The Security Development Lifecycle (SDL) threat modeling process has evolved over the last few years to be simpler and faster to apply. In this MSDN article, the authors provide both guidance and examples of how to threat model effectively and efficiently. The process centers around a fast modeling and analysis process that any developer or PM can learn.
http://msdn.microsoft.com/msdnmag/issues/06/11/threatmodeling/
Urs
User Account Control (UAC) is an often misunderstood feature in Windows Vista. See the online article by Mark Russinovich on TechNet: http://www.microsoft.com/technet/technetmag/issues/2007/06/UAC/default.aspx
DNS issues come up quite a bit on web boards and mailing lists. Recently there has been a flurry of questions related to DNS publishing. This could be because of the recent attacks on the root DNS servers or because of the Windows DNS server vulnerability a couple of weeks before. However, Thomas Shinder put together a good overview of different scenarios for protecting DNS servers behind a firewall and publishing them:
Part 1: http://www.isaserver.org/tutorials/DNS-Publishing-Scenarios-Part1.html
Part 2: http://www.isaserver.org/tutorials/DNS-Publishing-Scenarios-Part2.html
With Windows Server 2008 ("Longhorn"), it will be possible for the first time to have different password policies in the same domain. Very good reading on that topic, but I hope that we will make the "user interface" a bit easier by RTM. ;-)
http://www.windowsecurity.com/articles/Longhorn-Poised-Provide-Multiple-Domain-Passwords.html
Microsoft Forefront Client Security provides three important functions: protection, control, and reporting. This TechNet Library topic introduces the Forefront Client Security user interface and discusses the major features in more detail. As this library topic is intended to provide an overview, links are provided to more detailed reference materials. Additionally, a detailed description of the user interface and available features is available through the Client Security Administrator's Guide.
TechNet Library: http://technet.microsoft.com/en-us/library/bb432639.aspx
Client Security Administrator's Guide: http://technet.microsoft.com/en-us/library/bb434993.aspx
Microsoft has become aware of a bug in the e-mail verification portion of the registration process for new Windows Live ID accounts. A way has been found to successfully complete the "verification" process for an e-mail address that the user does not own, using an e-mail address the user does own. This problem is limited to the creation of new accounts and does not impact anyone with an existing Windows Live ID account. This means that at no time could this bug have been used to hack into an existing Live ID account!
Windows Live ID, as part of registration, verifies the associated e-mail account for each Windows Live ID. Since this authentication process, like many online services, verifies only a person’s e-mail address and not their identity, users should exercise caution when dealing with individuals online whose identity they cannot personally verify.
However, this issue has been resolved now.
A push to standards for network forensics
By Beth Rosenberg, Network World, 06/20/07
Digital forensics is still a young science. That newness, coupled with the fast-changing world of computer technology, has resulted in a taxonomy and methodology for digital forensics that are poorly defined and confusing to computer security experts and law enforcement.
http://www.networkworld.com/news/2007/062007-techupdate.html?page=1
Very interesting online article about the profiling of an operating system.
http://www.windowsecurity.com/articles/Profiling-Operating-System-Part1.html
In an IT world, it's not the gardener, it's the cleaner!!! Once again... Funny story about a Bluetooth device... ;-)
http://blogs.msdn.com/michael_howard/archive/2007/06/05/the-bluetooth-keyboard-mystery-solved.aspx
As I mentioned in a blog entry yesterday, we have officially launched the Forefront and System Center product family in Switzerland. But we have also already announced the next generation of the Forefront security products, codename "Stirling"! No time to get lazy... ;-)
http://www.microsoft.com/forefront/prodinfo/roadmap/stirling.mspx
"Forefront codename “Stirling” is a single product that delivers unified security management and reporting with comprehensive, coordinated protection across clients, server applications, and the network edge. Through its deep integration with the existing infrastructure, such as Microsoft Active Directory and Microsoft System Center, customers can reduce complexity, making it easier to achieve a more secure and well-managed infrastructure."
BitLocker serves two very important purposes: it provides both full-volume data encryption and a way to validate the integrity of early startup components before Windows Vista starts. Check out this TechNet Magazine article for an overview of how BitLocker works and how it can help IT professionals protect their organizations with full volume encryption, secure decommissioning, and more.
http://www.microsoft.com/technet/technetmag/issues/2007/06/BitLocker/default.aspx
We have released a preview of our Malware Protection Portal, which will go live this summer. You can find it here: http://www.microsoft.com/security/portal/ Feedback is definitely welcome...
Microsoft is pleased to announce the release of the Microsoft Security Assessment Tool Version 3.0. The new version of the tool offers improved functionality and an improved customer and partner experience, including resource toolkits that contain supporting materials for both customers and partners. We have also made changes to the tool to protect our intellectual property (IP) and comply with Microsoft personally identifiable information (PII) and asset strategies.
Other changes made to the tool include:
http://www.microsoft.com/downloads/details.aspx?FamilyID=6D79DF9C-C6D1-4E8F-8000-0BE72B430212&displaylang=en
The problem of enterprise data protection is so big, companies have just begun wrapping their arms around it. Most experts and customers admit that in most companies the process of tracking down every piece of valuable company data -- and applying the appropriate tools to shield information from unwanted access or misuse -- remains in its beginning stages. The InfoWorld article discusses how enterprise companies are discovering their vulnerabilities, and the steps they are taking to address those vulnerabilities.
http://www.infoworld.com/article/07/06/25/26FEdataprotection_1.html
Though security industry experts were freely predicting the death of spam several years ago, the arrival of image-based attacks has resulted in a stunning renaissance in the volumes of unwanted e-mail reaching end-users' inboxes. And while filtering technologies have improved significantly and can thwart the ability of most image spam to force its way onto corporate networks today, some experts believe that the fight against the use of such AI (artificial intelligence) tactics on the part of spammers is only just getting underway...
