
MBA 560 Security 101

Page 1: MBA 560 Security 101

MBA 560 Security 101

Automated Attacks Defined

Microsoft's Approach to Vulnerabilities

How to Protect Your P.C.

Page 2: MBA 560 Security 101

Automated Attack Vectors

Page 3: MBA 560 Security 101

Automated Attack Vectors: Viruses

A computer program file capable of attaching to disks or other files.

Necessary characteristics of a virus:

- It is able to replicate

- It requires a host program as a carrier

- It is activated by external action

Page 4: MBA 560 Security 101

Automated Attack Vectors: Viruses: Polymorphic viruses

Creates copies during replication that are functionally equivalent but have distinctly different byte streams:

- Randomly inserts superfluous instructions

- Interchanges the order of independent instructions

- Uses encryption schemes

This variability makes the virus difficult to locate, identify, or remove.

Page 5: MBA 560 Security 101

Automated Attack Vectors: Worms

A self-replicating computer program, similar to a virus.

A virus attaches itself to, and becomes part of, another executable program.

A worm is self-contained and does not need to be part of another program to propagate itself.

Page 6: MBA 560 Security 101

Automated Attack Vectors: Worms

Necessary characteristics of a worm:

- It is able to replicate without user intervention

- It is self-contained and does not require a host

- It is activated by creating a process

- If it is a network worm, it can replicate across communication links

Some customers like to distinguish between worms that use buffer overruns to propagate and those that use e-mail.

Page 7: MBA 560 Security 101

Automated Attack Vectors: Worms: Examples

SQL Slammer

Blaster

MyDoom

Sasser

Page 8: MBA 560 Security 101

Automated Attack Vectors: Bots

Derived from the word "robot".

A program designed to search the Internet for information with little human intervention.

Search engines, such as Yahoo and Altavista, typically use bots to gather information for their databases.

Page 9: MBA 560 Security 101

Automated Attack Vectors: Bots

Bots are analogous to agents; typically an exe.

Bots are not exploits themselves:

- They are payloads delivered by worms, viruses and hackers

- Installed after compromise

- Infect the system and maintain access for attackers to control it

Botnets: thousands of systems controlled.

Page 10: MBA 560 Security 101

Automated Attack Vectors: Bots

Thousands of highly configurable bot packages available on the Internet.

Some use IRC channels to communicate:

- Easy to use

- Control thousands of systems

- Obscures traffic among legitimate IRC traffic (TCP port 6667)

- Obscures the attacker's identity

Page 11: MBA 560 Security 101

Automated Attack Vectors: Bots: uses

DDoS attacks

Information theft: keyboard logging, network monitoring, etc.

Trade bandwidth between hacker communities

Warez, i.e. hosting illegal data: pirated software, movies, games, etc.

Page 12: MBA 560 Security 101

Automated Attack Vectors: Bots: prime targets

High bandwidth ("cable bots")

High availability systems

Low user sophistication

Systems located in a geography providing low likelihood of law enforcement effectiveness

Page 13: MBA 560 Security 101

Automated Attack Vectors: Bots: examples

Agobot = Gaobot = Phatbot = Polybot: thousands of variants

Uses MS03-001 and MS03-026/MS03-039 to propagate (TCP port 135 and TCP port 445)

Probes admin shares using a hard-coded list of user names and passwords
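The admin-share probing described on this slide leaves a recognisable trace: one source trying several user names against ADMIN$/C$ in a short burst, sometimes followed by a success. The detection below is an added example (not from the slides or from any Microsoft tool); the log format and the sample lines are constructed for the example.

```python
"""Flag sources that probe admin shares with a list of user names.
Added example; the log format "<time> <src_ip> <user> <share> <result>"
and the sample lines are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.7 behaves like the bot, 10.0.0.20 is a normal user.
SAMPLE_LOG = """\
2004-05-01T10:00:01 10.0.0.7 administrator ADMIN$ FAIL
2004-05-01T10:00:02 10.0.0.7 admin ADMIN$ FAIL
2004-05-01T10:00:02 10.0.0.7 root C$ FAIL
2004-05-01T10:00:03 10.0.0.7 guest C$ FAIL
2004-05-01T10:00:04 10.0.0.7 administrator C$ SUCCESS
2004-05-01T10:05:00 10.0.0.20 jsmith C$ SUCCESS
2004-05-01T10:06:00 10.0.0.20 jsmith C$ FAIL
"""


def parse(line):
    """Split one constructed log line into (timestamp, src, user, share, result)."""
    ts, src, user, share, result = line.split()
    return datetime.fromisoformat(ts), src, user.lower(), share, result


def find_probing_sources(log_text, window=timedelta(seconds=60),
                         min_failures=3, min_users=2):
    """Return {src_ip: summary} for every source that produced at least
    min_failures failed share logons with at least min_users distinct user
    names inside `window`. A later SUCCESS from a flagged source is listed
    too, because that is when a guessed credential has actually worked."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse(line)
            events[ev[1]].append(ev)
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        fails = [e for e in evs if e[4] == "FAIL"]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e[0] - first[0] <= window]
            users = {e[2] for e in burst}
            if len(burst) >= min_failures and len(users) >= min_users:
                success_as = [e[2] for e in evs
                              if e[4] == "SUCCESS" and e[0] >= first[0]]
                flagged[src] = {"failures": len(burst),
                                "users": sorted(users),
                                "success_as": success_as}
                break
    return flagged


if __name__ == "__main__":
    for src, info in find_probing_sources(SAMPLE_LOG).items():
        print(src, info)
```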

Page 14: MBA 560 Security 101

Automated Attack Vectors: Bots: examples

Agobot = Gaobot = Phatbot = Polybot

Steals CD keys for a hard-coded list of popular games

Inventories running processes and kills processes in a hard-coded list:

- Firewalls

- AV software

- Other worms

Page 15: MBA 560 Security 101

Automated Attack Vectors: Backdoors

Provides user access without using normal authorization or vulnerability exploitation.

Typically runs under the system context.

Once installed, allows anyone or any program that knows the listening port number (and password) to remotely control the host.

Intruders access the backdoor server using either a text- or graphics-based client.

Allows intruders to run any command or process.

Page 16: MBA 560 Security 101

Automated Attack Vectors: Trojans

Term borrowed from Greek history.

Malicious program disguised as something benign:

- Screen saver, game, etc.

- exe, com, vbs, bat, pif, scr, lnk, js, etc.

It seems to function as the user expects.

Page 17: MBA 560 Security 101

Automated Attack Vectors: Trojans

May or may not appear in the process list.

May install a backdoor.

Generally spread through e-mail and the exchange of disks and files.

Trojan horses are also spread by worms, IRC channels, P2P applications, porn sites, etc.

Page 18: MBA 560 Security 101

Security at Microsoft

Page 19: MBA 560 Security 101

Vulnerability Lifecycle: Presentation Content

Overview of security teams at Microsoft

Security Bulletin Development Walk-thru:

- Vulnerability Reported

- Investigation

- Bulletin release

- Support

Page 20: MBA 560 Security 101

Security Teams at Microsoft

PSS Security: Microsoft Services and Our Customers

Trustworthy Computing Security: Strategy for Trustworthy Computing

Microsoft Security Response Center (MSRC)

Corporate Security: Operations, Network Security

Security Business & Technology Unit (SBTU)

Microsoft Consulting: National Practice TWC

Premier Support Services: Security Solutions Architects

Secure Windows Initiative (SWI)

Security Center of Excellence (SCOE): MSN, MS.com, etc.

Page 21: MBA 560 Security 101

Vulnerability Reported

Is the reported problem really a vulnerability?

A security vulnerability is a flaw in a product that makes it infeasible – even when using the product properly – to prevent an attacker from usurping privileges on the user's system, regulating its operation, compromising data on it, or assuming ungranted trust.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/essays/vulnrbl.asp

Page 22: MBA 560 Security 101

Vulnerability Reported

Page 23: MBA 560 Security 101

Vulnerability Reported

Security vulnerabilities are reported to:

- MSRC: https://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/alertus.asp

- PSS Security

- Other PSS support teams

- Third parties

Reporters include:

- Customers

- Security consulting companies

MSRC actively looks for reports.

Page 24: MBA 560 Security 101

Vulnerability Reported

Page 25: MBA 560 Security 101

Bulletin Release

MSRC writes the bulletin and associated KB article(s).

Microsoft Security Notification Service: http://www.microsoft.com/technet/security/bulletin/notify.mspx

Page 26: MBA 560 Security 101

Bulletin Release

http://www.microsoft.com

http://www.microsoft.com/security

http://www.microsoft.com/office

http://www.microsoft.com/exchange

http://www.microsoft.com/sql

http://www.microsoft.com/servers

http://msdn.microsoft.com/security

http://www.microsoft.com/technet

http://www.microsoft.com/windows

http://www.microsoft.com/windows/ie

http://www.microsoft.com/windowsXP

http://www.microsoft.com/windows2000/server

http://www.microsoft.com/windows2000/professional

http://www.microsoft.com/NTServer

http://www.microsoft.com/ntserver/ProductInfo/terminal

http://www.microsoft.com/windowsMe

http://www.microsoft.com/windowsserver2003

http://www.microsoft.com/protect

Page 27: MBA 560 Security 101

Support

After release, PSS Security is responsible for:

- Bulletin: accuracy and corrections

- Related KB articles: accuracy and corrections

- Download links: accuracy and corrections

- Security update installation and functionality

- Consulting on patch management strategy

- Windows Update issues

- Software Update Services (SUS)

- MSsecure.xml issues

- Hacking, worms, viruses and Trojans using the vulnerability

Page 28: MBA 560 Security 101

Support: Helping Customers Avoid a Crisis

Patches proliferating

Time to exploit decreasing

Exploits are more sophisticated

Current approach is not sufficient

Security is our #1 priority

There is no silver bullet

Change requires innovation

[Chart: "Days between patch and exploit" for Nimda, SQL Slammer, Welchia/Nachi and Blaster; values shown on the chart: 331, 180, 151, 25]

Page 29: MBA 560 Security 101

Protecting Your P.C.

Page 30: MBA 560 Security 101

How To Protect Your PC

Three primary ways to exploit you:

- Weak passwords

- Unpatched vulnerabilities

- Social Engineering

Page 31: MBA 560 Security 101

How To Protect Your PC: Use Complex Passwords

At least eight characters long

Does not contain all or part of the user's account name

Contains characters from three of the following four categories:

- English uppercase characters (A through Z)

- English lowercase characters (a through z)

- Base-10 digits (0 through 9)

- Non-alphanumeric (for example, !, $, #, %), extended ASCII, symbolic, or linguistic characters

Page 32: MBA 560 Security 101

How To Protect Your PC: Other Options

Use a pass phrase instead of a password

Use non-English words in the password

Rename accounts, including the Administrator account
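The rules on the two preceding slides (length, no part of the account name, three of four character categories, and the pass-phrase alternative) can be checked mechanically. The checker below is an added example, not Microsoft's implementation; it assumes that "part of the account name" means any run of three or more consecutive characters of the account name, compared case-insensitively.

```python
"""Check a candidate password against the complexity rules on the slides.
Added example, not Microsoft's own code. Assumption: "part of the account
name" means any run of three or more consecutive characters of the
account name, ignoring case."""
import string

# Three of the slide's four categories; anything not in these sets
# (punctuation, extended ASCII, other scripts, even a space) is the fourth.
CATEGORIES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
}


def categories_used(password):
    """Return the set of category names the password draws from."""
    used = set()
    for ch in password:
        for name, chars in CATEGORIES.items():
            if ch in chars:
                used.add(name)
                break
        else:
            used.add("other")
    return used


def contains_account_name_part(password, account, min_run=3):
    """True if the password contains the account name or any min_run-long
    slice of it (case-insensitive). Short account names are matched whole."""
    pw, acct = password.lower(), account.lower()
    if len(acct) < min_run:
        return acct in pw
    return any(acct[i:i + min_run] in pw
               for i in range(len(acct) - min_run + 1))


def check_password(password, account):
    """Return the list of rules the password fails; [] means it passes."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than eight characters")
    if contains_account_name_part(password, account):
        failures.append("contains all or part of the account name")
    if len(categories_used(password)) < 3:
        failures.append("fewer than three of the four character categories")
    return failures


if __name__ == "__main__":
    # A pass phrase with non-English words (slide 32) satisfies the same rules
    # when it mixes categories; all-lowercase phrases do not.
    for pw in ["Summer2004!", "jsmith99", "Die Katze schlaft 9 Stunden"]:
        print(repr(pw), check_password(pw, "jsmith") or "OK")
```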

Page 33: MBA 560 Security 101

How To Protect Your PC: Keep Your PC Updated

Use Windows Update AND Office Update

Use the automatic update client

XP SP2

Run antivirus and anti-spyware software

Page 34: MBA 560 Security 101

How To Protect Your PC: Social Engineering

Do not open e-mail from people you don't know

Do not open e-mail attachments

Do not follow URLs sent in e-mail

Do not go to web sites that you cannot trust

Page 35: MBA 560 Security 101

How To Protect Your PC: http://www.microsoft.com/protect