WindowSecurity.com - Monthly Newsletter - May 2015

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, Enterprise Security MVP), Technical Services Director for Celestix Networks. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.


1. Editor's Corner

Earlier this month Microsoft held its inaugural Ignite technical conference in Chicago. This 5 day event, which is essentially now a combination of several events including TechEd, the Microsoft Management Summit (MMS), the Microsoft Exchange Conference, and a few more, featured many of the usual announcements we expect to hear at these conferences. Microsoft laid out its vision for the future including Windows 10 and Azure, and provided additional detail around some new and interesting technologies such as HoloLens. Interestingly, during the keynote I noticed an important trend – security! If you were watching closely, security was mentioned by nearly every keynote presenter, and many of the products and services Microsoft demonstrated were actually full-fledged security solutions! Some of these new security offerings are quite compelling, so let’s spend some time digging in a little deeper.

--Rich

Microsoft Ignite 2015 Key Security Announcements

As organizations continue to adopt cloud-based applications, services, and infrastructure, security is often at the forefront of these discussions. Microsoft understands that if they are to be successful with their cloud offerings, not only will their services have to be technically compelling and cost effective, they must also be secure. Helping customers protect their data, applications, and infrastructure has become a central focus in Microsoft cloud strategy, and that was clearly on display at the Ignite conference. Here’s a quick rundown on some of the new security features introduced at Ignite.

Outlook App for Mobile Devices – Microsoft showed off new security features in the Outlook app for mobile devices that will ease some of the data security pain associated with Bring Your Own Device (BYOD). Employees accessing corporate data on personal devices has long been a serious challenge for security administrators, so the new Outlook app includes features that allow corporate IT to keep data secure on these devices. The app now separates personal and corporate content and allows full management by central IT. Copy/paste from corporate email can only be copied and pasted to other corporate applications, and data from these apps can only be saved to locations managed by central IT (e.g. SharePoint or OneDrive for Business). These security features go far beyond the typical container approach, allowing more granular control of sensitive data and providing essential data leakage prevention while at the same time ensuring a positive user experience.

Windows 10 Enhanced Data Protection – Similar to the DLP features of the Outlook app for mobile devices, Windows 10 now includes new features that help protect sensitive data. Users can interact with both personal and corporate data using the same applications, and yet the corporate data is always protected. Users cannot copy and paste corporate data to non-approved applications, store corporate data on removable storage devices, and central IT can control which applications have access to corporate data. In addition, administrators can now regulate which applications have access to the corporate VPN, and with much more fine-grained control.

Windows 10 Device Guard – Malware resistance has been a focus of Microsoft since the introduction of Windows 8, and Device Guard in Windows 10 takes that a step further. Device Guard works like an application white list, allowing only proven trusted applications from executing on the device. This is a dramatic improvement in attack protection as signature-based solutions are always working from behind, detecting only known malicious code. Device Guard can block 0-day vulnerabilities and unknown threats and even includes protections for itself in the event of a full kernel compromise. And for those of you who have ever experienced removing administrator privileges for your general user population, Device Guard also provides the same protection for users running with full administrative privileges.

Document Tracking and Secure Collaboration with Azure RMS – Rights Management Services (RMS) has been with us for a few years, and the latest iteration of RMS is now part of the Azure cloud platform. At Ignite, Microsoft demonstrated a new feature in Azure RMS that allows administrators to track who is accessing or attempting to access files that have been protected using Azure RMS. It is now possible to see visually where a document is going and it provides visibility in to unauthorized sharing or access attempts. The sender can now see who has opened any files they’ve shared that were protected with Azure RMS, as well as where they are opening it. Also, the sender can now revoke access to a file at any time, giving them complete control over their sensitive documents.

Detecting Anomalous Sign-Ins with EMS – One of the most serious security challenges today is dealing with malicious users masquerading as legitimate ones. When a corporate user account has been compromised, it is exceedingly difficult to distinguish their activity from that of non-compromised accounts. During the Ignite keynote Microsoft showed how Azure Machine Learning can help identify previously difficult to detect usage patterns that often signal malicious activity or compromise. Using the data analytics of Azure Machine Learning, login patterns are analyzed for patterns of normal use. When a user exhibits signs of anomalous behavior, for example logging in from a different geography or at a different time than would be expected, administrators can be alerted and further detailed investigation can commence.

