated.1 20160524
Rising Trojan.Obfus/VBA@DT!1.A540 20160524
VIPRE LooksLike.Macro.Malware.b (v) 20160524

With this, Security Notification3.zip is a perfect zero-day malware sample.

After running a standard installation, I customized AppGuard slightly only. I set the protection level to “Locked Down”:

Blue Ridge Networks AppGuard Main Menu

Blue Ridge Networks AppGuard Main Menu

I downloaded the sample file to my test environment and opened the file in word. AppGuard made a great job. The AutoOpen macro downloaded Harakiri.exe to the local temp folder and AppGuard blocked the execution:

AppGuard blocked Execution Notification

AppGuard blocked Execution Notification

I checked some more samples and got the same results in any case: AppGuard blocks the execution of the downloaded files.

With this, AppGuard fully meets my expectations about zero-day malware delivered by Word-documents.

By now Security Notification3.zip is detected by 35 of 56 anti-malware solutions on VirusTotal.com, e.g. as Trojan:O97M/Madeba.A!det by Windows Defender or  as W2KM_DRIDEX.YYSVD by TrendMicro.

Have a good weekend.

US Congress blocks Yahoo Mail after wave of ransomware attacks

14 May 2016

On reading this post in HOTforSecurity I was reminded of a discussion we had during a strategy meeting last week.

Many companies and organizations allow their employees the use of web mailers for staying connected, and, to some extent, for doing private business. This makes sense because the use of company accounts for private purposes poses more risk to the company.

The use of web mailers becomes a problem as soon as company resources are used, i.e. attachments are downloaded to a computer on the organizations network and opened for further processing.

Under normal conditions, when the connection with the web mail provider is encrypted, the anti-malware solution on the web-proxy has trouble analyzing the attachments in the data stream. Technical solutions for breaking up SSL secured communication are available, however they are not widely used, or just too expensive, or cannot be enforced due to legal or privacy constraints.

With this, the endpoint protection solution must solely deal with the malicious attachment. And this is not very effective, in particular in the case of zero-day malware.

But the main problem are the web mail providers themselves. Every day millions of emails with malicious attachments are routed by few mail providers through the internet. With an improved examination during posting and forwarding the email providers should be able to reduce the number of emails with malicious attachments dramatically. This will lead to massive increase in overall cyber security, to savings in the costs for the defense of cyber-crime and in the costs for the recovery from cyber-attacks.

Denise E. Zheng writes in the CSIS publication ‘Disrupting the Cyber Status Quo’:

Much can be done by the handful of companies that provide the majority of products and services that comprise the Internet and computer-operating systems, through more focused nudging and guidance from government.

and

Law and policymakers have shied away from tackling the root causes and key enablers of cyber crime and conflict.

Have a good weekend, and enjoy Denise’s report.

Patient privacy: Can past lessons prevent future failures?

7 May 2016

Niam Yaraghi’s post ‘Patient privacy: Can past lessons prevent future failures?’, published May 5, 2016 on Brookings Techtank Blog, is absolutely worth reading. The post is a summary of the research report ‘Hackers, phishers, and disappearing thumb drives: Lessons learned from major health care data breaches’. In this report Niam Yaraghi provides a superb root cause analysis of the data breaches in the U.S. health care industry of the last years, and some recommendations for getting a grip on the problem.

A big issue comes from HIPAA itself. HIPAA came into force in 1996. With that, it falls short of addressing modern cyber security challenges. The statements of a CIO on page 18 of the report make this impressively clear:

“HIPAA reflects how nerds thought about security 20 years ago.”

“HIPAA is in complete disconnect with the realities of today’s digital technology and we cannot expect a national standard to be agile enough and be in pace with cyber technology. For example, HIPAA has nothing about malware and ransomware, intrusion detection, specific cyber incident responses, or multifactor authentications.”

It is the same old story with standards. Without regular review and adaptation, the effectiveness of standards decreases dramatically. For that reason, ISO 27001 demands the implementation of a risk management process according to ISO 27005. This ensures that changes in external conditions, e.g. new cyber security challenges, are considered during risk assessment even if internal conditions have not changed.

The report lays out some recommendations on how to mitigate the problem.

  • The health care sector should embrace cyber insurance

This is a really interesting idea. A cyber insurance has the potential to become a game-changer because organizations will have a direct economic incentive to cut insurance costs.

  • OCR should establish a universal HIPAA certification system

To me, this sounds like reinventing the wheel. HIPAA should be developed further to meet today’s cyber security challenges. But this must not inevitably lead to a new umbrella standard.

I would propose to develop a smart HIPAA standard on top of a ISO 27001 ISMS. This has the big advantage that it can be quickly adapted to meet new cybersecurity challenges. In addition, health care businesses can start immediately managing risks by implementing an ISMS due to ISO 27001.

Have a good weekend.