
New Editor of the Microsoft Technical Audiences Security Newsletter

Well, in case you don’t subscribe, I’m now the official editor of the Microsoft Technical Audience Security Newsletter. It’s nice to actually get a security professional as the actual owner of the newsletter, and hopefully I’ll be able to weed out the material that’s not related to our topic. That being said, we also want to start including some material that is pertinent to you not only in a “hard skill, how do I install/configure Microsoft’s Product X?”, but we also want to be sure that we have some good information out there that will assist you in the current economic situation that we now find ourselves. Yes, even the once booming world of information security has been hit by the bad economy. To that end, I would like to start covering some things like professional career advice, how to build those business skills, how to tweak your resume, etc. I think these will all be of great benefit.

Also, I want to hear your valid feedback. Don’t email me about how you’ve sent in money to some Nigerian prince and you haven’t seen your money since. Also, don’t fire up an email to ask me why your machine tends to BSOD with a STOP 0x7E when you install that driver you wrote in your garage. If I don’t see valid suggestions about topics to discuss or ways to make this security newsletter better….it’s getting deleted.

This month we’re talking about database security. Good ol’ SQL Injection. Get ready….it’s going to be a fun ride.

- Kai

Posted by kai axford | 0 Comments

Is Cloud Computing Really Risk Transference?

The current buzz in the technology industry is all about this idea of Cloud Computing. It goes by many many names but we’ll just stick with this one to eliminate confusion. Sure, it’s a great idea and vendors are talking about “moving your data to the cloud” where someone else can manage your data, provide better uptimes, manage the patching process, etc. Unfortunately, as a security guy, I tend to look at the idea of cloud computing from a risk perspective…and it just isn’t fluffy cumulus clouds that I see…it’s more like the picture you see here.

[Image: hurricane-francis]

From the security perspective, it appears to be nothing more than a matter of risk transference, very similar to what any good insurance policy will do for you. Companies are trying to be quick to market with their Cloud Computing Security Strategies, but I’ve yet to hear anyone truly identify the risk that this will solve. At the end of the day, it comes down to two simple questions that either your CSO or Legal Department will most assuredly ask:

Who ends up being liable for the data that’s stored in the cloud when it’s breached?

Whose name and signature is going to be at the end of the Breach Notification letter you’ll send to your customers?

I’ve been doing a lot of research on the topic of “cloud computing security” the last few weeks, as I prep for my session at TechEd North America 2009 entitled “Securing the Cloud”. I have to tell you, I don’t see a lot of companies agreeing to become liable if your data gets breached on their network. I’m not sure how this really differs from putting your money in a bank, rather than in your mattress. The bank (through the powers of the FDIC) insures my money up to a certain amount. Will my cloud vendor do the same?

Of course, with all new things, old problems still exist. How are those 3rd-party auditors going to successfully conduct an external audit of your data, when the data and controls aren’t even on the premises? “Well, Mr. Sarbanes-Oxley Audit Master, I’d love to show the controls that we have in place to remain compliant with 404, but the data isn’t actually here. Perhaps you can contact our cloud provider to find out the controls they’re using to keep my customer data secure.” That probably isn’t going to go over too well. Remember, you can delegate authority, but not responsibility.

I just want to be sure that we are all really giving this a lot of thought before we start dumping our data up to some unknown entity in the clouds. There are plenty of positive things that cloud computing provides, but at what cost? I’ll take the extra time to patch my enterprise’s servers if it means keeping my data close.

As someone who travels extensively talking to security professionals, I learned long ago that I don’t have all the answers….and this is no exception. Let’s start a dialogue through the comments. What risks do you see with regard to moving to a cloud computing infrastructure and is your business headed that way? 

Also, before I forget….I’ve found a really great cloud computing security blog called http://cloudsecurity.org. Two thumbs up! Check it out.

Sweetie…can I make some security modifications to the car?

This is just too awesome to miss. I always enjoy a good video, especially when it relates to security. I just recently bought a new SUV (traded in the 2004 Mustang GT convertible) with the new baby and now I’m very sad that I forgot to ask for this option when I did. The guys at DillonAero did a great job with this new vehicle. Makes you wonder what those cars in the presidential motorcade are for.

Not to mention, this would pretty much clear up the problem of non-IT people parking in the “IT Department” parking spot.

