WindowSecurity.com - Monthly Newsletter - November 2014

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, Enterprise Security MVP), Technical Services Director for Celestix Networks. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.


Editor's Corner

Just a few days prior to sitting down to write this month’s WindowSecurity.com monthly newsletter, Microsoft released their biannual Security Intelligence Report. This is the 17th edition of the report in which Microsoft provides deep insight into the threat landscape and specifically how it affects the Microsoft ecosystem. I look forward to each edition of the report as it outlines how cybercriminals are leveraging their attacks, and more importantly, when and how they are being successful. In addition to providing the usual threat assessment information regarding vulnerabilities, exploits, and malicious software, the report includes guidance for securing account credentials and highlights the challenge posed by expired security software. In addition, how the Microsoft Digital Crimes Unit (DCU) fights malware using the legal system is documented. The report also includes detailed information on how Microsoft deals with security threats on their vast internal network. They’ve been quite successful with keeping their systems up to date and defending against attacks in spite of the large and unique environment they support, and I’m certain that many organizations could benefit from implementing some of the practices they use.

--Rich

Microsoft Security Intelligence Report (SIR) Volume 17

Passwords are awesome! Ok, not really. And that’s pretty much the message conveyed by the first feature of the Microsoft Security Intelligence Report (SIR) volume 17. The latest report begins with an overview of the current state of passwords, outlining the challenges posed by the continued use of usernames and static passwords in today’s world. The basic premise of account credentials, that being the tried and true combination of username and password, is continuing to fall short when it comes to providing the level of security necessary. Users typically need to authenticate against numerous systems, often more than 25 per day. Evidence shows that users tend to reuse passwords across sites, and at best use a handful of passwords for them. With so many different systems to log into, password fatigue quickly sets in and, out of necessity, users resort to using simple passwords, reusing passwords, or using unique passwords that end up being predictable. Complicating matters is the fact that the many data breaches in recent history provide valuable data for attackers to assess which passwords are most common and what patterns people tend to use with regularity. I was shocked to learn that a recent study of 6 million user-generated passwords, an astonishing 98.8 percent of users chose a password that was on the list of the most common 10,000 passwords! It’s no wonder dictionary attacks are so effective. Making things worse is that successful attacks and breaches continue, providing yet more valuable data for cybercriminals to further refine their password dictionaries. Clearly the time has come for something better than static passwords.

The report goes on to provide guidance for organizations storing passwords, which include strong encryption and key protection when access to the password is required, and the use of strong hashing algorithms and salts when not required. Additional guidance for agencies who have recovered evidence of compromised accounts and how organizations should protect that information is also included. Finally, recommendations are provided for improving password security, including the use of randomly generated passwords and the use of secure credential stores to make the use of unique passwords per application or site feasible.

The SIR also provides interesting insight into the challenge of expired security software and its effects on protection. Not surprisingly, expired security software is really not much better than nothing at all. This is somewhat unique to consumer systems, as new computers are often bundled with trial versions of popular antivirus software. This is not usually the case with enterprise systems, as they are proactively managed. Interestingly though, the report breaks out statistics by domain-joined and non-domain joined computers and the domain-joined computers reported being out of date 4.3% of the time, compared to just 2.7% for non-domain joined computers. I can’t imagine why enterprise-managed systems would be less up to date than consumer systems, but the data doesn’t lie.

The report continues by providing insight into activities conducted by the Microsoft Digital Crimes Unit (DCU) and their efforts to leverage the legal system to fight malware and provide further protection for the Windows platform.

The heart of the report, as always, is the current state of the threat landscape over the reporting period for the report, which is the first half of 2014. Vulnerabilities, exploits, malware, email threats, and malicious web sites are outlined in detail, providing a broad view of current tactics employed by cybercriminals. Security administrators should pay close attention to current prevalent malware families and common attack vectors and focus their efforts on mitigating those risks in high priority. Once again, thorough and consistent patching is highlighted, especially for third-party software. A continuing trend illuminated by this report is that malware authors are far less successful attacking the core operating system, indicating that Microsoft’s efforts to protect the OS are paying off. However, it’s worth noting that the most common vulnerability being targeted in the operating system is a Windows shell vulnerability that was patched over four years ago! The report also contains the usual heat maps that provide a visual cue to where malware is most prevalent and where attacks tend to originate from. This can be valuable information for evaluating network traffic logs during incident response or simply for evaluating anomalous network behavior.

