Windows Security: Thinking Beyond the Day-to-Day Hype
Why you shouldn't be worrying about many of the recently reported Microsoft vulnerabilities. Really.
Over the past month or so we've seen a return of the hype about vulnerabilities
in Microsoft products. It's not like it ever really left, but since the
vulnerability in .WMF handling from December, it seems we've had one story
after the next about some new zero-day, remotely exploitable vulnerability in
Microsoft software that should get your panties in a twist.
I mean, really, why should you get alarmed? Why should you care? What's
happening that really matters to your day-to-day business?
The answer is absolutely nothing. Let's consider some facts:
- New viruses emerge every day. Typically, a new virus definition file is
published by your anti-virus vendor every day. If you don't get the update,
potentially you could get one of the new viruses.
- New sites with spyware, adware or out-and-out malware are set up every day.
The vast majority of such URLs are unknown, and those that worked yesterday
probably won't work today -- they've either been taken down or just changed.
- Some employees will try something today to get something they shouldn't
be allowed to, either by social engineering, running a tool or continuing
their brute force password attempts.
- Bots continue to run every day, randomly trying to break into IP addresses
they generate. They try many ways, usually attempting to exploit the latest
In other words, we're under constant and relentless attack now. We have been
for a long time, and are likely to be for a long time to come. If you think
the only reason you haven't been compromised yet is because you've kept up-to-the-minute
with patches and anti-virus signatures, then I have a bridge to sell you.
Attacks vs. Attack Methods
As you know, most attacks come by e-mail, Web or insiders. You can get granular
over the latest attacks, or you can focus instead on protection from these methods:
- E-mail: Malicious e-mail without an attachment is virtually non-existent
in the real world (excluding phishing). You can either block the attachments,
or if you must let them through, pick a two-character extension that anyone
wishing to send you an attachment must use. Doing so prevents everything from
automatically executing should a user double-click on it. Yes, it seems more
cumbersome, but how will you feel about not having to worry about e-mail as
an attack vector any more?
As for phishing, to stop it dead in its tracks, convert HTML mail to plain
text. URLs that once read "www.yourtrustedbank.com" will become
- Web: The real threat from the Web is that a popular trusted site
becomes compromised. It has happened in the past, and it's going to happen
in the future. There's nothing we can do about that except hope that the site
isn't really that popular. The attack that will be used is likely to be an
old one. Patch your browser regularly, but remember that you're patching against
an extremely rare occurrence. Ask yourself, how many times have your browsers
been compromised by visiting a reasonably business-related site?
Make sure you have a policy in place informing your employees they shouldn't
be taking risks with the sites they visit while at work. Should an employee's
browser become compromised, they likely have visited a site they shouldn't
have, and have therefore violated the policy. That should be enough to keep
them away from the sites most likely to exploit a browser flaw. I realize
it sounds too simple to be true, but it's enough to turn the already rare
occurrence into an unbelievably rare one.
- Insiders: More often than not insiders are going to do something
trivial, not write and run an exploit against a vulnerability. They'll watch
an administrator type a password, or use a desktop that's already logged in
and not protected with a password-locked screensaver. In other words, you've
got lots of non-vulnerability related stuff to worry about already -- work
on those. Certainly you have to pay attention to vulnerabilities in your critical
security infrastructure -- domain controllers, payroll servers, etc. -- but
desktop vulnerabilities can be way down your list of things to get hyped up
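The plain-text conversion recommended above for phishing works because it puts a link's real target next to the text the reader sees. The script below is an added example, not code from the column or its author: it parses a constructed phishing-style HTML body with the standard library, prints each anchor the way a plain-text rendering would show it, and flags anchors whose visible text names a host that differs from the real href. The bank and attacker hostnames are made up.

```python
"""Added example: expose the real target of links in an HTML e-mail body."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body; both hostnames are invented for illustration.
SAMPLE_HTML = (
    "<p>Dear customer, please verify your account at\n"
    '<a href="http://login.example-attacker.test/verify">www.yourtrustedbank.com</a>\n'
    'or visit <a href="https://www.yourtrustedbank.com/help">our help page</a>.</p>'
)


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(value):
    """Hostname of a URL, or of a bare 'www.host' string with no scheme."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def link_report(html):
    """(visible text, real href, deceptive) for each anchor; deceptive is True
    when the visible text looks like a hostname but differs from the href's host."""
    parser = LinkExtractor()
    parser.feed(html)
    report = []
    for text, href in parser.links:
        shown = host_of(text) if "." in text and " " not in text else ""
        report.append((text, href, bool(shown) and shown != host_of(href)))
    return report


def plain_text_links(html):
    """What a plain-text conversion shows: anchor text followed by the real URL."""
    return [f"{text} <{href}>" for text, href, _ in link_report(html)]


if __name__ == "__main__":
    for text, href, deceptive in link_report(SAMPLE_HTML):
        print(f"{'MISMATCH' if deceptive else 'ok':8} {text!r} -> {href}")
```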
Risk Assessment vs. Panic
We've been told about alert levels going up because of the disclosure
of some vulnerability…to what end? The easy answer is that because they
went up, because people were alerted…we missed the "digital pearl
harbor" or massive attack. Bah! People got press, the media had a story
to write about, and life continued as if nobody had said a thing.
This column was originally published in our weekly Security Watch newsletter.
I'm all for worrying about risk, but if you live in a constant state of panic,
how will you know when you really need to burn the midnight oil doing something
to protect yourself?
Here's a set of questions you can ask yourself the next time someone's
warning you about some new vulnerability:
- Is there actually an attack? If no, forget about panicking.
- Does the attack require me to do something to be compromised (e.g., go
to a Web site, click on a link or execute anything)? If yes, forget about
- Does the attack yield higher privileges than the victim has? Can it easily
get the "goose that lays the golden eggs" at your company? If no,
forget about panicking.
- Can the attack ruin your company's reputation? If no, forget about panicking.
Effective risk analysis is the key to successful administration. It really
is that simple.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.