"Stay Safe" Cyber Security Blog : Application

Flying Pigs at the Turn of the Tide: Microsoft is finally emerging as a leader the cyber security industry

tarwine — Tue, 23 Jun 2009 18:31:00 GMT

Microsoft has been dealing with cyber treats for years both internally and with our customers, but just in case you haven’t noticed; there has been a significant change in the tide from both in the focus of such malevolent attacks and public perception of Microsoft ability to deal with those threats effectively.

To see the trends in Cyber Warfare, one needs to just read some of the headlines in The Latest Microsoft Security Intelligence Report or News articles and the focus of recent attacks now on the rise.

Just take a look at some recent news articles:

February 24^th 2009 – SQL Attacks - Half a Million Sites Already Owned -”Current epidemic of online SQL injection attacks maintains that over a half million sites were victimized by the threats during 2008 alone”

April 3^rd 2009 – VMware exploits - just how bad is it? - “When Tony reported on the release of new VMware patches on April 4th, we didn't immediately spot that the same day there was also a release of a for-pay exploit against CVE-2009-1244 (announced in VMSA-2009-0006). Seems a few days later, there is also a white paper available -for pay as well-, and now also a flash video of the alleged exploit showing a XP client OS exploiting a Vista host OS (launching calc.exe). The video also comments that they get a data leak back from the host to the client”

April 14th 2009 - Attack Sneaks Rootkits Into Linux Kernel - “A researcher at Black Hat Europe this week will demonstrate a more stealthy way to hack Linux “. “One of bonuses of this [approach] is that most kernel module rootkits make a lot noise when they are inserting [the code]. This one is directly manipulating" the memory, so it's less noticeable, he says”

April 16^th 2009 - iBotnet: Researchers find signs of zombie Macs – “Writing in the current issue of Virus Bulletin (subscription required), researchers Mario Ballano Barcena and Alfredo Pesoli found two malware variants — OSX.Iservice and OSX.Iservice.B — using different techniques to obtain the user’s password and take control of the infected Mac machine”

Contrast this with the trend of positive security reports from Gartner, Av-Comparatives and other Security experts raving about Microsoft’s SDL, security software and best practice guidance.

March 25^th 2009 - Gartner: No need to wait for Windows 7 SP1 - A Gartner analysis report recommends IT departments to depart from the usual SP1 milestone when deciding to deploy Windows 7

"Conventional wisdom has been that organizations need to wait for the first Service Pack to ship before they deploy a new client OS. This used to be a necessity. The availability of beta software to test the new product was not as broad as it is today, and people expected the initial release to be buggy and unstable. The first Service Pack usually would ship approximately nine to 12 months after the initial OS shipment, and would usually represent a marked improvement in stability. Today, SP1 does not represent the milestone it used to"

May 20^th 2009 - Adobe to release security updates a la Patch Tuesday - “Adobe said on Wednesday it will release quarterly security updates to coincide with Microsoft's Patch Tuesday as part of a new approach to product security for Adobe Reader and Acrobat. “

“All new code and features for Adobe Reader and Acrobat have been put through a Secure product Lifecycle that is similar to Microsoft's much-touted Security Development Lifecycle.”

June 10^th 2009 - Microsoft Ranks First in AV-Comparatives May Edition for Proactive Detection Testing! – “We are #1 this time! And it is our first time scoring Advanced+ in AV-comparatives testing. We scored very well on both ends: second best in detection rate and we had the fewest false positives. AV-Comparatives.org published the May edition of the proactive/retrospective testing of the May Edition….Our detection rate was…the second best among the participants, and we had the fewest false positive samples.

For details, please check AV-comparatives May edition published below: http://www.av-comparatives.org/images/stories/test/ondret/avc_report22.pdf”

June 29^th 2009 - Pigs fly! Microsoft leads in security – “Microsoft's success with Security Development Lifecycle has security experts buzzing and offers lessons…Many of the world's most knowledgeable security experts are urging their favorite software vendors to follow in the footsteps of Microsoft.

"Microsoft becomes high priest of secure software development." - CNET

“As an industry we should recognize the sea change in Microsoft's approach to security… and encourage other vendors to follow Microsoft's lead." - SANS NewsBites

“In 2004 Microsoft was a couple years into its Trustworthy Computing Initiative but it remained the software company IT security practitioners hated with glee.... That's not so much the case today." -- Computerworld

"As repugnant as it sounds, Apple will need to take a page from Microsoft's book in this area. Years of combating viral threats, malware, and so on - CrunchGear

“It isn't just press talk alone. Every common security and vulnerability metric shows Microsoft's software security has dramatically improved over the years, especially compared to its main competitors. Vulnerabilities found by employees and external researchers are down well over half from just a few years ago. For some products, such as IIS and SQL Server, the improvement is startling going from dozens of exploits a year to barely a handful over five years.”

“Hackers have moved on from focusing on Windows holes to attacking third-party applications or social engineering the end-user as the primary attack vector. Patch Tuesday was derided when it first appeared. Now it has become a model for many other popularly attacked products, and vendors not using a regularly scheduled patch period are being asked to get on board by their customers.”

“I challenge you to find anywhere near the amount of free resources on improving your software security from any other source.”

Summary:

Microsoft has made contributions with The Microsoft Security Development Lifecycle (SDL). This SDL framework along with Microsoft’s free security tools, patch Tuesday example, and Microsoft’s Forefront Security products, have forced the trend of attacks to shift to 3^rd party and applications and low hanging fruit, and simultaneously bolstered Microsoft reputation as not only a security player, but a leader in the industry.

Look for more to come with the Forefront “Stirling” wave and Windows 7

Secure Web Applications - The Microsoft Way

tarwine — Thu, 29 Nov 2007 19:15:00 GMT

A question came up this week on how to Secure Web Applications the Microsoft way.

