REDMOND, Wash. – Sept. 21, 2005 – Security threats such as spyware, key loggers and phishing schemes continue to emerge and grow in sophistication, according to industry experts featured this week on Microsoft’s monthly Security360 webcast series. The Sept. 20 webcast focused on the evolving world of computer viruses and malicious software, and offered guidance and recommendations to help organizations take proactive steps to better protect their computer networks.
Guests on the season’s opening webcast of the Security360 series included Susan Bradley, an independent security consultant and Microsoft Security MVP; David Endler, director of Security Research, Tipping Point; Adam Overton, Microsoft group program manager; Natalie Lambert, analyst at Forrester Research; and David Litchfield, managing director and chief research scientist, NGSSoftware.
The panel of experts noted that while the threat from so-called “malware” is evolving, so is the response from industry. Customers, security researchers, software vendors, IT professionals and analysts are working together to help prevent malware attacks from occurring and to lessen their impact when they do.
“Many organizations have made great strides to combat and prevent malware attacks,” said Mike Nash, host of the Security360 webcasts and corporate vice president of the Security Business and Technology Unit at Microsoft. “By knowing how malware has changed, organizations can put in place additional defensive strategies to make their systems much more secure.”
Security360 is webcast live on the third Tuesday of each month and is also available on-demand at www.microsoft.com/security360. Microsoft has also localized the on-demand webcasts with subtitles in nine languages.
The changing face of malware
The threat of malware has evolved greatly in the last year, according to Nash. Previously, preventing viruses was the primary focus of security strategies and software. Today, attacks come in many forms: viruses, worms, adware, spyware, phishing, key-stroke loggers, bots and root kits, and multi-level onslaughts known as blended attacks. Malware can also be delivered in many ways – through instant messenger, e-mail and Web browsers.
The speed at which attacks are triggered is one element that has greatly changed in today’s malware world. “Today, attackers are much more efficient and faster moving,” says Nash. “When word of the Sasser vulnerability was released in May 2004, it took 17 days for the attack to occur. Last month, the time span between the disclosure and the Zotob worm exploit was only three and a half days. However, just as the attacks come more quickly, so Microsoft is also faster in responding: With Sasser, it took several days to release a cleaning tool. In the case of Zotob, it took only a few hours.”
Malware has been around for years. But as software has become more resilient, and guidance is being followed more carefully, malware writers have had to change their tactics. Previously, the emphasis was typically a broad Internet-based attack launched through software vulnerabilities. Today’s attacks focus on user interaction, attempting to fool the user into engaging with and unleashing the malware.
An anti-malware checklist
During the webcast, Nash and his guests discussed a number of steps that IT professionals can take to improve the security of computing environments and to reduce the impact of malware on their organizations.
One of the most important elements of a malware defense strategy is having a security plan and process in place, says Nash. “You should hire or appoint a dedicated security resource staff and establish emergency response guidelines,” says Nash. “I also recommend you create, communicate and update a comprehensive companywide set of security policies.” These policies should address everything from appropriate use of company resources, to treatment and handling of confidential data.
Tipping Point’s David Endler concurred. “Understanding your security policy is important because, in doing so, you can take broad preventative measures like avoiding malicious or suspicious file types from entering the enterprise.”
Nash and his guests also stressed the importance of evaluating existing software investments based on the organization’s needs and considering the deployment of the most updated versions of software, as newer versions are less susceptible to many kinds of vulnerabilities, including malware.
“Make sure your machines are running up-to-date software and keep them patched with the latest systems,” says Microsoft’s Adam Overton. “For instance, the Microsoft Malicious Software Removal Tool is 15 times less likely to find malicious software on machines running Windows XP with Service Pack 2 (SP2) than previous versions of the Windows operating system.”
Another benefit of running up-to-date software, according to David Litchfield of NGSSoftware, is that modern software offers a smaller surface of vulnerability for viruses and malware to attack. “If we look at Internet Information Server (IIS) 5.0 that came with Windows Server 2000, many of its features came enabled, that is many of the extensions, such as .print, .sp, and .htr, were mapped by default,” says Litchfield. “However, if we look at IIS 6.0, everything is turned off by default, which reduces the potential attack surface. Customers can do much of the same thing in their own business by asking what technologies they actually need in order to do business and what tools they require to achieve their business goals. Everything outside of these requirements can be turned off to reduce the attack surface,” says Litchfield.
Nash also says maintaining security at multiple layers within the network is important because if one defense measure fails, there are more layers in place for continuous protection, a strategy referred to as defense in depth. In addition to making sure you have all the latest updates and patches, Nash recommends strongly that administrators install a firewall – or if running Windows XP SP2 or Windows Server 2003 – make sure that Windows Firewall is enabled, because it can supply additional protection against malicious software that might be attacking their systems. For enterprise network configurations Microsoft recommends not only a level-4 firewall but also an application-level firewall, requiring multiple firewall arrays in different locations.
Nash and his guests also recommend that organizations install software tools that protect against spyware, viruses and other malicious software, and keep them updated. Outdated antivirus software can only protect against previously identified viruses, so it is imperative to regularly update antivirus software to protect systems against the latest threats.
“There are many things that customers can do to be more proactive to protect themselves against malicious code,” says Forrester’s Natalie Lambert. “While patch management is essential, in a recent Forrester survey, only 13 percent of companies polled have actually deployed patch management tools. On the other hand when it comes to deploying anti-virus solutions, personal firewalls and anti-spyware tools, you’re up to about 57 percent of companies. These are the tools that will help companies protect against these threats.”
Nash outlined a number of patch-management tools and security technologies that Microsoft offers to make updating software and helping protect organizations from spyware and other malware easier and more efficient.
Addressing malware extends beyond technology
The industry experts on Security360 said that while technology plays a key role in helping customers to protect their organizations from malware, it needs to be part of a more comprehensive approach that also involves education and policies.
“I used to spend my time protecting servers, the outer barrier of the system,” says MVP Bradley. “Today, I spend more time educating the end user. You can’t service pack the end user. That’s the one technology update we cannot do.” But since that’s where today’s major vulnerability is located, education has become a much more important component of anti-malware strategy, she says.
Nash agrees, stating that developing an education plan for all levels of the organization – including administrators, end-users, and developers – on their role and responsibility for information security within the company is one of the foremost strategies to prevent malware attacks. “It’s also important to ensure that your executives will follow up and act appropriately when notified of a policy violation,” says Nash. “That means accepting the potential business interruption to correct vulnerable systems.”
While anti-virus protection is still a major component of an in-depth defense strategy, IT professionals must continue to address malware on all fronts. Resilient software, continuous updates, following guidance, and especially education are all key to a successful anti-malware strategy.
The same caution that we apply to our everyday environment should also apply to our Internet, says Nash. “The reality is that these attacks will continue to occur but an achievable goal is to put the right safeguards in place so that your systems are more secure,” he says.