<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Roger's Security Blog : Behaviour</title><link>http://blogs.technet.com/rhalbheer/archive/tags/Behaviour/default.aspx</link><description>Tags: Behaviour</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Why it pays to be secure – Chapter 3 – But how do I?</title><link>http://blogs.technet.com/rhalbheer/archive/2009/10/18/why-it-pays-to-be-secure-chapter-3-but-how-do-i.aspx</link><pubDate>Sun, 18 Oct 2009 18:20:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3287536</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3287536.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3287536</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3287536</wfw:comment><description>&lt;P&gt;Our EMEA Security Program Manager, Henk van Roest, started this series internally and with his consent I am publishing it here in my blog as I think it contains a lot of great information for you to use.&lt;/P&gt;
&lt;HR&gt;

&lt;P&gt;Security — you hear about it every day. Being responsible for information security can be a daunting task, so where do you begin? &lt;/P&gt;
&lt;P&gt;From the design of acceptable use policies to preventing insiders from stealing data, the job can be a challenging one. Join Senior Security Strategist with the Microsoft Trustworthy Computing Group Kai Axford, as he explores each layer of Defense in Depth during this eight-part webcast series. Kai shows you how to mitigate the new risks in security and may have you rethinking the methods you’re using. He also spends time talking about your hot topics of the day. &lt;/P&gt;
&lt;P&gt;Specifically there is an 8 part series as detailed below:&lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4371" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4371"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 1 of 8): Why Does Security Matter? (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 7, 2008 &lt;/P&gt;
&lt;P&gt;In the first session of the series, we discuss risk and the impact of security on the business. We look at some popular methods to assess risk and identify the need for an overall security strategy. We also explore why you should care about information security, how to measure the success of your program, and how to prove it to your boss using the concept of Return on Security Investment (ROSI). Learn how security impacts the cash flow of your business. &lt;STRONG&gt;Bring your CFO to this one!&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4372" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4372"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 2 of 8): All Bark and No Bite (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 8, 2008 &lt;/P&gt;
&lt;P&gt;In our second session, we take a look at what is considered to be the most important aspect of information security: security policies. We discuss the policies that exist within your company and how to strengthen them. After all, what good is a policy if it is not enforceable? We also investigate the most cost-effective way for you to increase the security posture of your business. What is it? You have to tune in to see! You will not be disappointed. &lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4373" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4373"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 3 of 8): Gates, Guards, and Guns (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 9, 2008 &lt;/P&gt;
&lt;P&gt;Today we look at an aspect of information security that is often overlooked by technical folks. It is the physical security aspect of our job. Are you aware that every year at DEFCON there is a lock picking contest? In this session, we dive into various techniques and methods that we should be considering when it comes to providing physical security around our datacenters. We discuss some of the recent trends in this area, such as IP video surveillance, and also discuss resources that can assist you in coming up with a good overall physical security plan. (No locks were harmed in preparation of this session.)&lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4374" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4374"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 4 of 8): Living on the Edge (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 10, 2008 &lt;/P&gt;
&lt;P&gt;In case you are not aware, the Internet is not a safe and happy place. Have you thought about all the other branch offices and partners you are connected to? Bad things are going on and you would like to do what you can to keep them out in the wild. In today's session, we look at some of those risks, and also discuss some technologies you should be considering when looking at securing the perimeter. You know about Intrusion Protection Systems (IPS), Intrusion Detection Systems (IDS), and firewalls, but are they doing any good? Is the DMZ as we know it today…dead? &lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4375" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4375"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 5 of 8): Keeping Your House in Order (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 14, 2008 &lt;/P&gt;
