How does malware enter the enterprise?
Executable code can hide in various forms in different places
- Embedded objects anywhere in files, e.g.:
  - macros
  - scripts
- Reloadable objects in mails or browser content
- Objects automatically (re-) loaded by the operating system e.g. LNK attack
- Application Plug-ins
- (Automatically loaded) patches
- Controllers and firmware (e.g. BadUSB)
- ...
RSA Security 2015 in San Francisco:
Marcus Murray demonstrates a simple method to hide malicious code in image files - and to take over a web server
- Murray hides malicious code as a comment in the EXIF information of image files.
- The malicious code is executed with the user's rights without the user noticing.
Malicious code hiding places exist in all file formats: video, Office documents, PDF, etc. - risks are contained in all executable elements (macros, etc.).
- How can potentially risky files be imported, edited, archived and be further processed on any computer?
Data lock & data sanitizing
Potentially harmful data from external sources (web, e-mail, USB stick, iPhone / mobiles, own applications ...) should be brought into a secure network cleanly and free of (malicious) code,
enriched with further data (e.g. metadata), converted into standardized formats in a clearly defined process, and then processed further in the secure network or stored long-term (preserved).
For this purpose, the data is collected in an isolated airlock system that is designed as a victim
system. The system itself is hardened by a security policy and software/hardware separation.
Potentially harmful data is passed on to the "cleaning system" and cleaned.
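As an added example of one step such a cleaning system can take (not code from the slides or from Murray's demo), the following Python walks the JPEG marker structure and removes the APPn (EXIF) and COM segments in which comment text is stored, keeping only the segments a decoder needs; the sample JPEG skeleton is constructed inline.

```python
import struct

SOS, EOI = 0xDA, 0xD9
# Markers that carry metadata rather than image data: APP0..APP15 and COM.
METADATA_MARKERS = set(range(0xE0, 0xF0)) | {0xFE}


def sanitize_jpeg(data: bytes):
    """Return (sanitized_bytes, names_of_removed_segments).
    Drops every APPn/COM segment (where EXIF and JPEG comments live), copies
    the other header segments and the scan data unchanged, and raises
    ValueError on anything that is not a well-formed JPEG header."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out, removed, pos = bytearray(b"\xff\xd8"), [], 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            out += data[pos:]  # entropy-coded image data follows: copy verbatim
            return bytes(out), removed
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segment = data[pos:pos + 2 + length]
        if len(segment) != 2 + length:
            raise ValueError(f"truncated segment at offset {pos}")
        if marker in METADATA_MARKERS:
            removed.append("COM" if marker == 0xFE else f"APP{marker - 0xE0}")
        else:
            out += segment
        pos += 2 + length
    raise ValueError("unexpected end of data before SOS/EOI")


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one segment: FF, marker, 2-byte length (including itself), payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: JPEG skeleton with an EXIF (APP1) block carrying a
# comment, a COM segment, one quantisation table (DQT) and a minimal scan.
SAMPLE = (
    b"\xff\xd8"
    + _segment(0xE1, b"Exif\x00\x00constructed exif comment payload")
    + _segment(0xFE, b"constructed jpeg comment")
    + _segment(0xDB, b"\x00" + bytes(64))          # DQT, table 0
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")  # SOS header
    + b"\x12\x34\xff\xd9"                          # scan data, then EOI
)
```

Stripping APPn also removes the JFIF (APP0) block, which decoders do not require; a full cleaning system would additionally re-encode the image so that the scan data itself is regenerated.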