Security Minded - from Kai the Security Guy

Farewell! Kai Axford is Leaving Microsoft

2009-12-29T17:07:23Z

Friends,

After 10 years of working for the greatest software company in the world, I will be leaving Microsoft. I strongly believe that God directs our paths and His plan for me has been confirmed by the amazing opportunities He has provided for my family here in Texas. My wife and I moved around a lot during our childhood and we decided early on we would like to put down roots in Texas. This decision, while not easy, will allow us to honor that decision, and also allow me to grow in my information security career.

During my time at Microsoft, I’ve made some great friends inside the company, but also outside when speaking at various events. I have had the unique opportunity to meet some of the most passionate and intelligent technical people in the world and have learned from each of you. During my time at Microsoft, I was able to travel the world, work on many great teams, win some awards (thanks to those great teams), complete my MBA, start a family, and most importantly, meet the most beautiful woman in the world, who became my wife.

I am so excited about the next steps in my life, but I am sorry to leave the people here behind. To all those who’ve followed me over the years, I wish you and your families the very best for 2010 and the future!

You can catch up with me and all my new adventures at my new blog: http://kaiaxford.wordpress.com/

New Editor of the Microsoft Technical Audiences Security Newsletter

2009-08-17T19:17:55Z

Well, in case you don’t subscribe, I’m now the official editor of the Microsoft Technical Audience Security Newsletter. It’s nice to actually get a security professional as the actual owner of the newsletter, and hopefully I’ll be able to weed out the material that’s not related to our topic. That being said, we also want to start including some material that is pertinent to you not only in a “hard skill, how do I install/configure Microsoft’s Product X?”, but we also want to be sure that we have some good information out there that will assist you in the current economic situation that we now find ourselves. Yes, even the once booming world of information security has been hit by the bad economy. To that end, I would like to start covering some things like professional career advice, how to build those business skills, how to tweak your resume, etc. I think these will all be of great benefit.

Also, I want to hear your valid feedback. Don’t email me about how you ‘re sent in money to some Nigerian prince and you haven’t seen your money since. Also, don’t fire up an email to ask me why your machine tends to BSOD with a STOP 0x7E when you install that driver you wrote in your garage. If I don’t see valid suggestions about topics to discuss or ways to make this security newsletter better….it’s getting deleted.

This month we’re talking about database security. Good ‘ol SQL Injection. Get ready….it’s going to be a fun ride.

- Kai

Is Cloud Computing Really Risk Transference?

2009-02-19T00:07:15Z

The current buzz in the technology industry is all about this idea of Cloud Computing. It goes by many many names but we’ll just stick with this one to eliminate confusion. Sure, it’s a great idea and vendors are talking about “moving your data to the cloud” where someone else can manage your data, provide better uptimes, manage the patching process, etc. Unfortunately, as a security guy, I tend to look at the idea of cloud computing from a risk perspective…and it just isn’t fluffy cumulus clouds that I see…it’s more like the picture you see here.

From the security perspective, it appears to be nothing more than a matter of risk transference, very similar to what any good insurance policy will do for you. Companies are trying to be quick to market with their Cloud Computing Security Strategies, but I’ve yet to hear anyone truly identify the risk that this will solve. At the end of the day, it comes down to two simple questions that either your CSO or Legal Department will most assuredly ask:

Who ends up being liable for the data that’s stored in the cloud when it’s breached?

Who’s name and signature is going to be at the end of the Breach Notification letter you’ll send to your customers?

I’ve been doing a lot of research on the topic of “cloud computing security” the last few weeks, as I prep for my session at TechEd North America 2009 entitled “Securing the Cloud”. I have to tell you, I don’t see a lot of companies agreeing to become liable if your data gets breached on their network. I’m not sure how this really differs from putting your money in a bank, rather than in your mattress. The bank (through the powers of the FDIC) ensure my money up to a certain amount. Will my cloud vendor do the same?

Of course, with all new things, old problems still exist. How is that 3rd party auditors going to successfully conduct an external audit of your data, when the data and controls aren’t even on the premises? “Well, Mr... Sarbanes-Oxley Audit Master, I’d love to show the controls that we have in place to remain compliant with 404, but the data isn’t actually here. Perhaps you can contact our cloud provider to find out the controls they’re using to keep my customer data secure.” That probably isn’t go to go over to well. Remember, you can delegate authority, but not responsibility.

I just want to be sure that we are all really giving this a lot of thought before we start dumping our data up to some unknown entity in the clouds. There are plenty of positive things that cloud computing provides, but at what cost? I’ll take the extra time to patch my enterprise’s servers if it means keeping my data close.

As someone who travels extensively talking to security professionals, I learned long ago that I don’t have all the answers….and this is no exception. Let’s start a dialogue through the comments. What risks do you see with regard to moving to a cloud computing infrastructure and is your business headed that way?

