Microsoft Security Tool Helps Slam The Door On Attacks, Says Researcher

A Microsoft tool entering its fourth iteration has seen slow adoption, but it could help greatly reduce the risk of successful attacks, according to a Verizon security expert and an author of the 2013 Verizon Data Breach Investigations Report.

The beta of version 4 of the Enhanced Mitigation Experience Toolkit (EMET) was released by Microsoft last week. The tool, which helps shield memory corruption vulnerabilities from exploitation, can make it much more difficult for attackers to gain an initial foothold in corporate systems, said Chris Porter, managing principal with Verizon's RISK Team. Administrators have been shirking the tool because some thought it was too complicated to deploy in some enterprises, Porter told CRN.

"It seems to be an effective control," Porter said. "We recommend taking a targeted approach with it against Internet Explorer and software that might be targeted by different groups."

Microsoft's EMET favors small organizations with less complex environments. But the tool is favored among nearly all security experts and is referred to in the 20 Critical Controls, a document created by a consortium of industry security experts to provide best practices to mitigate threats.

The 2013 Verizon DBIR found that 92 percent of all attacks emanate from outside the corporate network. Malware was used in 40 percent of the 621 breaches analyzed by Verizon. Many attacks required user interaction, typically clicking on a malicious link or file attachment. Attackers are exploiting vulnerabilities and installing spyware or keyloggers to steal account credentials, Verizon found.

In most cases, focusing on finding specific vulnerabilities and blocking specific exploits is a losing battle, Porter said. Patching is becoming easy on desktops, with automated updates for certain components that interfere less with software configurations, he said. If users don't have administrative rights and there's stronger configuration on the desktop, then organizations should wait before pushing out a patch, he added.

"There's a balance between configuration management and patch management," Porter said. "If you have very strong configurations, then you can patch in a targeted fashion and broadly over time."

If deployed properly, the final version of Microsoft's EMET, due out in May, could thwart zero-day vulnerabilities by preventing an attacker from targeting flaws regardless of whether the latest updates have been installed on an endpoint system. It does so by enabling administrators to apply data execution prevention, a defensive technology, to legacy software.

The latest version of Microsoft's EMET addresses man-in-the-middle attacks by enabling administrators to closely validate digitally signed SSL/TLS certificates, according to Microsoft. Software engineers also added capabilities to help stop attackers from bypassing Data Execution Prevention using an exploit that relies on return-oriented programming. Some of the mitigations in the toolkit were added from Microsoft's BlueHat Prize submissions in 2012.

The BlueHat contest was designed to reward software engineers for building new defensive mechanisms that can be applied to legacy software. Katie Moussouris, senior security strategist at Microsoft, recently confirmed to CRN that Microsoft is in the planning stages of BlueHat v2.0. Future entrants should stay tuned for developments on the MSRC and Ecostrat blogs, Moussouris said.

Microsoft said it has made its EMET tool much easier to deploy and is encouraging administrators to give it a try. For example, no source code is needed to implement Data Execution Prevention, making it easier to deploy mitigations on software that was written before the defensive technology was made available.

Administrators can use Group Policy or System Center Configuration Manager to deploy EMET. It also has a graphical user interface to configure mitigations so it is consistent regardless of the underlying platform. "There is no need to locate up and decipher registry keys or run platform-dependent utilities," Microsoft said.

The minimum requirements in EMET 4 beta are Windows XP Service Pack 3 and above for client operating systems and Windows Server 2003 Service Pack 1 and above for servers.

No tool is a silver bullet, say security experts. Vulnerability management needs to be part of an organization's security program regardless of whether the EMET tool is used or not, said Wolfgang Kandek, CTO of vulnerability management vendor Qualys.

"Most of the malware that is being installed on workstations does a lot of credential-stealing and it's getting on systems by exploiting a known flaw or zero-day vulnerability," Kandek said. "There's no single tool that can defend against all attacks and no appliance that can secure your environment alone."

PUBLISHED APRIL 23, 2013