Security Situation

of the Microsoft Windows

LECTURE 3
Microsoft Windows and the Threat
Landscape
CYU 07317 Security Strategies in Windows Platform 01/08/2025 1
 Why Security Strategies in Windows
Platforms ?
 Microsoft Windows is the most common operating
system used on computers today
 Almost 90% of desktop and laptop computers and 33%
of servers use a Window operating system
 Attackers are finding many vulnerabilities to exploit
System running Microsoft Windows
CYU 07317 Security Strategies in Windows Platform 01/08/2025 2
 Cont…
 Microsoft provides an operating system and application software for a wide
variety of solutions, including client computers, servers, and mobile devices
 Each new Windows release provides advanced security features
 That brings new and unique threats that could compromise a system’s
security
 Despite of it, it is important to understand the threats to Windows system
security and the steps to protect it from attackers

CYU 07317 Security Strategies in Windows Platform 01/08/2025 3

 Learning objectives
 Review key concepts and terms associated with information systems
security
 Discuss the tenets of information security: C-I-A triad
 Explain how Microsoft Windows and applications map to a typical IT
infrastructure
 List the main objectives of the Microsoft EULA
 Describe the limitations of liability in the Microsoft EULA
CYU 07317 Security Strategies in Windows Platform 01/08/2025 4
 Learning objectives
 Categorize Windows threats and vulnerabilities
 Recognize the anatomy of common Microsoft Windows
vulnerabilities
 Summarize the discovery-analysis-remediation cycle
 Analyse common methods of attack
 Discuss emerging methods of attack

CYU 07317 Security Strategies in Windows Platform 01/08/2025 5

 Attackers in Windows Platforms
 The tremendous change of technology, has caused the world to notice an increase of
attackers associated with various sophisticated skills and techniques
 Attackers are continually innovating their methods to compromise the most secured IT
infrastructure
 The job of the security professional has been becoming more difficult because of the
complexity of systems and the sophistication of attacks
 No single action, rule, or device is able to protect an information system from all attacks
at this era of STI.
 IT security Professionals are strongly advised to take a collection of strategies to make an IS
infrastructure safe
CYU 07317 Security Strategies in Windows Platform 01/08/2025 6
 Defence in depth
 The approach of using a collection of strategies is often
called defence in depth
 To maintain secure systems, it is important to understand how
environments are attacked and how computer systems
and networks can be protected to prevent data and
information loss
 Simply because, today’s most data and information are commonly stored in
a computer based system called information systems
CYU 07317 Security Strategies in Windows Platform 01/08/2025 7
 Goal of Information security
 The goal of Information security is to protect data/ information from
unauthorized use but to make the them available for authorized use
 Protecting information from unauthorized use and making the information
available for authorized use are completely separate idea
 It requires a different a collection of strategies called defence in depth
 Ensuring information is available and accessible for authorized use
sometimes can restrict the data from authorized use
 The defence in depth requires careful balance between security and usability
CYU 07317 Security Strategies in Windows Platform 01/08/2025 8
 Security controls
 The term security controls referred to a mechanisms
used to protect organization data and information
 In general, Security controls can be part of the operating
system or application software setup, part of a written
policy, or
 A physical device that limits access to an organization
resources
CYU 07317 Security Strategies in Windows Platform 01/08/2025 9
 Security controls…

 In a defence in depth, the term Security controls

can well be categorized based on:
i. What control is and
ii. What function they perform or how do they do

CYU 07317 Security Strategies in Windows Platform 01/08/2025 10

 Types of security control
In a defence in depth the following are types of security control based on
what control is:
i. Administrative controls: These are written policies, procedures,
guidelines, regulations, laws, and rules of any kind
ii. Technical controls: These are devices or processes that limit access
to resources. Examples include user authentication, antivirus software,
and firewalls. Technical controls are also called logical controls
iii. Physical controls: These are devices that limit access to or otherwise
protect a resource, such as fences, doors, locks, and fire extinguishers.
CYU 07317 Security Strategies in Windows Platform 01/08/2025 11
 Types of Security Control… what they
do/what function they perform
The Security controls can also be categorized based on function they
perform referred to as what they do
i. Preventive controls: Which prevent an action.They include locked doors, firewall
rules, and user passwords
ii. Detective controls: The one which detect that an action has occurred. Smoke
detectors, Windows event viewers, System Log, and system audits
iii. Corrective controls: These repair the effects of damage from an attack.
They include virus removal procedures, firewall table updates, and user authorization
database updates.
CYU 07317 Security Strategies in Windows Platform 01/08/2025 12
 Class Activity