&lt;P&gt;We start the week by discussing a problem that is close to your heart: your network. But how can we even begin to take on that challenge? What are some of the things on the horizon that we need to be aware of? In this session, we look at technologies and concepts such as IP Security (IPSec) Domain Isolation and Network Access Protection (NAP). We also look into some practical things that you should be doing right now to protect one of your most valuable assets.&lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4376" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4376"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 6 of 8): Save the Box, Save the Network (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 15, 2008 &lt;/P&gt;
&lt;P&gt;Servers. We all love them. Wouldn't it be so much easier if we simply did away with everything else? There is no argument that the multitude of desktops, laptops, and mobile devices has created headaches for the IT security professional. Just when you lock down a desktop, the sales guy gets a new laptop, and then a new mobile phone. We cannot (legally) eliminate the users, but join us to see what we can do to stay ahead of the risks! &lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4377" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4377"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 7 of 8): If You Build It (Securely), They Won't Come (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 16, 2008 &lt;/P&gt;
&lt;P&gt;Grab the caffeine and pizza! Today we step into the dark underground of AppDev and discuss methods for securing applications that run inside your infrastructure. As we harden the network and hosts, the bad guys are looking for other ways in, and often it is the applications being written by your own developers. Do your developers have the time and tools required to build their applications securely, or is security merely an afterthought? What tools are available to assist them? We show you today. No coding required. &lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4378" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4378"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 8 of 8): If a Terabyte Falls in the Middle of the (Active Directory) Forest (Level 200)&lt;/A&gt; &lt;/B&gt;&lt;B&gt;Original Air Date: &lt;/B&gt;January 17, 2008&lt;/P&gt;
&lt;P&gt;Got data? Sure you do, but how much? Where is it? How is it protected? What is it worth to you? Which is the most important? If you could save only one database, which would it be? Answers to all these burning questions, as well as some closing thoughts from Kai, are going to be covered in this final session. You do not want to miss this electrifying and intense final webcast!&lt;/P&gt;
&lt;HR&gt;
Henk and Roger 
&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3287536" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Events_2F00_Training/default.aspx">Events/Training</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Technology/default.aspx">Technology</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Behaviour/default.aspx">Behaviour</category></item><item><title>The Africa Cable – A Chance for Africa! 
– A Threat for the Internet?</title><link>http://blogs.technet.com/rhalbheer/archive/2009/10/07/the-africa-cable-a-chance-for-africa-a-threat-for-the-internet.aspx</link><pubDate>Wed, 07 Oct 2009 17:10:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3285281</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3285281.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3285281</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3285281</wfw:comment><description>&lt;P&gt;The development in Africa especially with the new broadband services to me is a huge chance for the whole continent. &lt;/P&gt;
&lt;P&gt;I just found this map on the next two years:&lt;/P&gt;
&lt;P&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" title=3764474517_78d7b452a3[1] border=0 alt=3764474517_78d7b452a3[1] src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheAfricaCableAChanceforAfricaAThreatfor_E347/3764474517_78d7b452a3%5B1%5D_60e29930-d7d9-4434-a03a-575ba09ed3d0.jpg" width=500 height=473 mce_src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheAfricaCableAChanceforAfricaAThreatfor_E347/3764474517_78d7b452a3%5B1%5D_60e29930-d7d9-4434-a03a-575ba09ed3d0.jpg"&gt; &lt;/P&gt;
&lt;P align=center&gt;source: IntelFusion&lt;/P&gt;
&lt;P&gt;Even though I have not been in Africa over the last few months, I heard that in different cities fiber is brought directly to the household, which brings technology and opportunities I would love to see here in Western Europe, where we still have to rely on copper. So, if the governments in Africa are serious about this, I think this is an outstanding growth opportunity for those markets. &lt;/P&gt;
&lt;P&gt;On the other hand, when I talk to customers and governments in Western Europe, there is a lot of distrust as well. Can we trust the governments? How much malware will be spread coming from this continent? Actually, the kick for this post was the following article just outlining this: &lt;A href="http://intellibriefs.blogspot.com/2009/10/africa-home-of-worlds-largest-cyber.html" mce_href="http://intellibriefs.blogspot.com/2009/10/africa-home-of-worlds-largest-cyber.html"&gt;Africa - home of the world’s largest cyber pandemic&lt;/A&gt; – which makes me think.&lt;/P&gt;
