I’m happy today to introduce a guest blog post by Matt Thomlinson, the General Manager of Trustworthy Computing Security at Microsoft, who leads the Microsoft Security Engineering Center (MSEC), the Microsoft Security Response Center (MSRC), and Global Security Strategy & Diplomacy (GSSD). His teams are responsible for proactively implementing training, tools and processes of the Security Development Lifecycle (SDL) to improve the security of Microsoft products.

Matt is speaking today at the North Atlantic Treaty Organization (NATO) Information Assurance Symposium 2011, where he will deliver a keynote that embodies the content written here.

imageAnyone in the computer security field will tell you that our constant companion is change. The cyber threat landscape is continually evolving, with the attacks becoming ever more sophisticated.

Just pick up a newspaper and read the headlines. It’s no longer just vandals or petty cyber criminals taking advantage of random individuals on the Internet. We’re now in an era of targeted attacks from a spectrum of bad actors with a wide set of motivations. Scott Charney, Corporate Vice President, Trustworthy Computing, Microsoft, addresses the range of threats and motivations in his white paper Rethinking the Cyber Threat: A Framework and Path Forward. Charney divides threats into four categories: cybercrime, economic espionage, military espionage, and cyber warfare.

In the previous cyber threat era—before the recent surge of sophisticated, targeted attacks—the best practice was to keep yourself immune from the things that were affecting the masses. It was generally good enough to make yourself a harder-than-average target by staying up-to-date with patching, running antivirus software, and observing other measures for risk mitigation. But in today’s threat landscape, we face a greater challenge: How does an organization defend against attackers who spend time selecting targets, staking them out, analyzing weaknesses, and tailoring custom attacks?

As I prepared to address the North Atlantic Treaty Organization (NATO) Information Assurance Symposium 2011—with its theme of, “NATO’s Cyber Shield—How high, how wide”— I chose to emphasize two important questions:

  • What techniques are these determined attackers using?
  • What methods do we have at our disposal for defending against them?

The good news is that it seems to me that an organization’s resources can be protected better than the headlines might lead us to believe—even in the face of malicious adversaries and targeted attacks.

The Four Points of Attack

No matter what their motive, bad actors have a finite set of tools at their disposal. There are four areas that attackers can focus on, and in each one there are a finite set of methods that attackers can use. The four areas are:

  • Product Vulnerabilities. The first area attackers focus on encompasses vulnerabilities that are introduced while the product is being built. As these Information Technology products are increasingly complex and made by humans, they will never be perfect. Attackers can attempt to exploit vulnerabilities in hardware and software, including the operating system, applications, and services.
  • Supply Chain, Including Product Integration and Delivery. The second area attackers might target is to introduce vulnerabilities into the product or service that is received by the customer. We commonly refer to these as supply chain issues, and they include attacks on product suppliers and subcontractors, malicious insiders, and non-genuine products that could be tampered with in transit or during deployment to the customer.
  • Operational Security. Once the product is produced and safely delivered to a customer’s hands, an attacker looks at how it’s deployed and the policies that are being used, searching for weak spots in an organization’s operational security. Are least-privilege policies enforced on the network? Are strong passwords required? Are software updates and security patches immediately applied? Does the company have a good employee hiring process?
  • Social Engineering. As security improves in products and services, we see social engineering becoming the attack route of choice. Cyber attackers are getting more adept at creating plausible e-mails that deliver malicious code; some pose as IT staff and ask for passwords; and in a classic shocker there’s the recurring field experiment documenting how many people would swap their office passwords for a chocolate bar.

Generally a cyber attacker is more likely to attempt a social engineering attack than a supply chain attack, as the investment required for this second route is greater. Looking at the threat from a NATO perspective, and faced with long-term, well-funded adversaries, all options are open. However, even with all avenues of attack under scrutiny, organizations can still take steps to enhance their security against all four areas of attack. In fact, they must do so to ensure there is no glaring “weakest link” and that an attacker can’t just sidestep investment in one area. So let’s take a look at how security can be enhanced at each of the four stages.

Enhancing Security for Product Creation

Enhancing product security is mostly in the hands of the vendor. My comments in this section will necessarily be Microsoft-centric; though I believe they provide guidance that could be useful for others.

From the inception of a product at Microsoft we apply rigorous processes and tools to reduce vulnerabilities. Our Security Development Lifecycle (SDL) is applied to every product during development and has proven its ability to increase the security of software. We’ve made the SDL process and many of our tools available for others to use—check out http://microsoft.com/SDL.

