Windows 8 should provide improved security against malware and exploits compared with earlier versions of Windows, at least for a while. Now that the underground market for attack and malware kits is much more competitive than three years ago, it is likely that Windows 8 specific malware will be available quicker than Windows 7 specific malware appeared. Systems running the new Unified Extensible Firmware Interface are still vulnerable to MBR-based rootkits, just as previous OS versions were, according to one research company. On the day of Windows 8’s release, the firm announced for sale to its customers the availability of a zero-day vulnerability that circumvents all new security enhancements in Windows 8 and Internet Explorer 10.
Big-Scale Attacks
Destructive payloads in malware have become rare because attackers prefer to take control of their victims’ computers for financial gain or to steal intellectual property. Recently, however, we have seen several attacks some apparently targeted, others implemented as worms in which the only goal was to cause as much damage as possible. We expect this malicious behavior to grow in 2013. Whether this is hacktivism taken to a new level, as some claim, or just malicious intent is impossible to say, but the worrying fact is that companies appear to be rather vulnerable to such attacks. As with Distributed Denial of Service (DDoS) attacks, the technical bar for the hackers to hurdle is rather low. If attackers can install destructive malware on a large number of machines, then the result can be devastating.
An inside or outside attacker who has elevated privileges on the network for a long time could time-bomb many systems on multiple sites. This effect is likely worse than what is covered in many disaster recovery plans, so the IT staff may have to make some updates. The priority is to keep the business running, which is best achieved by having production networks, SCADA systems, etc. completely separated from the normal network, preventing them from getting hit in the first place. Then there will be a massive loss of data to deal with because users just love to store their data on their local machines. One challenge will be to reinstall thousands of machines while ensuring that the time bomb doesn’t resurface. Technologies that may prove useful include remote management features that are independent of the state of the PC and its OS, but these features will need to be tested before an incident happens.
All measures to detect and block these persistent threats should also be effective against the preliminary steps of such attacks, while the attacker tries to gain and elevate access. Remote application control would prevent servers and key systems from being affected unless an attacker has already taken full control of the update process, which can be determined by carefully monitoring who does what on the management systems. To keep the loss of data to a minimum, a reliable network backup process needs to be in place, as well as backing up local data and blocking attackers from shredding data on shared drives and folders on the network.