1. Describe the procedure of viewing login history for

your computer running Windows Operating System
2. What is the function on an Event Viewer in a
computer running Windows Operating System?
3. State how do you use an Event Viewer of your
Computer?
CYU 07317 Security Strategies in Windows Platform 01/08/2025 13
 Tenets of Information Security
The C-I-A Triad
 In the field of IS Security, the practice of securing information involves three main
attributes of information called the tenets of information security or the C-I-A
triad
 The three tenets of information security are:
i. Confidentiality: The assurance that the information cannot be accessed or viewed by
unauthorized users is confidentiality
ii. Integrity: The assurance that the information cannot be changed by unauthorized
users is integrity
iii. Availability: The assurance that the information is available to authorized users in
an acceptable time frame when the information is requested is availability
CYU 07317 Security Strategies in Windows Platform 01/08/2025 14
 Tenets of Information Security…
 In some cases, it is not enough to ensure
information is protected from changes
 Some information is private, privileged,
business confidential, or classified and must
be protected from unauthorized access of
any type

CYU 07317 Security Strategies in Windows Platform 01/08/2025 15

 Confidentiality

 Part of the value of confidential information is that it is available only to

a limited number of authorized users
 Some examples of confidential information include financial information,
either personal or corporate; personal medical information; and secret
military plans
 Sometimes, it is necessary to limit users with access to many resources
by only allowing them to access specific resources on a need-to-know
(NTK) basis
CYU 07317 Security Strategies in Windows Platform 01/08/2025 16
 Confidentiality…
 Example, a manager may have access to project documents that contain
sensitive information
 To limit the damage that could occur from accidents or errors, it is
common to limit access to documents that directly relate to the manager’s
projects only
 Documents that do not directly relate to the manager’s projects are not
accessible
 This means that although a user possesses sufficient access for a
resource, if the user does not have a specific need to know what a
resource stores, the user still cannot access it.
CYU 07317 Security Strategies in Windows Platform 01/08/2025 17
 Integrity
 Information is valid only when it is correct and can be trusted
 The second tenet of information security ensures that information can be
modified only by authorized users
 Ensuring integrity means applying controls that prohibit unauthorized
changes to information
 Controls that ensure information integrity can be based on the user’s role
 Regardless of the specific controls in use, the goal of integrity is to protect
information from unauthorized changes.
CYU 07317 Security Strategies in Windows Platform 01/08/2025 18
 Availability
 Secure information is serving the purpose for which it was created
 This means that secure information must be available when the information
is requested
 Many attacks focus on denying the availability of information
 One common type of attack that denies the availability of information is the
denial of service (DoS) attack
 This type of attack does not need to actually access or modify information,
but it prevents authorized users from accessing it
CYU 07317 Security Strategies in Windows Platform 01/08/2025 19
 Availability… hacktivists
 Example, an attack that denies access to Amazon.com’s web-based information would
have a negative impact on sales
 Amazon can’t afford to allow its information to be inaccessible for any length of time.
 Since so many businesses rely on available information to function properly, unavailable
information poses a risk to the primary business functions.
 At this era, a different type of adversary has joined the ranks of cyber attackers
 These attackers use their skills to make social statements
 The hacking abilities called hacktivists often target victims with the goal of making some
sort of social impact.
CYU 07317 Security Strategies in Windows Platform 01/08/2025 20
 Class Activity

1. Explain the meaning of the term Hacktivists as

used in cyber crime.
2. What are the main target of the Hacktivists?

