WindowSecurity.com - Monthly Newsletter - December 2015

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, MCSA, Enterprise Security MVP), independent consultant and Microsoft network security and remote access expert. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.


1. Editor's Corner

It’s that time again! This month, Microsoft released their biannual Security Intelligence Report (SIR) volume 19. The report is a valuable information source for those responsible for defending Windows-based systems in the enterprise or in the consumer market. It provides a wealth of information relating to how systems are being attacked and how they are being successfully compromised. Armed with these details, information security engineers can better plan and prepare to protect their assets. Microsoft invests a tremendous amount of time and effort preparing this report twice a year, and it is well worth the time reading it for sure. The data in this report provides all of us with a much broader and more complete view of the current threat landscape, which is essential when it comes to both proactive and reactive threat and vulnerability mitigation efforts.

--Rich

Microsoft Security Intelligence Report (SIR) Volume 19

This month Microsoft released their biannual Security Intelligence Report, volume 19, reporting on data from the first half of 2015. This should be required reading for security administrators everywhere, as it provides an important look at the current threat landscape, specifically as it pertains to the Windows ecosystem.

SIR volume 19 shows that although Java exploits are still common, they are becoming less effective, which is welcome news. On a related note, the Java Runtime Environment, once a veritable cesspool of vulnerabilities and a popular and highly effective attack vector for cyber criminals, is now no longer in the top 10 list of individual exploits! Changes to both Java and Microsoft Internet Explorer over the last few years have made it much more difficult for attackers to exploit the JRE. Personally, I would still avoid deploying the JRE if you can possibly avoid it.

Applications continue to be a popular attack vector, as they often represent a softer target due in no small part to security advances Microsoft has been making with the core operating system. However, there are some vulnerabilities in Windows that continue to be exploited. The most commonly targeted individual vulnerability is CVE-210-2568, a vulnerability in Windows shell. Sadly, there has been a patch for this vulnerability (MS10-046) available since August of 2010! Another commonly targeted Windows vulnerability is CVE-2014-6332, a vulnerability in Windows Object Linking and Embedding (OLE). Here again, this is a vulnerability for which an update has been available since November of 2014 (MS14-064).

Another important data point illuminated in the SIR is that the rate of infection as compared to the encounter rate is trending downward. This is a positive indication that efforts made to improve the malware resistance of the operating system and applications are effective. Definitely good news! The data also indicates that with each subsequent release of the Windows operating system, infection rates are lower. With the recent end of support for Windows XP and the rapid adoption of Windows 10, I expect to see significant improvement in this area over the next year.

The report also shows that enterprise computers encounter malware at a lower rate than consumer machines, which I expect is due to the defense in depth measures employed by most large organizations. With edge security gateways, inline network malware scanning, intrusion detection and prevention systems and more, it’s understandable that enterprise systems are less exposed to malware than consumer devices. It’s an indication that investments in these areas do have a positive effect.

Another bright spot is that telemetry data as reported by Microsoft shows that 75% of PCs worldwide that provide feedback are always protected with an antimalware solution (Microsoft or third party), which is welcome news.

Overall, the general takeaway here is that attackers, regardless of motivation or desire, have been using the same ways to compromise Windows systems for many years now. Unpatched vulnerabilities continue to be problematic for some reason, which is interesting since the Windows update platform is mature and well understood. Yet somehow these systems aren’t getting updated! Update management should be job #1 for security administrators everywhere. There’s no excuse at all for a Windows system to be compromised due to vulnerability for which a patch has been available for more than just a few months. Of course misconfigured computers are a popular target, as well as weak and default passwords. These too should be high on your radar to address.

Be sure to read the entire Microsoft Security Intelligence Report (SIR) volume 19 for H12015. You can download the report here [PDF].

 

2. Bulletproof SSL and TLS

With recent revelations of widespread surveillance by government agencies, a strong push is on to encrypt all types of communication regardless of sensitivity. With the popularity and ubiquity of web-based communication, Secure Sockets Layer (SSL) and Transport Layer Security (TLS) have quickly become essential tools to provide the highest level of security and protection for network communication. 

