For many years attackers have used rogue security software, also known as fake antivirus software or “scareware”, to fool computer users into installing malware and/or divulging confidential information. These programs typically mimic the general look and feel of legitimate security software programs and claim to detect a large number of nonexistent threats while urging users to pay for the “full version” of the software to remove the threats. Attackers typically install rogue security software programs through exploits or other malware, or use social engineering to trick users into believing the programs are legitimate and useful. Some versions emulate the appearance of the Windows Security Center or unlawfully use trademarks and icons to misrepresent themselves (some examples of this are shown below).
As I’ve written previously, three key objectives of information security are to maintain the confidentiality, integrity and availability of an organization’s information. With many organizations adopting cloud services, more and more of the security professionals I have been talking to lately have been interested in topics related to reliability and availability.
Reliability is ultimately about customer satisfaction, which means that managing reliability is a more nuanced challenge than simply measuring uptime. For example, customer satisfaction will be low for a service that never goes down, but that is really slow or difficult to use. At a high level, each cloud session consists of a cloud consumer using a computing device to connect to a cloud-based service that is hosted by an internal or external cloud provider. When planning for a highly available cloud service, it’s important to consider the expectations and responsibilities of each of these parties. In planning, organizations need to acknowledge the real-world limitations of technology, and recognize that failures can and will occur. They can then use good design to isolate and repair service failures quickly to avoid or minimize the impact on the service’s availability to users.
One topic that I get asked about each time we release a new volume of the Microsoft Security Intelligence Report is malware infection rates for operating systems and service packs. We released new data late this year in volume 13 of the report (SIRv13). Accordingly, I am dedicating a couple of articles to discussing the new malware infection rate data for operating systems and service packs.
The latest data published in SIRv13, focusing on the first half of 2012, shows that newer operating systems, such as Windows 7 and Windows Vista, continue to have lower malware infection rates than older operating systems like Windows XP Service Pack 3. Windows 7 Service Pack 1 and Windows Server 2008 R2 had the lowest infection rates in the second quarter of 2012. The infection rate for Windows XP Service Pack 3, the oldest supported operating system from Microsoft, is the highest by a significant margin.
Last year, the inaugural Security Development Conference brought together leading security professionals from a variety of industries around the world to share security development practices and how their organizations successfully adopted them. More than 300 organizations attended this conference. At the conference I had the opportunity to discuss the importance of security development practices with keynote speaker Richard A. Clarke, former Special Advisor to the President for Cyber Security. I also had the opportunity to discuss the urgency for organizations to adopt security development practices with General Michael V. Hayden, former Director, U.S. Central Intelligence Agency and U.S. National Security Agency. You can read more about last year’s event in our wrap up blog post.
Registration is now open for the second annual Security Development Conference (SDC 2013), which is being held in San Francisco on May 14th and 15th. SDC 2013 will bring together some of the best and brightest information security professionals from a variety of industries. Attendees will learn about proven security development practices through interactions with peers, industry luminaries and organizations that have successfully adopted such practices. There are three tracks at SDC 2013 targeting different areas critical to the success of security development. Track sessions will cover the latest security development techniques and processes that can reduce risk and help protect organizations in this rapidly evolving technology landscape.
As the holidays approach and 2013 is on the horizon, December is a natural time to reflect on events of the past year and what we have learned from them. Subsequently, every December I inevitably am asked to extrapolate or predict what the threat landscape might look like next year. I’m not Nostradamus, and I know that we can’t use the past to predict the future with absolute accuracy. But I wanted to share my thoughts on the top five trends that I predict we’ll see in the coming year based on current observations of the threat landscape.
Author: Matt Thomlinson, General Manager, Trustworthy Computing
Targeted attacks by determined adversaries (also known as Advanced Persistent Threats or APTs) have been a hot topic recently. Although targeted attacks continue to make up a small fraction of the attacks we see today, reports of attacks targeting organizations and governments have attracted a lot of attention. We know that one of the first things determined adversaries do if they are able to successfully compromise their target organization’s network is to try to compromise the organization’s directory services. The reason is clear: a directory service contains the credentials that users, administrators and systems use to authenticate to the network and get access to the organization’s resources. If the attackers can get access to all these credentials, they can get access to more resources on the network.
One of the most pressing challenges facing organizations today is attaining and maintaining compliance with various industry and government regulations and standards. Failure to comply with certain regulations can result in heavy financial penalties that can put many organizations under severe pressure. This series of blog posts will look at how the Microsoft Security Development Lifecycle (SDL) can be used to help organizations meet various compliance requirements.
The Microsoft Security Development Lifecycle (SDL) has been used at Microsoft for more than eight years to help reduce the number and severity of vulnerabilities in Microsoft products and services, thus limiting the opportunities for attackers to compromise computers. Microsoft has freely shared the processes, tools and guidance that form the SDL for more than five years to help our customers, partners and industry colleagues also develop more secure software. However, it can be difficult to make a business case for the adoption and enforcement of a software development process that could be perceived as a “development tax”.
This article in our free security tools series focuses on the benefits of the Microsoft Anti-Cross-site Scripting Library (Anti-XSS). Cross-site scripting (XSS) is an attack technique in which an attacker inserts malicious HTML and JavaScript into a vulnerable webpage, often in an effort to distribute malware or to steal sensitive information from the website or its visitors.