
Security: The Changing Threat Environment. David Aucsmith, Architect and CTO, Security Business & Technology Unit, Microsoft Corporation.


1 Security: The Changing Threat Environment
David Aucsmith, Architect and CTO, Security Business & Technology Unit, Microsoft Corporation

2 Session Outline
The World Today: Threats; Bad Guys
How We Got There: Legacy; Crime
Evolving the Solution: Security Strategy
A Look Ahead

3 Vulnerability Timeline (The World Today)
[Chart of a vulnerability's lifetime; labels: "Rarely discovered", "Attacks occur here", "Why does this gap exist?"]

4 Vulnerability Timeline: Days From Patch To Exploit (The World Today)
[Chart: days between patch and exploit]
  Nimda            331
  SQL Slammer      180
  Welchia/Nachi    151
  Blaster           25
Days from patch to exploit have decreased so that patching is not a defense in large organizations
Average 6 days for a patch to be reverse engineered to identify the vulnerability
Source: Microsoft

5 The Forensics of a Virus (The World Today)
Blaster shows the complex interplay between security researchers, software companies, and hackers.
July 1 (Report: vulnerability reported to us, patch in progress): vulnerability in RPC/DCOM reported; MS activated highest level emergency response process
July 16 (Bulletin: bulletin & patch available, no exploit): MS03-026 delivered to customers (7/16/03); continued outreach to analysts, press, community, partners, government agencies
July 25 (Exploit: exploit code in public): X-focus (Chinese group) published exploit tool; MS heightened efforts to get information to customers
Aug 11 (Worm: worm in the world): Blaster worm discovered; variants and other viruses hit simultaneously (e.g. "SoBig")
Source: Microsoft

6 Understanding the Landscape (The World Today)
[Chart: attacker motivation (National Interest, Personal Gain, Personal Fame, Curiosity) plotted against attacker skill (Script-Kiddy, Hobbyist Hacker, Expert, Specialist), with the roles Vandal, Thief, Spy, Trespasser and Author; one segment is marked "Fastest growing segment"]
Tools created by experts now used by less-skilled attackers and criminals

7 Legacy and Environment (How We Got Here)
The security kernel of Windows NT was written:
  Before there was a World Wide Web
  Before TCP/IP was the default communications protocol
The security kernel of Windows Server 2003 was written:
  Before buffer overflow tool kits were generally available
  Before Web Services were widely deployed

8 Honey Pot Projects (How We Got Here)
Six computers attached to the Internet, running different versions of Windows, Linux and Mac OS
Over the course of one week: machines were scanned 46,255 times; 4,892 direct attacks
No up-to-date, patched operating system succumbed to a single attack
All down-rev systems were compromised
Windows XP with no patches: infested in 18 minutes by Blaster and Sasser; within an hour it became a "bot"
Source: StillSecure, see,1413,36~33~2735094,00.html

9 Malware (How We Got Here): Spam, Phishing, Spyware, Bots, Root Kit Drivers

10 Spam (How We Got Here)
Mass unsolicited email:
  For commerce: direct mail advertisement
  For Web traffic: artificially generated Web traffic
  Harassment
  For fraud: phishing, identity theft, credential theft
Affiliate programs example:
  $0.50 for every validated free-trial registrant
  60% of each membership fee from people you direct to join the site
  SoBig spammed > 100 million inboxes
  If 10% read the mail and clicked the link = 10 million people
  If 1% signed up for a 3-day free trial = (100,000 people) x ($0.50) = $50,000
  If 1% of free trials sign up for 1 year = (1,000 people) x ($144/yr) = $144,000/yr

11 Phishing (How We Got Here)
Most people are spoofed: over 60% have visited a fake or spoofed site
Many people are tricked: over 15% have provided personal data
Economic loss: ~2% of people, average loss of $115
Source: TRUSTe

12 Spyware (How We Got Here)
Software that collects personal information from you without your knowledge or permission
Privacy: 15 percent of enterprise PCs have a keylogger (Source: Webroot's SpyAudit); number of keyloggers jumped three-fold in 12 months (Source: Sophos)
Reliability: Microsoft Watson, ~50% of crashes caused by spyware

13 Bots (How We Got Here)
Bot ecosystem: bots, botnets, control channels, herders
It began en masse with MyDoom.A: eight days after MyDoom.A hit the Internet, attackers scanned for the back door left by the worm, installed a Trojan horse called Mitglieder, then used those systems as their spam engines
Millions of computers across the Internet were now for sale to the underground spam community

14 Bot-Nets Tracked (3 Sep 2004 snapshot) (How We Got Here)
[Table of tracked botnets with columns Age (days), Name, Server, Max, Size]

15 In The News (How We Got Here)
Botnet with 10,000 Machines Shut Down (Sept 8, 2004): A huge IRC "botnet" controlling more than 10,000 machines has been shut down by the security staff of Norwegian provider Telenor, according to the Internet Storm Center. The discovery confirms beliefs about the growth of botnets, which were cited in the recent distributed denial of service (DDoS) attack upon Akamai and DoubleClick that sparked broader web site outages. […]
FBI busts alleged DDoS Mafia (Aug 26, 2004): A Massachusetts businessman allegedly paid members of the computer underground to launch organized, crippling distributed denial of service (DDoS) attacks against three of his competitors [...]

16 Payloads (How We Got Here)
Keystroke loggers for stealing CC, PII
SYN or application flooding code, used for DDoS; DDoS has been used many times, including public attacks against
Spam relays: 70-80% of all spam
Source, Piracy
Future features

17 Botnet Damage Potential (How We Got Here)
Assumes a 10,000-member botnet.
Attack                       Requests/bot    Botnet total     Resource exhausted
Bandwidth flood (uplink)     186 kbps        1.86 Gbps        T1, T3, OC-3, OC-12
Bandwidth flood (downlink)   450 kbps        4.5 Gbps         T1, T3, OC-3, OC-12, OC-48 (2.488 Gbps); 50% of Taiwan/US backbone
SYN flood                    450 SYNs/sec    4.5M SYN/sec     4 dedicated Cisco Guard (@ $90k) or 20 tuned servers
Static HTTP GET (cached)     93/sec          929,000/sec      15 servers
Dynamic HTTP GET             93/sec          929,000/sec      310 servers
SSL handshake                10/sec          100,000/sec      167 servers
September 2004 postings to,
  > $350.00/weekly - $1,000/monthly (USD)
  > Type of service: Exclusive (One slot only)
  > Always Online: 5,000 - 6,000
  > Updated every: 10 minutes
  > $220.00/weekly - $800.00/monthly (USD)
  > Type of service: Shared (4 slots)
  > Always Online: 9,000 - 10,000
  > Updated every: 5 minutes

18 Rootkits (How We Got Here)
Growth in the root kit population
Technical challenge in the community
Defeats current anti-spyware products
Financial motivation to support adware & spyware
[Chart: Microsoft OCA data on root kit drivers]

19 Evolving The Solution Microsoft’s Security Focus

20 Evolving The Solution Microsoft’s Security Focus

21 Combating Spyware Threats (Evolving The Solution)
Global SpyNet™ community helps identify new spyware
Automatic signature downloads keep you up-to-date
Spyware removal reduces PC slow down, pop-up ads, and more
Scheduled scans help maintain PC security and privacy
Continuous protection guards 50+ ways spyware gets on a PC
Intelligent alerts handle spyware based on your preferences

22 Malicious Software Removal Tools (Evolving The Solution)
Updated monthly to remove prevalent malware
Targeted at consumers without antivirus
Enterprise deployable as part of a defense-in-depth strategy
Available through: Windows Update, Auto Update, online interface, MS Download Center
Complements traditional antivirus technologies by providing one tool that removes prevalent viruses and worms from a PC

23 Cleaner Statistics (as of 11 March 2005) (Evolving The Solution)
Release    Days live   Executions     Disinfections   Value %
January    28          124,613,632    239,197         0.1920%
February   28          118,209,670    351,135         0.2970%
March      5           84,013,460     149,981         0.1785%
Total      61          326,836,762    740,313         0.2265%
Source: Microsoft
Bots on Windows decreasing due to Windows XP SP2 (Source: Symantec)

24 Vulnerability Assessment Roadmap (Evolving The Solution)
MBSA 1.2.1 (today): detects most security updates and common configuration vulnerabilities
Enterprise Scan Tool: detects critical and important security updates that MBSA does not
MBSA 2.0 (Q2 CY05): will eventually detect all security updates and offer consistency with SMS, WUS and Windows Update
Geneva (1H CY06): authoritative vulnerability assessment for the MS platform

25 Advanced Isolation: Network Access Protection (Evolving The Solution)
Health checkup: check update level, antivirus, and other plug-in and scriptable criteria
Clients who do not pass can be blocked and isolated
Isolated clients can be given access to updates to get healthy

26 Evolving The Solution Microsoft’s Security Focus

27 Update Quality Improvements (Evolving The Solution)
Engineering process:
  Automated triggering of QA processes on fix check-ins
  Focus on good non-code solutions where risk is high
  Reduction of 'encompassed fixes'
  Use of oldest possible versions of dependent files
  'Dual Tree' versus 'Single Tree' servicing model
Increase application compatibility:
  Increased the number of applications tested
  Expanded prescriptive documentation on tested applications
Broader pre-release testing:
  Microsoft: Desktop 10k+, Server 100+ (various roles)
  Testing guidance produced along with beta versions

28 Updating Roadmap (Evolving The Solution)
[Chart, Today vs. 2005. Today: Windows Update (Windows only), Office Update, Download Center, SUS, SMS, VS Update, AutoUpdate. 2005: "Microsoft Update" (Windows Update), Windows Update Services and SMS, each labelled "Windows, SQL, Exchange, Office…", plus AutoUpdate]

29 Evolving The Solution Microsoft’s Security Focus

30 Authentication (Evolving The Solution)

31 Microsoft’s Security Focus

32 The Genesis of Security Vulnerabilities (Evolving The Solution)
[Diagram: two overlapping circles, Intended Behavior and Actual Behavior. Traditional Bugs lie where intended behavior is not delivered; Most Security Bugs lie where actual behavior goes beyond what was intended]

33 Threat Modeling Process (Evolving The Solution)
Create model of app (DFD, UML etc)
Categorize threats to each tree node with STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
Build threat tree
Rank threats with DREAD: Damage potential, Reproducibility, Exploitability, Affected Users, Discoverability

34 Threat tree for DFD node 1.2.1 Parse Request (Evolving The Solution)
[Diagram: the root Threat (Goal) with its STRIDE category branches into sub-threats, each with its own STRIDE category and DREAD rating, down to leaf Conditions. Key: Threat (Goal) / STRIDE; Subthreat; Condition; DREAD]
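The STRIDE/DREAD process of slides 33 and 34, as an added example that is not part of the presentation: a small threat tree for the DFD node "1.2.1 Parse Request" (the node name is from the slide; the threats, conditions and ratings are constructed for illustration), where each rated node carries its STRIDE categories, realisability is computed from AND/OR conditions, and DREAD ranks what remains.

```python
from __future__ import annotations
from dataclasses import dataclass, field

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation", "I": "Information Disclosure",
          "D": "Denial of Service", "E": "Elevation of Privilege"}

def dread_score(ratings: tuple[int, ...]) -> float:
    """Mean of the five 1..10 ratings: Damage, Reproducibility, Exploitability, Affected users, Discoverability."""
    if len(ratings) != 5 or not all(1 <= r <= 10 for r in ratings):
        raise ValueError("DREAD needs five ratings in 1..10")
    return sum(ratings) / 5

@dataclass
class Node:
    """A goal or sub-threat (OR over its children, AND when all_required) or a leaf condition."""
    name: str
    stride: str = ""                 # STRIDE letters for a goal/sub-threat, e.g. "DE"
    dread: tuple[int, ...] = ()      # DREAD ratings, set on goals/sub-threats only
    all_required: bool = False
    present: bool = False            # leaf condition: does it hold in the deployed system?
    children: list[Node] = field(default_factory=list)

    def realisable(self) -> bool:
        if not self.children:
            return self.present
        return (all if self.all_required else any)(c.realisable() for c in self.children)

def walk(n: Node):
    yield n
    for c in n.children:
        yield from walk(c)

def rank_threats(root: Node) -> list[tuple[float, str, str]]:
    """Rated nodes whose subtree is still realisable, highest DREAD score first; removing one
    condition under an AND node (a mitigation, present=False) drops that threat from the list."""
    found = [(dread_score(n.dread), "/".join(STRIDE[s] for s in n.stride), n.name)
             for n in walk(root) if n.dread and n.realisable()]
    return sorted(found, key=lambda t: -t[0])

def parse_request_tree() -> Node:
    """Constructed tree for the slide's DFD node "1.2.1 Parse Request"; threats and ratings are illustrative."""
    overrun = Node("Overlong URL overruns parser buffer", "DE", (10, 10, 7, 10, 8), all_required=True,
                   children=[Node("Request length not bounded before copy", present=True),
                             Node("Worker process runs with high privilege", present=True)])
    header = Node("Header injection alters routing", "T", (6, 8, 6, 7, 9),
                  children=[Node("CR/LF accepted in header values", present=True)])
    audit = Node("Malformed request leaves no audit record", "R", (3, 10, 10, 5, 5), all_required=True,
                 children=[Node("Parser aborts before logging", present=True),
                           Node("Request logging disabled", present=False)])
    return Node("1.2.1 Parse Request", children=[overrun, header, audit])
```

With the constructed ratings the overrun (DREAD 9.0) ranks above the header injection (7.2), while the repudiation threat never appears because one of its AND conditions does not hold; marking the length check as done removes the overrun as well.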

35 SD3 At Work – MS03-007 (Evolving The Solution)
The underlying DLL (NTDLL.DLL) was not vulnerable: code made more conservative during the Security Push
Even if it was running, IIS 6.0 doesn't have WebDAV enabled by default
Even if it did have WebDAV enabled, the maximum URL length in IIS 6.0 is 16 KB by default (> 64 KB needed)
Even if it was vulnerable, IIS 6.0 is not running by default on Windows Server 2003
Even if there was an exploitable buffer overrun, it would have occurred in w3wp.exe, which now runs as 'Network Service'
Even if the buffer was large enough, the process halts rather than executing malicious code, due to buffer-overrun detection code (-GS)

36 Focus Yields Results
[Chart; data labels 64, 27, 628]

37 Evolving The Solution Microsoft’s Security Focus

38 Support And Engagement (Evolving The Solution)
Guidance and training: Security Guidance Center; free training for over 500K IT professionals
Security tools: Microsoft Baseline Security Analyzer; Security Bulletin Search Tool
Community engagement: newsletters; webcasts and chats; Microsoft "Security360"

39 Security Timeline
[Chart with three columns]
Prior / H2 04: Microsoft Baseline Security Analyzer (MBSA) v1.2; Virus Cleaner Tools; Systems Management Server (SMS) 2003; Software Update Services (SUS) SP1; Internet Security and Acceleration (ISA) Server 2004 Standard Edition; Windows XP Service Pack 2
2005: Patching Technology Improvements (MSI 3.0); Systems Management Server 2003 SP1; Microsoft Operations Manager 2005; Windows malicious software removal tool; Windows Server 2003 Service Pack 1; Windows Update Services; ISA Server 2004 Enterprise Edition; Windows Rights Management Services SP1; Windows AntiSpyware; System Center 2005
Future: Windows Server 2003 "R2"; Visual Studio 2005; Vulnerability Assessment and Remediation; Active Protection Technologies; Antivirus

40 Call To Action
Keep current: software; anti-virus, cleaners, anti-spyware, …
Defense in depth: strong authentication; firewalls; anti-malware
Use threat-based development
Learn from others

41 Community Resources: Windows Hardware & Driver Central (WHDC); Technical Communities; Non-Microsoft Community Sites; Microsoft Public Newsgroups; Technical Chats and Webcasts; Microsoft Blogs

42 Resources: General; XP SP2 Resources for the IT Professional; Security Guidance Center; Tools; How Microsoft IT Secures Microsoft; E-Learning Clinics; Events and Webcasts