Ivan Ristic, one of the foremost experts in the field of SSL and TLS, recently released a comprehensive guide for deploying secure web servers and applications using SSL and TLS. The book provides a valuable overview of the SSL and TLS protocols along with PKI, and also includes detailed, prescriptive guidance for configuring and deploying systems using SSL and TLS, both Windows and open source.

Order your copy of Bulletproof SSL and TLS today!

Image

Click here to order your copy today!


3. Microsoft Security Bulletins for December 2015

For the month of December Microsoft released 12 security bulletins, 8 of which are rated critical and 4 important. Affected software includes Internet Explorer and Microsoft Edge, Microsoft Office, Lync, Skype for Business, Silverlight, the .NET Framework, and all supported versions of Windows. The most urgent update this month is MS15-127, an update to address a remote code execution (RCE) vulnerability in Windows DNS. If you are running a public-facing Windows-based DNS server, update immediately. Keep in mind that DNS is running on your domain controllers too, so plan to patch soon. In addition, pay close attention to MS15-135 which addresses a critical 0-day vulnerability in the Windows kernel.

For more information about December’s security bulletins click here.

4. Microsoft Security Advisories for November 2015

For the month of December, Microsoft released security advisory 3123040 to address a vulnerability caused by an inadvertently disclosed digital certificate. In addition, security advisories 2755801, which addresses vulnerabilities in Adobe Flash Player in IE and Edge browsers, along with security advisory 3057154, which addressed an update to harden the use of DES encryption, were both updated this month.


