Kevin Dean Technology Strategist Education Southeast Microsoft Corporation

Transcription

1 Kevin Dean Technology Strategist Education Southeast Microsoft Corporation

2 Security Exploits History The Threat landscape today Microsoft Security Development Lifecycle State of Security today Trends in Software Vulnerability Disclosures Microsoft platform for security Resources

3 What happened in the past?

4 Blaster August 2003 Sasser April 2004 Zotob August 2005 MS October 2008 Alert and prescriptive guidance Online guidance/ Webcast Free worm removal tool Days after the patch we knew of 1 st exploit Products not affected by attacks Within 1 day Within 10 days Within 38 days Within 2 hours Within 2 days Within 3 days 2 days prior Same day Within 3 days Before publicly known (MAPP) 3 times, 2x Same day Didn t need one* +11 days +4 days +2 days -11 days none none XPSP2 Vista, Server 2008

5

6 Local Area Networks First PC virus Boot sector viruses Create notoriety or cause havoc Slow propagation 16-bit DOS Internet Era Macro viruses Script viruses Key loggers Create notoriety or cause havoc Faster propagation 32-bit Windows Broadband prevalent Spyware, Spam Phishing Botnets & Rootkits War Driving Financial motivation Internet wide impact Hyper jacking Peer to Peer Social engineering Application attacks Financial motivation Targeted attacks Network device attacks 32-bit Windows 64-bit Windows

7 Number of Digital IDs Exponential Growth of IDs Identity and access management challenging Increasingly Sophisticated Malware Anti-malware alone is not sufficient 160,000 B2E mobility B2C B2B 120,000 80,000 Number of variants from over 7,000 malware families (1H07) Internet 40,000 0 mainframe client/server Pre-1980s 1980s 1990s 2000s Crime On The Rise Source: Microsoft Security Intelligence Report (January June 2007) Attacks Getting More Sophisticated Traditional defenses are inadequate National Interest Personal Gain Personal Fame Curiosity Largest segment by $ spent on defense Largest area by $ lost Vandal Largest area by volume Thief Trespasser Author Spy Fastest growing segment User GUI Applications Drivers O/S Hardware Physical Examples Spyware Rootkits Application attacks Phishing/Social engineering Script-Kiddy Amateur Expert Specialist

8

9 Release Conception Protect Microsoft customers by Reducing the of vulnerabilities Reducing the of vulnerabilities Prescriptive yet practical approach Proactive not just looking for bugs Eliminate security problems early Secure by design

10 At Microsoft, we believe that delivering secure software requires Executive commitment SDL a mandatory policy at Microsoft since 2004 Training Requirements Design Implementation Verification Release Response Core training Analyze security and privacy risk Define quality gates Threat modeling Attack surface analysis Specify tools Enforce banned functions Static analysis Dynamic/Fuzz testing Verify threat models/attack surface Response plan Final security review Release archive Response execution Ongoing Process Improvements 6 month cycle

11 Infrastructure Optimization Microsoft Security Assessment Toolkit Microsoft Windows Vista Security Whitepapers Microsoft Security Intelligence Report Learning Paths for Security Professionals Microsoft IT Showcase Security Tools & Papers Security Readiness Education and Training

12 Major sections cover Software Vulnerability Disclosures Software Vulnerability Exploits Privacy and Security Breach Notifications Malicious Software and Potentially Unwanted Software , Spam and Phishing Threats

13

14 Rogue security software infections spiked in 2H08 Microsoft products removed rogue security software from more than 10 million computers in 2H08

15 Rogue security software uses multiple social engineering techniques to persuade users to install the software Many rogues mimic genuine security software alerts

16 Further social engineering techniques are discussed in the SIR Worms and social engineering File Format Exploits Spear Phishing and Whaling Online Banking Malware Malware targeting Online Gamers Threats Targeting Music and Video Consumers See the full Security Intelligence Report for more

17

18 Operating system, Browser and Application Disclosures Industry Wide Operating system vulnerabilities 8.8% of the total Browser vulnerabilities 4.5% of the total Other vulnerabilities 86.7% of the total Industry-wide operating system, browser, and other vulnerabilities, 2H03-2H08 3,500 3,000 2,500 2,000 1,500 1, H03 1H04 2H04 1H05 2H05 1H06 2H06 1H07 Operating System Vulnerabilities Browser Vulnerabilities All Other 2H07 1H08 2H08

