In my previous two blog posts, we looked at the insights and interesting findings contained within the latest Microsoft Security Intelligence Report. The report is now getting some press in the tech community, and one article in particular caught my attention. A report published by H Security notes, with some surprise, that “users are responsible for nearly half of all infections.” This doesn’t surprise me at all, though.

Humans are (largely) by nature trusting creatures that crave community, for both protection and intellectual stimulation. This is why social engineering works so well and will continue to do so until we’ve learned to be highly suspicious of everything our computer does. If our computer pops up a properly worded box warning that it is infected with a virus and offers to run a program to fix it, most of us will run that program. Technology and the Internet reached into all of our lives so rapidly that the trusting nature in-grained within us was unable to adapt quickly enough to the notion that a significant minority of people do not have our best interests at heart and would like to exploit us.

From time to time, TRUE is asked by clients to conduct social engineering exercises against the client’s employees. Even in the rare case where a client has engaged in educating its users against phishing attacks, we usually experience a 25% success rate. USB drives and CD-Rs left lying around usually get inserted into corporate machines, too. These exercises have great value because users see firsthand how susceptible they are to social engineering attacks, while reinforcing they should think twice before automatically trusting their emails or computers.

I’ve said it before, and I’ll keep saying it: users are the weakest link in security.

Brett Edgar

Brett is a Founder and the Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.

Twitter - More Posts

In yesterday’s article I detailed some interesting results from the latest Microsoft Security Intelligence Report from the Key Findings Summary.   I’ve now made it through several more sections and wish to highlight some more interesting data.

In the section titled “Malware and Potentially Unwanted Software” (starting on page 49, which is page 73 of the PDF), Microsoft presents many interesting statistics. They break down the infection rate by country (geolocated by IP), by Microsoft OS version (XP SP3 through Windows 7 SP1, including Server 2003 SP2 and Server 2008 R2) and bitted-ness (32 bit vs 64 bit), and threat categories by country. They also present statistics on rogue security software, a.k.a. “scareware.”

Most interesting to me, however, is the discussion of home vs. enterprise threats that starts at the bottom of page 66 (PDF page 90). By separating the data from its MSRT software into domain-joined vs. non-domain-joined computers, Microsoft is able to present a view of the differences between the home and the enterprise.  What is most interesting is that in the enterprise, the top threat category (approximately one-third of all threats) is worm-related.  On the home side, the top category (approximately one-third of all threats) is adware.  I sort of expected adware/spyware to be at the top of the list for home users, but based on data we gather from our enterprise network security monitoring (NSM) customers, I expected the same to hold true for the corporate world.

So what does this mean for enterprise NSM?  I don’t know for sure.  My first guess is that traditional network-based IDS is not as good at detecting worm traffic once it gets on the inside of the network, whereas it is quite a bit easier to detect adware/spyware that is going out to the Internet to retrieve advertisements (or transmit browsing histories).  Almost all of our customers place TRUE’s NSM devices at the Internet< ->internal boundary, so perhaps my expectations are an artifact of that placement.

Brett Edgar

Brett is a Founder and the Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.

Twitter - More Posts

The latest Microsoft Security Intelligence Report (Volume 11) has been released and contains some interesting information that Microsoft has collected from the execution of its Malicious Software Removal Tool (MSRT) and Internet Explorer SmartScreen® data.  Several of the results confirm what those of us in the network security monitoring community already know: Java is the most often exploited application (page xvii), Adobe Acrobat exploits account for most malicious documents (page xviii), and Adware is the most common type of malware identified (page xx).  Microsoft also stated that over a third of malware detected could spread via the AutoRun feature on removable media or on network shares.  Updates exist that help make the AutoRun feature in XP and Vista more like the one in Windows 7, which is to say more secure.  Deploy those updates.

Some of the more interesting information reported:

• What is not getting exploited as often as I would have suspected – Adobe Flash and Microsoft Office.  Even though two Flash vulnerabilities identified in the first half of 2011 led to an increase in exploits against Flash, Flash is getting exploited 7 times less often than Java!

• For the last four quarters (Q3 2010 through Q2 2011) the detection of trojan and backdoor malware has experienced a consistent slight downward trend.  An explanation could be the coordinated take down of several large botnets in the past year.  Microsoft has been involved in those take downs, so a shout of thanks goes to them!

• Another unexpected result: phishing attacks against social networks accounted for slightly less than half of all phishing attempts, while attacks against financial institutions accounted for slightly more than one-third of phishing attempts.  In April, Microsoft’s data indicated that 84% of all phishing attempts were against social networks.

So, what does this mean for security professionals in the corporate world?  Well, it’s nothing new really: protect the clients just as you would the servers.  Patching the OS is no longer enough.  You must patch applications regularly too – most importantly, Java, Acrobat, and Flash.   Disable AutoRun, if possible, but at a minimum deploy the updates from Microsoft for XP and Vista that make them more secure.  And, finally, warn your users about phishing attacks and discourage using the same password for personal social networking and financial websites as they use for their corporate login(s).

Brett Edgar

Brett is a Founder and the Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.

Twitter - More Posts

Well, installation wasn’t too bad.  It took about 20 minutes or so.  As a bonus, all of my settings seem to be intact and all of my programs continue to function properly.  Even our corporate AV is working… I hope this isn’t premature, but: Good job, Microsoft.

Brett Edgar

Brett is a Founder and the Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.

Twitter - More Posts

So Vista SP2 is now available to the masses.  I’ve downloaded it and am in the process of installing it.  So far no problems, but it is claiming that my machine may reboot several times and the total installation time may be 1 hour or more.  Here’s hoping the upgrade goes smoothly and I still have full functionality when the process completes…I’ll post my results here later today.

Brett Edgar

Brett is a Founder and the Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.

Twitter - More Posts

Microsoft appears set to display a new version of its search engine early next week.  The boys in Redmond have been scratching their heads trying to compete with the behemoth that is Google for the past few years.  Looks like this may be their latest attempt at assassination.

Sometimes I feel bad for Microsoft.  They have to compete with both Google and Apple.  Then I remember all the unfair things Microsoft has done to stifle competition in the past and I stop feeling bad.

Brett Edgar

Brett is a Founder and the Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.

Twitter - More Posts

Last week, in a surprise move, Microsoft announced Open Access to Protocol Documentation[microsoft.com]. Microsoft is releasing their protocol technical specifications for interoperability with Windows Vista, Windows Server 2008, Exchange, and others. This means third party and open source software will be able to “talk” directly with Windows components that had previously been closed to them. This is quite a change for Microsoft, who until now kept their protocols propriety, forcing vendors to reverse-engineer the protocols. This should result in greater support between open source products and Windows. I hope other companies follow Microsoft’s lead.

Michael Oglesby

The Director of Tactical Security Services at TRUE, Michael specializes in security testing initiatives with vast network and application security assessment experience. He oversees a team of analysts in conducting SAST- and DAST-based services. Certifications include CISSP, CSSLP, QSA and CNSS 4011-4015. He is also the Verizon 2010 Data Breach Investigation Report Cover Challenge Winner and second place finisher in the 2011 competition.

Twitter - More Posts