Kevin Dean, Technology Strategist, Education Southeast, Microsoft Corporation

Agenda
- Security exploits history
- The threat landscape today
- Microsoft Security Development Lifecycle
- State of security today
- Trends in software vulnerability disclosures
- Microsoft platform for security
- Resources
What happened in the past?
Microsoft response to major worms (by outbreak):
- Blaster (August 2003): alert and prescriptive guidance within 1 day; online guidance/webcast within 10 days; free worm removal tool within 38 days; first exploit known +11 days after the patch; products not affected by the attack: none.
- Sasser (April 2004): alert and prescriptive guidance within 2 hours; online guidance/webcast within 2 days; free worm removal tool within 3 days; first exploit known +4 days after the patch; products not affected: none.
- Zotob (August 2005): alert and prescriptive guidance 2 days prior; online guidance/webcast same day; free worm removal tool within 3 days; first exploit known +2 days after the patch; products not affected: XP SP2.
- MS08-067 (October 2008): alert and prescriptive guidance before publicly known (MAPP), 3 times; online guidance/webcast 2x, same day; free worm removal tool: didn't need one*; first exploit known -11 days (before the patch); products not affected: Vista, Server 2008.
Evolution of the threat landscape:
- Local Area Networks era (16-bit DOS): first PC virus; boot sector viruses; goal was to create notoriety or cause havoc; slow propagation.
- Internet era (32-bit Windows): macro viruses; script viruses; key loggers; goal was to create notoriety or cause havoc; faster propagation.
- Broadband prevalent (32-bit Windows): spyware, spam; phishing; botnets and rootkits; war driving; financial motivation; Internet-wide impact.
- Fourth era (not named on the slide; 64-bit Windows): hyperjacking; peer to peer; social engineering; application attacks; financial motivation; targeted attacks; network device attacks.
Number of digital IDs
- Exponential growth of IDs makes identity and access management challenging.
- Chart: number of digital IDs by computing era (mainframe, pre-1980s; client/server, 1980s; Internet, 1990s; B2E mobility, B2C and B2B, 2000s).

Increasingly sophisticated malware
- Anti-malware alone is not sufficient.
- Chart: number of variants from over 7,000 malware families (1H07); vertical axis 0 to 160,000. Source: Microsoft Security Intelligence Report (January-June 2007).

Crime on the rise: attacks getting more sophisticated, traditional defenses are inadequate
- Attacker motivation, from curiosity to personal fame, personal gain and national interest; attacker types: author, vandal, trespasser, thief, spy; skill levels: script-kiddy, amateur, expert, specialist.
- Chart annotations: largest area by volume; largest segment by $ spent on defense; largest area by $ lost; fastest growing segment.
- Layers under attack: user, GUI, applications, drivers, O/S, hardware, physical. Examples: spyware, rootkits, application attacks, phishing/social engineering.
Security Development Lifecycle (from conception to release)
- Protect Microsoft customers by reducing the number of vulnerabilities and reducing the severity of vulnerabilities.
- Prescriptive yet practical approach.
- Proactive, not just looking for bugs: eliminate security problems early. Secure by design.
At Microsoft, we believe that delivering secure software requires executive commitment: the SDL has been a mandatory policy at Microsoft since 2004.

SDL phases and activities:
- Training: core training.
- Requirements: analyze security and privacy risk; define quality gates.
- Design: threat modeling; attack surface analysis.
- Implementation: specify tools; enforce banned functions; static analysis.
- Verification: dynamic/fuzz testing; verify threat models/attack surface.
- Release: response plan; final security review; release archive.
- Response: response execution.
- Ongoing process improvements on a 6 month cycle.
Security readiness, education and training resources:
- Infrastructure Optimization
- Microsoft Security Assessment Toolkit
- Microsoft Windows Vista Security Whitepapers
- Microsoft Security Intelligence Report
- Learning Paths for Security Professionals
- Microsoft IT Showcase Security Tools & Papers

Microsoft Security Intelligence Report (www.microsoft.com/sir). Major sections cover:
- Software vulnerability disclosures
- Software vulnerability exploits
- Privacy and security breach notifications
- Malicious software and potentially unwanted software
- Email, spam and phishing threats
Rogue security software
- Rogue security software infections spiked in 2H08: Microsoft products removed rogue security software from more than 10 million computers in 2H08.
- Rogue security software uses multiple social engineering techniques to persuade users to install the software; many rogues mimic genuine security software alerts.
- Further social engineering techniques discussed in the SIR: worms and social engineering; file format exploits; spear phishing and whaling; online banking malware; malware targeting online gamers; threats targeting music and video consumers. See the full Security Intelligence Report for more.
Operating system, browser and application disclosures (industry wide)
- Operating system vulnerabilities: 8.8% of the total.
- Browser vulnerabilities: 4.5% of the total.
- Other vulnerabilities: 86.7% of the total.
- Chart: industry-wide operating system, browser, and other vulnerabilities, 2H03-2H08 (series: operating system vulnerabilities, browser vulnerabilities, all other).

Microsoft vulnerability disclosures
- Microsoft vulnerability disclosures mirror the industry totals, though on a much smaller scale.
- Chart: vulnerability disclosures for Microsoft and non-Microsoft products, 2H03-2H08.

Vulnerability disclosures by half year, industry wide
- Vulnerability disclosures in 2H08 down 3% from 1H08.
- 2008 as a whole down 12% from 2H07.
- Microsoft proportion only 5% of the industry total.
- Charts: industry-wide vulnerability disclosures by half-year, 2H03-2H08; vulnerability disclosures for Microsoft products by full year, 2004-2008.
Guidance for IT professionals
- Adjust risk management processes to ensure that operating systems and applications are protected. The Security Risk Management Guide for IT professionals is available at http://www.microsoft.com/technet/security/guidance/complianceandpolicies/secrisk/default.mspx
- Free prescriptive guides for IT professionals: http://www.microsoft.com/technet/security/guidance/default.mspx
- Participate in IT security communities, for example the Microsoft IT Pro Security Zone community: http://technet.microsoft.com/security
- Subscribe to the Microsoft Security Newsletter: http://www.microsoft.com/technet/securitysecnews/default.mspx
Browser-based exploits by operating system and software vendor
- On Windows XP-based machines, Microsoft vulnerabilities accounted for 40.9% of the exploits (3rd party: 59.1%).
- On Windows Vista-based machines, Microsoft vulnerabilities accounted for only 5.5% of the exploits (3rd party: 94.5%).
- Charts: browser-based exploits targeting Microsoft and third-party software on computers running Windows XP, 2H08; the same for Windows Vista, 2H08.

Top 10 browser-based exploits on Windows XP-based machines
- Microsoft software accounted for 6 of the top 10 vulnerabilities.
- The most commonly exploited vulnerability was disclosed and patched by Microsoft in 2006.
- Chart: the 10 browser-based vulnerabilities exploited most often on computers running Windows XP, 2H08 (Microsoft vulnerabilities vs. third-party vulnerabilities; vertical axis 0% to 10%).

Top 10 browser-based exploits on Windows Vista-based machines
- Microsoft software accounted for none of the top 10 vulnerabilities.
- Chart: the 10 browser-based vulnerabilities exploited most often on computers running Windows Vista, 2H08 (all third-party vulnerabilities; vertical axis 0% to 20%).

Exploits against common document formats
- Data from submissions of malicious code to Microsoft.
- One vulnerability was the target of 91.3% of all attacks.
- Microsoft Office file format exploits encountered in 2H08, by percentage: CVE-2006-2492, 91.3%; CVE-2006-0022, 2.6%; CVE-2008-2244, 2.2%; CVE-2008-0081, 1.5%; CVE-2007-1747, 1.3%; CVE-2006-6456, 0.9%; CVE-2007-0671, 0.2%.
Mitigating browser-based exploits
- Always run up to date software: enable Automatic Updates in Windows and periodically check the Web sites of third-party vendors.
- Uninstall software you don't actively use.
- Use up-to-date anti-malware software from a known, trusted source.
- Enable Data Execution Prevention (DEP) in compatible versions of Windows.
- Enable Structured Exception Handling Overwrite Protection (SEHOP) in Windows Vista SP1 and Windows Server 2008.
- Set Internet and local intranet security settings in Internet Explorer to High.
- Avoid browsing to Web sites that you do not trust.
- Enable User Account Control in Windows Vista.
- Read e-mail messages in plain text format.
- Use the Microsoft Security Assessment Tool (MSAT).
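A read-only audit of four of the host mitigations listed above (DEP, SEHOP, User Account Control and Automatic Updates), added here as an example and not part of the original deck. It uses the documented registry values and the Win32_OperatingSystem CIM property; the AUOptions value is assumed to be present only where Automatic Updates was configured locally rather than by Group Policy.

```powershell
# Added example (not from the original presentation): report whether the
# mitigations recommended on the slide are in effect on this machine.
# Run from an elevated PowerShell prompt; nothing is changed.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

$findings = @()

# DEP: DataExecutionPrevention_SupportPolicy on Win32_OperatingSystem
# 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut
$dep = (Get-CimInstance Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
$findings += [pscustomobject]@{
    Control = 'DEP policy'
    Value   = $dep
    OK      = ($dep -eq 1 -or $dep -eq 3)   # every process protected unless opted out
}

# SEHOP: DisableExceptionChainValidation = 0 enables it, 1 disables it.
# $null means the value is absent and the OS default applies (on for
# Windows Server 2008, off for Windows Vista SP1 clients), so flag it.
$sehop = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel' `
                      'DisableExceptionChainValidation'
$findings += [pscustomobject]@{ Control = 'SEHOP'; Value = $sehop; OK = ($sehop -eq 0) }

# User Account Control: EnableLUA = 1 means UAC is on.
$uac = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
$findings += [pscustomobject]@{ Control = 'UAC (EnableLUA)'; Value = $uac; OK = ($uac -eq 1) }

# Automatic Updates (locally configured): AUOptions 4 = download and install
# automatically. Assumption: a missing value is reported as not OK.
$au = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' 'AUOptions'
$findings += [pscustomobject]@{ Control = 'Automatic Updates (AUOptions)'; Value = $au; OK = ($au -eq 4) }

$findings | Format-Table -AutoSize
```

Any row with OK = False is a control from the list above that is not confirmed on the host and should be reviewed.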
Mitigating document format exploits
- Use Microsoft Update instead of Windows Update.
- Ensure that security update MS06-027 has been applied to any affected software in your environment.
- Keep your third-party and Microsoft software up to date; if possible, upgrade your applications to the most recent versions.
- Avoid opening attachments or clicking links to documents that arrive unexpectedly.
- Use up-to-date anti-malware software from a known, trusted source.
Inbound messages blocked by Forefront Online Security for Exchange content filters, by category, during the last six weeks of 2H08: pharmacy - non sexual, 38.6%; non-pharmacy product ads, 23.6%; pharmacy - sexual, 10.0%; image only, 7.3%; dating/sexually explicit material, 5.2%; financial, 3.1%; fraudulent diplomas, 2.8%; 419 scam, 1.9%; malware, 1.8%; phishing, 1.6%; gambling, 1.1%; get rich quick, stock: 0.6%, 1.7%; software, 0.5%.

Phishing sites and traffic
- Active phishing site numbers increased, but each site received far less traffic than in 1H08.
- Chart: phishing sites tracked each month in 2H08 (July through December) and their target institution types (commerce, financial, social networking, Web service), indexed to the monthly average for 2H08.
Protecting against malware
- Use an up-to-date anti-malware product from a known, trusted source.
- Keep your operating system up to date.
- Consider upgrading to the most recent versions of software you use.
- Consider disabling autorun functionality.
- Consider using a user account which does not have administrator privileges for your daily work.
- Use passwords for any network share you configure.
- Avoid opening attachments or clicking links in e-mail or instant messages that are received unexpectedly.

Protecting against e-mail threats
- Use a mail client that suppresses active content and blocks unintentional execution of executable attachments.
- Use a robust spam filter to guard against fraudulent and dangerous e-mail.
- If you receive an e-mail from a bank or commerce site, visit their site using a pre-bookmarked link or by typing in the link from your monthly statement.
- Deploy inbound and outbound e-mail authentication to protect against e-mail spoofing and forgery.
- Online gamers are at risk from malware that tries to steal their game assets or credentials.

General recommendations
- Download and use the Malicious Software Removal Tool (MSRT).
- Support new legislation to help take legal action against criminals.
- Use the Microsoft Security Assessment Tool.
- Keep yourself up to date about emerging threats.
Core improvements to the operating systems

Windows Vista foundation
- Security Development Lifecycle process
- Kernel Patch Protection
- Windows Service Hardening
- DEP & ASLR
- Internet Explorer 8 inclusive
- Mandatory Integrity Controls
- Streamlined User Account Control: make the system work well for standard users; administrators use full privilege only for administrative tasks; file and registry virtualization helps applications that are not UAC compliant.
- Enhanced auditing: XML based; granular audit categories; detailed collection of audit results; simplified compliance management.
First year of vulnerabilities (fixed and unfixed), by product; source: http://blogs.technet.com/security
- Vulnerabilities fixed: Windows Vista (year 1) 36; Windows XP (year 1) 65; Red Hat rhel4ws reduced (year 1) 360; Ubuntu 6.06 LTS reduced (year 1) 224; Mac OS X 10.4 (year 1) 116.
- Security updates: Windows Vista 17; Windows XP 30; RHEL4 reduced 125; Ubuntu 6.06 LTS reduced 80; Mac OS X 10.4 17.
- Patch events: Windows Vista 9; Windows XP 26; RHEL4 reduced 64; Ubuntu 6.06 LTS reduced 65; Mac OS X 10.4 17.
- Weeks with at least 1 patch event: Windows Vista 9; Windows XP 25; RHEL4 reduced 44; Ubuntu 6.06 LTS reduced 39; Mac OS X 10.4 15.

First year of vulnerabilities by severity (low, medium, high): Windows XP SP2, Windows Vista, RHEL4 reduced, Ubuntu 6.06 LTS reduced, Mac OS X
- Windows Vista in 2007 had 20% fewer vulnerabilities than Windows XP.
- 74% fewer vulnerabilities than the next closest (Ubuntu).
- 47% fewer high severity vulnerabilities than the next closest (Red Hat).
- Source: http://blogs.technet.com/security
Windows Server 2008 security features
- Secure platform: Security Development Lifecycle (SDL); Windows Server Virtualization (Hypervisor); Role Management Tool; OS file integrity.
- Data protection: Rights Management Services (RMS); full volume encryption (BitLocker); USB device-connection rules with Group Policy; improved auditing; Windows Server Backup.
- Network protection: Network Access Protection (NAP); server and domain isolation with IPsec; end-to-end network authentication; Windows Firewall with Advanced Security on by default.
- Identity and access: read-only domain controller (RODC); Active Directory Federation Services (ADFS); administrative role separation; PKI Management Console; Online Certificate Status Protocol.

Vulnerabilities in first 90 days (source: internal study by Jeff Jones): Windows Server 2003-all 9; Windows Server 2003-gui 9; Windows Server 2008-all 6; Windows Server 2008-gui 4; Windows Server 2008-core 3.

Chart: MSFT vulns and non-MSFT vulns per period, with MSFT % of all disclosures (ranging from 2.9% to 9.5%); period labels not recoverable from the slide. Source: http://blogs.technet.com/security
Microsoft platform for security
- Secure the platform: Windows 7 / Server 2008
- Secure the data: RMS, EFS, BitLocker (plus features in Office, SharePoint, etc.)
- Secure the network: NAP
- Secure the wireless: Server 2008
- Secure the edge: ISA/IAG
- Secure the communications: Forefront Server, OCS, Exchange
- Secure the desktops and servers: Forefront Client Security

A well managed secure infrastructure is the key!
- Layers: services, edge, server applications, client and server OS.
- Identity and access management: Active Directory Federation Services (ADFS); Certificate Lifecycle Management; information protection.
- Systems management: Operations Manager 2007; Configuration Manager 2007; Data Protection Manager; Mobile Device Manager 2008.
- SDL, TWC (Trustworthy Computing).

Resources
- microsoft.com/security_essentials/
- microsoft.com/sir
- microsoft.com/protect
- microsoft.com/forefront
- Malicious Software Removal Tool (MSRT)
- Microsoft Customer Service & Support: security incidents are FREE
2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.