Slide 1: Security: The Changing Threat Environment
David Aucsmith, Architect and CTO, Security Business & Technology Unit, Microsoft Corporation (awk @ microsoft.com)
Slide 2: Session Outline
  - The World Today: Threats; Bad Guys
  - How We Got There: Legacy; Crime
  - Evolving the Solution: Security Strategy
  - A Look Ahead
Slide 3: Vulnerability Timeline [The World Today]
  Chart only (life cycle of a vulnerability). Labels in the transcript: "Rarely discovered", "Attacks occur here", "Why does this gap exist?"
Slide 4: Vulnerability Timeline [The World Today]
  Days from patch to exploit (chart):
    Nimda: 331 days
    SQL Slammer: 180 days
    Welchia/Nachi: 151 days
    Blaster: 25 days
  - Days between patch and exploit have decreased so that patching is not a defense in large organizations
  - Average 6 days for a patch to be reverse engineered to identify the vulnerability
  Source: Microsoft
Slide 5: The Forensics of a Virus [The World Today]
  Blaster shows the complex interplay between security researchers, software companies, and hackers.
  Phases: vulnerability reported to us / patch in progress; bulletin & patch available, no exploit; exploit code in public; worm in the world.
  - July 1 (Report): Vulnerability in RPC/DCOM reported; MS activated highest level emergency response process
  - July 16 (Bulletin): MS03-026 delivered to customers (7/16/03); continued outreach to analysts, press, community, partners, government agencies
  - July 25 (Exploit): X-focus (Chinese group) published exploit tool; MS heightened efforts to get information to customers
  - Aug 11 (Worm): Blaster worm discovered; variants and other viruses hit simultaneously (e.g. "SoBig")
  Source: Microsoft
Slide 6: Understanding the Landscape [The World Today]
  Chart only: attackers plotted by motivation (Curiosity, Personal Fame, Personal Gain, National Interest) and skill (Script-Kiddy, Hobbyist Hacker, Expert, Specialist), with the actor labels Vandal, Thief, Spy, Trespasser and Author; one region is marked "Fastest growing segment".
  - Tools created by experts are now used by less-skilled attackers and criminals
Slide 7: Legacy and Environment [How We Got Here]
  - The security kernel of Windows NT was written:
      before there was a World Wide Web
      before TCP/IP was the default communications protocol
  - The security kernel of Windows Server 2003 was written:
      before buffer overflow tool kits were generally available
      before Web Services were widely deployed
Slide 8: Honey Pot Projects [How We Got Here]
  - Six computers attached to the Internet; different versions of Windows, Linux and Mac OS
  - Over the course of one week: machines were scanned 46,255 times; 4,892 direct attacks
  - No up-to-date, patched operating system succumbed to a single attack
  - All down-rev systems were compromised
      Windows XP with no patches: infested in 18 minutes by Blaster and Sasser; within an hour it became a "bot"
  Source: StillSecure, see http://www.denverpost.com/Stories/0,1413,36~33~2735094,00.html
Slide 9: Malware [How We Got Here]
  - Spam
  - Phishing
  - Spyware
  - Bots
  - Root Kit Drivers
Slide 10: Spam [How We Got Here]
  Mass unsolicited email:
  - For commerce: direct mail advertisement
  - For Web traffic: artificially generated Web traffic
  - Harassment
  - For fraud: phishing, identity theft, credential theft
  Affiliate programs example:
  - $0.50 for every validated free-trial registrant
  - 60% of each membership fee from people you direct to join the site
  - SoBig spammed > 100 million inboxes
  - If 10% read the mail and clicked the link = 10 million people
  - If 1% signed up for a 3-day free trial = (100,000 people) x ($0.50) = $50,000
  - If 1% of free trials sign up for 1 year = (1,000 people) x ($144/yr) = $144,000/yr
Slide 11: Phishing [How We Got Here]
  - Most people are spoofed: over 60% have visited a fake or spoofed site
  - Many people are tricked: over 15% have provided personal data
  - Economic loss: ~2% of people, average loss of $115
  Source: TRUSTe
Slide 12: Spyware [How We Got Here]
  Software that collects personal information from you without your knowledge or permission.
  - Privacy: 15 percent of enterprise PCs have a keylogger (Source: Webroot's SpyAudit); the number of keyloggers jumped three-fold in 12 months (Source: Sophos)
  - Reliability: Microsoft Watson data shows ~50% of crashes are caused by spyware
Slide 13: Bots [How We Got Here]
  Bot ecosystem: bots, botnets, control channels, herders.
  It began en masse with MyDoom.A:
  - Eight days after MyDoom.A hit the Internet, spammers scanned for the back door left by the worm
  - Installed a Trojan horse called Mitglieder
  - Then used those systems as their spam engines
  - Millions of computers across the Internet were now for sale to the underground spam community
Slide 14: Bot-Nets Tracked (3 Sep 2004 snapshot) [How We Got Here]
  Table of tracked botnets with the columns Age (days), Name, Server and Max Size: 12 rows of IRC control-server hostnames and channels, the largest tracked at 10,725 bots and several of unknown size (server list omitted here).
Slide 15: In The News [How We Got Here]
  "Botnet with 10,000 Machines Shut Down" (Sept 8, 2004):
    A huge IRC "botnet" controlling more than 10,000 machines has been shut down by the security staff of Norwegian provider Telenor, according to the Internet Storm Center. The discovery confirms beliefs about the growth of botnets, which were cited in the recent distributed denial of service (DDoS) attack upon Akamai and DoubleClick that sparked broader web site outages. [...]
    http://news.netcraft.com/archives/2004/09/08/botnet_with_10000_machines_shut_down.html
  "FBI busts alleged DDoS Mafia" (Aug 26, 2004):
    A Massachusetts businessman allegedly paid members of the computer underground to launch organized, crippling distributed denial of service (DDoS) attacks against three of his competitors [...]
    http://www.securityfocus.com/news/9411
Slide 16: Payloads [How We Got Here]
  - Keystroke loggers for stealing CC, PII
  - SYN or application flooding code, used for DDoS; DDoS has been used many times, including public attacks against Microsoft.com
  - Spam relays: 70-80% of all spam (Source: SpecialHam.com, Spamforum.biz)
  - Piracy
  - Future features
Slide 17: Botnet Damage Potential [How We Got Here]
  Figures assume a 10,000-member botnet.
  Attack                     | Requests/bot | Botnet total  | Resource exhausted
  Bandwidth flood (uplink)   | 186 kbps     | 1.86 Gbps     | T1, T3, OC-3, OC-12
  Bandwidth flood (downlink) | 450 kbps     | 4.5 Gbps      | T1, T3, OC-3, OC-12, OC-48 (2.488 Gbps); 50% of Taiwan/US backbone
  SYN flood                  | 450 SYNs/sec | 4.5M SYN/sec  | 4 dedicated Cisco Guard (@ $90k) or 20 tuned servers
  Static HTTP GET (cached)   | 93/sec       | 929,000/sec   | 15 servers
  Dynamic HTTP GET           | 93/sec       | 929,000/sec   | 310 servers
  SSL handshake              | 10/sec       | 100,000/sec   | 167 servers
  September 2004 postings to SpecialHam.com, Spamforum.biz (quoted):
    > $350.00/weekly - $1,000/monthly (USD)
    > Type of service: Exclusive (One slot only)
    > Always Online: 5,000 - 6,000
    > Updated every: 10 minutes
    > $220.00/weekly - $800.00/monthly (USD)
    > Type of service: Shared (4 slots)
    > Always Online: 9,000 - 10,000
    > Updated every: 5 minutes
Slide 18: Rootkits [How We Got Here]
  - Growth in the root kit population
  - Technical challenge in the community
  - Defeats current anti-spyware products
  - Financial motivation to support adware & spyware
  Chart: Microsoft OCA root kit drivers (values not in the transcript)
Slide 19: Evolving The Solution: Microsoft's Security Focus (section divider, figure only)
Slide 20: Evolving The Solution: Microsoft's Security Focus (section divider, figure only)
Slide 21: Combating Spyware Threats [Evolving The Solution]
  - Global SpyNet(TM) community helps identify new spyware
  - Automatic signature downloads keep you up-to-date
  - Spyware removal reduces PC slow down, pop-up ads, and more
  - Scheduled scans help maintain PC security and privacy
  - Continuous protection guards 50+ ways spyware gets on a PC
  - Intelligent alerts handle spyware based on your preferences
Slide 22: Malicious Software Removal Tools [Evolving The Solution]
  - Updated monthly to remove prevalent malware
  - Targeted at consumers without antivirus
  - Enterprise deployable as part of a defense-in-depth strategy
  - Available through: Windows Update, Auto Update, online interface, MS Download Center
  - Complements traditional antivirus technologies by providing one tool that removes prevalent viruses and worms from a PC
Slide 23: Cleaner Statistics (as of 11 March 2005) [Evolving The Solution]
  Bots on Windows decreasing due to Windows XP SP2 (Source: Symantec)
  Release  | Days Live | Executions  | Disinfections | Value %
  January  | 28        | 124,613,632 | 239,197       | 0.1920%
  February | 28        | 118,209,670 | 351,135       | 0.2970%
  March    | 5         | 84,013,460  | 149,981       | 0.1785%
  Total    | 61        | 326,836,762 | 740,313       | 0.2265%
  Source: Microsoft
Slide 24: Vulnerability Assessment Roadmap [Evolving The Solution]
  - MBSA 1.2.1 (today): detects most security updates and common configuration vulnerabilities
  - Enterprise Scan Tool: detects critical and important security updates that MBSA does not
  - MBSA 2.0 (Q2CY05): will eventually detect all security updates and offer consistency with SMS, WUS and Windows Update
  - Geneva (1HCY06): authoritative vulnerability assessment for the MS platform
Slide 25: Network Access Protection [Evolving The Solution]
  - Health Checkup: check update level, antivirus, and other plug-in and scriptable criteria
  - Advanced Isolation: clients who do not pass can be blocked and isolated; isolated clients can be given access to updates to get healthy
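As an added illustration of the health-checkup and isolation flow described on this slide (example code written for this page, not Microsoft's Network Access Protection implementation), the policy below evaluates a client against update-level, antivirus and a scriptable criterion, and quarantines any client that fails, leaving it only the remediation hosts. The host names, thresholds and sample clients are constructed.

```python
"""Added example: a simple NAP-style health checkup. Not Microsoft code;
criteria, thresholds, host names and sample clients are constructed."""
from datetime import date

# Assumed names of the servers an isolated client may still reach to get healthy.
REMEDIATION_HOSTS = {"update.example.internal", "av-signatures.example.internal"}

# Criteria are (name, predicate) pairs; a scriptable check is just another predicate.
def _updates_current(c, today):    # security updates no older than 30 days
    return (today - c["last_update"]).days <= 30

def _antivirus_healthy(c, today):  # AV running and signatures no older than 7 days
    return c["av_enabled"] and (today - c["av_signature_date"]).days <= 7

def _firewall_on(c, today):        # stands in for a plug-in / scriptable criterion
    return c["firewall_enabled"]

CRITERIA = [("update level", _updates_current),
            ("antivirus", _antivirus_healthy),
            ("host firewall", _firewall_on)]

def health_checkup(client, today):
    """Return (verdict, failed criteria, reachable hosts).
    A client that cannot report an attribute fails that criterion rather than
    passing it, so an unknown state never grants full access."""
    failed = []
    for name, check in CRITERIA:
        try:
            ok = check(client, today)
        except KeyError:
            ok = False
        if not ok:
            failed.append(name)
    if failed:
        return "isolated", failed, set(REMEDIATION_HOSTS)
    return "healthy", failed, {"*"}   # "*" = full network access

# Constructed sample clients and evaluation date.
TODAY = date(2005, 3, 11)
CLIENTS = {
    "desk-01": {"last_update": date(2005, 3, 1), "av_enabled": True,
                "av_signature_date": date(2005, 3, 10), "firewall_enabled": True},
    "lab-07":  {"last_update": date(2004, 12, 20), "av_enabled": True,
                "av_signature_date": date(2005, 3, 10), "firewall_enabled": False},
    "guest":   {"av_enabled": False},   # reports almost nothing about itself
}

if __name__ == "__main__":
    for host, c in CLIENTS.items():
        print(host, health_checkup(c, TODAY))
```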
Slide 26: Evolving The Solution: Microsoft's Security Focus (section divider, figure only)
Slide 27: Update Quality Improvements [Evolving The Solution]
  Engineering process:
  - Automated triggering of QA processes on fix check-ins
  - Focus on good non-code solutions where risk is high
  - Reduction of 'encompassed fixes'
  - Use of oldest possible versions of dependent files
  - 'Dual Tree' versus 'Single Tree' servicing model
  Increased application compatibility:
  - Increased the number of applications tested
  - Expanded prescriptive documentation on tested applications
  Broader pre-release testing:
  - Microsoft: Desktop 10k+, Server 100+ (various roles)
  - Testing guidance produced along with beta versions
Slide 28: Updating Roadmap [Evolving The Solution]
  Diagram only. Today's channels: Windows Update (Windows only), AutoUpdate, Office Update, Download Center, SUS, SMS, VS Update. 2005: "Microsoft Update" (Windows Update) and Windows Update Services, each covering Windows, SQL, Exchange, Office and more.
Slide 29: Evolving The Solution: Microsoft's Security Focus (section divider, figure only)
Slide 30: Authentication [Evolving The Solution] (figure only)
Slide 31: Microsoft's Security Focus (section divider, figure only)
Slide 32: The Genesis of Security Vulnerabilities [Evolving The Solution]
  Diagram only: two overlapping sets, Intended Behavior and Actual Behavior; traditional bugs lie where intended behavior is not implemented, most security bugs lie where actual behavior exceeds what was intended.
Slide 33: Threat Modeling Process [Evolving The Solution]
  - Create a model of the app (DFD, UML etc.)
  - Categorize threats to each tree node with STRIDE: Spoofing, Tampering, Repudiation, Info Disclosure, Denial of Service, Elevation of Privilege
  - Build the threat tree
  - Rank threats with DREAD: Damage potential, Reproducibility, Exploitability, Affected Users, Discoverability
Slide 34: Threat tree example [Evolving The Solution]
  Diagram only: a threat tree for DFD element "1.2.1 Parse Request". Key: Threat (Goal) nodes carry a STRIDE category; Subthreat nodes carry a DREAD rating; leaf nodes are Conditions.
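The STRIDE/DREAD process of slide 33 and the "1.2.1 Parse Request" tree of slide 34, worked as an added example (code written for this page, not from the presentation): goals are tagged with a STRIDE letter, sub-threats and conditions form AND/OR subtrees, conditions closed by a countermeasure are marked mitigated, and the remaining reachable goals are ranked by their DREAD average. The threat names, scores and tree shape are constructed for illustration.

```python
"""Added example: threat tree with STRIDE categories and DREAD ranking.
Not from a real Microsoft threat model; threats and scores are constructed."""
from dataclasses import dataclass, field
from statistics import mean

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}

@dataclass
class Threat:
    """Tree node. Top-level goals carry a STRIDE letter and a DREAD tuple
    (Damage, Reproducibility, Exploitability, Affected users, Discoverability),
    each 1..10. An OR node is realised if any child is; an AND node needs all."""
    name: str
    stride: str = ""
    dread: tuple = ()
    children: list = field(default_factory=list)
    all_required: bool = False   # True = AND node, False = OR node
    mitigated: bool = False      # leaf condition closed by a countermeasure

    def dread_score(self) -> float:
        return mean(self.dread)

    def reachable(self) -> bool:
        """True if an unmitigated path through the subtree still realises this node."""
        if not self.children:
            return not self.mitigated
        paths = [c.reachable() for c in self.children]
        return all(paths) if self.all_required else any(paths)

def rank_threats(goals):
    """Goals still reachable, highest DREAD average first."""
    return sorted((g for g in goals if g.reachable()),
                  key=lambda g: g.dread_score(), reverse=True)

def parse_request_model():
    """Constructed tree for DFD element '1.2.1 Parse Request'."""
    overrun = Threat("Overlong URL overruns parse buffer", "E", (10, 8, 7, 10, 6),
                     all_required=True, children=[
                         Threat("Length not checked before copy"),
                         Threat("Stack cookie (/GS) absent", mitigated=True)])
    flood = Threat("Malformed requests exhaust parser CPU", "D", (6, 9, 8, 7, 8), children=[
        Threat("No per-client request rate limit"),
        Threat("Parser has pathological input cases")])
    leak = Threat("Error page echoes internal path", "I", (3, 10, 9, 4, 9), children=[
        Threat("Verbose errors enabled in production")])
    return [overrun, flood, leak]

if __name__ == "__main__":
    for t in rank_threats(parse_request_model()):
        print(f"{t.dread_score():.1f}  {STRIDE[t.stride]:<24} {t.name}")
```

The overrun goal drops out of the ranking because its AND node needs both conditions and the /GS condition is mitigated, which is exactly the reasoning the MS03-007 slide walks through layer by layer.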
Slide 35: SD3 At Work - MS03-007 [Evolving The Solution]
  - The underlying DLL (NTDLL.DLL) was not vulnerable: code was made more conservative during the Security Push
  - Even if it was running: IIS 6.0 doesn't have WebDAV enabled by default
  - Even if it did have WebDAV enabled: the maximum URL length in IIS 6.0 is 16 KB by default (>64 KB needed)
  - Even if it was vulnerable: IIS 6.0 is not running by default on Windows Server 2003
  - Even if there was an exploitable buffer overrun: it would have occurred in w3wp.exe, which now runs as 'network service'
  - Even if the buffer was large enough: the process halts rather than executes malicious code, due to buffer-overrun detection code (-GS)
Slide 36: Focus Yields Results
  Chart only (values 64, 27 and 628 appear in the transcript; their labels do not)
Slide 37: Evolving The Solution: Microsoft's Security Focus (section divider, figure only)
Slide 38: Support And Engagement [Evolving The Solution]
  Guidance and training:
  - Security Guidance Center
  - Free training for over 500K IT professionals
  Security tools:
  - Microsoft Baseline Security Analyzer
  - Security Bulletin Search Tool
  Community engagement:
  - Newsletters
  - Webcasts and chats
  - Microsoft "Security360"
Slide 39: Security Timeline
  Chart only; the timeline groups releases into Prior, H2 04, 2005 and Futures. Items shown:
  - Microsoft Baseline Security Analyzer (MBSA) v1.2
  - Virus Cleaner Tools
  - Systems Management Server (SMS) 2003
  - Software Update Services (SUS) SP1
  - Internet Security and Acceleration (ISA) Server 2004 Standard Edition
  - Windows XP Service Pack 2
  - Patching Technology Improvements (MSI 3.0)
  - Systems Management Server 2003 SP1
  - Microsoft Operations Manager 2005
  - Windows malicious software removal tool
  - Windows Server 2003 Service Pack 1
  - Windows Update Services
  - ISA Server 2004 Enterprise Edition
  - Windows Rights Management Services SP1
  - Windows AntiSpyware
  - System Center 2005
  - Windows Server 2003 "R2"
  - Visual Studio 2005
  - Vulnerability Assessment and Remediation
  - Active Protection Technologies
  - Antivirus
Slide 40: Call To Action
  - Keep current: software; anti-virus, cleaners, anti-spyware, ...
  - Defense in depth: strong authentication, firewalls, anti-malware
  - Use threat-based development
  - Learn from others
Slide 41: Community Resources
  - Windows Hardware & Driver Central (WHDC): www.microsoft.com/whdc/default.mspx
  - Technical Communities: www.microsoft.com/communities/products/default.mspx
  - Non-Microsoft Community Sites: www.microsoft.com/communities/related/default.mspx
  - Microsoft Public Newsgroups: www.microsoft.com/communities/newsgroups
  - Technical Chats and Webcasts: www.microsoft.com/communities/chats/default.mspx, www.microsoft.com/webcasts
  - Microsoft Blogs: www.microsoft.com/communities/blogs
Slide 42: Resources
  - General: http://www.microsoft.com/security
  - XP SP2 Resources for the IT Professional: http://www.microsoft.com/technet/winxpsp2
  - Security Guidance Center: http://www.microsoft.com/security/guidance
  - Tools: http://www.microsoft.com/technet/Security/tools
  - How Microsoft IT Secures Microsoft: http://www.microsoft.com/technet/itsolutions/msit
  - E-Learning Clinics: https://www.microsoftelearning.com/security
  - Events and Webcasts: http://www.microsoft.com/seminar/events/security.mspx