CYU 07317 Security Strategies in Windows Platform 01/08/2025 21

 Hacktivists….
 Hacktivists are groups of criminals who unite to carry out cyber attacks in support of
political causes
 Hacktivists are behind more and more large-scale attacks
 The intent of which is generally to bring attention to some political or social issue.
 For example, Charles Tucker, also known as the “Bitcoin Baron,” was recently sentenced to 20
months in prison for carrying out a series of hacktivist attacks in 2015.
 One of the attacks for which Mr. Tucker was convicted was a distributed denial of service
(DDoS) attack against the 911 service of Madison, WI.
 Hacktivists are increasingly disrupting critical services with the hope of bringing attention to a
specific issue
CYU 07317 Security Strategies in Windows Platform 01/08/2025 22
 Microsoft’s End-User License
Agreement
 A software license agreement must be accepted prior to the installation of any
Microsoft Windows product
 The software license agreement contains the Microsoft Software License Terms
and is also referred to as the End-User License Agreement (EULA)
 It is important to read the EULA before accepting it—don’t just blindly choose the
“I accept” option
 Each edition of Windows ships with a specific version of the EULA; so, it is
important to know the contents of the EULA for each edition of Windows present
in your environment.
CYU 07317 Security Strategies in Windows Platform 01/08/2025 23
 EULA…
 To find the EULA for any edition of Windows:
 Open a web browser, such as Internet Explorer.
 Enter the following address: https://www.microsoft.com/en-us/useterms/
 Enter the requested information for:
 How the software was acquired
 Product name
 Version
 Language
 Select the link for the desired EULA document.
CYU 07317 Security Strategies in Windows Platform 01/08/2025 24
 Windows Threats and Vulnerabilities
 Securing any platform requires an understanding of its
capability and the most likely ways the platform can be
compromised
 Understanding everything about Windows will not make your
systems more secure
 The main goal in securing an IT infrastructures environment is
to recognizing risks and implementing controls to mitigate the
risks
CYU 07317 Security Strategies in Windows Platform 01/08/2025 25
 Risk and Threat
 A risk is defined as any exposure to a threat
 A threat is any action that could lead to damage, disruption, or loss
 A threat by itself is not necessarily dangerous
 Example, lighting a fire could be considered a threat
 In the right environment, such as on a camping trip or in a fireplace, lighting a fire is
desirable
 However, lighting a fire in an operational datacentre is not desirable at all.
 Such an action will likely result in business process disruption and possibly even
damage
CYU 07317 Security Strategies in Windows Platform 01/08/2025 26
 Damage to occur
 For damage to occur, there has to be a threat, such as lighting a fire, in a
vulnerable environment, such as in a datacentre
 Attackers look for vulnerabilities or weaknesses in the operating system
and application software
 Once vulnerabilities are discovered, the next step is to devise an attack
that will exploit the weakness
 A successful attack is defined as one that realizes, or carries out, a threat
against vulnerabilities.
CYU 07317 Security Strategies in Windows Platform 01/08/2025 27
 Understanding methods of attack
 It is important to understand the most common methods of attack in
a Windows environment
 Simply because ,you can plan controls that limit an attacker’s ability to
realize threats
 The controls you implement can directly address vulnerabilities or restrict
an attacker’s ability to get into a position to realize a threat.
 Either way, by breaking the ability of an attacker to carry out a threat
against a vulnerability, you make your IT infrastructure more secure.
CYU 07317 Security Strategies in Windows Platform 01/08/2025 28
 Familiarising of the Microsoft Windows
Vulnerabilities
 Being a professional Cyber Security officer, it is recommended to
examine and analyse on how real vulnerabilities have been exploited
by attackers in your IT infrastructure
 The analysis helps to understand the nature of vulnerabilities and
methods of protecting systems from attackers

