SANET: Spam Analysis Network
Enrique Curiel Foruria, Lead Software Engineer, INTECO-CERT for Citizens
[email protected]
National CERTs Collaboration Meeting, June 2007
Agenda
• About INTECO
• Survey among Spanish home users
• Anti-spam strategy
• SANET system description
• SANET web site demo
About INTECO
• Public limited company dependent on the Ministry of Industry, Tourism and Commerce of the Government of Spain.
• Instrument for the development of the Information Society in Spain.
• Fundamentals: Applied Research, Services Rendering, Training.
• Around 100 employees, 50 of them in e-Confidence (IT Security).
About INTECO – Strategic Work Lines
• E-Confidence (Security): INTECO-CERT for SMEs and Citizens; Showcase Centre for SMEs; Information Security Observatory.
• SW Quality: National SW Quality Laboratory; Training; IT projects promotion; Standards and normalization promotion.
• Accessibility: Reference Centre in web standards; Promotion of technological accessibility and Public Administration application (websites, TDT platform, etc.); Innovation in accessibility technologies.
Survey among Spanish home users
• Target: e-confidence and security assessment of Spanish Internet home users.
• Sample population: Internet users from every Spanish region, age, gender and job activity.
• 6,357 online surveys; 3,068 home computers scanned (tool based on VirusTotal, developed by Hispasec).
• Fieldwork: December 2006 and January 2007. Next waves → trends and evolution.
Survey among Spanish home users – Security classification
Depending on the nature of the measures used, home devices are classified by protection level:
• Advanced Protection: both automated and proactive protection are used.
• Basic Protection: mainly automated protection is used.
• Deficient Protection: very low levels of both automated and proactive protection.
Protection level at home devices: Advanced Protection 28.3%; the other two levels account for 35.6% and 36.1% (the chart does not make clear which of these belongs to Basic and which to Deficient Protection).
Survey among Spanish home users – Security measures inventory (% of users)

Security measure                          Now    Next 3 months forecast
Antivirus Software                        94.5   95.8
Firewalls                                 76.0   79.3
PopUp Killers                             69.5   73.5
Temporary files and cookies clearing      62.0   68.6
Anti-spam                                 56.8   64.3
Anti-Spy                                  56.8   64.1
Passwords (computer and documents)        51.6   57.0
OS Security Updates                       50.1   62.2
Main Files Backup                         34.2   52.7
Hard Disk Partitioning                    31.3   38.3
Boot Sector Backup                        22.8   37.3
Parental Control Software                  9.2   12.9
Document Encryption                        8.5   13.1
No Security Measure                        0.7   -
Survey among Spanish home users – Security measures
• Users mainly employ automated security measures; proactive measures, which need more work from the user, are under-used.
• 95% claim to have an antivirus, but in fact only 87% really have it installed and working.
• Most widespread: antivirus and firewall. Less than 35% of users perform file backups and less than 10% use encryption for documents.
• Proactive measures are expected to grow more in the next months.
Reasons not to use security measures (% of users not using each measure)

Security measure                       Don't know  Unnecessary  Price  Slows down performance  Distrust  Ineffective
Antivirus Software                       4.7        24.2        16.7   38.1                     5.9      10.4
Firewalls                               35.7        25.0         8.1   22.6                     3.9       4.7
PopUp Killers                           23.7        34.8         8.7   20.9                     5.0       6.9
Temporary files and cookies clearing    18.8        59.4         5.2    7.2                     3.6       5.8
Anti-spam                               14.8        42.5        11.5   12.7                     6.7      11.8
Anti-Spy                                25.7        31.7        11.6   14.5                     9.2       7.3
OS Security Updates                     21.7        47.0        10.2    9.7                     6.2       5.2
Passwords (computer and documents)       8.7        70.6         3.9    8.4                     3.1       5.3
Main Files Backup                       12.9        67.5         5.3    6.2                     2.9       5.2
Hard Disk Partitioning                  24.5        56.6         3.8    7.2                     3.0       4.9
Boot Sector Backup                      18.4        64.0         4.3    5.9                     2.9       4.5
Document Encryption                     28.6        56.4         4.3    5.5                     3.0       2.2
Parental Control SW                      9.0        77.3         3.4    4.3                     2.1       3.9
Survey among Spanish home users – Reasons not to use security measures
• Antivirus, firewalls and anti-spy software are the most appreciated.
• Main reasons for not applying security measures:
  – Ignorance about the measure: 35.7% for firewalls.
  – Believes the measure unnecessary: 24.2% for antivirus, 25.0% for firewalls, 31.7% for anti-spy, 67.5% for backups, 70.6% for passwords.
  – Believes the measure slows down computer and web surfing performance: 38.1% for antivirus.
Survey among Spanish home users – User groups according to utilization habits
• Careful and not supportive: has an individual approach to security; centred on own system security and does not share experiences.
• Careful and supportive: concerned not only about individual protection, but also about sharing and reciprocal support in security affairs.
• Reckless: does not follow any caution rule or habit; does not change his customs even after severe incidents.
User distribution in groups: 57.9%, 33.4% and 8.7% (the chart does not make clear which percentage belongs to which of the three groups).
Survey among Spanish home users – Security Key Performance Indicators vs security habit roles and average
[Bar chart, scores 0 to 100, one series per group (Reckless, Careful and supportive, Careful and not supportive) plus the Average. Indicators on the axis: Security Opinion, Supportive Behaviour, Own Security Behaviour, Reckless Behaviour, Computers with any malware incident, High Risk Leveled Computers, Spread-Risk Leveled Computers. Individual bar values are not recoverable from the extracted text.]
Survey among Spanish home users – Security Key Performance Indicators vs security habit roles and average
• 7 objective Security Key Performance Indicators.
• Most users describe themselves as quite careful when surfing the web; users are self-confident about their security while surfing (76.4 over 100).
• Most computers analysed have malware (72.6 over 100): 51.8 out of 100 are high-risk leveled and 27.3 out of 100 are spread-risk leveled.
• Real security depends on security habits together with the tools and measures installed.
Conclusions:
• Raising awareness among users is decisive.
• Increase training: security guidelines, HowTos, best practices.
• Next wave reports → evolution of users' security.
Anti-spam strategy – spam is about money
[Diagram: money (€$) flows connect Spam and a Dubious Business with the infrastructure used to send it (Botnet, Hacked Servers); on the receiving side, e-mail users suffer overloaded mailboxes and malware infections.]
Anti-spam strategy – apply pressure against spam at as many points as possible
• Legal: heavy fines in Spain for spammers and for illegal personal data exchange.
• Raise awareness: measure the size of the problem and highlight the relationship with malware [SANET]; do not help spam.
• Promote current solutions: content filters, reputation lists, blacklists, malicious IPs [SANET]; correlate incidents and security events from all of our sources.
• Research and promote new technical solutions [planned]: servers – protocol extensions, SPF/DKIM; secure e-mail as anti-spam?
SANET system overview
[Architecture diagram: Sensors take the anti-spam filter logs of their users and produce a SANET report (IODEF XML, Bzip2 compressed, S/MIME protection still to do). Reports travel over the Internet to the SANET Server, where they pass validation and load into the OLTP Database, enriched with whois, ASN and domain data from public databases. An rOLAP report built from that database feeds the public Web site.]
SANET system overview – Sensor
• Perl scripts process the e-mail and anti-spam filter logs.
• Reports are sent every 4 hours as a SANET report: an IODEF XML document, Bzip2 compressed (S/MIME protection still to do).
• Aggregated data: per-sensor totals and percentages (the sample table on the slide is not recoverable from the extracted text).
SANET system overview – Sensor
• Relay data: on average 50.000 relay IPs per report during testing (e.g. 72.184.53.128 ...).
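The sensor-to-server path described above (aggregate anti-spam log lines per relay IP, wrap the result in an IODEF XML report, bzip2 it, and validate it again on the server before loading), as an added illustration rather than SANET's own code: the real sensor is written in Perl, the log format, the simplified element layout inside the IODEF namespace and the "spam"/"ham" counter types are this example's own assumptions, and S/MIME protection of the report is not shown.

```python
import bz2
import ipaddress
import re
from collections import Counter, defaultdict
from xml.etree import ElementTree as ET

# Constructed sample anti-spam log lines (not real SANET input); the last line is malformed on purpose.
SAMPLE_LOG = """\
2007-06-12T10:02:11 relay=203.0.113.7 verdict=spam score=12.4
2007-06-12T10:02:15 relay=203.0.113.7 verdict=spam score=9.1
2007-06-12T10:03:40 relay=198.51.100.23 verdict=ham score=0.3
2007-06-12T10:04:02 relay=203.0.113.7 verdict=ham score=1.2
2007-06-12T10:05:59 relay=192.0.2.250 verdict=spam score=15.0
corrupted line that the sensor must skip
"""
LINE_RE = re.compile(r"^\S+ relay=(\d{1,3}(?:\.\d{1,3}){3}) verdict=(spam|ham) ")
IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"  # IODEF namespace; the element layout below is simplified

def aggregate(log_text):
    """Sensor side: count spam/ham verdicts per relay IP, skipping lines that do not parse."""
    per_relay = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            per_relay[m.group(1)][m.group(2)] += 1
    return {ip: dict(c) for ip, c in per_relay.items()}

def build_report(per_relay, sensor_id="sensor-01"):
    """Sensor side: serialise the aggregate as IODEF-style XML and bzip2 it for transmission."""
    root = ET.Element("IODEF-Document", {"version": "1.00", "xmlns": IODEF_NS})
    incident = ET.SubElement(root, "Incident", {"purpose": "reporting"})
    ET.SubElement(incident, "IncidentID", {"name": sensor_id}).text = "spam-summary"
    for ip, counts in sorted(per_relay.items()):
        flow = ET.SubElement(ET.SubElement(incident, "EventData"), "Flow")
        system = ET.SubElement(flow, "System", {"category": "source"})
        ET.SubElement(ET.SubElement(system, "Node"), "Address", {"category": "ipv4-addr"}).text = ip
        for verdict in ("spam", "ham"):  # "spam"/"ham" as Counter types is this example's own convention
            ET.SubElement(system, "Counter", {"type": verdict}).text = str(counts.get(verdict, 0))
    return bz2.compress(ET.tostring(root, encoding="utf-8"))

def unpack_report(blob):
    """Server side: decompress, parse and sanity-check every address before anything is loaded."""
    q = "{%s}" % IODEF_NS
    result = {}
    for system in ET.fromstring(bz2.decompress(blob)).iter(q + "System"):
        ip = system.findtext(".//" + q + "Address", default="")
        ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not a dotted quad
        result[ip] = {c.get("type"): int(c.text) for c in system.iter(q + "Counter")}
    return result
```

The server-side check matters because a report is untrusted input from a remote sensor: a malformed address must be rejected before it reaches the OLTP database or the whois/ASN lookups.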
SANET system overview – Current platform
SANET Server (beta stage numbers):
• Hardware: 2x Intel Xeon 50xx, 8GB RAM, SATA RAID; OS: SLES 10 x86_64.
• Around 200.000 relay IPs processed in 1.5h; around 7M different IPs seen so far.
• OLTP database: 36M records / month.
Optimizations:
• MySQL tuning and "LOAD DATA INFILE" bulk loading into the OLTP database.
• Threaded Perl scripts for the whois / ASN / domain validation against public databases.
• XML Schema validation of incoming reports (PHP).
• rOLAP database feeding the web site.
SANET system overview – Next steps
• Sensor feedback: benchmark anti-spam strategies and techniques; measure the success of anti-spam methods.
• Web site on the Joomla! CMS, fed from the rOLAP database: statistical data sampling, raise awareness.
• Malware correlation (Nepenthes?).
SANET web site demo: http://ersi.inteco.es
www.inteco.es