Security Intelligence Report
Managing Risks
Microsoft | Security Intelligence Report, Volume 9
January through June 2010

Microsoft Security Intelligence Report

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it.

Copyright © 2010 Microsoft Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Authors

David Anselmi, Digital Crimes Unit
Richard Boscovich, Digital Crimes Unit
T.J. Campana, Digital Crimes Unit
Neil Carpenter, CSS Security
Greg Cottingham, CSS Security
Joe Faulhaber, Microsoft Malware Protection Center
Vinny Gullotto, Microsoft Malware Protection Center
Paul Henry, Wadeware LLC
Jeannette Jarvis, CSS Security
Jeff Jones, Microsoft Trustworthy Computing
Jimmy Kuo, Microsoft Malware Protection Center
Scott Molenkamp, Microsoft Malware Protection Center
Michelle Meyer, Microsoft Trustworthy Computing
Bala Neerumalla, Microsoft Secure SQL Initiative Team
Daryl Pecelj, Microsoft IT Information Security and Risk Management
Anthony Penta, Microsoft Windows Safety Platform
Paul Pottorff, Windows Consumer Product Management
Tim Rains, Microsoft Trustworthy Computing
Javier Salido, Microsoft Trustworthy Computing
Navaneethan Santhanam, Bing
Christian Seifert, Bing
Frank Simorjay, Microsoft Trustworthy Computing
Holly Stewart, Microsoft Malware Protection Center
Adrian Stone, Microsoft Security Response Center
Matt Thomlinson, Microsoft Security Response Center
Jossie Tirado Arroyo, Microsoft IT Information Security and Risk Management
Scott Wu, Microsoft Malware Protection Center
Terry Zink, Microsoft Forefront Online Protection for Exchange

Contributors

Ian Brackenbury, Microsoft Trustworthy Computing
Doug Cavit, Microsoft Trustworthy Computing
Eva Chow, Microsoft IT Information Security and Risk Management
Greg Cottingham, CSS Security
Dave Dittrich, University of Washington
Enrique Gonzalez, Microsoft Malware Protection Center
Cristin Goodwin, Microsoft Legal and Corporate Affairs
Satomi Hayakawa, CSS Japan Security Response Team
Robert Hensing, Microsoft Consulting Services
Yuhui Huang, Microsoft Malware Protection Center
Joe Johnson, Microsoft Malware Protection Center
John Lambert, Microsoft Security Engineering Center
Laura Lemire, Microsoft Legal and Corporate Affairs
Nishanth Lingamneni, Microsoft Security Essentials
Ken Malcolmson, Microsoft Trustworthy Computing
Charles McColgan, Microsoft ISD
Russ McRee, Global Foundation Services
Mark Miller, Microsoft Trustworthy Computing
Price Oden, Microsoft IT Information Security and Risk Management
Kathy Phillips, Microsoft Legal and Corporate Affairs
Anthony Potestivo, Microsoft IT Information Security and Risk Management
Ina Ragragio, Microsoft Malware Protection Center
Tareq Saade, Microsoft Malware Protection Center
Jireh Sanico, Microsoft Malware Protection Center
Richard Saunders (EMEA), Microsoft Trustworthy Computing
Andrei Florin Saygo, Microsoft Malware Protection Center
Marc Seinfeld, Microsoft Malware Protection Center
Jasmine Sesso, Microsoft Malware Protection Center
Norie Tamura (GOMI), CSS Japan Security Response Team
Gilou Tenebro, Microsoft Malware Protection Center
Patrik Vicol, Microsoft Malware Protection Center
Steve Wacker, Wadeware LLC
Jeff Williams, Microsoft Malware Protection Center
Dan Wolff, Microsoft Malware Protection Center
[name missing], CSS Japan Security Response Team, Microsoft Japan

Table of Contents

Authors & Contributors 3
Making Microsoft More Secure 5
Information Security Policies 5
Business Drivers for Information Security Policies 6
Policy Management 6
Promoting Awareness 7
Security Awareness Program 7
Defending Against Malware 8
Secure Infrastructure 9
Protect Your Computer 10
Other Resources 11
Malware Response Case Study 12
Isolate the Computer 12
Identify the Malware 12
Determine How the Malware Starts 13
How Was the Malware Installed? 14
Determine Malware Connectivity 15
Remediate the Malware 16
Recommendations 16

