McCloud
Malware issues (00:24)
Historical malware examples (00:24)
So I think a lot of you are here, undoubtedly, because you've been hearing about
everything that's been going on with malware. We, every week practically, hear
something in the news about somebody who was attacked, somebody who's lost
money, somebody whose reputation has been compromised, and some very
sophisticated piece of malware is behind it. I'd like to review some of the most
recent high-level events that we've seen in these terms.
So if we go back a couple of years, not even that far back, you probably
remember one of the most significant attacks involving malware in probably
recent history. This is incredibly sophisticated. This happened in Iran to their
Natanz Nuclear Processing Facility where they take, you know, low-grade
uranium fuel, enrich it into high-grade, and they were attacked by a virus, which
came to be known as Stuxnet. This was something that was developed by the
U.S. government and Israel, as it was later attributed, but they've never formally
admitted to it, but all the evidence seems to point in that direction. And this was
extremely sophisticated, because this malware was customized for that specific
environment in the nuclear processing facility in Iran, and how they got it into that
environment certainly required more than just computer hacking. It required a lot
of human intelligence, perhaps compromising people, espionage agents, and
malware was just one part of it that was ultimately used to destroy some of the
centrifuges there.
If we fast-forward a little bit, look at more of a corporate example, the offices of
RSA, a security company, were compromised not too long ago. A lot of you may
know RSA. They're a company that develops various security products, one of
them being these one-time secure password tokens. So if you use it-- if you have
a bank where you have to enter a one-time PIN before you log in, that all comes
from RSA, and one of the things that happened to RSA is, one of their
employees received an email with an Excel document attached to it, and that
Excel document had a piece of malware attached to it. The malware infected the
computer, spread into the network, and eventually compromised the proprietary
algorithm that RSA uses for these one-time PIN generations. Now, the
consequences of this attack are pretty far-reaching, and we don't know
everything that may have come out of it. One thing that is thought is that the
compromise of these PINs allowed people to get into Lockheed Martin's
infrastructure and steal blueprints for some military projects. So the
consequences here can be incredibly serious.
2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public
Page 1 of 15
Subcategories (07:20)
Malware is a general, broad term, but if we look more specifically, there are
terms within that describe particular behavior of malware. Here you have a list of
general types of malware. So viruses, viruses are malware that attach
themselves to other things. So it may attach itself to a spreadsheet or to an
application and uses that as a vehicle to infect a system.
A worm is a type of malware that is capable of doing the infection and the
spreading all on its own, so it is a self-sustaining program that's written to get into
a system and propagate itself.
Trojan horse is a type of malware that usually masquerades as something else.
So somebody may try to convince you that your system has a virus on it, and in
order to inoculate yourself, you need to download a software package, when it
turns out that, in fact, that software that you downloaded to get rid of the virus
actually contains malware. And this is something we see a lot about out there,
Players/purpose/goal (09:25)
What is the goal behind this malware? And that very much depends on who's
using it. In the past, I think we would largely think of malware in terms of some
hacker or super intelligent person who's written this software to go out there and
crack into super secret sites. Certainly that still goes on out there, but malware, in
many ways, is increasingly a means to an end. When we talk about the Stuxnet
example, that was very sophisticated, advanced malware pre-created by a well-funded government, the United States and the Israeli government. What was
their purpose? Was their purpose just to hack in to the Iran facilities and see
what was going on? Or did they have a more strategic aim, to prevent, perhaps,
Iran from getting nuclear weapons?
So malware, in that case, was a means to an end, and governments see this as
a form of warfare. In fact, they describe it as the fifth dimension of warfare. You
have land, sea, air, space, and now cyberspace, the cyber dimension. Organized
crime is getting very big behind malware. When it comes to organized crime, you
know, generally, they don't care how they make money. They just care that they
do make money. So organized crime will get into drugs, human trafficking,
prostitution, arms distribution, all of these things. Well, if there's money to be
made someplace, they will go into that as well, and increasingly, organized crime
is involved in malware activities. And they've got a range of very sophisticated
businesses around this.
One, for example, is that if you have a piece of malware that you've written, but
you, perhaps, don't have the wherewithal to get it distributed-- you want
somebody else who has a network or who has ideas on how to distribute it to do
it for you-- you can approach certain companies which will take your malware,
and for a fee, for every, you know, X number of workstations it gets installed on,
In many ways, we could say the modern perimeter is not a static perimeter. It's
not just firewalled computers and devices. In modern circumstances, the modern
perimeter is identity and policy. And what that means is the ability to know what's
on your network, who is connecting to your network, and how it's being
used across all of the different devices in your infrastructure and at all the
different layers, the application layer, the network layer, the device layer. Identity
and policy is about being able to know, first of all, who is connecting to your
infrastructure? Being able to literally identify that to a person and know, is this
person somebody who belongs on our network? And what resources and rights
do they have? What permissions and access do they have on the infrastructure?
What kind of device is being used? How are they accessing the infrastructures?
We need to know if it's an Android-based device, an iOS-based device, a PC, a
Macintosh, what have you, and what type of hardware is it running on.
And again, policy gives us a level of control over permitting or denying that use.
Also, where are people connecting from, and when are they connecting? Are
they connecting from the office or from a remote location, during business hours
or outside of business hours? And then ultimately, what are they trying to get
access to? The information about being able to identify each of these, know what
they are, and associate them with a policy is what is the modern perimeter,
because this is what allows us to draw dynamic boundaries over interactions so
that you can say, "This person is allowed to access the infrastructure using this
device in this location to get access to that resource." Monitor it, and control it. So
we very much now rely on identity and policy as the modern boundary or the
perimeter rather than simply locking everything down and ensuring that our
security controls are very static.
So we've covered a lot of territory here, and, of course, there's a lot more that we
can go into, but the key thing I want to impress upon you is that though malware
is a growing problem-- it's growing in sophistication; it's becoming more
complicated, more targeted; the actors behind it are becoming broader in their
goals, perhaps more undeterminable-- even though it's a growing problem out
there, we don't need to lose hope. What we need to do is adjust our approach to
how we deal with this situation, and as I've mentioned, it's not just about
technology.
In fact, technology, in many ways, is the final thing we bring in after we have
done a lot of other things, and that means taking an architectural approach where
we start with, what are the goals? What are we trying to achieve? How are we
gonna put those goals, if there's a goal, in an achievable way into practice in the
business? How are we gonna run the operations to make sure we're doing
secure things? And then ultimately, of course, use the correct infrastructure to
secure ourselves.
One thing I want to make clear: I'm in no way saying that we're getting rid of old
security infrastructure, antivirus, firewall, intrusion protection. These all serve a