賽門鐵克全球網路安全威脅研究報告icstwebstorage.blob.core.windows.net... · advanced...

賽門鐵克全球網路安全威脅研究報告

第18期

台灣賽門鐵克資深技術顧問張士龍

2012年網路安全威脅現象 I

小型企業成為駭客攻擊的新目標

• 針對性攻擊事件數量激增四成以上(42%)

• 三分之一(31%)的針對性攻擊是瞄準250名員工以下的企業

• 少於250人的小型企業遭受針對式攻擊的比例，從2011年的18%成長到2012年的31%

Presentation Identifier Goes Here 2

2012年網路安全威脅現象 II

駭客集團環伺周圍

• Elderwood是近三年來的新興網路組織，而有些駭客集團

攻擊目的不僅僅著眼於商業利益

• 攻擊目標愈見精準、攻擊手法益發精密

• 新興的水坑攻擊(watering hole)，能在短時間內造成大規模損害


2012年網路安全威脅現象 III

行動裝置最大的威脅並非漏洞，而是惡意程式

• 行動惡意程式數量激增58%

• 惡意程式家族數量和變種惡意程式比例從1:5增加到1:38，呈現戲劇性成長

• 行動裝置作業系統漏洞激增，自2011年315個，成長到去年415個漏洞，成長幅度超過三成(31%)。儘管目前看來漏洞數

量與惡意程式無關，但難保未來不被利用

• 五成以上的手機惡意軟體的設計目的是竊取資訊及追蹤使用

者動態，而他們最終極的目的是獲利


2012年網路安全威脅現象 III


2012年網路安全威脅現象 IV

蘋果電腦不再安全

• Mac惡意程式數量自2011年6個家族成長至2012年10個家族，增幅高達66%

• 在Mac上發現的威脅中，僅有2.5%是專為Mac而寫的惡意程式；然而，一個威脅卻能感染高達60萬台蘋果電腦！


報告重點

• 針對式攻擊

• 漏洞攻擊

• 行動惡意程式

• Mac安全威脅

Internet Security Threat Report 2013 :: Volume 18 7

針對式攻擊

Internet Security Threat Report 2013 :: Volume 18 8 8

Internet Security Threat Report 2013 :: Volume 18

2012年針對式攻擊次數

增加 42%

9

小型企業成為駭客攻擊的新目標


50%

9%

2% 3%

5%

31% 18% in 2011

2,501人以上的企業 2,501人以下的企業

1,501~2,500

1,001~1,500

501~1,000

251~500

1~250

製造業躍升為針對式攻擊目標首位

Internet Security Threat Report 18 12

24%

19%

17%

8%

10%

2%

2% 2%

1%

3%

針對性攻擊職務類別分佈變化

Presentation Identifier Goes Here 13 13


感染網站並等待使用者上鉤

水坑式攻擊

寄電子郵件給目標攻擊對象

魚叉式網路釣魚

攻擊手法愈見精準、受害規模愈來愈大

什麼是水坑式攻擊？


1. 攻擊者會分析被害者平時喜歡瀏覽網站

2. 攻擊者開始測試網站所存在的漏洞

3. 攻擊者入侵網站伺服器後，駭客透過Inject JavaScript 或 HTML ，以重導式攻擊讓受害者執行惡意程式碼

4. 已經被入侵的網站伺服器現在正等待零時差攻擊讓受害者上鉤

1個水坑式攻擊

可在24小時內


水坑式攻擊能在短時間內造成大規模損害

感染500家企業

水坑式攻擊案例

• 2013年，水坑式攻擊將會被廣泛使用

• 今年二月份，數個知名企業淪為水坑式攻擊的受害者


水坑式攻擊鎖定iOS開發者



.jar file

CVE-2013-1493

Svchost

.jpg

appmgmt.dll

Request Web Page 1

2

Request svchost.jpg 3

Svchost.jpg 4

5

Contact C&C server 6

C&C Server 110.173.55.187

“Water Hold” Compromised Web Server

水坑式攻擊案例 – 結合 Java 零時差漏洞

2


漏洞攻擊

總數量

Stuxnet

Elderwood

2006

14

2007 2008 2009 2010 2011 2012 0

2

4

6

8

10

12

14

16

13

15

9

12

14

8

4

2

3 4


• 單一群組能顯著影響年度漏洞數量

• Elderwood 為零時差漏洞數量成長的主要原因

零時差漏洞攻擊


漏洞數量未有顯著變化

網頁式攻擊成長30%


許多網站會對使用者造成損害


53% 的合法網站有未修補的漏洞

24% 的網站有重大未修補的漏洞

61% 的惡意網站為合法網站

25

1個惡意威脅感染超過 100萬網站！偽裝成防毒軟體

下次你遇上的，

可能就是勒索軟體！

Liza

許多網站會對使用者造成損害


26 Internet Security Threat Report 2013 :: Volume 18

不付錢就撕票


勒索軟體持續橫行


電腦重要檔案被惡意加鎖


勒索軟體 (Ransomware)


16 組罪犯集團參與此網路犯罪

去年受害者被敲詐的金額總計約為

1億5,000萬台幣

一個威脅在18天的周期內產生的平均攻擊次數為

500,000次


行動惡意程式

Android 惡意程式成長概況

32

5,000

4,500

4,000

3,500

3,000

2,500

2,000

1,500

1,000

500

0

Cumulative Android Families 2011-2012

Cumulative Android Variants 2011-2012


惡意程式家族數量和變種惡意程式比例從1:5增加到1:38

漏洞多寡與行動惡意程式數量無關

儘管行動作業系統的漏洞的數量與惡意程式數量沒有明顯的關係，但這樣的狀況在未來可能會改變


作業系統漏洞數量

Apple iOS 387

Android 13

Blackberry 13

Windows Mobile

2

裝置類型惡意程式數量

Apple iOS 1

Android 103

Symbian 3

Windows 1

行動惡意程式的設計目的


竊取資訊

傳統威脅

追蹤使用者

傳送訊息

惡意廣告

更改裝置設定


竊取資訊的惡意程式

以Android.Sumzand為例…

1. 使用者收到內含應用程式下載的電子郵件

2. 竊取聯絡人資訊

3. 寄送推銷應用程式下載的電子郵件寄給所有聯絡人

35

假冒防毒軟體



Mac安全威脅

40

Mac惡意程式家族數量激增


以惡意程式數量來看，使用Mac似乎比較安全….


