If you try to keep up on the latest in security developments, then you know those three dreaded words: Zero-day threat. It has become a commonly-used phrase, one that makes for great headlines.
A zero-day exploit is one where there is no time – zero days – between the moment attackers discover the vulnerability and the moment the first attack takes place. There is usually no defense against these vulnerabilities, since no one has built a patch or other fix – or even knew, until that day, that one was needed.
So you'd think that with all the screaming headlines on tech news sites about new zero-day exploits found in the wild, along with reports about how Microsoft (or whichever company) is scrambling to find a fix, that these security breaches would be a major source of computer security problems IT has to deal with on a daily basis.
And you'd be wrong, says Microsoft.
Twice a year, the company releases its massive Security Intelligence Report (SIR), a 150+-page document with dozens of authors covering all manner of IT security issues. Data for the report is gathered over a half-year period, so volume 11, released in August, dealt with security issues Microsoft encountered from January to June of 2011.
And there it is, right on page 14: Zero-day threats account for just 0.01% of all security issues Microsoft examined. That's right, the big bad zero-day exploit that has 6.4 million Google entries is a no-show. Brute force hacking of passwords, probably the least effective way to break in unless people are stupid with their passwords, was 1.7% of exploits.
“The hype around zero-days is like the TSA equivalent of public safety. There's way more deaths and injuries to drunk drivers than [there are] hijackers, but [hijackers are] the scary thing. So instead of focusing resources where we can fix the problem we attack the hype,” says Randy Abrams, an independent security consultant who has worked for Microsoft and Eset, maker of the NOD32 antivirus program.
"It takes sensationalism sometimes to get people to read the headlines, and it's hard to sensationalize 'We've been telling you this for 20 years, why aren't you doing it?'" he adds.
The Real Threat
What you really need to fear isn't the big bad zero-day; it's your staff. Microsoft’s report found that 44.8% of exploits, far and away the leading problem, were "user interaction required." That means a person had to click on a link or double-click on an attachment in a spam e-mail.
If ever there was a facepalm moment, this is it. For years, security professionals and trainers have been repeating the mantra: Don't open attachments or links from anyone you don't know, and if it is from someone you know, confirm that they sent it. Malware often hijacks a person's e-mail client and uses their address book to propagate itself. After all, you trust your friends not to spam you, right?
And yet after repeating this mantra until people are blue in the face, almost half of all malware infections in the first half of 2011 were from people doing exactly what they've been told not to do.
Microsoft hopes people will start to see the real threats in proper context. “What we wanted to do is put [the threats] into context and show through real data the impact Zero-days have had,” says Marc Lauricella, a contributor to the SIRv11 report. Microsoft (and all of us) wants to move people in IT out of a panic state about vulnerabilities that are essentially outside their control, to a point where “now they have information they need and they can prioritize managing security risk,” says Lauricella.
Dealing with that means minimizing and monitoring your attack surface, so you have a smaller area for the bad guys to exploit. That means removing or disabling all applications and services you don’t need and using security tools to protect against these attacks. Microsoft provides plenty of advice on the SIR site under Managing Risk.
Windows XP Has Got to Go
Upgrading the computer wouldn't be a bad idea, either. The SIR report found that two types of Autorun exploits accounted for 43% of all infections. Autorun is the feature in Windows that starts an application, such as an install file, when media is inserted in the computer.
On a DVD-ROM, this is more locked down. But network drives and USB thumb drives are less secure. The bad guys found ways to propagate malware when USB drives were inserted into a computer's USB port, or from network drives, infecting every computer that connected to that drive.
In February, Microsoft issued a patch for Windows XP and Windows Vista as part of its monthly Patch Tuesday cycle that turned off Autorun for USB and network drives. Now when you insert a USB device into the port, it's blocked by default. (Windows 7 already blocks Autorun by default so it did not have the problem.)
The result was immediate. By May 2011, infections related to the most prolific Autorun families of malware were down 60% on Windows XP and 74% on Windows Vista compared to 2010. But Lauricella says some PCs still haven't installed the update (yes, not since February), and they badly need to run Windows Update.
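For administrators who want to verify that the Autorun behavior described above is actually locked down on a given machine, the following PowerShell check is an added example, not code from the article or from Microsoft's report. It reads the documented Explorer policy value NoDriveTypeAutoRun, whose bits mask out Autorun per drive type (0x04 removable, 0x10 network, 0xFF every type); the function and property names are my own.

```powershell
# Added example: report whether the NoDriveTypeAutoRun policy disables
# Autorun on removable (USB) and network drives, per hive.
# A value of 0xFF disables Autorun for every drive type; "not set" means
# the operating system's built-in default applies instead of a policy.
function Get-AutorunPolicyStatus {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($path in $paths) {
        $value = $null
        if (Test-Path $path) {
            # -ErrorAction SilentlyContinue: the value may simply be absent
            $item  = Get-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = [int]$item.NoDriveTypeAutoRun }
        }
        [pscustomobject]@{
            Hive               = $path.Split(':')[0]
            NoDriveTypeAutoRun = $(if ($null -eq $value) { 'not set' } else { '0x{0:X2}' -f $value })
            RemovableBlocked   = ($null -ne $value) -and (($value -band 0x04) -ne 0)
            NetworkBlocked     = ($null -ne $value) -and (($value -band 0x10) -ne 0)
            AllBlocked         = ($null -ne $value) -and (($value -band 0xFF) -eq 0xFF)
        }
    }
}

# Usage: a machine-wide policy (HKLM) with AllBlocked = True is the state
# the February 2011 update was meant to achieve for USB and network drives.
Get-AutorunPolicyStatus | Format-Table -AutoSize
```

Run it in an elevated session on each XP or Vista machine you suspect has skipped the update; a row showing RemovableBlocked or NetworkBlocked as False is a machine to put at the front of the patching queue.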
The larger issue is the neglect of PCs by their users. Users (and the support staff responsible for them) still haven't learned that a PC is not like a TV or stereo receiver, where you plug it in and forget about it. Computers need to be continuously maintained and updated. Lauricella says that approximately 90% of all vulnerabilities that cybercriminals exploited in early 2011 were more than a year old, meaning a fix had long been available.
At the very least, update your Windows XP systems with the latest patches. Microsoft is committed to providing patches through 2014. Windows 7 would be a better idea, but between the economy and the floods in Thailand sending the costs of new PCs through the roof (by way of the hard disk shortage), it's understandable if new PCs are not on the table right now.
What To Do
Lauricella says firms need to prioritize how they handle the security issues, and not fall for hype. Microsoft puts a fair amount of emphasis on products, not surprisingly. Its Internet Explorer 9, for example, has anti-phishing features, and the AppLocker feature in Windows 7 uses digitally signed code from the vendor to prevent programs from being installed or executed on managed desktops.
Beyond that, users need proper training. It would seem some end users aren't even getting that. Often, training is not handled by IT, which is too busy putting out fires. Instead, staff get a handout from HR on computer policies that they don't read.
"Bingo," says Abrams. "Our education efforts to date have been highly ineffective, and students are blamed for poor teaching techniques. The education component is essential. Without education, people can't understand policy in many cases. It's not that they don't want to comply; they don't know what it means."
But instead of having the techies do it, Abrams has his own unique solution: peer education. "An IT manager with CEO-level support should set up brown bag lunches. Have different employees research a security topic and present it to their peers. Have the presentation reviewed by IT first, but when people start researching a topic themselves, it makes it more personal. And when the others learn from their peers, they realize they can learn this information too, and when they present it to their peers they develop work skills," he says.
One of the most common exploits targeting companies is what is diplomatically known as social engineering, otherwise known as BSing your way past someone who doesn't know better. Education must include discussion of social engineering tricks. A disturbing number of people give out passwords despite being told again and again never to give a password to anyone.
So study how the bad guys work and use that to mitigate their attacks, says Abrams. "Look at the concepts around various social engineering attacks and teach people using examples and conceptual exercises how to identify when they are being social engineered. Fundamental understanding of how computers work and how to secure them in plain language will make all the difference in the world. It can't solve crime but can mitigate it," he says.