Cyber threats to Windows XP and guidance for Small Businesses and Individual Consumers

It’s been well publicized that on April 8th, 2014 Microsoft discontinues product support for Windows XP.  Released in 2001, the support policy for the life of Windows XP soon followed in October 2002.  In September 2007, we announced that support for Windows XP would be extended an additional two years to April 8 2014.  We are very clear about the lifecycle of our products, deliberately communicating this information years in advance, because we know customers need time to plan for changes to their technology investments and manage upgrades to newer systems and services.

We’ve also focused on communicating regularly, such as an article posted in August of last year.  That piece focused on the fact that supported versions get security updates that address any newly discovered vulnerabilities, which Windows XP won’t receive after April 8, 2014.  This means that running Windows XP when the product is obsolete (after support ends), will increase the risk of technology being affected by cybercriminals attempting to do harm.  This blog post continues on from that article, and also provides guidance to consider as people look ahead.

Many of the enterprise customers I’ve talked to recently have finished, or are in the process of finishing, technology projects that move their desktop computing environments from Windows XP to Windows 7 or Windows 8.  However, I’ve also talked to some small businesses and individuals that don’t plan to replace their Windows XP systems even after support for these systems ends in April.  In light of this, I want to share some of the specific threats to Windows XP-based systems that attackers may attempt after support ends, so that these customers can understand the risks and hopefully decide to immediately upgrade to a more secure version of Windows, or accelerate existing plans to do so.

The cyber threats discussed here are based on data and insights from recent volumes of theMicrosoft Security Intelligence Report.  This report includes aggregate data on the threats that hundreds of millions of systems around the world encounter – many of which are successfully blocked by Microsoft antivirus software and the security features built into Windows, Internet Explorer, Bing, and other Microsoft products and services. This data gives us a good picture of the tactics that attackers have been using to try to compromise computer systems, including which attacks are used most often on Windows XP systems.  The information then helps Microsoft and antivirus security companies develop ways to combat those attacks.  From the year that Windows XP was built, cyber attacks have increased in sophistication.  Systems receiving regular updates get the protections they need based on the latest cyber threats.  But at some point an older model of any product will lack the capability to keep up and becomes antiquated.  Obsolescence for Windows XP is just around the corner.

What Motivates Cyber Attackers?
Attackers’ motivations have changed over the past decade.  Ten years ago attackers were primarily motivated by making a name for themselves through notoriety for each malicious act they completed.  Today, attackers typically steal personal and business information from the systems they go after and try to keep a lower profile, as the goal is financial profit more regularly than mischievous disruption or ego.  The attackers that steal the information from computer systems sometimes choose to trade or sell that stolen information to other criminals to use for identity theft and bank fraud schemes.  And, access to compromised computer systems is often sold or leased by attackers to other criminals to perpetrate more crimes against additional unsuspecting victims, while providing anonymity to the original criminals.

Microsoft Security Innovations made it Harder for Cyber Attackers to be Successful
Following Windows XP’s release and through 2004, there were several cyber attacks that gained widespread awareness in news outlets and with many customers.  In the wake of those computer virus attacks, Microsoft invested further in several important security protections and turned existing improvements (called “mitigations” by security experts) in order to better protect customers that were running Windows XP.  This protection push resulted in a major update called Windows XP Service Pack 2, which was released in 2004.  One of the security mitigations that was turned on in Service Pack 2 was a feature called Windows Firewall. This helped stop many of the attacks that were common at that time and made it much harder for attackers to violate Windows XP systems.  Our security intelligence report shows that the time between major attacks extended in length after Windows XP Service Pack 2 was released, proving that Service Pack 2 provided more protections than prior versions of Windows XP.

The Usual Suspects – Threats to expect against Windows XP
The types of attacks that we expect to target Windows XP systems after April 8th, 2014 will likely reflect the motivations of modern day attackers.  Cybercriminals will work to take advantage of businesses and people running software that no longer has updates available to repair issues.  Over time, attackers will evolve their malicious software, malicious websites, and phishing attacks to take advantage of any  newly discovered vulnerabilities in Windows XP, which post April 8th, will no longer be fixed.

Here’s a list of risks that Windows XP based systems might encounter over time, along with some guidance to help small businesses and individual consumers temporarily protect themselves against cyber attacks while moving to a modern operating system:

RISK #1: SURFING THE INTERNET:  New exploits for Windows XP will likely be added to cybersecurity exploit kits that are sold/leased to attackers.  Exploit kits make it easy for professional and novice attackers alike to build malicious websites that try to install malware on systems that visit those sites.  Surfing the Internet on Windows XP based systems after April 8th, 2014 will become more risky as new exploits for Windows XP are distributed among attackers via exploit kits.

