WindowSecurity.com - Monthly Newsletter - March 2015

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, Enterprise Security MVP), Technical Services Director for Celestix Networks. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.


1. Editor's Corner

A major news story here in the U.S. caught my attention recently, not just for the political fallout, but more for the security implications. It was discovered that former Secretary of State Hillary Clinton was using her own private email system to conduct official U.S. government business. She used this private system exclusively; she did not have a government-issued email address at all. While the news anchors debate with their guests about the potential political impact of this event, as an information security engineer I cringed when I heard this news, albeit for very different reasons. The first thing that came to my mind is the security management of the system. Who is managing it? Is it covered by a documented security policy? What security controls does it have in place? Is it using strong cryptography? Or any at all? Is it using multifactor authentication? Has anyone performed a security audit or conducted penetration tests against it? Is there a document retention policy? Message archiving? My security concerns are nearly limitless here. Mrs. Clinton, during her two years serving as Secretary of State, had the highest security clearance and access to detailed and highly sensitive information. The fact that her electronic communication was not under the full control of the U.S. government is beyond comprehension, from a security perspective alone. The legal and political implications make matters even worse.

I have no doubt that security-minded people at the highest levels of the U.S. government urged her to use a secure email system. For whatever reason she chose to use a private email system that lacked the formalized security controls, management, and auditing provided by the government and I suspect that she won this battle because of her political standing and the power that comes with it. In fact, I’m certain that security administrators from organizations large and small are fighting, and perhaps losing, these same battles.

--Rich

Shadow IT

I don’t envy security administrators charged with ensuring the protection of their organization’s users and data today. They’ve got a daunting task, for sure. Many years ago, if you wanted to use email, it was corporate email. Now, with myriad online email providers, signing up for an email address is trivial. Making things worse is the plethora of online file storage services now available. Keeping all of your corporate data within the confines of the internal network is nearly impossible.

To further complicate things, a common sales tactic for some of these cloud-based application providers is to entice users at organizations to individually use their services. Eventually, when they have enough subscribers, they can approach the company with data that shows that many of their users are already using their service unmanaged, so it’s best to sign up for a full enterprise subscription and start proactively managing their existing user base.

The use of these online services by corporate users for non-personal, corporate use is called “Shadow IT”. It represents a serious blind spot for security administrators. When someone leaves the company, who knows what proprietary and potentially sensitive information still resides on user-owned and managed services. There are a wide variety of technical controls that can be implemented to address this, but it is still difficult at best to fully manage this challenge.

Ultimately a successful strategy will not simply try to prevent all access to these unmanaged services, but rather create an easy path to use services that are under the full control of corporate administrators. Microsoft has a number of solutions to help address these unique challenges. DirectAccess can be leveraged to provide seamless and transparent, always-on remote corporate network connectivity for managed Windows clients. With DirectAccess, remote users have ubiquitous access to on-premises applications and data, reducing or eliminating the need to use third-party storage solutions. For non-managed devices, Windows Server 2012 R2 includes two features called “Workplace Join” and “Work Folders” that work hand-in-hand to provide secure file synchronization for a variety of platforms using an on-premises corporate file server as the source file repository. In addition, technologies like Virtual Desktop Infrastructure (VDI) reduce the need to store corporate data off-premises.

2. Bulletproof SSL and TLS

With recent revelations of widespread surveillance by government agencies, a strong push is on to encrypt all types of communication regardless of sensitivity. With the popularity and ubiquity of web-based communication, Secure Sockets Layer (SSL) and Transport Layer Security (TLS) have quickly become essential tools to provide the highest level of security and protection for network communication.

Ivan Ristic, one of the foremost experts in the field of SSL and TLS, recently released a comprehensive guide for deploying secure web servers and applications using SSL and TLS. The book provides a valuable overview of the SSL and TLS protocols along with PKI, and also includes detailed, prescriptive guidance for configuring and deploying systems using SSL and TLS, both Windows and open source.

Order your copy of Bulletproof SSL and TLS today!



3. Microsoft Security Bulletins for March 2015

For the month of March Microsoft released 14 security bulletins: 5 critical and 9 important. Updates for this month address vulnerabilities in all supported versions of Windows, Office, Exchange, and Internet Explorer. Of particular interest is MS15-031, which addresses the recently disclosed “FREAK” SSL downgrade vulnerability (more details later in this newsletter). Also, and this is most intriguing, Microsoft released MS15-020 to address the same vulnerability that was originally exploited by Stuxnet. Apparently the original update never actually fixed the issue. Perhaps the authors of Stuxnet needed more time to use their malware? Conspiracy theories, anyone? ;) For more information about March’s security bulletins click here.

4. Microsoft Security Advisories for March 2015

Microsoft released security advisory 3033929 to announce the reissuance of an update to support SHA-2 code signing for Windows 7 and Windows Server 2008 R2. In addition, Microsoft revised two previous security advisories: 2755801, an update for vulnerabilities in Adobe Flash Player in Internet Explorer, and 3046015, which addresses a vulnerability in Schannel that could allow security feature bypass.


