Security BSides Las Vegas will be held on July 31st & August 1st, and so we continue our series highlighting some of the many interesting sessions that are scheduled for the conference.
We first covered a session about a free Windows web server tool called OMENS, followed by a review of Fun with WebSockets Using Socket Puppet and a session titled Matriux Leandros – An Open Source Penetration Testing and Forensic Distribution, which examines the first Debian-based security distribution for pentesting and forensic investigations.
This week we look at a session titled Vulnerabilities in Application whitelisting: Malware Case Studies by co-presenters Jared Sperli (@JaredSperli) and Joe Kovacic (@itSoSafe), which seeks to demonstrate how malware can accomplish negative outcomes by manipulating application certificates and using file system filter drivers to defeat Application whitelisting efforts.
Whitelisting, one of the newer breeds of antimalware strategies, is already falling prey to malware with features developed to impede this new technology’s adoption rate with techniques, like “causing unwanted behavior in the solution to directly altering the execution of the security solution to avoid detection while making it appear as though it is operating correctly,” according to Sperli and Kovacic, who will also discuss how to factor these kinds of vulnerabilities into your security decision making process.
Kovacic is the CEO and principal engineer for itSoftware, whcih specializes in Windows security solutions, and Sperli acts as COO and “principal chauffeur” for the company which the two co-founded.
Kovacic started his career as an IT Helpdesk Software Engineer and later applied his Windows expertise to software development at VMware, while Sperli is an Army military intelligence veteran with training in computer network operations.
Sperli said he and Kovacic chose the topic of whitelisting vulnerabilities because they were already interested in embedded security options for Windows devices, and malware had been winding up on more Windows embedded devices recently.
“While the market for enterprise computer protection is very crowded, the embedded device security market is bare,” Sperli said.
“What we saw were a few different application whitelisting products since blacklisting products would not work with most of the designed devices. We figured that there was malware already in existence that defeats these types of security as well since whitelisting has been around for a few years.”
Sperli and Kovacic designed the presentation to be of interest to a rather wide ranging audience – namely anyone who is responsible for securing Windows devices or computers.
“There are a few different technologies that try to stop malware on the Windows operating system,” Sperli explained. “Most people are familiar with antivirus and its shortcomings. The lesser known technologies include application whitelisting, behavioral based detection, and automatic execution detection.”
Sperli said about one-fourth of their talk will focus on advice for security professionals to help them secure their Windows machines, and they plan on providing more than a few lessons for the attendees to walk away with.
“One key lesson is to engage with your security vendors about the known weaknesses of their solution,” Sperli said. “Vendors need to be honest and should offer mitigation tips when discussing their solutions.”
Sperli emphasized that it is really important to dedicate a significant amount of time customizing your security environment to make it unique, and thus that much harder for an attacker to defeat.
“It is also important to understand the weaknesses of every security solution an enterprise purchases, because if you don’t have that information you won’t know where to focus your security review efforts,” Sperli said.
It is a given that malware writers will continue to try and defeat the latest security solutions, Sperli asserts, and there is just too much money and information at stake.
The question remains as to whether enterprises will continue making it easy for malware writers by simply maintaining the status quo, or if they will become more dynamic and adopt new technologies while working to close remaining vulnerabilities.
“I predict the organizations that experience a catastrophic event will embrace change,” Sperli said.
“But most will wait and hope a catastrophic event doesn’t occur.”
Title image courtesy of ShutterStock