1
00:00:01,140 --> 00:00:08,280
Welcome to a module on managing applications. The first topic that will be broached seems very obvious,

2
00:00:08,610 --> 00:00:15,650
but still is extremely vital. All the previous modules provided ample proof that outdated software is

3
00:00:15,650 --> 00:00:18,090
an easy target for automated attacks.

4
00:00:20,270 --> 00:00:25,510
Penetrating a vulnerable system will be neither time-consuming nor costly for a potential attacker.

5
00:00:27,320 --> 00:00:33,120
All it takes to take over a PC is to use freely available tools.

6
00:00:33,220 --> 00:00:35,800
They will see to it in five minutes or less.

7
00:00:35,830 --> 00:00:37,920
Not a great challenge by any means.

8
00:00:40,430 --> 00:00:47,640
As you know, programs are not perfect, and a truly secure program is an application that has no bugs

9
00:00:47,640 --> 00:00:50,260
or flaws at all.

10
00:00:50,280 --> 00:00:51,820
This is rarely achieved.

11
00:00:54,410 --> 00:01:00,030
To combat this issue, software companies release security updates for their products on a regular basis.

12
00:01:02,410 --> 00:01:10,340
Microsoft has throughout the years sculpted a well-designed and seemingly efficient policy. In the past,

13
00:01:10,700 --> 00:01:17,480
security updates would be released immediately after they were developed and tested.

14
00:01:17,480 --> 00:01:22,040
This meant that an administrator would never know if there would be half a day's work ahead of them spent

15
00:01:22,040 --> 00:01:30,150
on testing and implementing potential updates. Updates were a surprise for both administrators and users;

16
00:01:32,540 --> 00:01:34,700
this method was amended some years ago.

17
00:01:35,950 --> 00:01:41,260
Updates are now released in monthly cycles, and it's a rare occurrence if an update is released outside

18
00:01:41,260 --> 00:01:44,180
the cycle.
19
00:01:44,320 --> 00:01:48,940
If this happens, it means that the bug has already been detected and there are tools on the internet

20
00:01:48,940 --> 00:01:51,580
for delivering an attack that exploits the bug.

21
00:01:53,130 --> 00:01:57,330
Microsoft needs to act at once in that case.

22
00:01:57,340 --> 00:02:00,700
Fortunately, this is not a very frequent problem.

23
00:02:01,270 --> 00:02:03,640
Consider the diagram above.

24
00:02:03,640 --> 00:02:10,300
Think about what it represents. This, in theory, is how a cycle of developing and publishing security updates

25
00:02:10,300 --> 00:02:13,040
should look.

26
00:02:13,200 --> 00:02:21,350
If this strategy is put into effect, this would be the best option and an ideal solution for us. The initial

27
00:02:21,350 --> 00:02:26,010
point is the discovery of the security flaw in a system.

28
00:02:26,060 --> 00:02:28,340
The person who identifies it should report it.

29
00:02:30,510 --> 00:02:35,600
The information should not be published on the internet but reported to an appropriate software producer.

30
00:02:37,090 --> 00:02:43,750
Many people understand this rule and act on it. Software producers' reaction to a report is a different

31
00:02:43,750 --> 00:02:44,850
matter.

32
00:02:44,920 --> 00:02:46,480
It can be diverse as well.

33
00:02:48,550 --> 00:02:53,800
It might happen that the researcher who reports on the bug is ignored for months and months, and only

34
00:02:53,800 --> 00:02:56,340
when the information is finally taken to the Internet

35
00:02:56,470 --> 00:03:02,080
does the producer wake up to the threat and take proactive steps to battle it and cooperate with the researcher.

36
00:03:04,460 --> 00:03:10,040
When a security-critical problem is identified in their software, the producer starts to work on developing

37
00:03:10,040 --> 00:03:16,850
an update, fixes and hotfixes that aim to eliminate the bug.

38
00:03:16,940 --> 00:03:22,380
At this point we're in the second window of the graph.
39
00:03:22,400 --> 00:03:29,410
The risk that the bug will be exploited by an automated attack is still relatively low.

40
00:03:29,510 --> 00:03:33,930
If you assume a perfect scenario, this risk could just as well be non-existent.

41
00:03:36,650 --> 00:03:41,120
The only people aware of this problem are the person who reported on it and the software company that's

42
00:03:41,120 --> 00:03:42,340
working to remove it.

43
00:03:44,320 --> 00:03:47,320
Microsoft documents their updates as well.

44
00:03:47,320 --> 00:03:52,650
They are then described in knowledge articles that are publicly available.

45
00:03:52,670 --> 00:03:57,380
The point of this is to give administrators and users a chance to make an informed decision whether or

46
00:03:57,380 --> 00:04:02,080
not they need to install a specific update, by considering if they are directly affected

47
00:04:02,120 --> 00:04:09,310
and if a detected flaw has bearing on their security policy. At the time of release of a knowledge article,

48
00:04:09,730 --> 00:04:11,400
an update is also released.