CYU 07317 Security Strategies in Windows Platform 01/08/2025 29

 Ransomware

 Ransomware is a recent type of malicious software that renders files or volumes

inaccessible, demanding a ransom payment in exchange for access to the captured
resources
 Most ransomware encrypts data and demands a payment using cryptocurrency in
exchange for the decryption key
 But ransomware alone isn’t destructive to computers
 All malware needs an opening, or a vulnerability, to succeed.
 In many cases, users provide common vulnerabilities that malware can exploit.
 In two of the attacks below, users give the malware the opening it needs by opening
a document or following a link.
CYU 07317 Security Strategies in Windows Platform 01/08/2025 30
 CryptoLocker
 Although ransomware had been around since about 1989, most attacks were small and
targeted.
 CryptoLocker signaled a change in tactics when it was released to the world in late 2013
 This ransomware attack infected over 250,000 Microsoft Windows computers.
 The attackers were paid an estimated $3 million by victims before an international effort
took down the botnet and servers
 CryptoLocker used a combination of operating system filename obfuscation and social
engineering to take over a victim’s computer. Here is how the CryptoLocker attack
unfolded
CYU 07317 Security Strategies in Windows Platform 01/08/2025 31
 Cont…
 The victim received a legitimate-looking email message with an attached ZIP file that contained the
disguised executable file payload.
 Since Windows hides file extensions by default, the malicious executable file appeared to be a PDF
file, and many users opened the file, executing the payload.
 The payload added a key to the Windows Registry that caused it to run at boot time and then
attempted to connect to the ransomware server.
 Once a connection was established with the server, the ransomware created a public and private key
pair and sent the private key to the ransomware server.
 Then, CryptoLocker found all files with common extensions and encrypted them with the generated
public key.
 Finally, CryptoLocker displayed a message to the victim and demanded a payment in bitcoin within a
short window of time, generally 72 hours.
CYU 07317 Security Strategies in Windows Platform 01/08/2025 32
 Cont…
 CryptoLocker’s success depended on authorized users executing the
malicious payload
 The ransomware only had to convince victims to click on the attachment
and the encryption process began
 As soon as victim reports surfaced, anti-malware software signature
databases were updated to better detect CryptoLocker’s attachments
before users ever saw them
 But by that time, many victims had already been successfully attacked.
CYU 07317 Security Strategies in Windows Platform 01/08/2025 33
 Locky
 Locky was another form of ransomware that was released in 2016.
 The Locky attack, like CryptoLocker, was delivered as an email attachment
 In Locky’s case, the attached file was a Microsoft Word document that contained the ransomware code
as a macro.
 When the victim opened the Microsoft Word document, the attacker had to trick the user into launching
the macro.
 The contents of the document appeared to be meaningless garbage.
 A pop-up message appeared that instructed the victim to enable macros if the data encoding is
incorrect.
 Many users simply enabled macros without considering the impact of that action. Once macros were
enabled, the attack sequence started.
CYU 07317 Security Strategies in Windows Platform 01/08/2025 34
 Cont …
 The Locky macro actually downloaded and executed the real ransomware.
Like CryptoLocker, Locky generates different encryption and decryption keys
for each computer it attacks.
 After creating the encryption/decryption key pair, it sends the decryption
(private) key back to the attacker.
 The private key is required to decrypt your files.
 After saving the private key back on the attacker’s ransomware server, Locky
encrypts the victim’s files using the public key. The rest of the attack is similar
toCYUits predecessor.
07317 Security Strategies in Windows Platform 01/08/2025 35
 WannaCry
 WannaCry is the most recent of the three ransomware attacks presented in this
section
 This ransomware attack was launched in May 2017 in a global attack on
computers running the Microsoft Windows operating system.
 Deployed as a worm, WannaCry was able to replicate itself and not rely on
unsuspecting victims to launch the payload.
 Worms are standalone malicious software programs that actively transmit
themselves without relying on an unsuspecting victim’s actions,
 Generally over networks, to infect other computers.
CYU 07317 Security Strategies in Windows Platform 01/08/2025 36
 Cont…
 WannaCry attacked a known exploit in the Windows operating system called EternalBlue, which is an exploit on
the Windows implementation of the Server Message Block (SMB) protocol.
 EternalBlue was originally developed by the National Security Agency (NSA) and was kept a secret until it was
leaked in April 2017.
 The SMB protocol defines how resources, such as printers and disk drives, are accessed by other computers on a
network.
 WannaCry exploited a weakness in SMB and automatically infected other computers on the same network that
did not have the updated security patches installed.
 Microsoft released emergency patches that directly addressed the WanaCry ransomware and stopped it from
replicating.
 However, WannaCry still was able to infect over 200,000 computers worldwide. In spite of the quick response,
WannaCry demonstrated that even current operating systems can be vulnerable to sophisticated ransomware
attacks.
CYU 07317 Security Strategies in Windows Platform 01/08/2025 37
 Discovery-Analysis-Remediation Cycle
 A recurring three-step process is followed
for addressing attacks.
 This process is referred to as the discovery-
analysis-remediation cycle.
 This process may occur exclusively within
your organization, outside your organization
to include cloud-based service providers, or
both
CYU 07317 Security Strategies in Windows Platform 01/08/2025 38
 Discovery
 The first step in responding to an attack is to know an attack has occurred
or is occurring.
 Discovering an attack is often more difficult than it would seem.
 Experienced attackers know that the success of an exploit often depends
on the amount of time vulnerable systems are exposed.
 Once an attack starts, a common goal of attackers is to become as
inconspicuous as possible. Keeping a low profile often allows an attack to
become more successful as time passes.
CYU 07317 Security Strategies in Windows Platform 01/08/2025 39
 Discovery…
 It is important to recognize what “normal” looks like.
 Usually, the only way to know something is not right is to compare
suspect activity with normal activity, often called a baseline.
 The most common method of accomplishing this is to use activity
and monitoring logs
 Log files often contain evidence to detect that something abnormal
has happened.

