DocumentCode :
3110678
Title :
Enhancing network security by preventing user-initiated malware execution
Author :
Harrison, John V.
Author_Institution :
Center for Cybermedia Res., Nevada Univ., Las Vegas, NV, USA
Volume :
2
fYear :
2005
fDate :
4-6 April 2005
Firstpage :
597
Abstract :
Although organizations have invested significant resources in security hardware, software and training to implement a strategy known as "defense in depth", the attacks they experience are increasing in number, sophistication and cost of recovery and litigation. One difficult class of attack to defend against is user-initiated malicious software (malware) execution. User-initiated malware penetrates the security perimeter with assistance provided, either intentionally or unintentionally, by an enterprise's end users. These users assist the attacker by downloading malware from a Web site, invoking malware arriving as e-mail attachments and introducing malware inside the perimeter via the unauthorized use of foreign media, e.g., floppy disks, CD-ROMs, or unauthorized media devices, e.g., USB drives, or unauthorized wireless networking hardware. In this paper, we describe characteristics of the most widely used defense techniques for the blocking of user-initiated malware and why these techniques are insufficient. We then introduce a module verification strategy that eliminates, or at least severely reduces, this problem by extending the classic "defense in depth" network security strategy. We then describe how the augmentation of a standard operating system loader to include references to a database of cryptographic hashes of module executables can be used to implement this strategy. Finally, we describe our efforts towards the creation of a prototype system that implements the module verification strategy.
Keywords :
authorisation; cryptography; operating systems (computers); telecommunication security; computer security; cryptographic hash; malicious software; malware execution; module verification; network security; operating system security; Costs; Cryptography; Data security; Databases; Drives; Electronic mail; Floppy disks; Hardware; Operating systems; Universal Serial Bus; Computer Security; Malicious Software; Network Security; Operating System Security;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Information Technology: Coding and Computing, 2005. ITCC 2005. International Conference on
Print_ISBN :
0-7695-2315-3
Type :
conf
DOI :
10.1109/ITCC.2005.146
Filename :
1425209