Implementing Network Security Controls for CryptoLocker
What is CryptoLocker?
CryptoLocker is a Trojan horse in terms of mechanism and ransomware in terms of objective. Being
a Trojan horse, it arrives in disguised forms; once executed, it starts searching for and encrypting the
files present on your local hard disks, network shares or cloud storage. Your computer and software
keep on working, but your personal files, such as documents, spreadsheets and images, are encrypted.
Often, CryptoLocker arrives as a file with a double extension, such as .pdf.exe. Since Windows doesn't
display file extensions by default, such a file may look like a PDF file rather than an executable.
Targets of CryptoLocker
CryptoLocker targets files with the following extensions:
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk,
*.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd,
*.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2,
*.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f,
*.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c.
CryptoLocker then finds files that match one of these types and encrypts each file using the public
encryption key.
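The following is an added example, not part of the Cyberoam document: a defender-side inventory script that walks a folder or network share, counts the files whose types appear in the target list above, and flags files whose contents no longer match the format their extension claims (a document that has been encrypted in place loses its usual header bytes and becomes near-random). The extension subset, the magic-byte table, the 7.5 bits/byte entropy cut-off and the sample files are all the author's assumptions.

```python
"""Added example (not from the Cyberoam document): inventory the files on a
folder or share whose types appear in the document's target list, and flag
those whose contents no longer match the format their extension claims.

Assumptions (labelled): TARGET_EXTENSIONS is a subset of the document's list;
the magic-byte table and the entropy cut-off are the author's choices.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Subset of the extensions the document lists (lower-case, leading dot).
TARGET_EXTENSIONS = {
    ".odt", ".ods", ".odp", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
    ".pdf", ".jpg", ".jpe", ".psd", ".pst", ".mdb", ".accdb", ".dwg",
    ".pem", ".pfx", ".p12", ".cer", ".crt", ".der",
}

# Expected leading bytes per type (assumption: short table for illustration).
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0"
MAGIC = {
    ".pdf": (b"%PDF",),
    ".docx": (ZIP_MAGIC,), ".xlsx": (ZIP_MAGIC,), ".pptx": (ZIP_MAGIC,),
    ".odt": (ZIP_MAGIC,), ".ods": (ZIP_MAGIC,), ".odp": (ZIP_MAGIC,),
    ".doc": (OLE_MAGIC,), ".xls": (OLE_MAGIC,), ".ppt": (OLE_MAGIC,),
    ".jpg": (b"\xff\xd8\xff",), ".jpe": (b"\xff\xd8\xff",),
    ".psd": (b"8BPS",),
    ".pem": (b"-----BEGIN",),
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumption: ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample_size: int = 4096) -> bool:
    """True when the file has a known signature for its extension, the header
    does not carry it, and the first `sample_size` bytes look random."""
    expected = MAGIC.get(path.suffix.lower())
    if expected is None:
        return False  # no reference signature, so no verdict
    with path.open("rb") as fh:
        head = fh.read(sample_size)
    if any(head.startswith(m) for m in expected):
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def inventory(root) -> dict:
    """Walk `root`: count at-risk files per extension and collect the paths
    of files that look already encrypted in place."""
    per_ext = Counter()
    suspicious = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            ext = p.suffix.lower()
            if ext not in TARGET_EXTENSIONS:
                continue
            per_ext[ext] += 1
            try:
                if looks_encrypted(p):
                    suspicious.append(str(p))
            except OSError:
                pass  # locked or unreadable file: counted, not judged
    return {"per_extension": dict(per_ext), "suspicious": sorted(suspicious)}


def build_sample_tree(base: Path) -> None:
    """Write constructed sample files (not real documents) for a demo run."""
    (base / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"plain text body\n" * 50)
    (base / "budget.docx").write_bytes(ZIP_MAGIC + b"\x00" * 200)
    # Random bytes stand in for a document that was encrypted in place.
    (base / "quarterly.pdf").write_bytes(os.urandom(4096))
    (base / "readme.txt").write_bytes(b"not a targeted type")


def demo() -> dict:
    """Run the inventory over the constructed tree; report file names only."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        report = inventory(base)
        report["suspicious"] = [Path(p).name for p in report["suspicious"]]
        return report


if __name__ == "__main__":
    print(demo())
```

Running `inventory()` against a share root gives a quick picture of how much exposed data sits there; the entropy check is a heuristic and will miss already-compressed formats without a signature entry, so treat its hits as leads for investigation rather than proof of infection.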
History of CryptoLocker
CryptoLocker was first discovered in the fall of 2013 and targeted computers running Microsoft
Windows. It displayed all the characteristics of ransomware, i.e., the ability to target victims through
phishing and malicious email links, encryption of user files and a notification box demanding a ransom
for their return.
How it Works
CryptoLocker infects like ordinary malware, placing its files in Windows directories and creating registry
entries that allow it to restart when you reboot. It then tries to contact its command and control (C&C)
server. The malware uses a random domain name generation algorithm to find the current C&C
server. Some sample CryptoLocker domains might look like this:
- jkamevbxhupg.co.uk
- uvpevldfpfhoipn.info
Once CryptoLocker contacts its C&C, it generates a public/private cryptographic key pair for your specific
computer, using very strong and standard RSA and AES 2048-bit encryption. The private key is stored
only on the attacker's C&C servers, while the public key is saved in a registry entry on your computer.
CryptoLocker then uses that key pair to encrypt many different types of files on your computer.
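As an added example (not from the Cyberoam document), the detection side of the domain-generation behaviour described above: a script that reads resolver query logs and scores each registrable label on how machine-generated it looks, using the document's two sample domains as the positive cases. The log line format, the small public-suffix table, the four features and their thresholds are the author's assumptions; the scoring is a heuristic, not a CryptoLocker signature.

```python
"""Added example (not from the Cyberoam document): score DNS query names for
the machine-generated look of the document's sample C&C domains
(jkamevbxhupg.co.uk, uvpevldfpfhoipn.info) and flag them in resolver logs.

Assumptions (labelled): the log line format is constructed for this example
("<timestamp> <client-ip> <qname> <qtype>"); feature thresholds are the
author's and form a heuristic, not a CryptoLocker signature.
"""
import math
import re
from collections import Counter

# Two-label public suffixes to strip before scoring (assumption: small table;
# a real deployment would use the Public Suffix List).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "co.in", "com.au"}
VOWELS = set("aeiou")
FLAG_THRESHOLD = 0.75


def registrable_label(qname: str) -> str:
    """The label the registrant chose: 'jkamevbxhupg' for 'jkamevbxhupg.co.uk',
    'example' for 'www.example.com'."""
    parts = qname.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LABEL_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def char_entropy(s: str) -> float:
    """Shannon entropy of the characters in `s`, in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s: str) -> int:
    """Length of the longest run of consonants (y counted as a consonant)."""
    runs = re.findall(r"[b-df-hj-np-tv-z]+", s)
    return max((len(r) for r in runs), default=0)


def dga_score(label: str) -> float:
    """Fraction of four 'looks generated' features the label satisfies:
    long, high-entropy, vowel-poor, and containing a long consonant run."""
    letters = [ch for ch in label if ch.isalpha()]
    if not letters:
        return 0.0
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters)
    features = [
        len(label) >= 10,
        char_entropy(label) >= 3.2,
        vowel_ratio <= 0.3,
        longest_consonant_run(label) >= 4,
    ]
    return sum(features) / len(features)


LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def flag_queries(lines, threshold: float = FLAG_THRESHOLD):
    """Return (client, qname, score) for each query whose registrable label
    scores at or above `threshold`. Malformed lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        qname = m.group("qname")
        score = dga_score(registrable_label(qname))
        if score >= threshold:
            hits.append((m.group("client"), qname, score))
    return hits


# Constructed resolver log lines; the two odd names are the document's samples.
SAMPLE_LOG = """\
2015-06-30T10:15:01 10.1.2.34 www.microsoft.com A
2015-06-30T10:15:02 10.1.2.34 jkamevbxhupg.co.uk A
2015-06-30T10:15:03 10.1.2.57 stackoverflow.com A
2015-06-30T10:15:04 10.1.2.34 uvpevldfpfhoipn.info A
2015-06-30T10:15:05 10.1.2.99 mail.google.com A
this line is not a query record
""".splitlines()


if __name__ == "__main__":
    for client, qname, score in flag_queries(SAMPLE_LOG):
        print(f"{client} -> {qname} (score {score:.2f})")
```

The useful signal in practice is not a single hit but a client that resolves many high-scoring names in a short window, most of them NXDOMAIN, which is exactly what a host cycling through generated domains in search of its C&C server produces; grouping the hits by client address before alerting keeps odd but legitimate brand names from paging anyone.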
After encrypting your files, it displays the following screen:
The screen shows a warning message with the time left to decrypt your data and asks for money.
The payment mechanism promises a key, delivered on payment, which unlocks the encrypted files. For
those who refuse to pay before the timer expires, the corresponding private decryption key on the remote
server is claimed to be deleted, leaving a real risk of losing access to their files forever.
The malware also sends out system information and creates registry entries so that it starts again after
system reboots.
Modes of infection
Just like any other malware or Trojan attack, CryptoLocker has common modes of infection, some of
which include:
- Spam
- Emails
- Infected portable data transfer devices
- Clicking on an infected link
- An infected system in the network
How can Cyberoam protect you?
Cyberoam implements network-based controls which can impact malware such as CryptoLocker. While
Antivirus, Anti Spam and Web Filtering are important, the IPS engine also has the ability to block
malware command & control (C&C) communications.
The following control mechanisms should be applied in Cyberoam to protect your network from malware
such as CryptoLocker:
- Keep your operating system and software up to date with patches: This lessens the chance
of malware sneaking onto your computer unnoticed through security holes. The CryptoLocker
authors didn't need to use fancy intrusion techniques in their malware because they used other
malware that had already broken in to open the door for them.
Cyberoam issues maintenance releases regularly; these should be tested and installed as required.
You can find information about upgrading your Cyberoam appliance in Upgrade Firmware of
Cyberoam Appliance.
- Secure DNS settings: DNS settings play an important role in protecting your network from
malware. Consider the following points:
  - Reliable DNS settings: Ensure your appliance is configured with reliable, trusted DNS server
  settings. You can configure DNS settings in Cyberoam from Network > DNS > DNS.
  - Secure firewall rule: Malware often spreads by changing DNS settings on devices to redirect
  users to malware-serving sites. To prevent this, lock down DNS so that devices use only approved
  internal servers. The advantage of using an approved internal server is that only approved
  forwarders on the Internet are allowed to communicate with that internal server.
  To implement this, configure the Cyberoam appliance as the DNS server in the network settings
  of each PC/device; if you are using DHCP, the DHCP scope can be updated to distribute this
  setting to the PCs/devices.
- HTTPS inspection: Malware often uses encrypted sessions and encrypted websites; to provide
the fullest coverage, you need to perform both HTTP and HTTPS inspection.
To do this successfully you will need to distribute and install the self-signed certificate, or set the
appliance up as a trusted subordinate authority to your existing enterprise Certificate Authority.
Refer to the SSL CA Certificate Installation Guide for details.
- Antivirus/Anti Spam scanning: One of the ways malware enters the network is through
email. This makes it important to scan not only Internet traffic but also email communication
channels. Configure the following settings in your network:
  - Enable SMTP/SMTPS/POP3/IMAP/HTTP/HTTPS antivirus scanning in your network: You
  can enable SMTP/SMTPS/POP3/HTTP/HTTPS scanning in Cyberoam to scan Internet/web
  traffic, as shown in the following screenshot:
  - Secure SMTP email communication: You can define rules for SMTP/S scanning in Cyberoam
  from Antivirus > Email > SMTP/s Scanning Rules. For more details refer to Secure SMTP Email
  Configuration.
  - Configure SMTP blocking of compressed attachments and other harmful attachments:
  Data leakage through email is a serious threat to business operations, and Data Leakage Protection
  is a key necessity for any organization. As a solution, Cyberoam provides means to control the
  attachments in outgoing emails. Information on how to do this can be found in Blocking Email
  Attachments over SMTP.
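As an added example (not Cyberoam's code), the kind of check the attachment-blocking control above performs, and the one that catches the .pdf.exe disguise described at the start of the document: a mail-gateway style policy that flags executable attachments, double extensions that imitate a document type, and ZIP archives carrying executables. The extension lists and the sample message are the author's constructions.

```python
"""Added example (not Cyberoam's code): a mail-gateway style attachment
policy check. It flags executable attachments, double extensions such as
'.pdf.exe' (the disguise the document describes), and ZIP archives that
carry executables.

Assumptions (labelled): the extension lists are the author's; the message is
constructed inline and is not real mail.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute (assumption: illustrative, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi"}
# Document types a double extension typically imitates.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}
ARCHIVE_EXTS = {".zip"}  # assumption: only ZIP is opened here


def filename_findings(name: str) -> list:
    """Findings for one attachment name, based on its extension(s) only."""
    parts = name.lower().split(".")
    findings = []
    if len(parts) >= 2 and "." + parts[-1] in EXECUTABLE_EXTS:
        findings.append(f"executable attachment: {name}")
        if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
            findings.append(f"double extension disguised as {parts[-2]}: {name}")
    return findings


def archive_findings(name: str, data: bytes) -> list:
    """Open a ZIP in memory and apply the name check to every member."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                findings += [f"inside {name}: {f}" for f in filename_findings(member)]
    except zipfile.BadZipFile:
        findings.append(f"unreadable archive (corrupt or not a zip): {name}")
    return findings


def check_message(raw: bytes) -> list:
    """Return all findings for the attachments of one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        findings += filename_findings(name)
        if "." + name.lower().rsplit(".", 1)[-1] in ARCHIVE_EXTS:
            findings += archive_findings(name, data)
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a disguised executable, a ZIP holding a
    screensaver executable, and an ordinary PDF."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"MZ" + b"\x00" * 64, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.scr", b"MZ")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="statement.zip")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application",
                       subtype="pdf", filename="real.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in check_message(build_sample_message()):
        print(finding)
```

A gateway that quarantines on any finding from `check_message()` covers the disguised-executable case without relying on the user noticing a hidden extension; password-protected archives cannot be opened this way and are best treated as a finding in their own right.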
  - Configure Anti Spam with Spam, Possible Spam, Virus Outbreak and Probable Virus
  Outbreak content actions: You can configure these settings in Cyberoam by identifying the
  mentioned content in the mail and then deciding the action for such content. You can configure
  these settings from ANTI SPAM > Spam Rules as shown in the following screenshot:
- Enable IPS scanning:
In the case of CryptoLocker, the IPS engine can block the download of the encryption keys, which
means CryptoLocker is unable to encrypt the data on the endpoint.
To achieve this, appropriate IPS policies should be implemented in Cyberoam.
Internet traffic (including encrypted HTTPS traffic) which is not monitored by the IPS is a potential
exposure that can facilitate C&C communication.
Create an IPS policy which includes Malware Communication signatures and apply it to the relevant
firewall rule(s).
- Web/URL filtering:
To protect your network from malware, you should filter web/URL content as well. For web or URL
filtering settings, keep the following points in mind:
  - Enable pharming protection:
  This allows the appliance to protect users against pharming by re-resolving the domain name of
  the website using the DNS configured on the appliance.
  You can enable pharming protection in Cyberoam from Web Filter > Settings > Settings; refer to the
  screenshot below.
  - Filter websites that can cause security issues:
  To protect your network from malware like CryptoLocker, block the following categories for all users
  and firewall rules:
  Hacking: Sites that provide information about or promote illegal or questionable access to or use
  of computer or communication equipment, software, or databases.
  Illegal/Unethical: Websites that feature information, methods, or instructions on fraudulent actions
  or unlawful conduct (non-violent) such as scams, counterfeiting, child abuse, tax evasion, petty
  theft, blackmail, etc.
  Phishing and Fraud: Sites gathering personal information (such as name, address, credit card
  number, school, or personal schedules) that may be used for malicious intent.
  SPAM URL: This category includes URLs that arrive in unsolicited spam emails. Spam URL
  content ranges from product marketing to potentially offensive or fraudulent sites.
  IP Address: Sites accessed directly through an IP address; blocking this category stops users from
  reaching websites via IP address. This is not normal/expected user behaviour, since most people use
  domain names, which means such traffic is often not user-generated and frequently comes from
  malware-serving websites.
  Parked Domain: This category includes sites that once served content, but their domains have
  been sold and are no longer registered. Parked domains do not host their own unique content, but
  usually redirect users to a generic page that states the domain name is for sale, or to a generic
  search engine and portal page, some of which provide valid search engine results.
  Some of these orphaned domains may redirect users to malware-serving sites.
  Spyware: Sites or pages that download software without the user's knowledge.
  The resulting configuration is shown in the screenshot below:
In Cyberoam, you can configure the above settings from Web Filter. For more information about creating
the policy and applying it to a user or firewall rule, refer to the Configuring Web Filter Policy article.
- Application filtering:
Controls should be implemented to restrict undesired applications in the network. This will normally block
"Torrents" and applications that "tunnel other apps" and "can bypass firewall policy". It may also include
undesired "P2P" applications.
Failing to block tunneling applications and other applications that can be used to bypass firewall rules
leaves you open to communication channels that are beyond regular control mechanisms.
In Cyberoam you can configure these settings from Application Filter, by considering the Category,
Risk, Characteristics and Technology of individual applications.
For more information about blocking a particular application, refer to Block P2P Applications. Other
applications can be blocked in the same way.
The application filter configuration for blocking a particular application is shown in the screenshot
below:
- GEO blocking:
Another option for controlling inbound and outbound security issues is GEO blocking. In many situations
malware and attacks can be traced to specific countries, so blocking traffic from these countries can
be a precautionary measure to minimize the impact of malware.
If you are able to identify the countries or regions with a higher concentration of suspicious traffic, you
can choose to block them, and you can create specific bypass rules to minimize exposure.
In Cyberoam, you can implement GEO blocking by creating country-based firewall rules. By doing so
you can block or manage traffic to/from a particular country or group of countries.
To implement GEO blocking in Cyberoam, first create a Country Based Host from Objects > Hosts >
Country Hosts and then create a firewall rule for the country from Firewall > Rule > Rule. For more
details about GEO blocking, refer to the article Creating Country based Firewall Rules.
Conclusion
To summarize, CryptoLocker is aggressively spreading and has infected many victims. However,
Cyberoam can detect and block it using the various security services and control mechanisms mentioned
above. CryptoLocker can also spread internally through network shares, which network security
solutions can't prevent. Ultimately, your best defence is awareness and vigilance.
Document Version: 1.0 – 30 June, 2015