
Microsoft Security Intelligence Report v12–South Africa’s Perspective

Microsoft produces the Microsoft Security Intelligence Report twice a year to keep the industry informed on the changing threat landscape and to provide actionable guidance for customers, in an effort to create safer, more trusted computing experiences for everyone. The latest report, Volume 12, provides insight into online threat data, with new information for July 2011 through December 2011 and analysis of data from more than 100 countries/regions around the world. This includes Africa, with our focus being South Africa (pdf). More information about Microsoft Security Intelligence Report Volume 12 (SIRv12) is available at http://www.microsoft.com/sir.

SIRv12 found that the Conficker worm is still one of the biggest ongoing threats to enterprises. The Conficker worm, first detected in November 2008, is a computer worm that can infect your computer and spread itself to other computers across a network automatically, without human interaction. The Conficker worm was detected almost 220 million times worldwide in the past two and a half years. The study also revealed that the worm continues to spread as a result of weak or stolen passwords and vulnerabilities for which a security update exists.

Conficker Spread

According to the SIRv12, quarterly detections of the Conficker worm have increased by over 225% since the beginning of 2009. In the fourth quarter of 2011 alone, Conficker was detected on 1.7 million systems worldwide. In examining the reasons behind Conficker’s prevalence in organizations, research showed that 92% of Conficker infections were a result of weak or stolen passwords, and 8% of infections exploited vulnerabilities for which a security update exists.

The share of computers in South Africa with worm detections is still sitting at 42.8%, compared to a worldwide figure of 11.3%. Worms were the most common threat category in 4Q11, down from 43.7% in 3Q11. Miscellaneous Potentially Unwanted Software was the second most common category, affecting 30.1% of all infected computers, down from 31.2% in 3Q11. The third most common category in 4Q11 was Miscellaneous Trojans, affecting 20.7% of all infected computers, down from 20.8% in 3Q11. The figure below clearly shows an improvement in computers cleaned per 1000 scanned (CCM), both in SA and worldwide.

Malicious Software

South Africa generally performed below the worldwide average, with the exception of Trojan Downloaders & Droppers, Exploits, and Password Stealers & Monitoring Tools. The top two malware families driving the worm category were Win32/Autorun (18.4% of detected computers), which spreads by copying itself to the mapped drives of an infected computer (including network drives and removable media such as USB drives) and via instant messaging, and Win32/Vobfus (12.1%), which spreads via network and removable drives and downloads and executes arbitrary files, which may include additional malware. Win32/Conficker affected 4.4% of detected computers and sits well within the top 10 threats in SA. It infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE); if the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. Depending on the specific variant, it may also spread via removable drives and by exploiting weak passwords. It disables several important system services and security products and downloads arbitrary files.

Threat Category

Cybercriminals are also trying to do business in South Africa, as the following figures show:

  • The number of phishing websites per 1000 hosts decreased from 0.11 in 2010 to 0.04 in 2011 (worldwide: 0.02).
  • The number of malware hosting sites per 1000 hosts decreased from 0.10 in 2010 to 0.08 in 2011 (worldwide: 0.06).
  • The percentage of sites hosting drive-by downloads decreased from 0.042% in 2010 to 0.031% in 2011. This is an improvement compared with a peak of 1.071% in 1Q11, and it is well below the worldwide rate of 3.644%.


What You Need to Do:

To ensure protections aligned with today’s threats and to mitigate risks, it is critically important that organizations focus on the security fundamentals to help protect against the most common threats.

For businesses, as Scott Charney, corporate vice president of Microsoft Trustworthy Computing, outlined in his keynote at RSA 2012, Microsoft recommends a more holistic approach to risk management to help protect against both broad-based and targeted attacks that includes:

  • Prevention: Employ security fundamentals and pay close attention to configuration management and timely security update deployment.
  • Detection: Carefully monitor and perform advanced analysis to identify threats. Keep abreast of security events and leverage credible sources of security intelligence.
  • Containment: If the targeted organization has configured its environment with targeted attacks by determined adversaries in mind, it is possible to contain the attacker’s activities and thereby buy time to detect, respond to, and mitigate the attack. To contain an attack, consideration should be given to architecting domain administration models that limit the availability of administrator credentials and apply available technologies such as IPsec-based network encryption to restrict unnecessary interconnectivity on the network.
  • Recovery: It is important to have a well-conceived recovery plan, supported by suitably skilled incident response capability. Maintain a “crisis committee” to set response priorities and engage in exercises to test the organization’s ability to recover from different attack scenarios.

Microsoft recommends that customers and businesses adhere to the following security fundamentals to help ensure they are protected:

  • Use strong passwords and educate employees on their importance
  • Keep systems up to date by regularly applying available updates for all products
  • Use antivirus software from a trusted source
  • Invest in newer products with a higher quality of software protection
  • Consider the cloud as a business resource
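SIRv12 attributes 92% of Conficker infections to weak or stolen passwords, and the first fundamental above is strong passwords. The following is an added example, not code from the original post, from SIRv12 or from Microsoft, of the kind of policy check a provisioning script or self-service password portal could apply before a password is accepted: it enforces length and character mix, and also rejects passwords that collapse to a known weak password once common character substitutions and trailing digits are stripped, which is what defeats the dictionary guessing the report describes. The length threshold and the short weak-password list are constructed assumptions; a real deployment would enforce the policy in the directory and check against a far larger list of known-compromised passwords.

```python
"""Password-policy check for the 'use strong passwords' fundamental.

Added example; not code from the original post, from SIRv12 or from Microsoft.
The threshold and the weak-password list are constructed for illustration.
"""
import string

# Constructed sample of weak passwords of the kind that network worms try
# against administrative shares. Illustrative only.
WEAK_PASSWORDS = frozenset({
    "password", "password1", "123456", "12345678", "qwerty",
    "admin", "letmein", "welcome", "abc123", "changeme",
})

MIN_LENGTH = 14  # assumed policy value

# Common "leet" substitutions; undoing them makes "P@ssw0rd" match "password".
LEET = str.maketrans("@40!$53", "aaoisse")


def normalize(password):
    """Lower-case the password and undo common leet substitutions."""
    return password.lower().translate(LEET)


def character_classes(password):
    """Count how many of the four classes (lower, upper, digit, symbol) are used."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(checks)


def has_trivial_run(password, length=4):
    """True if the password contains a run of `length` identical or
    consecutively increasing characters, e.g. 'aaaa' or '1234'."""
    p = password.lower()
    for i in range(len(p) - length + 1):
        window = p[i:i + length]
        if len(set(window)) == 1:
            return True
        if all(ord(window[j + 1]) - ord(window[j]) == 1 for j in range(length - 1)):
            return True
    return False


def check_password(password, username=""):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if character_classes(password) < 3:
        problems.append("uses fewer than 3 of: lower, upper, digit, symbol")
    lowered = password.lower()
    norm = normalize(password)
    # Compare raw and normalized forms, with and without a trailing digit
    # suffix, so that 'Password2011' and 'P@ssw0rd' are both caught.
    candidates = {lowered, norm, lowered.rstrip(string.digits), norm.rstrip(string.digits)}
    if candidates & WEAK_PASSWORDS:
        problems.append("matches a known weak password")
    if len(username) >= 3 and username.lower() in norm:
        problems.append("contains the account name")
    if has_trivial_run(password):
        problems.append("contains a repeated or sequential run of 4+ characters")
    return problems


def is_acceptable(password, username=""):
    """Convenience wrapper: True only when no policy violation was found."""
    return not check_password(password, username)


if __name__ == "__main__":
    for pw, user in (("P@ssw0rd1", "admin"), ("Correct-Horse-Battery-Stapler-42", "alice")):
        print(pw, "->", check_password(pw, user) or "OK")
```

The normalization step is the part worth copying: a complexity rule alone accepts "P@ssw0rd1", which is exactly the sort of guess a worm's built-in dictionary makes, while the normalized comparison rejects it.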

How do I remove the Conficker worm?

“Conficker is one of the biggest security problems we face and yet it is well within our power to defend against,” said Tim Rains, director of Microsoft Trustworthy Computing. “It is critically important that organizations focus on the security fundamentals to help protect against the most common threats.”

Tim Rains, Director, Microsoft Trustworthy Computing, provides a report overview of the Security Intelligence Report Volume 12, highlighting the latest vulnerability disclosure, exploit and malware trends focusing on the second half of 2011.


If your computer is infected with the Conficker worm, you may be unable to download certain security products, such as the Microsoft Malicious Software Removal Tool, or you may be unable to access certain websites, such as Microsoft Update. If you can’t access those tools, try using the Microsoft Safety Scanner for virus removal.

In Conclusion:

Key questions on this data:

1. The malware infection rates in SA have been trending down – what factors are contributing to this trend?

2. Conficker and Autorun are among the top ten threats in SA. What do citizens, government and organizations need to do in order to protect themselves against these specific threats?

3. Worms appear to be at higher levels in SA than the worldwide average. What can citizens, government and organizations in SA do to protect themselves from these threats?

I will be presenting this data at the ITWeb Security Summit 2012 (agenda: 15 May) and will follow up with a blog post.

Mobile security and its relationship with the cloud

Last week, on 26 October 2011, I had a conversation at the Mobile Security Summit on the following issues:

  1. Managing the relationship between mobile and the cloud: harnessing the potential of cloud and understanding the relevant risks
  2. Managing the power in security decisions and strategies for the cloud: what are the implications and how has the cloud been breached?
  3. How do companies manage data and application security in the cloud when control is being relinquished?
  4. Distributing data through the cloud and the security boundaries and challenges this presents
  5. Harnessing good governance procedures to ensure secured data in the cloud

On the first and second points, the emergence of two technological trends, the cloud and the Consumerization of IT (CoIT), has effectively made IT dynamic. Cloud computing is one of the biggest changes happening in our time, and it is an important change that is going to make computing much more accessible to people. The cloud acts as a hub for orchestrating the flow of information and technology across our lives, with nearly infinite storage and processing power.

A series of technology trends are driving the consumerization of IT. The availability of devices like smartphones, tablets and laptops enables users and consumers to access different cloud services from anywhere at any time. This obviously requires good communication technology platforms to help people connect with each other and access services in a secure manner. If one looks back at the white paper “Smartphone Attacks and Hacking: Security Threats and Trends 2011”, we have definitely seen continual data breaches, which have forced more and more governments, and even private industries, to consider more in-depth security regulations to protect citizens.

On the third, fourth and last points, I blogged on “Information Protection and the Cloud” earlier, and the article titled “Windows Phone 7.5 Enterprise Security and Policy Management” provides an overview of the Windows Phone security model and how Windows Phone was designed to protect information. It describes the Exchange ActiveSync (EAS) security-related policies that can be managed by IT departments and discusses how apps are isolated from each other to help protect the operating system. In addition, the article provides information on how Windows Phone helps protect against malware and how IT departments can provide secure access to corporate resources.

Cloud services begin and end either within an organisation or at the personal computer or device of an individual using the service. Mobile devices, as the end-point, must be included in any security consideration for cloud-based services. Failure to evaluate the entire service chain from beginning to end can introduce flaws in service design and delivery. To increase the trustworthiness of cloud computing end-to-end, the full spectrum of activity should be considered, to help protect users from threats including online identity theft, cross-site scripting attacks, phishing attacks, and malicious software downloads. In a cloud computing environment, security measures and approaches should be reviewed, as cloud services may have dependencies on more than one service provider, where the same level of visibility may not be available.

The key to maximizing security and productivity is to control access based on the user, the level of trust you have in the device, and the business impact of the information. Organizations need to look into an end-to-end security and management platform that can:

  • Manage Windows-based devices best and be best-in-class on other devices (Android/Apple).
  • Manage any mobile device that connects via Exchange ActiveSync, including Windows, iOS, Symbian, and Android-based devices
  • Distribute and deploy software to PCs nearly anywhere over the Internet
  • Scan for malware remotely, update malware definitions and even restart remote PCs
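The paragraph before the list describes access control as a function of three inputs: the user, the trust placed in the device, and the business impact of the information. The following is an added example, not code from the original post or from Microsoft, of a small decision routine that combines those three inputs and degrades to a browser-only session, rather than denying outright, when the device is only one trust level short and the data is not high-impact. The trust levels, the resource catalogue and the decision rules are constructed assumptions that illustrate the principle, not a description of any product's policy.

```python
"""Access decision based on user, device trust and information impact.

Added example; not code from the original post or from Microsoft. The trust
levels, resource catalogue and decision rules are constructed assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum


class DeviceTrust(IntEnum):
    """How much the organisation knows about the device (constructed levels)."""
    UNKNOWN = 0      # unmanaged personal device, no posture information
    EAS_POLICY = 1   # enrolled via Exchange ActiveSync, PIN and encryption policy applied
    MANAGED = 2      # fully managed: patched, anti-malware current, remotely wipeable


class Impact(IntEnum):
    """Business impact if the information were disclosed or tampered with."""
    LOW = 0
    MODERATE = 1
    HIGH = 2


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    device_trust: DeviceTrust
    resource: str


# Constructed resource catalogue: name -> (required role or None, impact level)
RESOURCES = {
    "cafeteria-menu": (None, Impact.LOW),
    "corporate-email": ("employee", Impact.MODERATE),
    "payroll": ("finance", Impact.HIGH),
}

# Minimum device trust for full access at each impact level (assumed policy)
MIN_TRUST = {
    Impact.LOW: DeviceTrust.UNKNOWN,
    Impact.MODERATE: DeviceTrust.EAS_POLICY,
    Impact.HIGH: DeviceTrust.MANAGED,
}


def decide(req):
    """Return (decision, reason). Decisions: 'allow', 'allow-limited', 'deny'.

    'allow-limited' means browser-only access with no offline copy or sync,
    granted when the device is exactly one trust level short and the data is
    not HIGH impact. Deny is the default for everything else.
    """
    if req.resource not in RESOURCES:
        return "deny", "unknown resource"
    required_role, impact = RESOURCES[req.resource]
    # 1. User: does the identity carry the role the resource demands?
    if required_role is not None and required_role not in req.roles:
        return "deny", "user lacks role '%s'" % required_role
    # 2. Device: is it trusted enough for this information?
    needed = MIN_TRUST[impact]
    if req.device_trust >= needed:
        return "allow", "device trust %s meets %s" % (req.device_trust.name, needed.name)
    # 3. Business impact: degrade rather than deny, but only for non-HIGH data.
    if impact < Impact.HIGH and req.device_trust == needed - 1:
        return "allow-limited", "device one trust level short; browser-only, no offline copy"
    return "deny", "device trust %s below %s required for %s-impact data" % (
        req.device_trust.name, needed.name, impact.name)


if __name__ == "__main__":
    demo = AccessRequest("alice", frozenset({"employee"}), DeviceTrust.UNKNOWN, "corporate-email")
    print(decide(demo))
```

The order of the checks matters for the audit trail: an identity failure is reported before any device reasoning, so a log of denials separates "wrong person" from "right person, untrusted device", which are handled by different teams.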

In conclusion, here is an example (Developing an Advanced Windows Phone 7.5 App that Connects to the Cloud) of how you can develop applications for the cloud using best practices like the Security Development Lifecycle.