Tim Rains, Author at Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog/author/timrains/

Microsoft Security Intelligence Report Volume 20 is now available
http://approjects.co.za/?big=en-us/security/blog/2016/05/05/microsoft-security-intelligence-report-volume-20-is-now-available/
Thu, 05 May 2016 12:00:17 +0000

The post Microsoft Security Intelligence Report Volume 20 is now available appeared first on Microsoft Security Blog.

The latest volume of the Microsoft Security Intelligence Report (SIR) is now available for free download at www.microsoft.com/sir.

We’ve been publishing threat intelligence reports for our customers, partners and the industry for 10 years now. During that time, we’ve published over 12,500 pages of threat intelligence, 100+ blog posts, many videos, and delivered thousands of customer briefings all over the world.

This new volume of the report includes threat data from the second half of 2015 as well as longer term trend data on industry vulnerabilities, exploits, malware, and malicious websites. The report also provides deep dive threat data for over 100 countries/regions.

There are a couple of new sections in this volume of the SIR that I’m excited to share.

First, the report includes a section called “PLATINUM: Targeted attacks in South and Southeast Asia.” This section provides details on a newly discovered determined adversary group, which Microsoft has code-named PLATINUM. This group has conducted several cyber espionage campaigns since 2009, focusing on targets associated with governments and related organizations in Southeast Asia. This information can help you understand mitigations that can significantly reduce the risks that organizations face from such groups.

The other section I’m excited about is called “Protecting Identities in the Cloud: Mitigating Password Attacks.” This section of the report focuses on some of the things that Microsoft does to prevent account compromise inside our cloud services. This is the first time we’ve published data like this in the SIR.

There is a lot of other new data in this report that I hope you’ll find useful.

You can download Volume 20 of the Microsoft Security Intelligence Report at www.microsoft.com/sir.

Tim Rains
Director, Security

Cloud Security Alliance Summit 2016: I Survived the Shark Tank
http://approjects.co.za/?big=en-us/security/blog/2016/03/21/cloud-security-alliance-summit-2016-i-survived-the-shark-tank/
Mon, 21 Mar 2016 18:23:50 +0000

A few weeks back I had the opportunity to speak at the Cloud Security Alliance Summit 2016 held in San Francisco, California. Microsoft was a Platinum sponsor of the event. I participated in a panel discussion on cloud security that focused on lessons learned from a cloud services provider’s point of view. Google, Dropbox, and Rackspace also participated on the panel.

The panel was moderated by Robert Herjavec, CEO of the Herjavec Group and star of ABC’s Shark Tank. Robert was a gracious and fun moderator to work with and I managed to survive the panel without a shark bite!

Also from Microsoft, Bruce Cowper delivered a keynote titled “Trusted Cloud” in which Bruce discussed the gap between how much people trust their on-premises infrastructure and the enterprise cloud services they consume, and examined reasons for the difference.

Tim Rains
Director, Security
Microsoft

Cloud security controls series: OneDrive for Business
http://approjects.co.za/?big=en-us/security/blog/2015/10/01/cloud-security-controls-series-onedrive-for-business/
Thu, 01 Oct 2015 16:41:09 +0000

One of the Microsoft cloud services that I get asked about most often is OneDrive for Business. It’s part of Office 365 – so many, many customers are already using this service. OneDrive for Business can help ensure that business files for organizations’ users are stored in a central location, making it easy for users to search, share and collaborate on documents using a range of devices including Windows and Windows Phone devices, Android, Mac OS X, and iOS-based devices. Many enterprise customers want to take advantage of the benefits this service offers, in addition to the relatively low cost and unlimited storage it provides.

But naturally, customers have questions about the security controls built into OneDrive for Business that will help them manage the security of the data they store there. Customers want to ensure that this service provides appropriate protections to help them manage the risks of unauthorized access to data and accidental leakage of data.

I recently wrote an article about encrypting data at rest in Microsoft cloud services where I discussed how encrypting customer data and properly managing the encryption keys can help mitigate the risk of unauthorized access to that data. I also wrote an article on how data in-transit is protected. If you haven’t read these articles yet, I suggest reading them as a prerequisite to this article as I mention a bunch of controls, like physical security controls, that help protect customer data in OneDrive for Business beyond what I’ll discuss in this article. It’s important to understand that there are layers of controls (physical datacenter security, network security, access security, application security, etc.) inside Microsoft cloud services that help protect customer data, and give customers options on how to manage their organizations’ highest priority risks.

First, let’s look at how data stored in the service is encrypted at rest. Data at rest in OneDrive for Business is encrypted at both the disk level and the file level. Microsoft has been deploying BitLocker Drive Encryption across the OneDrive for Business service to provide disk level encryption. Many enterprise customers are familiar with BitLocker as they use it to protect data stored on their on-premises Windows-based systems. In addition to numerous other security controls that help protect data in OneDrive for Business, BitLocker helps manage the risk of physical disk theft from a Microsoft datacenter. Even if someone could remove a disk or server from a datacenter, an attacker without the BitLocker keys could not read customer data from it.

Microsoft has also been rolling out per-file encryption for OneDrive for Business in Office 365 multitenant and new dedicated environments that are built on multitenant technology. This file level encryption employs a combination of chunking the files that customers store in the service into smaller pieces, encrypting each chunk with a separate key and distributing chunks randomly across multiple storage containers in a datacenter. The keys used to encrypt the chunks of content (content encryption keys) are themselves encrypted with a master key. The encrypted chunks of content, the master keys, and the “map” used to re-assemble the chunked content into the original file that the customer stored in the service are all stored in physically separate data stores. This combination of safeguards, together with the aforementioned BitLocker Drive Encryption, is a very effective set of security controls that helps manage the risk of unauthorized access to data.

This article and video walks you through the combination of BitLocker Drive Encryption and file level encryption in the OneDrive for Business service: Data Encryption in OneDrive for Business and SharePoint Online.

Another question I get asked about OneDrive for Business from time to time is how it synchronizes data securely. The graphic below illustrates how the synchronization process works along with the aforementioned file level encryption process.

Perhaps the question I get asked most often about security controls for OneDrive for Business is whether administrators can block data from being synchronized to unmanaged systems. Many organizations do not want their organization’s data to be distributed to personally owned or unmanaged PCs where policies are not being enforced. File synchronization can be configured to work only on domain-joined PCs; it can also be configured to only synchronize to PCs that are members of administrator specified Windows domains. This control is configurable using administrators’ favorite system interface: PowerShell cmdlets. Mobile systems that need to access files stored in OneDrive for Business can be managed using mobile device management (MDM) policies via MDM for Office 365. This will help ensure that mobile devices meet organizational security requirements, like enforcing PIN usage on the device, as well as full wipe and selective wipe capabilities. A blog post and video describing these features and other related features is available here: New IT management controls added to OneDrive for Business.
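As an added example (not code from the original post or the OneDrive team), the following script applies the domain-join sync restriction described above with the SharePoint Online Management Shell cmdlet Set-SPOTenantSyncClientRestriction. It assumes the RSAT ActiveDirectory module is available to resolve domain names to the objectGUIDs the cmdlet matches on; the tenant admin URL, domain name and the property names read back from Get-SPOTenantSyncClientRestriction are taken from the cmdlet documentation and are placeholders here.

```powershell
# Added example: restrict OneDrive for Business sync to PCs joined to approved AD domains.
# Requires SharePoint Online Management Shell (Connect-SPOService) and the ActiveDirectory
# module. Admin URL and domain names below are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Import-Module ActiveDirectory

function Get-ApprovedDomainGuids {
    # The tenant restriction matches on the domain's objectGUID, not its DNS name,
    # so resolve each approved domain name to its GUID first.
    param([Parameter(Mandatory)][string[]]$DomainNames)
    foreach ($name in $DomainNames) {
        (Get-ADDomain -Identity $name).ObjectGUID.Guid
    }
}

function Set-OneDriveSyncRestriction {
    param(
        [Parameter(Mandatory)][string]$AdminUrl,      # e.g. https://contoso-admin.sharepoint.com (placeholder)
        [Parameter(Mandatory)][string[]]$DomainNames,  # AD domains whose members may sync
        [switch]$BlockMacSync                          # Mac clients cannot prove domain membership
    )
    Connect-SPOService -Url $AdminUrl
    $guids = Get-ApprovedDomainGuids -DomainNames $DomainNames

    # The cmdlet takes a semicolon-separated list of domain GUIDs.
    Set-SPOTenantSyncClientRestriction -Enable -DomainGuids ($guids -join ';') -BlockMacSync:$BlockMacSync

    # Read the setting back and check the tenant enforces what was requested rather than
    # trusting that the call succeeded.
    $r = Get-SPOTenantSyncClientRestriction
    if (-not $r.TenantRestrictionEnabled) { throw 'Sync restriction is not enabled on the tenant.' }
    $applied = @($r.AllowedDomainList | ForEach-Object { $_.ToString().ToLowerInvariant() })
    foreach ($g in $guids) {
        if ($applied -notcontains $g.ToLowerInvariant()) { throw "Domain GUID $g is missing from the allow list." }
    }
    return $r
}

# Usage (placeholders):
# Set-OneDriveSyncRestriction -AdminUrl 'https://contoso-admin.sharepoint.com' -DomainNames 'corp.contoso.com' -BlockMacSync
```

The restriction is enforced by the sync client, so it stops unmanaged PCs from keeping a local replica; it does not by itself stop a user from downloading files through the browser, which is governed by the sharing and conditional access controls rather than this setting.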

Of course, auditing controls are important to enterprise customers as well. Auditing controls available in the Office 365 compliance center enable organizations to audit all the actions taken on their files stored in OneDrive for Business. For example, organizations can monitor which PCs or Macs attempted to sync with OneDrive and who viewed and shared files. The screen shot below illustrates this type of activity report, which can also be accessed via a Search PowerShell cmdlet, as well as the Office 365 Management Activity API.
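As an added example (not code from the original post), the script below pulls the OneDrive sync and sharing events mentioned above out of the unified audit log with the Exchange Online cmdlet Search-UnifiedAuditLog, and summarizes which machines are syncing and which sharing invitations went to external addresses. The operation names are those used by the Office 365 audit schema; the date range, internal domain and the column names are placeholders or assumptions noted in the comments.

```powershell
# Added example: query OneDrive sync/sharing activity from the Office 365 unified audit log.
# Requires Exchange Online PowerShell (Connect-ExchangeOnline) and an account with the
# View-Only Audit Logs role. Dates and domain names are placeholders.
Import-Module ExchangeOnlineManagement

# Operation names as they appear in the SharePoint/OneDrive audit schema.
$SyncOps    = 'FileSyncDownloadedFull', 'FileSyncDownloadedPartial', 'FileSyncUploadedFull', 'FileSyncUploadedPartial'
$SharingOps = 'SharingSet', 'SharingInvitationCreated', 'AnonymousLinkCreated', 'SecureLinkCreated', 'AddedToSecureLink'

function Get-OneDriveAuditEvents {
    param([Parameter(Mandatory)][datetime]$Start, [Parameter(Mandatory)][datetime]$End)
    $all = @()
    foreach ($recordType in 'SharePointFileOperation', 'SharePointSharingOperation') {
        # ReturnLargeSet pages results; keep calling with the same SessionId until nothing comes back.
        $sessionId = "onedrive-$recordType-" + [guid]::NewGuid()
        do {
            $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -RecordType $recordType `
                        -Operations ($SyncOps + $SharingOps) -SessionId $sessionId `
                        -SessionCommand ReturnLargeSet -ResultSize 5000
            $all += $page
        } while ($page)
    }
    foreach ($rec in $all) {
        # AuditData is a JSON document; these fields are populated for OneDrive workload records.
        $d = $rec.AuditData | ConvertFrom-Json
        if ($d.Workload -ne 'OneDrive') { continue }
        [pscustomobject]@{
            Time      = $rec.CreationDate
            User      = $d.UserId
            Operation = $d.Operation
            ClientIP  = $d.ClientIP
            UserAgent = $d.UserAgent
            Item      = $d.ObjectId
            Target    = $d.TargetUserOrGroupName   # set on sharing operations only
        }
    }
}

function Get-SyncClientSummary {
    # One row per (user, client IP, user agent): which machines are syncing which accounts.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Where-Object { $_.Operation -in $SyncOps } |
        Group-Object User, ClientIP, UserAgent |
        ForEach-Object {
            [pscustomobject]@{
                Key       = $_.Name
                Events    = $_.Count
                FirstSeen = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
            }
        } | Sort-Object Events -Descending
}

function Get-ExternalSharingSummary {
    # Sharing events whose target address is outside the organization's own domains.
    param([Parameter(Mandatory)][object[]]$Events, [Parameter(Mandatory)][string[]]$InternalDomains)
    $Events | Where-Object { $_.Operation -in $SharingOps -and $_.Target } |
        Where-Object { $t = $_.Target; -not ($InternalDomains | Where-Object { $t -like "*@$_" }) }
}

# Usage (placeholders):
# $ev = Get-OneDriveAuditEvents -Start (Get-Date).AddDays(-7) -End (Get-Date)
# Get-SyncClientSummary -Events $ev | Format-Table -AutoSize
# Get-ExternalSharingSummary -Events $ev -InternalDomains 'contoso.com' | Format-Table Time, User, Operation, Target, Item
```

A sync client summary with an unexpected user agent or an IP range the organization does not own is the practical signal that the domain-join restriction above is not being applied somewhere.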

There is a lot of other great information available – check out some of these other resources:

The Office 365 Trust Center
The OneDrive blog
OneDrive How-To

Lastly, the OneDrive team announced new security capabilities in OneDrive for Business just this week. These new features will help customers govern how their users share files via OneDrive for Business – a key control area that I know many customers are interested in. These new capabilities include:

Limiting external sharing permissions for specific users
Depending on your organization’s policies, it might or might not permit users to share files with external parties. OneDrive for Business already provided a switch for administrators that disabled external sharing for all OneDrive for Business users. Now a new feature gives administrators the ability to disable external sharing permissions for specific individual users. This will help some organizations enforce information sharing policies that apply to specific roles inside their organization. For example, it can be applied to roles who work on information that is classified as confidential – do not share. Once the administrator disables sharing for a user, the user is then informed they can’t share to external parties via OneDrive for Business.

Managing external sharing domains
The OneDrive team is also working on a new feature that will enable administrators to limit which external email domains their users can invite to view or edit shared files. Administrators will be able to configure an “allow list” or a “deny list” of email domains (as seen below) that will help them control who their users can share files with via OneDrive for Business.
Managing external sharing domains.

Auditing external sharing invitations
In cases where policy does permit file/information sharing, some customers will still want the ability to audit the invitations to share files stored in OneDrive for Business that their users send to external parties. Now administrators can enable a feature that will send a blind copy of each invitation email to a dedicated archive mailbox for review.
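As an added example (not the OneDrive team's code), the following script applies the three sharing controls just described through the SharePoint Online Management Shell: a tenant-wide domain allow or deny list, a Bcc of every external sharing invitation to an archive mailbox, and disabling external sharing on specific users' OneDrive site collections. The cmdlet parameters are the current documented ones on Set-SPOTenant and Set-SPOSite (the post predates them); the tenant URL, mailbox, domains and user names are placeholders.

```powershell
# Added example: govern external sharing in OneDrive for Business.
# Requires SharePoint Online Management Shell (Connect-SPOService). All names are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell

function Set-OneDriveSharingGovernance {
    param(
        [Parameter(Mandatory)][string]$AdminUrl,                                   # https://<tenant>-admin.sharepoint.com
        [Parameter(Mandatory)][ValidateSet('AllowList','BlockList')][string]$Mode,
        [Parameter(Mandatory)][string[]]$Domains,                                   # domains allowed or blocked
        [Parameter(Mandatory)][string]$ArchiveMailbox,                              # receives a Bcc of each external invitation
        [string[]]$NoExternalSharingUsers = @()                                     # UPNs whose OneDrive must not share externally
    )
    Connect-SPOService -Url $AdminUrl

    # 1. Tenant-wide domain allow list or deny list for external sharing invitations.
    #    The list parameters take a space-separated string of domain names.
    if ($Mode -eq 'AllowList') {
        Set-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList ($Domains -join ' ')
    } else {
        Set-SPOTenant -SharingDomainRestrictionMode BlockList -SharingBlockedDomainList ($Domains -join ' ')
    }

    # 2. Blind-copy every external sharing invitation to an archive mailbox for review.
    Set-SPOTenant -BccExternalSharingInvitations $true -BccExternalSharingInvitationsList $ArchiveMailbox

    # 3. Per-user: turn external sharing off on selected users' OneDrive site collections.
    #    A OneDrive URL ends in /personal/<UPN with '.' and '@' replaced by '_'>.
    foreach ($upn in $NoExternalSharingUsers) {
        $suffix = '/personal/' + ($upn -replace '[.@]', '_')
        $site = Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '$suffix'"
        if (-not $site) { Write-Warning "No OneDrive site found for $upn"; continue }
        Set-SPOSite -Identity $site.Url -SharingCapability Disabled
    }

    # Return the effective tenant settings so the caller can verify what is enforced.
    Get-SPOTenant | Select-Object SharingCapability, SharingDomainRestrictionMode,
        SharingAllowedDomainList, SharingBlockedDomainList,
        BccExternalSharingInvitations, BccExternalSharingInvitationsList
}

# Usage (placeholders):
# Set-OneDriveSharingGovernance -AdminUrl 'https://contoso-admin.sharepoint.com' -Mode AllowList `
#     -Domains 'partner.example', 'supplier.example' -ArchiveMailbox 'sharing-audit@contoso.com' `
#     -NoExternalSharingUsers 'alice@contoso.com'
```

A site-level SharingCapability can only be as permissive as the tenant setting, so the per-user step restricts further but never overrides the tenant-wide list.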

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

Latest data shows newer versions of Windows have lower malware infection rates than older versions
http://approjects.co.za/?big=en-us/security/blog/2015/05/19/latest-data-shows-newer-versions-of-windows-have-lower-malware-infection-rates-than-older-versions/
Tue, 19 May 2015 19:29:20 +0000

We released the latest volume of the Microsoft Security Intelligence Report last week. The latest data on how different versions of the Windows operating system are mitigating modern malware attacks suggests that newer versions are performing better than older versions.

The figure below illustrates the malware infection rates for Windows client and server operating systems in the third and fourth quarters of 2014 based on data from hundreds of millions of systems worldwide. This data is normalized, meaning the infection rate for each version of Windows is calculated by comparing an equal number of computers per version; for example, comparing 1,000 Windows Vista Service Pack 2 (SP2) based systems to 1,000 Windows 8.1 based systems in the fourth quarter of 2014 we can see 5.2 Windows Vista based systems infected with malware compared to 1.3 Windows 8.1 systems infected. In percentage terms, that’s equivalent to 0.52% of Windows Vista based systems (5.2/1,000*100 = 0.52) compared to 0.13% of Windows 8.1 based systems (1.3/1,000*100) infected with malware.

Figure: Infection rate by client and server operating system in the third and fourth quarters of 2014 (3Q14/4Q14)

The newest versions of both Windows client and server operating systems had the lowest malware infection rates during the period, by a large margin.

Some of the CISOs and IT professionals I talk to use this operating system infection rate data to help make a business case for upgrading to newer, more secure software or deploying more secure service packs for their current platforms. As you can see from the latest data, newer is better across the board.

You can download this data in volume 18 of the Microsoft Security Intelligence Report at http://microsoft.com/sir.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

Latest Microsoft Security Intelligence Report Now Available
http://approjects.co.za/?big=en-us/security/blog/2015/05/14/latest-microsoft-security-intelligence-report-now-available-3/
Thu, 14 May 2015 16:03:16 +0000

Volume 18 of the Microsoft Security Intelligence Report (SIR) is now available at http://microsoft.com/sir.


This volume of the SIR focuses on the second half of 2014 and contains longer term trend data as well. SIR volume 18 contains data, insights and practical guidance on a range of global and regional cybersecurity threats including vulnerability disclosures, malware and unwanted software (including the latest on ransomware), malicious websites such as drive-by download sites, and exploit activity including exploits used in targeted attacks. Deep dives into the threat landscape in over 100 countries/regions are also available.

The “Featured Intelligence” section of the report is on “The life and times of an exploit.” This section explores the increased speed at which some attackers are able to reverse engineer security updates, illustrating the critical need to update systems as quickly as possible once security updates have been published by vendors.

The SIR also contains actionable guidance to help mitigate the threats reported to us from hundreds of millions of systems worldwide. This includes guidance based on the threats that Microsoft’s IT department, MSIT, detects and mitigates in the course of protecting Microsoft’s corporate network, which spans every region of the world.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

ABB Automation & Power World 2015 – Cybersecurity in the evolving threat landscape
http://approjects.co.za/?big=en-us/security/blog/2015/03/12/abb-automation-power-world-2015-cybersecurity-in-the-evolving-threat-landscape/
Thu, 12 Mar 2015 15:41:06 +0000

In early March, I had the fortunate opportunity to speak at the ABB Automation & Power World 2015 conference in Houston, TX. This event is like a “Disneyland” for critical infrastructure providers (CIPs)!

This was my first time attending the bi-annual event and I was blown away by the innovative power and automation technologies that ABB and others had on display on the show floor—everything from electric cars to the latest in robotics.

I was also impressed with the level of interest that so many CIPs had around cybersecurity and the adoption of cloud services. The general session I spoke at had a couple thousand people in attendance. During this lunchtime presentation, I spoke about the impact of cybersecurity in the ever-evolving threat landscape, and how we think the Internet will transform over the next 10 years. I showed the audience how the Microsoft Digital Crimes Unit uses big data analytics to take down botnets, helping make the Internet a safer place for everyone, including CIPs. Markus Braendle, Group Head of Cyber Security at ABB, moderated audience questions and provided his own great industry insights. Questions around the threat landscape, the Internet of Things (IoT), cloud computing, and risk management proved to me that cybersecurity is top of mind for this critical industry.

Key themes I heard from the audience during the session included:

  • How adopting cloud services increases the security protections for most organizations and helps them maintain compliance,
  • The security considerations for IoT,
  • How a risk-based management approach helps minimize the emotions that often accompany security conversations,
  • Best practices for working with security researchers, and
  • Today’s attackers, their evolved motivations, and the difficulty of attribution.

KRBTGT Account Password Reset Scripts now available for customers
http://approjects.co.za/?big=en-us/security/blog/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/
Wed, 11 Feb 2015 21:13:45 +0000

Credential theft and reuse attacks continue to be top of mind for many of the CISOs I have talked to recently. We have discussed this topic several times in the past.

Although pass-the-hash credential theft and reuse attacks aren’t new, more recently security researchers have been focusing on attack methods for Kerberos authentication. Kerberos authentication is achieved by the use of tickets enciphered with a symmetric key derived from the password of the server or service to which access is requested. To request such a session ticket, a special ticket, called the Ticket Granting Ticket (TGT), must be presented to the Kerberos service. The TGT is enciphered with a key derived from the password of the krbtgt account, which is known only by the Kerberos service[i].

A stolen krbtgt account key can wreak havoc on an organization because it can be used to forge TGTs for any account in the domain, so an attacker can appear to be a legitimately authenticated user anywhere in the organization and gain access to sensitive data.

One way to help mitigate the risk of a bad actor using a compromised krbtgt key to forge user tickets is by periodically resetting the krbtgt account password. Resetting this password on a regular basis reduces the useful lifetime of krbtgt keys, in case one or more of them is compromised. Note that domain controllers also accept tickets encrypted with the previous krbtgt key, so a single reset leaves tickets forged with the old key usable; retiring that key requires a second reset after the first one has replicated and outstanding tickets have expired.

Today we are sharing the krbtgt account password reset script and associated guidance that will enable customers to interactively reset and validate replication of the krbtgt account keys on all writable domain controllers in the domain. By providing this script and associated guidance, we hope to help customers perform the reset in a way which reduces the likelihood of authentication errors caused by delayed distribution of the new krbtgt account keys in their environment.

The Reset-KrbtgtKeyInteractive-v1.4 script enables customers to:

  1. Perform a single reset of the krbtgt account password (it can be run multiple times for subsequent resets).
  2. Validate that all writable DCs in the domain have replicated the keys derived from the new password, so they are able to begin using the new keys.

The krbtgt account password reset script guide includes detailed information on how to use the reset script and its three modes (Informational, Estimation, and Reset) and offers:

  1. A step-by-step list of tasks associated with performing the krbtgt account password reset.
  2. Information for customers wishing to invalidate all existing TGTs by performing a double reset of the krbtgt account secret during a comprehensive Active Directory recovery.

We’ve also provided a detailed guide which helps system administrators understand the required tasks, impact to the organization, schedule and timeline, and other considerations. Together, this combination covers necessary tasks, tests, and validations that should be performed before and after the reset.
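As an added example (this is not Microsoft's Reset-KrbtgtKeyInteractive script), the following shows the two parts of the procedure described above in plain ActiveDirectory-module PowerShell: reset the krbtgt password on the PDC emulator, push the change to every other writable domain controller, and verify that all of them report the same pwdLastSet before a second reset is considered. It assumes the RSAT ActiveDirectory module, Domain Admin rights, and the default Kerberos policy maximum TGT lifetime of 10 hours (read the real value from your Default Domain Policy); the safety check refuses a second reset sooner than that so tickets issued under the previous key are not cut off.

```powershell
# Added example: reset the krbtgt password and confirm every writable DC has the new key.
# Not the Microsoft Reset-KrbtgtKeyInteractive script. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Assumption: default Kerberos policy. A TGT lives at most 10 hours, and DCs still honour
# tickets under the previous krbtgt key, so two resets closer together than this break
# valid sessions. Read the real value from the Default Domain Policy if it was changed.
$MaxTgtLifetimeHours = 10

function Get-KrbtgtKeyState {
    # pwdLastSet of krbtgt as seen by each writable DC. Until replication completes,
    # DCs that still hold the old key will show an older value.
    $pdc = (Get-ADDomain).PDCEmulator
    $dcs = Get-ADDomainController -Filter { IsReadOnly -eq $false } -Server $pdc
    foreach ($dc in $dcs) {
        $u = Get-ADUser -Identity 'krbtgt' -Properties pwdLastSet, PasswordLastSet -Server $dc.HostName
        [pscustomobject]@{
            DomainController = $dc.HostName
            PwdLastSet       = $u.pwdLastSet        # raw FILETIME, exact for comparison
            PasswordLastSet  = $u.PasswordLastSet   # human-readable
        }
    }
}

function Test-KrbtgtResetSafe {
    # True only if the newest reset any DC knows about is older than the TGT lifetime.
    param([int]$MinHours = $MaxTgtLifetimeHours)
    $newest = (Get-KrbtgtKeyState | Sort-Object PasswordLastSet -Descending | Select-Object -First 1).PasswordLastSet
    return ((Get-Date) - $newest).TotalHours -ge $MinHours
}

function Reset-KrbtgtPassword {
    param([switch]$Force)   # -Force skips the lifetime check; only for a deliberate recovery double reset
    if (-not $Force -and -not (Test-KrbtgtResetSafe)) {
        throw "Last krbtgt reset is younger than $MaxTgtLifetimeHours hours; wait before resetting again."
    }
    $pdc = (Get-ADDomain).PDCEmulator

    # AD generates its own random password for krbtgt regardless of the value supplied,
    # so this only has to be a syntactically valid, unguessable string.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity 'krbtgt' -Reset -NewPassword $pw -Server $pdc

    # Push the object from the PDC to every other writable DC instead of waiting for
    # the replication schedule, then require all DCs to agree on pwdLastSet.
    $krbtgtDn = (Get-ADUser -Identity 'krbtgt' -Server $pdc).DistinguishedName
    Get-ADDomainController -Filter { IsReadOnly -eq $false } -Server $pdc |
        Where-Object { $_.HostName -ne $pdc } |
        ForEach-Object { Sync-ADObject -Object $krbtgtDn -Source $pdc -Destination $_.HostName }

    $state = @(Get-KrbtgtKeyState)
    $distinct = @($state.PwdLastSet | Sort-Object -Unique).Count
    if ($distinct -ne 1) {
        $state | Format-Table -AutoSize | Out-String | Write-Warning
        throw "krbtgt pwdLastSet differs across $distinct DC views; do not perform a second reset yet."
    }
    return $state
}

# Usage: run once now, and again at least $MaxTgtLifetimeHours later to retire the previous key.
# Reset-KrbtgtPassword
```

Read-only domain controllers are deliberately excluded: each RODC has its own krbtgt_NNNNN account and key, and the domain krbtgt reset does not change them.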

It is important to remember that resetting the krbtgt account password is only one part of a recovery strategy and alone will likely not prevent a previously successful attacker from obtaining unauthorized access to a compromised environment in the future. We strongly advise that customers create a comprehensive recovery plan using guidance found in Mitigating Pass-the-Hash and Other Credential Theft, version 2.

[i] https://technet.microsoft.com/en-us/library/cc733924(v=ws.10).aspx

Your Antivirus protection has expired. So what? You might be surprised. Microsoft’s new cybersecurity report explains.
http://approjects.co.za/?big=en-us/security/blog/2014/11/12/your-antivirus-protection-has-expired-so-what-you-might-be-surprised-microsofts-new-cybersecurity-report-explains/
Wed, 12 Nov 2014 14:02:36 +0000

When you buy a new computer, often it will come pre-installed with software provided by the manufacturer. This is commonly done by software providers as a way to entice people to try their products before they buy. One of the most common types of software that comes pre-installed on computers is antivirus or antimalware protection (also known as security software). Typically this protection is provided for free during a 30, 60, or 90 day trial period. Once expired, the customer has the option to purchase a subscription that will keep the security software up-to-date. Should they decline to purchase, the security software will continue to operate; however, it will not receive updates for new threats that are discovered. So what’s the problem with this approach? Our latest Security Intelligence Report explains.

It might be tempting to think that running expired software might continue to provide an adequate level of protection. If only this were true. The reality is that systems that run expired security software are generally only slightly more protected against infections than those that don’t run any security software at all.

The chart below, from the latest Microsoft Security Intelligence Report, helps illustrate this point. From the chart, we can see that systems that run expired security software are four times more likely to be infected with malware than those running up-to-date security software. Furthermore, there was only a 0.2 percentage point difference in the infection rate between systems that were not running security software and those that had expired security software.


Figure: Infection rates for non-domain computers running Windows 8 and Windows 8.1 with and without adequate up-to-date security software, through the first half of 2014

A little over a year ago, I published a blog post titled “Antivirus Software is Dead…Really?” I published it because time and time again, I would attend security conferences and hear experts claim that antivirus is not effective at helping protect systems. This data was intended to cut through the noise and help dispel that myth.

The data shows us that the vast majority of cases where computers were reporting expired antivirus software were on non-domain joined systems, a configuration that consumer systems typically have. Of the non-domain systems analyzed, 9.3% were running expired antivirus software.

Addressing the problem
In light of this information, we encourage people to verify that they are running up-to-date security software on their system. If they aren’t, there are many different free or paid options available. Microsoft also provides free security software to consumers called Microsoft Security Essentials. If you are running Windows 8 or Windows 8.1, then security software, called Windows Defender, is installed by default.  It will run automatically, unless your system was pre-loaded with another vendor’s trial security software.

The purpose of the Microsoft Security Intelligence Report is to provide our customers with the most comprehensive view into the threat landscape so that they can better manage risk. For more information on the latest threat trends, I encourage you to download the latest report at www.microsoft.com/sir.

Microsoft Antimalware for Azure Cloud Services and Virtual Machines now Available for Free
http://approjects.co.za/?big=en-us/security/blog/2014/11/03/microsoft-antimalware-for-azure-cloud-services-and-virtual-machines-now-available-for-free/
Mon, 03 Nov 2014 21:25:02 +0000

Microsoft Antimalware for Azure Cloud Services and Virtual Machines is now generally available for Microsoft Azure customers. This new security extension for Microsoft Azure provides an additional layer of security by helping to identify, block and remove malicious software on virtual machines managed by Azure customers. It provides real-time protection from the latest threats, on-demand scanning, and monitoring, at no additional charge to Microsoft Azure customers. Customers can select the Microsoft Antimalware security extension when creating a virtual machine, and can configure the service programmatically for virtual machines and cloud services using APIs/PowerShell.


Antimalware events are logged to the customer’s Azure Storage account when configured with Azure Diagnostics and can be piped to HDInsight or an SIEM for further analysis. More information is available in the Microsoft Antimalware Whitepaper.
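As an added example (not code from the original post), the script below enables the antimalware extension on a virtual machine with an explicit configuration and then checks that it actually provisioned. The 2014 post predates the Az module, so this uses the current Set-AzVMExtension cmdlet with the IaaSAntimalware extension's public settings schema as documented today; the resource group, VM and location names are placeholders, and the day/time encoding for the scheduled scan is an assumption noted in the comments.

```powershell
# Added example: deploy Microsoft Antimalware to an Azure VM via the Az module and verify it.
# Requires Az.Compute and an authenticated session (Connect-AzAccount). Names are placeholders.
Import-Module Az.Compute

function New-AntimalwareSettings {
    # Builds the extension's public settings as JSON. Without -Hardened, the output is
    # the weak shape to avoid (real-time protection off, no scheduled scan); it is kept
    # here only for contrast when reviewing existing deployments.
    param([switch]$Hardened)
    $settings = @{
        AntimalwareEnabled        = $true
        RealtimeProtectionEnabled = [bool]$Hardened
        ScheduledScanSettings     = @{
            isEnabled = [bool]$Hardened
            day       = 7          # assumption from the extension docs: 0 = daily, 1..7 = Sun..Sat
            time      = 120        # minutes after midnight (02:00)
            scanType  = 'Quick'
        }
        Exclusions = @{
            Extensions = ''        # keep exclusions empty unless justified: they are where malware hides
            Paths      = ''
            Processes  = ''
        }
    }
    return ($settings | ConvertTo-Json -Depth 5)
}

function Enable-AzVMAntimalware {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$Location
    )
    $json = New-AntimalwareSettings -Hardened
    Set-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -Location $Location `
        -Name 'IaaSAntimalware' -Publisher 'Microsoft.Azure.Security' -ExtensionType 'IaaSAntimalware' `
        -TypeHandlerVersion '1.3' -SettingString $json | Out-Null

    # Confirm the extension reached a terminal state instead of assuming the call succeeded.
    $ext = Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -Name 'IaaSAntimalware'
    if ($ext.ProvisioningState -ne 'Succeeded') {
        throw "Antimalware extension on $VMName is in state '$($ext.ProvisioningState)'."
    }
    return $ext
}

# Usage (placeholders):
# Enable-AzVMAntimalware -ResourceGroupName 'rg-prod' -VMName 'web01' -Location 'eastus'
```

Because the settings are ordinary JSON, the same function can be used to audit a fleet: compare each VM's current extension settings with the hardened output and flag any where real-time protection is off or exclusions are populated.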

Industry Vulnerability Disclosures Trending Up
http://approjects.co.za/?big=en-us/security/blog/2014/09/03/industry-vulnerability-disclosures-trending-up/
Wed, 03 Sep 2014 09:31:00 +0000
A vulnerability disclosure, as the term is used in the Microsoft Security Intelligence Report, is the revelation of a software vulnerability to the public at large. Disclosures can come from a variety of sources, including publishers of the affected software, security software vendors, independent security researchers, and even malware creators.

The vulnerability disclosure data in the Security Intelligence Report is compiled from vulnerability disclosure data that is published in the National Vulnerability Database (NVD). This database is the US government’s repository of standards-based vulnerability management data. The NVD represents all disclosures that have a published Common Vulnerabilities and Exposures (CVE) identifier.

Industry-wide vulnerability disclosures trending upwards
Figure 1 illustrates the vulnerability disclosure trend across the entire industry since 2011. Between 2011 and the end of 2013 vulnerability disclosure counts ranged from a low of 1,926 in the second half of 2011 to a high of 2,588 in the first half of 2012; there were more than 4,000 vulnerability disclosures across the entire industry each year during this period. For additional context, the peak period for industrywide vulnerability disclosures was 2006-2007 when 6,000 – 7,000 vulnerabilities were disclosed each year. Vulnerability disclosures across the industry in the second half of 2013 (2H13) were up 6.5 percent from the first half of the year, and up 12.6 percent from the second half of 2012.

Not all vulnerabilities are equal – there are differences in severity and access complexity.

Vulnerability severity trends
The Common Vulnerability Scoring System (CVSS) is a standardized, platform-independent scoring system for rating IT vulnerabilities. The CVSS base metric assigns a numeric value between 0 and 10 to vulnerabilities according to severity, with higher scores representing greater severity. In general, mitigating the most severe vulnerabilities first is a security best practice.

Vulnerabilities that scored 9.9 or greater represented 6.2 percent of all vulnerabilities disclosed in the second half of 2013, as Figure 3 illustrates. This percentage represents a significant decrease from the first half of the year, when vulnerabilities that scored 9.9 or greater accounted for 12.4 percent of all vulnerabilities. Vulnerabilities that scored between 7.0 and 9.8 increased to 25.3 percent in the second half of 2013 from 24.4 percent in the first half of the year. Medium severity vulnerability disclosures increased 19.1 percent between the first half and second half of 2013, and accounted for 59.3 percent of total disclosures in the second half of the year.

Vulnerability access complexity trends
Some vulnerabilities are easier to exploit than others. The severity buckets above do not show this directly, because the CVSS base score folds access complexity together with the other exploitability and impact metrics into a single number. Vulnerability complexity is an important factor to consider in determining the magnitude of the threat that a vulnerability poses: a high-severity vulnerability that can only be exploited under very specific and rare circumstances might require less immediate attention than a lower-severity vulnerability that can be exploited more easily.

The CVSS (version 2) Access Complexity metric rates each vulnerability as Low, Medium, or High. Figure 4 shows complexity trends for vulnerabilities disclosed since the first half of 2011 (1H11). Note that Low complexity in Figure 4 indicates greater risk, just as High severity indicates greater risk.

Disclosures of those vulnerabilities that are the easiest to exploit, low-complexity vulnerabilities, accounted for 43.5 percent of all disclosures in the second half of 2013, a decrease from 52.9 percent in the first half of the year. Disclosures of medium-complexity vulnerabilities accounted for 51.9 percent of all disclosures in the second half of 2013, an increase from 41.9 percent in the first half of the year. Disclosures of high-complexity vulnerabilities decreased to 4.6 percent of all disclosures in the second half of 2013, down from 5.3 percent in the first half of the year.

Operating system, browser, and application vulnerabilities
Comparing operating system vulnerabilities with vulnerabilities in other components requires deciding whether a particular program or component should be considered part of an operating system. This determination is not always simple and straightforward, given the componentized nature of modern operating systems. Some programs (media players, for example) ship by default with some operating system software but can also be downloaded from the software vendor’s website and installed individually. Linux distributions, in particular, are often assembled from components developed by different teams, many of which provide crucial operating functions such as a graphical user interface (GUI) or Internet browsing.

To facilitate analysis of operating system and browser vulnerabilities, the Microsoft Security Intelligence Report distinguishes among four kinds of vulnerabilities, based on the Common Platform Enumeration (CPE) product entries the NVD attaches to each CVE (“/o” marks an operating system entry, cpe:/o:…, and “/a” marks an application entry, cpe:/a:…):

  • Core operating system vulnerabilities are those with at least one operating system product enumeration (“/o”) in the NVD that do not also have any application product enumerations (“/a”).
  • Operating system application vulnerabilities are those with at least one /o product enumeration and at least one /a product enumeration listed in the NVD, except as described in the next bullet point.
  • Browser vulnerabilities are those that affect components defined as part of a web browser, including web browsers such as Internet Explorer and Apple’s Safari that ship with operating systems, along with third-party browsers such as Mozilla Firefox and Google Chrome.
  • Other application vulnerabilities are those with at least one /a product enumeration in the NVD that do not have any /o product enumerations, except as described in the previous bullet point.

Using these categories, disclosures in the second half of 2013 (2H13) broke down as follows:

  • Vulnerabilities in applications other than web browsers and operating system applications increased 34.4 percent in 2H13 and accounted for 58.1 percent of total disclosures for the period.
  • Operating system vulnerabilities increased 48.1 percent in 2H13, moving from last place to second among the four categories, and accounted for 17.6 percent of total disclosures for the period.
  • After reaching a high point in 1H13, operating system application vulnerabilities decreased 46.3 percent in 2H13 and accounted for 14.7 percent of total disclosures for the period.
  • Browser vulnerability disclosures decreased 28.1 percent in 2H13 and accounted for 9.6 percent of total disclosures for the period.
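The three pivots described above (severity buckets, access complexity, and the four CPE-derived product categories) can be reproduced over NVD-style records with a few lines of code. The following is an added Python example, not code from the report or from Microsoft. It runs on a small constructed set of records: the EXAMPLE-nnnn labels, vendors, products and scores are made up for illustration. Two details the page does not state are assumptions: the Medium (4.0–6.9) and Low (below 4.0) cut points follow the usual CVSS v2 qualitative ranges, and a browser is recognised by matching the vendor:product pair of its CPE entry against the browsers the report names.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    """One NVD-style disclosure record (constructed for this example)."""
    cve: str                # placeholder label, not a real CVE identifier
    period: str             # SIR half-year label, e.g. "1H13" or "2H13"
    cvss: float             # CVSS v2 base score, 0.0 to 10.0
    access_complexity: str  # CVSS v2 Access Complexity: "LOW", "MEDIUM" or "HIGH"
    cpes: tuple             # CPE names as NVD lists them, e.g. "cpe:/o:vendor:os:1.0"


# Assumption: a browser vulnerability is one whose CPE entries include any of
# these vendor:product pairs (the browsers the report itself names).
BROWSER_PRODUCTS = {
    "microsoft:internet_explorer", "apple:safari",
    "mozilla:firefox", "google:chrome",
}


def _cpe_fields(cpe):
    """Return (part, vendor, product) from a CPE 2.2 or CPE 2.3 name."""
    f = cpe.split(":")
    if f[0] != "cpe":
        raise ValueError(f"not a CPE name: {cpe!r}")
    if f[1] == "2.3" and len(f) >= 5:      # cpe:2.3:<part>:<vendor>:<product>:...
        return f[2], f[3], f[4]
    if f[1].startswith("/") and len(f) >= 4:  # cpe:/<part>:<vendor>:<product>:... (NVD's 2013 form)
        return f[1].lstrip("/"), f[2], f[3]
    raise ValueError(f"malformed CPE name: {cpe!r}")


def cpe_part(cpe):
    """'o' (operating system), 'a' (application) or 'h' (hardware)."""
    return _cpe_fields(cpe)[0]


def cpe_vendor_product(cpe):
    _, vendor, product = _cpe_fields(cpe)
    return f"{vendor}:{product}"


def severity_bucket(score):
    """Severity buckets of the report's Figure 3 (Medium/Low ranges assumed)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 9.9:
        return "9.9+"
    if score >= 7.0:
        return "7.0-9.8"
    if score >= 4.0:
        return "Medium"
    return "Low"


def classify(vuln):
    """Apply the report's four categories; browsers take precedence."""
    if any(cpe_vendor_product(c) in BROWSER_PRODUCTS for c in vuln.cpes):
        return "Browser"
    parts = {cpe_part(c) for c in vuln.cpes}
    if "o" in parts and "a" not in parts:
        return "Core OS"
    if "o" in parts and "a" in parts:
        return "OS application"
    if "a" in parts:
        return "Other application"
    return "Uncategorised"   # hardware-only (/h) entries fall outside the scheme


def counts_by(vulns, label):
    """Disclosure counts per period, keyed by label(vuln)."""
    counts = defaultdict(Counter)
    for v in vulns:
        counts[v.period][label(v)] += 1
    return counts


def shares(vulns, label):
    """Each label's share of its period's disclosures, in percent to 0.1."""
    return {period: {k: round(100.0 * n / sum(c.values()), 1) for k, n in c.items()}
            for period, c in counts_by(vulns, label).items()}


def percent_change(old, new):
    """Half-over-half change in a count, as the report states it."""
    if old == 0:
        raise ValueError("no baseline to compare against")
    return round(100.0 * (new - old) / old, 1)


# Constructed sample; every identifier, product and score is illustrative.
SAMPLE = (
    Vuln("EXAMPLE-0001", "1H13", 10.0, "LOW", ("cpe:/o:microsoft:windows_7:-",)),
    Vuln("EXAMPLE-0002", "1H13", 9.3, "MEDIUM", ("cpe:/a:oracle:jre:1.7.0", "cpe:/o:microsoft:windows_xp:-")),
    Vuln("EXAMPLE-0003", "1H13", 4.3, "MEDIUM", ("cpe:/a:mozilla:firefox:22.0",)),
    Vuln("EXAMPLE-0004", "1H13", 5.0, "LOW", ("cpe:/a:example_vendor:webapp:2.1",)),
    Vuln("EXAMPLE-0005", "1H13", 2.1, "HIGH", ("cpe:/h:example_vendor:router:-",)),
    Vuln("EXAMPLE-0006", "1H13", 7.5, "LOW", ("cpe:/a:example_vendor:cms:3.0",)),
    Vuln("EXAMPLE-0007", "2H13", 9.9, "LOW", ("cpe:/o:linux:linux_kernel:3.8",)),
    Vuln("EXAMPLE-0008", "2H13", 6.8, "MEDIUM", ("cpe:2.3:a:google:chrome:31.0:*:*:*:*:*:*:*",
                                                 "cpe:2.3:o:microsoft:windows_8:-:*:*:*:*:*:*:*")),
    Vuln("EXAMPLE-0009", "2H13", 7.2, "LOW", ("cpe:/o:apple:mac_os_x:10.9", "cpe:/a:apple:quicktime:7.7")),
    Vuln("EXAMPLE-0010", "2H13", 5.0, "MEDIUM", ("cpe:/a:example_vendor:webapp:2.2",)),
    Vuln("EXAMPLE-0011", "2H13", 4.0, "MEDIUM", ("cpe:/a:example_vendor:erp:1.0",)),
    Vuln("EXAMPLE-0012", "2H13", 10.0, "LOW", ("cpe:/a:adobe:flash_player:11.9", "cpe:/o:google:android:4.4")),
    Vuln("EXAMPLE-0013", "2H13", 3.5, "HIGH", ("cpe:/a:example_vendor:library:0.9",)),
)


def report(vulns, old="1H13", new="2H13"):
    """The pivots the report draws: category share and change, severity, complexity."""
    cats = counts_by(vulns, classify)
    return {
        "category_share": shares(vulns, classify),
        "category_change": {k: percent_change(cats[old][k], cats[new][k])
                            for k in cats[old] if k in cats[new]},
        "severity_share": shares(vulns, lambda v: severity_bucket(v.cvss)),
        "complexity_share": shares(vulns, lambda v: v.access_complexity),
    }


if __name__ == "__main__":
    for name, table in report(SAMPLE).items():
        print(name, table)
```

Running the file prints the four tables for the constructed sample; the percentages are of course those of the sample, not the report's figures. The order of checks in classify matters: a CVE that lists both a browser and an operating system (EXAMPLE-0008) is counted as a browser vulnerability, not an operating system application vulnerability, which is the "except as described in the next bullet point" rule in the definitions above. A category that disappears between periods (the hardware-only record) is skipped in category_change rather than reported as a 100 percent decrease.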

Microsoft vulnerability disclosures
Microsoft vulnerability disclosures remained mostly stable, increasing from 174 disclosures in 1H13 to 177 in 2H13, an increase of 1.7 percent. Microsoft’s share of all disclosures across the industry fell slightly over the same period, from 7.3 percent of industrywide disclosures in 1H13 to 7.0 percent in 2H13, because disclosures from other software publishers grew faster. This data highlights the importance of keeping all software up to date, not just Microsoft software.

Microsoft has been able to maintain relatively low vulnerability disclosure counts by using the Microsoft Security Development Lifecycle (SDL), a software development methodology and toolset that is mandatory for all Microsoft products and services. In fact, Microsoft’s SDL reached its 10-year milestone this year. If you’d like more details on this story, check out an article we recently published called “The Secret of the SDL.”

Another interesting pivot on vulnerability data is examining which vulnerabilities actually get exploited by attackers. Data on exploitation is typically much harder to get than vulnerability disclosure data, which is why many people try to use disclosure counts as a type of proxy for what’s happening in the threat landscape. A recently published study on exploit activity tells us that most vulnerabilities in Microsoft software can’t be exploited, for a number of reasons. I published a series of articles, based on this new research that Microsoft’s Security Science team conducted, on vulnerability exploitation; they help us understand the what, who, when, and how of exploitation.

What vulnerabilities attackers are trying to exploit most often:
Keeping Oracle Java updated continues to be high security ROI

Who exploits vulnerabilities first:
Who Exploits Vulnerabilities: the Path from Disclosure to Mass Market Exploitation

When vulnerabilities get exploited:
When Vulnerabilities are Exploited: the Timing of First Known Exploits for Remote Code Execution Vulnerabilities

How are vulnerabilities being exploited:
How Vulnerabilities are Exploited: the Root Causes of Exploited Remote Code Execution CVEs

Tim Rains
Director
Trustworthy Computing

The post Industry Vulnerability Disclosures Trending Up appeared first on Microsoft Security Blog.
