On 11 October 2011, volume 11 of the Microsoft Security Intelligence Report (SIRv11) was released, covering the period January to June 2011. With detailed analysis of 105 countries, it is the largest and most in-depth report on cyber-threats developed thus far. One of the SIRv11 key findings: less than 1% of all vulnerability attacks were against zero-day vulnerabilities; 99% of attempted attacks targeted vulnerabilities for which a security update was already available.
Customers had a good sense of what zero-days are (situations where an exploit is released before the vendor has issued a security update), but don’t always know how to prioritize them. Zero-days are real, and we don’t want to diminish the risk they represent. But this data suggests that IT professionals can prioritize their security work on the more prevalent threats that they already know how to defend.
Malware detection
Looking at malware detection regionally or per country, and zooming in specifically on South Africa, whose report can be found here, consider the heat map below:
Second Quarter of 2011 (2Q11) – April, May, June 2011
As noted in Tim Rains's blog post “The Threat Landscape in Africa & the Internet Governance Forum”, Africa is one area where it has been difficult to obtain reliable, long-term trend data on the threat landscape for specific locations. The heat maps above show that insufficient data exists for many regions in Africa. The Microsoft Windows Malicious Software Removal Tool (MSRT) was downloaded and executed over 4.7 billion times in the first half of 2011 (1H11) alone. The number of systems that run this tool changes from month to month, although there has been some consistency in some African countries such as South Africa, Egypt and Kenya.
The most common category in South Africa in 2Q11 was Worms, which affected 45.4% of all infected computers, down from 46.3% in 1Q11. The second most common category in South Africa in 2Q11 was Miscellaneous Potentially Unwanted Software, which affected 28.3% of all infected computers, up from 27.0% in 1Q11. The third most common category in South Africa in 2Q11 was Adware, which affected 23.1% of all infected computers, down from 26.5% in 1Q11.
South Africa generally performed below the worldwide average with the exception of exploits, adware and spyware. The top two identified malware families driving worms were Win32/Autorun (20.3% of detected computers) and Win32/Rimecud (a.k.a. Mariposa botnet – 15.5%). Both of these threats spread using multiple techniques and have been observed spreading via mapped drives, removable media like USB drives, instant messaging and by abusing the Autorun feature in Windows.
Worldwide, cybercriminals abuse Autorun to install malicious and potentially unwanted software. Autorun was the second most common malware propagation method cybercriminals were using to swindle money from their victims. Some of the most prevalent malware threats over the past couple of years have misused a feature in Windows commonly called Autorun to execute code and attack systems.
- To protect users, AutoRun is more locked down now by default in Windows 7.
- For users of Windows XP and Windows Vista, we released updates in February 2011 that lock down the AutoRun feature so that it is no longer enabled automatically for most media.
- By May, the number of infections related to the most prolific Autorun-abusing families found by the MSRT per scanned computer was reduced by almost 60% on XP and by 74% on Vista in comparison to the 2010 infection rates.
But it’s still a problem that persists for those who have not turned off the feature or who click unknown items on their USB drives. Threats that abuse the Autorun feature, like Win32/Autorun and Win32/Rimecud, have been addressed in this blog post: Defending Against Autorun Attacks.
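Because the Autorun lockdown described above is enforced through a registry policy, the first thing a defender should check is whether it is actually in force on a given machine. The PowerShell script below is an added example, not code from the original post or from Microsoft: it reads NoDriveTypeAutoRun from the HKLM and HKCU Explorer policy keys, decodes which drive types are still allowed to Autorun, and on XP/Vista looks for the HonorAutorunSetting value, which this example assumes is written by the February 2011 update. The bit-to-drive-type mapping follows the Windows DRIVE_* drive types; the recommendation text is my own.

```powershell
# Added example, not code from the original post or from Microsoft: audit the
# Autorun policy on a Windows host. Assumes read access to the Explorer policy
# keys and, for XP/Vista, that the February 2011 update writes
# HonorAutorunSetting = 1 under the HKLM Explorer policy key (assumption).

# NoDriveTypeAutoRun is a bitmask: a SET bit disables Autorun for that drive type.
$driveTypeBits = @{
    0x04 = 'Removable (USB sticks, floppies)'
    0x08 = 'Fixed (local hard disks)'
    0x10 = 'Remote (mapped network drives)'
    0x20 = 'CD-ROM / DVD'
    0x40 = 'RAM disk'
    0x80 = 'Unknown drive type'
}

$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutorunPolicy {
    foreach ($path in $policyPaths) {
        $scope = $path.Split(':')[0]
        $item = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($item -eq $null) {
            # No policy value here: Windows falls back to its built-in default mask.
            New-Object PSObject -Property @{
                Scope = $scope; Mask = '(not set: OS default applies)'
                AutorunStillAllowedFor = 'unknown'; FullyDisabled = $false
            }
            continue
        }
        $mask = [int]$item.NoDriveTypeAutoRun
        # Drive types whose bit is CLEAR may still Autorun.
        $stillAllowed = @()
        foreach ($bit in ($driveTypeBits.Keys | Sort-Object)) {
            if (($mask -band $bit) -eq 0) { $stillAllowed += $driveTypeBits[$bit] }
        }
        New-Object PSObject -Property @{
            Scope = $scope; Mask = ('0x{0:X2}' -f $mask)
            AutorunStillAllowedFor = ($stillAllowed -join ', '); FullyDisabled = ($mask -eq 0xFF)
        }
    }
}

function Test-HonorAutorunSetting {
    $v = Get-ItemProperty -Path $policyPaths[0] -Name HonorAutorunSetting -ErrorAction SilentlyContinue
    return [bool]($v -ne $null -and [int]$v.HonorAutorunSetting -eq 1)
}

Get-AutorunPolicy | Select-Object Scope, Mask, AutorunStillAllowedFor, FullyDisabled | Format-Table -AutoSize

# Windows XP is 5.x and Vista is 6.0; Windows 7 (6.1) already ships with the tighter default.
$osVer = [Environment]::OSVersion.Version
if ($osVer.Major -lt 6 -or ($osVer.Major -eq 6 -and $osVer.Minor -eq 0)) {
    if (-not (Test-HonorAutorunSetting)) {
        Write-Host 'HonorAutorunSetting missing: install the February 2011 Autorun update.'
    }
}
Write-Host 'Recommended: NoDriveTypeAutoRun = 0xFF (all drive types) under HKLM.'
```

The script is written to run on PowerShell 2.0 as well as later versions, so it can be used on the XP and Vista machines the post is concerned with. A mask of 0xFF is the conservative setting; a host that reports removable or remote drives under AutorunStillAllowedFor is still exposed to the Win32/Autorun-style propagation described above.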
Cybercriminals are also trying to do business in South Africa using the following:
- The number of phishing sites (per 1,000 hosts) increased from 0.06 in 1Q11 to 0.07 in 2Q11 – the worldwide figure is 0.38
- The number of malware hosting sites (per 1,000 hosts) increased from 0.04 in 1Q11 to 0.06 in 2Q11 – the worldwide figure is 2.02
- The percentage of sites hosting drive-by downloads increased from 0.056% in 3Q10 to 0.726% in the second quarter of 2011 (2Q11), well above the worldwide rate of 0.273%
- In 2Q11, Forefront Online Protection for Exchange (FOPE) determined that 0.519% of all spambot IP addresses were located in South Africa; this figure is down from 0.554% in 1Q11.
Protect Your Environment
Challenges and constraints
So the obvious question is: if the majority of threats can be mitigated, why do they still exist? The reality is that although the growing sophistication of cybercriminals continues to be a challenge, old techniques of infecting users continue to succeed. For consumers and corporations alike, creating and maintaining a fully threat-proof system is not easy.
Consumers – For the vast majority of people, the scope of the security problem far exceeds their will and ability to keep up with it. People want to spend their time and money on using the technology for enjoyment and to help them be productive. Generally, they want to spend minimal time and money keeping pace with the latest security threats.
Businesses – On the other hand, for the vast majority of businesses, the scope of the problem has become exceedingly complex. Businesses have many competing security challenges: regulatory compliance, application testing and compatibility, incident response and expectations around the everyday threat-du-jour. There may also be competing demands for resources, budget, or skill. That can be a hard call for many companies to make.
Despite these challenges and constraints, this data shows us that, in most cases, with a “back to basics” kind of approach customers can be more secure.
So, what can we do?
Build products and services with security in mind – from the ground up
- Microsoft has to work harder to continue to make our products and services more secure – our unique responsibility in that regard is never far from our minds. But so does the broader industry. And there is progress.
- SIRv11 shows that the number of vulnerabilities tracked by CVE declined ~24% when comparing the past 12 months to the year prior – a downward trend that has held since we started tracking it in 2006. Progress, but more work to be done.
- See the following blog – “Science inside the SDL” – Microsoft SDL Progress Report (2004 – 2010).
Education and Best Practices
- IT PROFESSIONALS – Companies need to look at educating their employees on their responsibility to security and back that up by developing and enforcing strong security policies around things like passwords.
- CONSUMERS – Leverage best practices to protect your PC:
  - Install updates regularly (February 2011 – updates released for XP and Vista to make the Autorun feature more locked-down, as it is by default in Windows 7.)
  - Use strong passwords for security
  - Install and enable anti-malware software
  - Click links only after verifying the source
  - Avoid downloading pirated software
  - Use caution with attachments and file transfers
  - Protect yourself from social engineering attacks
For continual development, see the following blog – Yes!, Free Computer Security and Privacy Course from Microsoft.
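Two of the checklist items above (install updates regularly, install and enable anti-malware software) can be verified rather than assumed. The PowerShell script below is an added example, not code from the original post or from Microsoft: it reads the automatic-update setting through the Windows Update Agent COM interface, counts software updates still pending, and reports anti-malware state through the Windows Defender cmdlets, falling back to the Security Center registration of third-party products. It assumes PowerShell 3 or later and Windows 8 / Server 2012 or later for Get-MpComputerStatus; the 7-day signature-age threshold and the non-zero exit code on failure are my own conventions.

```powershell
# Added example, not code from the original post or from Microsoft: audit two
# checklist items (updates and anti-malware) on a Windows host.
# Assumes PowerShell 3+, the Windows Update Agent COM objects, and either the
# Windows Defender cmdlets (Windows 8 / Server 2012 and later) or a Security
# Center registration for a third-party product. The 7-day threshold is my choice.

function Get-AutomaticUpdateStatus {
    $settings = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Settings
    $levels = @{ 0 = 'NotConfigured'; 1 = 'Disabled'; 2 = 'NotifyBeforeDownload';
                 3 = 'NotifyBeforeInstallation'; 4 = 'ScheduledInstallation' }
    $level = [int]$settings.NotificationLevel
    [pscustomobject]@{
        Check     = 'Automatic updates'
        Status    = $levels[$level]
        Compliant = ($level -eq 4)   # download and install on a schedule
    }
}

function Get-PendingUpdateCount {
    # Needs reachability to Windows Update or a WSUS server; can take a while.
    $searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
    $result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    [pscustomobject]@{
        Check     = 'Pending software updates'
        Status    = $result.Updates.Count
        Compliant = ($result.Updates.Count -eq 0)
    }
}

function Get-AntimalwareStatus([int]$MaxSignatureAgeDays = 7) {
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        return [pscustomobject]@{
            Check     = 'Anti-malware (Windows Defender)'
            Status    = ('RealTime={0}, SigAge={1}d' -f $mp.RealTimeProtectionEnabled, $mp.AntivirusSignatureAge)
            Compliant = ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and
                         $mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)
        }
    }
    # Third-party products register with Security Center; this confirms presence only,
    # not that real-time protection is on (productState decoding is vendor-specific).
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    $names = 'none registered'
    if ($products) { $names = ($products.displayName -join ', ') }
    [pscustomobject]@{
        Check     = 'Anti-malware (Security Center)'
        Status    = $names
        Compliant = [bool]$products
    }
}

$report = @()
$report += Get-AutomaticUpdateStatus
$report += Get-AntimalwareStatus
try { $report += Get-PendingUpdateCount } catch { Write-Warning "Update search failed: $_" }
$report | Format-Table -AutoSize
# Non-zero exit so the script can be used in a scheduled compliance sweep.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

The pending-update search is the slow part and needs network access to the update source, so it is wrapped in try/catch and the other two checks still report if it fails. Password strength and the remaining items on the list are behavioural and are best enforced through policy rather than checked from a script.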
Improving Security. Newer Products, Better Protections
In the video below Tim Rains, Frank Simorjay and Vinny Gullotto discuss how newer products and services offer better protection.
You can better protect yourself from malicious attacks by upgrading to the latest software version available irrespective of the vendor.
SIRv11 shows that people who use Windows 7 and IE9 are significantly less likely to be the victim of an attack. It’s a simple matter of innovation. Years ago banks put big padlocks on their safes. As robbers became more advanced so too did the locks and security measures used by banks. When it comes to keeping your data safe from cyber criminals, don’t put your faith in old technology.
For example, Windows 7 and Windows Server 2008 R2, the most recently released Windows client and server versions respectively, have lower infection rates than any prior Windows operating system. Additionally, Office 2010 proved to be the most effective at blocking exploits when compared to all prior versions.
| Security and Privacy Technologies | Internet Explorer 7 | Internet Explorer 8 | Internet Explorer 9 |
|---|---|---|---|
| Security by default | X | X | X |
| SmartScreen – Phishing Filter | X | X | X |
| SmartScreen – Antimalware protection | | X | X |
| InPrivate Browsing | | X | X |
| Cross-site scripting filter | | X | X |
| SmartScreen – Application Reputation | | | X |
| Tracking Protection | | | X |
| ActiveX Filtering | | | X |
Newer products have fewer computers cleaned per thousand. In fact, the latest version of Windows 7 32-bit is three times less likely to get infected than Vista and six times less likely than XP. As you can see from the table above, IE incorporates the latest security and privacy technologies. In fact, according to NSS Labs, IE9 blocked 96% of socially engineered malware worldwide, more than seven times any other browser measured. I blogged about this earlier here – Windows Internet Explorer 9 (IE9) caught an exceptional 99.2% of live threats.
It is important to migrate to the latest products and services to keep protected from the changing threat landscape. Download the Windows 7 Security Deep Dive Report here: Windows 7 Security Deep Dive
In conclusion, South Africa might need to look into the lessons learned from some of the least malware-infected countries in the world. This information was blogged here. Implementation of the national CSIRT, one of the recommendations of the Cybersecurity policy of South Africa, will bring a lot of improvement in how we can respond to these threats. While zero-days do pose a serious risk, it’s important that organizations know that the vast majority of attacks can be mitigated by following the best security practices.
The scary part of the 2Q11 MS SIRv11 is the apparent increase in the success of social engineering methods. Computer users remain the low-hanging fruit for hackers. No matter how many times you tell people to buckle up on the road, in others, that message fails to sink in. No matter how stringent the rules on the road, we are always going to encounter drunken drivers who are going to cause fatal accidents. The same human trait that causes people to take these risks on the road despite the potential consequences of their actions is the same trait that causes many computer users not to embrace safe computing. When you ask people to secure their computing environment you are asking them to make a trade-off. Often they have to trade off convenience for a secure environment. For many that’s a tall order. The bottom line is that we are always going to have a few “knuckle heads” who will not observe safe computing. It only takes a few of them to compromise the system. Hackers know this and they are exploiting it. Unfortunately, we just have to live with it the same way we do with drunken drivers on our roads. That’s a tough pill to swallow.
It’s about time someone wrote about this.
And to think I was going to talk to someone in person about this.
Your analogy is quite interesting Dr Msimang. I heard of technologies that can be installed in a car to stop you from driving when you are drunk. We do have technologies like Network Access Protection (NAP – http://technet.microsoft.com/en-us/network/bb545879) that can also be used to protect end-point devices by controlling access to network resources based on a client computer’s identity and compliance with corporate governance policy.
You have a great weblog and I like your style of writing about this stuff. Keep up the good work!
Well macadamia nuts, how about that.
There are no words to describe how bodacious this is.