Guidance: Since browsing the Internet is a risky proposition if running on out-of- support systems like Windows XP after April, small businesses and consumers should limit where they go to on the Internet to help manage the risk.  Limiting the specific websites these systems can get to on the Internet, or simply not using Windows XP systems to connect to the Internet, will reduce the probability of compromise via a malicious website.

Important note: Changing browsers won’t mitigate this risk as most of the exploits used in such attacks aren’t related to browsers.

RISK #2: OPENING EMAIL AND USING INSTANT MESSAGING (IM): Many attacks typically start with a well-constructed phishing attack via email.  The email will likely contain the Internet address (also known as a URL) to a malicious website that has been constructed for unsupported Windows XP based systems.  The email could also have a specially crafted malicious attachment that when opened, exploits an unpatched Windows XP vulnerability, potentially giving attackers control of the system.  Attackers have also used Instant Messaging (IM) to deliver malicious URLs and attachments.  Opening email or using IM on Windows XP based systems after April 8th, 2014 will become more risky as new exploits for Windows XP may be integrated into phishing attacks, malicious emails and IMs.

Guidance: Malicious e-mail messages are a very common tactic attackers use to gain entry to systems.  Given this, it would be prudent to avoid using Windows XP systems to send or receive email.  Avoid clicking on links or opening attachments sent via email or IM.

Important note:Using a different email or IM program likely won’t mitigate this risk as these attacks are typically in the content of the messages themselves, not a vulnerability in a specific email or IM program.

RISK #3: USING REMOVABLE DRIVES:  Attackers can attempt to use USB drives and other types of removable drives to distribute malware that seeks to leverage new vulnerabilities in Windows XP to compromise systems.

Guidance: This is a common way that Windows XP systems get infected with malware.  Some customers have decided to physically block access to USB ports on systems in their organizations in an attempt to block this type of threat.  Connecting removable storage devices to Windows XP systems should be avoided. More information is available in this article: Defending Against Autorun Attacks.

RISK #4: WORMS WILL USE ANY NEWLY DISCOVERED VULNERABILITIES TO ATTACK WINDOWS XP: Malware purveyors will likely integrate new vulnerabilities targeting Windows XP, into malware that tries to multiply.  The success of the virus named Conficker, to infect systems in enterprise environments, illustrates that security firewalls and strong password policies are still not comprehensively used.  Organizations that continue to run Windows XP after support ends, should be on guard for this type of threat in their environment, which is typically introduced into systems by infected USB drives in an attempt to get past firewalls.

Guidance: Review any exceptions you allow, through firewalls, in your environment. Only keep the exceptions in your firewall rules that you really need.  Follow the earlier guidance to limit removable drive use on Windows XP systems. Use strong passwords on your systems that can’t be easily guessed.

RISK #5: RANSOMWARE:  We have seen a large uptick in ransomware in recent years.  Attackers use this type of malware to extort users into paying them to unencrypt files that the malware has encrypted on their system, or to unlock the system’s desktop.  After April 2014, attackers will likely attempt to use unpatched vulnerabilities on Windows XP based systems to distribute ransomware.  This type of attack can have a crippling impact on small businesses and consumers that lose access to important data or systems.

Guidance: Restoring data from backup is a good way to recover from a ransomware infection.  More frequent backups of data stored on Windows XP systems or that Windows XP systems have access to, would be prudent after April.

So What Should You Do?

The guidance above provides suggestions towards managing some of the risks of running Windows XP post April 8.  However, the primary thrust of our advice is clear: the best option is to migrate to a modern operating system like Windows 7 or Windows 8 that have a decade of evolved security mitigations built in and will be supported after April 8, 2014.

Upgrade Advice
For customers considering upgrading a device designed to run Windows XP, we recommend purchasing modern hardware – from touch laptops to tablets to all-in-ones – to take full advantage of the features and touch-based user interface available in Windows 8 or later systems.  Modern devices are not only faster and have greater performance than devices running older operating systems, but come with greater security features, new and improved networking tools for when you’re on the go, modern apps and more.

If a customer wants to upgrade an existing machine to Windows 8.1, upgrade activities depend on what current operating system is on the machine, and the capabilities of that hardware.  System requirements to install a new operating system can be found here.

  • Computers running Windows 8 can be updated to Windows 8.1 via the Windows Store (for consumers) or using media (for larger organizations with volume licensing).
  • Computers running Windows 7 can be upgraded to Windows 8 using media, then updated to Windows 8.1 (using the process above).
  • Computers running Windows XP cannot be upgraded in-place to Windows 7, Windows 8, or Windows 8.1. A clean install is necessary, although user data can be migrated.