5. Security Articles of Interest

  1. As mentioned earlier, the Microsoft Security Intelligence Report (SIR) volume 19, covering the first half of 2015 (January-June) is now available for download. It contains hundreds of pages of new threat intelligence that you’ll want to be aware of. Be sure to check it out soon!
    http://blogs.microsoft.com/cybertrust/2015/11/18/microsoft-security-intelligence-report-volume-19-is-now-available/
  2. Windows Defender, the antimalware software included in Windows, is an effective solution to detect and prevent malicious software. Windows Defender makes extensive use of machine learning technologies, making Windows 10 a much more secure client operating system. More details here.
    https://blogs.technet.microsoft.com/mmpc/2015/11/16/windows-defender-rise-of-the-machine-learning/
  3. Microsoft continues to strengthen its public cloud offering, Azure. To address the specific requirements of the U.S. public sector, Microsoft launched Azure Government a while back and it continues to be an incredible success. If you are in the U.S. Department of Defense (DoD) and are considering public cloud solutions, Azure Government is definitely worth investigating.
    https://azure.microsoft.com/en-us/blog/microsoft-azure-government-growth-and-enabling-new-cloud-capabilities-for-defense-customers/
  4. This was certainly an eye-opening news story from last month. Apparently a computer outage shutdown a Paris area airport. Not surprising on the face of it, until you learn that the computer was still running Windows 3.1! Nothing like having to rely on a 23 year old operating system for critical service! Obviously it is sometimes necessary to operate a system past it’s supported date, but this is pretty ridiculous. Hopefully they can get this upgraded soon!
    http://www.zdnet.com/article/a-23-year-old-windows-3-1-system-failure-crashed-paris-airport/
  5. Security is a key concern for organizations moving infrastructure to the cloud. Microsoft announced recently that Azure virtual machines, running either Windows or Linux, now support disk encryption for cloud-hosted virtual machines. This is a really big step forward in ensuring that customers' data remains protected in the cloud. Today it is in public preview, but expect it to be generally available in the near future.
    http://blogs.msdn.com/b/azuresecurity/archive/2015/11/17/azure-disk-encryption-for-linux-and-windows-virtual-machines-public-preview.aspx
  6. Azure Security Center, a recently announced offering from Microsoft, is an incredible technology that can allow administrators much greater visibility and control over the security of their virtual machines and applications hosted in Azure. Even more compelling is that Azure Security Center can integrate with on-premises systems and even machines hosted in Amazon AWS too. If you haven’t had the opportunity to look at Azure Security Center, be sure to do so soon!
    http://www.cio.com/article/3005607/public-cloud/new-microsoft-azure-cloud-security-tools-will-work-on-prem-in-amazons-cloud-too.html
  7. In a speech that has been referred to as Microsoft’s Trustworthy Computing Initiative 2.0, Microsoft CEO Satya Nadella spoke about the company’s one billion dollar USD investment in security in Windows Office 365, and Azure. It includes a framework of intelligence sharing across a variety of Microsoft platforms including Windows, Xbox, Microsoft’s online services and public cloud offerings, and more. Details here:
    https://redmondmag.com/blogs/the-schwartz-report/2015/11/nadella-intelligent-security-graph.aspx
  8. Conficker seems to be the virus that just won’t die. The vulnerability it exploits has been patched since October of 2008 (MS08-067) but somehow it still lives on. Recently the malware was identified infecting police body cameras. Plugging the camera in to the network would of course result in further compromise if any non-patched hosts exist on the network.
    http://www.theregister.co.uk/2015/1/14/remember_conficker_its_back_and_its_infecting_police_body_cams/
  9. In a blog post by the Windows Server Security and Assurance team, a number of important technologies that are used to protect your datacenter and cloud are outlined. This includes privileged access management, privileged workloads (virtual machines), threat detection and response, and more.
    http://blogs.technet.com/b/windowsserver/archive/2015/11/18/protecting-your-datacenter-and-cloud-november-update.aspx
  10. Potentially Unwanted Applications (PUA) are not only a nuisance, but a potential security risk too. For me, there’s nothing worse than installing a program and finding out it installed another program at the same time (e.g. installing Google Chrome when installing Adobe Acrobat Reader). After being burned a few times, I’ve become aware enough to always choose the “advanced” installation and look carefully for additional software. Microsoft now has a new opt-in feature for enterprise users that can stop PUA automatically. It requires that you have System Center Endpoint Protection (SCEP) deployed in your environment to take advantage of it. Looks like a good feature though!
    https://blogs.technet.microsoft.com/mmpc/2015/11/25/shields-up-on-potentially-unwanted-applications-in-your-enterprise/
  11. Microsoft and their Malware Protection Center are undergoing efforts to revise and update the standard for antimalware test scoring. As it turns out, the standard methods may not be so relevant today. Microsoft is seeking to ensure that malware prevalence is considered more heavily when ranking malicious software. Makes good sense, as a risk that is lower but more prevalent might want to be addressed before higher risk but less prevalent attacks.
    https://blogs.technet.microsoft.com/mmpc/2015/11/23/does-prevalence-matter-a-different-approach-to-traditional-antimalware-test-scoring/
  12. IPv6. It’s coming, no doubt. With the depletion of IPv4 addresses and the explosion of IP-enabled “things” in the world, IPv6 is inevitable. IPv6 deployments are more common on the public Internet and at the edge, but there are many compelling reasons to deploy IPv6 on the enterprise LAN. When doing so, it’s a good idea to consider security when planning and designing an IPv6 deployment. Here, veteran IPv6 security expert Enno Rey lays out part 1 and 2 of developing an enterprise IPv6 security strategy.
    https://www.insinuator.net/2015/12/developing-an-enterprise-ipv6-security-strategy-part-1-baseline-analysis-of-ipv4-network-security/

    https://www.insinuator.net/2015/12/developing-an-enterprise-ipv6-security-strategy-part-2-network-isolation-on-the-routing-layer/

 


6. WindowSecurity.com Articles of Interest

  1. Microsoft Ignites a New Focus on Security – Part 7
  2. Microsoft Ignites a New Focus on Security – Part 8
  3. Video: Automatically Archiving Windows Security Logs
  4. Product Review: Specops uReset Self Service Password Reset
  5. Microsoft Ignites a New Focus on Security – Part 9

7. Windows Security Tip of the Month

The Microsoft Threat Modeling tool is an essential resource that can be leveraged by organizations that take information security and defense seriously. The tool can be used early in the design phase by development teams to define their software’s default and maximum attack surface. This can significantly reduce the changes that a given application can be compromised. For more information about the Microsoft Threat Modeling tool and to download the tool itself, click here.