&lt;P&gt;If I look at our &lt;A href="http://www.halbheer.info/security/archive/2009/04/08/security-intelligence-report-scareware-on-the-raise.aspx" target=_blank mce_href="http://www.halbheer.info/security/archive/2009/04/08/security-intelligence-report-scareware-on-the-raise.aspx"&gt;Security Intelligence Report&lt;/A&gt; back in April (the new one will be coming soon) and look at the malware infection rate we see, it is neither worse nor better than in any other region:&lt;/P&gt;
&lt;P&gt;&lt;IMG style="WIDTH: 600px; HEIGHT: 344px" src="http://www.halbheer.info/security/Media/WindowsLiveWriter/TheAfricaCableAChanceforAfricaAThreatfor_E347/Infection%20Rate%20-%20World%20(600x344)[1]_2.jpg" width=600 height=344 mce_src="http://www.halbheer.info/security/Media/WindowsLiveWriter/TheAfricaCableAChanceforAfricaAThreatfor_E347/Infection%20Rate%20-%20World%20(600x344)[1]_2.jpg"&gt;&lt;A href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheAfricaCableAChanceforAfricaAThreatfor_E347/Infection%20Rate%20-%20World%20(600x344)%5B1%5D_2.jpg" target=_blank mce_href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheAfricaCableAChanceforAfricaAThreatfor_E347/Infection%20Rate%20-%20World%20(600x344)%5B1%5D_2.jpg"&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;However, the data we have available from Africa might not be as broad as in other regions.&lt;/P&gt;
&lt;P&gt;Another thing came to my mind. I was in &lt;A href="http://blogs.technet.com/rhalbheer/archive/2007/12/08/a-retrospect-on-my-trip-to-kenya.aspx" target=_blank mce_href="http://blogs.technet.com/rhalbheer/archive/2007/12/08/a-retrospect-on-my-trip-to-kenya.aspx"&gt;Kenya two years ago on a business trip&lt;/A&gt; and I learned one thing – the idea of shipping outdated PCs to Africa to help people there does not work as it requires them to run old and outdated software which makes them open for attacks. Simple, isn’t it?&lt;/P&gt;
&lt;P&gt;Looking at my figures, it is a problem but not smaller or bigger than any other region on this globe. Additionally, one of the reasons why our teams work so hard to get &lt;A href="http://www.microsoft.com/security_essentials/default.aspx" target=_blank mce_href="http://www.microsoft.com/security_essentials/default.aspx"&gt;Microsoft Security Essentials&lt;/A&gt; out of the door for all countries is just to reduce this threat: to make a professional Anti-Malware solution available, free of charge, to people who cannot afford one. &lt;/P&gt;
&lt;P&gt;Rather than being threatened, let’s welcome this continent on the “broadband Internet” and help them now to learn from our challenges and failures in the past.&lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3285281" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Behaviour/default.aspx">Behaviour</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Consumer/default.aspx">Consumer</category></item><item><title>Thoughts on the Registered Traveler Programs at Airports</title><link>http://blogs.technet.com/rhalbheer/archive/2009/09/30/thoughts-on-the-registered-traveler-programs-at-airports.aspx</link><pubDate>Wed, 30 Sep 2009 19:03:56 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3284097</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3284097.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3284097</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3284097</wfw:comment><description>&lt;p&gt;When I entered the US this time, I got a brochure on how I could avoid the line at immigration and just get a fast track by registering with the &lt;a href="http://www.cbp.gov/xp/cgov/travel/trusted_traveler/global_entry/" target="_blank"&gt;Global Entry Program&lt;/a&gt;, a program, which would pre-screen me and then I just have to register with a machine by entering the US. As I understand, this is a re-start of the &lt;a href="http://www.flyclear.com/" target="_blank"&gt;Clear&lt;/a&gt; program TSA had a few years back. 
I looked at it and as waiting time in the lines in Seattle (where I enter the US in 95% of the cases) is shorter than the waiting time for the luggage, there is no real benefit for me opposed to the privacy and security questions (yes, I am paranoid).&lt;/p&gt;  &lt;p&gt;This morning then, I read an interesting blog post by Bill Nagel, a Forrester analyst, called &lt;a href="http://blogs.forrester.com/srm/2009/09/its-the-database-stupid.html" target="_blank"&gt;It’s The Database, Stupid&lt;/a&gt;, covering some of the worries linked to those programs. It is a really good – not emotional – read.&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3284097" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Behaviour/default.aspx">Behaviour</category></item><item><title>Patch Management, a key step towards compliance!</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/22/patch-management-a-key-step-towards-compliance.aspx</link><pubDate>Fri, 22 May 2009 15:18:34 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3244527</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3244527.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3244527</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3244527</wfw:comment><description>&lt;p&gt;As you might have read, I recently blogged about my infrastructure and the future of a platform towards a better management of compliance – honestly, I actually played with our latest technology &lt;img alt="smile_embaressed" src="http://spaces.live.com/rte/emoticons/smile_embaressed.gif" /&gt;. 
