Thursday, October 30, 2003

Microsoft "Threats and Countermeasures" Guide

Microsoft published a new "Threats and Countermeasures Guide" (.exe, expands to .pdf) last month. Using my digital risk definitions provided by the Dynamic Duo (below), here's my evaluation of how well Microsoft uses the "threat" term in its new guide. A baseball analogy is used. Proper use of the term "threat" is bolded.

  • "Securing your network environment requires that strong passwords be used by all users. This helps avoid the threat of an unauthorized user guessing a weak password through either manual methods or tools to acquire the credentials of a compromised user account." Comment: Bravo. A threat is a party with capabilities and intentions, and an unauthorized user as described fits that model. One man on base.

  • "Because vulnerabilities can exist both when this value is configured, as well as when it is not, two distinct countermeasures are defined. Any organization should weigh the choice between the two based on their identified threats and the risks that they are trying to mitigate." Comment: Again, excellent. Two men on base.

  • "Blank passwords are a serious threat to computer security and they should be forbidden through both corporate policy and suitable technical measures." Comment: That's the first out! Microsoft should have used the term "vulnerability," meaning blank passwords are a weakness that can be exploited.

  • "The threat is that a globally visible named object, if incorrectly secured, could be acted upon by a malicious program which knew the name of the object." Comment: Out number two! Again, Microsoft should replace "threat" with "vulnerability." The "malicious program" is the real threat.

  • "This setting turns a repudiation threat (a backup operator could deny that they backed up or restored data) into a denial of service (DoS) vulnerability because a server could be forced to shut down by overwhelming it with logon events." Comment: This is awkward, as it mentions "threat" and "vulnerability" in the same sentence. However, clarifying that the threat is "a backup operator" shows proper usage of the term. Microsoft loads the bases.

  • "One potential threat is that of a user or users accidentally or deliberately filling the storage volume with data by causing an application log file to fill up the drive or by uploading files to the server." Comment: Another close call. The user is actually the threat, and the vulnerability is the weakness in design or configuration which allows that user to fill up the volume. I'll call that an RBI so Microsoft has a run on the board!

  • "The second potential threat is that of directory traversal exploits, in which an attacker takes advantage of a bug in a network service to navigate up the directory tree to the root of the system volume." Comment: Another RBI! This context is shaky as an exploit is actually a tool, and not a threat in and of itself. However, the context mentions an attacker using this tool, so I call that a valid use of the term threat.

  • "Firewalls located between the internal network and the Internet offer no protection against such internal threats." Comment: Microsoft puts another run on the board. Still two outs.

  • "Therefore, before deploying IPSec for any specific scenario, carefully consider and document the potential security threats that IPSec is intended to address, your security requirements, the costs of deploying IPSec versus the cost of not using it, and therefore the expected business benefits." Comment: Four runs! This is a reference to considering the threat model.

Aside from a minor mention in the last pages, that's all.

What of the document's title?

"Threats and Countermeasures: Microsoft Solutions for Security Security Settings in Windows Server 2003 and Windows XP."

Sorry, that's Microsoft's final out. "Threats" should really be "vulnerabilities," but would Microsoft admit its product has vulnerabilities? The entire document outlines weaknesses in Microsoft's products and suggests countermeasures to mitigate those weaknesses. Kudos to Microsoft for writing the doc, and congratulations on a four-run inning!