For customers who are unsure of what version of Windows they are using, visitAmIRunningXP.com, a website designed to automatically tell if a computer is running on Windows XP or a newer version of Windows like Windows 7, Windows 8 or Windows 8.1.  If it detects Windows XP, the website provides guidance on how to upgrade ahead of the April 8th end of support deadline.

Additional information on the end of support for Windows XP and how to upgrade can be foundhere.

Tim Rains
Director
Trustworthy Computing Group

Addressing Cyberattacks via Positive Enforcement Model

Stop Playing Whack-A-Mole with Advanced Threats

As more and more details about the Target breach have emerged, security experts, bloggers and media have focused on on why Target failed to react to alerts from zero day malware point products that allegedly provided indication there was malware in the network.

According to a Bloomberg BusinessWeek article, a team of security specialists in Bangalore, India, spotted the alerts and relayed the information to counterparts at Target’s headquarters in Minneapolis, who apparently failed to follow up. In fact, according to thisNetwork World article, major companies often do not react to these alerts because there receive so many false positives it takes too many resources to act on them.

Whether or not someone should have acted on the information is beside the point. The takeaway from this breach is that the strategy of tackling modern, advanced attacks via point products is flawed. The modern attack cycle, and the cyber criminals behind it are using a sophisticated system to attack enterprises. (Just think about the definition of APTs – advanced, persistent threats). Trying to defend them with one-off point solutions is like playing a whack-a-mole game, always one step behind the attacker and trying to play catch up with the alerts as they’re received. A tactical, negative enforcement approach using point solutions means that organizations are constantly trying to keep up with bad things in the network without proper context.

Jon Oltsik of Enterprise Strategy Group in his report entitled “Advanced Malware Trends, Opinions and Strategies” outlined this very eloquently:

“Following a historical pattern, many organizations want to address new types of malware with new kinds of threat prevention technologies. After all, this strategy worked reasonably well against e-mail threats, web threats, and endpoint threats in the past. Why not just buy another appliance to block new types of malware?

 Unfortunately, this strategy will simply add another one-off solution to an already chaotic security infrastructure. ESG believes that this type of enterprise security infrastructure based upon independent point tools and manual processes will ultimately fail because it is no match for the scale, sophistication, and complexity of modern IT and cyber threats.”

Addressing Cyberattacks via a Positive Enforcement Model

A better philosophy to addressing modern attacks is via a positive enforcement model. Positive enforcement implies that you selectively allow what is required for day-to-day business operations as opposed to a negative enforcement approach where you would selectively block everything that is not allowed.

When adopting a positive enforcement model, you would:

• Only enable applications, their application functions and content for certain groups and users. For example, “John” from “group Finance” can access the PCI zone using “Oracle application. All other traffic is explicitly denied. (Oh, and by the way, if you’re still using security appliances that classify traffic based on ports and protocols, you’re out of luck!).

• Next, for the application traffic that you’ve allowed in your network, you would inspect the applications for known threats, ensuring that common vulnerabilities are not being exploited by attackers.

• Sandboxing technology is then used to inspect unknown files for zero day malware that may have been downloaded by a gullible user in the network, or used to infect servers in the datacenter. Note that the sandboxing technology to inspect for unknown threats becomes the last line of defense, not a reactionary first line of defense.

• Information about zero day malware found via this sandboxing technology should then be used to create threat signatures to ensure no further infection or malware propagation in the network. In addition, information about indicators of compromise, command and control domains, DNS information should be fed into other threat prevention functions (like URL blocking for the new command and control domains), rapidly turning these unknown threats into known threats.

Benefits of a Positive Enforcement Model Approach

There are several benefits to this approach:

Context – Effective security for organizations is about building good context and managing risks. This positive enforcement model can be applied to various segments of the network, providing context and understanding of what is traversing the network. If the proper context is known about a particular segment being protected, any alerts can be acted on with the appropriate urgency.

Reduce attack surface – This positive enforcement approach also reduces the attack surface. By only allowing certain applications and application functions for user groups, any unknown traffic becomes more significant, and can signify hacker or malware activity or an unknown application.

Systems approach to attack lifecycle – the most important aspect of the approach above is transforming information about unknown zero day malware to known information that can be part of the arsenal of protection. Just as cybercriminals are using information found in the network to learn, adapt and refine their malware techniques to get to their target data, a proper systems-based threat prevention solution will continually learn and adapt to new threats.