Also, before I forget….I’ve found a really great cloud computing security blog called http://cloudsecurity.org. Two thumbs up! Check it out.

Sweetie…can I make some security modifications to the car?

2009-02-16T19:26:21Z

This is just too awesome to miss. I always enjoy a good video, especially when it relates to security. I just recently bought a new SUV (traded in the 2004 Mustang GT convertible) with the new baby and now I’m very sad that I forgot to ask for this option when I did. The guys at DillonAero did a great job with this new vehicle. Makes you wonder what those cars in the presidential motorcade are for.

Not to mention, this would pretty much clear up the problem of non-IT people parking in the “IT Department” parking spot.

ALERT: $250,000 Reward

2009-02-13T05:15:34Z

REDMOND, Wash. — Feb. 12, 2009 — Today, Microsoft Corp. announced a partnership with technology industry leaders and academia to implement a coordinated, global response to the Conficker (aka Downadup) worm. Together with security researchers, Internet Corporation for Assigned Names and Numbers (ICANN) and operators within the Domain Name System, Microsoft coordinated a response designed to disable domains targeted by Conficker. Microsoft also announced a $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet.

“As part of Microsoft’s ongoing security efforts, we constantly look for ways to use a diverse set of tools and develop methodologies to protect our customers,” said George Stathakopoulos, general manager of the Trustworthy Computing Group at Microsoft. “By combining our expertise with that of the broader community we can expand the boundaries of defense to better protect people worldwide.”

As cyberthreats have rapidly evolved, a greater level of industry coordination and new tactics for communication and threat mitigation are required. To optimize the multiple initiatives being employed across the security industry and within academia, Microsoft helped unify these broad efforts to implement a community-based defense to disrupt the spread of Conficker.

Along with Microsoft, organizations involved in this collaborative effort include ICANN, NeuStar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver Foundation, Arbor Networks and Support Intelligence.

“The best way to defeat potential botnets like Conficker/Downadup is by the security and Domain Name System communities working together,” said Greg Rattray, chief Internet security advisor at ICANN. “ICANN represents a community that’s all about coordinating those kinds of efforts to keep the Internet globally secure and stable.”

“Microsoft’s approach combines technology innovation and effective cross-sector partnerships to help protect people from cybercriminals,” Stathakopoulos said. “We hope these efforts help to contain the threat posed by Conficker, as well as hold those who illegally launch malware accountable.”

More information about how to protect yourself from Conficker can be found at http://www.microsoft.com/conficker. Customers interested in learning more about staying safe online can visit http://www.microsoft.com/protect.

Microsoft’s reward offer stems from the company’s recognition that the Conficker worm is a criminal attack. Microsoft wants to help the authorities catch the criminals responsible for it. Residents of any country are eligible for the reward, according to the laws of that country, because Internet viruses affect the Internet community worldwide. Individuals with information about the Conficker worm should contact their international law enforcement agencies.

Hyper-V Security Guide goes Beta

2009-02-06T22:34:36Z

Well, I told everyone last year on my Virtualization Security Tour that this thing was coming out soon! Well, we released a Beta of the document on our Beta site, which you should join if you haven’t already. One of my jobs is to help do technical review of documents/slides internally for our Security Content Review Board. I just got the request today and have started looking it over…and now you can review it as well! Sweetness. I’d love to hear your comments!

You should also take a look at the TechNet article entitled Planning for Hyper-V Security which was just updated on 2/4/2009.

The Hyper-V Security Architecture..love it!

Also, don’t forget to check out the wonderfully and amazing article on virtualization security titled Security in a Virtual World, written by some guy with Hemingway type writing skillz. It talks about things to consider in your VM deployments. It’s not about how to obtain the next set of epic gear in World of Warcraft (which is a whole ‘nother type of “virtual security”).

I’m currently out speaking at some internal Microsoft conferences, but I’ll be back next week!

Hello Baby!

2009-02-02T07:09:55Z

Frantic in Dallas

I’m back…after a long absence.

The last 3 months or so have been crazy in my life. After my trip to London and Edinburgh in mid-September, I returned home patiently awaiting the delivery of our son in late-October. We went to the doctor on Monday, September 29th and the sonogram looked great. No worries. I was slotted to go to New York on Wednesday of that week. I asked the doc if it was okay for me to head out on Tuesday, speak on Wednesday, and then return Wednesday night. A quick turnaround. “Go”, he said, “this baby isn’t coming until late October, right on schedule.” I generally trust doctors, so I kissed my wife goodbye and headed to New York.

I got a voicemail from my wife as I landed in Cincinnati to change planes: “GET HOME NOW!"

