James, I agree on the application whitelisting front. But it's a lot of work and it's still based on trust. (If you trust something bad, then you have still let the determined attacker in the door.) But the caveat is, if you control the code execution on your endpoints, then you change the game in your favor.

Other aspects to think of: Will application whitelisting work for mobile devices (iPhone, Android, tablets), all of which can act like storage devices in a way?

Questions to be answered: Which devices do you allow to be attached to your systems to transfer data? (Policies, procedures, enforcement with technical controls and auditing, and follow-up with administrative controls for compliance?) Do we allow the Apple devices but not the Android, or do we allow just IronKey devices, and who should have them and what data should they be able to take (DLP/DRM etc.)?

And we all should know by now that AV is next to worthless against current malware trends, so why do the compliance regulations still require this (PCI-DSS especially)?

Working on app whitelisting right now; it's been interesting and complex at the time, but in the end I feel it will be worth it.

Z

Edward E. Ziots, CISSP, CISA, Security +, Network +
Security Engineer
Lifespan Organization
[email protected]
Work: 401-444-9081

This electronic message and any attachments may be privileged and confidential and protected from disclosure. If you are reading this message, but are not the intended recipient, nor an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that you are strictly prohibited from copying, printing, forwarding or otherwise disseminating this communication. If you have received this communication in error, please immediately notify the sender by replying to the message. Then, delete the message from your computer. Thank you.

From: James Rankin [mailto:[email protected]]
Sent: Tuesday, April 16, 2013 10:21 AM
To: NT System Admin Issues
Subject: Re: Dropsmack Malware C&C via Dropbox

Way to beat that nasty...whitelisting. I guess that vector would work for a lot of these synchronization clients, so I guess good whitelisting is the only way.

Luckily, as I've started using AppSense DataNow instead of Dropbox for mine, I get AppSense Application Manager along with it, which is probably the best whitelisting product I've seen.

Very interesting read though; it just shows that traditional AV can't really fend off a determined hacker.

Cheers,

JR

On 16 April 2013 15:07, Ziots, Edward <[email protected]> wrote:

Here is the slide deck on this:
https://media.blackhat.com/eu-13/briefings/Williams/bh-eu-13-dropsmack-jwilliams-slides.pdf

Good reading, scary thought, but a lot are using Dropbox and not thinking about the consequences....
http://www.techrepublic.com/blog/security/dropsmack-using-dropbox-to-steal-files-and-deliver-malware/9332?tag=nl.e036&s_cid=e036&ttag=e036

Food for thought, especially from a regulatory compliance standpoint.

Z

Edward E. Ziots, CISSP, CISA, Security +, Network +
Security Engineer
Lifespan Organization
[email protected]
Work: 401-444-9081

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin

--
James Rankin
Technical Consultant (ACA, CCA, MCTS)
http://appsensebigot.blogspot.co.uk