19 Microsoft vulnerability disclosures Microsoft vulnerability disclosures mirror the industry totals, though on a much smaller scale Vulnerability disclosures for Microsoft and non-microsoft products, 2H03-2H08 3,500 3,000 2,500 2,000 1,500 1, Non-Microsoft Microsoft 2H03 1H04 2H04 1H05 2H05 1H06 2H06 1H07 2H07 1H08 2H08

20 By half year industry wide Vulnerability disclosures in 2H08 down 3% from 1H as a whole down 12% from 2H07 Microsoft proportion only 5% of industry total Industry-wide vulnerability disclosures by half-year, 2H03-2H08 Vulnerability disclosures for Microsoft products, by full year,

21 Adjust risk management processes to ensure that operating systems and applications are protected Security Risk Management Guide for IT professionals is available complianceandpolicies/secrisk/default.mspx Free prescriptive guides for IT professionals default.mspx Participate in IT security communities Example: The Microsoft IT Pro Security Zone community Subscribe to the Microsoft Security Newsletter default.mspx

22 Browser-based exploits by operating system and software vendor On Windows XP-based machines, Microsoft vulnerabilities accounted for 40.9% of the exploits On Windows Vista-based machines, Microsoft vulnerabilities account for only 5.5% of the exploits Browser-based exploits targeting Microsoft and third-party software on computers running Windows XP, 2H08 Browser-based exploits targeting Microsoft and third-party software on computers running Windows Vista, 2H08 Microsoft, 5.5% Microsoft, 40.9% 3rd Party, 59.1% 3rd Party, 94.5%

23 Top 10 browser-based exploits on Windows XP-based machines On Windows XP-based machines Microsoft software accounted for 6 of the top 10 vulnerabilities The most commonly exploited vulnerability was disclosed and patched by Microsoft in 2006 The 10 browser-based vulnerabilities exploited most often on computers running Windows XP, 2H08 10% Microsoft Vulnerabilities Third-Party Vulnerabilities 8% 6% 4% 2% 0%

24 Top 10 browser-based exploits on Windows Vista-based machines On Windows Vista-based machines Microsoft software accounted for none of the top 10 vulnerabilities The 10 browser-based vulnerabilities exploited most often on computers running Windows Vista, 2H08 20% 15% 10% Third-Party Vulnerabilities 5% 0%

25 Exploits against common document formats Data from submissions of malicious code to Microsoft One vulnerability was the target of 91.3% of all attacks Microsoft Office file format exploits, by percentage, encountered in 2H08 CVE % CVE , 2.2% CVE , 2.6% CVE , 1.3% CVE % CVE % CVE , 91.3%

26 Always run up to date software Enable Automatic Updates in Windows Periodically check the Web sites of third-party vendors Uninstall software you don t actively use Use up-to-date anti-malware software from a known, trusted source Enable Data Execution Prevention (DEP) in compatible versions of Windows Enable Structured Exception Handling Overwrite Protection (SEHOP) in Windows Vista SP1 and Windows Server 2008 Set Internet and local intranet security settings in Internet Explorer to High Avoid browsing to Web sites that you do not trust Enable User Account Control in Windows Vista Read messages in plain text format Use the Microsoft Security Assessment Tool (MSAT)

27 Use Microsoft Update instead of Windows Update Ensure that security update MS has been applied to any affected software in your environment Keep your third-party and Microsoft software up to date If possible, upgrade your applications to the most recent versions Avoid opening attachments or clicking links to documents that arrive unexpectedly Use up-to-date anti-malware software from a known, trusted source

28

29 Inbound messages blocked by Forefront Online Security for Exchange content filters, by category, during the last six weeks of 2H08 Phishing, 1.6% Gambling, 1.1% Get Rich Quick, Stock, 0.6% 1.7% Malware, 1.8% Software, 0.5% 419 Scam, 1.9% Fraudulent Diplomas, 2.8% Financial, 3.1% Dating/Sexually Explicit Material, 5.2% Image only, 7.3% Pharmacy - sexual, 10.0% Pharmacy - non sexual, 38.6% Non-pharmacy product ads, 23.6%

30 Phishing Sites and Traffic Active phishing site numbers increased, but each site received far less traffic than 1H08 Phishing sites tracked each month in 2H08 and their target institution types, indexed to the monthly average for 2H July August September October November December Commerce Financial Social Networking Web Service