49
00:04:12,830 --> 00:04:17,720
This marks the beginning of an arms race between the administrator, who needs to implement the update

50
00:04:17,750 --> 00:04:22,880
in time and eliminate the threat, and the people that will want to exploit the bug in other people's

51
00:04:22,880 --> 00:04:23,990
systems.

52
00:04:25,610 --> 00:04:31,100
This is because, while source code analysis of the Office suite, of Microsoft Word or of the entire Windows

53
00:04:31,100 --> 00:04:33,940
system is quite time-consuming and rarely tried,

54
00:04:34,000 --> 00:04:38,290
a security update is as little as several or several dozen kilobytes of code,

55
00:04:41,780 --> 00:04:46,110
and analysis of this amount is not strenuous.

56
00:04:46,140 --> 00:04:52,690
There are many people who will devote a day or two to study the changes brought about by the code.
57
00:04:52,880 --> 00:04:58,590
If you know what problem is eliminated by a given piece of code, you'll know the nature of the problem itself.

58
00:05:00,910 --> 00:05:07,770
At this stage we're in the next-to-last section of the graph. We need to be aware that some of the people

59
00:05:07,770 --> 00:05:13,320
who discovered the nature of the bug, the security flaw, will try to make use of it.

60
00:05:13,400 --> 00:05:18,410
Thanks to this knowledge, they will be able to develop automated tools that exploit a given flaw.

61
00:05:20,710 --> 00:05:27,390
Proof-of-concept type code would start to appear. Then the code would be developed further and be

62
00:05:27,390 --> 00:05:30,060
automated by the same people or by others.

63
00:05:30,060 --> 00:05:36,470
Since the code is now published and widely available, the risk is now very high.

64
00:05:37,740 --> 00:05:43,580
We'll try to think at the moment how much time has passed until we've got here.

65
00:05:43,630 --> 00:05:46,250
If you haven't eliminated the flaw, you're an easy target.

66
00:05:46,250 --> 00:05:48,970
Now, to run an attack,

67
00:05:48,980 --> 00:05:53,330
it's enough to open a browser, enter a phrase in your favorite search engine,

68
00:05:53,330 --> 00:05:57,230
download a ready-made tool and run it.

69
00:05:57,420 --> 00:05:58,800
That's all there is to it.

70
00:06:00,580 --> 00:06:04,910
Let's now consider briefly the length of time between the outlined stages in the race.

71
00:06:06,290 --> 00:06:11,750
As we mentioned, reaction time between reporting a flaw and hotfix and update preparation differs

72
00:06:11,750 --> 00:06:13,800
greatly.

73
00:06:13,830 --> 00:06:17,200
It might take a week, but it might take 3 months as well.

74
00:06:19,570 --> 00:06:23,560
This is decided on by a software company entirely.

75
00:06:23,690 --> 00:06:27,080
Statistics show that Microsoft is doing well in this regard.
76
00:06:28,520 --> 00:06:33,500
There are some companies that have known for a year of reported security-critical flaws and vulnerabilities

77
00:06:33,800 --> 00:06:40,790
and still have not taken any steps to safeguard their products. Testing and developing an update takes

78
00:06:40,790 --> 00:06:43,130
a month in the case of Microsoft.

79
00:06:43,190 --> 00:06:44,250
Why so long?

80
00:06:45,660 --> 00:06:50,120
Operating systems and most of the code provided by this company run on many copies.

81
00:06:51,440 --> 00:06:58,450
Many PCs have different settings. Proving, or at least making sure, that an update is secure

82
00:06:58,450 --> 00:07:04,310
might take a bit long. If a swifter reaction is required,

83
00:07:04,330 --> 00:07:11,430
security bulletins and internal updates are released. These updates are not the same as the updates that

84
00:07:11,430 --> 00:07:13,080
are automatically available,

85
00:07:13,080 --> 00:07:20,890
for example at the Windows Update site. You can request them online, however, either by submitting a form

86
00:07:20,920 --> 00:07:22,900
or sending an email.

87
00:07:22,930 --> 00:07:29,670
In this case you will receive a custom security update. A custom security update usually eliminates less

88
00:07:29,670 --> 00:07:35,390
popular problems that occur only in some specific configurations or specific environments.

89
00:07:37,750 --> 00:07:42,530
They are not available for everyone because the problem they address pertains to a small portion of

90
00:07:42,530 --> 00:07:48,800
a customer base and because they have not been extensively tested.

91
00:07:49,020 --> 00:07:52,770
In that case, a small audience lessens the risk that something will go wrong.

92
00:07:54,610 --> 00:07:56,480
As regards the last part of the graph,

93
00:07:56,650 --> 00:07:58,510
things get really quick at this point.
94
00:07:59,690 --> 00:08:05,300
Experience shows that there is a day or two, no more, between an update release and developing a proof

95
00:08:05,300 --> 00:08:13,780
of concept code and exploit. Automating the attack takes another day or even a few hours.

96
00:08:13,780 --> 00:08:17,560
This depends on what the flaw relates to.

97
00:08:17,680 --> 00:08:21,870
Even if it seems you can take time to react, there's usually no time to lose.