Only 2.5% of threats found on

Macs are Mac malware


But in 2012

1 Mac Threat infected 600,000

Machines.

相較PC惡意程式，針對Mac的惡意程式破壞力更強！

Internet Security Threat Report 17 44

企業防護之道

Symantec Defenses

Advanced Persistent Threats: Cutting Through the Hype 45

Detect, Prevent, Monitor and Analyze

Protect endpoints from malware and data loss. Provide strong authentication to ensure the user and devices are trusted.

Protect critical servers and systems with sensitive data.

Provide global and local threat intelligence and correlation through threat monitoring

and reporting services

Stop inbound malware attacks, outbound callbacks, and data loss at the gateway.

• Manage Security Services (MSS)

• Symantec Security Assessment Services

• DeepSight Intelligent Services

• Managed PKI

• VIP Authentication Service

• Skeptic

• Attachement Filtering

• Endpoint Protection

• Network Access Control

• VIP Client

• Mobile Management

• Endpoint Protection Mobile Edition

• DLP for Tablet

• Critical System Protection


• Control Compliance Suite

• DLP Protection

• File/Email Encryption

• Altiris Management Suite

• Security Information Manager

• Mail Security for Exchange/Domino

• Two-factor Authentication

• Protection Center


• DLP Endpoint Prevention

• Endpoint Encryption

• Control Compliance Suite

• Altiris Management Suite

惡意程式防護

Internet Security Threat Report, Vol. 17

• Use more than just AV – use full functionality of endpoint protection including heuristics, reputation-based, behavior-based and other technologies

• Restrict removable devices and turn off auto-run to prevent malware infection Layered Endpoint Protection

• Ensure employees become the first line of defense against socially engineered attacks, such as phishing, spear phishing, and other types of attacks Security Awareness Training

• Detect and block new and unknown threats based on global reputation and ranking Advanced Reputation Security

• Monitor globally for network intrusions, propagation attempts and other suspicious traffic patterns, including using reputation-based technologies

• Network protection is more than just blacklisting Layered Network Protection

46

目標式攻擊防護


• Detect and block new and unknown threats based on global reputation and ranking

• Use true host-based intrusion detection and prevention technologies to set strong permissions around applications, servers and clusters, according to sensitivity of information processed

• Restrict removable devices and functions to prevent malware infection

Advanced Reputation Security

Employ Offensive Protection Strategies

Removable Media Device Control

• Scan and monitor inbound/outbound email and web traffic and block accordingly

• Discover data spills of confidential information that are targeted by attackers • Detect and prevent exfiltration of confidential information that are targeted by

attackers

• Create and enforce security policies so all confidential information is encrypted

Email & Web Gateway Filtering

Data Loss Prevention

Encryption

• Monitor globally for network intrusions, propagation attempts and other suspicious traffic patterns, including using reputation-based technologies

Network Threat and Vulnerability Monitoring

47

資料外洩防護


• Determine what sensitive information exists in your organization • Categorize it appropriately and protect it according to its classification level

• Detect and prevent exfiltration of sensitive information that is targeted by attackers

• Enforce rules prohibiting access of confidential data using applications

• Locks down key systems that contain confidential information • Prevents any unauthorized code to run — independent of AV signatures

Data Classification

Data Loss Prevention

Host-based Intrusion Detection and Prevention

• Scan and monitor inbound/outbound email and web traffic and block accordingly

• Create and enforce security policy so all confidential information is encrypted

Email & Web Gateway Filtering

Encryption

• Use two-factor authentication to protect against credential theft Strong Authentication

48

行動裝置威脅防護


• Remotely wipe devices in case of theft or loss • Update devices with applications as needed without physical access • Get visibility and control of devices, users and applications

Device Management

• Guard mobile device against malware and spam • Prevent the device from becoming a vulnerability • Enforce compliance across organization, including security standards &

passwords

Device Security

• Identify confidential data on mobile devices and use technologies to prevent future exposure

• Protect data from moving between applications • Encrypt mobile devices to prevent lost devices from turning into lost

confidential data

Content Security

• Provide strong authentication and authorization for access to enterprise applications and resources

• Ensure safe access to enterprise resources from right devices with right postures

Identity and Access

49

企業安全防護建議

• 採用縱深防禦策略，加強重重防禦關卡，以形成一個可互補的防禦系統，避免因任何單一環節出現安全問題。

• 網路端：加強網頁安全與流量檢測分析。

• 伺服器端：異常行為分析能力

• 端點部份：自動化端點防護機制（標準化檢測）

• 加強用戶端的管理, 以及使用者的安全教育。

Internet Security Threat Report, Vol. 17 50

Thank you!

Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Thank you!


賽門鐵克全球網路安全威脅研究報告icstwebstorage.blob.core.windows.net... · advanced...

Documents