If you’ve reacted to the latest zero day malware with a point product du jour, it’s time to take a step back and rethink your strategy. Sandboxing should only be one of many components in an integrated positive enforcement model approach to dealing with malware.

Danelle Au manages data center and service provider solutions atPalo Alto Networks. She brings more than 10 years of product and technical marketing experience in the security and networking market. Prior to Palo Alto Networks, Danelle led the product management and strategy efforts at Cisco for the TrustSec network access control solution and ASA 5500 Adaptive Security Appliance platforms. She was also co-­founder of a high-­speed networking chipset startup. She is co-­author of an IP Communications Book, “Cisco IP Communications Express: Operation, Implementation and Design Guide for the Small and Branch Office” and holds 2 U.S. Patents.

[Source: SecurityWeek]

(ISC)² is 25 This Year: So What’s Ahead for the Organization?

W. Hord Tipton

(ISC)² is celebrating its silver anniversary as a global organization educating and certifying information security professionals. What are the key threats and trends driving the profession’s future growth?

The field has changed dramatically since 1989, when the International Information Systems Security Certification Consortium was established as a not-for-profit entity dedicated toeducation. When (ISC)² offered its first CISSP credential training, there were 500 applicants. Today, the organization serves more than 100,000 members in 135 countries, and its education programs are a vital element of a CISO‘s career development.

W. Hord Tipton, executive director of (ISC)², says the organization is at a critical juncture.

“Our technology is just expanding exponentially,” Tipton says in an interview with Information Security Media Group. “We come from an area 25 years ago of really not having cellphones to now having smart computers hanging on our hips with more power than the Apollo [space capsule] that landed on the moon. It’s just amazing the things we have to change to keep up with this evolution.”

For the first half, maybe three-quarters of its existence, (ISC)² was primarily a certifying body, Tipton says. But the organization’s role has evolved dramatically.

“Now, having hit 100,000 members, we’re a self-sustaining operation,” he says. “We’re an organization that doesn’t exist for the mere sake of gaining members any more.”

Instead, Tipton says, “We refer to ourselves as an education and certification organization with social responsibility, as exhibited through our newly founded foundation.

“We try to build the security professionals of the future, and we want to get them early and keep them on a very robust and growing career path.”

In an interview about (ISC)² and its 25th anniversary, Tipton discusses:

  • Major accomplishments of the organization’s first 25 years;
  • The state of the security profession today;
  • Threats and trends that will drive future growth.

(ISC)² is a global leader in educating and certifying information security professionals throughout their careers. Before leading (ISC)², Tipton served as president and CEO of Ironman Technologies, where his clients included IBM, Perot Systems, EDS, Booz Allen Hamilton and Symantec. He also served for five years as CIO for the U.S. Department of the Interior.

[Source: Careers Info Security]

Understanding a Zero Trust Approach to Network Segmentation

Lately you’ve heard us talking a lot about Zero Trust, an architectural approach to enterprise security that uses “never trust, always verify” as its guiding principle.

First proposed by Forrester Research, a Zero Trust approach means there is no default trust for any entity, regardless of what it is and its location on or relative to the corporate network. With Zero Trust boundaries, you’re compartmentalizing different segments of your network. You can protect critical intellectual property, reduce the exposure of vulnerable systems, and prevent the lateral movement of malware throughout your network in a way other segmentation solutions – including the use of VLANs – do not.

True Zero Trust segmentation requires an enterprise security platform that addresses applications, users and content – and that’s exactly what Palo Alto Networks provides through secure access, inspection of all traffic, and advanced threat protection.

We’re pleased to share a range of new resources to help you get started with critical Zero Trust concepts:

  • Our Zero Trust resource page includes detailed discussions of the Zero Trust concept and links to videos, Forrester research and how we address segmentation forPCI compliance.
  • Our Zero Trust whitepaper itemizes the essential criteria and capabilities required of a Zero Trust solution, and also how the Palo Alto Networks next-generation security platform delivers on these requirements.
  • Our upcoming Zero Trust event in New York City, this Thursday, March 27 at 12:00 p.m.EST, will provide guidance on how to implement a Zero Trust model from Forrester Research Vice President and Principal Analyst John Kindervag and Palo Alto Networks technical experts. Register now.

And if you’ll be joining us at Ignite 2014 in Las Vegas next week, we will have several sessions devoted to Zero Trust as part of our Modern Data Centers track. Register now for Ignite if you haven’t already, and we’ll see you there!

In the meantime, check out a recent video with John Kindervag and I discussing Zero Trust and what it means for customers:

[Source: Palo Alto Networks Research Center]

5 Reasons Security Certifications Matter

There’s a lot of buzz around how certs aren’t important. I’m calling BS, and here’s why.