ALERT: $250,000 Reward

REDMOND, Wash. — Feb. 12, 2009 — Today, Microsoft Corp. announced a partnership with technology industry leaders and academia to implement a coordinated, global response to the Conficker (aka Downadup) worm. Together with security researchers, Internet Corporation for Assigned Names and Numbers (ICANN) and operators within the Domain Name System, Microsoft coordinated a response designed to disable domains targeted by Conficker. Microsoft also announced a $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet.

“As part of Microsoft’s ongoing security efforts, we constantly look for ways to use a diverse set of tools and develop methodologies to protect our customers,” said George Stathakopoulos, general manager of the Trustworthy Computing Group at Microsoft. “By combining our expertise with that of the broader community we can expand the boundaries of defense to better protect people worldwide.”

As cyberthreats have rapidly evolved, a greater level of industry coordination and new tactics for communication and threat mitigation are required. To optimize the multiple initiatives being employed across the security industry and within academia, Microsoft helped unify these broad efforts to implement a community-based defense to disrupt the spread of Conficker.

Along with Microsoft, organizations involved in this collaborative effort include ICANN, NeuStar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver Foundation, Arbor Networks and Support Intelligence.

“The best way to defeat potential botnets like Conficker/Downadup is by the security and Domain Name System communities working together,” said Greg Rattray, chief Internet security advisor at ICANN. “ICANN represents a community that’s all about coordinating those kinds of efforts to keep the Internet globally secure and stable.”

“Microsoft’s approach combines technology innovation and effective cross-sector partnerships to help protect people from cybercriminals,” Stathakopoulos said. “We hope these efforts help to contain the threat posed by Conficker, as well as hold those who illegally launch malware accountable.”

More information about how to protect yourself from Conficker can be found at http://www.microsoft.com/conficker. Customers interested in learning more about staying safe online can visit http://www.microsoft.com/protect.

Microsoft’s reward offer stems from the company’s recognition that the Conficker worm is a criminal attack. Microsoft wants to help the authorities catch the criminals responsible for it. Residents of any country are eligible for the reward, according to the laws of that country, because Internet viruses affect the Internet community worldwide. Individuals with information about the Conficker worm should contact their international law enforcement agencies.

Hyper-V Security Guide goes Beta

Well, I told everyone last year on my Virtualization Security Tour that this thing was coming out soon! Well, we released a Beta of the document on our Beta site, which you should join if you haven’t already. One of my jobs is to help do technical review of documents/slides internally for our Security Content Review Board. I just got the request today and have started looking it over…and now you can review it as well! Sweetness. I’d love to hear your comments!

You should also take a look at the TechNet article entitled Planning for Hyper-V Security which was just updated on 2/4/2009.

The Hyper-V Security Architecture...love it!

Also, don’t forget to check out the wonderful and amazing article on virtualization security titled Security in a Virtual World, written by some guy with Hemingway type writing skillz. It talks about things to consider in your VM deployments. It’s not about how to obtain the next set of epic gear in World of Warcraft (which is a whole ‘nother type of “virtual security”).

I’m currently out speaking at some internal Microsoft conferences, but I’ll be back next week!


Hello Baby!

Frantic in Dallas

I’m back…after a long absence.

The last 3 months or so have been crazy in my life. After my trip to London and Edinburgh in mid-September, I returned home patiently awaiting the delivery of our son in late-October. We went to the doctor on Monday, September 29th and the sonogram looked great. No worries. I was slotted to go to New York on Wednesday of that week. I asked the doc if it was okay for me to head out on Tuesday, speak on Wednesday, and then return Wednesday night. A quick turnaround. “Go”, he said, “this baby isn’t coming until late October, right on schedule.” I generally trust doctors, so I kissed my wife goodbye and headed to New York.

I got a voicemail from my wife as I landed in Cincinnati to change planes: “GET HOME NOW!”

I immediately call home, but my wife is being admitted to the hospital, and I can’t reach her. I get in touch with her parents and am told everything is okay with her, but she had to be admitted and I needed to get back. I then begin calling American Airlines, frantically trying to arrange a return flight. I got hold of my wife and was assured that she was okay. I got in late and immediately rushed to the hospital.

Our first child was born on October 2nd, 2008. (He is currently in training to join the Green Bay Packers in 2031.)