&lt;/p&gt;  &lt;p&gt;I wrote about&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;a href="http://blogs.technet.com/rhalbheer/archive/2009/03/12/deploying-pki.aspx"&gt;Deploying PKI&lt;/a&gt; &lt;/li&gt;    &lt;li&gt;&lt;a href="http://blogs.technet.com/rhalbheer/archive/2009/03/16/time-sync-on-virtual-dcs.aspx"&gt;Time Sync on Virtual DCs&lt;/a&gt; &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;Now, a necessary and very important next step towards compliance as well as a secure environment is a sound Patch Management process and then – in the second place - the underlying technology. I blogged several times already about Patch Management as I see a lot of companies failing to deliver on this. I recently wrote a post called &lt;a href="http://blogs.technet.com/rhalbheer/archive/2009/03/26/patch-management-cover-the-whole-9-yards.aspx"&gt;Patch Management – Cover the whole 9 yards&lt;/a&gt;. In there I mention different papers you could/should read:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;a href="http://technet.microsoft.com/en-us/library/cc512589.aspx"&gt;Ten Principles of Microsoft Patch Management&lt;/a&gt; &lt;/li&gt;    &lt;li&gt;&lt;a href="http://technet.microsoft.com/en-us/library/bb466251.aspx"&gt;Update Management &lt;/a&gt;&lt;/li&gt;    &lt;li&gt;&lt;a href="http://technet.microsoft.com/en-us/library/cc700845.aspx"&gt;Update Management Process&lt;/a&gt; &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;and I reference Christopher Budd’s Ten Principles of Patch Management:&lt;/p&gt;  &lt;ol&gt;   &lt;li&gt;Service packs should form the foundation of your patch management strategy &lt;/li&gt;    &lt;li&gt;Make Product Support Lifecycle a key element in your strategy &lt;/li&gt;    &lt;li&gt;Perform risk assessment using the Severity Rating System as a starting point &lt;/li&gt;    &lt;li&gt;Use mitigating factors to determine applicability and priority &lt;/li&gt;    &lt;li&gt;Only use workarounds in conjunction with deployment &lt;/li&gt;    &lt;li&gt;Issues with Security Updates are documented 
in the Security Bulletin Master Knowledge Base Article &lt;/li&gt;    &lt;li&gt;Test updates before deployment &lt;/li&gt;    &lt;li&gt;Contact Microsoft Customer Support Services if you encounter problems in testing or deployment &lt;/li&gt;    &lt;li&gt;Use only methods and information recommended for detection and deployment &lt;/li&gt;    &lt;li&gt;The Security Bulletin is always authoritative &lt;/li&gt; &lt;/ol&gt;  &lt;p&gt;First of all (and you see that in the articles referenced above) it is of utmost importance to have a process in place. Basically the core schema to run such a process is:&lt;/p&gt;  &lt;p&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Cc700845.secmod193_1(en-us,TechNet.10)[1]" border="0" alt="Cc700845.secmod193_1(en-us,TechNet.10)[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/Cc700845.secmod193_1(en-us,TechNet.10)%5B1%5D_3.gif" width="335" height="334" /&gt;&lt;/p&gt;  &lt;p&gt;I have seen different complexities to deploy such processes. From highly complex to pretty simple and straightforward ones. Those of you who know me know that my preference is &lt;a href="http://en.wikipedia.org/wiki/KISS_principle" target="_blank"&gt;KISS (Keep it Simple, Stupid)&lt;/a&gt;. So, make the process as complex as necessary and as slim as possible.&lt;/p&gt;  &lt;p&gt;So, once you have the process in place and take a &lt;strong&gt;&lt;u&gt;conscious decision&lt;/u&gt;&lt;/strong&gt;, the question is about deployment and reporting. &lt;/p&gt;  &lt;p&gt;So, let’s talk about technology now.&lt;/p&gt;  &lt;p&gt;In order to get an overview of the state of your computers, you might use the &lt;a href="http://technet.microsoft.com/en-us/security/cc184924.aspx" target="_blank"&gt;Microsoft Baseline Security Analyzer&lt;/a&gt;. 
