Title: Monitoring and Preventing Malicious Codes in Broadband Network Infrastructure
1 Monitoring and Preventing Malicious Codes in Broadband Network Infrastructure
- Dr. Charles Ahn
- CEO / AhnLab, Inc.
2 Agenda
- Company Profile
- CEO Career Activities
- Attack Trend in Korea
- Malicious Codes in the Age of Broadband
- Case study SQL Slammer Worm
- How to Prevent Malicious Codes in the Age of Broadband
- AhnLab's Response System
3 Company Profile
- History
- Founded 1995
- IPO (KOSDAQ) Sept. 2001
- Number of Employees
- About 300 employees
- Business
- Anti-Virus and Secure Contents Management
- Integrated Security Software
- Security Management
- Security Consulting Services
- Financial Status
- 2002 Fiscal Revenues USD 25 million
- Market Share
- 65% of the AV market in Korea (1st in Korea)
- Location
- Corporate Headquarters: Seoul, Korea
- International Offices: China, Japan
4 CEO Career Activities
- Charles Ahn, MD / Ph.D. / EMTM
- Feb. 1986: Medical Doctor's degree from the College of Medicine, Seoul National University
- Mar. 1986 to Sep. 1989: Research assistant at the College of Medicine, Seoul National University
- Sep. 1989 to Feb. 1991: Full-time lecturer at the College of Medicine and head of the pre-medical course, Dankook University
- Feb. 1991: Ph.D. from the College of Medicine, SNU
- May 1997: E.M.T.M. (Executive Master of Technology Management) from Penn Engineering / Wharton School, University of Pennsylvania
- Oct. 2000: Completed venture business course, Stanford University
5 Attack Trend in Korea
6 Reported Incidents
Source: KISA (Korea Information Security Agency)
7 Attack-Type Distribution in Korea
- Port scanning attacks are increasing drastically.
- Misconfigurations of IT systems are being actively exploited.
- Infection through e-mail is continuously increasing.
Source: KISA (Korea Information Security Agency)
8 Malicious Codes in the Age of Broadband
9 The Evolution of Viruses and Worms
- Utilization of vulnerabilities in IT infrastructure
- Increased sophistication of attacking techniques
- Integration of various technologies, posing a bigger threat
10 Examples: Internet Worms
- CodeRed
- More than 350,000 servers were infected.
- Approximately USD 2.6 billion was spent on recovery.
- Nimda
- More than 8.3 million servers were infected.
- The financial loss reached USD 590 million.
- SQL Slammer
- Major ISP services in Korea were disrupted for more than 9 hours.
11 The Faster Appearance Cycle of Internet Worms
12 Future of Internet Worms
- Emergence of multiple spread paths
- Peer-to-Peer (P2P)
- Instant Messaging
- Mobile device
- Technical advancement of attacking methods
- Vulnerability attacks and blended attacks
- Intelligent technique to avoid detection
- Faster worm writing by automated tools
13 CASE STUDY: SQL Slammer Worm
14 SQL Slammer Worm in Korea
- Nationwide Internet disruption for 9 hours from 14:30, January 25, 2003 (GMT+09:00)
- Shutdown of online trading, banking services, business transactions, communications, etc.
- Global impact: 90% of vulnerable/unpatched servers were infected within 10 minutes.
Infection status by SQL Slammer at 15:00, January 25, 2003 (CAIDA report)
15 The Influence of the SQL Slammer Worm
- Direct Effect
- Overload of infected servers
- Network congestion due to the increased traffic
- Breakdown of the international link (because 93% of randomly chosen IP addresses are overseas from Korea's point of view)
- Side Effect
- DNS troubles
- On a DNS server, retry queries increased to about 8 times the normal rate (e.g. 472 queries per second versus a normal 55).
- More traffic means lower communication speed, which in turn causes more retries (a circular effect).
16 Country Statistics
The graph above shows the 74,856 IP addresses that generated malicious packets. (CAIDA report)
17 Why Such Serious Damage in Korea?
- Well-established IT infrastructure
- Densely connected network and high broadband usage rate
- Large number of high-performance servers connected to the network
- Lack of security awareness
- Open ports for unused services
- More infected servers
- Particularly high number of infected SQL servers in Korea (7 times more than Japan and twice as many as China)
18 How to Prevent Malicious Codes in the Age of Broadband
19 Countermeasures (1)
- Vulnerability analysis of network infrastructure
- Patch management
- Systematic security planning
- Strict enforcement of the law to eliminate vulnerabilities of major organizations and enterprises
- More reliable network infrastructure
- Operation of a (replicated) root name server in Korea
- Dependable structure for load balancing and reliability enhancement
- Capacity planning for emergencies
- R&D investment
- Continuous investment in network security and antivirus technology
- Research on integration of security and antivirus technology
- Continuous research on efficient defense mechanisms
20 Countermeasures (2)
- 24x7 monitoring system and emergency response process
- Early detection and prevention with a concrete 24/7 monitoring system
- Set-up of emergency response organizations at the government, major corporations and other public organizations
- Coordinated efforts among emergency response organizations
- Governmental initiatives
- Strict enforcement of information security regulations and policies nationwide
- Long-term plan to improve the security level of small and medium-sized businesses
- Allocation of a separate budget for information security
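The behaviour described for Slammer on slide 15 (a random target per packet, so most traffic leaves the country) is also what a 24/7 monitoring system can key on for early detection. As an added example, not AhnLab's own code, the Python below flags hosts whose per-second fan-out to one UDP port exceeds a threshold and reports the share of targets outside a set of assumed "domestic" prefixes (constructed private ranges, not a real national allocation). The infected host in the constructed flow records mimics Slammer's known propagation of one fixed-size UDP datagram to port 1434 per random target.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
import random

# Assumed "domestic" prefixes for the demo (constructed; not a real national allocation).
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]

def is_local(ip: str) -> bool:
    """True if the address falls inside one of the assumed domestic prefixes."""
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def make_sample_flows():
    """Constructed flow records: (second, src, dst, proto, dport, size_bytes)."""
    flows = []
    # A healthy host: one DNS lookup and two web connections per second.
    for sec in range(3):
        flows.append((sec, "10.0.0.5", "10.0.0.53", "udp", 53, 80))
        flows.append((sec, "10.0.0.5", "10.1.2.3", "tcp", 80, 1500))
        flows.append((sec, "10.0.0.5", "203.0.113.7", "tcp", 80, 1500))
    # An infected host: one 376-byte UDP datagram to port 1434 per target,
    # 40 distinct pseudo-random targets within a single second (Slammer-style).
    rng = random.Random(7)
    targets = set()
    while len(targets) < 40:
        targets.add(".".join(str(rng.randrange(1, 224)) for _ in range(4)))
    for dst in sorted(targets):
        flows.append((1, "10.0.0.9", dst, "udp", 1434, 376))
    return flows

def detect_scanners(flows, fanout_threshold=20):
    """Group flows per (second, src, proto, dport); flag groups with more distinct
    destinations than the threshold, noting payload uniformity and overseas share."""
    groups = defaultdict(list)
    for sec, src, dst, proto, dport, size in flows:
        groups[(sec, src, proto, dport)].append((dst, size))
    alerts = {}
    for (sec, src, proto, dport), entries in groups.items():
        dsts = {d for d, _ in entries}
        if len(dsts) <= fanout_threshold:
            continue
        overseas = sum(1 for d in dsts if not is_local(d)) / len(dsts)
        alerts[src] = {"second": sec, "proto": proto, "dport": dport,
                       "distinct_dsts": len(dsts),
                       "uniform_size": len({s for _, s in entries}) == 1,
                       "overseas_ratio": round(overseas, 2)}
    return alerts
```

Running `detect_scanners(make_sample_flows())` returns one alert for 10.0.0.9 and none for the healthy host; the same grouping applied to DNS query rates against a baseline would catch the 8x retry surge from slide 15.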
21 AhnLab's Response System
- Specialized Emergency Response Team
- Early Warning System
- Virus Blocking Service
22 Emergency Response Team
(Diagram: ASEC Integrated Emergency Response (AhnLab Security E-response Center) serving customers and non-customers through an alert service)
- Resource integration
- New virus detection
- Analysis
- Engine update
- 24/7 monitoring
- Virus information
- Prompt customer service
23 Early Warning System, SAB SBTM
Outbreak Monitoring System (SAB)
24 Early Blocking / Interception Service, VBS
VBS: Virus Blocking Service
- Blocks new malicious codes prior to pattern file creation.
- Uses an advanced blocking engine.
- VBS Policy
- 24/7 service by dedicated technical support engineers
- Provides a corporate virus shield against a new virus threat in less than 15 minutes
- Flexible service operating architecture
- Remote service
25 VBS Virus Blocking Service
26 Conclusion
Thank you.