After his birth I had 4 weeks of vacation and 4 weeks of parental leave. Now that we’re in 2009, I’ve dug myself out of email and now I’m ready to hit the ground running.

So What Ya Working On, Kai?

Well first let me say that I have been spared the first round of layoffs that we announced a few weeks ago. Unfortunately, I have several good friends who were let go. My thoughts are with them and their families. Let’s hope this economy thing fixes itself sooner than later.

I’ve also been working on getting sessions submitted for TechEd 2009. Here are the ones I submitted and their status. Love to hear what you think about the sessions. Are these good ideas or what would you like to see?

SECURING THE CLOUD (APPROVED)
==========================
You've heard the buzzwords for the computing that takes place outside the walls of your company - Cloud Computing, Software as a Service (SaaS), Grid Computing, Storage in the Cloud, etc. Have you considered the security risks that such a paradigm shift presents to your business? Security is one of the biggest hurdles preventing the move to "computing in the cloud". Join Kai Axford, a Sr. Security Strategist with Microsoft's Trustworthy Computing Group as he identifies and discusses the IT security risks such a move could have on your organization.

SECURING WINDOWS ESSENTIAL BUSINESS SERVER 2008 (APPROVED)
===================================================
It's about time! Microsoft has just released the multi-server solution targeting the mid-size business after years of enterprise and small business love. You're thinking about making the move to EBS...but what about security? Is this a "full featured" Forefront TMG? How do the filters work in my Exchange Server security? What flavor of System Center do I get and how do I use it? Join Kai Axford, a Sr. Security Strategist with Microsoft's Trustworthy Computing Group as he demonstrates and discusses this mid-size product in a highly interactive and engaging session.

SECURITY FINANCE FOR IT SECURITY GEEKS: GET THE BUDGET YOU REALLY WANT! (PENDING)
===================================================================
IT security people understand technologies and security risks. Too often we miss out on getting the budgets we want and need, simply because we don't know how to justify the project to the non-technical bean counters. In this session, you'll learn some simple capital budgeting and project justification methods such as NPV and IRR that CFOs love. We'll show you how you can use tried and true financial analysis to prove that you really do need that bright shiny firewall appliance. Heavy on the geek, light on the finance.

THE SECURITY SHOW v2.0 (PENDING)
============================

Are you tired of Death By Powerpoint? Too much Microsoft lecture with little time for questions? Afraid of another monotone PM talking about some (yawn) topic? Then check out "The Security Show v2.0"!!! This interesting talk show format brings together the top security minds discussing the toughest security issues of today. The best part is we allow you to get involved and interact with the guests. Don't delay! Limited seats are available for this daily show!

DAY 1: The Cybercriminal Underground
DAY 2: SDL and Why Should I Care?
DAY 3: Inside the Microsoft Security Response Center
DAY 4: Chat with a Ninja

Thoughts?

Big Bang Machine Hacked!

Well, apparently no one planned any information security with the super collider. I love the quote from this guy who is obviously not a security guy “We don’t know who they were but there seems to be no harm done.” Right. No harm done. We’re sorta sure.

Time to buy a tin-foil hat.

Batten Down the Hatches Texas!

Well, I’ve been pretty much just keeping only a cursory interest in Hurricane Ike once my family on the East Coast was going to be safe. Now I have to pay attention again.

A friend of mine sent me this today, which means my flight on Saturday will either be arriving early or departing really really late (if at all). I may be trying to stock up on bottled water. I’m sure Keith will have to buy a generator to keep his 3 monitors running. I love to torment my team in Redmond when they send pictures of 3-foot snow drifts in January…by sending them pictures of the wind blowing a few leaves in my pool in Dallas.

Looks like they may be getting the last laugh.


The Last Episode on Physical Security!

This wraps up the 4-part series where I discuss physical security at Microsoft with one of the guys who keeps you safe when you visit Redmond or any other of the many Microsoft campuses around the world. Thanks Johnny for making us all feel safe when we step onto the campus and thanks for sharing your terrific story of security convergence and how that happens here.

I have one more series still in the bag, and it’s about How Microsoft IT Does Smart Cards, where we’ll sit down and find out the challenges we faced in deploying smart cards to 80,000+ employees around the world. Good stuff for sure!

