The best form of defence is common sense, says Tim Rains
Attackers are working faster, but not necessarily much smarter, Microsoft security guru Tim Rains will reveal at SecTor next month. The chief security advisor for the company’s worldwide cybersecurity and data protection group, has worked closely with Microsoft researchers to find out how exploits have been evolving. He has some stories to tell, and some advice to give.
Before joining Microsoft, Rains had technology roles in Canada’s RCMP, and as a technology instructor in the education system. He has worked in Microsoft for 16 years, starting as technical lead in their enterprise networking team. He now helps enterprise customers with cybersecurity strategy and planning. In his role there, he gets to work frequently with Microsoft’s researchers, and gets full visibility into exploits and vulnerabilities as they emerge.
Art and science
He describes Microsoft’s vulnerability and exploit research as part science and part art. A lot of the data comes from Microsoft users that opted in to provide telemetry to the company, sending information on system operations back to its servers. The firm also works closely with industry partners to understand what they’re seeing too.
The study that he’ll be discussing at SecTor focused on exploits that enables remote code execution on Windows systems.
“This type of study gives us some of the answers to a few questions that enterprise customers typically ask about vulnerabilities and the security updates that address them,” he said. “How long do we have to deploy security updates before attackers start trying to use them? Are there any mitigations that help make exploitation of vulnerabilities more difficult or impossible?”
Harder and faster
So, what trends did he see emerging from Microsoft’s study? One thing he didn’t see was threats becoming more advanced, but he did notice that things are moving far more quickly than they have in the past.
“Attackers are working harder and faster than ever to try to find security vulnerabilities before they are addressed by affected vendors,” he said. “The time between the release of a security update and when an exploit for that update (if one is possible) is added to a commercial exploit kit has been compressed dramatically over the years. What used to take weeks or months now can happen in a matter of days.”
This makes fast software updates more crucial than ever. Thankfully, software vendors are getting better at this. According to Secunia’s 2015 Vulnerability Review, 83.1%of all vulnerabilities had a patch available on the day of disclosure, compared to 78.5% in 2013. And 86.6% of vulnerabilities in the top 50 applications were patched on the same day.
We could get better as an industry, though. The report argued that when vulnerabilities were not patched on the same day, it was often because of a lack of vendor resources, or uncoordinated releases (when vendors roll up patches into less frequent major product updates, for example).
We could definitely do better as users. Verizon’s 2015 Data Breach Investigations Report said that 99.99% of exploits used in 2014 took advantage of vulnerabilities that had been given CVE numbers at least a year before. And over 30 exploits responsible for data breaches last year used flaws found before the ILOVEYOU virus, which emerged in 2000.
Talking of old monsters, Rains confirmed that another bogeyman from the past is indeed making a comeback: the macro virus. Microsoft’s Malware Protection Center (MMPC) has seen a rise in threats that use macros in Office documents to spread malicious code. These were popular back in the nineties, and used Microsoft Office’s scripting capabilities to infect computer systems.
“We have seen new threats emerging that include some form of social engineering to trick users to manually enable macros and allow the malicious code to run,” he said, adding that users should be wary before turning macros on for any old document. For the most part, a file purporting to be a receipt or billing statement shouldn’t need to have any macros in it, he said.
“Some macro malware leaves the document intentionally empty, relying on the user to think that they need to enable the macro so that they can see something,” he added. “Beware of such tricks.”
Beyond regularly patching your systems, another form of basic system hygiene is still among the most effective forms of malware protection, said Rains: running anti-virus software, and keeping its signatures updated.
“The data also shows us that running up-to-date real-time anti-virus software from a vendor you know and trust typically keeps malware infection rates six to seven times lower than not running anti-virus software or running out of date anti-virus software,” he said.
Attackers may move more quickly than ever, but protecting yourself against them needn’t be rocket science. Products with bells and whistles are all well and good, but basic patching and anti-malware tools still seem to be the best form of defence.
Read more about Tim Rains’ presentation at SecTor 2015 here.
Interested in finding out more? Register at SecTor, which takes place at Metro Toronto Convention Centre in downtown Toronto on October 20-21, with a training day on October 19.