31

32

33 Use an up-to-date anti-malware product from a known, trusted source Keep your operating system up to date Consider upgrading to the most recent versions of software you use Consider disabling autorun functionality Consider using a user account which does not have administrator privileges for your daily work Use passwords for any network share you configure Avoid opening attachments or clicking links in or instant messages that are received unexpectedly

34 Use a mail client that suppresses active content and blocks unintentional of executable attachments Use a robust spam filter to guard against fraudulent and dangerous If you receive an from a bank or commerce site, visit their site using a pre-bookmarked link or by typing in the link from your monthly statement Deploy inbound and outbound authentication to protect against spoofing and forgery Online gamers are at risk from malware that tries to steal their game assets or credentials

35 Download and use the Malicious Software Removal Tool (MSRT) Support new legislation to help take legal action against criminals Use the Microsoft Security Assessment Tool Keep yourself up to date about emerging threats

36 Core improvements to the Operating Systems

37 Windows Vista Foundation Streamlined User Account Control Enhanced Auditing Security Development Lifecycle process Kernel Patch Protection Windows Service Hardening DEP & ASLR Internet Explorer 8 inclusive Mandatory Integrity Controls Make the system work well for standard users Administrators use full privilege only for administrative tasks File and registry virtualization helps applications that are not UAC compliant XML based Granular audit categories Detailed collection of audit results Simplified compliance management

38 First Year of Vulnerabilities Unfixed Fixed Windows XP Windows Vista RHEL4 reduced UbuntuLTS reduced Mac OS X 10.4 Metric Windows Vista (year 1) Windows XP (year 1) Red Hat rhel4ws reduced (year 1) Ubuntu 6.06 LTS reduced (year 1) Mac OS X 10.4 (year 1) Vulnerabilities fixed Security Updates Patch Events Weeks with at least 1 Patch Event

39 First Year of Vulnerabilities Low Medium High Windows XP SP2 Windows Vista RHEL4 reduced Ubuntu 6.06 LTS reduced Mac OS X Windows Vista in % fewer vulnerabilities than Windows XP 74% fewer vulnerabilities than the next closest (Ubuntu) 47% fewer high severity vulnerabilities than the next closest (Red Hat) Source:

40 Secure Platform Security Development Lifecycle (SDL) Windows Server Virtualization (Hypervisor) Role Management Tool OS File Integrity Data Protection Rights Management Services (RMS) Full volume encryption (Bitlocker) USB Device-connection rules with Group Policy Improved Auditing Windows Server Backup Network Protection Network Access Protection (NAP) Server and Domain Isolation with IPsec End-to-end Network Authentication Windows Firewall With Advanced Security On By Default Identity Access Read-only Domain Controller (RODC) Active Directory Federation Services (ADFS) Administrative Role Separation PKI Management Console Online Certificate Status Protocol

41 Vulnerabilities in First 90 Days Windows Server 2003-all Windows Server 2003-gui Windows Server 2008-all Windows Server 2008-gui Windows Server 2008-core Source: internal study by Jeff Jones

42 % % 8.0% 7.0% % % 9.5% % 3.0% 2.0% 1.0% 0.0% 5.9% 5.3% 5.9% 3.7% 3.3% 3.0% 4.9% 4.2% 3.1% 2.9% MSFT vulns non-msft vulns MSFT % of All Disclosures Source:

43 Secure the Platform Windows7/Server 2008 Secure the Data RMS, EFS, BitLocker (Plus features in Office, SharePoint, etc.) Secure the Network NAP Secure the Wireless Server 2008 Secure the Edge ISA/IAG Secure the Communications Forefront Server, OCS, Exchange Secure the Desktops and Servers Forefront Client Security

44 Services A well Managed Secure Infrastructure is the key! Edge Server Applications Active Directory Federation Services (ADFS) Client and Server OS Certificate Lifecycle Management Information Protection Identity & Access Management Systems Management Operations Manager 2007 Configuration Manager 2007 Data Protection Manager Mobile Device Manager 2008 SDL TWC

45 microsoft.com/security_essentials/ microsoft.com/sir microsoft.com/protect microsoft.com/forefront Malicious Software Removal Tool (MSRT) Microsoft Customer Service & Support Security incidents are FREE

46 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.