Responding to the “weakest link” hypothesis above, we see attackers moving away from Microsoft products as they get harder to attack. Kaspersky, the antivirus firm, noted in their latest IT Threat Evolution quarterly report (Aug 2011) that of the top 10 vulnerabilities they observed being used, none were flaws in a Microsoft product.

We also invest in mitigations so that even if a vulnerability is found, it is still difficult or impossible for an attacker to use. These mitigations, such as ASLR, included in Windows Vista, are built in and most are enabled by default. While you don’t notice them when using the computer, they take useful handholds away from attackers. The SDL requires that Microsoft products take advantage of mitigations to improve their resistance to attack.

Finally, it’s important to apply software updates to quickly respond to issues and decrease the likelihood of an attack against that issue or vulnerability. We’ve worked hard to make these updates timely, easy to install, reliable and complete.

Enhancing Security for the Supply Chain

The supply chain encompasses a spectrum of operations, including part and component sourcing, product manufacturing, shipping, and systems integration. Governments have become increasingly apprehensive about the possibility that a sophisticated, hostile actor could manipulate or sabotage products during their design, development or delivery in order to undermine or disrupt government functions.

We recently published two white papers on cyber supply chain risk management. The first white paper Cyber Supply Chain Risk Management: Toward a Global Vision of Transparency and Trust presents a set of key principles to enable governments and vendors to manage supply chain policies more effectively. The second paper, Toward A Trusted Supply Chain: A Risk-Based Approach to Managing Software Integrity provides a framework for the pragmatic creation and assessment of Software Integrity risk management practices in the product development process and online services operations.

Enhancing Operational Security

Strong operational security and use of best practices are essential because attackers often focus on finding deployment issues such as unpatched or misconfigured computers, weak passwords, computers that unintentionally bridge the corporate network to the Internet, or unapproved file-sharing software that makes internal documents publicly available.

The importance of solid operational security measures such as staying current with security updates cannot be overstated. We tracked the exploitation of Microsoft Office vulnerabilities in Volume 8 our own Security Intelligence Report last year. It showed the effectiveness of staying up-to-date on new software versions:

If the Office 2003 RTM users in the sample had installed SP3 and no other security updates, they would have been protected against 96 percent of observed attacks; likewise, Office 2007 RTM users would have been protected from 99 percent of attacks by installing SP2.

Operational security can be enhanced by the use of best practices, including:

  • Employ defense-in-depth. Your network defenses should be deep, integrating multiple, overlapping, and mutually supportive defensive systems. Defense systems should include firewalls, gateway antivirus protection, intrusion detection, intrusion protection systems, and Web security gateway solutions.
  • Aggressively update. An aggressive update program is essential. Operating systems, applications, and browser plug-ins should be updated whenever new code is released. Automated patch deployment should be used whenever possible to maintain up-to-date protection across the organization.
  • Update security countermeasures. Security countermeasures, including virus definitions and intrusion prevention must be updated continually.
  • Monitor for threats. Proactively monitor infrastructure for network intrusions, malicious code propagation attempts, suspicious traffic patterns, attempts to connect to known malicious or suspicious hosts, and attempts to spoof trusted web sites. Stay current with vulnerability alerts and remediation.
  • Ensure proper incident response procedures. Proper incident response should be an integral part of your overall security policy and risk mitigation strategy. This should involve proactively creating incident response plans, and assembling an incident response team.

Enhancing Security against Social Engineering

Sometimes users make poor choices; when these are directed by an attacker, we call that social engineering. Social engineering attacks can be difficult to protect against, because it’s hard to protect against the actions of a legitimate user. Education is a key part of defense. Organizations should raise awareness of these threats and provide training to help spot and prevent social engineering. For example, users should be suspicious of receiving attachments and be cautious when clicking on URLs in e-mails or social media sites. Web browser URL reputation solutions can help by blocking known malicious sites or downloads.

Organizations can also protect users from their own actions by instituting best practices such as:

  • Use encryption. Encryption should be used to protect sensitive data, including drive encryption like BitLocker to secure data should a computer be stolen or simply lost.
  • Enforce an effective password policy. Ensure passwords or passphrases are at least eight to 10 characters long and include a mixture of letters and numbers. Encourage users to avoid re-using the same passwords on multiple Web sites, and sharing passwords with others. Passwords should be changed at least every 90 days.
  • Apply least privilege. Use least-privilege accounts and software restriction policies.

Conclusion

Cyber criminals, including those who conduct economic or military espionage, will be with us for a while. They have shown the ability to evolve their techniques to take advantage of whatever weakness they can find, and shift to leverage the weakest link available to them. But their basic approaches are understood, and organizations have the means to greatly enhance their security by practicing risk management to identify and secure their weakest links, and deploying defense in depth instead of relying on any single cyber shield.