I immediately call home, but my wife is being admitted to the hospital, and I can’t reach her. I get in touch with her parents and am told everything is okay with her, but she had to be admitted and I needed to get back. I then begin calling American Airlines trying frantically trying to arrange a return flight. I got hold of my wife and was assured that she was okay. I got in late and immediately rushed to the hospital.

Our first child was born on October 2nd, 2008. (He is currently in training to join the Green Bay Packers in 2031.)

After his birth I had 4 weeks of vacation and 4 weeks of parental leave. Now that we’re in 2009, I’ve dug myself out of email and now I’m ready to hit the ground running.

So What Ya Working On, Kai?

Well first let me say that I have been spared the first round of layoffs that we announced a few weeks ago. Unfortunately, I have several good friends who were let go. My thoughts are with them and their families. Let’s hope this economy thing fixes itself sooner than later.

I’ve also been working on getting sessions submitted for TechEd 2009. Here’s the ones I submitted and their status. Love to hear what you think about the sessions. Are these good ideas or what would you like to see?

SECURING THE CLOUD (APPROVED)
==========================
You've heard the buzzwords for the computing that takes place outside the walls of your company - Cloud Computing, Software as a Service (SaaS), Grid Computing, Storage in the Cloud, etc. Have you considered the security risks that such a paradigm shift presents to your business? Security is one of the biggest hurdles preventing the move to "computing in the cloud". Join Kai Axford, a Sr. Security Strategist with Microsoft's Trustworthy Computing Group as he identifies and discusses the IT security risks such a move could have on your organization.

SECURING WINDOWS ESSENTIAL BUSINESS SERVER 2008 (APPROVED)
===================================================
It's about time! Microsoft has just released the multi-server solution targeting the mid-size business after years of enterprise and small business love. Your thinking about making the move to EBS...but what about security? Is this a "full featured" Forefront TMG? How do the filters work in my Exchange Server security? What flavor or System Center do I get and how do I use it? Join Kai Axford, a Sr. Security Strategist with Microsoft's Trustworthy Computing Group as he demonstrates and discusses this mid-size product in a highly interactive and engaging session.

SECURITY FINANCE FOR IT SECURITY GEEKS: GET THE BUDGET YOU REALLY WANT! (PENDING)
===================================================================
IT security people understand technologies and security risks. Too often we miss out on getting the budgets we want and need, simply because we don't know how to justify the project to the non-technical bean counters. In this session, you'll learn some simple capital budgeting and project justification methods such as NPV and IRR that CFOs love. We'll show you how you can use tried and true financial analysis to prove that you really do need that bright shiny firewall appliance. Heavy on the geek, light on the finance.

THE SECURITY SHOW v2.0 (PENDING)
============================

Are you tired of Death By Powerpoint? Too much Microsoft lecture with little time for questions? Afraid of another monotone PM talking about some (yawn) topic? Then check out "The Security Show v2.0"!!! This interesting talk show format brings together the top security minds discussing the toughest security issues of today. The best part is we allow you to get involved and interact with the guests. Don't delay! Limited seats are available for this daily show!

DAY 1: The Cybercriminal Underground
DAY 2: SDL and Why Should I Care?
DAY 3: Inside the Microsoft Security Response Center
DAY 4: Chat with a Ninja

Thoughts?

Big Bang Machine Hacked!

2008-09-15T15:00:33Z

Well, apparently no one planned any information security with the super collider. I love the quote from this guy who is obviously not a security guy “We don’t know who they were but there seems to be no harm done.” Right. No harm done. We’re sorta sure.

Time to buy a tin-foil hat.

Batten Down the Hatches Texas!

2008-09-11T03:03:11Z

Well, I’ve been pretty much just keeping only a cursory interest in Hurricane Ike once my family on the East Coast was going to be safe. Now I have to pay attention again.

A friend of mine sent me this today, which means my flight on Saturday will either be arriving early or departing really really late (if at all). I may be trying to stock up on bottled water. I’m sure Keith will have to buy a generator to keep his 3 monitors running. I love to torment my team in Redmond when they send pictures of 3-foot snow drifts in January…by sending them pictures of the wind blowing a few leaves in my pool in Dallas.

Looks like they may be getting the last laugh.

The Last Episode on Physical Security!

2008-09-10T13:42:00Z

This wraps up the 4-part series where I discuss physical security at Microsoft with one of the guys who keeps you safe when you visit Redmond or any other of the many Microsoft campuses around the world. Thanks Johnny for making us all feel safe when we step onto the campus and thanks for sharing your terrific story of security convergence and how that happens here.

I have one more series still in the bag, and it’s about How Microsoft IT Does Smart Cards, where will sit down and find out the challenges we faced in deploying smart cards to 80,000+ employees around the world. Good stuff for sure!