Microsoft has extensive prescriptive guidance that applies to secure online applications.

Defense in Depth

1. Start by building on a Secure Platform:

· Windows Server 2003 with latest Service Pack - http://www.microsoft.com/windowsserver2003/default.mspx

· Windows SQL Server 2005 with Latest Service Pack http://www.microsoft.com/sql/default.mspx

· Implement Microsoft Best Practice Security Guidance for Servers - http://www.microsoft.com/technet/security/guidance/serversecurity.mspx

2. Build the application using best practice Secure Coding techniques

· Secure Coding Guidelines - http://msdn2.microsoft.com/en-us/library/d55zzx87.aspx

· Writing Secure Code - http://msdn2.microsoft.com/en-us/security/aa570401.aspx

3. Be aware of common threats to Applications and avoid SQL Injection & Cross Site Scripting attacks:

· “Stop SQL Injection Attacks Before They Stop You” - http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection

· “How To: Protect From SQL Injection in ASP.NET” - http://msdn2.microsoft.com/en-us/library/ms998271.aspx

· “How to Prevent Cross Site Scripting” - http://support.microsoft.com/kb/252985

· “Anti-Cross Site Scripting Library” - http://msdn2.microsoft.com/en-us/security/aa973814.aspx

4. Use Network based Firewall at the perimeter –Forefront Edge: ISA 2006

· Secure remote access - http://www.microsoft.com/forefront/edgesecurity/sra.mspx

· Network protection against Floods & Attacks - http://www.microsoft.com/technet/isa/2006/flood_resiliency.mspx

5. Access the Application securely by Publishing through the Firewall & using appropriate security

· Publish Site using Forefront Edge Internet Application Gateway (IAG) with Application Layer Firewall - http://www.microsoft.com/forefront/edgesecurity/iag/default.mspx

· IAG Secure Remote Access White Papers - http://www.microsoft.com/forefront/edgesecurity/iag/whitepapers.mspx

· Use the practice of Least Privilege account access - http://www.microsoft.com/technet/security/secnews/articles/lpuseacc.mspx

6. Audit your Firewall, Application and Operating System Logs

· Audit Active Directory - http://support.microsoft.com/kb/814595

· Audit Policy - http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch03n.mspx

· Audit ISA - http://www.microsoft.com/technet/isa/2006/security_guide.mspx

7. Use Secure Authentication Mechanisms (IAG can use AD, Kerberos, RADIUS, LDAP etc…)

· IIS Authentication - http://support.microsoft.com/kb/324274

· Kerberos Authentication in Windows Server 2003 http://www.microsoft.com/windowsserver2003/technologies/security/kerberos/default.mspx

8. Use Host based Antivirus & Antimalware protection on Clients and Servers

· Forefront Client Security - http://www.microsoft.com/forefront/clientsecurity/default.mspx

9. Keep all systems patched with latest Security Patches using Microsoft Update or WSUS

· Microsoft Windows Server Update Services (WSUS) - http://technet.microsoft.com/en-us/wsus/default.aspx

· How to keep your Windows up-to-date - http://support.microsoft.com/kb/311047

· Patch 3^rd party products that are not managed by Microsoft

o Backup Software

o Zip or Compression Utilities

o Antivirus

o IE Plug-ins

o Management Software

o etc….

Note: A System that is Fully Patched with Microsoft Updates can be vulnerable by un-patched vulnerable software with a driver or running with administrator privileges.

10. Remember the CIA Triad of security of Confidentiality, Integrity, and Availability

There are a number of other considerations to consider as well focusing on these 3

· Backups of Server 2003 & SQL 2005 Database

a. http://www.microsoft.com/technet/prodtechnol/sql/2005/bkupssas.mspx

b. http://technet.microsoft.com/en-us/library/aa998799.aspx

c. http://technet.microsoft.com/en-us/library/ms175477.aspx

· Load Balancing & Clustering

a. http://technet2.microsoft.com/WindowsServer/en/Library/1611cae3-5865-4897-a186-7e6ebd8855cb1033.mspx?mfr=true

b. http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/2d5977cf-06b7-4d4b-8e8c-ce083ac8a6ee.mspx?mfr=true

· High Availability & Disaster Recovery

a. http://www.microsoft.com/technet/security/guidance/disasterrecovery.mspx

b. http://www.microsoft.com/technet/windowsserver/sharepoint/V2/reskit/c2861881x.mspx

c. http://technet.microsoft.com/en-us/sqlserver/bb331801.aspx

· File Encryption (EFS & BitLocker)

a. http://www.microsoft.com/technet/security/guidance/cryptographyetc/efs.mspx

b. http://technet.microsoft.com/en-us/windowsvista/aa905065.aspx

Note: BitLocker will be available in Windows Server 2008 http://technet2.microsoft.com/WindowsVista/en/library/58358421-a7f5-4c97-ab41-2bcc61a58a701033.mspx?mfr=true

· Rights Management Services (RMS)

a. http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx

b. http://www.microsoft.com/windowsserver2003/techinfo/overview/rm.mspx

Case Study

The Infrastructure of www.microsoft.com, Microsoft Update, and the Download Center

http://download.microsoft.com/download/6/2/b/62bae197-0d3d-4dbb-913a-acd21c57a2c7/DRJ_MSCom_Design_for_Resilience_FINAL.ppt

Conclusion

These are a few things to consider, but the key is to thinking about Defense in Depth and end-to-end security of the Data, Systems, Network Infrastructure, and Application.

You need to know first how to secure the application, but then you need to know how to identify threats when security is being tested and/or compromised and how to respond to those threats.