5. Security Articles of Interest

  1. The cloud is a major force in today’s IT world. There’s no question that leveraging public cloud computing platforms can be beneficial for many organizations. Security is still the primary deterrent to cloud adoption, but Microsoft is steadily making advances to provide the highest level of assurance for its customers. Recently Microsoft Azure was certified to conform to ISO/IEC 27018, an international standard for the protection of Personally Identifiable Information (PII) in public clouds.
    http://azure.microsoft.com/blog/2015/02/16/azure-first-cloud-computing-platform-to-conform-to-isoiec-27018-only-international-set-of-privacy-controls-in-the-cloud/

  2. Recently it was discovered that new Lenovo PCs came pre-installed with adware that included an SSL inspection component. Dubbed “Superfish”, this software effectively acts as a “man-in-the-middle”, decrypting encrypted sessions for the purpose of targeting advertising to its users. Apart from the privacy concerns, there were numerous security flaws with the implementation, forcing Lenovo to release an update to force its removal. For the record, this is precisely why I always wipe and reload a new computer, regardless of where it came from!
    http://www.scmagazineuk.com/pre-installed-lenovo-adware-strips-out-tlsssl-encryption/article/399009/

  3. It seems that someone over at Google has come to their senses (somewhat) over their draconian 0-day vulnerability disclosure policy. In response to recent issues with both Microsoft and Apple releasing updates just a few days after the 90-day window passed, Google is now accepting requests for a 14-day grace period if the affected vendor is working on a fix.
    http://arstechnica.com/security/2015/02/google-updates-disclosure-policy-after-windows-os-x-zero-day-controversy/

  4. Good news for Internet Explorer security! Microsoft recently announced that HTTP Strict Transport Security is coming to IE.
    http://blogs.msdn.com/b/ie/archive/2015/02/16/http-strict-transport-security-comes-to-internet-explorer.aspx

  5. Two Microsoft security updates from last month, MS15-011 and MS15-014, both require additional configuration in order to work. Here is some valuable guidance for the proper deployment for both of these critical updates.
    http://blogs.technet.com/b/askpfeplat/archive/2015/02/23/guidance-on-deployment-of-ms15-011-and-ms15-014.aspx

  6. Here is more solid evidence that Microsoft’s security efforts for their operating systems are paying dividends. In a recent study, the top three most vulnerable operating systems were Apple OS X, Apple iOS, and Linux. Rounding out the top 5 were older Microsoft platforms.
    http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/

  7. Azure offers so many compelling features it is amazing. Recently Microsoft announced a new feature in Azure Active Directory (AD) that allows automated password rollover for Facebook, Twitter, and LinkedIn. Very cool!
    http://blogs.technet.com/b/ad/archive/2015/02/20/azure-ad-automated-password-roll-over-for-facebook-twitter-and-linkedin-now-in-preview.aspx

  8. The Microsoft Azure network security whitepaper has recently been updated. You can download version 3 here.
    http://azure.microsoft.com/blog/2015/03/02/microsoft-azure-network-security-whitepaper-version-3-is-now-available/

  9. As mentioned earlier, a recently disclosed vulnerability in many SSL implementations allows an attacker to downgrade SSL encryption to use weak keys. It was originally thought that only Android and Apple devices were affected. However, Microsoft did release a security advisory and update to address this issue in Microsoft platforms.
    http://arstechnica.com/security/2015/03/freak-flaw-in-android-and-apple-devices-cripples-https-crypto-protection/

  10. At the time of publication for this newsletter, hopefully you’ve updated your platforms to address the FREAK SSL/TLS vulnerability. You can learn more about FREAK and determine if you are still vulnerable by visiting the FREAK attack website.
    https://freakattack.com/

  11. When tech companies aren’t allowed to tell their users that the government has accessed their data, many are turning to “warrant canaries”. This is a clever way to covertly communicate that users’ data has been accessed by the government.
    http://www.zdnet.com/article/warrant-canary/

  12. OpenDNS is a simple and effective way to reduce your exposure to potentially malicious web sites and services. The folks at OpenDNS introduced a new way to automatically detect and block sites used to distribute malware almost instantly without having to first scan them. More details here.
    http://arstechnica.com/security/2015/03/system-catches-malware-sites-by-understanding-sneaky-domain-names/


6. WindowSecurity.com Articles of Interest

  1. Security: A Shared Responsibility – Part 3
  2. Learning from 2014 Threats to Better Equip Enterprise for the Security Challenges of 2015
  3. Acunetix Web Vulnerability Scanner – Voted WindowSecurity.com Reader’s Choice Award Winner – Web Application Security
  4. Security: A Shared Responsibility – Part 4
  5. Ways to Grant Elevated Privileges in Windows

7. Windows Security Tip of the Month

Work Folders is a great new secure file synchronization service first included in Windows Server 2012 R2. When it was first introduced, the only supported clients were Windows 8.x, which limited the usefulness of this feature. However, Microsoft later released add-on components to provide support for both Windows 7 and iPad. Windows 7 requires an additional download, and the iPad software can be found in the Apple store. For more information about Work Folders and for links to download the Windows 7 client-side components, click here.