Two of the most common ways that malware becomes installed on a computer are bundling and social engineering. With bundling, malware is packaged together with useful software, and the user is often unaware that the bundle includes anything harmful. With social engineering, the user is tricked into installing the software. Typically, the user receives a misleading e-mail or browser pop-up containing instructions to open an attachment or visit a Web site.
Windows Vista and Windows 7 offer significantly improved protection against both bundling and social engineering. With the default settings, malware that attempts to install via bundling or social engineering must circumvent two levels of protection: UAC and Windows Defender.
UAC either prompts the user to confirm the installation of the software (if the user is logged on with an administrative account) or prompts the user for administrative credentials (if the user is logged on with a Standard account). This makes users aware that a process is trying to make significant changes to the computer and gives them the chance to stop it. Standard users must contact an administrator to continue the installation. For more information, see the section titled "User Account Control" later in this chapter.
Windows Defender real-time protection blocks applications that are identified as malicious. Windows Defender also detects and stops changes the malware might attempt to make, such as configuring itself to run automatically after a reboot. Windows Defender notifies the user that an application has attempted to make such a change and gives the user the opportunity to block it or proceed with the installation. For more information, see the section titled "Windows Defender" later in this chapter.
NOTE Windows Defender adds events to the System event log. Combined with event subscriptions or a tool such as Microsoft System Center Operations Manager (SCOM), you can easily aggregate and analyze Windows Defender events for your organization.
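The following PowerShell script is an added example and is not code from the Resource Kit or from Microsoft. It checks, on a Windows Vista or Windows 7 host, whether the two default layers described above are actually in place: it reads the UAC policy values that decide which prompt (consent or credentials) a user sees, checks that the Windows Defender service is running and that real-time protection has not been switched off by policy, and summarizes Windows Defender events from the System log as the note suggests. The registry paths, the service name WinDefend and the event provider name "Windows Defender" are assumptions based on Windows 7 documentation and are not stated on this page; the meanings of the ConsentPromptBehavior values are the documented UAC security policy settings. It was written for the Windows PowerShell 2.0 that ships with Windows 7, so it avoids newer syntax.

```powershell
# Added example (not from the Resource Kit): audit the UAC and Windows Defender
# layers on a Windows Vista/7 host. Paths and names are assumptions, see lead-in.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of the two UAC prompt-behavior policy values.
$AdminPromptMeaning = @{
    0 = 'Elevate without prompting (administrators never see a UAC prompt)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows 7 default)'
}
$UserPromptMeaning = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Get-UacConfiguration {
    $p     = Get-ItemProperty -Path $UacKey
    $admin = [int]$p.ConsentPromptBehaviorAdmin
    $user  = [int]$p.ConsentPromptBehaviorUser
    New-Object PSObject -Property @{
        EnableLUA             = [int]$p.EnableLUA            # 1 = UAC is on
        AdminPromptBehavior   = "$admin - $($AdminPromptMeaning[$admin])"
        UserPromptBehavior    = "$user - $($UserPromptMeaning[$user])"
        PromptOnSecureDesktop = [int]$p.PromptOnSecureDesktop
        # The layer only counts as intact if UAC is on and administrators are
        # not allowed to elevate silently.
        LayerIntact           = ([int]$p.EnableLUA -eq 1 -and $admin -ne 0)
    }
}

function Get-WindowsDefenderState {
    # WinDefend is assumed to be the Windows Defender service name on Vista/7.
    $svc    = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $status = 'NotInstalled'
    if ($svc) { $status = $svc.Status }
    # Group Policy can turn real-time protection off; assumed policy key.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
    $disabled  = 0
    if (Test-Path $policyKey) {
        $disabled = [int](Get-ItemProperty -Path $policyKey).DisableRealtimeMonitoring
    }
    New-Object PSObject -Property @{
        ServiceStatus            = $status
        RealtimeDisabledByPolicy = ($disabled -eq 1)
        LayerIntact              = ($status -eq 'Running' -and $disabled -ne 1)
    }
}

function Get-WindowsDefenderEvents {
    # Summarize Defender events written to the System log, grouped by event ID.
    # The provider name 'Windows Defender' is assumed from the event source
    # shown in Event Viewer on Windows 7.
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Windows Defender'
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent returns newest events first, so the first item of each
    # group is the most recent occurrence of that event ID.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object -Property Id |
        Sort-Object -Property Count -Descending |
        Select-Object @{n='EventId'; e={ $_.Name }},
                      Count,
                      @{n='Latest';  e={ ($_.Group | Select-Object -First 1).TimeCreated }},
                      @{n='Message'; e={ ($_.Group | Select-Object -First 1).Message.Split("`n")[0] }}
}

Get-UacConfiguration
Get-WindowsDefenderState
Get-WindowsDefenderEvents -Days 30 | Format-Table -AutoSize
```

Run the script from an elevated PowerShell prompt if reading the System log is restricted on your configuration. A LayerIntact value of False on either object means that layer is not providing the protection the text describes, which is exactly the situation the defense-in-depth discussion below is about: the other layer still stands, but you are down to one. The same Get-WinEvent filter, pointed at a forwarded-events collector log, is a simple starting point for the organization-wide aggregation the note mentions.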
These levels of protection are illustrated in Figure 2-1.
Figure 2-1 Windows Vista and Windows 7 use defense-in-depth to protect against bundling and social engineering malware attacks.
With Windows XP and earlier versions of Windows, bundling and social engineering malware installations were likely to succeed because none of these protections was included with the operating system or service packs.
Defense-in-depth is a proven technique of layered protection that reduces the exposure of vulnerabilities. For example, you might design a network with three layers of packet filtering: a packet-filtering router, a hardware firewall, and a software firewall on each of the hosts (such as Windows Firewall, which replaced Internet Connection Firewall in Windows XP SP2). If an attacker manages to bypass one or two of the layers of protection, the hosts are still protected.
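The innermost layer in that design, the host firewall, is the one most often switched off during troubleshooting and forgotten. The following PowerShell function is an added example, not code from the Resource Kit, that checks this layer on a Windows Vista or Windows 7 host by parsing the output of netsh advfirewall show allprofiles and reporting, per profile, whether the firewall is on and whether inbound connections are blocked by default. The output format it parses (a "<Name> Profile Settings:" header followed by State and Firewall Policy lines) is assumed from the netsh advfirewall output on Windows 7 and is not described on this page.

```powershell
# Added example (not from the Resource Kit): verify the host firewall layer on
# Windows Vista/7 by parsing netsh advfirewall output (format assumed).

function Get-HostFirewallState {
    $profile = $null
    $state   = $null
    $results = @()
    foreach ($line in (netsh advfirewall show allprofiles)) {
        if ($line -match '^(\w+) Profile Settings:') {
            # New profile block (Domain, Private or Public); reset the fields.
            $profile = $Matches[1]
            $state   = $null
        }
        elseif ($profile -and $line -match '^State\s+(\w+)') {
            $state = $Matches[1]                       # ON or OFF
        }
        elseif ($profile -and $line -match '^Firewall Policy\s+(\S+)') {
            # e.g. BlockInbound,AllowOutbound; this is the last field we need,
            # so emit one object per profile here.
            $policy = $Matches[1]
            $results += New-Object PSObject -Property @{
                Profile     = $profile
                State       = $state
                Policy      = $policy
                # Intact only if the firewall is on and unsolicited inbound
                # traffic is dropped unless a rule allows it.
                LayerIntact = ($state -eq 'ON' -and $policy -like 'BlockInbound*')
            }
        }
    }
    $results
}

Get-HostFirewallState | Format-Table Profile, State, Policy, LayerIntact -AutoSize
```

Because netsh is a console program, the function receives its output as an array of strings, one per line, which is why a simple regex per line is enough. A profile whose LayerIntact is False has lost the last layer in the three-layer design above and is relying entirely on the router and the perimeter firewall.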
The real benefit of defense-in-depth is its ability to protect against human error. A single layer of defense may be sufficient under normal circumstances, but an administrator who turns it off during troubleshooting, an accidental misconfiguration, or a newly discovered vulnerability can remove that single layer entirely. Defense-in-depth keeps protecting you even when one layer has a vulnerability or has been disabled.
Although most new Windows security features are preventive countermeasures that focus on directly mitigating risk by blocking vulnerabilities from being exploited, your defense-in-depth strategy should also include detective and reactive countermeasures. Auditing and third-party intrusion-detection systems can help you analyze an attack after the fact, enabling administrators to block future attacks and possibly identify the attacker. Backups and a disaster recovery plan enable you to react to an attack and limit the potential data loss.