How does malware enter the enterprise?

Executable code can hide in various forms in different places

  • Embedded objects anywhere in files e.g.
    • macros
    • scripts
  • Reloadable objects in mails or browser content
  • Objects automatically (re-) loaded by the operating system e.g. LNK attack
  • Application Plug-ins
  • (Automatically loaded) patches
  • Controllers and firmware (e.g. BadUSB)
  • ...

RSA Security 2015 in San Francisco:

Marcus Murray demonstrated a simple method of hiding malicious code in image files and using it
to take over a web server:

  • Murray hides malicious code as a comment in the EXIF information of image files.
  • The malicious code runs with the user's privileges, without the user noticing anything.
  • Hiding places for malicious code exist in all file formats: video, Office documents, PDF, etc.
  • Every executable element (macros, scripts, etc.) carries this risk.
  • How, then, can potentially risky files be imported, edited, archived and processed further on any computer?

Data lock & data sanitizing

Potentially harmful data from external sources (web, e-mail, USB stick, iPhone / mobile devices, the
organisation's own applications, ...) should be brought into a secure network cleanly and free of
(malicious) code, enriched with further data (e.g. metadata), converted into standardized formats in a
clearly defined process, and then processed further in the secure network or stored long-term (preserved).

For this purpose, the data is first collected in an isolated airlock system that is deliberately designed
as a victim system: the system itself is hardened by a security policy and by software/hardware separation.

Potentially harmful data is then passed on to the "cleaning system" and cleaned.

Data lock: cleaning (example: JPG)
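As an added illustration of the JPG cleaning step (not code from the original slides or from any product), the following Python walks a JPEG segment by segment and drops the COM and APPn segments in which EXIF data and comments live, the exact hiding place used in the Murray demonstration. The sample JPEG is constructed inline and is structurally valid but not a real picture; the parser copies segments by length only and never interprets their contents, so a hostile payload is never parsed by the cleaning system. Fill bytes between markers and restart markers outside the scan data are assumed not to occur.

```python
import struct

# JPEG marker codes (second byte after 0xFF)
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
APP_RANGE = range(0xE0, 0xF0)   # APP0..APP15; APP1 carries EXIF
KEEP_APP = {0xE0}               # APP0 (JFIF header) is harmless and expected by decoders

def strip_jpeg_metadata(data: bytes, keep_app=KEEP_APP) -> tuple[bytes, list[str]]:
    """Return (cleaned_jpeg, dropped) where COM and APPn segments not in keep_app
    are removed. Segments are copied structurally by their length field only."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out, dropped, pos = bytearray(b"\xff\xd8"), [], 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:                 # end of image
            out += b"\xff\xd9"
            break
        if marker == SOS:                 # entropy-coded image data follows; copy to the end
            out += data[pos:]
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes its own 2 bytes
        segment = data[pos:pos + 2 + length]
        if len(segment) != 2 + length:
            raise ValueError(f"truncated segment 0x{marker:02X} at offset {pos}")
        if marker == COM or (marker in APP_RANGE and marker not in keep_app):
            dropped.append(f"0x{marker:02X} ({length} bytes)")   # metadata: do not keep
        else:
            out += segment                                        # image structure: keep
        pos += 2 + length
    return bytes(out), dropped

def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment with a correct length field (used for the sample)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: JFIF header, an EXIF block, a comment, then minimal DQT/SOF0/SOS/EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00" + b"<constructed EXIF blob>")
    + _segment(0xFE, b"constructed comment: anything could be here")
    + _segment(0xDB, b"\x00" + bytes(64))                       # quantisation table
    + _segment(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")   # 1x1 greyscale frame header
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x00"     # scan header + 1 data byte
    + b"\xff\xd9"
)
```

Re-encoding the image through a trusted decoder afterwards (as the slides' "standardized formats" step implies) would additionally normalise the pixel data itself; this block only removes the metadata containers.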