• Update on Conficker Variants

    Over the last few days we have seen a lot of coverage about new Conficker variants. Let me give you a very brief update. But before I start, let me make sure that we are clear on one thing. In the area of security, we often see coverage about somebody who heard something from the brother-in-law’s girlfriend’s nephew (choose any combination you want) that something either does not work (a security update is not working) or that something really bad is going to happen. If you look at Christopher Budd’s Ten Principles of Microsoft Patch Management, principle number 10 reads: The Security Bulletin is always authoritative. This statement is true for security updates as well as for malware. So, as a professional, please trust only “trusted sources” and nothing else, especially when a threat hits the press as hard as Conficker.

    So, let’s come back to the latest news about Conficker:

    Yes, there are two new binaries reported, and the best way to get information about them is through the following resources:

    There is one important quote in the Microsoft Malware Protection Center blog: “We are pleased to inform that Microsoft products such as Windows Live OneCare, Windows Live OneCare safety scanner, and the Forefront family of products were able to detect both of these newly reported binaries with existing signatures, no update required as Worm:Win32/Conficker.D and Worm:Win32/Conficker.gen!A. Specific detections have been added for the new variants as Worm:Win32/Conficker.D and Worm:Win32/Conficker.E”

    Roger

  • Security Intelligence Report: “Scareware” on the Rise

    You know that we release our Security Intelligence Report twice a year: today, Volume 6 is due.

    Let me try to give you an overview of the “highlights” of the report from my point of view:

    As I wrote in the title and as I blogged about this summer („Scareware“ on the Rise), one of the biggest growing threats we see is what I call “Scareware” or what we call in the report “Rogue Security Software”. I guess you know the feeling of visiting a website which then tells you that you are infected by malware and that you should download a piece of software to protect you (or to clean your PC). Here you see a screenshot of how this can look:

    Rogue Security Software Screenshot

    So, we have seen this growing over the last three periods and therefore we decided to feature a focus section on this growing threat.

    A standard topic in the report is about vulnerability disclosures. Here you find the chart you are used to if you read our Security Intelligence Report, my blog or heard me talking recently:

    Figure 1 with Title

    So, looking at the chart there is good and bad news:

    • The good news is that vulnerability disclosures (industry-wide) are decreasing.
    • However, there are still more than 2500 vulnerabilities per six months (to be clear again: this is the whole industry, not us).
    • And roughly 52% of all those vulnerabilities were high-severity ones!

    Looking at Microsoft’s vulnerabilities, this is the picture:

    Figure 3 with Title

    One thing I always mention when I talk about this: if you are planning your Patch Management processes and you look at the figures above, make sure you cover your whole IT and not “just” Microsoft. In H2 2008 we had roughly 100 vulnerabilities out of 2500! So, think about patching the others as well (see 98% unpatched – and I am one of them :()

    There are a few other charts in the report, like the percentage of vulnerabilities responsibly disclosed or attacks on applications, which I do not want to put in here (there has to be a reason you read the report :)). But one thing I do want to take up here, as it was so important in H2, is the PDF attacks, because they underline the statement I made above about Patch Management. Look at the exploits by month targeting Adobe Acrobat Reader:

    Figure 10 with Title

    To be crystal clear with the graph above: This is not finger-pointing at Adobe. We were working closely together to address this and for both vulnerabilities there are updates available today. What I wanted to show you is that you have to extend your risk management to applications outside Microsoft.
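    As an added example (not from the original post or from the report), here is a small PowerShell inventory that lists what is installed on a Windows host from the Uninstall registry keys and flags any selected product that is below a version baseline you supply. The product patterns and minimum versions in the baseline are placeholders, not versions taken from the post; fill them in from the vendor advisories your patch process tracks.

```powershell
# Added example, not part of the original post. Enumerates installed software
# from the Uninstall registry keys and compares selected products against a
# baseline of minimum versions that you maintain from vendor advisories.

function Get-InstalledSoftware {
    # Native and 32-bit (WOW6432Node) hives: on 64-bit Windows many third-party
    # applications, PDF readers included, register under the 32-bit hive.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.DisplayName
                Version   = $_.DisplayVersion
                Publisher = $_.Publisher
            }
        }
}

function Find-OutdatedSoftware {
    param(
        # Keys are DisplayName wildcard patterns, values the minimum acceptable version.
        [Parameter(Mandatory)] [hashtable] $Baseline,
        # Inventory to check; defaults to the local host, but an inventory collected
        # from other hosts (e.g. via Invoke-Command) can be passed in instead.
        [object[]] $Software = (Get-InstalledSoftware)
    )
    foreach ($app in $Software) {
        foreach ($pattern in $Baseline.Keys) {
            if ($app.Name -notlike $pattern) { continue }
            # DisplayVersion is free text; anything that does not parse as a
            # System.Version is reported rather than silently skipped.
            $installed = $null
            if (-not [version]::TryParse([string]$app.Version, [ref] $installed)) {
                [pscustomobject]@{
                    Name      = $app.Name
                    Installed = $app.Version
                    Required  = $Baseline[$pattern]
                    Status    = 'unparseable-version'
                }
                continue
            }
            if ($installed -lt [version] $Baseline[$pattern]) {
                [pscustomobject]@{
                    Name      = $app.Name
                    Installed = $installed
                    Required  = $Baseline[$pattern]
                    Status    = 'outdated'
                }
            }
        }
    }
}

# Placeholder baseline: patterns and versions are illustrative only and must be
# replaced with the minimums from your own vendor advisories.
$baseline = @{
    'Adobe Reader*' = '9.1'    # placeholder value
    'Java(TM)*'     = '6.0'    # placeholder value
}

Find-OutdatedSoftware -Baseline $baseline | Format-Table -AutoSize
```

    The point of the second parameter is that the comparison is separated from the collection: run Get-InstalledSoftware on every host through your normal remoting, collect the objects centrally, and apply one baseline to all of them, which is exactly the "whole IT, not just Microsoft" view the charts argue for.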

    Another standing set of graphs are world heatmaps. There are three of them in this Security Intelligence Report:

    The “classic” malware infection rate based on the Malicious Software Removal Tool:

    Infection Rate - World

    Even though we changed the way we determine where a computer is based (and therefore last report’s map cannot be compared with this one), EMEA does not look that bad. We have some challenges in the Middle East, Russia and – surprisingly to me – in Spain, but the rest looks not great but ok.

    But there is more. This time we look at the source of the malware based on infected websites and where they are hosted:

    Malware World

    Here we have quite a few green spots – which is good. It is interesting to see that Russia and Spain are red again here…

    And last but not least the heatmap on where phishing sites are hosted:

    Phishing World

    If you take a different angle and look at it from a Windows perspective with regard to malware infection, it once more shows the progress we made with the different OS versions:

    Figure 14 with Title

    This reinforces the message I am delivering as often as possible: if I could give you one single piece of advice from security person to security person (I am not measured on quota), it would be “stay on the latest version of your software – everywhere”. This includes Patch Management as well as Lifecycle Management. Just think about every piece of software you have (including embedded systems), think about when it was designed, and then think about the threat landscape back then… Do you really have to think twice?

    If you want to hear Vinny Gullotto (General Manager, Microsoft Malware Protection Center) talk about the Security Intelligence Report, you can look at an interview he did with Tim Rains: Vinny and Tim show - SIR Volume 6.

    So, this and much more you can find in our Security Intelligence Report. Download it and have fun!

    Roger

  • Bill would give Obama power to shut down Internet, networks during cyber attacks

    Interesting: Bill would give Obama power to shut down Internet, networks during cyber attacks

    Roger

  • The Impact of the Downturn on Security

    This is a question I often get asked: What is the impact of the economic downturn on security? I am convinced that three things will happen:

    1. Cybercrime will grow
    2. Security budgets will shrink – it is only open whether the budgets will shrink at the same pace as IT budgets or faster, but I am convinced that companies need to save money there as well
    3. Regulations will increase and so will the requirements for compliance

    So, to me compliance is the key theme for the next few years. Additionally, companies will have to move away from “best of breed” to “best of need” as budgets get tighter. Last but definitely not least, in order to address the compliance needs, you will have to go for an integrated solution of your products. There is no way you will be able to address the challenges with point solutions (and I guess I do not have to say here that we are best suited to help you with the best-of-need integrated platform).

    The actual reason why I write this post is two-fold: I had the honor this week to give the opening keynote at the CoE – OAS/CICTE Conference on Terrorism and Cyber Security in Madrid. I had the opportunity to talk to some journalists as well during the conference, and one of the articles covers point 1 from above (the rising cybercrime challenge): Economic crisis tempts tech experts into cyber crime. And then I stumbled across an article called Fired Employees Can Still Access Co Systems, Survey Finds. So, if you bring those two challenges together, you can easily derive what you have to do – things which are not new but more important (and sometimes urgent) than ever:

    • Get your processes in order. Processes covering Risk Management, Identity Management (a key process from my point of view), Change Management, Configuration Management, Update (including Patch) Management. These processes are essential for the cost-effective and secure operations of your network!
    • Accept that the Internet is your network. There is no such thing as “our internal network is trusted”. Your network cannot be trusted for different reasons, and a lot of your endpoints (e.g. notebooks, handhelds) are not within your perimeter as they travel.

    To me, those are the key starting points: Address your Patch Management, Identity Management and enforce policy compliance on your network with technologies like Domain Isolation using IPSec and Network Access Protection.
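    Added example, not from the original post: a minimal domain-isolation policy expressed with the NetSecurity PowerShell cmdlets. These cmdlets exist on Windows 8 / Server 2012 and later, so they post-date the post (in 2009 the same connection security rules were deployed through Group Policy or netsh advfirewall); the rule logic is the same. The addresses in the exemption list are placeholders, and the rule names are my own.

```powershell
# Added example, not part of the original post. Domain isolation with IPsec
# connection security rules via the NetSecurity module (Windows 8 / Server 2012+).
# Run elevated on a domain member, or deploy the equivalent rules through Group Policy.

# 1. Authenticate computers with their domain (Kerberos) machine credentials.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'DomainIsolation-MachineKerberos' `
                                      -Proposal $proposal

# 2. Exempt the infrastructure a client must reach before it can authenticate at
#    all (domain controllers for Kerberos, DNS, DHCP). Placeholder addresses:
#    replace with your own.
$infrastructure = @('10.0.0.10', '10.0.0.11')   # ASSUMPTION: example DC/DNS addresses
New-NetIPsecRule -DisplayName 'DomainIsolation-ExemptInfrastructure' `
    -RemoteAddress $infrastructure `
    -InboundSecurity None -OutboundSecurity None -Profile Domain

# 3. Require authenticated inbound connections from everything else, but only
#    *request* authentication outbound so members can still reach non-domain hosts
#    (printers, appliances, the Internet). Roll out with -InboundSecurity Request
#    first and watch the SAs before switching to Require, otherwise every
#    unmanaged device loses access to the isolated hosts at once.
New-NetIPsecRule -DisplayName 'DomainIsolation-AuthenticatedInbound' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name -Profile Domain

# 4. Verify: the rules are present and enabled, and once traffic has flowed,
#    main-mode security associations exist with the peers you expect.
Get-NetIPsecRule -DisplayName 'DomainIsolation-*' |
    Format-Table DisplayName, InboundSecurity, OutboundSecurity, Enabled -AutoSize
Get-NetIPsecMainModeSA | Format-Table LocalEndpoint, RemoteEndpoint -AutoSize
```

    The useful property of this setup is the one the bullet above asks for: a host that is not a domain member (including a departed employee’s personal laptop plugged into an office port) simply cannot open an inbound connection to an isolated server, regardless of which VLAN it sits on, because it cannot present a machine credential the domain will vouch for.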

    Roger

  • The Impact of the Downturn (part 2)

    Just a brief one: I wrote an article for Infosecurity, which was just published in the latest issue, covering the economic downturn as well. It is called Time to Step Up and can be found on page 45 of the latest edition.

    Roger