WindowSecurity.com - Monthly Newsletter - November 2013

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, MVP), Sales Engineering Director for Iron Networks. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.

Editor's Corner

It's been a busy month with regard to Windows security! A few weeks ago, Microsoft released their biannual Security Intelligence Report, volume 15, and released updates to important security tools – the Microsoft Baseline Security Analyzer (MBSA) and the Enhanced Mitigation Experience Toolkit (EMET). In addition, Microsoft made some important announcements about their use of the SHA1 hash algorithm for certificate services, along with security improvements in Internet Explorer 11 to make use of TLS 1.2 by default and to avoid the use of the RC4 encryption cipher suite. I'll discuss these in more detail later in the newsletter.

--Rich

Microsoft Security Intelligence Report

Microsoft recently released their Security Intelligence Report (SIR) volume 15, which covers the malware landscape from January through June, 2013. The SIR provides insight and perspective on software vulnerabilities, exploits, viruses and malicious software for Microsoft and third-party software. The data used for the report is gained from intelligence from the Microsoft Malware Protection Center (MMPC), the Microsoft Security Response Center (MSRC), the Microsoft Security Engineering Center (MSEC), and from telemetry received from hundreds of millions of computers worldwide that have opted-in to share data with Microsoft.

The latest release of the SIR includes a new metric for analyzing the prevalence of malware, a metric known as the encounter rate. Historically the report includes details for infection rates expressed in Computer Cleaned per Mille (CCM) which provides a good indication of the success of malware. It did not, however, provide any insight as to how effective our security controls were. With the inclusion of encounter rate, we now have detailed information that can be used to correlate directly to the efficacy of our defense mechanisms.

Each SIR contains valuable insight and details into the current malware and threat landscape, and security administrators would be well-advised to read this report to stay abreast of current threats and vulnerabilities. The latest report indicates that HTML/JavaScript along with Java represent the most common exploits being leveraged by malware authors and attackers in the first half of 2013.

The report also provides detailed information regarding security software use, with metrics on infection rates broken out by the use of real-time security software. In addition, there is specific data on infection and encounter rates by operating system. With the CCM reporting metric being a normalized data point, this information provides clear evidence that running the latest release of Microsoft's client and server operating systems is the most effective way to reduce your exposure to attack.

The SIR also includes data about e-mail threats and SPAM, malicious web sites (phishing, malware hosting, and drive-by downloads), and all of the information is broken down by region, which can help immensely when tuning security controls in your environment.

You can download the latest release of the Microsoft Security Intelligence Report (volume 15) at http://www.microsoft.com/security/sir/.

TechGenix Launches CloudComputingAdmin.com!

TechGenix is pleased to announce CloudComputingAdmin.com – a new site that offers a unique perspective on the quickly evolving world of cloud computing.

To celebrate the launch of CloudComputingAdmin.com, we will be giving away a Google Nexus 10 to one lucky newsletter subscriber! All you need to do to be eligible to win is sign up for any of the new CloudComputingAdmin.com newsletters and provide your name, email address, and country of residence.

Subscribe to a newsletter here.

The prize giveaway will run until Saturday, December 14, 2013. Be sure to sign up today for your chance to win!

Windows Server 2012 Security from End to Edge and Beyond

If you're planning to deploy Windows Server 2012 now or in the future, be sure to order your copy of Window Server 2012 Security from End to Edge and Beyond today. Written by veteran security authors Tom Shinder, Deb Shinder, and Yuri Diogenes, this book provides detailed, prescriptive guidance on how to architect, design, plan, and deploy Windows Server 2012 in a secure manner. This book covers all aspects of Windows Server 2012 security, including Active Directory and Certificate Services, Active Directory Federation Services (AD FS), Active Directory Rights Management Services (AD RMS), patch management, Hyper-V, remote access, and application, network, and cloud security.

This book is an essential reference for IT professionals and security administrators everywhere, so order now. You'll be glad you did!

Image

Click here to order your copy today!

Microsoft Security Bulletins for November 2013

For the month of November, Microsoft has released 8 security bulletins, 3 of which are rated as critical. Affected software includes all supported Microsoft client and server operating systems, as well as all supported versions of Microsoft Office. Of particular note this month is security update MS13-090, a cumulative security update of ActiveX kill bits that addresses a zero-day vulnerability in Internet Explorer that is being actively exploited. For more information about November's security bulletins click here.

Security Articles of Interest

  1. In an effort to improve accuracy and provide new insight into the effectiveness of protection mechanisms, the Microsoft Security Intelligence Report (SIR) volume 15 includes new data and metrics that highlight the number of times a system encounters malicious software, yet is not infected. Data is gathered from the telemetry provided by real-time security products and yields excellent clues as to how well the operating system can protect itself from attack. Not surprisingly, the latest versions of Microsoft client and server operating systems with up-to-date virus and malicious software protection enabled are the most resistant to compromise.
    http://blogs.technet.com/b/mmpc/archive/2013/10/29/new-security-intelligence-report-new-data-new-perspectives.aspx

  2. Finally, the Microsoft Baseline Security Analyzer (MBSA) has been updated to support Windows 8/8.1 and Server 2012/R2! This is an essential tool in the security administrator's toolkit that can be used to quickly assess the security configuration for Windows systems. If you're not familiar with the MBSA, this tool allows you to scan individual computers or groups of computers and will check for administrative vulnerabilities, weak passwords, IIS administrative vulnerabilities, SQL vulnerabilities, and security updates. Download the latest MBSA, version 2.3, here:
    http://www.microsoft.com/en-us/download/details.aspx?id=7558

