Security: Home vs. the Enterprise
Published: July 14, 2010
Author: Frank Simorjay, Senior Product Manager, Microsoft Trustworthy Computing
Version 8 of the Microsoft® Security Intelligence Report provides information for the latter half of 2009, from July to December. It includes many topics that are relevant to threats your organization faces on a daily basis. In this article we will take a quick look at the differences between threats for home (non-domain) users and those who use enterprise (domain-joined) computers.
You might wonder why non-domain users and those who use domain-joined computers face different threats. The reason is because their computer behavior patterns tend to be very different.
Enterprise users typically use computers to perform business functions and may have limitations placed on their Internet and email usage through technologies such as Group Policy, managed firewalls, and proxies. These users are also more likely to be collaborating with several members on a team, or working with customers and clients. They frequently share files using local or remote file shares, or removable solid state thumb drives. Among these users are "road warriors" who take enterprise laptops home or to other locations and unwittingly expose them to public and home networks that are not managed as carefully as networks in the workplace.
Home users are more likely to use their computers for entertainment purposes, such as playing games, watching videos, and communicating with friends. Home users have full control of their computers, and are typically more willing to install applications and browser extensions when they are prompted by websites to do so, especially when viewing videos that require the installation of video drivers. Unfortunately, criminals are also well aware that home users are more willing to install software. They frequently prey on this behavior by working to exploit users' willingness to trust Web content and convincing them to install or apply seemingly innocent software add-ons that in fact are Trojans.
The following figure shows the threat category breakdown for domain-joined versus non-domain computers in the second half of 2009:
Comparing the threats encountered by domain-joined computers and non-domain computers can provide insights into the different ways attackers target enterprise and home users and which threats are more likely to succeed in each environment.
The figure below shows the relative prevalence of different categories of malware and unwanted software on infected domain-joined and non-domain computers, and is expressed as a percentage of the total number of computers of each type that were cleaned. Totals exceed 100 percent because some computers were cleaned of more than one category of malware.
Worms accounted for two of the top three malware categories detected on domain-joined computers. The worm family Win32/Conficker, which employs several methods of propagation that work more effectively within typical enterprise network environments than they do over the public Internet, leads the list by a wide margin.
Other malware categories that are more common in domain environments include Win32/RealVNC, categorized as Miscellaneous Unwanted Software, and remote administration tools. RealVNC is a program that enables a computer to be controlled remotely, similar to Remote Desktop. It has a number of legitimate uses, but attackers also use it to gain control of users' computers for malicious purposes. Detections of RealVNC and other Virtual Network Computing (VNC) programs, which are often used for remote administration, are partially responsible for the relative prevalence of the Miscellaneous Unwanted Software category on domain-joined computers.
The Miscellaneous Trojan category includes the rogue or fake anti-malware security software-related families Win32/Renos and Win32/FakeXPA, which were more likely to be found on non-domain computers.And Win32/Taterf is a worm that is designed to steal the passwords of users who play massively multiplayer online role-playing games (MMORPGs). Such games are not common in the workplace, yet both categories were detected with similar frequency on both domain-joined and non-domain computers. Frethog, a family of Trojans, and Taterf both rely heavily on removable drives to propagate, a technique that was probably developed to help spread them in Internet cafés and public gaming centers, but one that has had the (perhaps unexpected) effect of spreading them efficiently in enterprise environments as well.
Protecting your users requires diligence in both network environments and in users' homes. The following list includes best practices and solutions that need to be considered when protecting your users:
If you found this information useful, you will likely find much other valuable information in the Security Intelligence Report, including information about protecting your networks, systems, and people.
Microsoft Security Intelligence Report