The consumerization of IT, meaning the use of consumer services and devices in the workplace, has in recent years accelerated worldwide. Employees are using services, such as social media, as well as consumer devices like laptops, mobile phones, and tablets in the workplace – a phenomenon known as Bring Your Own Device (BYOD). With BYOD employees are allowed – and sometimes encouraged – to bring their personally owned devices to work and use those devices to access company resources, such as files and applications. For many organizations, embracing BYOD can help improve productivity, as well as reduce costs associated with deploying and supporting company-issued assets. At the same time, BYOD also comes with management and security concerns.
Our Trust in Computing survey, conducted in nine countries for Microsoft by comScore found that BYOD has gained wide acceptance in several countries, with 78% of organizations allowing employees to bring their own computers to the office for work purposes, and 31% subsidizing purchases of employee-owned computers for work use. There were some interesting variations among the nine countries surveyed. For example, Chinese companies were the most likely (86%) to allow BYOD, and Japanese companies the least likely (30%). Read more
This week, we will be releasing three installments of our new “Trust in Computing” research study. In late 2012, Microsoft Trustworthy Computing commissioned comScore to conduct a survey to help uncover current attitudes and perceptions related to security and privacy. This research explores trends in attitudes and opinions across nine countries/regions, and among three audience segments. Read more
Twelve months ago we launched a Windows Phone application that was designed to provide our readers with an easy way to access Trustworthy Computing blogs through their Windows Phone devices. Since then, we have received lots of feedback from users on the value it has provided and suggestions for improvements. Today I am pleased to share that a new version of our Trustworthy Computing Blogs Windows Phone application is now available. Read more.
A few years ago I wrote a whitepaper, with contributions from several other people, that describes key steps in the process we use to investigate, engineer and release security updates at Microsoft. We also recorded a video series with some of the folks at Microsoft that do the engineering work on security updates. Recently I have had a couple of customers ask about this process, so I thought we’d simply put these resources on the Microsoft Security blog to make them easy to find.
In today’s digital world, organizations simply cannot afford to conduct business online without taking security into account. Whether you buy or sell software, security has to be a top priority. It’s just good business. In part one of this series we touched on security standards as an important topic that was discussed at the Security Development Conference last month. In this part of the series, we share insights on the importance of security to organizations that conduct business online.
While at the Security Development Conference, I had an opportunity to sit down with Edna Conway, Chief Security Officer, Global Supply Chain for Cisco and discuss how they think about security in the context of the supply chain. Edna discusses how security is the first and most important node of the supply chain at Cisco. She shares how they embed security early on into the design and development stage of a product’s concept. Watch this short video to hear more about how Cisco embeds software security into its portfolio of products. Read more.
Almost 70 years ago, government officials met in San Francisco and formed the United Nations, as a result of growing concerns around international peace and security. Interestingly enough, last month, Microsoft hosted the Security Development Conference 2013 in San Francisco, CA where security professionals from hundreds of organizations around the world met to discuss proven security development practices that can help reduce organizational risk.
While at the event, I had an opportunity to meet with several distinguished security leaders and discuss advancements that are being made across the industry. For those of you that missed the conference, I encourage you to follow this series as we dive deeper into some of the hot topics to surface from this year’s conference.
One of the topics that generated a lot of discussion at the conference was the emergence of secure software development standards, specifically ISO 27034. While at the conference, Microsoft announced its Declaration of Conformity with ISO 27034-1. Check out this short video as we hear from Scott Charney, Corporate Vice President for Trustworthy Computing and Steve Lipner, Partner Director of Program Management at Microsoft on the significance of this standard. Read more.
It’s no surprise that mobile phone usage has exploded over the past decade. According to a study by the ITU, there are roughly 6.8 billion mobile cellular subscriptions worldwide today. As technology becomes more and more woven into the fabric of society, the smartphone has become an increasingly common extension of the desktop computer. Employees are configuring their personal smartphones to access company information, and IT professionals often struggle with how to manage the protection of corporate data on devices they do not own.
This dynamic has created new opportunities for cybercrime. Cybercriminals are increasingly targeting smartphones using a variety of tactics. These include repackaging popular applications with malicious code and offering them for download in app stores or marketplaces, malicious URLs designed to deceive users into downloading apps or providing personal information, and deceptive SMS messages (“smishing”) used to drive up a smartphone subscriber’s bill. Read more.
Today we released a new version of our Enhanced Mitigation Experience Toolkit (EMET 4.0). EMET is a free mitigation tool designed to help IT Professionals and developers prevent vulnerabilities in software from being successfully exploited. The tool works by protecting applications via the latest security mitigation technologies built into Windows, even in cases where the developer of the application didn’t opt to do this themselves. By doing so, it enables a wide variety of software to be made significantly more resistant to exploitation – even against zero day vulnerabilities and vulnerabilities for which an update has not yet been applied.
EMET has been a very popular tool among customers trying to manage the risk associated with insecure applications in their environments. Over the past year we have seen some attackers evolve their tactics in ways that we believe can be mitigated with a tool like EMET. We have also received feedback from a number of customers on how we could make EMET better fit their needs, and that information has been invaluable in shaping the latest version of the tool. EMET 4.0 incorporates a number of new enhancements, including certificate pinning (Certificate Trust) to detect man-in-the-middle attacks that abuse the Public Key Infrastructure (PKI), and hardened Return-Oriented Programming (ROP) mitigations. This version also addresses some known compatibility issues and is designed to work with some of our latest technologies such as Internet Explorer 10 and Windows 8. Read more
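The post above says EMET applies Windows mitigations to applications whose developers did not opt in themselves. Whether a developer opted in is recorded in the PE optional header’s DllCharacteristics field (set by the /DYNAMICBASE and /NXCOMPAT linker options), so a quick triage step before deploying EMET is to read that field. The following Python is an added example, not code from the original post or from EMET; it parses a PE header for the documented IMAGE_DLLCHARACTERISTICS_* bits and builds a minimal constructed PE header to run against, since no real binary is embedded.

```python
import struct

# Documented IMAGE_DLLCHARACTERISTICS_* bits in the PE optional header.
DYNAMIC_BASE = 0x0040     # /DYNAMICBASE: image may be relocated (ASLR)
NX_COMPAT = 0x0100        # /NXCOMPAT: image is DEP-compatible
NO_SEH = 0x0400           # image does not use structured exception handling
HIGH_ENTROPY_VA = 0x0020  # /HIGHENTROPYVA: 64-bit ASLR (PE32+ only)


def pe_mitigation_flags(data: bytes) -> dict:
    """Return the developer's mitigation opt-ins recorded in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                           # optional header follows COFF
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):           # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if size_opt < 72:
        raise ValueError("optional header too short for DllCharacteristics")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers.
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    flags = {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dllchar & DYNAMIC_BASE),
        "dep": bool(dllchar & NX_COMPAT),
        "no_seh": bool(dllchar & NO_SEH),
        "high_entropy_va": bool(dllchar & HIGH_ENTROPY_VA),
    }
    # An image lacking either opt-in is the case EMET exists to cover.
    flags["needs_emet"] = not (flags["aslr"] and flags["dep"])
    return flags


def build_pe(magic: int, dllchar: int) -> bytes:
    """Construct a minimal, section-less PE header for testing (not a real binary)."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> PE signature
    hdr += b"PE\0\0"
    opt_size = 96 if magic == 0x10B else 112
    machine = 0x14C if magic == 0x10B else 0x8664
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dllchar)
    return bytes(hdr) + coff + bytes(opt)


if __name__ == "__main__":
    legacy = build_pe(0x10B, 0)
    modern = build_pe(0x20B, DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA)
    for name, img in (("legacy-x86", legacy), ("modern-x64", modern)):
        print(name, pe_mitigation_flags(img))
```

Note that this only reports the header bits; SafeSEH opt-in lives in the load configuration directory rather than DllCharacteristics, and a DLL loaded into the process can still weaken the picture, which is why EMET enforces mitigations per process rather than trusting the image alone.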
Many of the CISOs I talk to tell me that “Advanced Persistent Threats” (APT) style attacks are among their top concerns. As I have written about before, the problem with the term APT is that it doesn’t describe this category of threats very accurately. This makes it harder to understand and mitigate this type of threat. Many of the threats we see in this category are not any more “advanced” or technically sophisticated than many of the broad-based attacks currently in use on the Internet. At Microsoft we find that a more accurate and useful term for this category of threat is “targeted attacks by determined adversaries”. The vast majority of these attacks use unpatched vulnerabilities for which updates are available, weak passwords, and social engineering to compromise systems.
Microsoft has released a series of whitepapers that are designed to help organizations understand and manage the risk posed by targeted attacks by determined adversaries. Read more.
While on the road in Asia, I had an opportunity to meet with security professionals from Malaysia, India and Singapore to discuss regional threat trends based on data from our latest Microsoft Security Intelligence Report. These discussions and an analysis of the threat landscape for Asia are summarized below. Read more.