  3. Another essential security tool of Windows administrators, the Enhanced Mitigations Experience Toolkit (EMET) was also updated recently. EMET is a free tool that is designed to prevent software vulnerabilities from being exploited by protecting applications using the latest security mitigation technologies included in the Windows operating system. Version 4.1 includes new updates that make it easier to configure and deploy.
    http://blogs.technet.com/b/srd/archive/2013/11/12/introducing-enhanced-mitigation-experience-toolkit-emet-4-1.aspx

  4. Did you know that Internet Explorer 11 makes over 40% of the web more secure? Amazing, I know, and made possible by changes in IE 11 that favor the use of Transport Layer Security (TLS) v1.2 and by reducing the use of the vulnerable RC4 cipher suite. You might think that these changes would adversely affect functionality, but Microsoft has done their homework here. According to their research, over 96% of five million sampled web sites can negotiate ciphers other than RC4, and 39% support non-RC4 cipher suites even though they prefer RC4.
    http://blogs.msdn.com/b/ie/archive/2013/11/12/ie11-automatically-makes-over-40-of-the-web-more-secure-while-making-sure-sites-continue-to-work.aspx

  5. Microsoft recently announced a new policy for Certificate Authorities (CAs) that deprecates the use of the SHA1 hashing algorithm for SSL and code signing certificates in favor of SHA2. This policy directly affects those CAs that are members of the Windows Root Certificate Program who issue publicly trusted certificates, but this guidance should be followed by anyone operating a CA internally or externally.
    http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx

  6. As Microsoft security professionals, I believe it is important that we keep banging the drum about Windows XP and the need to migrate to the latest, more secure Windows desktop operating system. To support those efforts, take note of the malware infection rates for Windows XP with new detail from the infection and encounter rate metrics in the latest Microsoft Security Intelligence Report (SIR) volume 15. Malware infection rates are significantly higher with Window XP as compared to newer operating systems, and things will only get worse once XP support ends in April 2014. Time to retire your XP systems ASAP!
    http://blogs.technet.com/b/mmpc/archive/2013/10/29/infection-rates-and-end-of-support-for-windows-xp.aspx

  7. Holly Stewart, Senior Program Management Lead for the Microsoft Malware Protection Center (MMPC) shares insights into the taxonomy and protection metrics collected (coverage, quality, and customer experience), as well as the September 2013 results.
    http://blogs.technet.com/b/mmpc/archive/2013/10/25/our-protection-metrics-september-results.aspx

  8. Microsoft SmartScreen technology has proven to be a highly effective tool to prevent socially-engineered attacks. Previously available only with Internet Explorer, it is now included in the operating system in Windows 8/8.1 and can be leveraged by all applications. SmartScreen is fundamentally an application reputation mechanism designed to prevent the execution of untrusted software. To learn more about SmartScreen in Windows 8/8.1, download this whitepaper from the folks at NSS Labs.
    https://www.nsslabs.com/reports/microsoft-takes-scammers-camp

  9. Social Engineering is a particularly troublesome attack vector, as it can only be effectively controlled through education and not mitigated through technical controls. In this story, two hackers created a persona using social media (Facebook, LinkedIn, etc.) and ultimately got her a government job, a company laptop, and VPN credentials! And she doesn't even exist?!? Facepalm! Read this story and be amazed…and scared!
    http://www.zdnet.com/government-agency-compromised-by-fake-facebook-hottie-7000022700/
  10. More social engineering tactics in the news this month. It has recently come to light that notorious NSA leaker Edward Snowden also used social engineering to gain access to sensitive data. Snowden was able to convince some of his co-workers that he needed their password, and they freely gave it to him. What is alarming here is that this wasn't a naive, young customer service operator at a travel agency, these were employees of the National SECURITY Agency whose very jobs were security related and with security clearance and access to highly sensitive information. If this doesn't underscore the need for multi-factor authentication, nothing does.
    http://www.reuters.com/article/2013/11/08/net-us-usa-security-snowden-idUSBRE9A703020131108

WindowSecurity.com Articles of Interest

  1. Tenable Nessus voted WindowSecurity.com Reader's Choice Award Winner for Security Scanner Software
  2. Use Windows Command Line Tools and PowerShell Cmdlets to Manage Security in Windows Server 2012 – Part 2
  3. Product Review – Manage Engine EventLog Analyzer
  4. Are We Heading for Identity Management Federation – Part 2

Windows Security Tip of the Month

A good security practice before placing any system in to production, especially for edge connected or Internet-facing systems and services, is to conduct a thorough vulnerability and attack surface scan to determine potential remote attack vectors. One tool that can help evaluate the network attack surface is Port Query. This Microsoft utility was first introduced with the Windows Server 2003 Support Tools and is still a valuable assessment tool today. Port Query is a command-line tool that many administrators find difficult to work with, but thankfully there is also a Graphical User Interface (GUI) that can be downloaded as well. The Port Query GUI allows the user to define a host to scan and to also select default query types or manually specify ports to query. The results are displayed in a window that includes the command line arguments used by the underlying portqry.exe, which can be helpful for learning how to use the command line tool directly. You can download the Port Query GUI, which includes the portqry.exe command line tool, here.