As thousands of cybersecurity professionals converge in San Francisco at the RSA Conference, I thought I would throw my two cents in on the certification debate. To wit, there’s a lot of buzz about the assertion that softer analytics skills matter more than certifications. I’ve even heard people say some security certs detract from a resume.

You know the No. 1 attribute of people claiming security certifications don’t matter? They don’t have any. In my years of experience placing security pros in good jobs, it’s that simple. Having the right certifications matters, and here’s why.

1.  You will make more money. The 682 IT security professionals responding to the security cut of InformationWeek’s 2013 U.S. IT Salary Survey are unequivocal: Security staffers holding any security certification (CISSP, CISA, CISM) average $101,000 in total compensation vs. $87,000 for those with no certs. For managers, the spread is $130,000 vs. $121,000. Do you really need another reason?

 

 

 

 

2. Certs show your commitment to the security field. I know you’re serious about cybersecurity as a career, otherwise you wouldn’t be reading this. But how will a hiring manager know?  Easy — by scanning resumes to see which applicants are committed enough that they’re willing to spend free time studying and doing homework, often paying for the privilege out of their own pockets. Just 44% of security staffers and 49% of managers in the salary survey expected to get certification reimbursement.

Most of us were not Jeff Spicoli, but admit it, we hated homework as kids. We couldn’t wait to grow up so we could spend our free time (and cash) doing just about anything else. I know a person who burned a full week of vacation and paid for lodging to obtain his Cloud Security certification.  As an employer and a hiring manager, that tells me he wants to become better. He’s the type of security professional that any company would be fortunate to have.

3. Certs make you more attractive to potential employers. Building on the above, obtaining a security certification shows you respect the industry and take pride in your profession. That kind of attitude is contagious. Moreover, it shows you’re smart enough to know what you don’t know and look to improve. It takes gumption to acknowledge that there are areas of one’s professional experience that could use a boost. Team members see this, and it rubs off.

All that adds up to a great employee. That hiring managers get this is a no-brainer. In a side-by-side comparison of otherwise equal candidates, most prefer the one with certs. Don’t take my word for it — check out the ISC2 Global Information Security Workforce Study. It concluded that almost 70% of respondents view certs as a reliable indicator of competency when hiring, and almost half require certification.

[If you realize that mobile security means more than ensuring users don’t download malware-bearing games from the Android store, take our 2014 survey and enter to win a 32 GB Kindle Fire HDX.]

4. Certs jump out when robots and spiders crawl resumes. Most, if not all, resume reviews begin with an electronic search. The HR pro types in some keywords and voila. I know from experience that people conducting keyword searches typically begin narrowly and expand only if early results fail. “Narrowly” means entering in a comprehensive (read: long) list of keywords, and I guarantee that at least one certification will be among them. If your resume includes those magic letters, it will always help you get on the fast-track through the electronic screening process.

Plus, the InformationWeek security salary survey shows you’ll be in the minority if you don’t have any certifications.

 

 

 

 

5. You become a member of a club. While it might not be as glamorous as joining Bushwood Country Club, earning a certification grants you membership to an exclusive club. This association affords you the opportunity to network with like-minded individuals, share information, and gain ongoing knowledge. You can attend conferences, webinars, and have access to information provided only to members. Again, a career win/win for you and your employer.

Now, before leaving an angry comment, I am not implying that you are not serious, a great team player, and worthy of a job if you don’t have security certification(s). We all know a certification is not more important than experience. But the two combined is a powerful and delicious combination. Peanut butter is great on its own. Add jelly and it’s irresistible to hiring managers.

Engage with Oracle president Mark Hurd, NFL CIO Michelle McKenna-Doyle, General Motors CIO Randy Mott, Box founder Aaron Levie, UPMC CIO Dan Drawbaugh, GE Power CIO Jim Fowler, and other leaders of the Digital Business movement at the InformationWeek Conference and Elite 100 Awards Ceremony, to be held in conjunction with Interop in Las Vegas, March 31 to April 1, 2014. See the full agenda here.

Mark Aiello is President of Cyber 360 Solutions, a cyber-security professional services and staffing firm headquartered in Boston. Cyber 360 Solutions is a division of Staffing 360 Solutions, a publicly listed company in the global staffing sector engaged in the acquisition of domestic and international staffing organizations with operations in the United States, Europe, and India. Previously, Mark was founder and CEO of The Revolution Group and secureRevGroup.

[Source: InformationWeek]

English
Exit mobile version