This 166 page report from Microsoft is not a quick read, but it should be considered essential reading for anyone responsible for providing security and protection for computer systems of all types. You can download the Microsoft Security Intelligence Report volume 17 here.

Bulletproof SSL and TLS

With recent revelations of wide spread surveillance by government agencies, a strong push is on to encrypt all types of communication regardless of sensitivity. With the popularity and ubiquity of web-based communication, Secure Sockets Layer (SSL) and Transport Layer Security (TLS) have quickly become essential tools to provide the highest level of security and protection for network communication. 

Ivan Ristic, one of the foremost experts in the field of SSL and TLS, recently released a comprehensive guide for deploying secure web servers and applications using SSL and TLS. The book provides a valuable overview of the SSL and TLS protocols along with PKI, and also includes detailed, prescriptive guidance for configuring and deploying systems using SSL and TLS, both Windows and open source.

Order your copy of Bulletproof SSL and TLS today!

Image

Click here to order your copy today!


Microsoft Security Bulletins for November 2014

For the month of November, Microsoft released 14 security bulletins to address 33 individual CVEs. 4 of them are rated critical, 8 are rated important, and 2 are rated moderate. Affected software includes Windows, Office, .NET Framework, and Internet Explorer. For more information about November’s security bulletins click here. Pay close attention to MS14-064, which addresses a vulnerability in Windows OLE, and MS14-066, a vulnerability in Schannel. Both are remotely exploitable and should be deployed as quickly as possible.

Microsoft Security Advisories for November 2014

Microsoft has published 2 security advisories in November. Security advisory 2755801 addresses an update for vulnerabilities in Adobe Flash player in Internet Explorer, and security advisory 3010060 addresses a vulnerability in Microsoft OLE that could allow remote code execution (also addressed with security bulletin MS14-064).

 


Security Articles of Interest

  1. Office 365 continues to make strides in the area of security and protection, recently gaining IRS 1075 compliance for their Office 365 for Government offering.
    http://www.microsoft.com/en-us/government/blogs/office-365-helps-customers-with-irs-1075-regulatory-compliance/default.aspx

  2. Security technology is continually improving, and of course that means new security features in the latest preview release of Windows 10. The latest release of Windows includes new identity protection and access controls with an emphasis on strong, multifactor authentication. Essential information protection is provided using new, integrated Data Loss Prevention (DLP) features, and enhanced threat resistance is accomplished by allowing administrators to restrict application installation to those from trusted sources.
    http://blogs.windows.com/business/2014/10/22/windows-10-security-and-identity-protection-for-the-modern-world/

  3. Pass-the-Hash (PtH) is a form of credential theft where an attacker steals credentials from a compromised device and uses those to gain access to additional systems. Often this technique is used for lateral movement once the attacker has already compromised an internal system, typically in an effort to find a valued target or to find a vulnerable system with which to execute privilege escalation. Microsoft recently posted some informative videos answering common questions about PtH. You can view them here:
    http://technet.microsoft.com/en-us/security/dn785092

  4. According to a recent report released by McAfee, nearly one-third of the organizations surveyed admitted they disabled advanced protection features on their next-generation firewalls (NGFW) in order to improve performance. It begs the question then…why implement a NGFW if you’re simply going to disable its most important protection mechanisms? Security always involves trade-offs, but there are better ways to resolve this issue than disabling essential security mechanisms. Proper capacity planning and thorough load testing are critical to the success of NGFW deployments.
    http://www.scmagazine.com/operators-disable-firewall-features-to-increase-network-performance-survey-finds/article/380341/

  5. More security enhancements for the cloud! Recently Microsoft announced that it would include antimalware for Azure cloud services and virtual machines for free. Great idea!
    http://azure.microsoft.com/blog/2014/10/30/microsoft-antimalware-for-azure-cloud-services-and-virtual-machines/

