Macro and ActiveX Defenses

The bad news is that macro and ActiveX attacks are a popular and effective class of attack. They will keep evolving to take advantage of new vulnerabilities, so they remain a risk no matter what you do. The good news is that, precisely because these attacks are so common, there are many ways to defend yourself or your organization against them without jumping through a lot of hoops.

Deploy Network Edge Strategies

The network edge is both your first and your last line of defense against attacks using active content such as macros and ActiveX. To understand this, think about how malicious content gets into your network and how it delivers any payload back out of it. In one sense these attacks are passive: the attacker is not actively attacking a specific target but is relying on some action taken by an unsuspecting user to trigger the attack.

Malicious content must pass through the network edge before it can be activated, so this is where you build the first line of defense discussed in the section "Using Antivirus and Antimalware." In many cases, Office documents with malicious content are delivered by e-mail, so your e-mail server can be used to keep the content from ever reaching a user. Besides scanning for viruses, e-mail servers can filter on tip-offs such as mismatched headers or senders on a blacklist. They can also be set to accept only plain-text e-mail (which does not affect attachments, but does kill all active content within the message bodies themselves).
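The following is an added example, not code from the chapter: a gateway-side check that a mail filter or quarantine script can run over Office Open XML attachments before they reach a user. It looks for the VBA project part inside the package and for the kind of mismatch the paragraph calls a tip-off, a file whose name claims a macro-free format (.docx, .xlsx, .pptx) while the package carries VBA. It assumes Windows PowerShell 5.1 or later with the .NET zip classes, and the staging folder path is a placeholder.

```powershell
# Added example (not from the chapter): inspect an Office Open XML attachment
# at the mail gateway for embedded VBA and for a mismatch between what the
# file name claims and what the package actually contains.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-OfficeAttachment {
    param([Parameter(Mandatory)][string]$Path)

    $ext = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    # Extensions that, by Microsoft's naming convention, must never carry VBA.
    $macroFree = '.docx', '.dotx', '.xlsx', '.xltx', '.pptx', '.potx'

    # Legacy binary (OLE) formats are not zip packages; hand them to the AV engine.
    if ($ext -in '.doc', '.dot', '.xls', '.xlt', '.ppt', '.pot') {
        return [pscustomobject]@{ Path = $Path; Verdict = 'Review'
            Reason = 'Legacy binary format; VBA presence cannot be read from package structure' }
    }

    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    } catch {
        # Password-protected or corrupt packages cannot be scanned at the edge;
        # the endpoint scanner must catch them when the user opens the file.
        return [pscustomobject]@{ Path = $Path; Verdict = 'Quarantine'
            Reason = "Unreadable package ($($_.Exception.Message))" }
    }

    try {
        # word/vbaProject.bin, xl/vbaProject.bin, ppt/vbaProject.bin all hold VBA.
        $hasVbaPart = [bool]($zip.Entries | Where-Object { $_.FullName -match '(^|/)vbaProject\.bin$' })
        # The package manifest also declares macro-enabled content types.
        $declaresMacros = $false
        $ct = $zip.GetEntry('[Content_Types].xml')
        if ($ct) {
            $reader = New-Object System.IO.StreamReader($ct.Open())
            try { $declaresMacros = $reader.ReadToEnd() -match 'macroEnabled' }
            finally { $reader.Dispose() }
        }
    } finally {
        $zip.Dispose()
    }

    if (-not $hasVbaPart -and -not $declaresMacros) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'Allow'; Reason = 'No VBA project in package' }
    }
    if ($ext -in $macroFree) {
        # Name says "no macros", package says otherwise: the same class of
        # tip-off as a mismatched header. Block rather than prompt.
        return [pscustomobject]@{ Path = $Path; Verdict = 'Block'
            Reason = "Extension $ext claims no macros but package contains VBA" }
    }
    [pscustomobject]@{ Path = $Path; Verdict = 'Quarantine'
        Reason = 'Macro-enabled document; release only after sender verification' }
}

# Usage: scan every attachment the gateway dropped into a staging folder
# (placeholder path) and list everything that should not be delivered as-is.
Get-ChildItem -Path 'C:\MailGateway\Staging' -File |
    ForEach-Object { Test-OfficeAttachment -Path $_.FullName } |
    Where-Object Verdict -ne 'Allow' |
    Format-Table Verdict, Reason, Path -AutoSize
```

The check deliberately returns "Quarantine" rather than "Allow" when it cannot open the package: an encrypted attachment is exactly the case the chapter describes in which edge scanning is blind and the endpoint scanner must take over.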

From an outbound perspective, edge strategies ensure that malicious content which has already executed inside your environment cannot deliver any value to the attacker. These strategies filter data as it tries to leave your network and include egress filtering on firewalls, an application-layer gateway, or a data loss prevention (DLP) solution. In each case, traffic from your internal network is scanned as it attempts to cross the network boundary and is allowed, blocked, or quarantined according to the policies and rule set you have defined.

Using Antivirus and Antimalware

You should install antivirus and antimalware software at every layer of your environment so that viruses and malware are detected and neutralized. This includes integration with the border devices, with e-mail servers, and on end-user devices. You need it at every layer because the goal is to eliminate the threat as early as possible, yet not all traffic can be scanned at each layer.

For example, let's say your friend knows you collect Star Wars action figures and wants to send you a picture he found in an ad for the last one you need. Since he knows your company monitors your e-mail, he encrypts the file and gives it a generic name to get past your e-mail filters. Unfortunately, this means the contents of the encrypted file cannot be scanned at the network edge and will not be inspected until someone opens it. Therefore, it is vital that scanning also occurs at whatever point the file is opened.

In addition to layering protection throughout the network, controls should be configured so that viruses are detected before they can run. To accomplish this, antivirus and antimalware software should use heuristics in addition to specific virus and malware signatures. Real-time scanning should always be enabled, and a full scan of the hard drive should be performed at least once a week. Using all of these options is a trade-off, because running the software this way costs more processor cycles, but in almost all cases it is worth it.

Update Frequently

Like Windows, Office applications sometimes have vulnerabilities, and these vulnerabilities are patched through updates. Updates to Office applications should either be downloaded and installed automatically on each machine or be integrated into whatever patching process you already have in your environment. Microsoft Update (the opt-in extension of Windows Update) delivers Windows and Office patches together, and this option is available for Office versions newer than Office XP.

Even more important than keeping Office up to date is keeping your antivirus and antimalware signatures as current as possible. The software should be set to download and install new signature files automatically as soon as they are released (establishing an internal update server that pulls from the vendor, rather than having each computer download individually, is a good way to accomplish this). In their infancy, antivirus signature files did sometimes cause problems on computer systems, so testing was needed before deploying them. That is now so rare that the risk of not running the newest signatures far outweighs the risk that a signature file will cause a problem on your systems.
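The two preceding sections describe a posture (real-time scanning on, heuristics on, a weekly full scan, signatures pulled as soon as they are released, ideally from an internal server) rather than a particular product. As an added example that is not from the chapter, here is that posture applied and then audited with the Microsoft Defender Antivirus cmdlets. It assumes Windows 10 or Windows Server 2016 or later with Defender as the endpoint engine and an elevated session; the internal update share path is a placeholder.

```powershell
# Added example (not from the chapter): enforce and verify the antivirus
# posture described above using Microsoft Defender Antivirus cmdlets.
# Assumes an elevated session on Windows 10 / Server 2016 or later.

function Set-AvPosture {
    # Real-time scanning on; cloud-assisted heuristics on.
    Set-MpPreference -DisableRealtimeMonitoring $false
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples

    # Weekly full scan of the disk, scheduled outside working hours.
    Set-MpPreference -ScanParameters FullScan -ScanScheduleDay Sunday -ScanScheduleTime 02:00:00

    # Pull signatures hourly, and refresh them before any scheduled scan.
    # Prefer an internal update point (placeholder share) and fall back to Microsoft.
    Set-MpPreference -SignatureUpdateInterval 1 -CheckForSignaturesBeforeRunningScan $true
    Set-MpPreference -SignatureDefinitionUpdateFileSharesSources '\\av-updates\defs'
    Set-MpPreference -SignatureFallbackOrder 'InternalDefinitionUpdateServer|MicrosoftUpdateServer'
    Update-MpSignature
}

function Test-AvPosture {
    # Returns 'Compliant' or a list of findings; suitable for a login script or
    # a compliance collector that writes the result somewhere central.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $findings = @()

    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is disabled' }
    if ($pref.MAPSReporting -eq 0)             { $findings += 'Cloud-assisted heuristics are disabled' }
    if ($status.AntivirusSignatureAge -gt 1)   { $findings += "Signatures are $($status.AntivirusSignatureAge) day(s) old" }
    if ($pref.ScanParameters -ne 2)            { $findings += 'Scheduled scan is a quick scan, not a full scan' }
    if ($pref.ScanScheduleDay -eq 8)           { $findings += 'No scheduled scan configured' }
    if ($status.FullScanAge -gt 7)             { $findings += "Last full scan was $($status.FullScanAge) day(s) ago" }

    if ($findings.Count -eq 0) { 'Compliant' } else { $findings }
}

Set-AvPosture
Test-AvPosture
```

The audit function is the part worth deploying widely: a setting that was correct when the image was built is only useful if something keeps checking that it is still correct on the machine in front of the user.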

Using Office Security Settings

Regardless of the version or type of Office application you use, there are security settings that control how the application deals with active content, and you should use them to protect your computer. In older versions of Office, the default settings generally allowed all active content to run, which is a problem from a security perspective. Microsoft changed this philosophy in recent years, so the defaults in newer versions are much more restrictive (though they can annoy end users, because they tend to ask for permission before running the content).

Epic Fail

Oversecuring an environment inevitably leads to undersecuring. Many companies pick the most restrictive settings possible when locking down their Office applications. Unfortunately, this usually leaves people unable to do their work. When security settings impact the business, leaders rarely have the stomach to spend the time tweaking the settings to the right level; instead they demand that the application be allowed to run with the lowest security settings possible. Of course, this opens the business up to all kinds of attacks over the long term, some of which would never have been possible had a more reasonable security approach been taken.

The security settings are separate for each Office application and are accessed through the menus of the particular application you are securing. Prior to Office 2007, these settings were generally located under the "Tools" menu and were relatively easy to find. Office 2007 restructured the interface and moved the security settings into an area named the "Trust Center" (shown in Figure 5.4), but made the settings much harder to reach.

FIGURE 5.4. Microsoft Word Trust Center

To access the Trust Center in Office 2007 applications, open the main menu by clicking the Office button in the top left-hand corner of the application. This opens a menu with a small button in the bottom right-hand corner labeled "Word Options" (or "Excel Options," "Access Options," and so on, depending on the application). Clicking the Options button brings up the Options dialog; select Trust Center from the list on the left side of the screen. This shows information in the right-hand pane, but not the Trust Center itself. The last step is to locate and click the "Trust Center Settings…" button in the right pane, which brings up the dialog shown in Figure 5.4.

All of the Office applications offer the same security settings in general terms, but they are not identical. For example, Excel has an additional "External Content" option that other Office products (such as Word and PowerPoint) do not. Table 5.1 describes each of the menus within the Trust Center and what it is used for. Additional information about the Trust Center is available from Microsoft's Web site.[B]

B. http://office.microsoft.com/en-us/help/ha100310711033.aspx

Table 5.1. Trust Center options

Trusted Publishers: Contains the list of code-signing certificates (publishers) that the Office application trusts. Macros and add-ins signed by a listed publisher run without prompting, so this list should be short and managed centrally.

Trusted Locations: Contains a list of folders whose files the Office application trusts when opening them. By default, this includes only the locations for templates and add-ins installed by Microsoft. Because this list overrides the macro and ActiveX settings below, adding the folders where you keep your everyday documents weakens the security of your computer.

Add-ins: Options for how the Office application deals with add-ins. These generally include disabling all application add-ins, requiring add-ins to be digitally signed by a trusted publisher, and suppressing user notification when Office stops an unsigned add-in from running.

ActiveX Settings: Options for how Office handles ActiveX controls in documents stored in locations not on the Trusted Locations list. By default, this is set to prompt the user before enabling controls with minimal restrictions. Also provides an option to always run controls in "safe mode."

Macro Settings: Options for how Office handles macros in documents stored in locations not on the Trusted Locations list. By default, this is set to disable all macros with notification. Also provides an option to trust programmatic access to the VBA project object model, which should stay off unless a specific tool needs it.

Message Bar: Options for whether the Message Bar is shown when Office has blocked content.

External Content (Excel only): Options for securing data connections and workbook links within an Excel workbook.

Privacy Options: Options related to Office Online, including checking Office documents that come from, or link to, suspicious Web sites as determined by Microsoft. Also provides an option to launch the Document Inspector, which searches a document for hidden content and metadata.

The Office 2007 defaults attempt to strike a balance between security and usability. In a domain environment, Office 2007 also lets you manage all of the Trust Center settings centrally through Group Policy using the Office administrative templates, so users cannot quietly loosen them. For earlier versions of Office, go through the security options under the Tools menu of each application and determine which settings are appropriate for your environment.
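Taken together, the Epic Fail sidebar and the Trust Center table argue for a moderate baseline enforced centrally: macros disabled with notification rather than silently, no programmatic access to the VBA project, and a single IT-managed trusted location instead of the user's own document folders. As an added example, not code from the chapter, the script below writes that baseline for Word into the policy registry hive that the Office Group Policy templates populate, then audits a machine against it, including the user's own trusted-locations list, which is where the weakening described in Table 5.1 usually happens. It assumes Office 2007 (version key 12.0; use 14.0, 15.0, or 16.0 for later releases) and the VBAWarnings, AccessVBOM, and Trusted Locations keys as defined in the Office policy templates; the templates folder path is a placeholder, and ActiveX keys are not covered.

```powershell
# Added example (not from the chapter): enforce and audit a moderate Trust
# Center baseline for Word via the policy registry hive that Office Group
# Policy writes to. Version key 12.0 = Office 2007 (assumption; adjust $ver).
$ver = '12.0'
$app = 'Word'
$policySec = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
$userSec   = "HKCU:\Software\Microsoft\Office\$ver\$app\Security"

# VBAWarnings: 1 enable all, 2 disable with notification, 3 disable all except
# digitally signed, 4 disable without notification. 2 keeps the user informed
# (the "ask for permission" default) instead of silently breaking their work.
# AccessVBOM: 1 trusts programmatic access to the VBA project object model.
$baseline = @{ VBAWarnings = 2; AccessVBOM = 0 }

function Set-TrustCenterBaseline {
    New-Item -Path $policySec -Force | Out-Null
    foreach ($name in $baseline.Keys) {
        Set-ItemProperty -Path $policySec -Name $name -Value $baseline[$name] -Type DWord
    }
    # Exactly one trusted location: a local, IT-managed templates folder
    # (placeholder path), not the user's Documents folder, and no network paths.
    $tl  = Join-Path $policySec 'Trusted Locations'
    $loc = Join-Path $tl 'Location0'
    New-Item -Path $loc -Force | Out-Null
    Set-ItemProperty -Path $loc -Name Path            -Value 'C:\CorpTemplates\' -Type String
    Set-ItemProperty -Path $loc -Name AllowSubfolders -Value 0 -Type DWord
    Set-ItemProperty -Path $loc -Name Description     -Value 'IT-managed templates' -Type String
    Set-ItemProperty -Path $tl  -Name AllowNetworkLocations -Value 0 -Type DWord
}

function Test-TrustCenterBaseline {
    $findings = @()
    foreach ($name in $baseline.Keys) {
        $actual = (Get-ItemProperty -Path $policySec -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $actual) {
            # No policy value means the user-hive value wins and the user can change it.
            $userVal = (Get-ItemProperty -Path $userSec -Name $name -ErrorAction SilentlyContinue).$name
            $findings += "$name not enforced by policy (user setting: $userVal)"
        } elseif ($actual -ne $baseline[$name]) {
            $findings += "$name is $actual, expected $($baseline[$name])"
        }
    }
    # Trusted locations from either hive that sit in the user's profile or on the
    # network bypass the macro setting entirely for anything dropped there.
    foreach ($tl in @((Join-Path $policySec 'Trusted Locations'), (Join-Path $userSec 'Trusted Locations'))) {
        Get-ChildItem -Path $tl -ErrorAction SilentlyContinue | ForEach-Object {
            $p = (Get-ItemProperty -Path $_.PSPath).Path
            if ($p -like "$env:USERPROFILE*" -or $p -like '\\*') {
                $findings += "Trusted location '$p' is user-writable or on the network"
            }
        }
    }
    if ($findings.Count -eq 0) { 'Compliant' } else { $findings }
}

Set-TrustCenterBaseline
Test-TrustCenterBaseline
```

In production the Set function is replaced by the Group Policy object itself; the Test function remains useful because a trusted location a user adds through the Trust Center dialog lives in the user hive and is invisible to anyone who only looks at the policy.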

Working Smart

In one of the earlier tips in this chapter, the importance of training end users to work smart with regard to the security of their computers was discussed. Working smart means understanding the basic security practices everyone should follow when using a computer. An obvious example is deleting the spam e-mail promising "more powerful orgasms" before opening the virus.exe attachment that came with it. Almost everyone who sees such an e-mail would delete it immediately; however, simply previewing an e-mail with embedded malicious code in Outlook could execute that code even if you never intended to open it.

Rule #1 for working smart is to think before you click on something. We usually think of this in relation to visiting a Web site, but the same thought process pays off when working with Office, because of the amount of active content these applications now carry. A large percentage of the e-mails, documents, and spreadsheets people share include embedded links or buttons that may redirect you to a Web site or run a macro. Take a second to ask yourself whether you have opened the document before, and run a virus scan against any document before you open it for the first time (most virus scanners add a "scan" option to the menu that appears when you right-click a file).

Also consider whether you trust the source of the document. Did you download it from a legitimate Web site like Microsoft.com, or was it something you found while searching for a free MP3 of the newest "Weird Al" song? Did you ask your boss to post a document you needed on your group's SharePoint site, or did someone just randomly e-mail it to you with a slightly suspicious subject line? Always think twice before deciding to click on something that may cause a security problem.

If you take a second to think about where a document came from, and whether you actually trust that source, you can act before opening it. If it arrived out of the blue from someone, confirm that they sent it by calling them or sending a new e-mail (it must be a new message, because replying to the questionable e-mail with "Did you send this to me?" requires opening it and defeats the purpose). When in doubt, check with your network administrators or security staff before doing anything you are unsure about; otherwise, you may reduce the security of your network.

Finally, it is incredibly important to pause when Office or Windows pops up a box asking whether you want something to run. That prompt is the last line of defense, and working smart means asking whether you actually requested the action that triggered it or whether something is happening in the background without your knowledge.

Summary

As we usher in new technologies and accept them with open arms, we are sometimes blinded by the eagerness to adopt functionality over security. New programming languages, features, and functionality added to our complicated work environment will not only simplify work tasks, but also open the door of opportunity. Unfortunately, the door may be open not only for business to thrive on but also for the attackers to leverage.

As demonstrated by the attacks in this chapter, you can see that combining technology and some ingenuity can allow attackers to execute very precise and effective attacks. Preparing for these attacks and thinking like your adversary will help you minimize the impact of some of these attacks. Unfortunately, security is a process and no product you buy off the shelf will protect you against all attacks. Luckily, you have taken one of the best steps you can: purchasing this book and learning how to think like and defend yourself from attackers.

