Microsoft Advocates Security Through Timely Patching
Organizations can ensure security by keeping Windows up to date, and they should patch their line-of-business applications as well.
That basic notion, well known by IT pros, was one of the main talking points heard recently from Microsoft Chief Security Advisor Tim Rains. He spoke on Day 1 of the Microsoft TechNet Virtual Conference series, a three-day Web event that kicked off on Tuesday. Rains' talk is available on demand here.
Four issues tend to increase risks for organizations. They have weak passwords, software misconfigurations, fall prey to "social engineering" attempts or have unpatched vulnerabilities. Rains' talk concentrated on the latter issue. He acknowledged that "patch Tuesdays," the second Tuesday of the month when Microsoft delivers its software updates and security bulletins, does increase anxiety for organizations, especially when they have complex software environments to maintain.
Since 1999, per U.S. Department of Homeland Security statistics, just 3 percent to 7 percent of all software vulnerabilities now track back to Microsoft, Rains said. Microsoft's security used to be "terrible," but the company has improved its software development process over the years. Rains credited Microsoft's Security Development Lifecycle (SDL) approach for this turnaround.
Most of the security problems out there are due to applications, which account for about 80 percent of the vulnerabilities, Rains said. Browsers, in particular, amount to about 15 percent to 25 percent of the security holes, he added. Some applications don't automatically update, which makes it a chore to keep them patched, but there's risk if the patching isn't done, Rains noted.
Rains provided some clarification about Microsoft's approach to software vulnerabilities. Its focus is on reducing vulnerabilities that are actually exploitable, rather than exploitable at the theoretical level, he explained. While there might be a high number of security bulletins issued on a given month, Microsoft measures its software security progress by its reduction of highly exploitable software flaws.
The exploitability of Microsoft's software flaws has declined, Rains contended. There's been a 70 percent reduction in critical exploitability between 2011 and 2013, and the software was even less exploitable between 2014 and 2015, Rains said.
It's been a long-running joke that "exploit Wednesday" follows "patch Tuesday." Rains contended, though, that this exploit Wednesday phenomenon has largely shrunk as a result of Microsoft's speed in releasing updates.
Attackers have speeded up the production of "exploit kits" following patch Tuesdays. They used to take about 30 days to create exploits kits for known vulnerabilities, but now that time has shrunk to about 10 days, Rains said. In 2015, Microsoft is now seeing so-called "zero-day" exploits being placed into attack kits. Zero-day flaws are unpublished vulnerabilities typically not known by software developers. Rains said that organizations with five-year-old patching methodologies are likely out of date in addressing this faster attack pace.
Attacks aren't going to stop, so Rains' guidance for IT pros is simply to keep software patched. If software is up to date, it can't be targeted, Rains contended.
"If your system is patched, it can't be exploited through unpatched vulnerabilities, which is one of the four ways I mentioned that people get exploited," he said.
Attackers in the early days used to be motivated by achieving notoriety, but profit is the main consideration today. Other threats come from "hacktivists" and "nation-state" entities, Rains said. The Stuxnet worm, allegedly created by the U.S. and Israel governments to disrupt Iranian nuclear technology development, is still around even though it's been patched in Windows since 2010. Stuxnet remains as the No. 1 attack attempt because other attackers have adopted it for commodity malware, Rains explained.
IT pros already understand that patching should be kept up to date, Rains said, which is hard work in a lot of environments. He said that Microsoft tries to minimize patch reboots because they're "painful." However, IT pros also should make sure that software mitigation tools are turned on as well. It will help ward off zero-day attacks. In that regard, Rains recommended using Microsoft's Enhanced Mitigation Experience Toolkit (EMET), a free software tool designed to ward off known exploit techniques. EMET will show all of an organization's apps that have Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) turned on, Rains said. While DEP and ASLR protections are built into Windows, sometimes those security options get unchecked, Rains explained. You can turn on those mitigations without recompiling apps when you use EMET, he added.
Rains also recommended the use of Microsoft's BinScope Binary Analyzer. Microsoft describes it as a tool for both developers and IT pros to audit the security of applications. Microsoft uses it as part of its SDL software approach. Rains said that BinScope will show which mitigations are turned on for a given binary.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.