Are you working on cutting edge research on the future of cybersecurity policy? If so, you have less than 3 weeks left to enter our Cybersecurity 2020 essay contest for a chance to win the $5,000 cash prize! Read more.
Last month my blog post discussed Microsoft’s perspective on building a Cybersecurity Framework for critical infrastructure, which is part of President Obama’s Executive Order on cybersecurity. As a next step in the process of implementing the Executive Order, the Commerce Department recently requested comments regarding incentives to encourage critical infrastructure entities and others to adopt improved cybersecurity practices. These incentives would be aimed at encouraging participation in a new voluntary program (referred to as the Voluntary Program below) to support the adoption by owners and operators of critical infrastructure and other interested entities of the Cybersecurity Framework being developed by the National Institute of Standards and Technology (NIST).
Last week, Microsoft submitted comments to the Commerce Department about these incentives. Before discussing Microsoft’s comments, it is important to acknowledge that the Commerce Department has led an ongoing public discussion about how to incent broader adoption of cybersecurity practices, reaching back to Commerce’s Green Paper on Cybersecurity, Innovation, and the Internet Economy and our comments both prior and subsequent to the Green Paper. We appreciate the Commerce Department’s consistent focus on the important challenge of creating incentives to increase cybersecurity. Read more
In the six or seven years that we have been publishing the Microsoft Security Intelligence Report (SIR) I have seen many trends emerge over time. The threat landscape is constantly changing as attackers try to find methods that will help them compromise the systems they target. For several years viruses (file infectors) seemed to be out of favor with attackers as they used other categories of threats to attack systems.
Viruses simply didn’t support the profit motive many attackers had in the same way that Trojan Downloaders and Droppers, Miscellaneous Trojans, and Password Stealers and Monitoring Tools all did. Viruses are threats designed in an era before ubiquitous Internet connectivity made it easier for Worms to successfully self-propagate. Worms like SQL Slammer and Blaster spread around the world in minutes. An old-fashioned file infector would likely take much, much longer to accomplish this, limiting its ability to infect large numbers of systems quickly. Additionally, Viruses tend to be relatively “noisy” threats, as they typically try to infect large numbers of files (.exe, .dll, .scr) on the systems they compromise. This characteristic can make them easier to detect than other, more blended threats.
Subsequently, I have rarely seen the Virus threat category found on more than 5 percent of systems with detections globally. There have been regional exceptions like Korea, Russia, and Brazil, where I have seen relative Virus levels reach between 10 and 15 percent. But more recently I have noticed that Viruses seem to be making a comeback. As seen in Figure 1, the relative prevalence of Viruses has been trending up. The prevalence worldwide for the Virus threat category was 7.8 percent in the fourth quarter of 2012 (4Q12). Read more.
This morning at the Security Development Conference in San Francisco, I am joined by hundreds of organizations that have traveled from all over the world to learn more about proven practices in security development that can help reduce an organization’s risk to threats on the Internet. As we anxiously await the two keynotes by Scott Charney and Howard Schmidt to kick off the day, I am reminded of the early days of computing when security development was an afterthought for many organizations.
The threat landscape has evolved quite a bit over the past decade and the importance of software security is more evident than ever. To see so many security professionals in attendance at this year’s conference makes me cautiously optimistic that more and more organizations are starting to take application security seriously.
Despite the growing awareness of the need for application security, adoption numbers remain low. A recent Microsoft survey found that only 37% of IT professionals worldwide cited their organizations as building their products and services with security in mind. In that same study, 61% of developers were not taking advantage of mitigation technologies that already exist, such as ASLR, SEHOP and DEP. The three biggest roadblocks cited by IT professionals and developers were management approval, lack of support and training, and cost. Read more
I was in Tokyo a couple of weeks back, talking to people about the latest Microsoft Security Intelligence Report. According to the report, Japan continues to have one of the lowest malware infection rates in the world, as seen in Figure 1. The Microsoft Malicious Software Removal Tool (MSRT) found just 0.7 systems infected with malware for every 1,000 systems scanned in the fourth quarter of 2012. The worldwide average was 6.0 during the same period.
In less than two weeks, the world’s best and brightest security professionals will converge on the InterContinental Hotel San Francisco, CA for the Security Development Conference! Don’t miss this opportunity to hear from industry experts who will discuss current security topics and issues.
REGISTER NOW using this discount code: IND@SDC#12 and save $300 off current registration prices. For more information, visit the website at www.securitydevelopmentconference.com or contact firstname.lastname@example.org
Yesterday we released the latest volume of the Microsoft Security Intelligence Report. Among the ~800 pages of new threat intelligence is a new study that attempts to quantify the benefit of running up-to-date anti-virus (AV) software. The study leveraged data from over a billion systems worldwide, and it turns out that systems that do not have up-to-date AV are 5.5 times more likely to be infected with malware than systems that are protected. It’s also noteworthy that almost 270 million systems worldwide did not have up-to-date AV installed in the second half of 2012; many people who could be benefiting from the protection that AV offers are not.
Didn’t we already know this? While it might seem like common sense that AV software is a good thing to have, I think much of the evidence I have seen to support this notion has mostly been anecdotal. I have attended and spoken at numerous security industry conferences over the past couple of years where I have heard more and more industry security experts question the efficacy of AV. The typical argument against AV is the erroneous assumption that since it can’t block or detect 100% of threats, including some of the high-profile targeted attacks that have been reported over the last few years, it’s entirely worthless and not worth running.
To me, this point of view seems less than pragmatic as part of the challenge the industry has is to protect the billions of devices that are now continuously connected to the Internet from the flood of new threats that continually emerge. Since both the number of connected devices and the number of threats will only increase in the future, how to scale protections will always be important. More and more attackers are using automation and sophisticated techniques like server-side polymorphism to generate massive numbers of threats; Figure 1 below illustrates the estimated growth of malware since 1991 and Figure 2 shows 29,451,883 computers had detections/removals of malware in the ten most active countries in the 90 days of the fourth quarter of 2012 alone. In this type of environment AV is becoming more important, not less important. Read more.
We released the latest volume of the Microsoft Security Intelligence Report today that provides a large body of new data and analysis on the threat landscape. Volume 14 focuses on what the threat landscape looked like in the second half of 2012, including trend data from previous periods. This volume of the report contains:
In addition, we have included a section in the report focused on quantifying the value of using up-to-date antimalware software. This is a must-read for those Information Technology/security professionals who are grappling with the challenge of articulating why investing in antimalware software is so important to the security of their organization, particularly to those who question its efficacy.
I encourage you to download the new SIR and take full advantage of the new research it contains as well as the hundreds of pages of new threat intelligence. We also have a shorter Key Findings Summary available, new video content, and past volumes of the report, all at www.microsoft.com/sir.
Tim Rains, Director, Trustworthy Computing
For the past three and a half years, Win32/Conficker has been the top threat found in enterprise environments. We have reported on Conficker in the Microsoft Security Intelligence Report since the second half of 2008. No new variants of Conficker have been released in years and the methods it uses to propagate are well known, but once it finds its way into an environment it can be difficult to eliminate it.