This section features information and tips from two groups at Microsoft that have practical, real-world experience managing malware outbreaks and safeguarding networks, systems, and people: Microsoft® IT (MSIT), which manages the enterprise computing infrastructure at Microsoft, and Microsoft Customer Service and Support (CSS), which provides support information and services to Microsoft customers worldwide. The information presented here describes how these two groups have met the challenges posed by malware and security threats in their areas of responsibility. Not all of the details are likely to be relevant to security-related scenarios elsewhere, but Microsoft hopes that this information will give readers useful ideas for improving their own incident prevention and response plans. For comprehensive security guidance related to the aspects of security covered in this report, see the Managing Risk section of the Security Intelligence Report website.

Making Microsoft More Secure

Microsoft IT (MSIT)

Microsoft IT (MSIT) provides information technology services internally for Microsoft employees and resources. MSIT manages 900,000 devices for 180,000 end users across more than 100 countries worldwide, with approximately 2 million remote connections per month. Safeguarding a computing infrastructure of this size requires implementation of strong security policies, technology to help keep malware off the network and away from mission-critical resources, and dealing with malware outbreaks swiftly and comprehensively when they occur.
The Security Intelligence Report typically focuses primarily on the technological aspects of malware and security, supported by in-depth telemetry data from multiple products and services. However, for IT departments looking to secure their networks, the non-technical aspects of security (policies, planning, education, awareness, and others) can be just as important. MSIT has had considerable experience on both sides of the equation, and we hope that information about the policies we’ve implemented can benefit others.

The IT Showcase section of the Microsoft TechNet Library (technet.microsoft.com) includes a variety of articles and papers from MSIT about all aspects of IT administration. In this section we present a small sample of the IT Showcase material we have published on the subject of security. See technet.microsoft.com/library/bb687780.aspx for the full Microsoft IT Showcase collection, and see technet.microsoft.com/library/bb687795.aspx for the full versions of these and other security-related articles.

Information Security Policies

Excerpt from “Information Security at Microsoft Overview” (technet.microsoft.com/library/bb671086.aspx), updated November 2007

Microsoft uses a layered approach to information security policies. This approach evolved out of business needs that remain fueled by an appreciation of the value of information assets, an evolving threat landscape with intentional and unintentional breaches and loss of information, and technology advancements enacted within and outside the company. The information security policies at Microsoft include:

Microsoft Information Security Program (MISP) Policy. This policy establishes accountabilities that require Microsoft to operate a security program. It also establishes a framework for a risk-based and policy-based approach to protecting assets.

Information Security Policy. This policy contains principles for protecting and properly using corporate resources. It supports specific security standards, operating procedures, and guidelines for business units.

Information Security Standards. This policy provides requirements and prescriptive guidance that enable users to comply with the Information Security Policy.

Business Drivers for Information Security Policies

Information security policies demonstrate company values and drive desired behaviors. They help ensure regulatory compliance and alignment with industry standards, and they are useful for conducting internal audits. Audits help ensure that company procedures support policies and that employees are following the procedures; they also help measure the overall security health of the organization. Without policies to govern the corporate infrastructure, the potential for loss of intellectual property, personally identifiable information (PII), and customer data increases dramatically. Figure 1 illustrates how Microsoft manages risk by using security policies that drive behavior, support values, and limit exceptions.

Figure 1. How Microsoft uses information security policies: business drivers (comply with regulations, demonstrate company values, align with industry standards, drive desired behaviors), the risk of loss of IP, PII, and customer data, audit processes, and exceptions.

Policy Management

Microsoft IT must enforce all of its unique security policies consistently to maintain credibility. Involving key executives during the authorization process lends influence and credence. Implementing a repeatable process ensures that the appropriate roles, responsibilities, and administrative controls are in place.

Promoting Awareness

If users are not aware of policies and standards, they cannot be held accountable for