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9022560&intsrc=news_ts_head
How Software is Built - Interview with Michael Howard, senior security program manager in the Security Engineering team at Microsoft:
http://howsoftwareisbuilt.com/2007/06/24/michael-howard-microsoft-interview/
Mobility has changed computer threats and the techniques that guard against them. As laptops wander outside the perimeter and come back to the network, you need better ways to protect your systems. Find out how you can use Windows Firewall to protect your computers—on the Internet and on your own internal network. In this article, Steve Riley discusses inbound vs. outbound protection, the Windows Filtering Platform, the Advanced Security interface, and network profiles.
http://www.microsoft.com/technet/technetmag/issues/2007/06/VistaFirewall/default.aspx
The new Advanced Group Policy Management (AGPM) tool from Microsoft, by Derek Melber.
http://www.windowsecurity.com/articles/Using-Advanced-Group-Policy-Management-Protect-GPOs.html
Privacy Guidelines for Developing Software Products and Services
In response to requests from customers, partners, ISVs, educators, advocates, and regulators, Microsoft created a public set of privacy guidelines for developing software products and services. These guidelines are based on our internal guidelines and our experience incorporating privacy into the development process. By documenting our principles, we hope to help anyone building products and services to meet customer expectations and deliver a more trustworthy experience.
http://www.microsoft.com/downloads/details.aspx?FamilyId=C48CF80F-6E87-48F5-83EC-A18D1AD2FC1F&displaylang=en
Managing and Protecting Personal Information
A multifaceted approach to data privacy management involves a combination of people, processes, and technology solutions. This paper focuses on the important role technology plays in helping enterprises responsibly protect and manage personal information, mitigate risk, achieve compliance, and promote trust and accountability.
http://www.microsoft.com/downloads/details.aspx?FamilyId=53035B0D-66BE-415A-AADC-AE47105AF354&displaylang=en
We published the second Security Intelligence Report. Now, you might ask why this is significant. Think about the data sources we build the report on: Since FY05 the Malicious Software Removal Tool was run over 5 billion times and removed more than 27 million pieces of malware. Since November 2005, when we launched the Beta, Windows Live Online Safety Scanner was downloaded more than 15 million times. Now, we collect information about the OS we are running on, the Service Packs and the Patch Level as well as the locale. We do not collect any Personally Identifiable Information - obviously. But this gives us a pretty broad base to look at - and there are some really interesting figures in there.
http://www.microsoft.com/downloads/details.aspx?FamilyId=AF816E28-533F-4970-9A49-E35DC3F26CFE&displaylang=en
A good overview of information warfare: http://www.fas.org/irp/crs/RL31787.pdf
The Data Encryption Toolkit for Mobile PCs provides tested guidance and powerful tools to help customers protect their organizations’ most vulnerable data—the information residing on their laptops. Free and available on TechNet, the Toolkit has four components: the Executive Overview, Security Analysis, the Planning and Implementation Guide, and the Encrypting File System (EFS) Assistant. The Toolkit’s strategies are easy to understand, and show how to use two key encryption technologies: BitLocker Drive Encryption, which is included with specific versions of Windows Vista, and the EFS, which is included with Windows XP Professional and Windows Vista.
http://www.microsoft.com/technet/security/guidance/clientsecurity/dataencryption/default.mspx
New online tool charts cybersecurity standards developments essential guidance to cybersecurity architects
ITU has developed an online tool to keep track of crucial ICT security standards work through a single access point. For the first time, ICT security vendors, service providers, developers, researchers and the public will now have security standards at their fingertips, with one common user interface.
http://www.itu.int/newsroom/press_releases/2007/NP07.html
Data protection policies need to be well thought out and consider not only the systems in direct control of the business, but also the credentials by which employees can access those systems remotely. Beyond policy, though, awareness is a key element to the protection of data in your business and in your home.
By Jeff Williams, CIPP CISSP
http://www.microsoft.com/technet/community/columns/sectip/st0607.mspx
Today the Department of Justice and FBI announced the results of an ongoing cyber crime initiative to disrupt and dismantle “botherders” and elevate the public’s cyber security awareness of botnets. OPERATION BOT ROAST is a national initiative and ongoing investigations have identified over 1 million victim computer IP addresses. The FBI is working with our industry partners, including the CERT Coordination Center at Carnegie Mellon University, to notify the victim owners of the computers. Through this process the FBI may uncover additional incidents in which botnets have been used to facilitate other criminal activity.
“The majority of victims are not even aware that their computer has been compromised or their personal information exploited,” said FBI Assistant Director for the Cyber Division James Finch. “An attacker gains control by infecting the computer with a virus or other malicious code and the computer continues to operate normally. Citizens can protect themselves from botnets and the associated schemes by practicing strong computer security habits to reduce the risk that your computer will be compromised.”
The FBI also wants to thank our industry partners, such as the Microsoft Corporation and the Botnet Task Force, in referring criminal botnet activity to law enforcement.
See the full article: http://www.fbi.gov/pressrel/pressrel07/botnet061307.htm