WindowSecurity.com - Monthly Newsletter - May 2016

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, MCSA, Enterprise Security MVP), independent consultant and Microsoft network security and remote access expert. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.


1. Editor's Corner

This month, two important security-related reports were released by Verizon and Microsoft. They are the Data Breach Investigations Report (DBIR) and the Security Intelligence Report (SIR), respectively. Each of these reports should be required reading for anyone responsible for managing information and device security for organizations of any size. These reports paint a vivid picture of the current threat landscape and provide valuable insight into current attack vectors. It is not possible to effectively defend networks and data without understanding the key findings highlighted in these reports. Take the time to read them both thoroughly. You’ll be better armed to make intelligent decisions about how best to defend against modern attacks.

 --Rich

Verizon 2016 Data Breach Investigations Report

The annual Verizon Data Breach Investigations Report is always a fascinating (and sometimes depressing!) read. The DBIR is unique in that it includes real world attack and compromise details that directly resulted in unauthorized information disclosure. The dataset used in the report includes more than 100,000 incidents and nearly 3200 confirmed breaches.

Understanding what attackers are seeking, and how they are being successful, ultimately provides us with a better understanding of current patterns and practices cybercriminals are using. Armed with this information, we can better defend ourselves and protect our assets.

Using empirical evidence, the report helps dispel some common information and cybersecurity myths. For example, if you walked the expo floor at the most recent RSA Security Conference this year you’d be under the impression that the Internet of Things (IoT) and the security risks associated with it would bring about an impending apocalypse. In addition, and again based mostly on vendor hype, the insider threat would also have appeared to be commonplace. The data in the DBIR conclusively debunks these myths.

The data speaks for itself, and in the vast majority of breaches, it’s the usual suspects that are the major contributing factors. Default, weak, or stolen credentials and unpatched vulnerabilities are often to blame. In fact, the top 10 vulnerabilities accounted for more than 85% of successful exploits. Also, many of the vulnerabilities used in successful data breaches had been patched for more than a year. In addition, attacks were overwhelmingly committed by outsiders.

Phishing attacks continue to be popular, obviously because they are so successful. Data in the report indicates that 30% of phishing messages are opened by users, and an alarming 12% of those users click on the links or open the attachments.

Web application attacks are also effective, with Content Management Systems (CMS) like WordPress a favorite for attackers. SQL injection attacks, not surprisingly, are still quite common.

Keystroke loggers are a favorite of cybercriminals, which is particularly interesting because they effectively render strong passwords useless. The longest, most complex passwords imaginable are defenseless, being completely exposed to key logging software. This obviously underscores the need for strong multifactor authentication.

Overall, the report once again demonstrates that data breaches occur across all industries, verticals, and geographies. No one is immune. Also, it is clear that the primary motive for most attacks and data theft is financial gain. These are definitely things to consider carefully when designing a defense strategy for your organization.

Microsoft Security Intelligence Report Volume 20

Microsoft’s semi-annual Security Intelligence Report (SIR) volume 20 reports on threat data from July through December, 2015. This report differs fundamentally from the DBIR in that it focuses specifically on the vulnerabilities and exploits used by attackers to infiltrate target organizations. It also includes important data regarding malware and potentially unwanted software. This report covers both consumer and corporate computing, and includes data relevant to attacks aimed at both environments.

Importantly, the SIR also includes valuable data about drive-by downloads, malicious web sites, and phishing attacks. All of these are common threads in successful data breaches. If you think antimalware software is dead, think again.

Together, the SIR and DBIR help paint a clear picture of the threat landscape and the current security environment today. Be sure to read both of these reports soon. You’ll be in a much better position to defend your resources when you do.


2. Richard M. Hicks Consulting

Looking for assistance with the design, implementation, or support of a Microsoft DirectAccess remote access solution? Need help migrating from Microsoft Forefront Threat Management Gateway (TMG) 2010? Interested in guidance for integrating on-premises networks with Microsoft Azure or Amazon Web Services? I can help!

I am a Microsoft Certified Solutions Associate (MCSA) with nearly 20 years’ experience working with Microsoft network security platforms. I’ve deployed DirectAccess and VPN solutions for some of the largest organizations in the world. I’ve also helped organizations large and small implement hybrid cloud network solutions, migrate from Forefront TMG to other security platforms, and perform other security related services.

For more information about consulting services, click here.



3. Microsoft Security Bulletins for May 2016

For the month of May Microsoft released 16 security bulletins, 8 of which are rated critical and 8 important. Affected software includes Microsoft Internet Explorer and Edge web browsers, Office, the .NET Framework, and all supported versions of the Windows desktop and server operating systems. This month, pay careful attention to MS16-054, an update that addresses vulnerabilities in Office that can result in compromise by users viewing RTF documents in the preview pane. No need to click on the attachments to get infected, which is crucial.
For more information about May’s security bulletins click here.

4. Microsoft Security Advisories for May 2016

This month Microsoft released security advisory 3155527 for an update to SSL and TLS cipher suites used for FalseStart. FalseStart allows a TLS client to send application data before receiving and verifying the “Server Finished” message during the TLS handshake. This can be used by an attacker posing as a man-in-the-middle (MitM) to force a protocol downgrade to a weak cipher.


5. Security Articles of Interest

  1. This month, Verizon released their annual Data Breach Investigations Report (DBIR). This report includes information and data that will be invaluable to security administrators everywhere. The DBIR can be downloaded (registration optional) here.
    http://www.verizonenterprise.com/verizon-insights-lab/dbir/

  2. Also released this month, the Microsoft Security Intelligence Report (SIR) volume 20, which includes vulnerability and exploit data from the second half of 2015, is now available. Along with the DBIR, the data included in this report will be essential for developing an effective security strategy.
    https://www.microsoft.com/security/sir/default.aspx
  3. The Art of War by Chinese author Sun Tzu, a book that dates back to the 5th century B.C., details crucial military strategies and tactics and has been an important reference for many prominent military leaders for many years. It has even been used by business leaders competing in the marketplace. What does it have to do with cybercrime? As it turns out, quite a bit. Many equate defending assets from cybercriminals with warfare. I tend to agree. Read this interesting post on the Microsoft cyber trust blog to learn more.
    http://blogs.microsoft.com/cybertrust/2016/04/11/whats-the-art-of-war-got-to-do-with-cybercrime-quite-a-bit-actually/
  4. I’m stating the obvious when I say that cloud computing is a massively disruptive technology. Today it touches nearly every part of our daily lives. It goes without saying that it is changing the security paradigm, and with it, incident response. In this article, Microsoft outlines their vision of shared responsibility for IR when using public cloud services such as Microsoft Azure.
    https://azure.microsoft.com/en-us/blog/microsoft-incident-response-and-shared-responsibility-for-cloud-computing/
  5. When you finish reading this year’s Verizon DBIR, one thing you’ll quickly learn is that attackers are after credentials. Once they’ve got them, their job is infinitely easier. After all, with valid credentials, often they can move around unnoticed and without fear of detection. Credentials are not just usernames and passwords either. Password hashes are, for all intents and purposes, the same thing. Here is some very valuable guidance for implementing updates and changes to further protect against credential theft and Pass-the-Hash attacks.
    https://blogs.technet.microsoft.com/askpfeplat/2016/04/18/the-importance-of-kb2871997-and-kb2928120-for-credential-protection/
  6. As with any new Microsoft operating system release, new features and functionality always seem to get the bulk of the attention. However, as a security professional, I’m always interested in the security enhancements that they bring about. With the impending release of Windows Server 2016 later this year, the server operating system will feature a number of important new security features. Details here:
    https://blogs.technet.microsoft.com/windowsserver/2016/04/25/ten-reasons-youll-love-windows-server-2016-8-security/
  7. I’ve mentioned the importance of SSL and TLS security in this newsletter quite a few times. If you support systems that rely on SSL/TLS for security and protection, it is crucial that their configuration be managed and monitored. Microsoft does that too, and in fact has recently removed the RC4 cipher suites from use in Azure services.
    https://blogs.msdn.microsoft.com/azuresecurity/2016/04/26/azure-services-ssltls-cipher-suite-update-and-removal-of-rc4/
  8. Bug bounty programs are essential tools to incentivize security researchers to invest time looking for vulnerabilities in specific products. Microsoft recently announced an expansion of their popular bug bounty program to include Nano Server in Windows Server 2016 technical preview.
    https://blogs.technet.microsoft.com/msrc/2016/04/29/microsoft-bounty-programs-expansion-nano-server-technical-preview-bounty/
  9. In the past I’ve written about preinstalled software on new computers containing serious security vulnerabilities. Lenovo seems to be the poster child for this. Again, it has been discovered that a support tool included with new Lenovo systems contained a serious flaw. That flaw has now been patched, but it underscores what I’ve stated many times in the past. Get a new machine? Wipe and reload right away. Trust me, you’ll be much better off!
    http://www.cio.com/article/3066910/lenovo-patches-serious-flaw-in-pre-installed-support-tool.html
  10. A new and important security feature in the upcoming Windows Server 2016 release for Hyper-V is Shielded VMs. Shielded VMs provide exceptional security and isolation, not only from other workloads on the same host, but from the host administrators as well. If you are a hosting provider, no doubt you should be investigating these new features.
    https://blogs.technet.microsoft.com/windowsserver/2016/05/10/a-closer-look-at-shielded-vms-in-windows-server-2016/


6. WindowSecurity.com Articles of Interest

  1. Amazon Web Services (AWS) and the Internet of Things (IoT)

  2. Kaspersky Endpoint Security – Voted WindowSecurity.com Readers’ Choice Award Winner – Antivirus

  3. Application Security Redux – It’s All About the Apps (Part 1)

  4. Prioritize your Security Controls – Protect, Detect, and Remediate (Part 2)

  5. Application Security Redux – It’s All About the Apps (Part 2)

7. Windows Security Tip of the Month

One of the more important points highlighted in this year’s Verizon Data Breach Investigations Report is that cybercriminals are continuing to find targets with vulnerabilities that have had patches available for more than a year. This is stunning. With rare exceptions, most machines should be patched within 30 to 90 days. Systems that can’t be updated should be segmented and isolated to reduce exposure.
The fact that so many old vulnerabilities are being actively exploited indicates a serious lack of visibility to unpatched systems. For many, the luxury of a full-featured patch management infrastructure is not an option. Thankfully, Microsoft makes their Windows Server Update Services (WSUS) freely available. Today, administrators have no excuse not to manage updates on their systems.

You can learn more about the latest release of WSUS here.
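As an added example (not from the newsletter or from Microsoft), the script below gives a quick first cut at the visibility problem described above: it queries each host's installed hotfixes with the built-in Get-HotFix cmdlet and flags any machine whose most recent update is older than the 90-day upper bound mentioned in the tip. The computer names are constructed placeholders, and it assumes the account running it has administrative rights and remote WMI access to the targets.

```powershell
# Added example: flag hosts whose newest installed hotfix is older than a threshold.
# Get-HotFix reads Win32_QuickFixEngineering on each target. Assumes admin rights
# and reachable remote WMI; the default host names below are constructed samples.
param(
    [string[]]$ComputerName = @('SRV01', 'SRV02'),   # placeholder names, not real hosts
    [int]$MaxDaysSincePatch = 90                      # upper bound cited in the tip
)

$cutoff = (Get-Date).AddDays(-$MaxDaysSincePatch)

$results = foreach ($c in $ComputerName) {
    try {
        $latest = Get-HotFix -ComputerName $c -ErrorAction Stop |
            Where-Object { $_.InstalledOn } |          # some QFE rows carry no date
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1

        [pscustomobject]@{
            Computer     = $c
            LastHotFixId = if ($latest) { $latest.HotFixID } else { 'none' }
            LastPatch    = if ($latest) { $latest.InstalledOn } else { $null }
            # No dated hotfix at all is treated as stale, not as healthy.
            Stale        = (-not $latest) -or ($latest.InstalledOn -lt $cutoff)
            Error        = $null
        }
    }
    catch {
        # An unreachable host is exactly the visibility gap the tip warns about,
        # so it is reported as stale rather than silently dropped.
        [pscustomobject]@{
            Computer     = $c
            LastHotFixId = $null
            LastPatch    = $null
            Stale        = $true
            Error        = $_.Exception.Message
        }
    }
}

# Stale and unreachable hosts first; full list to screen, offenders to CSV for follow-up.
$results | Sort-Object Stale -Descending | Format-Table -AutoSize
$results | Where-Object Stale | Export-Csv -Path .\stale-hosts.csv -NoTypeInformation
```

Get-HotFix only reflects what Win32_QuickFixEngineering records, so treat the output as a coarse triage signal; WSUS compliance reporting remains the authoritative view of what each machine is actually missing.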