WindowSecurity.com - Monthly Newsletter - September 2015

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, MCSA, Enterprise Security MVP), independent consultant and Microsoft network security and remote access expert. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.


1. Editor's Corner

Last month the popular online video streaming content provider Netflix publicly announced that they would be formally dumping their existing signature-based desktop antivirus solution. This is a bold step, as many consider desktop antivirus to be a critical tool for preventing potential compromise of the operating system. So, is this a good idea? Is Netflix on to something here? Or have they simply gone mad? Let’s explore this topic a little more…

--Rich

Is Desktop Antivirus Really Dead?

Traditional desktop antivirus (AV) software has been with us for quite some time. I can recall many, many years ago downloading one of the first AV solutions for the PC, a product made by McAfee. As the pioneers of this field, they had one of the most popular and accessible solutions, and as a general security best practice I dutifully installed and maintained it on my systems. Mind you, this was the late 80’s or early 90’s and I hadn’t yet even switched to Windows yet! That’s how long desktop AV has been with us.

For the most part, desktop AV makes use of signatures to identify malicious software (although most vendors have integrated some form of non-signature based detection). The challenge with this is that, by design, desktop AV software will often only detect known malicious software. Of course clever malware authors have figured out easy ways around this rudimentary detection mechanism by altering their payloads and leveraging various obfuscation tactics. They’ve been quite successful with this, which is now leading to important changes in this industry.

So, is desktop AV completely ineffective? Not really. It is good at what it does, and what it was designed to do – detect known malicious software. The real problem comes when organizations rely on it as their only means of malware detection and prevention. Clearly the threat landscape has changed. Malware authors are more motivated, determined, and much better financed. Targeted attacks are becoming much more common and effective. However, I still don’t think that abandoning your desktop AV solution is the answer. Rather, desktop AV should be seen as an essential and important component in a total malware prevention strategy. Layered security is always more effective, and malware prevention is no exception. Additional technologies should most definitely be employed to provide protection for unknown malicious software, and there is no shortage of interesting and compelling solutions on the market today.

It’s also important to understand that often desktop AV is required for various regulatory and compliance reasons. For example, desktop AV is necessary to meet PCI DSS requirements. I’m sure there are many others. Be sure to take them under consideration if you plan to follow in Netflix’s footsteps and abandon your desktop antivirus solution.

2. Bulletproof SSL and TLS

With recent revelations of widespread surveillance by government agencies, a strong push is on to encrypt all types of communication regardless of sensitivity. With the popularity and ubiquity of web-based communication, Secure Sockets Layer (SSL) and Transport Layer Security (TLS) have quickly become essential tools to provide the highest level of security and protection for network communication. 

Ivan Ristic, one of the foremost experts in the field of SSL and TLS, recently released a comprehensive guide for deploying secure web servers and applications using SSL and TLS. The book provides a valuable overview of the SSL and TLS protocols along with PKI, and also includes detailed, prescriptive guidance for configuring and deploying systems using SSL and TLS, both Windows and open source.

Order your copy of Bulletproof SSL and TLS today!

Image

Click here to order your copy today!


3. Microsoft Security Bulletins for September 2015

For the month of September Microsoft released 12 security bulletins. 5 are rated critical and 7 important. Affected software includes Internet Explorer, Edge, Active Directory, Office, Media Center, .NET Framework, Exchange, Skype for Business/Lync, Hyper-V, and all supported desktop and server operating systems. Pay close attention to MS15-097, a vulnerability in the Microsoft Graphics Components which allows remote code execution. There are reports that this vulnerability is being actively exploited in the wild.

For more information about September’s security bulletins click here.

4. Microsoft Security Advisories for September 2015

For the month of September, Microsoft released security advisory 3083992 which details and important update to improve AppLocker publisher rule enforcement.


5. Security Articles of Interest

  1. Last month Netflix announced that they would be abandoning their existing desktop antivirus solution in favor of more modern and advanced malware protection technologies. As I stated in the open, I agree that desktop AV is somewhat antiquated, but I do believe it has its place in an overall malware mitigation strategy. Obviously Netflix doesn’t agree.
    http://www.forbes.com/sites/thomasbrewster/2015/08/26/netflix-and-death-of-anti-virus/

  2. The power of the cloud can enable some extremely compelling security solutions, and Microsoft’s Azure Advanced Threat Analytics (ATA) is one of the more important ones to be announced in recent months. Visibility is key, but making sense of mountains of data and seemingly innocuous log data can be a daunting task. This task is made significantly easier thanks to cloud-based machine learning. Microsoft recently announced that ATA is now generally available.
    http://blogs.technet.com/b/ad/archive/2015/08/27/microsoft-advanced-threat-analytics-in-now-ga.aspx
  3. The makers of the most common web browsing platforms, Microsoft, Google, and Mozilla, have all announced they will be no longer be supporting the RC4 stream cipher beginning as early as next year. What does this mean for you? Well, if you are operating a web site or web service that relies on SSL/TLS, you’ll want to update your configuration to support modern cipher suites and drop the use of RC4 soon.
    http://www.informationweek.com/software/enterprise-applications/microsoft-google-mozilla-abandon-rc4-cryptographic-standard/a/d-id/1322032

