Cyber threats to Windows XP and guidance for Small Businesses and Individual Consumers

It’s been well publicized that on April 8th, 2014 Microsoft discontinues product support for Windows XP.  Windows XP was released in 2001, and the support policy covering its lifecycle followed in October 2002.  In September 2007, we announced that support for Windows XP would be extended an additional two years, to April 8, 2014.  We are very clear about the lifecycle of our products, deliberately communicating this information years in advance, because we know customers need time to plan for changes to their technology investments and manage upgrades to newer systems and services.

We’ve also focused on communicating regularly, such as an article posted in August of last year.  That piece focused on the fact that supported versions get security updates that address any newly discovered vulnerabilities, which Windows XP won’t receive after April 8, 2014.  This means that running Windows XP when the product is obsolete (after support ends), will increase the risk of technology being affected by cybercriminals attempting to do harm.  This blog post continues on from that article, and also provides guidance to consider as people look ahead.

Many of the enterprise customers I’ve talked to recently have finished, or are in the process of finishing, technology projects that move their desktop computing environments from Windows XP to Windows 7 or Windows 8.  However, I’ve also talked to some small businesses and individuals that don’t plan to replace their Windows XP systems even after support for these systems ends in April.  In light of this, I want to share some of the specific threats to Windows XP-based systems that attackers may attempt after support ends, so that these customers can understand the risks and hopefully decide to immediately upgrade to a more secure version of Windows, or accelerate existing plans to do so.

The cyber threats discussed here are based on data and insights from recent volumes of the Microsoft Security Intelligence Report.  This report includes aggregate data on the threats that hundreds of millions of systems around the world encounter – many of which are successfully blocked by Microsoft antivirus software and the security features built into Windows, Internet Explorer, Bing, and other Microsoft products and services.  This data gives us a good picture of the tactics that attackers have been using to try to compromise computer systems, including which attacks are used most often on Windows XP systems.  The information then helps Microsoft and antivirus security companies develop ways to combat those attacks.  Since the year that Windows XP was built, cyber attacks have increased in sophistication.  Systems receiving regular updates get the protections they need against the latest cyber threats.  But at some point an older model of any product lacks the capability to keep up and becomes antiquated.  Obsolescence for Windows XP is just around the corner.

What Motivates Cyber Attackers?
Attackers’ motivations have changed over the past decade.  Ten years ago attackers were primarily motivated by making a name for themselves through notoriety for each malicious act they completed.  Today, attackers typically steal personal and business information from the systems they go after and try to keep a lower profile, as the goal is more often financial profit than mischievous disruption or ego.  The attackers that steal information from computer systems sometimes choose to trade or sell that stolen information to other criminals to use for identity theft and bank fraud schemes.  And access to compromised computer systems is often sold or leased by attackers to other criminals to perpetrate more crimes against additional unsuspecting victims, while providing anonymity to the original criminals.

Microsoft Security Innovations made it Harder for Cyber Attackers to be Successful
Following Windows XP’s release and through 2004, there were several cyber attacks that gained widespread awareness in news outlets and with many customers.  In the wake of those computer virus attacks, Microsoft invested further in several important security protections and turned on existing improvements (called “mitigations” by security experts) in order to better protect customers that were running Windows XP.  This protection push resulted in a major update called Windows XP Service Pack 2, which was released in 2004.  One of the security mitigations that was turned on in Service Pack 2 was a feature called Windows Firewall.  This helped stop many of the attacks that were common at that time and made it much harder for attackers to violate Windows XP systems.  Our security intelligence report shows that the time between major attacks grew longer after Windows XP Service Pack 2 was released, proving that Service Pack 2 provided more protections than prior versions of Windows XP.

The Usual Suspects – Threats to expect against Windows XP
The types of attacks that we expect to target Windows XP systems after April 8th, 2014 will likely reflect the motivations of modern day attackers.  Cybercriminals will work to take advantage of businesses and people running software that no longer has updates available to repair issues.  Over time, attackers will evolve their malicious software, malicious websites, and phishing attacks to take advantage of any newly discovered vulnerabilities in Windows XP, which post April 8th will no longer be fixed.

Here’s a list of risks that Windows XP based systems might encounter over time, along with some guidance to help small businesses and individual consumers temporarily protect themselves against cyber attacks while moving to a modern operating system:

RISK #1: SURFING THE INTERNET:  New exploits for Windows XP will likely be added to cybersecurity exploit kits that are sold/leased to attackers.  Exploit kits make it easy for professional and novice attackers alike to build malicious websites that try to install malware on systems that visit those sites.  Surfing the Internet on Windows XP based systems after April 8th, 2014 will become more risky as new exploits for Windows XP are distributed among attackers via exploit kits.

Guidance: Since browsing the Internet is a risky proposition on out-of-support systems like Windows XP after April, small businesses and consumers should limit where they go on the Internet to help manage the risk.  Limiting the specific websites these systems can reach on the Internet, or simply not using Windows XP systems to connect to the Internet, will reduce the probability of compromise via a malicious website.

Important note: Changing browsers won’t mitigate this risk as most of the exploits used in such attacks aren’t related to browsers.

RISK #2: OPENING EMAIL AND USING INSTANT MESSAGING (IM): Many attacks typically start with a well-constructed phishing attack via email.  The email will likely contain the Internet address (also known as a URL) to a malicious website that has been constructed for unsupported Windows XP based systems.  The email could also have a specially crafted malicious attachment that when opened, exploits an unpatched Windows XP vulnerability, potentially giving attackers control of the system.  Attackers have also used Instant Messaging (IM) to deliver malicious URLs and attachments.  Opening email or using IM on Windows XP based systems after April 8th, 2014 will become more risky as new exploits for Windows XP may be integrated into phishing attacks, malicious emails and IMs.

Guidance: Malicious e-mail messages are a very common tactic attackers use to gain entry to systems.  Given this, it would be prudent to avoid using Windows XP systems to send or receive email.  Avoid clicking on links or opening attachments sent via email or IM.

Important note: Using a different email or IM program likely won’t mitigate this risk, as these attacks are typically in the content of the messages themselves, not a vulnerability in a specific email or IM program.

RISK #3: USING REMOVABLE DRIVES:  Attackers can attempt to use USB drives and other types of removable drives to distribute malware that seeks to leverage new vulnerabilities in Windows XP to compromise systems.

Guidance: This is a common way that Windows XP systems get infected with malware.  Some customers have decided to physically block access to USB ports on systems in their organizations in an attempt to block this type of threat.  Connecting removable storage devices to Windows XP systems should be avoided. More information is available in this article: Defending Against Autorun Attacks.

RISK #4: WORMS WILL USE ANY NEWLY DISCOVERED VULNERABILITIES TO ATTACK WINDOWS XP: Malware purveyors will likely integrate new vulnerabilities targeting Windows XP into malware that tries to multiply.  The success of the virus named Conficker at infecting systems in enterprise environments illustrates that security firewalls and strong password policies are still not comprehensively used.  Organizations that continue to run Windows XP after support ends should be on guard for this type of threat in their environment, which is typically introduced into systems by infected USB drives in an attempt to get past firewalls.

Guidance: Review any exceptions you allow, through firewalls, in your environment. Only keep the exceptions in your firewall rules that you really need.  Follow the earlier guidance to limit removable drive use on Windows XP systems. Use strong passwords on your systems that can’t be easily guessed.

RISK #5: RANSOMWARE:  We have seen a large uptick in ransomware in recent years.  Attackers use this type of malware to extort users into paying them to unencrypt files that the malware has encrypted on their system, or to unlock the system’s desktop.  After April 2014, attackers will likely attempt to use unpatched vulnerabilities on Windows XP based systems to distribute ransomware.  This type of attack can have a crippling impact on small businesses and consumers that lose access to important data or systems.

Guidance: Restoring data from backup is a good way to recover from a ransomware infection.  More frequent backups of data stored on Windows XP systems or that Windows XP systems have access to, would be prudent after April.

So What Should You Do?

The guidance above provides suggestions for managing some of the risks of running Windows XP post April 8.  However, the primary thrust of our advice is clear: the best option is to migrate to a modern operating system like Windows 7 or Windows 8, which have a decade of evolved security mitigations built in and will be supported after April 8, 2014.

Upgrade Advice
For customers considering upgrading a device designed to run Windows XP, we recommend purchasing modern hardware – from touch laptops to tablets to all-in-ones – to take full advantage of the features and touch-based user interface available in Windows 8 or later systems.  Modern devices are not only faster and have greater performance than devices running older operating systems, but come with greater security features, new and improved networking tools for when you’re on the go, modern apps and more.

If a customer wants to upgrade an existing machine to Windows 8.1, upgrade activities depend on what current operating system is on the machine, and the capabilities of that hardware.  System requirements to install a new operating system can be found here.

  • Computers running Windows 8 can be updated to Windows 8.1 via the Windows Store (for consumers) or using media (for larger organizations with volume licensing).
  • Computers running Windows 7 can be upgraded to Windows 8 using media, then updated to Windows 8.1 (using the process above).
  • Computers running Windows XP cannot be upgraded in-place to Windows 7, Windows 8, or Windows 8.1. A clean install is necessary, although user data can be migrated.

For customers who are unsure of what version of Windows they are using, visit AmIRunningXP.com, a website designed to automatically tell if a computer is running on Windows XP or a newer version of Windows like Windows 7, Windows 8 or Windows 8.1.  If it detects Windows XP, the website provides guidance on how to upgrade ahead of the April 8th end of support deadline.

Additional information on the end of support for Windows XP and how to upgrade can be found here.

Tim Rains
Director
Trustworthy Computing Group

Addressing Cyberattacks via Positive Enforcement Model

Stop Playing Whack-A-Mole with Advanced Threats

As more and more details about the Target breach have emerged, security experts, bloggers and media have focused on why Target failed to react to alerts from zero day malware point products that allegedly provided indication there was malware in the network.

According to a Bloomberg BusinessWeek article, a team of security specialists in Bangalore, India, spotted the alerts and relayed the information to counterparts at Target’s headquarters in Minneapolis, who apparently failed to follow up. In fact, according to this Network World article, major companies often do not react to these alerts because they receive so many false positives that it takes too many resources to act on them.

Whether or not someone should have acted on the information is beside the point. The takeaway from this breach is that the strategy of tackling modern, advanced attacks via point products is flawed. The modern attack cycle, and the cyber criminals behind it, use a sophisticated system to attack enterprises. (Just think about the definition of APTs – advanced, persistent threats.) Trying to defend against them with one-off point solutions is like playing a whack-a-mole game, always one step behind the attacker and trying to play catch up with the alerts as they’re received. A tactical, negative enforcement approach using point solutions means that organizations are constantly trying to keep up with bad things in the network without proper context.

Jon Oltsik of Enterprise Strategy Group in his report entitled “Advanced Malware Trends, Opinions and Strategies” outlined this very eloquently:

“Following a historical pattern, many organizations want to address new types of malware with new kinds of threat prevention technologies. After all, this strategy worked reasonably well against e-mail threats, web threats, and endpoint threats in the past. Why not just buy another appliance to block new types of malware?

 Unfortunately, this strategy will simply add another one-off solution to an already chaotic security infrastructure. ESG believes that this type of enterprise security infrastructure based upon independent point tools and manual processes will ultimately fail because it is no match for the scale, sophistication, and complexity of modern IT and cyber threats.”

Addressing Cyberattacks via a Positive Enforcement Model

A better philosophy for addressing modern attacks is a positive enforcement model. Positive enforcement implies that you selectively allow what is required for day-to-day business operations, as opposed to a negative enforcement approach, where you selectively block what is not allowed and let everything else through.

When adopting a positive enforcement model, you would:

• Only enable applications, their application functions and content for certain groups and users. For example, “John” from “group Finance” can access the PCI zone using the “Oracle” application. All other traffic is explicitly denied. (Oh, and by the way, if you’re still using security appliances that classify traffic based on ports and protocols, you’re out of luck!)

• Next, for the application traffic that you’ve allowed in your network, you would inspect the applications for known threats, ensuring that common vulnerabilities are not being exploited by attackers.

• Sandboxing technology is then used to inspect unknown files for zero day malware that may have been downloaded by a gullible user in the network, or used to infect servers in the datacenter. Note that the sandboxing technology to inspect for unknown threats becomes the last line of defense, not a reactionary first line of defense.

• Information about zero day malware found via this sandboxing technology should then be used to create threat signatures to ensure no further infection or malware propagation in the network. In addition, information about indicators of compromise, command and control domains, DNS information should be fed into other threat prevention functions (like URL blocking for the new command and control domains), rapidly turning these unknown threats into known threats.
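The four steps above, as an added illustration that is not code from the article or from Palo Alto Networks: a small Python policy engine that default-denies any session without an explicit allow rule (group, application, zone, optionally user), runs known-threat checks on allowed traffic, sends unknown files to a sandbox, and feeds a malicious verdict back into the signature and C2-domain lists so the same threat is caught as a known threat next time. The sandbox is a constructed stub and the file hashes and domain are constructed sample values.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One observed session, already classified by application (not by port)."""
    user: str
    group: str
    app: str
    zone: str
    dest_domain: Optional[str] = None   # destination the session talks to, if known
    file_sha256: Optional[str] = None   # hash of a file carried in the session, if any


@dataclass(frozen=True)
class AllowRule:
    """Positive rule: who may use which application into which zone.
    user=None means the rule applies to everyone in the group."""
    group: str
    app: str
    zone: str
    user: Optional[str] = None

    def matches(self, flow: Flow) -> bool:
        return (self.group == flow.group and self.app == flow.app
                and self.zone == flow.zone
                and self.user in (None, flow.user))


# Constructed sample values (not real indicators).
MALICIOUS_SHA256 = "ab" * 32          # file the stub sandbox flags as malicious
BENIGN_SHA256 = "cd" * 32             # file the stub sandbox flags as clean
SAMPLE_C2_DOMAIN = "c2.example.invalid"

# Stub sandbox: sha256 -> (malicious?, C2 domains seen while detonating the file).
_STUB_VERDICTS: Dict[str, Tuple[bool, List[str]]] = {
    MALICIOUS_SHA256: (True, [SAMPLE_C2_DOMAIN]),
    BENIGN_SHA256: (False, []),
}


def stub_sandbox(sha256: str) -> Tuple[bool, List[str]]:
    """Stand-in for a real detonation sandbox (hypothetical, constructed here)."""
    return _STUB_VERDICTS.get(sha256, (False, []))


class PositiveEnforcer:
    def __init__(self, rules: Iterable[AllowRule],
                 known_bad_hashes: Iterable[str] = (),
                 c2_domains: Iterable[str] = (),
                 sandbox: Callable[[str], Tuple[bool, List[str]]] = stub_sandbox):
        self.rules = list(rules)
        self.known_bad_hashes = set(known_bad_hashes)   # step 4: learned signatures
        self.c2_domains = set(c2_domains)               # step 4: learned C2 domains
        self.sandbox = sandbox
        self.log: List[Tuple[Flow, str]] = []

    def decide(self, flow: Flow) -> str:
        verdict = self._decide(flow)
        self.log.append((flow, verdict))
        return verdict

    def _decide(self, flow: Flow) -> str:
        # Step 1: positive enforcement. No matching allow rule means deny.
        if not any(rule.matches(flow) for rule in self.rules):
            return "deny: no allow rule (default deny)"
        # Step 2: inspect allowed traffic for known threats.
        if flow.dest_domain is not None and flow.dest_domain in self.c2_domains:
            return "block: known C2 domain"
        if flow.file_sha256 is not None and flow.file_sha256 in self.known_bad_hashes:
            return "block: known malware signature"
        # Step 3: unknown file goes to the sandbox, the last line of defense.
        if flow.file_sha256 is not None:
            malicious, c2 = self.sandbox(flow.file_sha256)
            if malicious:
                # Step 4: turn the unknown threat into a known one for next time.
                self.known_bad_hashes.add(flow.file_sha256)
                self.c2_domains.update(c2)
                return "block: sandbox verdict (now a known threat)"
        return "allow"


def run_scenario() -> List[str]:
    """Walks the article's example through the engine and returns the verdicts."""
    engine = PositiveEnforcer([AllowRule(group="Finance", app="Oracle", zone="PCI")])
    flows = [
        Flow("John", "Finance", "Oracle", "PCI"),                              # allowed
        Flow("Jane", "Marketing", "Oracle", "PCI"),                            # default deny
        Flow("John", "Finance", "Oracle", "PCI", file_sha256=BENIGN_SHA256),   # sandbox: clean
        Flow("John", "Finance", "Oracle", "PCI", file_sha256=MALICIOUS_SHA256),# sandbox: bad
        Flow("John", "Finance", "Oracle", "PCI", file_sha256=MALICIOUS_SHA256),# now known
        Flow("John", "Finance", "Oracle", "PCI", dest_domain=SAMPLE_C2_DOMAIN),# learned C2
    ]
    return [engine.decide(f) for f in flows]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```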

Benefits of a Positive Enforcement Model Approach

There are several benefits to this approach:

Context – Effective security for organizations is about building good context and managing risks. This positive enforcement model can be applied to various segments of the network, providing context and understanding of what is traversing the network. If the proper context is known about a particular segment being protected, any alerts can be acted on with the appropriate urgency.

Reduce attack surface – This positive enforcement approach also reduces the attack surface. By only allowing certain applications and application functions for user groups, any unknown traffic becomes more significant, and can signify hacker or malware activity or an unknown application.

Systems approach to attack lifecycle – The most important aspect of the approach above is transforming information about unknown zero day malware into known information that can be part of the arsenal of protection. Just as cybercriminals are using information found in the network to learn, adapt and refine their malware techniques to get to their target data, a proper systems-based threat prevention solution will continually learn and adapt to new threats.

If you’ve reacted to the latest zero day malware with a point product du jour, it’s time to take a step back and rethink your strategy. Sandboxing should only be one of many components in an integrated positive enforcement model approach to dealing with malware.

Danelle Au manages data center and service provider solutions at Palo Alto Networks. She brings more than 10 years of product and technical marketing experience in the security and networking market. Prior to Palo Alto Networks, Danelle led the product management and strategy efforts at Cisco for the TrustSec network access control solution and ASA 5500 Adaptive Security Appliance platforms. She was also co-founder of a high-speed networking chipset startup. She is co-author of an IP Communications Book, “Cisco IP Communications Express: Operation, Implementation and Design Guide for the Small and Branch Office” and holds 2 U.S. Patents.

[Source: SecurityWeek]

(ISC)² is 25 This Year: So What’s Ahead for the Organization?

W. Hord Tipton

(ISC)² is celebrating its silver anniversary as a global organization educating and certifying information security professionals. What are the key threats and trends driving the profession’s future growth?

The field has changed dramatically since 1989, when the International Information Systems Security Certification Consortium was established as a not-for-profit entity dedicated to education. When (ISC)² offered its first CISSP credential training, there were 500 applicants. Today, the organization serves more than 100,000 members in 135 countries, and its education programs are a vital element of a CISO’s career development.

W. Hord Tipton, executive director of (ISC)², says the organization is at a critical juncture.

“Our technology is just expanding exponentially,” Tipton says in an interview with Information Security Media Group. “We come from an area 25 years ago of really not having cellphones to now having smart computers hanging on our hips with more power than the Apollo [space capsule] that landed on the moon. It’s just amazing the things we have to change to keep up with this evolution.”

For the first half, maybe three-quarters of its existence, (ISC)² was primarily a certifying body, Tipton says. But the organization’s role has evolved dramatically.

“Now, having hit 100,000 members, we’re a self-sustaining operation,” he says. “We’re an organization that doesn’t exist for the mere sake of gaining members any more.”

Instead, Tipton says, “We refer to ourselves as an education and certification organization with social responsibility, as exhibited through our newly founded foundation.

“We try to build the security professionals of the future, and we want to get them early and keep them on a very robust and growing career path.”

In an interview about (ISC)² and its 25th anniversary, Tipton discusses:

  • Major accomplishments of the organization’s first 25 years;
  • The state of the security profession today;
  • Threats and trends that will drive future growth.

(ISC)² is a global leader in educating and certifying information security professionals throughout their careers. Before leading (ISC)², Tipton served as president and CEO of Ironman Technologies, where his clients included IBM, Perot Systems, EDS, Booz Allen Hamilton and Symantec. He also served for five years as CIO for the U.S. Department of the Interior.

[Source: Careers Info Security]

The Cybersecurity Canon: The Girl with the Dragon Tattoo


For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education.

I presented on this topic at RSA Conference 2014 and will also be discussing it at Ignite 2014. I love a good argument, so feel free to let me know what you think.

The Girl with the Dragon Tattoo (2005) by Stieg Larsson

When I read The Girl with the Dragon Tattoo for the first time a few years ago, I got the idea that there must be a lot of books published involving hackers and how they hack. I started to seek them out to see if any of them were any good.

What I discovered was that you could categorize these hacker books into two broad categories. In one category, the author does not really understand hacking at all and does not even attempt to describe how anything is done. I call this the “Harry Potter School of Hacking”: the hackers do a lot of hand-waving and say a lot of magic words like “Sending spike now!” or “Breaking encryption, this will just take a couple of seconds,” but you never really see how they accomplish those tasks. A good example of this kind of hacker storytelling is The Zenith Angle by Bruce Sterling. I loved the story, but Harry Potter might as well have been the main character because the hacking accomplished is magically done.

In the other category, the author has spent some time trying to understand hacking culture and to describe exactly how the hacker did what he or she did. A good example of this kind of storytelling is The Blue Nowhere by Jeffery Deaver, which I reviewed for a previous Cybersecurity Canon post. Deaver gets the technical details right by describing real-world and fictional tools that the two main hackers use against each other. The Girl with the Dragon Tattoo also falls into this latter category. Not only is it a fantastic story, but Larsson also gets the technical details right.

You probably have seen the popular movie versions, but this is one case where you definitely need to check out the book.

The Story

The Girl with the Dragon Tattoo is a ripping-good detective story set in the vicinity of Stockholm, Sweden, during a time when the only way to connect to the Internet from your home was with inexpensive modem lines or expensive ADSL lines.

The story revolves around a disgraced journalist, Mikael Blomkvist, who agrees to take a research case from a very old family patriarch, Henrik Vanger. The case involves the disappearance of Vanger’s favorite niece, Harriet, some forty years prior.

At a family gathering on their private island, Harriet disappeared without a trace. The local law enforcement officials suspected a runaway, then suicide, then murder, but were unable to find any meaningful clues one way or the other. Vanger suspects murder and is convinced that someone in his own family was behind the crime, but because the members of his extended family all vehemently hate each other and have a long list of fetishes and prejudices, any one of them could have had the motive to do it.

For the seven years before Harriet disappeared, she gave Vanger a framed exotic flower to hang on his wall for his birthday. For the next thirty-seven years after Harriet’s disappearance, he anonymously received another framed exotic flower in the mail on his birthday. Each flower is a reminder that Harriet is gone, that Vanger has no clue what happened, and that the person sending the flower may be the killer, taunting him. Before he dies, which could be very soon, Vanger wants resolution and hires Blomkvist to solve the case.

With the mystery laid out, Larsson walks the reader through what he really wants to talk about: a culture of violence against women. The working title to the book before he published it translates as Men Who Hate Women, so you know what Larsson had in mind. Lisbeth Salander is the tattooed girl referred to by the book’s title. She is an orphan, a ward of the state, a hacker with a photographic memory who works for a private investigation firm, and a young woman who refuses to be a victim.

Lisbeth is an amazing character — a real woman with strengths and flaws but who can be held up as someone to admire for her intelligence and determination. Blomkvist hires her to help him with the Vanger mystery, and although the story is told from Blomkvist’s perspective, you come to realize that the story is really about Salander.

The Tech

The story is so engulfing that when I read it for the first time, I got through about 75 percent of it and realized that I had not seen a lot of hacking by the Tattoo Girl. All that Larsson did describe was a lot of innuendo. Phrases like “the Tattoo Girl hacked my password and looked at my hard drive” pepper the narrative, but Larsson would never explain how Salander hacked things.

I was ready to chalk the entire book up as a good read, but put it squarely in the Harry Potter School of Hacking stories, when I arrived at the second climax of the story. There are two parallel plots running through the book, and the final climax is where the hacking comes in. Larsson describes in fairly good detail how Salander was able to defeat an e-mail encryption scheme central to one of the story’s main resolutions, install a piece of stealthy malcode over time, remotely control a bad guy’s Dell laptop with her Apple MacBook (I think there is a political statement in there somewhere), and reroute his money stored in numerous bank accounts around the world to equally numerous anonymous accounts that she had sole control over. The hacking description is very realistic.

Conclusion

If you like mysteries and if you like stories about hackers, you have to read this book. Be warned: there are a number of scenes that Larsson describes in gory detail regarding the sexual abuse of women. But it’s because of the hacking explanations that I think The Girl with the Dragon Tattoo is Canon-worthy – the techniques described and outcomes created are realistic.

Start with the book, but I’d also recommend you watch both movie versions of the book: the original 2009 Swedish version with Noomi Rapace as Salander and the American 2011 remake with Rooney Mara as Salander. Both actresses provide a compelling and completely different take on Salander, and each is fascinating to watch.

The Cybersecurity Canon: Fatal System Error

For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.

Fatal System Error: The Hunt For New Crime Lords Who Are Bringing Down the Internet (2010) by Joseph Menn

If you are interested in the evolution of cyber crime, Fatal System Error is a good first reference. The author, Joseph Menn, is able to capture the early years of the cyber criminal community as it was just beginning to productize its cyber business and professionalize it so that it ran more like a business.

Most of this book is about the incipient history of cyber crime. Menn tells the story through two early cybersecurity practitioners: a very young Barrett Lyon—an early cybersecurity services businessman who built one of the first denial of service protection companies called Prolexic Technologies—and Andy Cocker, who at the time was an agent for the UK’s National Hi-Tech Crime Unit.

Menn also manages to sprinkle in a discussion of some of the significant cybersecurity milestones from around 1995 to about 2009. He talks about the rise of cyber espionage and one of the first public discoveries of a state-sponsored amateur hacker group called the Chinese Network Crack Program Hacker (NCPH) group.

Menn also describes one of the first and most notorious known organized cyber crime syndicates called the Russian Business Network (RBN) which was virtually untouchable by law enforcement during this period. The owner of the syndicate was the son of a high-placed political official, so even if a Russian police officer felt the urge to arrest this cyber criminal, there were powerful forces within the Kremlin that made it a good idea not to.

Menn also covers the familiar ground of Estonia, Georgia and Kyrgyzstan where attackers first proved that cyber warfare was possible, and he documents some of the first uses of distributed denial of service (DDoS) attacks as an extortion tool. He explains the rise of bulletproof-hosting providers (essentially criminal Internet service providers) and the impotence of US law enforcement when tracking Russian cyber criminals during this period. In fact, Menn almost takes relish in describing the complete lack of respect for the FBI from the cybersecurity community during this time.

The Story

These details are side stories. The bulk of the book is about the rise of cyber crime. Lyon’s story is how he was sucked into protecting some less-than-savory companies that dabbled in offshore gambling and porn. Organized crime rings ran most of these operations, and the criminals involved were not above trying to sabotage their competitors’ efforts.

Offshore gambling became popular about the same time that hackers discovered that it was possible to launch DDoS attacks that could take a website or a data center offline by simply bombarding it with random data streams from thousands of computers – a botnet – around the Internet. These new cyber criminals used those kinds of tools against their competitors in an effort to drive them out of business. Lyon’s company owned the technology that could mitigate these kinds of attacks, and the organized crime operators came calling to get his help. Lyon’s story is about how he naively gets involved with these cyber criminals and subsequently tries to get himself out of the situation. It was not easy.

Cocker’s story is a bit different. He was an old-school British police officer frustrated with the inability of law enforcement to break down jurisdictional lines across international borders to arrest known cyber criminals. He and his National Hi-Tech Crime Unit decided to do something about it. Instead of waiting for Russian law enforcement to be compelled by political leaders to cooperate, Cocker went into the Eastern Bloc countries to build relationships with local law enforcement officials who were just as eager to bring these new cyber criminals to justice as he was. He had one tried-and-true method to accomplish this task: drink lots of vodka together. Over time, he built trust and friendships with his Russian counterparts and had amazing success arresting cyber criminals in the area.

Menn got a lot of help writing this book from various prominent cybersecurity researchers and journalists at the time. He singles out important commercial cybersecurity intelligence organizations like iDefense, Team Cymru, and SecureWorks. He pointedly casts disdain on several anti-virus vendors as being ineffective, including Kaspersky Lab, and on the perception that Russians were falsely persecuted by the rest of the world in terms of who was responsible for cyber crime, cyber hacktivism, and cyber warfare.

I do have a couple of quibbles with Menn’s story. He claims that RBN was the main force responsible for the DDoS attacks against Estonia and Georgia. While it may be true that computers within the RBN botnet system participated in those offensive attacks, I do not find Menn’s evidence compelling that RBN leaders orchestrated the attack on their own.

Both attacks had too much precision—some would say military precision—to be run from a civilian organization. I also do not like the way that Menn jumps back and forth in the timeline. For example, in one chapter, he will talk about events in 2008, jump to events in 2002, and then jump ahead to significant events in 2006. He makes it tough for the reader to understand the narrative arc. I would have appreciated a straight-up timeline to keep everything straight. But these are small quibbles. I do not have any compelling evidence either about who is responsible for the Estonia and Georgia attacks, so who am I to criticize the way that Menn tells this complicated story?

Conclusion

If you are interested in the evolution of cyber crime, Fatal System Error is a good reference. If you read this book and another that I just recently reviewed, Kevin Poulsen’s Kingpin, you will have a fairly thorough understanding of the cyber criminal world. Fatal System Error is a vital historical reference for the cybersecurity community. It is worthy of being a part of the Cybersecurity Canon, and you should have read it by now.