  6. The so-called “Internet of Things” (IoT) represents a significant change in the way we view security. In this hyper-connected world of ubiquitous network access for everything from kitchen appliances to light bulbs, no doubt there will be some that think that IoT security is an oxymoron. As the folks in the Trustworthy Computing team at Microsoft demonstrate, it doesn’t have to be. Details here:
    http://blogs.microsoft.com/cybertrust/2014/11/05/iot-security-does-not-have-to-be-an-oxymoron/
    http://blogs.microsoft.com/cybertrust/2014/11/10/iot-security-does-not-have-to-be-an-oxymoron-part-2/

  7. I love the cloud! I'm a big fan of Microsoft Azure and make regular use of the Infrastructure-as-a-Service offering by leveraging it to extend my on-premises test labs. Many organizations are migrating applications and services to the public cloud as well. However, there are many scenarios in which the public cloud might not be the best choice. Thankfully Microsoft provides all of the components to build a private cloud on premises. Recently Microsoft released several key pieces of documentation on private cloud security. If you're considering building out your own on-premises private cloud, these documents will serve as a valuable security reference for your implementation.
    http://blogs.technet.com/b/privatecloud/archive/2014/11/09/private-cloud-security-considerations-guide-introduction-and-overview.aspx
    http://blogs.technet.com/b/privatecloud/archive/2014/11/09/private-cloud-security-considerations-guide-security-challenges.aspx
    http://blogs.technet.com/b/privatecloud/archive/2014/11/09/private-cloud-security-considerations-guide-security-design-considerations.aspx

  8. A whitepaper recently released by Microsoft outlines their use of threat simulation to practice incident response and improve threat detection for the Microsoft Azure public cloud. Through the use of “red teams”, Microsoft proactively tests breach detection systems and validates the security of their cloud platforms. Download the whitepaper here:
    http://download.microsoft.com/download/C/1/9/C1990DBA-502F-4C2A-848D-392B93D9B9C3/Microsoft_Enterprise_Cloud_Red_Teaming.pdf

  9. Microsoft has been aggressively implementing improved encryption technologies in its latest on-premises software platforms as well as their various cloud-based offerings. This month Microsoft announced that it would also be bringing these state-of-the-art encryption technologies, previously only available in Windows 8.1 and Windows Server 2012 R2, to older operating systems such as Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2012.
    http://blogs.microsoft.com/cybertrust/2014/11/11/hundreds-of-millions-of-microsoft-customers-now-benefit-from-best-in-class-encryption/

  10. An update for the popular Microsoft Enhanced Mitigation Experience Toolkit 5.0 is now available. This update, 5.1, includes a number of improvements and addresses some previous application compatibility issues. You can download the update here: https://support.microsoft.com/kb/3015976

WindowSecurity.com Articles of Interest

  1. Planning Considerations for BYOD and Consumerization of IT – Part 5
  2. Planning Considerations for BYOD and Consumerization of IT – Part 6
  3. Tenable Nessus voted WindowSecurity.com Readers’ Choice Award Winner – Security Scanner Software
  4. Is Microsoft Windows Security Essentials Enough for Enterprise Security?
  5. Secure Sharing: Collaboration without Compromise – Part 1

Windows Security Tip of the Month

Have you deployed IPv6 in your environment yet? If you answered “no”, you’ve probably answered incorrectly! If your network includes hosts running anything newer than Windows Vista or Windows Server 2008, or any modern version of Linux, the answer is actually “yes”! Beginning with Windows Vista and Windows Server 2008, IPv6 is enabled by default and preferred. So, in reality, you have deployed IPv6, you just aren’t managing or monitoring it. From a security perspective, it really is a bad situation when you have a communication protocol in use on your network without having the proper visibility and controls in place to manage it.

I recommend that network engineers and security administrators get up to speed on IPv6 as soon as possible. The best place to start, in my opinion, is to join a community of IPv6 professionals and begin by learning about the fundamental operation of the protocol. GoGo6 is a great starting point and has a mature and robust IPv6 user community to leverage, along with various training and service offerings. They also have a handy client utility that can be used to connect your machine to the IPv6 Internet so you can begin building up operational expertise with the new protocol. Check it out today!