Graham Calladine, David Hoyle Security Center of Excellence Microsoft Session Code: SIA313.


Attacking Windows Stack and How to Protect against These Attacks

Graham Calladine, David Hoyle
Security Center of Excellence, Microsoft
Session Code: SIA313


Session Objectives & Takeaways

To learn and understand:
Current Attack Trends that Microsoft is seeing
Attack Vectors
Mitigation Strategies with Windows Products


10 Years…

We have come a long way since Melissa
2003-2004 difficult times
Blaster/Slammer – Was horrible – Hit Home Users hard
Conficker emerged in a different s/w industry – Did not hit home users hard

Partnerships
MS Response Alliance & Internet Consortium for Advanced Security on the Internet & CWG


WW Threat Trends

Not a simple trend – Geographically Diverse
Miscellaneous Trojans (inc rogue s/w) most prevalent
WORMS 2nd most prevalent
Password Stealers & Monitoring tools
Breaches – Data Scarce – (datalossdb.org)
Top is stolen equipment, twice as many incidents as intrusion
But equipment loss is easily reported!

Data: Microsoft SIR v7 Report


Geographical Trends

8 Locations with most infected machines
USA, UK, France, Italy – Trojans
China, language specific browser threats
Brazil, malware targeting online banking
Spain, Korea, WORMS targeting online gamers

Data Source: SIR V7 Report Pg 40


Threat Landscape is getting better?

Improvement in Software Development Practice
Software Development Lifecycle (SDL)
Geoff 1min Video

Increased Availability of Automatic Patch Update Process
Patch Tuesday and Auto Updates
However, unpatched client is primary initial infection vector

Social engineering techniques to mislead Victims

Attacker still finds success with a variety of techniques for manipulating people


SANS Analysis

“The Top Cyber Security Risks” 2009 September
Application Vulnerabilities Exceed OS Vulnerabilities
Web Application Attacks
Cross Site Scripting, PHP File Include, and SQL Injection

Windows: Conficker/Downadup

Cited from SANS “The Top Cyber Security Risks” 2009 September, http://www.sans.org/top-cyber-security-risks/


Attackers use social engineering techniques – Human Emotion

Microsoft Security Intelligence Report, 2008 July through December 2008

Fear
I want: Protection
I got: Rogue Software

Desire
I want: Web Surfing, Free Stuff Games, etc
I got: fake contents, malicious downloads, etc

Trust
I want: Online Banking, Email, Social Networking etc.
I got: Banking Malware, Phishing, Spam, and File Format Infections, etc.


Attack Vectors and Trends

Current attacks in the wild
Rogue Security Software and Worm
Browser Based Attacks
Phishing
Cross Site Scripting
Clickjacking

File Format Attacks


Attack Vectors and Trends

Rogue Security Software and Worms
Browser Based Attacks
File Format Attack


Rogue Unwanted Software

Rank  Family                        Most Significant Category        Infected Machines
1     Win32/Renos                   Trojan Downloaders & Droppers    4,371,508
2     Win32/Zlob                    Trojan Downloaders & Droppers    3,772,217
3     Win32/Vundo                   Miscellaneous Trojans            3,635,207
4     Win32/ZangoSearchAssistant    Adware                           3,326,275
5     Win32/Taterf                  Worms                            1,916,446
6     Win32/ZangoShoppingreports    Adware                           1,752,252
7     Win32/FakeXPA                 Miscellaneous Trojans            1,691,393
8     Win32/FakeSecSen              Miscellaneous Trojans            1,575,648
9     Win32/Hotbar                  Adware                           1,477,886
10    Win32/Agent                   Miscellaneous Trojans            1,289,178

Win32/Renos

Win32/FakeXPA


Rogue Security Software 1

Use Fear to convince victims
Win32/Renos Family


Rogue Security Software 2

Use the same logic
Win32/FakeXPA Family


Use your Desire

A Rogue Software Real Sample

There is no security issue or vulnerability in YouTube.com.

http://blogs.technet.com/mmpc/archive/2009/08/20/winwebsec-on-youtube.aspx


Worms: Win32/Conficker.A to E

Win32/Conficker is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE)

On October 23, 2008, Microsoft released critical security update MS08-067
The vulnerability allows remote code execution if an affected system receives a specially crafted Remote Procedure Call (RPC) request

On November 21, 2008, the first significant worm that exploits MS08-067 was discovered

The first variant discovered, Worm:Win32/Conficker.A, only uses MS08-067 exploits to propagate

On December 29, 2008, a significantly more dangerous variant, Win32/Conficker.B, was discovered

Exploits the MS08-067 vulnerability but uses additional methods to propagate.
It attempts to spread itself to other computers on the network

Combining the vulnerability with social engineering to introduce and spread the worm in an organization

Continues…

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fConficker


Social Engineering
by e-mailing infected files with official-sounding names to people at a company, like “Corporate Policy.PDF”


Worms: Win32/Conficker.A to E

Release D, monitors 500/50,000 domain names/day for payloads…

Still is

Conficker Working Group (CWG) formed Jan09
Many people from well known sec groups/researchers
Implemented defense DNS strategy
Kaspersky & OpenDNS – calc’ed 1Y of names
All 110 TLDs involved & signed up
Rapid, effective collaboration – keeps Conficker constrained


Published Articles for Conficker

Knowledge Base article
KB962007

MMPC blog (http://blogs.technet.com/mmpc)
Get Protected, Now! (October 23, 2008)
A Quick Update About MS08-067 Exploits (November 17, 2008)
Just in Time for New Year’s… (December 31, 2008)
MSRA Released Today Addressing Conficker and Banload (January 13, 2009)
Centralized Information About the Conficker Worm (January 22, 2009)
Information about Worm:Win32/Conficker.D (March 27, 2009)


Mitigations

Get the latest computer updates
Install and update anti-malware signatures
Run an up-to-date scanning and removal tool
Use caution with attachments and file transfers
Use caution when clicking on links to web pages
Standard user rights
Protect yourself from social engineering attacks
User Security Best Practices such as strong Password Policy
Keep an eye on vulnerabilities and follow the guidelines from trusted sources
Use recent technologies and systems that can reduce the risk of exploitation


Attack Vectors and Trends

Rogue Security Software and worms

Browser Based Attacks
File Format Attack


Browser Based Attacks

Phishing
Cross Site Scripting
ClickJacking



Phishing: Overview

Phishing is a method of identity theft that tricks Internet users into revealing personal or financial information online.


Phishing Scam Samples

Social engineering techniques
“Verify your account”
“If you don't respond within 48 hours, your account will be closed”
“Dear Valued Customer”
“Click the link below to gain access to your account”


Spear Phishing and Whaling

Spear phishing - highly targeted phishing
Send email messages that appear genuine to all employees and members within a community

Whaling - involves targeted attacks on senior executives and other high ranking people


Phishing Trends in Industry

APWG: Anti Phishing Working Group Report, 2009 1H

http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf


Phish Tank: Current Phish Sites

Live phish sites can be found at

http://www.phishtank.com/


Phishing with Hotmail

Illegally acquired by a phishing scheme and exposed to a website

Microsoft Recommends:
Renew their passwords for Windows Live IDs every 90 days
For administrators, make sure you approve and authenticate only users that you know and can verify credentials
As phishing sites can also pose additional threats, install and keep anti-virus software up to date


Techniques

Man-in-the-middle attacks
Proxies, DNS Cache Poisoning, etc

URL Obfuscation attacks
Bad Domain Name, Friendly Login URL’s, Host Name/URL Obfuscation, etc

Etc…


Anti-Phishing
IE 8 SmartScreen

demo


Mitigations

Use an up-to-date anti-malware product from a known, trusted source, and keep it updated.
Use the most recent version of your Web browser, and keep it up to date by applying security updates and service packs in a timely fashion.
Use a robust spam filter to guard against fraudulent and dangerous e-mail.
You can add sites you trust to the Trusted Sites zone with more than middle security level.
Follow the guidance to take actions

http://www.microsoft.com/mscorp/safety/technologies/antiphishing/guidance.mspx


Browser Based Attacks

Phishing

Cross Site Scripting
ClickJacking


Cross Site Scripting: Overview

Cross-Site Scripting (XSS): Occurs whenever an application reads user data, and embeds that user data in Web responses without encoding or validating the user data

Common vulnerabilities that make Web-based applications susceptible to cross-site scripting attacks:
Improper input validation
Failing to encode output
Trusting data from shared resources


Cross Site Scripting in News

October 2005 MySpace “Samy” worm
February 2006 Facebook
June 2008 Yahoo Mail
December 2008 American Express
April 2009 Twitter

http://twittercism.com/remove-stalkdaily/


http://xssed.com/ - live XSSed


Types of Cross-Site Scripting

Two major types of cross-site scripting attacks:

Type 1: Non-Persistent
Often referred to as reflected cross-site scripting
Requires some level of social engineering

Type 2: Persistent
Stored cross-site scripting
One attack can affect multiple users

Type 0: DOM-Based


Type 1: Non-Persistent Cross-Site Scripting

Diagram: Malicious User, User, Web Server

Congratulations! You won a prize, please click here to claim your prize!

http://www.contoso.com?id=[malicious code]

<html><head><title>Hello</title></head><body>[malicious code]</body>…


Type 2: Persistent Cross-Site Scripting

Diagram: Malicious User, Web Server, Database, Users

Blog Comment:
Hello, this article was helpful! [malicious code]
Thanks, Kevin


Mitigation Strategies

Server Side
Validate all untrusted input
Encode any Web response data that could contain user or other untrusted input
Use built-in ASP.NET protection via the ValidateRequest option
Use the System.Web.HttpCookie.HttpOnly property
Use the <frame>, <iframe> IE6 and above security attribute
Use the Microsoft Anti-Cross Site Scripting Library (AntiXSS)
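
Input validation, output encoding and the HttpOnly cookie flag, applied to the reflected `id` parameter and page template from the Type 1 slide. This is an added example, not code from the original deck; it uses Python's standard library rather than ASP.NET, the function names and the cookie name `session` are hypothetical, and the sample inputs are constructed.

```python
import html
import re
from http.cookies import SimpleCookie

PAGE = "<html><head><title>Hello</title></head><body>{body}</body></html>"

# Allow-list for the hypothetical `id` parameter: 1 to 32 letters, digits, '-' or '_'.
ID_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,32}")


def render_unsafe(text):
    """The vulnerable pattern: untrusted text is embedded in the response as-is."""
    return PAGE.format(body=text)


def render_encoded(text):
    """Output encoding: <, >, & and quotes become entities before embedding."""
    return PAGE.format(body=html.escape(text, quote=True))


def is_valid_id(value):
    """Input validation: the whole value must match the allow-list."""
    return ID_PATTERN.fullmatch(value) is not None


def handle_request(user_id):
    """Validate, then encode whatever is echoed. Returns (status, body)."""
    if not is_valid_id(user_id):
        # The rejected value is still untrusted, so the error page encodes it too.
        return 400, render_encoded("Invalid id: " + user_id)
    return 200, render_encoded("Item: " + user_id)


def session_cookie_header(token):
    """Set-Cookie value with HttpOnly, so script running in the page cannot read it."""
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


if __name__ == "__main__":
    # Constructed sample inputs.
    benign = "item-42"
    markup = "<script>alert(1)</script>"
    print(render_unsafe(markup))      # markup reaches the browser unchanged
    print(render_encoded(markup))     # markup is shown as text
    print(handle_request(benign))
    print(handle_request(markup))
    print(session_cookie_header("constructed-token"))
```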


Microsoft Anti-Cross Site Scripting Library V3.1

New features
An expanded white list that supports more languages
Performance improvements
Performance data sheets (in the online help)
Support for Shift_JIS encoding for mobile browsers
A sample application
Security Runtime Engine (SRE) HTTP module


Security Runtime Engine (SRE) HTTP module

Ideally, you do not need to change your code!

In your web.config:

<!-- Registers the SRE HTTP module with the application -->
<httpModules>
  <add name="AntiXssModule" type="Microsoft.Security.Application.SecurityRuntimeEngine.AntiXssModule"/>
</httpModules>

In antixssmodule.config:

<!-- Each entry names a control class, the property to encode, and the encoding context -->
<ControlEncodingContexts>
  <ControlEncodingContext FullClassName="System.Web.UI.Page" PropertyName="Title" EncodingContext="Html" />
  <ControlEncodingContext FullClassName="System.Web.UI.WebControls.Label" PropertyName="Text" EncodingContext="Html" />
  <ControlEncodingContext FullClassName="System.Web.UI.WebControls.CheckBox" PropertyName="Text" EncodingContext="Html" />
</ControlEncodingContexts>


Anti-Cross Site Scripting in Action
Microsoft Anti-Cross Site Scripting Library V3.1

demo


Mitigation Strategies

Client Side
IE8 XSS Filter


Anti-Cross Site Scripting in Action
IE8 XSS Filter with Microsoft Application Compatibility Tool Kit

demo


Browser Based Attacks

Phishing
Cross Site Scripting

ClickJacking


ClickJacking: Overview

Clickjacking is an attack that tricks the victim into initiating commands on a website that they did not intend.
It uses iframes and web page layers in DHTML to overlay a potentially malicious button (for example) on top of an existing legitimate web page.


A ClickJacking Example

Suppose that a hacker site has the following source code…


Mitigation

Use FrameBreaker Script

<script>if (top!=self) top.location.href=self.location.href</script>

Use X-Frame-Options Header for IE8
Send an HTTP response header named X-FRAME-OPTIONS with HTML pages to restrict how the page may be framed
If the X-FRAME-OPTIONS value contains the token DENY, IE8 will prevent the page from rendering if it will be contained within a frame

Add X-FRAME-OPTIONS and Deny to HTTP Response Headers using IIS Manager,
In html, insert <meta http-equiv="X-FRAME-OPTIONS" content="DENY" /> in <head> section, or
Using ASP.Net, you can insert Response.AddHeader("X-Frame-Options", "Deny").
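
One way to send the response header from application code, written as a WSGI middleware in Python rather than IIS or ASP.NET. This is an added example, not code from the original deck; `FrameOptionsMiddleware`, `demo_app` and `call_app` are hypothetical names and the demo application is constructed.

```python
class FrameOptionsMiddleware:
    """Adds X-Frame-Options to HTML responses that do not already set it."""

    def __init__(self, app, policy="DENY"):
        # DENY is the token the slide covers; SAMEORIGIN is the other token
        # IE8 understands and is accepted here for pages framed by their own site.
        if policy not in ("DENY", "SAMEORIGIN"):
            raise ValueError("unsupported X-Frame-Options value: " + policy)
        self.app = app
        self.policy = policy

    def __call__(self, environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            names = {name.lower(): value for name, value in headers}
            is_html = names.get("content-type", "").lower().startswith("text/html")
            if is_html and "x-frame-options" not in names:
                headers = list(headers) + [("X-Frame-Options", self.policy)]
            if exc_info is None:
                return start_response(status, headers)
            return start_response(status, headers, exc_info)

        return self.app(environ, patched_start_response)


def demo_app(environ, start_response):
    """Constructed application with three routes, used only for this example."""
    path = environ.get("PATH_INFO", "/")
    if path == "/api":
        start_response("200 OK", [("Content-Type", "application/json")])
        return [b'{"ok": true}']
    if path == "/widget":
        # A page meant to be framed by its own site keeps its explicit policy.
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                                  ("X-Frame-Options", "SAMEORIGIN")])
        return [b"<html><body>widget</body></html>"]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>account settings</body></html>"]


def call_app(app, path):
    """Runs one GET request through a WSGI app; returns status, headers and body."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = {name.lower(): value for name, value in headers}

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    captured["body"] = b"".join(app(environ, start_response))
    return captured


if __name__ == "__main__":
    protected = FrameOptionsMiddleware(demo_app)
    for route in ("/", "/api", "/widget"):
        print(route, call_app(protected, route)["headers"].get("x-frame-options"))
```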


ClickJacking: FrameBreaker and IE8 Defense

demo


Attack Vectors and Trends

Rogue Unwanted Software
Browser Based Attacks

File Format Attack - Office


File Format Attack: Overview

This class of vulnerability is described as parser vulnerabilities.

Attacker creates a specially crafted document that takes advantage of an error in how the code processes or parses the file format.

Increasingly, attackers are using common file formats as transmission vectors for exploits.

Office format and PDF format


File Format Attack Trend

Recent (2H08) saw a sharp increase in the number of file format–based attacks

Often in the form of spear phishing and whaling attacks, the victim opens the attachment
Or at a malicious / compromised web site, and the malicious code forces browsers to a malicious document, which is opened by victim


Binary Office File Format vs. Open XML format

Office 2003 (and lower) Binary Format
OLE Structured Storage outer format
File system within a file!
Complex file format complete with
FAT Table
Sectors
Streams (like files)

Another application specific inner format within a stream!

Diagram: Header, STRM1, STRM2, STRM3, STRM4


Examining The File

Requires a hex editor + expert knowledge
Interesting strings in a stream near the beginning of the malicious files!

What could possibly go wrong?


Office 2007 Open XML File Format

Safety was a design goal from the beginning
Designed under the SDL

ZIP file container with ‘XML parts’
Also non-XML parts (typically binary data like embedded images or OLE objects)

Non-XML parts can be disabled by policy

Rename to .zip and open with zip file viewer!
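
The two containers described on the binary-format and Open XML slides can be told apart from a file's first bytes, and the "rename to .zip" inspection can be scripted to list the non-XML parts. This is an added example, not part of the original deck; the function names are hypothetical and both sample files are constructed in memory.

```python
import io
import struct
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE Structured Storage signature
ZIP_MAGIC = b"PK\x03\x04"  # ZIP local file header signature
XML_SUFFIXES = (".xml", ".rels")


def classify_container(data):
    """Return 'ole', 'openxml', 'zip' or 'unknown' for the given file bytes."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC) and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            # Every Open XML package has this part at the root of the ZIP.
            if "[Content_Types].xml" in archive.namelist():
                return "openxml"
        return "zip"
    return "unknown"


def ole_header_info(data):
    """Read the fixed layout fields from the 512-byte OLE header."""
    if len(data) < 512 or not data.startswith(OLE_MAGIC):
        raise ValueError("not an OLE Structured Storage file")
    _minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<5H", data, 24)
    fat_sectors, first_dir_sector = struct.unpack_from("<2I", data, 44)
    return {
        "major_version": major,
        "sector_size": 1 << sector_shift,
        "fat_sectors": fat_sectors,
        "first_directory_sector": first_dir_sector,
        # Values the format specification fixes; anything else is malformed.
        "header_consistent": byte_order == 0xFFFE and mini_shift == 6
        and (major, sector_shift) in ((3, 9), (4, 12)),
    }


def list_non_xml_parts(data):
    """List (name, size) of package parts that are not XML, e.g. images or OLE objects."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return sorted(
            (info.filename, info.file_size)
            for info in archive.infolist()
            if not info.is_dir() and not info.filename.lower().endswith(XML_SUFFIXES)
        )


def build_sample_ole_header():
    """Constructed version-3 OLE header (512 bytes) with no sectors after it."""
    header = bytearray(512)
    header[0:8] = OLE_MAGIC
    struct.pack_into("<5H", header, 24, 0x003E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<2I", header, 44, 1, 0)
    return bytes(header)


def build_sample_docx():
    """Constructed minimal package layout; not a document Word would open."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("_rels/.rels", "<Relationships/>")
        archive.writestr("word/document.xml", "<document/>")
        archive.writestr("word/media/image1.png", b"\x89PNG constructed")
        archive.writestr("word/embeddings/oleObject1.bin", build_sample_ole_header())
    return buffer.getvalue()


if __name__ == "__main__":
    package = build_sample_docx()
    print(classify_container(package))
    for name, size in list_non_xml_parts(package):
        print(name, size)
    print(ole_header_info(build_sample_ole_header()))
```

The embedded `oleObject1.bin` part classifies as `ole`, which is the kind of non-XML part the slide says can be disabled by policy.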


Historical Data

Fuzzing Iterations Completed

[Chart: Office Security Bulletin Trend (by quarter), 2004 to 2008]

Newer is Better
% of vulns affecting Office 2007 since Jan 2007: 72% Not Vulnerable, 28% Vulnerable


Layered Defenses

Harden the Attack Surface
Reduce the Attack Surface
Improve User Experience
Mitigate the Exploits


Harden the Attack Surface

Security Engineering
Security Development Lifecycle Foundation
Intensive Distributed Fuzzing

Integrate OS Advances
Support for DEP/NX
Leverage WIC Image Parsers
Robust & Agile Cryptography


Reduce the Attack Surface

File Block
Block unused or legacy file formats
Easy policy enforcement
View allows read-only access
Tied in with Protected View for formats between block and allow

Office File Validation
Binary files
Runs automatically on open
Evaluates file for ‘correctness’
Protects against unknown exploits
Faster updates for changes to rules


Gatekeeper vs MSRC cases


Mitigate the Exploits

Protected Viewer ‘Sandbox’

Word, Excel, PPT files can run in the ‘sandbox’
Prevents harmful documents from damaging user data and OS
Help users make better trust decisions


Protected Viewer

Office Protected Viewer
Files that failed File Validation
Files that don’t comply with File Block Policy
Files in unsafe folders
All Outlook Attachments
Files from the Internet Zone

Mitigate the Exploits


Office - File Formats

demo


Observations on XP

Malicious PPT drops an EXE and a clean PPT on the user's desktop (requires regular user rights)
The EXE creates a ‘.log’ file in the user's temp folder and executes it (requires regular user rights)
The malware creates 2 binaries in system32 and modifies HKLM registry keys (requires admin rights)
The binaries are injected into SYSTEM processes like winlogon.exe (requires admin rights)


Observations on Vista

Malicious PPT drops an EXE and a clean PPT on the user's desktop (requires regular user rights)
The EXE creates a ‘.log’ file in the user's temp folder and executes it (requires regular user rights)
The malware creates 2 binaries in system32 and modifies HKLM registry keys (requires admin rights)
The binaries are injected into SYSTEM processes like winlogon.exe (requires admin rights)


Better Together

File Block

GateKeeper

Standard User / UAC

UAC “Dark Roast”


Mitigations

Configure your computer to use Microsoft Update

Ensure that Microsoft security update MS06-027 has been applied to any affected software in your environment: http://www.microsoft.com/technet/security/bulletin/MS06-027.mspx.

Keep your third-party software up to date. Updates for Adobe products can be downloaded from http://www.adobe.com/downloads/updates/.

If possible, upgrade your software applications to the most recent versions, since these demonstrate lower rates of attack.

Avoid opening attachments or clicking links to documents in e-mail or instant messages that are received unexpectedly or from an unknown source.

Use up-to-date antivirus software from a known, trusted source that offers real-time protection and continually updated definition files to detect and block exploits.


Summary

Trends are WORMS, Rogue, FileFormat
Varies world wide
Security Community effort in industry to keep on top
Technology evolving fast to solve root cause (GateKeeper)
Updates, Virus Checkers, Good Risk Management are key, Security Standards
Lockdowns go a long way


Quick Case Study

AppLocker + Windows only rules + App rules
No execute for standard users for writable areas
Bitlocker
Lockdown to reduce attack surface
Virus checker/Updates etc…

Gives a solid defense in-depth client build!


Summary

Both security vendors and IT professionals should
Adjust their risk management processes appropriately to help ensure that all operating systems and applications are protected (ISO 27000, COBIT, MS Sec Risk Guide)
Keep up to date on a wide range of potential security issues
Take appropriate actions based on your risk assessment

As an individual, to protect against malicious code
Keep security patches and anti-virus signatures up to date, and if possible upgrade to newer software
Educate yourself about potential security risks
IT professionals and consumers should take advantage of the defense-in-depth technologies, such as firewalls, antivirus programs, and antispyware programs available from trusted sources…


Summary

Most important of all…
Stay informed & up to date

Microsoft Malware Protection Center
Microsoft Security Update Guide
Microsoft Security Engineering Center
Microsoft Security Response Center
Microsoft SIR v7 Report
Microsoft AV
Security Essentials
End to End trust
Microsoft Security Development Lifecycle
Common Vulnerabilities and Exposures : http://cve.mitre.org


question & answer


Track Resources

Common Vulnerabilities and Exposures : http://cve.mitre.org

National Vulnerability Database : http://nvd.nist.gov

www.securityfocus.com, www.secunia.com, www.securitytracker.com

Microsoft Malware Protection Center, Microsoft Security Update Guide, Microsoft Security Engineering Center, Microsoft Security Response Center, Microsoft SIR v7 Report, Microsoft AV, Security Essentials, End to End trust, Microsoft Security Development Lifecycle


Resources

www.microsoft.com/teched
Sessions On-Demand & Community

http://microsoft.com/technet
Resources for IT Professionals

http://microsoft.com/msdn
Resources for Developers

www.microsoft.com/learning
Microsoft Certification & Training Resources


Related Content

SIA-205: SDL-Agile: Microsoft’s Approach to Security for Agile Projects



© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.