SEC 203
Traditional approaches vs. contemporary attacks
How have bad-guy methods changed?
What motivates them now?
Traditional: large global events; massive worms; making headlines
Contemporary: identity theft, financial fraud; spyware; exploit enterprises; making money (identity theft, spamming, extortion, phishing)
Malware becomes more sophisticated
Increasingly sophisticated: poly- and metamorphic; evading anti-virus software; act as vulnerability assessment tools; use search engines for reconnaissance
Better targeting: don't advertise presence; attacks are useful for longer times; vulnerabilities have street value
Common to modify existing proven attack code: more variants of successful worms; might result in new and hidden entry points
Criminals hire attackers; criminals reuse their code
Huge market in unknown vulnerabilities; capitalizing on shrinking window of exposure
Direct losses
$13,000: grows with frequency, extent, severity (FBI 2005 Computer Crime Survey)
$83,000: small company, modest infection (Counterpane Internet Security)
$millions
Indirect losses
$?: reputation, customer trust (Counterpane Internet Security and MessageLabs)
[Chart 1 (source: Counterpane Internet Security and MessageLabs), industries shown: Financial services, banking; Materials, manufacturing; Entertainment, media; Pharmaceutical, healthcare; Travel, transportation]
[Chart 2 (source: Counterpane Internet Security and MessageLabs), industries shown: Financial services, banking; Pharmaceutical, healthcare; Insurance, real estate; Travel, transportation; Retail, wholesale]
[Chart 3 (source: Counterpane Internet Security and MessageLabs), industries shown: Pharmaceuticals, healthcare; Insurance, real estate; Utilities, power, energy; Retail, wholesale; Materials, manufacturing]
[Chart 4 (source: Counterpane Internet Security and MessageLabs), industries shown: Insurance, real estate; Pharmaceuticals, healthcare; Materials, manufacturing; Retail, wholesale; Government, education]
An economic opportunity lurks inside every security problem
Learn how to express security issues in economic terms
Look for ways to shift the balance in your favor
$72,000 User annual salary
260 Working days per year
2 Time to fix (hours)
2 People involved (user, tech)
$72,000 / 260 days / 8 hours per day × 2 people × 2 hours ≈ $138
1,000 Employees in organization
5% Infection rate, per month
(1000 × 5%) × 12 × $138 = $82,800
Network World Magazine
$600 Hourly rate for a partner
260 Working days per year
2 Time to fix (hours)
1 Partner
($600 × 2080) / 260 days / 8 hours per day × 1 partner × 2 hours = $1200
1,000 Employees in organization
5% Infection rate, per month
(1000 × 5%) × 12 × $1200 = $720,000
Network World Magazine
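The two worked cases above (the $72,000 user and the $600/hour partner) as one reusable cost-of-infection model. This is an added example, not code from the original deck; Role, incident_cost, annual_cost and breakeven_rate are hypothetical helper names, and the break-even function goes one step beyond the slides.

```python
"""Cost-of-infection model generalized from the two slide cases (added example).
Inputs per role: annual salary or hourly rate, working days, hours per day."""
from dataclasses import dataclass

HOURS_PER_DAY = 8


@dataclass(frozen=True)
class Role:
    name: str
    annual_salary: float      # annual cost of one person in this role
    working_days: int = 260   # working days per year, as on the slides

    @classmethod
    def from_hourly(cls, name, hourly_rate, working_days=260):
        # Annual cost = hourly rate x (working days x hours per day); 260 x 8 = 2080
        return cls(name, hourly_rate * working_days * HOURS_PER_DAY, working_days)

    def hourly_rate(self):
        return self.annual_salary / self.working_days / HOURS_PER_DAY


def incident_cost(role, people, hours):
    """Cost of one infection: everyone involved is charged at the role's hourly
    rate for the whole fix time. Rounded to whole dollars like the slides."""
    return round(role.hourly_rate() * people * hours)


def annual_cost(employees, monthly_infection_rate, cost_per_incident):
    """Infections per month x 12 months x cost of each incident."""
    incidents_per_year = employees * monthly_infection_rate * 12
    return incidents_per_year * cost_per_incident


def breakeven_rate(employees, annual_control_cost, cost_per_incident):
    """Monthly infection rate above which a control that costs
    annual_control_cost per year is cheaper than tolerating the infections."""
    return annual_control_cost / (employees * 12 * cost_per_incident)


if __name__ == "__main__":
    user = Role("user", 72_000)                    # slide 1: salaried user + tech
    partner = Role.from_hourly("partner", 600)     # slide 2: $600/hour partner
    print(incident_cost(user, people=2, hours=2))  # 138
    print(annual_cost(1000, 0.05, 138))            # 82800.0
    print(incident_cost(partner, people=1, hours=2))  # 1200
    print(annual_cost(1000, 0.05, 1200))           # 720000.0
```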
[Charts (source: Postini)]
“Our first program pays you $0.50 for every validated free-trial registrant your website sends to [bleep]. Commissions are quick and easy because we pay you when people sign up for our three-day free-trial. Since [bleep] doesn't require a credit card number or outside verification service to use the free trial, generating revenue is a snap.
The second program we offer is our pay per sign-up plan. This program allows you to earn a percentage on every converted (paying) member who joins [bleep]. You could make up to 60% of each membership fee from people you direct to join the site.
Lastly, [bleep] offers a two tier program in addition to our other plans. If you successfully refer another webmaster to our site and they open an affiliate account, you begin earning money from their traffic as well! The second tier pays $0.02 per free-trial registrant or up to 3% of their sign-ups.”
SoBig spammed 100,000,000 mailboxes. What if…
10% read the email and clicked the link: 10,000,000
1% signed up for a three-day trial: 100,000 × $0.50 = $50,000
1% enrolled for 1 year: 1,000 × $144 = $144,000
Would you do it???
http://research.microsoft.com/research/sv/PennyBlack/
Consider a 10,000-member botnet
Attack                      Requests/bot    Botnet total     Resource exhausted
Bandwidth flood (uplink)    186 kbps        1.86 Gbps        T1, T3, OC-3, OC-12
Bandwidth flood (downlink)  450 kbps        4.5 Gbps         T1, T3, OC-3, OC-12, OC-48 (2.488 Gbps); 50% of Taiwan/US backbone
SYN flood                   450 SYNs/sec    4.5M SYNs/sec    4 dedicated Cisco Guard ($90k) or 20 tuned servers
Static http get (cached)    93/sec          929,000/sec      15 servers
Dynamic http get            93/sec          929,000/sec      310 servers
SSL handshake               10/sec          100,000/sec      167 servers
Low interest rates!
Gimme credit cards!
Extend your penis!
Get a better job!
Cheap movie tickets!
18 months Duration of scam
10,000,000 Minutes fraudulently sold
$20,000 Paid to buddy
15 VoIP providers attacked
$300,000 Interconnect charges providers had to pay
How Edwin spent his takings, until…
Lavishly
Failed to meet bond conditions and fled
35 years Prison time
$1,250,000 Fines
Security vs. usability
Security vs. usability vs. cost
Is the security worth the cost?
Secure, usable, cheap: you get to pick any two!
Personal security
Event/city security
National security
Aviation security
Information security
Claim: protects you from gunshot death
Costs
Weight
Comfort
Convenience
Lack of style
Risk + likelihood: very low
Analysis
Risk not worth the cost
Claim: talking to strangers is dangerous
Costs
Fear of asking for help
Default stance of distrust
Reduction in civil society
Risk + likelihood: quite low
Analysis
More children will suffer
Claim: watch crowds everywhere, find criminals
Costs
Money
Privacy
High error rate
Risk + likelihood: questionable
Analysis
Did the costs actually help find criminals?
Tampa: no
Claim: protect United States from terrorists
Costs
Money
Lives
American reputation
Personal freedoms and liberties
Risk + likelihood: extremely low
Analysis
Did we get the most security possible, given the costs?
Is there any return in exchange for liberties?
Claim: identity + inspection = intent
Costs
Privacy (plus embarrassment)
Time (plus convenience)
Restrictions (liquids, pointy things)
Liberties (guilty first, massive profiling databases)
Money
Risk + likelihood: low
Analysis
Does any of it actually make airplanes more secure?
Can you pick bad guys out of a crowd?
Transmission x-ray
Backscatter x-ray
Passive-millimeter wave scanner
Will you exchange these?
Performance
Freedom and location of access
Ease or frequency of use
Portability
Time
Cost
Privacy
Passwords: remembering vs. writing down
RFID: inventory tracking vs. monitoring locations
System config: locked down vs. wild and free
Access control: strict vs. loose
Encryption: privacy vs. loss
Email: availability vs. integrity
Security admin vs. network admin
Security staff vs. executive management 
Seems to be effective…
Screen recorders
Steal session after logon
Capture credentials from HTTP stream before SSL encryption
Hassle factor: forces user to select a short password
So maybe it’s less secure!
Not worth the tradeoff—slow and clunky
Addresses symptom (stolen credential) vs. root cause (malware)
Threat scenario is too specific
Have a private face-to-face conversation?
Drive from A to B without anyone knowing?
Fly?
Be totally invisible in a crowd?
But still leave your cell phone turned on?
Make purchases without revealing your identity?
Online?
Embed tracking devices in pets?
In people?
Surf the Internet anonymously?
Send email anonymously?
Yes
When threats are visible, obvious, immediate, recent
But common threats we forget about
No
When threats are invisible, nonobvious, delayed, historical
But rare threats we tend to hype
Don’t spend more on mitigation than the asset is worth!
Don’t destroy the asset in the process
Some risks you have to tolerate
Make the loss cost less
Transfer risk to someone else
Or simply ignore
Should you apply the patch?
Did you make that setting?
Did you get rid of Wintendo?
How did you configure the firewall?
What’s the ACL?
Risk management deals with threats
“We have to enable NTLMv2”
“Another patch? Let’s switch platforms”
“Another patch? OK, deploy it”
“All systems should be secure by default”
Every environment is unique
The risks differ for each environment
Risk tolerance differs
Products are designed based on assumptions
No product provides optimal security
Lemma: You cannot design an optimal security strategy without a thorough understanding of the usage and risks
[Matrix: Risk (High/Low) against Asset Value (High/Low), with the quadrants labelled “Yes! We worry!” and “What? Me worry?”]
Data
Application
Host
Internal network
Perimeter
Physical security
People, policies, and process
Physical: Where is the asset? How is access obtained?
Public area: available during business hours
Employee-only: card-key readers
Controlled: card-key, PIN, and palm print
Network: Access from where? How to authenticate?
Wired corpnet: domain logon (human and PC)
Wireless corpnet: domain logon plus certificates (human and computer)
VPN: domain logon, smartcard, quarantine
Kiosks: disallowed
Internet: disallowed except from corp PC
Primary factors
Overall value to the organization: web site, runs 24/7, $2,000/hr revenue; annual value $17,520,000
Immediate financial impact of loss: unavailable for six hours = 0.0685% of the year; –$12,000
(Example ignores time of day, day of week, season, marketing campaigns)
Indirect business impact of loss: attack costs $10,000 to counteract negative publicity, plus 1% lost annual sales ($175,200); –$185,200
Applying every patch is typically a poor strategy
Irritate end users
Burnout patch management team
Some patches are more important than others
Scrutinize the Mitigating Factors section of the bulletin
Understand the risk equation and the burden curve
Risk ≈ (Access × Value) / Difficulty
Where:
Access = Degree of access to an asset that an attacker could gain via the vulnerability
Value = Value of the asset
Difficulty = Difficulty of carrying out a successful attack
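The web-site asset figures and the risk equation above, worked as code so the numbers can be rerun for other assets. This is an added example, not from the original deck; the 1 to 3 scales for Access and Difficulty, the Vulnerability type and the two findings it ranks are assumptions for illustration.

```python
"""Asset value, outage loss and Risk ~ Access * Value / Difficulty (added example)."""
from dataclasses import dataclass

HOURS_PER_YEAR = 24 * 365  # the slide's asset runs 24/7: 8,760 hours


def annual_value(revenue_per_hour):
    """Overall value to the organization: hourly revenue over a full year."""
    return revenue_per_hour * HOURS_PER_YEAR


def outage_share(hours_down):
    """Fraction of the year lost (six hours is 0.0685%)."""
    return hours_down / HOURS_PER_YEAR


def direct_loss(revenue_per_hour, hours_down):
    """Immediate financial impact: revenue not earned while the asset is down.
    Like the slide, ignores time of day, season and marketing campaigns."""
    return revenue_per_hour * hours_down


def indirect_loss(revenue_per_hour, publicity_cost, lost_sales_share):
    """Indirect business impact: counteracting bad press plus lost annual sales."""
    return publicity_cost + lost_sales_share * annual_value(revenue_per_hour)


@dataclass(frozen=True)
class Vulnerability:
    name: str
    access: int      # assumed 1..3: degree of access an attacker could gain
    difficulty: int  # assumed 1..3: difficulty of a successful attack


def risk(vuln, value):
    """The slide's equation; Value is the asset's annual value."""
    return vuln.access * value / vuln.difficulty


def prioritize(vulns, value):
    """Patch order: highest risk first. Use this instead of 'apply every patch'."""
    return sorted(vulns, key=lambda v: risk(v, value), reverse=True)


if __name__ == "__main__":
    value = annual_value(2_000)                                   # 17,520,000
    print(value, direct_loss(2_000, 6), indirect_loss(2_000, 10_000, 0.01))
    findings = [Vulnerability("info leak, needs local account", 1, 3),   # constructed
                Vulnerability("remote admin on default install", 3, 1)]  # constructed
    print([v.name for v in prioritize(findings, value)])
```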
[Chart: Access against Difficulty, plotting Blaster and Blaster with mitigations]
[Chart: annualized cost over time, showing crisis deployment, burden, upgrade, +1 upgrade, and maintenance]
Damage potential: How great is the damage if the vulnerability is exploited?
Reproducibility: How easy is it to reproduce the attack?
Exploitability: How easy is it to launch the attack?
Affected users: As a rough percentage, how many users are affected?
Discoverability: How easy is it to find the vulnerability?
Rating scale: High (3), Medium (2), Low (1)
Damage potential
  High (3): The attacker can subvert the security system; get full trust authorization; run as administrator; upload content
  Medium (2): Leaking sensitive information
  Low (1): Leaking trivial information
Reproducibility
  High (3): The attack can be reproduced every time and does not require a timing window
  Medium (2): The attack can be reproduced, but only with a timing window and a particular race situation
  Low (1): The attack is very difficult to reproduce, even with knowledge of the security hole
Exploitability
  High (3): A novice programmer could make the attack in a short time
  Medium (2): A skilled programmer could make the attack, then repeat the steps
  Low (1): The attack requires an extremely skilled person and in-depth knowledge every time to exploit
Affected users
  High (3): All users, default configuration, key customers
  Medium (2): Some users, non-default configuration
  Low (1): Very small percentage of users, obscure feature; affects anonymous users
Discoverability
  High (3): Published information explains the attack. The vulnerability is found in the most commonly used feature and is very noticeable
  Medium (2): The vulnerability is in a seldom-used part of the product, and only a few users should come across it. It would take some thinking to see malicious use
  Low (1): The bug is obscure, and it is unlikely that users will work out damage potential
But try these, just in case…
HKLM\Software\Microsoft\Windows NT\CurrentVersion\DisableHackers=1 (REG_DWORD)
HKLM\Wetware\Users\SocialEngineering\Enabled=no (REG_SZ)
HKCU\Wetware\Users\CurrentUser\PickGoodPassword=1 (REG_BINARY)
HKLM\Hardware\CurrentSystem\FullyPatched=yes (REG_SZ)
HKLM\Software\AllowBufferOverflows=no (REG_SZ)
It’s all about money
Save money…
Identify and mitigate risk
Ensure compliance
Make money…
Translate annoyances into differentiators
Select the trade-offs that balance security with business goals
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
www.protectyourwindowsnetwork.com
Thanks very much!
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.