CYU 07317 Security Strategies in Windows Platform 01/08/2025 40

 Analysis
 Once abnormal activity is identified, the next step is to analyse it
 Not all suspect activity is bad. Some activity has a rational explanation
 Perhaps the database server was under an unusual load due to too many users
running large reports.
 Load balancing could have been disabled so that all network activity was sent
through a single device.
 Both of these cases are abnormal but do not indicate attacks. Security information
and event management (SIEM) tools can make the analysis phase much more
efficient.
CYU 07317 Security Strategies in Windows Platform 01/08/2025 41
 Analysis…
 SIEM tools collect and aggregate security-related information from
multiple sources and devices and help prepare the data for
correlation and analysis.
 These tools can often cross-reference known vulnerability
databases to help identify suspect behavior
 The analysis phase includes validating suspect activity as abnormal
and then figuring out what is causing it.

CYU 07317 Security Strategies in Windows Platform 01/08/2025 42

 Analysis…
 The next step is to consult current vulnerability and security bulletin
databases to see if others are experiencing the same activity
 There are many security-related databases that serve this purpose, but
 Several repositories are the most popular and commonly used to
research vulnerabilities
 The table below lists the most common repositories for security
vulnerabilities and exposures.

CYU 07317 Security Strategies in Windows Platform 01/08/2025 43

 Common repositories for security
vulnerabilities and exposures
RESOURCE ADDRESS COMMENTS
Common Vulnerabilities and Exposures http://cve.mitre.or Dictionary of publicly known vulnerabilities and exposures
(CVE) g/ (focuses on the instance of vulnerability—not the flaw that
causes the vulnerability)
National Vulnerability Database http://nvd.nist.gov CVE data plus additional resources
/
United States Computer Emergency http://www.us-cer Numerous security alerts and bulletins
Readiness Team (US-CERT) t.gov/
Common Weakness Enumeration (CWE) https://cwe.mitre. A community-developed list of common software security
org/ weaknesses (focuses on the flaw that causes a vulnerability)
Full Disclosure http://seclists.org/ Vendor-neutral discussion of vulnerabilities and exploits
fulldisclosure/
Common Attack Pattern Enumeration and https://capec.mitr Dictionary of known patterns of attack
Classification (CAPEC) e.org/
CYU 07317 Security Strategies in Windows Platform 01/08/2025 44
 Remediation
 The third step in the cycle is to remediate the activity
Simply put, this means to contain any damage that has occurred, recover
from any loss, and implement controls to prevent a recurrence.
 The particular steps to take in any of these phases depend on the nature
of the attack
 Most vulnerabilities and exposures that are documented in a public
database are accompanied by suggested remediation steps.

CYU 07317 Security Strategies in Windows Platform 01/08/2025 45

 Remediation…
 It is possible to trace back from the discovery event that
indicated abnormal activity occurred.
 Controls that prevent any new activity that results in the
abnormal activity may be a good place to start
 Ensure that any new controls comply with operational
requirements and don’t interfere with critical business
processes.
CYU 07317 Security Strategies in Windows Platform 01/08/2025 46
 Common Forms of Attack
 Attacks on Windows platforms can take on many forms
 It is common to see several types of attacks combined to
accomplish the attacker’s goal
 The table below contains a brief list of the most common
types of attacks on any information systems.

