WindowSecurity.com - Monthly Newsletter - April 2015

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, Enterprise Security MVP), Technical Services Director for Celestix Networks. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.


1. Editor's Corner

Each year the folks at Verizon produce a meticulously detailed and highly data-driven report called the Data Breach Investigations Report. This report should be considered essential reading for everyone working with modern data networks and information systems. It provides a valuable look at the threat landscape and, more importantly, the techniques attackers are using to successfully breach corporate defenses and compromise data. For information security professionals, the report sheds light on current trends and provides actionable intelligence that can be used immediately to improve our security posture and better defend against attacks. Be sure to download and read this vital report today, and begin putting some of its recommendations into practice as soon as possible.

--Rich

Verizon 2015 Data Breach Investigations Report

The 2015 edition of the Verizon Data Breach Investigations Report dropped last week, and as usual it includes valuable data and information about the current threat landscape and the methods attackers are using to successfully breach organizations large and small. This year’s report looks at demographics and breach trends, as well as indicators of compromise and commonly exploited vulnerabilities. The report delves into the prevalence of mobile malware and its effect on data breaches, which is surprisingly non-existent! Yes, there’s lots of mobile malware, predominantly on the Android platform, and although it steals a lot of private data from unsuspecting individual users, it has not (yet) been used as an attack vector in a successful corporate data breach.

The report goes on to explore the cost of data breaches, for which the estimates might surprise you. There are a lot of factors at play, but the big picture is that the larger the breach, the more substantial the cost (big surprise!).

A great deal of attention was dedicated to incident classification patterns for a variety of attack vectors. Although threats against corporate networks may seem infinite, the data in the report tells a different story. In fact, it appears that threats are more limited than many anticipate, and are quite measurable: a small number of incident patterns account for the large majority of breaches. In addition, the data shows that the common denominator across the most popular attack patterns is people.

Point-of-Sale (PoS) systems continue to be a lucrative target for cyber criminals, as are payment card skimmers. Malicious software is often used, but unlike what the security marketing people would have you believe, most of it is opportunistic and not advanced or persistent.

Web application attacks were prevalent in 2014, with most being opportunistic and often targeted at financial services institutions. Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks show no signs of abating and physical thefts have been problematic too.

Insider misuse has always been a particularly insidious form of attack, as these users are inherently trusted and their actions are notoriously difficult to prevent. Financial gain is the most common motivating factor for these attacks, and this year’s data shows that ordinary end users, not cashiers, are the most common insider actors. Detecting and preventing these types of attacks will require very diligent monitoring.

Miscellaneous errors (misconfigured network devices, default passwords, open anonymous FTP sites, etc.) and cyber espionage round out the list of common attacks, with manufacturing the most common target for espionage.

The report finishes by demonstrating that the vast majority of breaches could have been prevented, or significantly reduced in impact, by the implementation of common security controls. For example, patching continues to be a challenge, as many of the vulnerabilities being exploited have had updates publicly available for more than a year. Don’t overlook the essentials of network and information security; follow those patterns and practices diligently and you’ll go a long way toward reducing the chance of your organization becoming the victim of a serious data breach.

2. Bulletproof SSL and TLS

With recent revelations of widespread surveillance by government agencies, a strong push is on to encrypt all types of communication regardless of sensitivity. With the popularity and ubiquity of web-based communication, Secure Sockets Layer (SSL) and Transport Layer Security (TLS) have quickly become essential tools to provide the highest level of security and protection for network communication. 

Ivan Ristic, one of the foremost experts in the field of SSL and TLS, recently released a comprehensive guide for deploying secure web servers and applications using SSL and TLS. The book provides a valuable overview of the SSL and TLS protocols along with PKI, and also includes detailed, prescriptive guidance for configuring and deploying systems using SSL and TLS, both Windows and open source.

Order your copy of Bulletproof SSL and TLS today!



3. Microsoft Security Bulletins for April 2015

For the month of April Microsoft released 11 security bulletins addressing 26 individual vulnerabilities; 4 are rated critical and 7 important. Updates for this month address vulnerabilities in all supported versions of Windows, Office, SharePoint, the .NET Framework, and Internet Explorer. Two security updates really stand out this month: MS15-033 and MS15-034. MS15-033 addresses a serious vulnerability in Word that was already being exploited as a 0-day, while MS15-034 addresses a critical vulnerability in HTTP.sys, the kernel-mode HTTP protocol stack used by IIS and a number of other Windows components. Both are remotely exploitable, although MS15-033 requires a user to open a malicious Word document (not that difficult, honestly!), whereas MS15-034 requires nothing more than a single crafted HTTP request to a listening server. For organizations running Internet-facing Microsoft IIS web servers, MS15-034 should be applied as soon as possible. Also, if you are using Microsoft Routing and Remote Access Service (RRAS) for DirectAccess or client-based VPN supporting SSTP, applying MS15-034 should be considered extremely urgent, because those services also listen through HTTP.sys. For more information about April’s security bulletins click here.
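The practical question behind that paragraph is "does this host expose HTTP.sys to the network, and has MS15-034 been applied?" The script below is an added example (it is not code from the newsletter or from Microsoft) that answers both for the local machine. It assumes that the update delivered by MS15-034 carries the KB number KB3042553 and that netsh.exe is available; run it in an elevated PowerShell session.

```powershell
# Added example: audit HTTP.sys exposure and MS15-034 status on the local host.
# Assumptions: MS15-034 ships as KB3042553 (the HTTP.sys fix for CVE-2015-1635);
# netsh.exe is on the path; session is elevated. Works on PowerShell 2.0 and later.

$Ms15034Kb = 'KB3042553'
# Well-known services that sit on top of HTTP.sys: IIS, RRAS (SSTP VPN / DirectAccess), WinRM.
$HttpSysConsumers = 'W3SVC', 'RemoteAccess', 'WinRM'

function Get-HttpSysExposure {
    # The kernel-mode HTTP driver is loaded whenever any component registers a URL with it.
    $driver = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='HTTP'"

    # Which of the well-known HTTP.sys consumers are running right now.
    $running = @(Get-Service -Name $HttpSysConsumers -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -eq 'Running' } |
        ForEach-Object { $_.Name })

    # Every active URL registered with HTTP.sys, e.g. 'HTTP://+:80/' for IIS or an
    # 'HTTPS://+:443/sra_{...}/' entry for the SSTP listener. In the netsh dump the
    # registrations are the lines that begin with a URL scheme.
    $urls = @(netsh http show servicestate |
        Where-Object { $_ -match '^\s*HTTPS?://' } |
        ForEach-Object { $_.Trim() })

    New-Object PSObject -Property @{
        DriverRunning  = ($driver -ne $null -and $driver.State -eq 'Running')
        Consumers      = $running
        RegisteredUrls = $urls
    }
}

function Test-Ms15034Installed {
    # Get-HotFix reads Win32_QuickFixEngineering, which lists Windows Update / MSU
    # packages, the channel security bulletins are delivered through.
    $fix = Get-HotFix -Id $Ms15034Kb -ErrorAction SilentlyContinue
    return ($fix -ne $null)
}

$exposure = Get-HttpSysExposure
$patched  = Test-Ms15034Installed

"HTTP.sys driver running : $($exposure.DriverRunning)"
"HTTP.sys consumers      : $($exposure.Consumers -join ', ')"
"Registered URLs         : $($exposure.RegisteredUrls -join ', ')"
"$Ms15034Kb installed    : $patched"

# Exit non-zero when the host has live HTTP.sys listeners and the fix is missing,
# so the script can be dropped into a scheduled audit or a configuration check.
if (-not $patched -and $exposure.RegisteredUrls.Count -gt 0) {
    Write-Warning "HTTP.sys has active listeners and $Ms15034Kb is missing: apply MS15-034 now."
    exit 1
}
```

The URL registration list is the part worth looking at even on hosts you did not think of as web servers: WinRM, Windows Remote Management, Work Folders, SSTP and IP-HTTPS all register URLs with HTTP.sys, so "we don't run IIS" is not the same as "we are not exposed".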

4. Microsoft Security Advisories for April 2015

Microsoft released security advisory 3045755, which outlines an update that improves the authentication used by the Public Key Cryptography User-to-User (PKU2U) security support provider (SSP) in Windows 8.1 and Windows Server 2012 R2. In addition, security advisory 3009008 was revised to announce the release of security update 3038314, which disables SSL 3.0 by default in Internet Explorer 11.


5. Security Articles of Interest

  1. Microsoft is hard at work adding new and interesting security features to Windows 10. They recently announced new biometric authentication support that includes facial recognition, iris scanning, and traditional fingerprint recognition. There’s no question the password needs to die, so hopefully these new capabilities will accelerate the schedule.
    http://www.zdnet.com/article/microsoft-to-add-enterprise-grade-biometric-security-to-windows-10/

  2. Shortly after last month’s WindowSecurity.com monthly newsletter was submitted, Microsoft released security advisory 3046310 to address improperly issued digital certificates for certain Microsoft domains.
    https://technet.microsoft.com/en-us/library/security/3046310

    http://www.zdnet.com/article/microsoft-blacklists-improperly-issued-ssl-certificate-affecting-all-versions-of-windows/

  3. Microsoft continues to pile up accreditations and certifications for their public cloud offerings. They announced recently that they’ve become the first major cloud service provider to attain the ISO/IEC 27018 certification for cloud privacy.
    http://news.thewindowsclub.com/microsoft-adopts-isoiec-27018-certification-assures-customers-data-protection-76077/

  4. In their continuing effort to disrupt malware attacks, Microsoft partnered with Interpol to take down the command and control infrastructure for the Simda.AT malware threat. The Microsoft Malware Protection Center (MMPC) and the Microsoft Digital Crimes Unit (DCU) teamed up for the operation with the help of several industry-leading antimalware solution providers.
    http://blogs.technet.com/b/mmpc/archive/2015/04/12/microsoft-partners-with-interpol-industry-to-disrupt-global-malware-attack-affecting-more-than-770-000-pcs-in-past-six-months-39-simda-at-39-designed-to-divert-internet-traffic-to-disseminate-other-types-of-malware.aspx

  5. The folks at DigiCert announced a service called “CertCentral”, which is a platform used for the continuous monitoring of an organization’s digital certificates. The service aims to detect certificates issued for names that are variants of the organization’s actual domains, which attackers often use to deceive unsuspecting users into believing they are connecting to an authentic service.
    https://threatpost.com/digicert-offers-continuous-monitoring-of-digital-certificates-to-defeat-fraud/112227

  6. The researchers at Seculert published their “State of Perimeter Security Defenses Report”, which includes findings from evaluating how effective current popular edge security solutions are at preventing infected hosts from communicating with command and control servers on the public Internet. The results are eye-opening, and quite depressing. It is definitely time for some new thinking regarding network security and traditional defense mechanisms. Not that they should go away by any means, but it is clear that we’ve got to do a better job of preventing unwanted communication from infected hosts.
    http://www.seculert.com/news-media/press-releases/seculert-research-finds-critical-gaps-gateway-solutions/

  7. It was recently disclosed that nearly 1 million ADSL routers provided to customers by ISPs around the world contain serious flaws that allow an attacker to take complete control of them remotely. Sadly, the vast majority (if not all!) of these devices will never be updated. It is quite likely that these vulnerabilities will remain active until these devices are removed from service (retired or upgraded).
    http://www.computerworld.com/article/2899663/at-least-700k-routers-given-to-customers-by-isps-can-be-hacked.html

  8. In today’s complex world of interconnected systems and threat actors seemingly everywhere, a common position now being taken by many organizations is to assume that you’ve already been breached and to invest in detecting and preventing command and control communication and data exfiltration. For Windows systems, an excellent source of information about possible intrusions is the event log. Here is an excellent reference for detecting possible security breaches by monitoring the event log.
    http://www.petri.com/monitoring-windows-event-logs-for-security-breaches.htm
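As an added illustration of the event log monitoring the last item describes (this is not code from the newsletter or from the linked Petri article), the script below reads a few Security-log events that commonly appear during an intrusion and turns them into a short triage report: bursts of failed logons per account and source address, and a handful of account, group, audit policy and scheduled task changes. The event IDs are the standard Windows Security auditing IDs; the one-hour window and the threshold of ten failures are assumed values to tune for your environment. It needs the corresponding audit policies enabled (Logon, Account Management, Audit Policy Change, Other Object Access for scheduled tasks) and an elevated session to read the Security log.

```powershell
# Added example: quick intrusion triage from the Windows Security event log.
# Assumptions: one-hour look-back and a 10-failure threshold (tune both);
# relevant audit policies are enabled; session is elevated. PowerShell 2.0+.

$Since = (Get-Date).AddHours(-1)
$FailedLogonThreshold = 10

# Events that deserve a look on their own, with the reason each one matters.
$HighValueEvents = @{
    1102 = 'Security log cleared'
    4719 = 'System audit policy changed'
    4720 = 'User account created'
    4728 = 'Member added to a security-enabled global group'
    4732 = 'Member added to a security-enabled local group'
    4756 = 'Member added to a security-enabled universal group'
    4698 = 'Scheduled task created'
}

function Get-EventDataField {
    # Event properties are positional and differ per event ID; reading the XML by
    # field name is stable across Windows versions. Event 1102 keeps its fields
    # under UserData/LogFileCleared instead of EventData, so fall back to that.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml  = [xml]$Event.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { return $node.'#text' }
    return $xml.Event.UserData.LogFileCleared.$Name
}

function Get-FailedLogonBursts {
    # 4625 = failed logon. Grouping by target account and source address and
    # flagging bursts is what brute forcing and password spraying look like in the log.
    param([datetime]$StartTime = $Since, [int]$Threshold = $FailedLogonThreshold)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $StartTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Account   = (Get-EventDataField $_ 'TargetUserName')
                Source    = (Get-EventDataField $_ 'IpAddress')
                LogonType = (Get-EventDataField $_ 'LogonType')
            }
        } |
        Group-Object Account, Source |
        Where-Object { $_.Count -ge $Threshold } |
        Select-Object @{ n = 'AccountAndSource'; e = { $_.Name } }, Count
}

function Get-HighValueEvents {
    # Pull every high-value event ID in one query and annotate it with who did what.
    param([datetime]$StartTime = $Since)
    $ids    = [int[]]$HighValueEvents.Keys
    $filter = @{ LogName = 'Security'; Id = $ids; StartTime = $StartTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Why     = $HighValueEvents[$_.Id]
                Subject = (Get-EventDataField $_ 'SubjectUserName')
                Target  = (Get-EventDataField $_ 'TargetUserName')
            }
        }
}

$bursts = @(Get-FailedLogonBursts)
$events = @(Get-HighValueEvents)

"Failed-logon bursts since $Since (>= $FailedLogonThreshold per account and source):"
$bursts | Format-Table AccountAndSource, Count -AutoSize
"High-value security events since ${Since}:"
$events | Sort-Object Time | Format-Table Time, Id, Why, Subject, Target -AutoSize
```

Two caveats a practitioner will hit immediately: Get-WinEvent reports "No events were found" as an error when a filter matches nothing, which is why the calls use -ErrorAction SilentlyContinue, and a quiet log proves only that auditing is not turned on for those categories, not that nothing happened. Check the audit policy with auditpol /get /category:* before trusting an empty report.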


6. WindowSecurity.com Articles of Interest

  1. Security: A Shared Responsibility – Part 5
  2. Assessing the Security of Mobile Applications – Part 1
  3. Netikus EventSentry voted WindowSecurity.com Readers’ Choice Award Winner – Event Log Monitoring
  4. Security: A Shared Responsibility – Part 6
  5. Video: Granting Elevated Privileges to users in Active Directory – Part 1
  6. Securing your Network in an Internet of Things – Part 1
  7. Reader’s Choice Awards Yearly Roundup 2014

7. Windows Security Tip of the Month

As I mentioned previously, Verizon has released their annual Data Breach Investigations Report (DBIR) for 2015. This report contains a wealth of information about how recent data breaches occurred and which techniques attackers are most successful with. If you are responsible for the security of an organization, large or small, this is a must read. You can find more information and download the Verizon 2015 DBIR here.