Excerpt of a blog by Jeff Jones:
Windows Vista shipped to business customers on the last day of November 2006, so the end of November 2007 marks the one year anniversary for supported production use of the product.
This paper analyzes the vulnerability disclosures and security updates for the first year of Windows Vista and looks at it in the context of its predecessor, Windows XP, along with other modern workstation operating systems Red Hat, Ubuntu and Apple products.
http://blogs.technet.com/security/archive/2008/01/23/download-windows-vista-one-year-vulnerability-report.aspx
Urs
Virtualization will become dominant in enterprises, but the security risks are fuzzy at best. Meanwhile, the usual defense–firewalls, security appliances and such aren’t ready for virtualization.
http://blogs.zdnet.com/security/?p=821
IP addresses, string of numbers that identify computers on the Internet, should generally be regarded as personal information, the head of the European Union's group of data privacy regulators said Monday.
http://www.cbsnews.com/stories/2008/01/21/tech/main3734904.shtml?source=RSSattr=SciTech_3734904
ISC2, the non-profit international body that educated and certifies information security professionals, today announced the publication of its "Hiring Guide to the Information Security Profession".
The free 30-page guide is designed to provide human resources (HR) with best practice tips on how to best find, recruit, hire and retain qualified information security staff.
http://www.itpro.co.uk/news/157143/hr-given-guide-to-info-security-skills.html
or the guide only directly from ISC2: https://www.isc2.org/cgi-bin/hiring_guide.cgi
From the Blog of Michael Howard:
I really got a chuckle out of this news item, especially this line: “Coverity, which creates automated source-code analysis tools, announced late Monday its first list of open-source projects that have been certified as free of security defects.”
So we finally have the security silver bullet!Run this tool on your code, fix the bugs, and you’re secure (and maybe unbreakable?!)? I don’t think so.
There are three big problems with this line of thought:
Full blog post:http://blogs.msdn.com/michael_howard/archive/2008/01/10/open-source-projects-certified-as-secure-huh.aspx
After noted British television presenter Jeremy Clarkson took umbrage at the massive outcry regarding the loss of personal records for 25 million UK residents he decided to prove that it was an over-reaction (in his mind) by publishing his bank details in a newspaper column that he writes. According to Clarkson, the worst that could be done was that someone would be able to deposit money into his account.
Unfortunately for Clarkson, a reader was able to establish a £500 direct debit to a Diabetes charity, direct from his account. While this should not have been allowed to take place (the bank should have required correct proof of identity in order to establish the direct debit), it was a wakeup call for Clarkson, who acknowledged the misconceptions that he originally held and recognized that the loss of personal data can have significant negative effects on those whose data has been misappropriated.
http://www.beskerming.com/commentary/2008/01/11/319/Ignorance_is_no_Excuse
I'm tempted to say: FUN! ;-) But, I know...
"So at HITB in Dubai this week - some researchers announced a proof of concept 'bootkit' for Vista. A bootkit is a rootkit that is able to load from a master boot record and persist in memory all the way through the transition to protected mode and the startup of the OS. It's a very interesting type of rootkit.
So I had an interesting discussion with a former Bitlocker Drive Encryption (BDE) Sr. SDE (Software Development Engineer) this morning (Jamie Hunter) about whether BDE would mitigate these types of attacks if used properly and I'm very pleased to announce that it does!! This is a threat that the BDE team definitely anticipated and actively planned for!"
http://blogs.technet.com/robert_hensing/archive/2007/04/05/vbootkit-vs-bitlocker-in-tpm-mode.aspx
Every day, adversaries are attempting to invade our networks and access our servers, to bring them down, infect them with viruses, or steal information about customers, partners or employees. You are looking at Microsoft Windows Server 2008 to help to address these threats? To assist you in taking full advantage of the rich security features in Windows Server 2008, Microsoft is developing the Windows Server 2008 Security Guide.
When released in early 2008, the Windows Server 2008 Security Guide will provide IT professionals with best practices and automated tools to help strengthen the security of servers running Windows Server 2008.
The guide is now in Beta release, and is available for your review on Microsoft TechNet.
Executive Summary: http://www.microsoft.com/technet/security/prodtech/windowsserver2008/default.mspxBeta Program for the Guide: https://connect.microsoft.com/InvitationUse.aspx?ProgramID=1180&InvitationID=LHSG-DFWK-7BFX&SiteID=14
Detailed technical information about the latest updates released this month.
http://blogs.technet.com/swi/
Phishing e-mails that contain a Trojan horse designed to infect users' computers will continue to increase in 2008, comprising more than one-in-three malicious e-mail attachments, Microsoft said...
http://www.securityfocus.com/brief/656
Working together within different organizations and companies is always a big challenge. How can you work within different workspaces and share documents etc.? We just released a beta version of a Solution Accelerator we call "Extranet Collaboration Toolkit for SharePoint".
http://technet.microsoft.com/en-us/library/bb936676.aspx
On December 6, analyst firm Gartner Inc., announced that Microsoft Intelligent Application Gateway (IAG) 2007 is positioned in the Visionaries quadrant of their 2007 SSL VPN Magic Quadrant report. Not only was IAG described as an “excellent new product”, but Gartner also noted that our acquisition of Whale Communications “filled a serious gap in Microsoft’s secure application access strategy by adding a robust gateway and strong endpoint security.”
Gartner noted that we have too many divergent remote access solutions, but part of our strong score was due to our ability to demonstrate that we have a comprehensive vision for how these technologies and solutions align in the future. And what a future it is.
For more information on IAG 2007, visit www.microsoft.com/forefront/edgesecurityTo read the Magic Quadrant in its entirety, visit http://mediaproducts.gartner.com/reprints/microsoft/vol4/article5/article5.html
* Magic Quadrant for SSL VPN, 3Q07. John Girard. Publication Date: 6 December 2007 / ID Number: G00144950
Magic Quadrant DisclaimerThis Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Microsoft. Go to: http://mediaproducts.gartner.com/reprints/microsoft/vol4/article5/article5.htmlThe Magic Quadrant noted above is copyrighted December 6, 2007, by Gartner, Inc. and is reused with permission.