Windows XP more dangerous OS than Vista, Windows 7

Microsoft has released a new Security Incident Report–the eighth volume of Microsoft’s quarterly overview of computer and network security trends. The report illustrates once again that security can be greatly improved by upgrading to the latest software, and through user education.

The Key Findings Summary points out some of the more relevant data discovered over the past three months. Here are some of the highlights:

• The 64-bit versions of Windows 7 and Windows Vista SP2 had lower infection rates than any other operating system configuration in 2H09, although the 32-bit versions both had infection rates that were less than half of Windows XP with its most up-to-date service pack, SP3.

• Domain-joined computers were much more likely to encounter worms than non-domain computers, primarily because of the way worms propagate. Worms typically spread most effectively via unsecured file shares and removable storage volumes, both of which are often plentiful in enterprise environments and less common in homes.

• In Windows XP, Microsoft vulnerabilities account for 55.3 percent of all attacks in the studied sample. (comparing targets of browser-based exploits)

• In Windows Vista and Windows 7, the proportion of Microsoft vulnerabilities is significantly smaller, accounting for just 24.6 percent of attacks in the studied sample. (comparing targets of browser-based exploits)

Vinny Gullotto, general manager of the Microsoft Malware Protection Center wrote in a post on The Official Microsoft Blog “The Internet holds great opportunity, but as cybercrime evolves it can be difficult to know how to stay protected.”

Gullotto goes on to explain “As businesses continue a gradual migration toward cloud computing, bot herders in the malware community have adopted their own version of cloud computing–a “black cloud” built on global networks of compromised computers to install spyware, spread malware and spam around the world. Moreover, malware kits are developed, released, and updated just like legitimate products–complete with advanced features and minor releases to improve kit effectiveness.”

I spoke with Graham Titterington, principal analyst at Ovum, about the Microsoft Security Incident Report, and he also pointed out the continuing trend of malware and other cyber attacks toward organized crime. Titterington told me that cyber criminals are very sophisticated, some even more so than legitimate businesses–complete with research and development teams, marketing, beta testing, and other tools to ensure the efficacy of the malicious code they develop.

Many look to legislators to craft new laws with harsher penalties to address the rise in cyber attacks and cyber crime. The problem with new laws is twofold. First, laws only hinder the activities of the law-abiding. Cyber criminals are already aware they are breaking the law, and obviously they don’t care. So, creating new laws will not impede cyber attacks.

The other–perhaps even larger issue–is that the Internet is global, but laws are regional. Just because an attacker violates a law in the United States doesn’t mean they have violated a law in Argentina. Tracking an attack to its true source, and engaging local authorities to cooperate in apprehending the perpetrators is like herding cats.

According to Titterington, the best that law enforcement can do to stop, or at least slow, cyber attacks is to follow the money. Disrupting the means for attackers to benefit monetarily from the attacks is arguably the quickest way to shut them down.

The latest Microsoft Security Incident Report also includes a new section with guidance from Microsoft on how to mitigate or protect against the threats described. The report says “Transform your security message from “no” to “how.” Demonstrate to your organization how to be secure rather than telling them what they can or cannot do.”

The advice from Microsoft includes tips such as using creative and engaging formats such as podcasts or contests, and focusing on “how-to” type formats. Microsoft also stresses the importance of basic user education–keeping users informed not to click on unknown or suspicious links, how to create and use strong passwords, not to share username or password information, and other common sense measures that need to be drilled on a regular basis.

The full Microsoft Security Incident Report v8 has 12 pages of information and links to additional resources to help IT administrators take specific action to protect their networks and computer systems from the threats discussed in the report.