General Manager, Trustworthy Computing, Microsoft
Today, I spoke at NATO (North Atlantic Treaty Organization) during the Information Assurance Symposium 2011 on cybersecurity. I started by teeing up two important questions:
· What techniques are attackers using?
· What methods do we have at our disposal for defending against them?
The good news is that organizations can be better protected than the headlines might lead us to believe—even in the face of malicious adversaries and targeted attacks.
Four Points of Attack
There are four areas that attackers focus on:
· Finding Vulnerabilities. This encompasses vulnerabilities that are introduced while the product is being built. Attackers attempt to exploit vulnerabilities in hardware and software, including the operating system, applications and services.
· Supply Chain, including product integration and delivery. Supply chain issues include attacks on product or service suppliers and subcontractors, malicious insiders and non-genuine products that could be tampered with in transit or during deployment to the customer.
· Operational Security. Once the product is created and safely delivered to a customer’s hands, attackers analyze how it’s deployed, searching for weak spots in an organization’s operational security. This includes whether strong passwords are required and whether software updates and security patches are immediately applied, but also covers issues like whether the company has a process to vet new hires.
· Social Engineering. As security improves in products and services, we see social engineering – tricking users - becoming the attack route of choice. Cyber attackers are adept at creating plausible e-mails that deliver malicious code, or posing as IT staff and asking users for passwords.
Organizations can take concrete steps to enhance their security against all four areas of attack. In fact, they must do so to ensure there is no glaring “weakest link” that would allow an attacker to sidestep investment in other areas. Let’s take a look at how security can be enhanced at each of the four stages.
Enhancing Security for Product Creation
From the inception of a product at Microsoft, we apply rigorous processes and tools to reduce vulnerabilities. Our Security Development Lifecycle (SDL) is applied to every product during development and has proven its ability to increase the security of software. We’ve made the SDL process and many of our tools available for others to use—check out http://microsoft.com/SDL.
We also invest in mitigations so that even if a vulnerability is found, it is still difficult or impossible for an attacker to use. These mitigations, such as ASLR, included in Windows Vista, are built in and most are enabled by default. While you don’t notice them when using the computer, they take useful handholds away from attackers. The SDL requires that Microsoft products take advantage of mitigations to improve their resistance to attack.
Finally, it’s important to apply software updates to quickly respond to issues and decrease the likelihood of an attack against that issue or vulnerability. We’ve worked hard to make updates timely, easy to install, reliable and complete.
Enhancing Security for the Supply Chain
Governments have become increasingly concerned that a sophisticated attacker could manipulate products during their development or delivery in order to undermine or disrupt government functions.
We recently published two white papers on cyber supply chain risk management. The first white paper Cyber Supply Chain Risk Management: Toward a Global Vision of Transparency and Trust presents a set of key principles to enable governments and vendors to manage supply chain policies more effectively. The second paper, Toward a Trusted Supply Chain: A Risk-Based Approach to Managing Software Integrity provides a framework for the pragmatic creation and assessment of Software Integrity risk management practices in the product development process and online services operations.
Enhancing Operational Security
Strong operational security and use of best practices are essential because attackers often focus on finding deployment issues such as unpatched or misconfigured computers, weak passwords, computers that unintentionally bridge the corporate network to the Internet, or unapproved file-sharing software that makes internal documents publicly available.
Operational security can be enhanced by the use of best practices, including enforcing good security policies, aggressively updating software, monitoring your network for threats, employing defense-in-depth and ensuring your enterprise has incident response procedures.
Enhancing Security against Social Engineering
Social engineering attacks can be difficult to block because it’s hard to protect against the actions of a legitimate user. Education is a key part of defense. Organizations should raise awareness of these threats and provide training to help spot and prevent social engineering.
Organizations can also protect users from their own actions by instituting best practices such as:
· Use encryption. Encryption should be used to protect sensitive data, including drive encryption like BitLocker to secure data should a computer be stolen or simply lost.
· Apply least privilege. Use least-privileged accounts and software restriction policies like AppLocker.
Learn more about cybersecurity topics via the Microsoft Security blog.