TRANSCRIPT
Page 1
Security: The Changing Threat Environment
David Aucsmith, Architect and CTO, Security Business & Technology Unit, awk @ microsoft.com, Microsoft Corporation
Page 2
Session Outline
The World Today: Threats; Bad Guys
How We Got There: Legacy; Crime
Evolving the Solution: Security Strategy
A Look Ahead
Page 3
Vulnerability Timeline (diagram; labels recovered from the slide)
Lifecycle stages: Undiscovered (rarely discovered) -> Vulnerability Discovered -> Correction (Component Fixed) -> Packaging (Customer Fix Available) -> Customer Testing / Deployment -> Fix Deployed
Disclosure paths marked on the timeline: Responsible Disclosure (Vulnerability Disclosed) versus Early Disclosure; Experimentation
Other labels: Software Ship; Module Gap; Actual Vulnerability To Attack; "Attacks occur here"
Why does this gap exist?
The World Today
Page 4
Vulnerability Timeline (same diagram as page 3, with data added)
Days between patch and exploit (as charted on the slide):
  Nimda: 331
  SQL Slammer: 180
  Welchia/Nachi: 151
  Blaster: 25
Days from patch to exploit have decreased so that patching is not a defense in large organizations
Average 6 days for a patch to be reverse engineered to identify the vulnerability
The World Today
Source: Microsoft
Page 5
The Forensics of a Virus
Blaster shows the complex interplay between security researchers, software companies, and hackers
July 1: Report. Vulnerability in RPC/DCOM reported to Microsoft; MS activated highest level emergency response process (patch in progress)
July 16: Bulletin. MS03-026 delivered to customers (7/16/03); continued outreach to analysts, press, community, partners, government agencies (bulletin and patch available; no exploit)
July 25: Exploit. X-focus (Chinese group) published exploit tool; MS heightened efforts to get information to customers (exploit code in public)
Aug 11: Worm. Blaster worm discovered; variants and other viruses hit simultaneously (e.g. "SoBig") (worm in the world)
The World Today
Source: Microsoft
Page 6
Understanding the Landscape (diagram; labels recovered from the slide)
Motivation: Curiosity; Personal Fame; Personal Gain; National Interest
Skill: Script-Kiddy; Hobbyist Hacker; Expert; Specialist
Attacker types placed on the chart: Vandal; Trespasser; Author; Thief; Spy
Tools created by experts now used by less-skilled attackers and criminals
Fastest growing segment
The World Today
Page 7
Legacy and Environment
The security kernel of Windows NT was written:
  Before there was a World Wide Web
  Before TCP/IP was the default communications protocol
The security kernel of Windows Server 2003 was written:
  Before buffer overflow tool kits were generally available
  Before Web Services were widely deployed
How We Got Here
Page 8
Honey Pot Projects
Six computers attached to the Internet, running different versions of Windows, Linux and Mac OS
Over the course of one week the machines were scanned 46,255 times
4,892 direct attacks
No up-to-date, patched operating system succumbed to a single attack
All down-rev systems were compromised
Windows XP with no patches: infected in 18 minutes by Blaster and Sasser; within an hour it became a "bot"
How We Got Here
Source: StillSecure, see http://www.denverpost.com/Stories/0,1413,36~33~2735094,00.html
Page 9
Malware
Spam
Phishing
Spyware
Bots
Root Kit Drivers
How We Got Here
Page 10
Spam
Mass unsolicited email
For commerce: direct mail advertisement
For Web traffic: artificially generated Web traffic
Harassment
For fraud: phishing; identity theft; credential theft
Affiliate programs, example:
  $0.50 for every validated free-trial registrant
  60% of each membership fee from people you direct to join the site
SoBig spammed > 100 million inboxes
  If 10% read the mail and clicked the link = 10 million people
  If 1% signed up for the 3-day free trial = (100,000 people) x ($0.50) = $50,000
  If 1% of free trials sign up for 1 year = (1,000 people) x ($144/yr) = $144,000/yr
How We Got Here
Page 11
Phishing
Most people are spoofed: over 60% have visited a fake or spoofed site
Many people are tricked: over 15% have provided personal data
Economic loss: ~2% of people, average loss of $115
How We Got Here
Source: TRUSTe
Page 12
Spyware
Software that collects personal information from you without your knowledge or permission
Privacy: 15 percent of enterprise PCs have a keylogger (source: Webroot's SpyAudit)
Number of keyloggers jumped three-fold in 12 months (source: Sophos)
Reliability: Microsoft Watson data shows ~50% of crashes caused by spyware
How We Got Here
Page 13
Bots
Bot ecosystem: bots, botnets, control channels, herders
It began en masse with MyDoom.A. Eight days after MyDoom.A hit the Internet:
  Scanned for the back door left by the worm
  Installed a Trojan horse called Mitglieder
  Then used those systems as their spam engines
Millions of computers across the Internet were now for sale to the underground spam community
How We Got Here
Page 14
Bot-Nets Tracked (3 Sep 2004 snapshot)
Age (days)  Name                           Server                 MaxSize
02.00       nubela.net                     dns.nubela.net         10725
10.94       winnt.bigmoney.biz (randex)    winnt.bigmoney.biz     2393
09.66       PS 7835 - y.eliteirc.co.uk     y.eliteirc.co.uk       2061
09.13       y.stefanjagger.co.uk (#y)      y.stefanjagger.co.uk   1832
03.10       ganjahaze.com                  ganjahaze.com          1507
01.04       PS 8049 - 1.j00g0t0wn3d.net    1.j00g0t0wn3d.net      3689
10.93       pub.isonert.net                pub.isonert.net        537
08.07       irc.brokenirc.net              irc.brokenirc.net      649
01.02       PS 8048 - grabit.zapto.org     grabit.zapto.org       62
10.34       dark.naksha.net                dark.naksha.net        UNK
08.96       PS 7865 - lsd.25u.com          lsd.25u.com            UNK
UNK         PS ? - 69.64.38.221            69.64.38.221           UNK
How We Got Here
Page 15
In The News
Botnet with 10,000 Machines Shut Down (Sept 8, 2004)
A huge IRC "botnet" controlling more than 10,000 machines has been shut down by the security staff of Norwegian provider Telenor, according to the Internet Storm Center. The discovery confirms beliefs about the growth of botnets, which were cited in the recent distributed denial of service (DDoS) attack upon Akamai and DoubleClick that sparked broader web site outages. […]
http://news.netcraft.com/archives/2004/09/08/botnet_with_10000_machines_shut_down.html
FBI busts alleged DDoS Mafia (Aug 26, 2004)
A Massachusetts businessman allegedly paid members of the computer underground to launch organized, crippling distributed denial of service (DDoS) attacks against three of his competitors [...]
http://www.securityfocus.com/news/9411
How We Got Here
Page 16
Payloads
Keystroke loggers for stealing CC, PII
SYN or application flooding code, used for DDoS
DDoS has been used many times, including public attacks against Microsoft.com
Spam relays: 70-80% of all spam (source: SpecialHam.com, Spamforum.biz)
Piracy
Future features
How We Got Here
Page 17
Botnet Damage Potential (assumes a 10,000-member botnet)
Attack                      Requests per bot   Botnet total    Resource exhausted
Bandwidth flood (uplink)    186 kbps           1.86 Gbps       T1, T3, OC-3, OC-12
Bandwidth flood (downlink)  450 kbps           4.5 Gbps        T1, T3, OC-3, OC-12, OC-48 (2.488 Gbps); 50% of Taiwan/US backbone
SYN flood                   450 SYNs/sec       4.5M SYN/sec    4 dedicated Cisco Guard (@ $90k) or 20 tuned servers
Static HTTP GET (cached)    93/sec             929,000/sec     15 servers
Dynamic HTTP GET            93/sec             929,000/sec     310 servers
SSL handshake               10/sec             100,000/sec     167 servers
Botnet rental postings, September 2004, SpecialHam.com and Spamforum.biz:
  $350.00/weekly - $1,000/monthly (USD); type of service: Exclusive (one slot only); always online: 5,000 - 6,000; updated every 10 minutes
  $220.00/weekly - $800.00/monthly (USD); type of service: Shared (4 slots); always online: 9,000 - 10,000; updated every 5 minutes
How We Got Here
Page 18
Rootkits
Growth in the root kit population
Technical challenge in the community
Defeats current anti-spyware products
Financial motivation to support adware & spyware
(chart: Microsoft OCA Root Kit Drivers)
How We Got Here
Page 19
Evolving The Solution
Microsoft's Security Focus (section divider)
Page 20
Evolving The Solution
Microsoft's Security Focus (section divider)
Page 21
Combating Spyware Threats
Global SpyNet™ community helps identify new spyware
Automatic signature downloads keep you up-to-date
Spyware removal reduces PC slow down, pop-up ads, and more
Scheduled scans help maintain PC security and privacy
Continuous protection guards 50+ ways spyware gets on a PC
Intelligent alerts handle spyware based on your preferences
Evolving The Solution
Page 22
Malicious Software Removal Tools
Updated monthly to remove prevalent malware
Targeted at consumers without antivirus
Enterprise deployable as part of a defense-in-depth strategy
Available through: Windows Update; Auto Update; online interface; MS Download Center
Complements traditional antivirus technologies by providing one tool that removes prevalent viruses and worms from a PC
Evolving The Solution
Page 23
Cleaner Statistics (as of 11 March 2005)
Bots on Windows decreasing due to Windows XP SP2 (source: Symantec)
Release    Days   Live Executions   Disinfections   %
January    28     124,613,632       239,197         0.1920%
February   28     118,209,670       351,135         0.2970%
March      5      84,013,460        149,981         0.1785%
Total      61     326,836,762       740,313         0.2265%
Chart: Machines Cleaned (log scale, 1 to 1,000,000) against Malware per Machine (1 to 9)
Evolving The Solution
Source: Microsoft
Page 24
Vulnerability Assessment Roadmap
MBSA 1.2.1 (today): detects most security updates and common configuration vulnerabilities
Enterprise Scan Tool: detects critical and important security updates that MBSA does not
MBSA 2.0 (Q2 CY05): will eventually detect all security updates and offer consistency with SMS, WUS and Windows Update
Geneva (1H CY06): authoritative vulnerability assessment for the MS platform
Evolving The Solution
Page 25
Network Access Protection
Health Checkup: check update level, antivirus, and other plug-in and scriptable criteria
Advanced Isolation: clients who do not pass can be blocked and isolated; isolated clients can be given access to updates to get healthy
Evolving The Solution
Page 26
Evolving The Solution
Microsoft's Security Focus (section divider)
Page 27
Update Quality Improvements
Engineering process:
  Automated triggering of QA processes on fix check-ins
  Focus on good non-code solutions where risk is high
  Reduction of 'encompassed fixes': use of oldest possible versions of dependent files
  'Dual Tree' versus 'Single Tree' servicing model
Increase application compatibility:
  Increased the number of applications tested
  Expanded prescriptive documentation on tested applications
Broader pre-release testing:
  Microsoft: Desktop 10k+, Server 100+ (various roles)
  Testing guidance produced along with beta versions
Evolving The Solution
Page 28
Updating Roadmap (diagram; two columns recovered from the slide)
Today: Windows Update and AutoUpdate (Windows only); SUS (Windows only); SMS (Windows, SQL, Exchange, Office…); Office Update; Download Center; VS Update
2005: "Microsoft Update" (Windows Update) and AutoUpdate (Windows, SQL, Exchange, Office…); Windows Update Services (Windows, SQL, Exchange, Office…); SMS (Windows, SQL, Exchange, Office…)
Evolving The Solution
Page 29
Evolving The Solution
Microsoft's Security Focus (section divider)
Page 30
Authentication
Evolving The Solution
Page 31
Evolving The Solution
Microsoft's Security Focus (section divider)
Page 32
The Genesis of Security Vulnerabilities (diagram: two overlapping circles, Intended Behavior and Actual Behavior)
Traditional Bugs: intended behavior that the code does not actually deliver
Most Security Bugs: actual behavior that was never intended
Evolving The Solution
Page 33
Threat Modeling Process
Create model of app (DFD, UML etc)
Categorize threats to each tree node with STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
Build threat tree
Rank threats with DREAD: Damage potential, Reproducibility, Exploitability, Affected Users, Discoverability
Evolving The Solution
Page 34
Threat tree example (diagram), rooted at DFD node 1.2.1 Parse Request
Key: Threat (Goal), tagged with its STRIDE category and DREAD rating; Sub-threat; Condition
Evolving The Solution
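The process on pages 33 and 34 (categorize each DFD node's threats with STRIDE, build the tree, rank with DREAD) is concrete enough to run as code. The following is an added example written for this page, not Microsoft's threat-modeling tooling. The DFD node "1.2.1 Parse Request" is the one named on the slide; every other element, goal, condition and rating is constructed, the STRIDE-per-element table that limits which categories apply to which element type is a later refinement used here as an assumption, and the 7.0/4.0 triage thresholds are likewise assumed. DREAD is scored 1 to 10 per factor with the mean as the risk value.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set, Tuple


class Stride(Enum):
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFO_DISCLOSURE = "Information Disclosure"
    DENIAL_OF_SERVICE = "Denial of Service"
    ELEVATION = "Elevation of Privilege"


# STRIDE-per-element: which categories are meaningful for each DFD element
# type. Assumed here; the slide only says to categorize each node with STRIDE.
APPLICABLE: Dict[str, Set[Stride]] = {
    "external": {Stride.SPOOFING, Stride.REPUDIATION},
    "process": set(Stride),
    "store": {Stride.TAMPERING, Stride.REPUDIATION,
              Stride.INFO_DISCLOSURE, Stride.DENIAL_OF_SERVICE},
    "flow": {Stride.TAMPERING, Stride.INFO_DISCLOSURE, Stride.DENIAL_OF_SERVICE},
}


@dataclass(frozen=True)
class Dread:
    """DREAD ratings, each 1 (low) to 10 (high); risk is the mean of the five."""
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        for name, value in vars(self).items():
            if not 1 <= value <= 10:
                raise ValueError(f"DREAD rating {name}={value} is not in 1..10")

    @property
    def score(self) -> float:
        return (self.damage + self.reproducibility + self.exploitability
                + self.affected_users + self.discoverability) / 5


@dataclass(frozen=True)
class Threat:
    element: str                 # DFD node the threat is attached to
    element_type: str            # external | process | store | flow
    category: Stride             # STRIDE classification
    goal: str                    # root of the threat tree: what the attacker gets
    conditions: Tuple[str, ...]  # leaf conditions that must all hold (AND)
    dread: Dread


def validate(threat: Threat) -> bool:
    """Reject a threat whose STRIDE category cannot apply to its element type."""
    if threat.element_type not in APPLICABLE:
        raise ValueError(f"unknown element type {threat.element_type!r}")
    if threat.category not in APPLICABLE[threat.element_type]:
        raise ValueError(f"{threat.category.value} does not apply to a "
                         f"{threat.element_type} ({threat.element})")
    return True


def rank_threats(threats: List[Threat]) -> List[Threat]:
    """Highest DREAD score first; ties go to the threat with fewer leaf
    conditions, since a tree with fewer AND-ed leaves is easier to satisfy."""
    for t in threats:
        validate(t)
    return sorted(threats, key=lambda t: (-t.dread.score, len(t.conditions), t.element))


def triage(threats: List[Threat], high: float = 7.0,
           medium: float = 4.0) -> Dict[str, List[str]]:
    """Bucket the ranked threats so the high ones get mitigations first."""
    buckets: Dict[str, List[str]] = {"high": [], "medium": [], "low": []}
    for t in rank_threats(threats):
        s = t.dread.score
        buckets["high" if s >= high else "medium" if s >= medium else "low"].append(t.goal)
    return buckets


# Constructed sample model. "1.2.1 Parse Request" is the node named on the
# slide; the other elements, goals, conditions and ratings are made up.
SAMPLE_THREATS: List[Threat] = [
    Threat("1.2.1 Parse Request", "process", Stride.ELEVATION,
           "Run attacker code in the request parser via an oversized URL",
           ("parser copies the URL into a fixed-size stack buffer",
            "request length is not limited before parsing",
            "no stack-cookie check on return"),
           Dread(10, 8, 6, 10, 8)),
    Threat("1.2.1 Parse Request", "process", Stride.DENIAL_OF_SERVICE,
           "Tie up every worker thread with slow, incomplete requests",
           ("attacker can hold many connections open",), Dread(5, 9, 8, 8, 9)),
    Threat("Client -> 1.2.1 (HTTP)", "flow", Stride.TAMPERING,
           "Modify a request in transit",
           ("traffic is not protected by TLS",), Dread(6, 7, 7, 5, 6)),
    Threat("Administrator", "external", Stride.SPOOFING,
           "Log in as the administrator with a guessed password",
           ("no lockout on repeated failures", "weak password policy"),
           Dread(9, 5, 4, 3, 5)),
]

if __name__ == "__main__":
    for t in rank_threats(SAMPLE_THREATS):
        print(f"{t.dread.score:4.1f}  {t.category.value:<24}  {t.element:<24}  {t.goal}")
    print(triage(SAMPLE_THREATS))
```

The validation step is the part most teams skip: a "Spoofing" threat attached to a data flow is a sign the model is confused about what the element is, and catching that early keeps the DREAD scores from being argued over for a threat that cannot exist.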
Page 35
SD3 At Work – MS03-007
The underlying DLL (NTDLL.DLL) not vulnerable: code made more conservative during the Security Push
Even if it was vulnerable: IIS 6.0 not running by default on Windows Server 2003
Even if it was running: IIS 6.0 doesn't have WebDAV enabled by default
Even if it did have WebDAV enabled: maximum URL length in IIS 6.0 is 16 KB by default (>64 KB needed)
Even if the buffer was large enough: process halts rather than executes malicious code, due to buffer-overrun detection code (-GS)
Even if there was an exploitable buffer overrun: it would have occurred in w3wp.exe, which is now running as 'network service'
Evolving The Solution
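The MS03-007 chain above is a defense-in-depth argument: each mitigation stands on its own, so an attacker has to get past all of them. The example below is added for this page and is not IIS or Windows code; it models three of those layers as independent checks in front of a path parser (WebDAV verbs refused unless enabled, a 16 KB URL cap applied to the raw bytes before parsing, and a parser that refuses to copy into its own buffer) and then weakens the configuration one layer at a time to show what still stops an oversized WebDAV request. The method sets, the `Limits` class, the 64 KB parser buffer standing in for ">64 KB needed", and the sample requests are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed verb sets; real IIS verb handling is richer than this.
WEBDAV_METHODS = frozenset({"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                            "LOCK", "UNLOCK", "SEARCH"})
BASE_METHODS = frozenset({"GET", "HEAD", "POST"})


@dataclass(frozen=True)
class Limits:
    """Defaults mirror the slide: WebDAV off, 16 KB URL cap. parser_buffer is
    an assumption standing in for the fixed buffer that needed >64 KB."""
    webdav_enabled: bool = False
    max_url_bytes: int = 16 * 1024
    parser_buffer: int = 64 * 1024


def parse_path(url: bytes, buffer_size: int) -> Tuple[int, str]:
    """Stands in for the deeper path-handling routine. It checks the length
    against its own buffer instead of trusting that the front end did."""
    if len(url) >= buffer_size:
        return 414, "parser refused oversized path"
    if not url.startswith(b"/"):
        return 400, "path must be absolute"
    return 200, "ok"


def gate_request(raw: bytes, limits: Limits = Limits()) -> Tuple[int, str]:
    """Return (status, reason). Each layer is independent: removing one leaves
    the others in place, which is the point of the slide's 'even if' chain."""
    line, _, _ = raw.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return 400, "malformed request line"
    method, url, _ = parts
    verb = method.decode("ascii", "replace")
    # Layer 1: secure by default. WebDAV verbs are refused before the URL is
    # even looked at, unless the feature was deliberately turned on.
    if verb in WEBDAV_METHODS and not limits.webdav_enabled:
        return 501, "WebDAV not enabled"
    if verb not in WEBDAV_METHODS | BASE_METHODS:
        return 501, "method not implemented"
    # Layer 2: a size cap on the raw bytes, applied before any decoding or
    # canonicalisation, so an oversized URL never reaches the parser.
    if len(url) > limits.max_url_bytes:
        return 414, "URL exceeds max length"
    # Layer 3: the parser defends its own buffer regardless of layers 1 and 2.
    return parse_path(url, limits.parser_buffer)


def even_if_chain(raw: bytes) -> List[Tuple[str, str]]:
    """Weaken the configuration one layer at a time and record what still
    stops the request."""
    configs = [
        ("default", Limits()),
        ("WebDAV enabled", Limits(webdav_enabled=True)),
        ("WebDAV enabled, URL cap raised to 1 MB",
         Limits(webdav_enabled=True, max_url_bytes=1 << 20)),
    ]
    return [(name, gate_request(raw, cfg)[1]) for name, cfg in configs]


# Constructed sample requests: a normal GET, and a WebDAV SEARCH carrying a
# ~70 KB path, larger than the >64 KB the slide says the overrun needed.
OK_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
BIG_WEBDAV_REQUEST = (b"SEARCH /" + b"A" * 70000 + b" HTTP/1.1\r\n"
                      b"Host: example.test\r\n\r\n")

if __name__ == "__main__":
    print(gate_request(OK_REQUEST))
    for name, reason in even_if_chain(BIG_WEBDAV_REQUEST):
        print(f"{name:<40} -> {reason}")
```

What the example cannot show is the last two layers on the slide: a stack cookie (-GS) aborting the process instead of returning into attacker data, and the worker running as a low-privilege account so that a successful overrun buys less. Those live in the compiler and the process model, not in request handling, which is exactly why they remain when every check above has been misconfigured away.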
Page 36
Focus Yields Results (bar chart; the values 64, 27 and 628 appear in the extraction without their legends)
Evolving The Solution
Page 37
Evolving The Solution
Microsoft's Security Focus (section divider)
Page 38
Support And Engagement
Guidance and training: Security Guidance Center; free training for over 500K IT professionals
Security tools: Microsoft Baseline Security Analyzer; Security Bulletin Search Tool
Community engagement: newsletters; webcasts and chats; Microsoft "Security360"
Evolving The Solution
Page 39
Security Timeline
Prior: Microsoft Baseline Security Analyzer (MBSA) v1.2; Virus Cleaner Tools; Systems Management Server (SMS) 2003; Software Update Services (SUS) SP1; Internet Security and Acceleration (ISA) Server 2004 Standard Edition; Windows XP Service Pack 2
H2 04: Patching Technology Improvements (MSI 3.0); Systems Management Server 2003 SP1; Microsoft Operations Manager 2005; Windows malicious software removal tool
2005: Windows Server 2003 Service Pack 1; Windows Update Services; ISA Server 2004 Enterprise Edition; Windows Rights Management Services SP1; Windows AntiSpyware; System Center 2005; Windows Server 2003 "R2"; Visual Studio 2005
Future: Vulnerability Assessment and Remediation; Active Protection Technologies; Antivirus
Futures
Page 40
Call To Action
Keep current: software; anti-virus, cleaners, anti-spyware, …
Defense in depth: strong authentication; firewalls; anti-malware
Use threat-based development
Learn from others
Page 41
Community Resources
Windows Hardware & Driver Central (WHDC): www.microsoft.com/whdc/default.mspx
Technical Communities: www.microsoft.com/communities/products/default.mspx
Non-Microsoft Community Sites: www.microsoft.com/communities/related/default.mspx
Microsoft Public Newsgroups: www.microsoft.com/communities/newsgroups
Technical Chats and Webcasts: www.microsoft.com/communities/chats/default.mspx and www.microsoft.com/webcasts
Microsoft Blogs: www.microsoft.com/communities/blogs
Page 42
Resources
General: http://www.microsoft.com/security
XP SP2 Resources for the IT Professional: http://www.microsoft.com/technet/winxpsp2
Security Guidance Center: http://www.microsoft.com/security/guidance
Tools: http://www.microsoft.com/technet/Security/tools
How Microsoft IT Secures Microsoft: http://www.microsoft.com/technet/itsolutions/msit
E-Learning Clinics: https://www.microsoftelearning.com/security
Events and Webcasts: http://www.microsoft.com/seminar/events/security.mspx