I’m happy today to introduce a guest blog post by Matt Thomlinson, the General Manager of Trustworthy Computing Security at Microsoft, who leads the Microsoft Security Engineering Center (MSEC), the Microsoft Security Response Center (MSRC), and Global Security Strategy & Diplomacy (GSSD). His teams are responsible for proactively implementing training, tools and processes of the Security Development Lifecycle (SDL) to improve the security of Microsoft products.
Matt is speaking today at the North Atlantic Treaty Organization (NATO) Information Assurance Symposium 2011, where he will deliver a keynote that embodies the content written here.
Anyone in the computer security field will tell you that our constant companion is change. The cyber threat landscape is continually evolving, with the attacks becoming ever more sophisticated.
Just pick up a newspaper and read the headlines. It’s no longer just vandals or petty cyber criminals taking advantage of random individuals on the Internet. We’re now in an era of targeted attacks from a spectrum of bad actors with a wide set of motivations. Scott Charney, Corporate Vice President, Trustworthy Computing, Microsoft, addresses the range of threats and motivations in his white paper Rethinking the Cyber Threat: A Framework and Path Forward. Charney divides threats into four categories: cybercrime, economic espionage, military espionage, and cyber warfare.
In the previous cyber threat era—before the recent surge of sophisticated, targeted attacks—the best practice was to keep yourself immune from the things that were affecting the masses. It was generally good enough to make yourself a harder-than-average target by staying up-to-date with patching, running antivirus software, and observing other measures for risk mitigation. But in today’s threat landscape, we face a greater challenge: How does an organization defend against attackers who spend time selecting targets, staking them out, analyzing weaknesses, and tailoring custom attacks?
As I prepared to address the North Atlantic Treaty Organization (NATO) Information Assurance Symposium 2011—with its theme of “NATO’s Cyber Shield—How high, how wide”—I chose to emphasize two important questions:
The good news is that it seems to me that an organization’s resources can be protected better than the headlines might lead us to believe—even in the face of malicious adversaries and targeted attacks.
No matter what their motive, bad actors have a finite set of tools at their disposal. There are four areas that attackers can focus on, and in each one there is a finite set of methods that attackers can use. The four areas are:
Generally a cyber attacker is more likely to attempt a social engineering attack than a supply chain attack, as the investment required for this second route is greater. Looking at the threat from a NATO perspective, and faced with long-term, well-funded adversaries, all options are open. However, even with all avenues of attack under scrutiny, organizations can still take steps to enhance their security against all four areas of attack. In fact, they must do so to ensure there is no glaring “weakest link” and that an attacker can’t just sidestep investment in one area. So let’s take a look at how security can be enhanced at each of the four stages.
Enhancing product security is mostly in the hands of the vendor. My comments in this section will necessarily be Microsoft-centric, though I believe they provide guidance that could be useful for others.
From the inception of a product at Microsoft we apply rigorous processes and tools to reduce vulnerabilities. Our Security Development Lifecycle (SDL) is applied to every product during development and has proven its ability to increase the security of software. We’ve made the SDL process and many of our tools available for others to use—check out http://microsoft.com/SDL.
Responding to the “weakest link” hypothesis above, we see attackers moving away from Microsoft products as they get harder to attack. Kaspersky, the antivirus firm, noted in their latest IT Threat Evolution quarterly report (Aug 2011) that of the top 10 vulnerabilities they observed being used, none were flaws in a Microsoft product.
We also invest in mitigations so that even if a vulnerability is found, it is still difficult or impossible for an attacker to use. These mitigations, such as ASLR, included in Windows Vista, are built in and most are enabled by default. While you don’t notice them when using the computer, they take useful handholds away from attackers. The SDL requires that Microsoft products take advantage of mitigations to improve their resistance to attack.
Finally, it’s important to apply software updates to quickly respond to issues and decrease the likelihood of an attack against that issue or vulnerability. We’ve worked hard to make these updates timely, easy to install, reliable and complete.
The supply chain encompasses a spectrum of operations, including part and component sourcing, product manufacturing, shipping, and systems integration. Governments have become increasingly apprehensive about the possibility that a sophisticated, hostile actor could manipulate or sabotage products during their design, development or delivery in order to undermine or disrupt government functions.
We recently published two white papers on cyber supply chain risk management. The first white paper, Cyber Supply Chain Risk Management: Toward a Global Vision of Transparency and Trust, presents a set of key principles to enable governments and vendors to manage supply chain policies more effectively. The second paper, Toward A Trusted Supply Chain: A Risk-Based Approach to Managing Software Integrity, provides a framework for the pragmatic creation and assessment of Software Integrity risk management practices in the product development process and online services operations.
Strong operational security and use of best practices are essential because attackers often focus on finding deployment issues such as unpatched or misconfigured computers, weak passwords, computers that unintentionally bridge the corporate network to the Internet, or unapproved file-sharing software that makes internal documents publicly available.
The importance of solid operational security measures such as staying current with security updates cannot be overstated. We tracked the exploitation of Microsoft Office vulnerabilities in Volume 8 of our own Security Intelligence Report last year. It showed the effectiveness of staying up-to-date on new software versions:
If the Office 2003 RTM users in the sample had installed SP3 and no other security updates, they would have been protected against 96 percent of observed attacks; likewise, Office 2007 RTM users would have been protected from 99 percent of attacks by installing SP2.
Operational security can be enhanced by the use of best practices, including:
Sometimes users make poor choices; when these are directed by an attacker, we call that social engineering. Social engineering attacks can be difficult to protect against, because it’s hard to protect against the actions of a legitimate user. Education is a key part of defense. Organizations should raise awareness of these threats and provide training to help spot and prevent social engineering. For example, users should be suspicious of receiving attachments and be cautious when clicking on URLs in e-mails or social media sites. Web browser URL reputation solutions can help by blocking known malicious sites or downloads.
Organizations can also protect users from their own actions by instituting best practices such as:
Cyber criminals, including those who conduct economic or military espionage, will be with us for a while. They have shown the ability to evolve their techniques to take advantage of whatever weakness they can find, and shift to leverage the weakest link available to them. But their basic approaches are understood, and organizations have the means to greatly enhance their security by practicing risk management to identify and secure their weakest links, and deploying defense in depth instead of relying on any single cyber shield.