Windows Update for Business – Microsoft has recently made fundamental changes in the way updates will be handled for Windows-based consumer devices. Instead of releasing updates on a monthly basis, they will instead be releasing updates as they become available. While this has the potential to greatly improve the security posture of systems running Windows and reduce the exposure window for recently disclosed vulnerabilities, it does pose a problem for enterprise organizations who need to perform validation testing for their managed devices to prevent potential conflicts and downtime. Microsoft understands the unique requirements for enterprises, and recently announced Windows Update for Business to meet their needs. Windows Update for Business provides support for distribution rings, allowing administrators to select which devices get updated first and more quickly, and which devices will wait and be updated more slowly. It also includes support for maintenance windows, where administrators can define specific timeframes when updates should or should not occur. Peer to peer delivery enables the efficient delivery of updates to branch offices and remote sites with limited bandwidth. Windows Update for Business integrates with existing management platforms such as Microsoft System Center and the Enterprise Mobility Suite, allowing for the management of all systems and devices with a single management console.

Advanced Threat Analytics – In my opinion, this was the single most compelling security announcement at the entire Ignite conference. Microsoft Advanced Threat Analytics (ATA) is a solution that allows organizations to protect their on-premises resources from attack by monitoring and analyzing normal behavior by users and devices. ATA is based on technology from Microsoft’s acquisition of Aorato, an Israeli-based security firm specializing in securing Microsoft Active Directory. ATA helps address the security challenge of identifying malicious behavior by attackers that have compromised a valid user account. ATA also detects common attacks like Pass-the-Hash (PtH) and Pass-the-Ticket (PtT) and helps identify issues with broken trust and weak protocols. 

 

2. Bulletproof SSL and TLS

With recent revelations of widespread surveillance by government agencies, a strong push is on to encrypt all types of communication regardless of sensitivity. With the popularity and ubiquity of web-based communication, Secure Sockets Layer (SSL) and Transport Layer Security (TLS) have quickly become essential tools to provide the highest level of security and protection for network communication. 

Ivan Ristic, one of the foremost experts in the field of SSL and TLS, recently released a comprehensive guide for deploying secure web servers and applications using SSL and TLS. The book provides a valuable overview of the SSL and TLS protocols along with PKI, and also includes detailed, prescriptive guidance for configuring and deploying systems using SSL and TLS, both Windows and open source.

Order your copy of Bulletproof SSL and TLS today!

Image

Click here to order your copy today!


3. Microsoft Security Bulletins for May 2015

For the month of May Microsoft released 13 security bulletins. 3 are rated critical and 10 important. Affected software includes Internet Explorer, .NET Framework, Microsoft Office, Lync, Silverlight, SharePoint, and all supported versions of Windows. Of particular importance this month is MS15-043, a cumulative security update for Internet Explorer. This latest update for IE includes updates for 14 critical CVEs with IE. And as a reminder, Adobe has released some important security updates for their software as well. Applications such as Flash Player and Reader are common targets for attackers, so don’t forget to update those programs too.

For more information about May’s security bulletins click here.

 

4. Microsoft Security Advisories for May 2015

For the month of May, Microsoft released two new security advisories and updated one. Security advisory 3062591 describes the new Local Administrator Password Solution (LAPS). This is a native Microsoft solution for the management of local administrator passwords. Having unique passwords per host is an effective mitigation against lateral movement after a compromise, but password management at scale is quite challenging. While there are a number of third-party solutions that address this need, this solution is free. More details about LAPS can be found here.

Microsoft also released security advisory 3042058 which outlines a change to the default cipher suite order for all supported versions of the Windows operating system, client and server. Today the update is only available from Microsoft Downloads. However, this update will be widely released via Microsoft Update and WSUS later this year. More details and download links can be found here.

In addition, Microsoft updated security advisory 2755801 which addresses an update for vulnerabilities in Adobe Flash Player in Internet Explorer.