  4. This is why the Internet-of-Things (IoT) scares me. With so many devices being connected, and so many manufacturers of these devices not really understanding (or caring?) about security, we’re going to begin seeing stories like this on a daily basis. Here, storage vendor Seagate was found to have included hard-coded credentials on some of their wireless storage products. Scary!
    http://www.kb.cert.org/vuls/id/903500

  5. Passwords. You can’t say enough bad things about passwords! Well, in some cases long, complex, and unique passwords can be sufficiently secure in most cases. However, we humans continue to use simple, often easily guessed passwords. The recent hack of the Ashley Madison web site definitely supports this. The most common password used on this site? “123456.” A close second was the ever popular “qwerty”. Will people ever learn?
    http://www.zdnet.com/article/these-are-the-worst-passwords-from-the-ashley-madison-hack/

  6. If you are a Cloud Solution Provider (CSP) that is leveraging the Microsoft platform, you’ll be happy to hear that the Microsoft Cloud Platform System (CPS) is has now been pre-validated for FedRAMP compliances. This is essential for cloud hosting providers seeking to extend their service offerings to U.S. federal government agencies.
    http://blogs.technet.com/b/privatecloud/archive/2015/09/08/microsoft-cps-pre-validated-for-fedramp-compliance.aspx

  7. A serious flaw in many vendor’s implementation of SSL/TLS using RSA encryption may allow an attacker to obtain their SSL certificate’s private key. Although Microsoft was not affected, many vendors such as Citrix, Alteon/Nortel, Fortinet, and others are.
    http://arstechnica.com/security/2015/09/serious-bug-causes-quite-a-few-https-sites-to-reveal-their-private-keys/

  8. Oh, the irony! It was recently announced that solutions from popular security vendors Kaspersky and FireEye were found to have multiple security vulnerabilities. It really should not come as a surprise, however. These solutions are, after all, software created by humans. As such, they are imperfect just like any other software is. Be sure to update soon!
    http://www.ibtimes.com/kaspersky-fireeye-security-products-cracked-researchers-2085291

  9. Windows 10 and Windows Server 2016 include an update to the SMB protocol that is designed to enhance security for SMB communication. SMB 3.1.1 has been upgraded to include support for better encryption algorithms and provides improved performance. Details here:
    http://blogs.msdn.com/b/openspecification/archive/2015/09/09/smb-3-1-1-encryption-in-windows-10.aspx

  10. Having administration tools installed on a server or a workstation is often helpful when managing a system, but these tools can also be leveraged by an attacker if that same system is compromised. It is becoming an increasingly popular attack vector, and one that systems administrators would be well advised to consider. Where installing utilities on a server was once common, we really should rethink this strategy. Today, systems should be managed remotely as much as possible to avoid these types of situations. PowerShell includes full remote support, as do many other popular tools. It’s time to start using them in that way!
    http://www.eweek.com/security/hackers-using-victims-own-software-to-breach-network-firm-says.html


6. WindowSecurity.com Articles of Interest

  1. Embracing the Internet of Things as well as its Security Challenges – Part 1
  2. Microsoft Ignites a New Focus on Security – Part 2
  3. Video – Recover Deleted Active Directory Objects Without the Recycle Bin: FREE
  4. Microsoft Ignites a New Focus on Security – Part 3
  5. Embracing the Internet of Things as well as its Security Challenges – Part 2
  6. Sophos UTM Software Appliance – Voted WindowSecurity.com Readers’ Choice Award Winner – Firewall Solution

7. Windows Security Tip of the Month

Beginning with Windows 8, Microsoft has included an antivirus solution as a part of the desktop operating system. This was done to ensure that every Windows client had at least some level of protection from viruses and malicious software. Working in concert with security technologies included in their web browser, default installations of Windows were reasonably well protected. However, you may have occasion to want to scan a system for malware using something other than the native scanning tool. For that, Microsoft has two offerings. The first is the Microsoft Safety Scanner. You can download this tool and conduct a proactive, online system scan for viruses and malicious software. For those situations where you suspect a root kit is hiding it’s presence from the virus scanner, a better alternative is to use Windows Offline Defender. This tool allows you to conduct a full system scan of the hard drive while the system is offline. This prevents root kits or other types of malware from cloaking their existence. Keep both of these tools in mind when considering malicious software remediation.