CYU 07317 Security Strategies in Windows Platform 01/08/2025 47

 Common Forms of Attack
 Attacks on Windows platforms can take on many forms.
 It is common to see several types of attacks combined to
accomplish the attacker’s goal
 The table below contains a brief list of the most common types of
attacks on any information systems.

CYU 07317 Security Strategies in Windows Platform 01/08/2025 48

 Common Information Systems Attack
Types
Phishing Phishing attacks generally start with a message that contains
a link or image to click, or a file to open. Taking these
actions launches malware attacks.
Malware Malicious software, also called malware, is software that is
designed to carry out tasks that the user would not normally
allow.
Denial of service Any action that dramatically slows down or blocks access to
one or more resources.
Injection attacks A family of attacks that depend on the ability to send
instructions to a software application that cause the
application to carry out unintended actions. SQL injection is
the most commonly recognized type of this attack.

CYU 07317 Security Strategies in Windows Platform 01/08/2025 49

 Unprotected Windows Share A situation that allows attackers to install tools, including
malicious software.
Session hijacking and credential reuse Many online applications set up sessions with valid users
providing authentication credentials at the beginning of
the session. Attackers often attempt to take over valid
sessions or capture the credentials provided to
impersonate valid users.

Cross-site scripting Specially crafted malicious code used to attack web

applications.
Packet sniffing The process of collecting network messages as they
travel across a network in hopes of divulging sensitive
information, such as passwords.

CYU 07317 Security Strategies in Windows Platform 01/08/2025 50

 LECTURE SUMMARY
 Securing Windows operating systems and applications is not easy, but it is
possible
 It is necessary for an organization to successfully meet its operational
goals.
 The first step in securing a Windows environment, and then maintaining a
secure environment, is to understand how your computers, devices, and
cloud-based services are vulnerable
 From there, a study of the most common attacks against vulnerabilities
leads to steps that respond to threats and make your environments more
secure..
CYU 07317 Security Strategies in Windows Platform 01/08/2025 51
 LectureSummary…
 Learning about past attacks against information systems environments is
more than a technical history lesson
 It is a study of techniques attackers use to compromise today’s IT
environments.
 In spite of the increasing sophistication of attackers, many of today’s
attacks are either a resurgence of or a variation on earlier attack
methods
 Close attention to previous exploits makes you far more active to
respond to the next attack
CYU 07317 Security Strategies in Windows Platform 01/08/2025 52
 Architecture of the Windows
• Windows Run Modes
• The architecture of the Windows operating system consists of two main
layered components—kernel (or supervisor) mode and user mode programs.
Kernel mode and user mode programs run in a privileged mode, also called
kernel or supervisor mode, and interact closely with the physical hardware.
User mode programs interact with both users and kernel mode programs..

CYU 07317 Security Strategies in Windows Platform 01/08/2025 53

 Windows operating system
components
 Programs running in kernel mode have
complete access to the computer’s hardware
and system services
 This level of access is needed by the operating
system and provides an attractive target for
attackers.

CYU 07317 Security Strategies in Windows Platform 01/08/2025 54

 Attacker‘s technical tips
 One common goal of attackers is to run a program of their choice
in kernel mode
 At that level of privilege, an attacker can pretty much own a
computer
 Pay special attention to any vulnerability you encounter that could
allow an attacker to escalate privilege to kernel mode

CYU 07317 Security Strategies in Windows Platform 01/08/2025 55

 Windows running
 Kernel Mode
 Programs running in kernel mode have complete access to the
computer’s hardware and system services. This level of access is
needed by the operating system and provides an attractive target
for attackers.
 The table below shows the main kernel mode program
components.

CYU 07317 Security Strategies in Windows Platform 01/08/2025 56

 Key concept and terms covered
 Administrative control  Corrective control
 Attacker  Defense in depth
 Authorized user  Detective control
 Availability  End-User License Agreement
 C-I-A triad (EULA)
 Hacktivist

CYU 07317 Security Strategies in Windows Platform 01/08/2025 57

 Key concept and terms covered
…
 Integrity  Risk
 Logical control  Security control
 Malicious software  Technical control

 Physical control  Threat

 Preventive control  Unauthorized user

 Vulnerability
 Ransomware
 Worm
CYU 07317 Security Strategies in Windows Platform 01/08/2025 58
 END

CYU 07317 Security Strategies in Windows Platform 01/08/2025 59