Today we’re announcing the release of the Microsoft Threat Modeling Tool 2014. This is the latest version of the free Security Development Lifecycle Threat Modeling Tool that was previously released back in 2011.
More and more of the customers I have been talking to have been leveraging threat modeling as a systematic way to find design-level security and privacy weaknesses in systems they are building and operating. Threat modeling is also used to help identify mitigations that can reduce the overall risk to a system and the data it processes. Once customers try threat modeling, they typically find it to be a useful addition to their approach to risk management.
We have been threat modeling at Microsoft for more than 10 years. It is a key piece of the design phase of the Microsoft Security Development Lifecycle (SDL). In 2011 we released the SDL Threat Modeling Tool, free of charge, to make it easier for customers and partners to threat model as part of their software development processes. The tool has been very popular and we have received a lot of positive customer feedback in addition to suggestions for improvement. Read more
Posted by: Tracey Pretorius, Director, Trustworthy Computing
On April 8, 2014, security researchers announced a flaw in the OpenSSL encryption software library used by many websites to protect customers’ data. The vulnerability, known as “Heartbleed,” could potentially allow a cyberattacker to access a website’s customer data along with traffic encryption keys.
After a thorough investigation, Microsoft determined that Microsoft Account, Microsoft Azure, Office 365, Yammer and Skype, along with most Microsoft Services, are not impacted by the OpenSSL “Heartbleed” vulnerability. Windows’ implementation of SSL/TLS is also not impacted. A few Services continue to be reviewed and updated with further protections. Read more
On Monday, Tim Rains was featured on TechNet Radio in which he discussed “The Risk of Running Windows XP After Support Ends” with Blain Barton, Senior Technical Evangelist at Microsoft. This is a recommended video for any IT Professionals currently using Windows XP today in their environment. Questions covered in the discussion include:
Posted by: Sean Finnegan, Director, Cybersecurity
Last week, we published a paper on “Threat Modeling a Retail Environment.” The intent of this paper was to help provide the retail industry with risk and mitigation guidance that could be applied in their environment, where there is a unique set of requirements and challenges. As a follow-on to that information, today we published a new paper focused on “Protecting Point of Sale Devices from Targeted Attacks.” Given that point of sale (POS) devices were the focus of many recent targeted attacks in the retail industry, we thought this guidance would be helpful. Read more
New data in the Microsoft Security Intelligence Report volume 15 indicates that the malware infection rate of the United States increased precipitously between the fourth quarter of 2012 and the first quarter of 2013. The Malicious Software Removal Tool (MSRT) cleaned malware on 8.0 of every 1,000 computers scanned (Computers Cleaned per Mille or CCM) in the US in the second quarter of 2013, compared to the worldwide average of 5.8 in the same quarter. This was more than double the infection rate of the fourth quarter of 2012 of 3.3, as illustrated in Figures 1 and 2. With the exception of the third quarter of 2011, the US has enjoyed infection rates consistently below the worldwide average. The infection rate in the fourth quarter of 2012 was one of the lowest recorded CCMs for the US in the history of the Microsoft Security Intelligence Report. The percentage of systems that encountered threats in the US during this period increased only slightly, from 13.4 percent in the fourth quarter of 2012 to 14.1 percent in the first quarter of 2013. This is well below the worldwide average encounter rate of 17.8 percent in the first quarter of 2013. The encounter rate in the US decreased in the second quarter of 2013 to 11.5 percent, despite the malware infection rate remaining relatively high. Read more
It’s been well publicized that on April 8th, 2014 Microsoft discontinues product support for Windows XP. Windows XP was released in 2001, and the support policy for its lifecycle soon followed in October 2002. In September 2007, we announced that support for Windows XP would be extended an additional two years to April 8, 2014. We are very clear about the lifecycle of our products, deliberately communicating this information years in advance, because we know customers need time to plan for changes to their technology investments and manage upgrades to newer systems and services.
We’ve also focused on communicating regularly, such as in an article posted in August of last year. That piece focused on the fact that supported versions get security updates that address any newly discovered vulnerabilities, which Windows XP won’t receive after April 8, 2014. This means that running Windows XP when the product is obsolete (after support ends) will increase the risk of technology being affected by cybercriminals attempting to do harm. This blog post continues on from that article, and also provides guidance to consider as people look ahead.
Many of the enterprise customers I’ve talked to recently have finished, or are in the process of finishing, technology projects that move their desktop computing environments from Windows XP to Windows 7 or Windows 8. However, I’ve also talked to some small businesses and individuals that don’t plan to replace their Windows XP systems even after support for these systems ends in April. In light of this, I want to share some of the specific threats to Windows XP-based systems that attackers may attempt after support ends, so that these customers can understand the risks and hopefully decide to immediately upgrade to a more secure version of Windows, or accelerate existing plans to do so. Read more
Posted by: Michael Howard, Principal Consultant, Cybersecurity
If you have followed this blog, or followed anything Microsoft has done with the Security Development Lifecycle, you’ll know that we are proponents of the benefits of threat modeling as a way to understand the risks to and potential mitigations for a system.
The computer industry is full of systems that look somewhat alike and have similar “moving parts”; for example, banking, health care, telecommunications and so on. In the wake of high-profile attacks on organizations in the retail industry, we thought developing new guidance that helps with the unique requirements and challenges of that industry could be helpful. We decided that the best way to do this was to team up cybersecurity expertise with retail expertise. We combined the security expertise of senior consultants Tim Delong, Mark Simos and myself from the Microsoft Consulting Services Cybersecurity team with the retail industry expertise of Vic Mile and Marty Ramos from Microsoft’s Retail industry vertical team. Read more
In this six part series we examined many factors that are likely contributing to relatively high malware infection rates of countries/regions in the Middle East and southwest Asia. Here are the articles in the series for reference:
I have had the opportunity to travel to many parts of the world to discuss threats and best practices, including those locations with the lowest malware infection rates in the world, as well as some of the locations I discussed in this series with relatively high malware infection rates. The locations that typically have low malware infection rates include Finland, Japan, and Norway. We recently published a series of articles on some of these locations that includes commentary from local security professionals.
When I talk with security professionals in locations with relatively high infection rates they are always interested in learning about the practices that the countries/regions with consistently low malware infection rates employ to be so successful. Here is a summary of those best practices. Read more
This series examines malware infection rates and the factors contributing to them in several locations in the Middle East and southwest Asia, including Bahrain, Egypt, Israel, Iraq, Jordan, Kuwait, Lebanon, Oman, Pakistan, Palestinian Authority, Qatar, Saudi Arabia, Syria, Turkey, and the United Arab Emirates. This region of the world has had high malware infection rates compared to other parts of the world. I looked at how malware encounter rates affect malware infection rates in the region. I also examined how anti-virus software usage and Windows XP market share impact infection rates in these locations. Read more
This is Part 4 of a series of articles on the threat landscape in the Middle East and southwest Asia. This series examines malware infection rates and the factors contributing to them in several locations in the region including Bahrain, Egypt, Israel, Iraq, Jordan, Kuwait, Lebanon, Oman, Pakistan, Palestinian Authority, Qatar, Saudi Arabia, Syria, Turkey, and the United Arab Emirates. Read more