In an effort to show how well it is already doing at fending off daily attacks from an infinite swarm of hackers, Microsoft now wants its users to know that it has a brand new way of protecting them. Unlike previous updates, which fixed and patched security vulnerabilities in the system's software, this new method addresses the human aspect of computer security. In other words, it finally helps fight the human exploits that usually get most users in trouble.
Highlighting its own success, and with good reason, Microsoft announced that it is now focusing on protecting computer users from their own bad habits, which now lead to more security breaches than the computer “hacking methods” most people believe cyber attacks really are.
These attacks, which target users as opposed to the machines themselves, are called social engineering attacks. They work by exploiting the user’s trust, getting them to voluntarily hand over personal information in one way or another.
“We’re hardening the browser and the operating system, so it pushes attacks onto the user. You can’t resolve social engineering through a patch,” said Jeb Haber, principal program manager lead for SmartScreen Internet Explorer at Microsoft.
“The easiest way to infect a computer is to ask the user to do it… Socially engineered attacks take advantage of a user’s trust by convincing them to take an action that compromises their computer and/or data,” Haber said.
These attacks come in several forms. Some use fake websites that look just like the real thing, steal your information, and give you a virus to download disguised as the latest cool program. Others simply drop malware-infected USB drives around an organization’s facilities in hopes that employees will pick them up and plug them into their work computers, which was shown to be what about 60% of government employees fell victim to in a Homeland Security study. These methods have proven to be most effective at exploiting human behavior and trust.
Microsoft is tackling these social engineering traps by making it simple and effortless to run a quick background check on the programs users are about to download or launch, and on the websites they are about to enter their information into. One such safeguard has been around for a while: the message some users receive from the browser or the search engine warning that a website they are about to visit is fake or contains malware. But the latest and most effective method that Microsoft revealed is in its latest upgrade to the Internet Explorer 9 browser.
“Users today are often conditioned to ignore the generic warnings that are shown for every download, such as: ‘This file type can harm your computer. Are you sure you want to run this file?’ This same warning is presented whether the file is an extremely common program or a piece of malware created literally minutes ago,” Haber said.
This new feature is called “application reputation,” and its job is to replace the old, generic warning that users get when they try to launch a program they downloaded from the web. The old warning popped up any time a downloaded program was about to be launched, no matter how well-known it was. The new feature will quickly scan the program to see if other people have downloaded it without issue, or whether it is an unknown program that could potentially be a virus.
In the weeks since this new feature was rolled out, it has already proven to be extremely effective, as it prevented 96% of users from opening files that would normally have infected their systems. Given how much of an advance this is for Internet security, especially for not-too-security-savvy Internet users, this type of program background check should be used in other browsers as well. For now, it might be a good idea to check out Internet Explorer 9 and perhaps use this feature when you plan on downloading files and programs off the web.