Monday, October 31, 2016

How cyber threats affect enterprise and consumer devices

Over the past decade, Microsoft has methodically studied the evolving cyber threat landscape. We share what we learn twice a year in our Security Intelligence Report, and the most recent issue reveals some important differences between consumer devices and enterprise threats.

Attackers don’t view all attack vectors equally – home computer users and enterprise users tend to be exposed to a different mix of threats due to different usage patterns. These usage patterns can influence the type of cyber-attack attempted. Typically, users in work settings perform business activities while connected to a company network. Users in these situations may also have limitations regarding use of the Internet and email for personal use.

On the other hand, consumers generally connect to the Internet directly or use a home router (a personal network). Here, consumers more often use computers for activities like social media, personal email, playing games, watching videos, consuming content, and shopping.

Active Directory Domains vs. Non-Domains

Microsoft antimalware products and tools produce telemetry data that reveal whether infected computers belong to an Active Directory Domain Services (ADDS) domain. (Computers that do not belong to an ADDS domain are more likely to be for personal or other non-enterprise use.)

By comparing the threats ADDS computers encounter with those of non-ADDS computers, we can gain compelling insights into the stark differences between personal and enterprise security attacks and can begin to understand which threats are most likely to succeed in each environment.

As the following table shows, enterprise computers encounter less malware and encounter different kinds of threats than consumer computers do.

Malware and unwanted software encounter rates by category for domain-based and non-domain computers during the second half of 2015.

Our analysis of related data collected over the course of 2015 reveals the following:

  • Non-domain computers encountered disproportionate amounts of unwanted software compared to domain-based computers, with Adware, Browser Modifiers, and Software Bundlers each appearing between three and six times as often on non-domain computers
  • Domain-based computers encountered exploits nearly as often as their non-domain counterparts, despite encountering less than half as much malware as non-domain computers overall
  • Six families—Win32/SupTab, Win32/Diplugem, Win32/Gamarue, Win32/Skeeyah, Win32/Peals, and Win32/OutBrowse—were common to both lists; all were more frequently encountered on non-domain computers than on domain-joined computers
  • The four families that were unique to the top ten list for domain-joined computers but not for non-domain computers are the exploit kit JS/Axpergle, the Trojan family Win32/Dorv, the worm family Win32/Conficker, and the generic detection INF/Autorun

In addition, the encounter rate for consumer computers was about 2.2 times as high as the rate for enterprise computers during the second half of 2015.

How to stay updated on emerging threats

The threat landscape has changed dramatically in recent years. Constant vigilance is needed to maintain visibility into emerging vulnerabilities so you can make the adjustments necessary to help protect your organization and customers. From big data analysis to continuous machine learning and human intelligence, security demands a holistic approach to ensure your organization is prepared to handle new attacks.

Visit to gain a deeper understanding about the security threats that affect your environment. Learn more about Security at Microsoft Secure.

from Microsoft Secure Blog Staff

"What the Gartner Magic Quadrant on Awareness Tells Us"

As some of you may have noticed, last week Gartner released its Magic Quadrant report on Security Awareness Training. Every year Gartner does an analysis of the top security awareness vendors and rates them via the Magic Quadrant. While I'm excited to see SANS Securing The Human once again listed at the very top of … Continue reading What the Gartner Magic Quadrant on Awareness Tells Us

from lspitzner

Saturday, October 29, 2016

"Wrapping Up #CyberAware Month - Support What's Next"

Today ends the last full week of National Cyber Security Awareness Month and the NCSAM Planning Kit. What started in 2003 as a national campaign has now grown into a global effort. The goal of NCSAM (also known as #CyberAware month) is to promote cyber security both at work and at home. Within the United States … Continue reading Wrapping Up #CyberAware Month - Support What's Next

from lspitzner

Wednesday, October 26, 2016

Use Security Education and Awareness Programs to Your Advantage

This post is authored by Jonathan C. Trull, Worldwide Executive Cybersecurity Advisor, Enterprise Cybersecurity Group

Most of today’s media coverage, internal security budgets, and venture capital dollars are focused on new and exciting technologies, such as next-generation endpoint solutions, user behavior analytics, and others.  However, one equally important area that often receives little attention is security education and awareness for company employees.

The majority of successful attacks target end users in one form or another.  Typically, attackers lure a company’s employees into either unknowingly divulging company secrets or passwords, or trick them into clicking links or visiting websites that install malware on their computers.  Worst case scenario, this happens to a user with domain administrator privileges and your entire network becomes a playground for the attacker.

Another common cause of reported breaches is lost or stolen devices that were not physically secured or properly encrypted.  These devices, especially removable media, often have sensitive data that is unprotected with encryption.  In my experience as a CISO, when such incidents occur, employees will often argue that they were not aware of the corporate policy to protect such data or felt ill-equipped to use the technology made available to them.

An important component to prevent such situations from happening is to properly educate company employees.  However, most corporate security education and awareness programs are antiquated, stale, boring, and lack tailored content for specific roles within the organization.  Company employees often run kicking and screaming when such training is mandated, and executives either request exemptions because of their busy schedules or force their assistants to complete the training for them.  After sitting through many such training programs, I really can’t blame them.

Even after almost weekly public cases of CEO wire fraud and other such scams, corporate and government executives often personally avoid such training and/or provide lackluster support for such initiatives companywide.  I believe this is because they do not find the content relevant or important enough compared to everything else they and their employees must do.  I believe this is exactly why security professionals and cybersecurity solution providers must “up our game” in this area.

Based on my experience, I believe that a robust and effective security education and awareness program must contain the following key elements:

1. For all new employees

  • On day one, all employees are required to complete a short, tailored and position-relevant security awareness training.  Key to this training is that all new employees walk away understanding how to get security help if needed and know when and how to report a security incident.
  • New employees are provided with access to online resources such as information security policies and how-to guides for key security technologies and scenarios, e.g. how do I send a secure email, how do I handle PII, etc.
  • For all new employees, I recommend phishing them within their first month on the job and providing just-in-time (JIT) training if they fail the test.  Rinse and repeat to ensure the training was effective.
  • Employees should be rewarded for identifying security vulnerabilities and reporting them to security.  I would suggest a “catch of the month” program where the employee who reported the most impactful vulnerability for that month receives a $100 prepaid gift card or something similar.

2. For Company Executives

  • Companies should develop and deliver a tailored security education program for executives.  The training should be custom to the individual executive and should be based on the most likely digital threats to the executive and their family.  This type of program should be coordinated with other physical security programs if such programs exist, as online and physical threats to executives are often linked.  I recommend one-on-one training with the executive once per year as the most effective mechanism for this audience.

3. For Traveling Employees

  • For companies with employees traveling overseas, provide specific just-in-time (JIT) training based on the countries being visited.  Focus on the key tasks they need to perform while traveling, such as accessing email and sending documents, and what to do in case of a suspected breach or an attempted seizure of technology resources.  Equally important is to ensure the employee understands any actions they need to take when returning from certain, high risk countries.

4. For IT Employees

  • Provide targeted training to information technology staff.  Ensure developers know how to use secure coding best practices, secure and handle source code, and other intellectual property.  Make sure that all system administrators are well versed in the dangers of using domain administrator accounts to perform high risk functions such as browsing the Internet or reading email.  Also, ensure that system administrators are trained on the corporate policy regarding the safe handling of such accounts.  I’ve attached a few helpful resources below on this specific topic.

5. For all employees

  • Security teams should consider their end users as one of their most important and valuable detection sensors and work to maintain the health (“knowledge”) of these sensors just like their IDS/IPS devices and endpoint sensors.  This means providing end users with continual training and education, especially related to new threats.
  • Consider flash cyber threat advisories to potentially targeted end users.  I’ve also used short (less than one minute) video updates on important topics with great success.  Video updates are simply short videos that give end users quick, actionable direction on security topics in a fun and interactive format.
  • For existing employees, perform simulated phishing for a percentage of the user base each month until all employees have been tested.  As with new employees, provide JIT training for those failing the test, and rinse and repeat to ensure training effectiveness.
  • Finally, gamify your security awareness training and make it mobile friendly.  Keep the content fresh and engaging for all generations of your workforce.  Also, make the training relevant to both the employee’s work and home life, including being safe on social media.  You know you got it right when your employees ask if they can include their family and friends in the training!

To learn more about how Microsoft can help you ensure security while enabling your digital transformation, visit us at Microsoft Secure.

Resources for protecting domain admin credentials:

Credential Theft and How to Secure Credentials

Securing privileged access: Preventing and detecting attacks

from Microsoft Secure Blog Staff

"Three Simple Steps to Securing Your Home Smart Devices"

Editor's Note: This blog post is part of Week 04 of #CyberAware month and the #NCSAM Planning Kit. Connected technologies, smart devices, Internet of Things (IoT) - they all mean the same thing: everyday devices that you commonly use but that are also connected to the Internet. These are devices such as baby monitors, security cameras, thermostats, DVRs, light … Continue reading Three Simple Steps to Securing Your Home Smart Devices

from lspitzner

Securing the Internet of Things: Introducing the Security Program for Azure IoT

This post is authored by Sam George, Partner Director Program Management, Azure IoT

As the Internet of Things (IoT) continues to gain traction in the enterprise, questions of security and privacy are top of mind for business decision makers, executives and IT alike. In our work with customers, we find many businesses are struggling to determine how secure their end-to-end IoT infrastructure is, or even delaying IoT implementations until security best practices and standards can be established and confirmed.

Our goal at Microsoft is to keep our customers' IoT solutions secure.  We already do this on multiple levels, ranging from the cloud and beyond – including Azure's enterprise-grade security, working with standards bodies on IoT security, and providing comprehensive security recommendations and guidance – to individual assets that only support secure protocols when connecting to devices, and the Windows 10 IoT Core secure IoT operating system.

While these are all important aspects of IoT security, we have heard from enterprises that they want additional security assurances to make sure they have assembled their IoT solutions in a secure way from devices, to connectivity, to cloud.

Today, I'm thrilled to announce the Security Program for Azure IoT.  This new program brings together a curated set of best-in-class security auditors that customers can choose from to perform a security audit on their IoT solutions, find issues and provide recommendations.  The Security Program for Azure IoT will work from the ground up, examining everything from a business's devices and assets to gateways and even communication to the cloud.

Our initial best-in-class security auditors include Casaba Security LLC, CyberX, Praetorian, and Tech Mahindra and will expand as the program grows. Microsoft will also be working with these security auditing partners and standards organizations, such as the Industrial Internet Consortium (IIC), to establish industry protocols and best practices for security auditing. This is part of our commitment to establish a vibrant and safe IoT ecosystem.

In all our security efforts, Microsoft works with security partners to help protect businesses – and ultimately help us raise the bar across the industry. Select Azure IoT customers will be the first to take advantage of this program to evaluate their end-to-end IoT infrastructure and manage their security risk. In the coming months, we’ll continue to provide updates on the Security Program for Azure IoT, our global auditing partners, and auditing standards.

In the meantime, we invite you to learn more from our Securing Your IoT Deployment and Securing Your Internet of Things from the Ground Up whitepapers. You can also read more about our public recommendations for cybersecurity and IoT standards or attend our upcoming talk at IoT Solutions World Congress on Trustworthy Internet of Things Infrastructure. For more information about the security auditing program, please visit our partner page on

from Microsoft Secure Blog Staff

Cyber risk and resilience: not understood

This post is authored by Paul Nicholas, Senior Director, CPP US

“The meaning and implications of systemic cyber risk are not yet fully recognized or understood”, states the newly published White Paper on Understanding Systemic Cyber Risk from the Global Agenda Council (GAC) on Risk & Resilience of the World Economic Forum (WEF).

The White Paper is something that my team and I here in Microsoft contributed to, along with critical infrastructure providers and other experts around the world. Through a pair of workshops and multiple interviews, the lack of clarity in thinking around systemic cyber risk became obvious. This was not a total shock because cyber risk is increasingly hard to quantify when its ramifications across complex and interconnected systems are elusive or at times overwhelming. Many people generally acknowledge that a single cybersecurity event could, in theory, cascade into a widespread crisis but the interactions of technologies with human decisions and other complex systems, e.g. financial markets or transport infrastructure, make it hard to predict the what, how, when and why of such a crisis.

Illustrating the depth of this challenge, the White Paper itself references the WEF’s earlier Global Risks Report 2016. This report on broad risks facing the world found that although the risk of large-scale cyberattacks was seen as a high impact/high likelihood risk, the likely consequences of such cyberattacks, i.e. failure/shortfall of critical infrastructure and breakdown of critical information infrastructure and networks, were perceived as being considerably lower down the list of likely global risks than perhaps they should be.

Why does any of this matter to policy-makers and business leaders, and to private individuals? In some respects this is a hard question to answer. There are, for example, no easily referenced and universally agreed baselines for measuring or managing cyber risk. Nor is there an internationally accepted definition of cyber resilience. Without these decision-makers are often left with the fallback position of “we’ll know it when we see it”, which is hardly ideal for planning purposes and makes it harder to promote the importance of both managing risk and preparing for resilience amongst those not already expert in the issues.

The White Paper helps partly address this problem by proposing a definition of cyber risk that speaks to all those who might be affected: "Systemic cyber risk is the risk that a cyber event (attack(s) or other adverse event(s)) at an individual component of a critical infrastructure ecosystem will cause significant delay, denial, breakdown, disruption or loss, such that services are impacted not only in the originating component but consequences also cascade into related (logically and/or geographically) ecosystem components, resulting in significant adverse effects to public health or safety, economic security or national security. The adverse real economic, safety and security effects from realized systemic risk are generally seen as arising from significant disruptions to the trust in or certainty about services and/or critical data (i.e. the integrity of data), the disruption of operations and, potentially."

This definition is just a starting point. More needs to be done to refine it and to evolve a disciplined understanding of systemic cyber risk. It seems clear to me that systemic cyber risk and cyber resilience are, in themselves, the logical extensions of thinking coherently and realistically about cybersecurity. As with any form of protection and defense, we need to recognize that nothing can be 100% secure 100% of the time. Even with limitless resources committed to cybersecurity there will always be a risk of something going wrong. This recognition must lead us, in turn, to ask what we can do when our defenses have been bypassed in some way. Should we accept that once the secure perimeters have been breached and our internal systems bypassed we must accept a zero-sum game loss? Or do we see such a cybersecurity failure as simply the start of a resilience process that will ensure our ICT systems and critical infrastructures continue to operate at some level, whilst we respond to the problem, reinvent our processes and re-establish normal operations?

All in all, then, the report provides another, much-needed catalyst to discussions, in depth and in detail, of cyber risk and resilience. In doing so it provides another opportunity for policy-makers, business leaders and others to start or expand their thinking about how cyber resilience should feature in their plans. After all, the unpredictability of the nature of the next crisis does not mean we should not plan for it. And whilst we are unlikely to predict the specifics of every challenge we may face, as President Eisenhower observed, “In preparing for battle I have always found that plans are useless, but planning is indispensable”.

This White Paper is the concluding publication of the GAC on Risk & Resilience. It has been a valuable experience for me and my colleagues to have participated in the GAC’s discussions over the last six months. We were very excited to be able to contribute to its publications and attend its meetings and events. I recommend that anyone seeking to better understand the implications of cyber risk and cyber resilience for themselves and for their organizations should look in detail at the work of the GAC, and I look forward to future work with the WEF on these issues, which will only become more important as technology continues to spread through businesses, governments and societies around the world.

from Microsoft Secure Blog Staff

Tuesday, October 25, 2016

Security Intelligence Report: Discover the top cybersecurity threats by country

Security professionals know there’s no silver bullet to achieve perfect security—the volume and magnitude of cyber threats vary considerably depending on country and threat type. For example, during the second half of 2015 (2H15), encounter rates for some types of threats in Russia and Brazil were nearly three times the worldwide average. Of the ten most commonly encountered threat families in Russia in 2H15, five were trojans, including Win32/Peals, Win32/Skeeyah, Win32/Dynamer, and Win32/Spursint. And in Brazil, Suptab and the downloader/dropper families Win32/Sventore and Win32/Banload topped the threat list.

To help track the constantly shifting security terrain and meet demand for insights, twice each year Microsoft publishes the Security Intelligence Report (SIR), a comprehensive security analysis based on data we collect from around the world. The latest findings were published in May.

A relative look at the worldwide prevalence of malware

The current SIR gives an overarching view of the security situation around the world during the second half of 2015. It also provides more granular details to help you understand specific threats facing the areas you are concerned about right now.

Here are some of the country-specific malware patterns described in the SIR:

  • France and Italy both had high encounter rates for Browser Modifiers, led by Win32/SupTab and Win32/Diplugem.
  • Russia had a significantly higher encounter rate for Trojans than the other locations listed, led by Win32/Peals, Win32/Skeeyah, Win32/Dynamer, and Win32/Spursint; all four Trojans disproportionately affected computers in Russia and eastern Europe in the fourth quarter of 2015.
  • Worms were particularly prevalent in Brazil, led by VBS/Jenxcus, Win32/Gamarue, and JS/Bondat.
  • The highest encounter rates for adware were in Brazil, France, and Italy; Win32/EoRezo was the most commonly encountered adware family in all three locations.
  • Viruses were particularly prevalent in China, led by DOS/JackTheRipper and Win32/Ramnit.

The following table previews the relative prevalence of various categories of malware in several locations around the world in the fourth quarter of 2015. Here are some tips for interpreting the findings:

  • Within each row, darker colors indicate more prevalent categories in each location.
  • Lighter colors signify that the threat category is less common.
  • The locations are arranged by the number of computers that reported threat detections during the second half of 2015.

The relative prevalence of different categories of malware in the fourth quarter of 2015 in several countries around the world.

Read the full report to learn more about security threats in your region and better understand what location-specific factors may affect your ability to create a secure environment for your organization.

Factors that cause high cybersecurity infection rates

Threat dissemination can be highly dependent on language and socioeconomic factors. In addition, distribution methods can play a considerable role. For instance:

  • Attackers frequently use techniques that target people based on their native language.
  • For threat vectors, attackers employ online services that are local to a specific geographic region.
  • In some situations, attackers target vulnerabilities or operating system configurations and applications that show up disproportionately in a given location.

Microsoft’s commitment to ongoing cybersecurity analysis

We are committed to help reduce cyber threat infection rates on a regional and global scale. The SIR is just one aspect of this work. Through the regularly updated insights it allows, we aim to help inform policymakers and IT professionals about malware trends, and arm them to act accordingly.

We encourage you to evaluate your security stance in the light of our latest SIR report, so you can help defend your organization against the most significant risks it faces.

Visit today to discover the security risks that threaten your organization. To learn more about Microsoft’s Security products visit us at Microsoft Secure.

from Microsoft Secure Blog Staff

Saturday, October 22, 2016

"Week 04 #NCSAM: Our Continuously Connected Lives: What's Your "Apptitude"?"

Editor's Note: National Cyber Security Awareness Month (NCSAM) is here and we are enabling organizations to make the most of October. Every Monday this month we post a new blog on how to make the most of NCSAM and the NCSAM Planning Kit. The planning kit is everything you need for a successful October, to include daily activities, resources … Continue reading Week 04 #NCSAM: Our Continuously Connected Lives: What's Your "Apptitude"?

from lspitzner

Friday, October 21, 2016

2016 Wrap-Up Day #3

The third day is already over! I'm just back at home, so it's time for a last quick wrap-up before recovering ahead of BruCON, which is organized next week! Damien Cauquil started the first batch of talks with a presentation of his new framework: "BTLEJuice: the Bluetooth Smart Man In The Middle Framework".

Damien on stage

As the title says, the presentation focused on the Bluetooth LE ("Low Energy") protocol. Damien started with a few slides to review the specs of this protocol. It is designed to be used by low-power devices, which is why it is mainly found in embedded devices (IoT). Two important terms are the peripheral (which accepts only one connection) and the central, which accepts more connections and acts as a kind of relay. BTLE uses the same band as Wi-Fi (2.4 GHz) and communications are encrypted (via the Security Manager Protocol). Damien explained how the pairing process is performed and how the devices use the different channels available. An important aspect is the ability to sniff the traffic. This is not so easy, because one must listen to all advertising channels to be sure to get all the conversations. You have to be lucky to intercept a connection request ("CONNECT_REQ"). And, as the same frequency is used, Wi-Fi devices may cause false positives.

The next part of the presentation was dedicated to Damien’s framework: BTLEJuice. Written in Node.js, it has the following features:

  • Live GATT operations and sniffing
  • Burp-like interception and manipulation
  • Web UI
  • Text and JSON export
  • Python & node.js bindings

Some demonstrations were performed. The first one was just sniffing some traffic. The victim was a smart lock that can be unlocked via a smartphone and an app. After sniffing the traffic, we see that the PIN code is exchanged in clear-text mode and that the lock authentication is just based on the BD address. The next one was a replay attack against a small robot. It’s easy to send commands to make the robot “beep”. Finally, an injection attack was demonstrated based on a blood glucose monitoring system. Can you imagine sending false data without the device itself?

Finally, Damien explained how to detect / block BTLEJuice. Applications should use timing detections (read or write operations take longer than expected when they are being intercepted, which the application can measure). Another best practice is to keep BTLE connections available only when required. The framework is available on GitHub.
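The timing detection Damien recommends, worked through as an added example (this is not BTLEJuice code or anything from the talk). It assumes the application already records the latency of its own GATT reads/writes in milliseconds; the samples below are constructed, and the point it adds is that a relay delays every forwarded operation, so a sustained shift from a robust baseline is the signal, not a single slow read.

```python
"""Timing-based check for a BLE man-in-the-middle relay (added example)."""
from statistics import median


def baseline(samples):
    """Robust baseline from a known-good session (e.g. the first pairing in
    a controlled setting): median latency and median absolute deviation (MAD).
    Median/MAD are used instead of mean/stddev so a couple of radio retries
    in the reference session do not inflate the threshold."""
    med = median(samples)
    mad = median(abs(s - med) for s in samples)
    return med, mad


def flag_relay(observed, med, mad, factor=4.0, floor_ms=5.0, min_streak=5):
    """Return True when at least `min_streak` consecutive GATT operations
    exceed the baseline by a margin. Isolated spikes (link-layer retries,
    host scheduling) reset the streak; a relay that forwards every request
    to the real peripheral produces a sustained run of slow operations.
    `factor` scales the MAD; `floor_ms` stops a near-zero MAD from turning
    normal jitter into alerts. All tunables here are assumptions."""
    threshold = med + max(factor * mad, floor_ms)
    streak = 0
    for latency_ms in observed:
        if latency_ms > threshold:
            streak += 1
            if streak >= min_streak:
                return True
        else:
            streak = 0
    return False


def estimate_added_delay(observed, med):
    """Approximate extra per-operation delay versus the baseline median;
    useful as a telemetry field when an alert is raised."""
    return median(observed) - med


# Constructed latency samples (ms) for a direct connection to the peripheral.
GOOD_SESSION = [12, 13, 11, 14, 12, 13, 12, 11, 13, 12]
# Constructed: one retry spike, otherwise direct. Should not alert.
JITTER_SESSION = [12, 13, 40, 12, 11, 14, 12, 13, 12, 11]
# Constructed: every operation after the second is delayed by a relay.
RELAYED_SESSION = [12, 13, 38, 41, 39, 42, 40, 43, 39, 41]

if __name__ == "__main__":
    med, mad = baseline(GOOD_SESSION)
    print(f"baseline median={med} ms, MAD={mad} ms")
    for name, session in (("jitter", JITTER_SESSION), ("relayed", RELAYED_SESSION)):
        alert = flag_relay(session, med, mad)
        print(f"{name}: alert={alert}, added delay ~{estimate_added_delay(session, med)} ms")
```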

The next presentation was “Where to host my malware?”

Attila Marosi presented "Where to host my malware?". It was the same kind of presentation: abusing some hardware. Attila did some research and discovered that a specific malware was infecting specific NAS devices. How? The malware, called Mal/Miner-C, is distributed via open FTP servers. The first step was to identify such vulnerable systems. A good start is to use online tools like or Attila searched for open FTP servers, then the ones with anonymous access and finally the ones with writable access. Thousands of devices were identified and 70% (!) of them were already infected by Mal/Miner-C. The vulnerable devices are the Seagate Central NAS. On those devices, accounts can't be disabled and if remote access is enabled, anonymous access is also activated by default.  Based on the capacity of the devices, Attila estimated that the online available storage space was 766TB! The malware drops the following files: photo.src and Available webpages are also infected. Attila's next target was the CCTV solution NetVU and finally some smart street lighting systems. Crazy to see such devices so badly protected! For those who are interested, Attila wrote a nice blog post on the Sophos website.

After a welcome coffee break, Marion Marschalek came with another awesome malware research talk titled "Interesting malware, No I'm not kidding". Marion's job is to track malware and, when she finds a sample, it is analyzed from A to Z.

Marion on stage

While we have masses of malware for Windows, most of it is boring and the analysis is always the same. The malware presented by Marion, called "Cheshire Cat", was different. First of all, only 5 samples were detected between 2002 and 2011. Analyzing malware from 2002 can be challenging because the operating system internals were different. Marion explained in detail how the malware worked: browser injection, C2 communications, key logging, file system enumeration, etc. I liked Marion's conclusion: if you are interesting enough, you could get a malware dedicated to you 🙂

Then, Russell Mattioni, from ENISA, presented "Enhancing infrastructure cybersecurity in Europe". By infrastructure, we mean transport, finance, e-health services, smart grids, … Russell presented ENISA and its daily work to improve the security of infrastructures in Europe. While the talk contained interesting information, it was way too theoretical. IMHO, it was not appropriate for an audience like this one. We all know what the issues are and how to (try to) fix them.

Rossella on stage

After lunch, another talk was given with, again, a physical device as the target. This time, it was the intercom systems that we can find at the doors of buildings in many cities. Basically, they provide the following feature: they call a resident, who can unlock the building door remotely. The talk, titled "House intercoms attacks: when front doors become backdoors", was presented by Sébastien Dudek.

Sébastien had the idea to investigate how such devices could be abused. Modern ones do not need cables and rely on 3G connectivity. There are different brands. Amongst them, Linkcom is the cheapest and commonly used in private buildings. They are easy to spot when a nice 3G module is installed close to the door.

Sébastien on stage

Beyond the intercoms themselves, Sébastien explained how 3G networks work. The device configuration can be performed by SMS and the configuration is stored on the SIM card. A first demonstration was to replace the number stored in the intercom with your own number. You'll then receive calls from visitors, be able to talk to them and unlock the door.

Some intercoms use M2M networks (“Machine 2 Machine“). In this case, there is a centralized server, which means a broader attack surface! Re-use the SIM card in your computer and configure the same M2M network settings, then attack the infrastructure. Some of you could also get free Internet access. Note that a botnet of intercom devices could be built to call a premium-rate number to make some profit.

Mahsa Alimardani was the next speaker and came back with a talk (“A push towards practice informing technology“) that was really close to the one she gave last year.

I left the event earlier and did not attend the last talk. The 2016 edition was a good one, I met new people and had great times with the ones I already knew too. Keep an eye on the archive page to get a copy of the slides. Finally, I would like to thank all the readers of my wrap-ups. Feedback is always very positive! Stay tuned for more soon 🙂


[The post 2016 Wrap-Up Day #3 has been first published on /dev/random]

from Xavier

Cybersecurity: a question of trust

This post is authored by Robert Hayes, Senior Director and Chief Security Advisor in Microsoft’s Enterprise Cybersecurity Group.

With the scale, scope, and complexity of cyber-attacks increasing by the week, cybersecurity is increasingly being seen as a primary issue for CEOs & Boards.

Advice is not hard to find, and there are a multitude of information sources and standards; the in-house CIO will have a view, and of course there are a myriad of vendors, each with a solution that promises to be the answer to all security problems.

Trust is at the heart of a successful security strategy, yet knowing who and what can be trusted, and whether that trust should be absolute or conditional, is extremely difficult.

In my conversations with CEOs I often ask them their degree of trust in five key security related areas:

  • The people who work in their organization
  • The organizations in their supply chain
  • The integrity, resilience & security of their existing infrastructure
  • The integrity, resilience & security of cloud based infrastructures
  • The advice they receive, both internal & external

Unsurprisingly, the answer to each question is always a varying degree of conditional, but not absolute, trust.

Where the conversation becomes interesting is where the CEO and I then jointly explore whether the infrastructure, processes, and policies of their organization reflect their intent to avoid absolute trust in these five key areas. Invariably, the answer is no.

Recurring examples of this inconsistency, each carrying significant organizational risk, are:

  • IT administrators having unfettered and unaudited access to all corporate systems, without effective security mitigations such as multi-factor authentication and privileged access workstations in place.
  • HR departments not instructing the IT department to cancel user access privileges for days, often weeks, after an employee is terminated or leaves the company.
  • Supply chain contracts drawn up with no security provisions, standards, or audit clauses.
  • No due diligence or impartial advice at Board level on the assurances and assertions made by both in-house IT teams and vendors on integrity, resilience and security.

A common closing theme of these conversations is the need for CEOs and Boards to have impartial advice and support to help them robustly challenge and undertake effective due diligence in this critical area, and the difficulty achieving this.

In the US, proposed SEC regulation will mean that companies, in particular publicly listed firms, must have a cyber expert on their Board, yet there are currently very few executive or non-executive directors with this skill set who are comfortable operating at a Board level.

An alternative, but expensive position is to buy in the skill set from a third party, and there are many consultancies who will be delighted to have this conversation. However, some consultancies also have a vested interest in system integration, and their advice may not be as impartial as it seems.

Finally, there exists the challenging option of changing the relationship with key suppliers away from the classic customer / vendor one to one closer to a trusted strategic partnership, supported by a robust due-diligence process. Many organizations are seeking to move closer to this type of relationship, whilst still maintaining sufficient distance to satisfy probity and procurement rules.

Whilst each of these options has challenges, the reality remains that without a trusted cybersecurity advisor, CEOs and Boards will continue to make decisions without effective challenge or scrutiny, decisions that leave their organization vulnerable to cyberattack.

To learn more about how Microsoft can help you ensure security while enabling your digital transformation, visit us at Microsoft Secure.

Robert Hayes is a Senior Director and Chief Security Advisor in Microsoft’s Enterprise Cybersecurity Group.

from Microsoft Secure Blog Staff

Thursday, October 20, 2016

[SANS ISC Diary] Spam Delivered via .ICS Files

I published the following diary on “Spam Delivered via .ICS Files”.

Yesterday, I received a few interesting emails in my honeypot. I set up catch-all email addresses for domains that are well known by spammers. I’m capturing emails and extracting MIME attachments for further analysis. Today, my honeypot received three ICS files. iCalendar[1] is a file format used to exchange meeting information between users, mainly via email or a file sharing system… [Read more]

[The post [SANS ISC Diary] Spam Delivered via .ICS Files has been first published on /dev/random]

from Xavier

2016 Wrap-Up Day #2

I’m just back from the second day of The day started early with Patrice Auffret about Metabrik! Patrice is a Perl addict and developed lots of CPAN modules like Net::Packet or Net::Frame. That’s why he had the idea to write a new UNIX shell working like a Perl interpreter.

So, Metabrik was born. It’s not only a shell but a true language that can be empowered with “briks“. A brik is a development/prototyping platform used to quickly build your own tool. You can also see it as a wrapper around existing tools.

Patrice on stage

Patrice’s philosophy is: “Everything should be possible from the CLI”, but in an automated way, with a normalized syntax and in a human readable form. And indeed, all external tools are interfaced in the same way and results are provided in the same format.

To demonstrate the power of Metabrik, Patrice performed some demonstrations. The first one showed how easy it is to create an array and use a CPAN module directly from the shell. So easy! At the moment, Metabrik has 200+ briks available. I’m sure you will find something interesting. Other demonstrations were performed. Personally, I liked the malware analysis automation. Patrice interfaced VirtualBox with Metabrik to spawn a guest VM, execute the malware and grab results (ex: by performing a memory acquisition with Volatility). If you are interested, have a look at his blog post here. Metabrik is a very nice tool but it will require some time to master it. The only comment that I received while discussing it with friends was: “Why in Perl and not in Python?“. Please, no flame war! 🙂

The second slot was assigned to a master speaker: Saumil Shah. I don’t need to present him, he’s a regular speaker at Every time, he comes on stage with a nice presentation. This time, in 2016, it was less technical. The title was “2016: The Infosec crossroads”. It was more a reflection about defence. Everything started with a fact: “Today’s attacks succeed because the defence is reactive”.

Saumil on stage

We have to be honest: attacks evolve way faster than defences. Attackers shift regularly between different targets depending on opportunities (servers, workstations, IoT, …) because they just follow the money. If there is a chance to gain more money, attackers will adapt their techniques. If today’s fashion is focusing on breaches, attackers don’t follow rules.

Bypassing controls

Another fact: the defenders tried to buy back their bugs via bug bounty programs. It’s not a game anymore but a business. It’s a zero-day acquisition market. Then, Saumil talked about the (d)evolution of users. Advanced technologies are advanced and if you don’t know how to use them, they may become dangerous. What is the right approach to defence? For Saumil, compliance and security are not the same. Attackers don’t follow rules. Today’s infosec defence remains based on rules, signature updates and machine learning. Existing strategies do not match attackers’ tactics. We have to switch from a reactive to a proactive approach! To achieve this, Saumil presented his own seven axioms:

  1. Collect everything: build a security data warehouse, retention is cheaper than retention,
  2. Can’t measure? Can’t use it!
  3. Proper pentesting (are you more scared of pentesters than of auditors?)
  4. User ratings
  5. Set booby traps
  6. Analysis decides actions
  7. Buy-in from the top

It was a very nice presentation but, let’s be honest, very difficult to put into practice. On both sides, money is the driver! Attackers want to make more money while defenders are asked to reduce costs!

After the morning coffee break, Fitzl Csaba and Miklos Desborders came to present their tools for automating exploit generation and JavaScript analysis. The first part of the talk focused on automatic exploit development. If you’re an exploit developer, you know that this process is time consuming. It is a heavily manual process based on recurring tasks: start the process, attach the debugger, crash the application, analyze the results, modify the exploit, restart. When an EIP overwrite location is found, we have to examine the memory layout and registers, jump to the shellcode, generate it and put all the stuff together. To automate this, they wrote a tool in Python which uses the PyKD library to attach to a WinDbg instance. What does it do? At the moment, it works for classic BoF, it can bypass ASLR, and it works for network and file based exploits. It creates exploits and automates the testing process. They performed a demo of the tool which found a vulnerability in a badly written application and generated the shellcode to spawn a classic calc.exe. It sounds awesome. The tool will be released after the conference.

The second part of the talk focused on a JavaScript analysis automation tool. Like classic exploit development, it is also a time consuming and challenging process. The goal is also to get rid of anti-debugging and anti-reversing techniques. The process is based on the following steps: deobfuscate the code, catch the function before its execution, locate the exploit code and understand the shellcode. To achieve this, the speakers developed another tool that automates this process (currently working only on IE11). The exploit generator code is available here.

Today’s keynote was presented by Quinn Norton: “A network of sorrows, Small adversaries and small allies” or a status of the Internet… It started with a nice picture: Attackers are everywhere!

Attackers are everywhere

Quinn reviewed several issues on the Internet today and how people and organizations react to security issues. Example: many schools and hospitals are hit by ransomware in the US. It also seems that teenagers are more concerned about being spied on by their parents than by the NSA. The Internet introduced new technologies that are not well understood by users. This is a classic behaviour:

No you won’t have my SSH key but I can give you access to my desktop via TeamViewer!

Keep in mind that users must be educated to face the changing world. We ask our users to listen to our advice but we should also listen to the users. They use tools (and the security issues that come with them) to solve their problems.

After a good lunch and discussions with peers, there was a second set of lightning talks but I did not attend them, too busy exchanging with peers (that’s also the goal of security conferences!). The next talk focused on SAP and how to exploit it via default accounts.

Joris on stage

This was presented by ERP-SEC. For most of us, SAP is a boring environment, but since it is used by all of the big players in many business fields and the data stored in SAP systems is highly valuable, such environments are good targets. Of course, patches and security fixes are released by SAP but patching means downtime and downtime means unavailability, which means loss of money. So, systems are not often patched. Two big attack vectors for SAP have been identified by ERP-SEC:

  • Default accounts
  • SAP RFC gateway (then pivoting)

Since an SAP system may have many default accounts, the first method will be the preferred one. One slide full of default usernames and passwords was displayed. A fact reported by ERP-SEC: 100% of tested SAP instances had at least one default account. For customers, the key question is: “Are those users in my system?” Most of them have! Indeed, the SAP Solution Manager may require new accounts when some features are activated, like enabling some monitoring features in the product. An important remark is that a default account alone does not immediately mean a big security hole. It must be combined with another vulnerability (SQL execution, SMB relay, OS command injection, …) to fully compromise a system. The second part of the presentation was based on demos. How to protect yourself? Nothing new here: change default passwords, delete / disable unused users if they are not required. There is nothing new but it is often not applied.

The next talk was about GPOs (Microsoft Group Policy Objects). The idea of the speakers was to use them to deploy a malware and gain persistence. The goal of the talk was to create some awareness, or to give more evil ideas to pentesters. How does it start? Microsoft recommends using GPOs to solve management issues. Example: to enable WMI on all workstations.

Yves, Immanuel on stage

Mainly used in companies, GPOs are also badly managed:

  • They tend to be messy
  • They are stored everywhere
  • There is a lack of naming convention

To achieve their goal, they used a well-known framework called PowerShell Empire. The first demo was about setting persistence by creating a “RunOnce” registry key which contains the malicious exe file (“calc.exe” in this case, for demo purposes). The second demo was about finding a way to quickly search for a specific file across all the workstations. To achieve this, they created a new GPO that enables WMI and opens the local firewall to allow the attacker to connect to the victim. It’s a nice tool and there are for sure plenty of ways to use it for malicious purposes. So, how to protect yourself? There is no all-in-one solution. To protect yourself, you must review the GPOs in place, limit admin privileges, monitor the activity on the network and, of course, keep your environment healthy.

Then, Clarence Chio came to present “Machine Duping – Pwning Deep Learning Systems”. Machine learning, or deep learning, or “artificial intelligence” refers to computers which can take decisions by themselves (to summarize briefly). The idea of Clarence was to search for a way to pwn them, read: to make them take wrong decisions. As such systems will be used more and more, it is interesting to see how they can be abused.

Clarence on stage

The presentation explained in detail how those systems can be abused but it was purely theoretical (too much) for me. Clarence looks to really master his topic!

After the second coffee break of the day, the last wave of talks started… Four in a row! That was quite intensive… Matt Weeks came to present “Credential Assessment: Mapping Privilege Escalation at Scale“. Matt demonstrated that in major breaches, often the complete network is compromised and data are stolen. He reviewed some nice stories like Target, Home Depot or JP Morgan Chase. Sometimes the attack is more destructive, like Sony or TV5-Monde. Usually, a data breach is based on multiple techniques: social engineering, modification of a malware to evade the controls in place, etc.

Matt on stage

What do they have in common? Credentials were (ab)used to gain access to the infrastructure. In a second part, Matt explained how to protect credentials from being used in such attacks. But this must be combined with other security controls. Lessons learned demonstrate that often:

  • The corporate network was open to contractors
  • There was no response from the intrusion detection or monitoring tools in place
  • There is a lack of network segmentation

Matt explained how to track credentials and how to enforce security controls. What must be performed:

  • Identification of credentials dissemination
  • Identify reuse
  • Identify impact of credentials

It is mandatory to determine mechanisms to break the chains and to clean up credentials. As much data as possible must be collected, with privilege assignments, group memberships, etc.
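Added example (not Matt Weeks’ tooling): the three steps above, identifying where credentials are disseminated, where they are reused across tiers, and what their compromise would impact, run over a small constructed set of logon records. Account and host names are made up; the one-hop “blast radius” is a simplification of the chains the talk described.

```python
from collections import defaultdict

# Constructed logon records: (account, host, host tier). In a real assessment
# these come from logon events / cached-credential inventories on every host.
LOGONS = [
    ("CORP\\alice",      "WS-0101",   "workstation"),
    ("CORP\\bob",        "WS-0102",   "workstation"),
    ("CORP\\da-admin",   "WS-0101",   "workstation"),  # domain admin on a workstation
    ("CORP\\da-admin",   "DC-01",     "server"),
    ("CORP\\da-admin",   "FILE-01",   "server"),
    ("CORP\\svc-backup", "FILE-01",   "server"),
    ("CORP\\svc-backup", "SQL-01",    "server"),
    ("CORP\\svc-backup", "WS-0102",   "workstation"),
    ("CORP\\helpdesk",   "WS-0101",   "workstation"),
    ("CORP\\helpdesk",   "WS-0102",   "workstation"),
]
PRIVILEGED = {"CORP\\da-admin", "CORP\\svc-backup"}  # constructed list


def dissemination(logons):
    """Step 1: for each account, the set of hosts where its credential was present."""
    hosts = defaultdict(set)
    for account, host, _tier in logons:
        hosts[account].add(host)
    return dict(hosts)


def tier_crossings(logons, privileged):
    """Step 2: privileged accounts reused on both workstations and servers.
    Such an account lets whoever owns a workstation step into the server tier."""
    tiers = defaultdict(set)
    for account, _host, tier in logons:
        if account in privileged:
            tiers[account].add(tier)
    return sorted(a for a, t in tiers.items() if {"workstation", "server"} <= t)


def blast_radius(logons, compromised_host):
    """Step 3: impact of one compromised host. Every credential exposed there is
    assumed stolen; return the hosts reachable in one hop with those credentials."""
    host_map = dissemination(logons)
    exposed = {a for a, h, _ in logons if h == compromised_host}
    reachable = set()
    for account in exposed:
        reachable |= host_map[account]
    reachable.discard(compromised_host)
    return sorted(exposed), sorted(reachable)


def cleanup_candidates(logons, privileged):
    """Credentials to 'break the chain' on: privileged accounts whose removal from
    the workstation tier disconnects workstations from servers."""
    return [(a, sorted(h for acc, h, t in logons
                       if acc == a and t == "workstation"))
            for a in tier_crossings(logons, privileged)]
```

Running `blast_radius(LOGONS, "WS-0101")` shows that a single compromised workstation exposes `da-admin`, and with it the domain controller, which is exactly the chain the cleanup step is meant to break.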

The next slot was assigned to two guys from Checkpoint (Yaniv Balmas & Ben Herzog). They presented “When crypto fails” or “Finding cryptographic bugs for mere mortals”. Checkpoint guys are also regular speakers at Crypto is everywhere and more and more malware implements cryptography today. They are right when they say that cryptographic bugs are not in the crypto algorithm but in the way the developer implements it. Sometimes, a bug can be found in the crypto library. In this case, they recommend disclosing it privately.

Yanic & Ben on stage

After this introduction, the second part of the talk was a review of badly implemented crypto in different pieces of malware. The first one was Zeus, the well-known banking malware. Many malware use RC4. It is very popular, not complex and easy to implement. But… why did the Zeus developers decide to implement their own algorithm, called ZRC4? They called this example: voodoo programming.

The next example was based on Linux.Encoder which was one of the first ransomware targeting Linux hosts. It uses the PolarSSL/mbed TLS libs for encryption tasks. To provide randomness, it seeds the generator used to encrypt files with: srand(time(NULL)). What’s bad: encrypted files were created with a new timestamp, so they were easy to decrypt. Keep in mind that when you use a time-based seed, the time can be used again to decrypt. The last ones were Petya, the ransomware which also encrypts the MBR, and finally the Nuclear Exploit Kit.
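Added example (not from the talk or from any Linux.Encoder analysis): why a time-based seed is recoverable. Python’s random.Random stands in for the C srand()/rand() pair the ransomware used; the recovery logic, walking back from the encrypted file’s timestamp until a candidate seed yields plausible plaintext, is the same whatever the generator. The timestamp and file contents are constructed.

```python
import random

def keystream(seed: int, length: int) -> bytes:
    """Keystream fully determined by the seed (stand-in for srand()+rand())."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(length))

def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

def weak_encrypt(plaintext: bytes, when: int) -> bytes:
    """The flawed scheme: the seed is the encryption time, i.e. srand(time(NULL))."""
    return xor_bytes(plaintext, keystream(when, len(plaintext)))

def recover(ciphertext: bytes, mtime: int, window: int, known_prefix: bytes):
    """Try every second from the file's mtime backwards over `window` seconds.
    A candidate is accepted when the decrypted data starts with the expected
    file magic (e.g. b'%PDF' or b'PK'), which a defender usually knows from the
    original file extension. Returns (seed, plaintext) or None."""
    for t in range(mtime, mtime - window - 1, -1):
        candidate = xor_bytes(ciphertext, keystream(t, len(ciphertext)))
        if candidate.startswith(known_prefix):
            return t, candidate
    return None

def demo():
    t0 = 1447286400                      # constructed epoch time (Nov 2015)
    plaintext = b"%PDF-1.4 constructed sample document body"
    ciphertext = weak_encrypt(plaintext, t0)
    mtime = t0 + 2                       # file written 2 s after the seed was taken
    # The defender only has ciphertext, mtime and the expected magic.
    return recover(ciphertext, mtime, window=60, known_prefix=b"%PDF")
```

The search space is the few seconds between seeding and the file’s new mtime, which is why the talk called these files easy to decrypt; a seed from a CSPRNG would leave nothing to enumerate.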


The next talk was presented by Jacob Torrey: “Bootstrapping an architectural research platform in 60 mins”. I skipped this one…

The day ended with a presentation about Hadoop, the tool developed by Apache. Here again, the title of the presentation gave a false idea: the presentation was about abusing Hadoop. After an introduction to Hadoop and its infrastructure (which is quite complex), Thomas & Madhi explained how the framework is badly configured (by default).

Hadoop architecture


Then, they reviewed the Hadoop security model which is very “open”. By default, there is no authentication: “simple” means none, but there is an alternative based on Kerberos. About authorization and auditing: all components implement their own model. This makes it very complex to maintain. Data encryption is available but, here again, disabled by default. If you try to map the attack surface of a Hadoop instance, you will see that many TCP ports are used! The rest of the presentation was based on demonstrations that prove that the security model is, by default, nonexistent! More scary, there are Hadoop instances publicly available. IMHO, the conclusion to this talk is: Hadoop is a mess!
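Added example (not from the talk, not Hadoop project code): a small audit of a Hadoop site configuration against the defaults described above. The property names and their shipped defaults are the real Hadoop ones; the two XML fragments are constructed, one showing the default “simple” posture and one the Kerberos-hardened equivalent. It goes slightly beyond the text by also checking RPC wire protection.

```python
import xml.etree.ElementTree as ET

# Real Hadoop property names, the value Hadoop assumes when the key is absent,
# and the value a hardened deployment should carry.
CHECKS = {
    "hadoop.security.authentication": ("simple", "kerberos",
        "RPC authentication ('simple' means no authentication)"),
    "hadoop.security.authorization": ("false", "true",
        "service-level authorization ACLs"),
    "hadoop.rpc.protection": ("authentication", "privacy",
        "RPC wire protection (integrity + encryption)"),
    "dfs.encrypt.data.transfer": ("false", "true",
        "encryption of HDFS block data in transit"),
}

def parse_site_xml(text: str) -> dict:
    """Read <property><name/><value/></property> pairs from a *-site.xml."""
    root = ET.fromstring(text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        value = prop.findtext("value")
        if name is not None and value is not None:
            props[name.strip()] = value.strip()
    return props

def audit(props: dict) -> list:
    """Return one finding per weak setting: (key, effective value, from_default, why).
    A key that is simply missing is a finding too, because Hadoop falls back
    to the insecure default."""
    findings = []
    for key, (default, wanted, why) in CHECKS.items():
        effective = props.get(key, default)
        if effective.lower() != wanted:
            findings.append((key, effective, key not in props, why))
    return findings

# Constructed: a typical out-of-the-box core-site.xml merged with hdfs-site.xml.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode.example.test:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
</configuration>"""

# Constructed: the same cluster with the hardened values set explicitly.
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode.example.test:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
  <property><name>hadoop.rpc.protection</name><value>privacy</value></property>
  <property><name>dfs.encrypt.data.transfer</name><value>true</value></property>
</configuration>"""

def report(xml_text: str) -> list:
    return audit(parse_site_xml(xml_text))
```

Three of the four findings on the weak configuration come from keys that are not present at all, which is the point of the talk: the insecure posture is what you get by saying nothing.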

That’s it for today! Same place for the third wrap-up tomorrow…

[The post 2016 Wrap-Up Day #2 has been first published on /dev/random]

from Xavier

"Beyond Phishing: Understand the Principles of Social Engineering"

Jane works in the accounting department of a medium sized manufacturing company and just completed her annual awareness training before heading home. She passed the phishing module with flying colors and felt ready for any email type attack that may come her way. While retrieving her keys she received a phone call on her mobile phone. … Continue reading Beyond Phishing: Understand the Principles of Social Engineering

from Securing the Human

Tuesday, October 18, 2016

2016 Wrap-Up Day #1

I’m back to Luxembourg for a new edition of In fact, I arrived yesterday afternoon to attend the MISP summit. It was a good opportunity to meet MISP users and to get fresh news about the project. This first official day started later and in a classic way: with a keynote. The slot was assigned to Alice Hutchings and was named: “Stressed out? Denial of service attacks from the providers’ perspective”.

Alice is working for the Cambridge Cybercrime Centre, Computer Laboratory. The keynote title did not reflect the exact content of the keynote. It was not covering the DDoS aspect from an “Internet providers” point of view but from the DDoS service providers’ one, read: the bad guys. The idea of the keynote was “know your enemy!“.

Alice on stage

Alice started with an example of a website providing DDoS services to anybody. A nice look, support, a description of the different types of supported attacks, the different membership plans. It looks very professional. Those guys are called “booters“. Alice’s research was to study who they are and how they work. She started with cybercrime trajectories: the theory of initiation, maintenance and desistance. First of all, they are techies who know how to attack, how to abuse. It always starts with opportunities. Two pathways:

  • The general pathway: the initiation goes from strain to presented opportunity
  • The technical pathway: the initiation goes from associations with others to learning skills and neutralisations

For both, the maintenance is mainly a low likelihood of detection and benefits relating to offending. Finally, the desistance is when costs outweigh benefits.

The biggest part of the study was to organize an online survey. Once a list of booters was identified, she sent invitation requests and, first surprise, 25% of them responded (positively as well as negatively). Two of them even accepted an interview. Based on the information gathered, what did she learn from the respondents? They are often young and are active from a few months up to a few years. And, what a surprise, their main motivation is to make easy money. Alice released all the details of her research in a document called “Exploring the provision of online booter services” (available here). An interesting fact: those guys do not realize that they provide illegal services. For them, it is a normal business.

Then, a first set of lightning talks was organized. Amongst others, I noted:

  • A cool demo of Metabrik (they will be the topic of a talk tomorrow)
  • A very nice exploitation (RCE, XSS) of a Kerio UTM appliance (“when your firewall turns against you”)

After the lunch, the regular talks started again with “Exploiting and Attacking Seismological Networks… Remotely” by James Jara. Why seismological devices? Because it’s not a juicy target for most people and it may be an idea for cool scenarios. Indeed, such devices are not only used to detect earthquakes but also by oil & gas companies to find new sources of fuel.

James on stage

Like for other devices, there are different vendors, Nanometrics being the biggest one. The devices are Linux based, provide remote management facilities (SSH, Telnet, FTP), a web server, a GPS chip, good batteries or solar panels. Of course, they are connected to the Internet to be able to send collected data to seismologic centers. James explained how he found devices. Via, a site similar to but more focused on IoT devices. A nice story: to get a copy of the firmware, he just sent a mail to the manufacturer politely asking for a copy… and he received one! Everybody knows that once you get a copy of the firmware, the most difficult step is completed. It’s then easy to analyze it to extract keys, passwords, etc. James performed lots of demos (some recorded, some live – which is, IMHO, a little bit borderline). Nice research but the audience was not the right one. The vulnerabilities found are the same as for any other IoT device. It would be interesting to present the same research to scientific people!

The next talk was “Secrets in Soft Token – A security study of HID global soft token” by Mouad Abouhali. It was a nice research about a specific 2FA implementation based on the HID soft token app. He started with a review of a classic 2FA implementation. Today, many solutions can be installed on smartphones. We don’t need hardware tokens, which are difficult to manage/deploy and expensive. While the HID solution is available on multiple mobile operating systems, the research focused on the Android version. The idea was to analyze what may happen when a device is stolen, how the application protects itself, how data is stored and how cryptographic features are implemented. If the application looks quite well protected (code is obfuscated, it does not run in a jailbroken environment), the code was successfully analyzed by Mouad’s team: they read the code, debugged it and rebuilt it. They also analyzed the behaviour to generate logs and analyze them.

The next step was to understand the encryption tasks. Where is the PIN stored? A first vulnerability was discovered: it is possible to clone the application by copying the HID config files and gathering the Android_id secure attribute. But the attacker still needs the user’s PIN code (that can be collected using social engineering techniques). The second vulnerability was to discover the PIN. They developed a tool to do this and it seems to be quite useful. Mouad explained in detail how it works. That was a great research performed in one month. They reported the findings to the vendor, which is busy with a new design of its application.

Then, “KillTheHashes, 30 million malware DNA profiling exercise” was presented by Luciano Martins, Rodrigo Cetera & Javier Bassi. It started with a fact: today, identifying a piece of malware only by its hash is a fail.

Luciano on stage

Luciano gave several examples of well-known malware (Stuxnet, Zeus, Dino). All of them have specific characteristics like a file name, a system call, a DLL name. The idea behind this talk is to classify the malware based on this information. To achieve this, a tool was developed which provides:

  • A DNA profiling search engine that discovers malware patterns and characteristics.
  • File type search capabilities
  • A framework to search malware
  • Large scale malware analytics

Another example: the most popular malware code sections are the TSULoader, the NullSoft PiMP stub or the 7zip extractor. They can also be used to identify malware samples. Based on this, the malware universe map was created:

The Universe of Malware

The tool is called CodexGigas and is available here. This is definitely something that you have to test if you’re dealing with many malware samples.

After a well-deserved coffee break, Wayne Huang & Sun Huang presented their analysis of a malware campaign: “Unveiling the attack chain of Russian-speaking cybercriminals“. The botnet is called Asprox and has been online since 2007. It targets Windows and Android devices (since 2014). Being operated by Russian speaking guys, it is delivered via classic spam emails. If the delivery is classic, some interesting checks and features are implemented, like delivery testing (they verify the domain reputation via online services like or Waves of spam are also scheduled by geographic area. The attack chain is classic:

Victim > Compromised Server > TDS Server > Botnet > NGinx Reverse-Proxy > C2 > Attacker

They explained in detail how the botnet works, the techniques used to defeat the security researchers’ job but also the business around the botnet. Some techniques to make the analyst’s life more difficult are really evil. Example with the NGinx reverse proxy: the configuration with the C2’s IP addresses is generated, the proxy started and the config immediately deleted and replaced by a fake one.

The next speaker was Matthias Deeg with a talk called “Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets”.

Matthias on stage

His talk focused on wireless keyboards and mice (using RF to communicate with a USB dongle). After a short introduction to the technology used and how it works, Matthias explained the goal of his research. There were already papers and presentations on the same topic but he focused on multiple device vendors (Cherry, Microsoft, Logitech & Fujitsu). The methodology was a classic approach: open the device, identify the chips, read (a lot of) documentation and write some code. The nRF24 looks to be the most popular one. The different exploited scenarios were:

  • Physical attack: extract the firmware, change the firmware, extract crypto material and manipulate it
  • Use radio signals: exploit open radio comms
  • Replay attacks
  • Keystroke attacks
  • To try to decrypt comms

Matthias made some nice demos: abusing a wireless mouse to launch a virtual keyboard and type some text. The replay attack simply unlocked a Windows desktop by replaying the user’s password. The best one was the injection attack: a PowerShell payload can be injected and executed! Nice demo, but we already know that such devices provide a low level of security.

Paul Rascagnères explained how Microsoft implemented code signing protection but also how to bypass it. A small reminder about Authenticode: it was developed by M$ and is based on certificates. Kernel drivers must be signed since Win7 64 bits. Really?

Paul on stage

Paul explained several ways to bypass this protection: low cost and high end. The low cost one is based on the bcdedit.exe command that can be used to switch the system to test mode:

bcdedit.exe -set TESTSIGNING ON

If a message is displayed by winlogon.exe, it can be removed by patching the process in memory to NOT display this info on the screen. The other technique (used by Uroburos) is based on CVE-2008-3431. Via VBoxDrv.sys, no message is displayed, but it can be detected using bcdedit.exe. Other techniques explained by Paul were exploited by the malware Derusbi, GrayFish and HIDEDRV.

The last talk was presented by Kevin Borgolte about Shellphish and the DARPA Cyber Grand Challenge. The idea behind this project is to organize a CTF game (“Capture the Flag”) but instead of human players, computers play against each other and try to exploit each other and to protect themselves in an automated way. Kevin explained in detail how it works but it was way too complex to get the point. Just visit the website if you’re interested in this topic or watch the video.

That’s all for the first day! Note that talks are recorded and videos are posted very quickly after the presentation. The YouTube channel is here. Stay tuned for the second wrap-up tomorrow!

[The post 2016 Wrap-Up Day #1 has been first published on /dev/random]

from Xavier

Top Five Security Threats Facing Your Business and How to Respond

This post was authored by Ann Johnson, Vice-President, Enterprise Cybersecurity Group

Headlines highlighting how vulnerable we are to cyber threats are now all too commonplace. The statistics on security events and successful network breaches continue a trend that favors attackers. These bad actors are getting faster at network compromise and data theft, while their dwell times inside networks have increased to over 200 days according to most of the major annual cybersecurity reports. The result of these voluminous and persistent threats has been hundreds of millions of dollars in lost business alone, without counting the long term costs of diminished customer and citizen confidence.

Still, organizations may face even greater risks as they try to fend off sophisticated attackers against a backdrop of an ever-expanding network footprint. The new network now includes myriad personal devices, virtualized workloads, and sensors that represent rapidly increasing points of connectivity as well as potential points of compromise.

When considering these trends, it is clear that the traditional means of protecting organizations are not as effective as they once were. Static access controls like firewalls and intrusion prevention systems placed at network ingress and egress points are being easily evaded by attackers because the communication paths in and out of networks are too complex and dynamic. Also, broad use of personal devices inside corporate networks has dissolved what used to be a hardened network boundary. We no longer conduct business within a perimeter of highly controlled, corporate-issued end-user devices that gain access only under the strictest of authentication and authorization controls. Instead, the modern enterprise enables dynamic communities of employees, contractors, business partners and customers, as well as their data and applications, all connected by an agile digital fabric that is optimized for sharing and collaboration.

In today’s networks, then, we have to consider that identity is the new perimeter to be protected. Identity in this case does not mean only the device and its physical location but also the data, applications and user information it contains. Given that 60% of all breaches still originate at an endpoint compromised through a phishing scam or social engineering attack, it is no wonder that a risk mitigation strategy with identity at its center is top of mind for many business and technology leaders.

In fact, cyber security is a boardroom-level agenda item today. Business leaders want to ensure that they have in place the investments necessary to protect intellectual property and customer data, keeping their businesses out of the headlines that damage reputation and affect profitability. CIOs and CISOs feel caught between the seemingly opposing goals of enabling digital transformation while protecting data and intellectual property at all times. These are concerns they share with their teams in IT and operations, who feel equally burdened to balance performance and accessibility with rightful and appropriate resource use. Cybersecurity, as we have all come to understand, can be either a critical barrier or a key enabler to an organization’s ability to be productive. Current top-of-mind concerns for protecting the modern enterprise coalesce around five key areas: infrastructure, SaaS, devices, identity and response.

  1. Infrastructure – The public cloud offers unlimited potential for scaling business. On-demand compute and storage are only a small portion of the benefits of a highly agile IT environment. Easy access to applications, services and development environments promises to redefine business agility. Naturally, more and more organizations are taking critical workloads to the public cloud. Still, the migration to an environment that is provisioned and managed by a non-organizational stakeholder creates new security challenges. So the top-of-mind question is: “How do I secure my cloud resources?”

Going to the cloud does not mean relinquishing security control or accepting a security posture that is less secure for cloud-hosted workloads relative to on-premises ones. In fact, the selection of cloud provider can mean having access to the very latest in security technologies, even more granular control and faster response than is possible with security in traditional networks. As a first step, security stakeholders need to understand how sensitive and compliance-intensive their cloud-hosted workloads and data are. They should then opt for access controls that limit use to only that which is business appropriate and emulate those access policies already in place for on-premises workloads. Enrolling in cloud workload access monitoring will also ensure that any events which deviate from desired security policies can be flagged as indicators of possible compromise. Cloud users should also be familiar with the security technologies offered by their provider, whether native or through partnership. This gives cloud users options for implementing the kind of multi-tiered security architecture required to ensure least-privilege access, inspect content and respond to potential threats.

Key takeaways

  • Monitor workload access and security policies in place
  • Identify deviations from security policies and indicators of possible compromise
  • Deploy new security controls appropriate for your cloud environment

  2. SaaS – Whether a business is hosting critical workloads in the public cloud or not, its employees are surely using applications there. The convenience and ubiquity of these applications means broad user adoption for the ease of information sharing and collaboration they enable. As a result, important, security- and compliance-sensitive data may be making its way to the public cloud without security stakeholders’ knowledge. The question from businesses then is: “How do I protect my corporate data?”

Organizations want to make sure their employees are as productive as they can be. To that end, many are allowing them to bring their own devices and even their own applications into the network. This agility comes with some added security risk. Fortunately, there are ways to mitigate it. Ultimately the goal is to derive all of the benefits these SaaS applications offer without violating company use and compliance policies for data sharing and storage. Additionally, firms must ensure that employees’ use of SaaS apps does not unwittingly enable data exfiltration by bad actors. Limiting risk comes down to enacting a few of the basics that ensure safe use. For starters, there’s a need to identify which SaaS applications are in use in the network and whether they are in line with company policy or on a safe list. Granular access rights management will limit the use of even the safe apps to those persons who have a business need for them. Where possible, policies should be in place that require data to be encrypted at rest, especially if it is being stored in the cloud. Having the ability to periodically update the safe lists of apps and monitor all use can alert security administrators when unsanctioned applications appear among an organization’s communications. With these types of facilities in place, stakeholders may be promptly alerted to unsanctioned application use. When unwanted application use is detected, that is the time to block those applications, modify or deprecate the privileges allowing access to them and, as a further precaution, remotely wipe or delete data stored through use of those applications.

Key takeaways

  • Apply rights management, identify unsanctioned apps, contain, classify and encrypt data
  • Be notified of unauthorized data access or attempts
  • Block suspicious apps, revoke unauthorized access and remotely wipe company data

  3. Devices – Smartphones, tablets, self-sourced laptops: these are the new network perimeter and at times its weakest links. Whether owned by the organization or not, they most certainly contain business-valuable data that is at high risk. Because mobile devices often connect from public networks and may not have the most up-to-date protections, these endpoints are popular targets for botnet or malware installation. Use of personally sourced devices is a new and seemingly permanent reality, prompting organizations to broadly ask “How do I keep company information secure?”

Many years ago, risk from mobile devices was ameliorated by installed agents and thick clients that provided security controls right on the device itself, managed centrally. Today, with employee self-sourced devices, the installation of such clients is not always feasible. Still, today’s security administrators have to accommodate a heterogeneous end-user device environment comprised of various form factors and OSes while applying consistent and organizationally sanctioned controls to all of them. A cloud-based approach can provide a lot of flexibility and control here. From the cloud, endpoint connectivity to network resources can be centrally managed through security policies that restrict where devices can go based on their security posture, installed protections or location-based access rights. Command of devices from a central location ensures not only consistent policy enforcement but also automation, so that when anomalous device behaviors or connection patterns are detected, centralized command can restrict access, quarantine the affected device and even wipe it clean so that the threat is fully contained.

Key takeaways

  • Manage company and personal devices to classify and encrypt data to ensure compliance
  • Automatically identify compromised or questionable end points
  • Quickly respond to quarantine, wipe and remediate compromised devices

  4. Identity – Despite all of the investments organizations make in security and threat mitigation, identity will be compromised. The latest data tells us that way too many of us click on links and attachments that we should not. From that point on, the bad actor has gained a foothold in the network and may set about moving laterally, looking for sensitive information to steal while impersonating the legitimate user. This common scenario is what makes many businesses ask: “How can I ensure identity protection?”

All of the major cybersecurity reports and indices point to this as the most common component of a data breach: the stolen identity. A security strategy for any organization or business needs to have this as a central tenet. The protection and management of credentials that give resource access to customers, employees, partners and administrators is foundational to sound security practice. Implementing multi-factor authentication broadly for all applications and services is a good starting point. It should nevertheless be complemented by facilities for monitoring authentication and authorization events, not only for users but also and especially for privileged users and administrators. This type of monitoring offers the best opportunity to identify attempts by attackers to move laterally through privilege escalation. Once activity is flagged as suspicious or anomalous, optional automated response can ensure that access requirements are elevated on the fly and that privilege escalation requests are verified as legitimate.

Key takeaways

  • Augment passwords with additional authentication layers
  • Identify breaches early through proactive notification of suspicious behavior
  • Automatically elevate access requirements based on your policy and provide risk-based conditional access

  5. Response – Each year organizations are subjected to tens of thousands of security events, making the business of protecting critical assets continuous. Given that threat dwell times are 200-plus days, bad actors have ample opportunity to move “low and slow” throughout networks after the initial compromise. Naturally, security administrators and stakeholders are left to ask: “How can I better respond to ongoing threats?”

The potency and frequency of today’s cyber threats require a security strategy built on the assumption of compromise. A network or device may not be breached today but remains at risk, so the process of protecting against, detecting and responding to a breach is a continuous one. The data that is being exchanged by endpoints and shuttled among data centers and hybrid clouds contains a lot of information about the security state of those endpoints and resources. The key to unlocking that intelligence is analytics, and specifically the type of analytics that is made possible through machine learning. Having the ability to monitor large amounts of traffic and information continuously and unearth anomalous behavior is and will be key to shortening the time to detection of a breach or compromise. Behavioral analytics not only tell us what is out of the norm or unwarranted behavior but also inform us of good and desired connectivity. By understanding both anomalous and appropriate traffic patterns, organizations can fine-tune access controls that are just right for enabling business yet limiting risk. Further, with continuous analytics the process of determining the right access controls for the environment at a given time can be as dynamic and responsive as users’ access needs.

Key takeaways

  • Use analysis tools to monitor traffic and search for anomalies
  • Use learnings from behavioral analysis to build a map of entity interactions
  • Practice just in time and just enough access control

In summary, security threats may be common to businesses and organizations of all types, but the way they are addressed can vary greatly. In the modern enterprise driven by mobility and cloud, architecting for security represents an opportunity for unprecedented agility. With a strategy built on identity as the new perimeter and access to continuous processes to protect, detect and respond to threats, a business can be as secure as it is productive. Watch the on-demand webinar – Top 5 Security Threats – with Julia White and myself to hear more about our approach to cybersecurity, or visit us at Microsoft Secure to learn more about Security.

from Microsoft Secure Blog Staff

"What IoT (and Security) Needs to Learn From the DeWalt Mitre Saw"

I recently purchased my first power tool ever, a DeWalt Compound Mitre Saw, an intimidating piece of machinery that can not only rip through huge pieces of wood, but potentially chop your hand/arm clean off. As such I was very nervous when I received it, to include reading through the safety manual several times … Continue reading What IoT (and Security) Needs to Learn From the DeWalt Mitre Saw

from lspitzner

Attackers using Trojans more than other malware categories

Global cyber threat patterns are a constantly moving target. But there are ways organizations can stay ahead of threats. Beginning in 2006, Microsoft took on systematic study of the ever-shifting security landscape, and we share our latest findings twice each year in our Security Intelligence Report (SIR).

While cyber threats grow more sophisticated, our goal is simple: to help customers understand the many different types of factors that can influence malware infection rates in different parts of the world. We do this because we believe knowledge is power, and our work to partner with policymakers and IT professionals to help keep them apprised of malware trends can help make not only specific regions but also the world safer for people, business, and governments.

To help you prioritize mitigations, including training people to identify cyber threats, we believe the place to start is to understand the current threats your organization is most likely to experience. Currently, that means understanding the growing risk presented by a malware category known as Trojans.

Trojan encounters proliferated in 2015

Trojans, like worms and viruses, are among the most widespread categories of threats Microsoft detects. Between the second and third quarters of 2015, our research and analysis showed that encounters involving Trojans increased by fifty-seven percent and stayed elevated through the end of the year.

Trojans increased more rapidly than other significant malware categories in 2015.

In the second half of 2015, Trojans accounted for five of the top ten malware families encountered by Microsoft real-time antimalware products. The increase was due in large part to the Trojans Win32/Peals, Win32/Skeeyah, Win32/Colisi, and Win32/Dynamer. In addition, a pair of newly detected Trojans, Win32/Dorv and Win32/Spursint, helped account for the elevated threat level.

Server platforms at greater risk from Trojans

Overall, unwanted software was encountered significantly more often on client platforms than on server platforms. However, Trojans were encountered slightly more often on server platforms than on client platforms.

Our analysis of 2015 data uncovered the following:

  • During the fourth quarter of 2015, Trojans accounted for three of the top ten malware and unwanted software families most commonly encountered on supported Windows client platforms
  • Also during the fourth quarter of 2015, four of the top ten malware and unwanted software families most commonly encountered on supported Windows server platforms were categorized as Trojans

As these examples suggest, malware doesn’t affect all platforms equally. The reasons for this vary. For instance, some exploits may have no effect on some operating system versions. In addition, in areas where specific platforms are more or less popular than elsewhere, some types of threats are just more common. In some cases, simple random variation may cause differences between platforms.

How Trojans work

Like the famous Trojan horse in Homer’s Odyssey, software Trojans hide inside something end users want, such as a work file or social media video. Through this type of social engineering, attackers get people to install malware on their system or lower security settings.

Two common Trojan types work as follows:

  • Backdoor Trojans provide attackers with remote unauthorized access to and control of infected computers
  • Downloaders/droppers are Trojans that install other malicious files to a computer they have infected, either by downloading them from a remote computer or by obtaining them directly from copies contained in their own code
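The second bullet describes droppers that carry their payload as a copy of another executable inside their own file. A cheap triage heuristic for that case, added here as an example and not taken from the Microsoft post, is to scan a file for a second complete PE header: an "MZ" stub whose e_lfanew field points at a valid "PE\0\0" signature, somewhere other than offset 0. The sample bytes below are constructed inert stubs (not real malware, not real executables); the function names are my own.

```python
import struct

# Added example (not from the Microsoft post): look for executables embedded
# inside another executable, the signature of a dropper that stores its
# payload in its own body rather than downloading it.

MZ = b"MZ"
PE_SIG = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C   # offset of e_lfanew in the DOS header


def _valid_pe_at(data: bytes, off: int) -> bool:
    """True if a plausible DOS header + PE signature starts at off."""
    if data[off:off + 2] != MZ:
        return False
    if off + E_LFANEW_OFFSET + 4 > len(data):
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, off + E_LFANEW_OFFSET)
    # e_lfanew is relative to the MZ header; a real header never points
    # inside the 64-byte DOS header or past the end of the file.
    pe_off = off + e_lfanew
    if e_lfanew < 0x40 or pe_off + 4 > len(data):
        return False
    return data[pe_off:pe_off + 4] == PE_SIG


def find_embedded_pe(data: bytes) -> list:
    """Offsets of every valid PE header other than the carrier's own at 0."""
    hits = []
    pos = data.find(MZ, 1)          # skip offset 0: the carrier's own header
    while pos != -1:
        if _valid_pe_at(data, pos):
            hits.append(pos)
        pos = data.find(MZ, pos + 1)
    return hits


def make_stub_pe(size: int = 0x200) -> bytes:
    """Constructed test data: a DOS header whose e_lfanew points at a PE
    signature at 0x80. It is not a runnable executable."""
    buf = bytearray(size)
    buf[0:2] = MZ
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, 0x80)
    buf[0x80:0x84] = PE_SIG
    return bytes(buf)


def sample_dropper() -> bytes:
    """Constructed carrier: a stub PE with a second stub PE appended at
    0x400 (a payload stored in the overlay), plus a decoy 'MZ' at 0x300
    whose e_lfanew does not lead to a PE signature."""
    carrier = bytearray(make_stub_pe(0x400))
    carrier[0x300:0x302] = MZ       # decoy: data that merely contains "MZ"
    return bytes(carrier) + make_stub_pe(0x200)


if __name__ == "__main__":
    print(find_embedded_pe(sample_dropper()))   # -> [1024]
```

The e_lfanew validation is what keeps the scan useful on real files: "MZ" appears by chance in strings and compressed data, so a bare substring search would fire constantly. Packed or encrypted payloads defeat this heuristic, which is why it belongs in triage rather than in a blocking control.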

Mitigating the Trojan threat

Knowing how the top Trojans in your area of the world work can give you the upper hand when it comes to protecting your organization. For example, be sure to educate your workforce about common Trojan tricks, such as “clickbait” – fake web headlines with provocative titles – and spoofed emails. In addition, encourage the people in your organization to use personal devices for social media and web surfing instead of devices connected to your corporate network.

To understand security threats in your region, or to view the current or previous editions of the SIR, visit the SIR website. To learn more about Security at Microsoft, visit us at Microsoft Secure.

from Microsoft Secure Blog Staff