If businesses and consumers stuck to security basics, they could have avoided all cases of Conficker worm infection detected on 1.7 million systems by Microsoft researchers in the last half of 2011.
According to the latest Microsoft Security Intelligence report, all cases of Conficker infection stemmed from just two attack methods: weak or stolen passwords and exploiting software vulnerabilities for which updates existed.
BATTLING BOTS: Microsoft names alleged Kelihos botnet creator
So using strong passwords and boosting password security in combination with promptly patching known vulnerabilities would have gone a long way toward reducing the number of Conficker infections, which rose by more than 500,000 in the fourth quarter of 2011, according to the study.
Despite these simple steps, Conficker has remained at the top of the enterprise threat list for the past two and a half years, the study says.
In defense of computer owners, the worm often carries key loggers that steal passwords, says Tim Rains, Microsoft's director of trustworthy computing. The report includes a graphic listing some of the passwords that Conficker tries when it's on a machine inside the enterprise trying to get into file shares, and the list is a who's who of weak passwords (11, 22, admin, asdfgh, foofoo, Password).
The report has recommendations for businesses trying to battle advanced persistent threats (APT), which it describes as targeted attacks that can use a variety of methods and that are carried out by adversaries who are very determined. That determination and commitment to long-term infiltration are the key features of APTs, Rains says.
To fight them requires holistic risk management that includes prevention, but also effective detection. A big-data approach to aggregating network security and traffic data and analyzing it for anomalous behavior increases the chances of noticing malicious activity of stealthy malware, he says.
Businesses should also architect their networks in segments designed to contain successful attacks, giving IT security more time to discover them and respond. That response should be well thought out and rehearsed so it can be implemented quickly when the time comes, he says.