This is an excellent tool to scan your Windows machines and get an overview of the security state of the machines. It might not deliver the same level of sophistication as very expensive tools, but the difference is: We provide it for free and – in my opinion – it gives you a good starting point to look at vulnerabilities including the level of Security Updates of a given PC. Here is an example of one of these assessments:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%201_2.png" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="2009,05 - Patch Mgmt 1" border="0" alt="2009,05 - Patch Mgmt 1" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%201_thumb.png" width="500" height="578" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;But this does not really resolve your base problem about the Security Update compliance of the computers on your network as well as the distribution of them. From my point of view, there are different options to do so: &lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;If you are a small or medium business, one of the coolest solutions for you to go with is &lt;a href="http://www.microsoft.com/systemcenter/essentials/en/us/default.aspx" target="_blank"&gt;System Center Essentials&lt;/a&gt;. It is System Center Configuration Manager, System Center Operations Manager and Windows Server Update Services in one package. However, it is limited to 30 servers and 500 clients. If you are within this limit, it rocks. 
&lt;/li&gt;    &lt;li&gt;&lt;a href="http://www.microsoft.com/systemcenter/configurationmanager/en/us/default.aspx" target="_blank"&gt;System Center Configuration Manager&lt;/a&gt;: If you already use this technology to distribute software and configurations, leverage this. &lt;/li&gt;    &lt;li&gt;&lt;a href="http://technet.microsoft.com/en-us/wsus/default.aspx" target="_blank"&gt;Windows Server Update Services&lt;/a&gt;: It is kind of unbelievable but this is &lt;strong&gt;free&lt;/strong&gt;! So, to be clear – &lt;strong&gt;we do not charge for it&lt;/strong&gt;! You can download and install it and it scales even for large Enterprises (did I tell you already that it is free &lt;img alt="smile_wink" src="http://spaces.live.com/rte/emoticons/smile_wink.gif" /&gt;?). &lt;/li&gt;    &lt;li&gt;A third-party solution &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;I am using WSUS and am more than happy with it. The way I am organized is that I regularly get a mail from WSUS with the current state of “the nation”:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%202_2.png" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="2009,05 - Patch Mgmt 2" border="0" alt="2009,05 - Patch Mgmt 2" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%202_thumb.png" width="500" height="479" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;As I am mail-driven, this allows me to see what I have to do with regards to WSUS. 
I then can log-on to my WSUS server to get more granular reports:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%203_2.png" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="2009,05 - Patch Mgmt 3" border="0" alt="2009,05 - Patch Mgmt 3" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%203_thumb.png" width="500" height="261" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;From here on, I can decide, which actions I want to take, based on detailed reports I can get by clicking one of the texts in the UI:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%204_2.png" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="2009,05 - Patch Mgmt 4" border="0" alt="2009,05 - Patch Mgmt 4" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%204_thumb.png" width="500" height="388" /&gt;&lt;/a&gt;&amp;#160;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%205_2.png" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="2009,05 - Patch Mgmt 5" border="0" alt="2009,05 - Patch Mgmt 5" 
src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%205_thumb.png" width="500" height="388" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;BTW: this machine is patched in the meantime – so do not even think about it &lt;img alt="smile_wink" src="http://spaces.live.com/rte/emoticons/smile_wink.gif" /&gt;&lt;/p&gt;  &lt;p&gt;Even if you cannot enforce the security update level technically that way (and we will talk about Network Access Protection in a later post), it at least helps you to understand, where you stand and what you have to do in order to get compliant.&lt;/p&gt;  &lt;p&gt;Again (as I did so often) my call to action to you: Make sure that you have a straight-forward process in place and then use technology (like WSUS) to deploy the updates and ensure that you have deployed them correctly!&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3244527" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Technology/default.aspx">Technology</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Securing+My+Infrastructure/default.aspx">Securing My Infrastructure</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Behaviour/default.aspx">Behaviour</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Patch+Management/default.aspx">Patch Management</category></item><item><title>Get 
Safe Online – This Week</title><link>http://blogs.technet.com/rhalbheer/archive/2008/11/18/get-safe-online-this-week.aspx</link><pubDate>Tue, 18 Nov 2008 16:00:17 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3155772</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3155772.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3155772</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3155772</wfw:comment><description>&lt;p&gt;We see this concept all over Europe: There are National Security Awareness Days (or however they are called) in a lot of European countries. During these events, the industry (from software to banking to government to …) gets together to raise awareness of the most important trends in how criminals attack their victims.&lt;/p&gt;  &lt;p&gt;This week in the UK there is the &lt;a target="_blank" href="http://www.getsafeonline.org/nqcontent.cfm?a_id=1497"&gt;Get Safe Online Week&lt;/a&gt;, which to me is a very good example of how this can work out. 