5. Security Articles of Interest

  1. As organizations speed adoption of cloud-based services, application, and infrastructure, the issue of key management for certificates and other sensitive information (i.e. database connection strings) must be addressed. Many security administrators are hesitant to upload these types of sensitive information to cloud providers for fear of compromise. To address these concerns, Microsoft recently introduced the Azure Key Vault for the secure storage and protection of private keys and sensitive information in the Microsoft cloud infrastructure. Azure Key Vault also provides support for Hardware Security Modules (HSMs) so that all key use is done in the HSM. Watch this video to learn more about this essential security feature in Azure
  2. Social engineering attacks have long been the bane of security administrators. There are few effective technical controls that can be put in place to mitigate this particular attack vector. Of course Microsoft Office applications with macros often represent an easy attack vector for social engineers. As these exploits require user consent to run, it is possible to limit the exposure and effectiveness of social engineering attacks by managing the execution of macros in Office. Read more here.
  3. There are seemingly infinite ways to detect viruses these days, but I found this one particularly clever. A few hospitals here in the U.S. will soon be implementing a solution that monitors AC power consumption on medical equipment in an effort to detect viruses and malicious software running on these critical devices. Very cool! More info here.
  4. WordPress is a popular content management system used extensively on the Internet, and is a popular workload running in Azure. Its ubiquity also makes it a popular attack target and earlier this month WordPress announced a critical 0-day vulnerability that allows attackers to hijack the web site running this software. If you are running hosted WordPress on wordpress.com your software is automatically updated. If you are running WordPress in Azure or somewhere else, be sure to update! More details here.
  5. As mentioned previously, Microsoft has announced fundamental changes to their existing update release strategy. Instead of releasing updates for everyone on a monthly basis, Microsoft will now be releasing updates as they become available. This applies to all Windows 10 platforms, including servers and clients, tables, and phones. News in detail here.
  6. Protecting a corporate enterprise is extremely difficult and challenging. Providing the same level of protection for a shared public cloud infrastructure like Azure is prohibitively difficult. At the Ignite conference, Microsoft shared some details into how they go about this task. It involves an “assume breach” mentality, highly limited and restricted administrative access, and a dedication to data collection and analysis. Read this article from Microsoft’s Nir Ben Zvi to learn more about protecting your datacenter and cloud from emerging threats.
  7. Microsoft recently announced changes to their unwanted software evaluation criteria in an effort to clean up misleading advertisements. This is aimed at improving the user experience by preventing file downloads when an advertisement is clicked, preventing the execution of malicious code, and blocking content that is difficult to distinguish from the web site itself.
  8. In their continuing effort to reduce and prevent credential theft and impersonation, Microsoft has announced Microsoft Passport in Windows 10. Passport, along with a new Virtual Secure Mode are designed to prevent Pass-the-Hash (PtH) attacks and simplify the deployment of multifactor authentication without requiring a Public Key Infrastructure (PKI). More info here.
  9. A recently released vulnerability in popular open source virtualization platforms including Xen, KVM, and VirtualBox, allows an attacker to break out of a guest VM and execute code on the virtualization host. Many non-Microsoft cloud providers are utilizing this software (Azure runs on Hyper-V which is not vulnerable) and represents a significant risk to customers on those platforms. More details here.

6. WindowSecurity.com Articles of Interest

  1. Securing your Network in an Internet of Things – Part 2
  2. Kaspersky Endpoint Security – Voted WindowSecurity.com Reader’s Choice Award Winner – Antivirus
  3. Assessing the Security of Mobile Applications – Part 2
  4. Developing and Assessing your DLP Strategy – Part 1
  5. Sharing the Load – Securely

7. Windows Security Tip of the Month

One of the biggest security announcements to come out of the Microsoft Ignite conference this month is the Microsoft Advanced Threat Analytics (ATA) solution. With all the recent focus on cloud and cloud security, it’s refreshing to see Microsoft continuing to invest in the security and protection of critical on-premises workloads like Active Directory (AD). AD is ubiquitous, and although many organizations may be efficiently managing it from an architectural and administrative perspective, I’m willing to bet that very few are effectively monitoring the security aspects of it. A real challenge facing security administrators today is an attacker that has compromised a corporate user account and is on the network with legitimate credentials. This is incredibly difficult to detect, and made worse in large scale enterprises due to the sheer volume of active user accounts and events. Microsoft ATA aims to address this challenge with new technologies from a recent acquisition to bring valuable insight into anomalous user activity in your organization. Microsoft ATA is in preview today and a 90 day free trial is also available. More information on Microsoft ATA can be found here.