Well, maybe I’ll get a great refund in 2009

Apparently the IRS just realized that they had about 1,800 unauthorized web servers attached to their corporate network!!! Now I’m glad to hear that their CIO is working to get them removed, but sounds to me this is a great opportunity for them to implement a domain isolation model using IPsec. Now you know I’m a friend of the US GOV, and I bring this issue up to raise the following point:

Do you know how many unauthorized web servers, file servers, etc. exist on YOUR network?

If so, how do you identify them and more importantly how do you mitigate the risk this presents? Yes, you can threaten and write policies, but at the end of the day, you can only protect what you can enforce. What solutions are those of you in the field using?

Part Three of Four as We Chat About Physical Security

UPDATE: I got your emails about there being a problem with this Silverlight video (thanks Doug!), so I re-rendered and have re-posted the video. Nothing stinks worse than having the movie go out in mid-series! OH YES! I actually had the privilege yesterday of getting an hour-long Capabilities Tour of the Microsoft Global Security Operations Center while in Redmond. Amazing stuff and I’ll post about that shortly as well…

Part 3 of my chat with Johnny Walker! He’s got great security info to share.

The Security Show: Episode 3 “Gates, Guards and Guns”

More of my sitdown with Johnny Walker who helps run our Microsoft Global Security Operations Center. When we talk about physical security, as IT Pros, we’re typically talking about securing the datacenters and the boxes themselves. Johnny also has to consider things like Loss Prevention, Executive Protection, and Life Safety (fire, flood, earthquake, etc.) Why did my brain just get a whole lot more full?

Good stuff!

You got to love convergence! The Security Show: Episode 3 – Gates, Guards, and Guns

In Episode 3 of the popular Security Show, we sit down with Johnny Walker who is a Group Program Manager with Microsoft Global Security Operations Center (GSOC). We’ve done a podcast on TechNet Radio with Johnny in the past, but this time we get into a little more detail as he explains the methods by which we help secure the Microsoft worldwide campus. He’s going to be talking about the very important topic of “convergence” which is the much talked about concept of the IT Security and Physical Security world coming together. If you’re interested in How Microsoft IT Does Physical Security, you should download Johnny’s whitepaper.

Enjoy!

NEWS: ISA Server and Forefront TMG will be supported on hardware virtualization!

Supported Virtualized Security Solutions? Yeah….We Got That!

We’ve gotten many requests for this and today we’re announcing that ISA Server and Forefront Threat Management Gateway (TMG) will now be supported on hardware virtualization. This means that as long as a virtualization platform has been validated under Microsoft’s Server Virtualization Validation Program (SVVP), then we will support that product within the limits of the Microsoft Product Support Lifecycle. That means when all heck breaks loose on your box at 3:00AM on a Saturday, you pick up the phone and you talk to a support professional who will be happy to assist you….and not handle the call like a cousin calling about her Mac not booting: “Sorry…unsupported config. Not much I can do for you.” (Trust me….I used to BE a support professional for Microsoft platforms and while we did try to assist, we were always left to “best effort”. No guarantee of success. Try passing that along to your boss!)

Also, there is a new MUST READ document called “Security Considerations with Forefront Edge Virtual Deployments”, by ISA Systems Engineer, Jim Harrison, and Forefront Edge PM, Gershon Levitz, that explains the proper techniques for getting your security solution to run in a virtual environment. Some really good (and much needed) guidance on how to get it all working correctly. These guys are smart on the whole concept of these two products and we absolutely got the best guys to provide guidance for you. Worth a read!

Virtualization Security?

Also, be on the lookout for a new Virtualization Security article coming from me in the Viewpoint column of the September issue of the Microsoft Security Newsletter, which if you haven’t subscribed, I highly recommend you do. It’s one stop shopping for all the security news at Microsoft. Also, be sure to check out my last article on Defense in Depth from June 2008. Trust me, it’s not like any other security article you’ve ever read!

The Security Show: Episode Two – Stopping James Bond (Part IV)

This is the last of Episode Two and I hope everyone has been enjoying this interesting session with the FBI. In this final session, we wrap up and get a few comments from the audience. Good stuff.

Next time, I’ll be posting Episode 3 titled “Gates, Guards, and Guns” where we’ll spend some time talking with Mr. Johnny Walker from the Microsoft Global Security Operations Center and we’ll learn about how we secure our campuses through the use of life safety technologies and things like video surveillance. As the worlds of physical and information security begin to converge, this should prove to be a timely discussion and one that you should enjoy.