A lot of partners come together this week to drive awareness around different themes in the area of Online Safety.&lt;/p&gt;  &lt;p&gt;I quote from their press release:&lt;/p&gt;  &lt;p&gt;&lt;em&gt;Today &lt;/em&gt;(which was actually yesterday) &lt;em&gt;the UK’s fourth annual Get Safe Online kicks off, a weeklong internet safety awareness campaign encouraging UK computer users to take steps to ensure that they and their machines are protected.&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;&lt;em&gt;In a time of economic uncertainty, online security is becoming even more important as the growth of the ‘shadow economy’ in stolen identities can mean a person’s assets such as savings accounts can be stolen and emptied faster than ever.&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;&lt;em&gt;Particularly, the use of ‘phishing attacks’ is rapidly on the rise – where criminals send fraudulent emails designed to trick internet users into submitting their financial or other confidential details. 23% of UK internet users surveyed said that they or someone they knew fell victim to such an attack this year, compared to just eight per cent in 2007.&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;&lt;em&gt;The image of the geeky hacker is inaccurate: the vast majority of computer crime in the UK is highly organized, with criminals dealing in the buying and selling of personal information used to defraud targets such as full name, address, passport details, driver's license number, date of birth, bank account details and sort codes, plus credit card numbers and security codes.&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;&lt;em&gt;Get Safe Online Week aims to give everyone the tools and confidence to enjoy and use the internet safely. 
In the span of a couple of hours, anyone can learn a few simple steps to remain up-to-date and aware about online safety – a small investment compared to the potential loss and inconvenience if they are instead victims of identity theft.&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;I think that this is a great initiative, which needs our broad support:&lt;/p&gt;  &lt;p align="center"&gt;&lt;a target="_blank" href="http://www.getsafeonline.org/"&gt;&lt;img src="http://www.getsafeonline.org/cache/cfx_imagecr3/459332E59AFFCD337BCA744030637CE0.gif" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3155772" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Events_2F00_Training/default.aspx">Events/Training</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Behaviour/default.aspx">Behaviour</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Consumer/default.aspx">Consumer</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Politics/default.aspx">Politics</category></item><item><title>Security Pros ignoring their own message</title><link>http://blogs.technet.com/rhalbheer/archive/2008/04/25/security-pros-ignoring-their-own-message.aspx</link><pubDate>Fri, 25 Apr 2008 10:17:16 GMT</pubDate><guid 
isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3044693</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3044693.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3044693</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3044693</wfw:comment><description>&lt;p&gt;As you probably know: I am Swiss. We have a saying in Switzerland (I do not know whether something like this exists in English as well) that the kids of the shoemaker always have the worst shoes… So, what about the security professionals? No, I am not talking about their shoes but what about the way they handle security?
&lt;/p&gt;&lt;p&gt;It seems that during Infosec (the information security exhibition in London) there were quite a few notebooks just lying around and – even worse – unlocked. Now, we ask the users to take care but we do not even do the basics right? I once said a few years ago that whenever I found an unlocked notebook in the office, I would add myself as a local admin (as most of us are admin on the box, this is a fairly easy task if the machine is not locked). Now, after doing that I waited for the next time we had a meeting together. It is the Microsoft attitude that you take your notebook to the meetings (and some do e-mails during the meetings :-( ). I then remotely rebooted their notebook… I can tell you, the look they had on their faces during that was really worth it.
&lt;/p&gt;&lt;p&gt;If you want to read the whole story on Infosec: Infosec: &lt;a href="http://www.vnunet.com/vnunet/news/2214974/security-ignoring-message"&gt;Security pros 'ignoring' their own message&lt;/a&gt;
	&lt;/p&gt;&lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3044693" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Behaviour/default.aspx">Behaviour</category></item></channel></rss>