<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Roger's Security Blog : Policy</title><link>http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx</link><description>Tags: Policy</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>International Collaboration on Policies for Cybersecurity and Data Protection</title><link>http://blogs.technet.com/rhalbheer/archive/2009/11/05/international-collaboration-on-policies-for-cybersecurity-and-data-protection.aspx</link><pubDate>Thu, 05 Nov 2009 20:41:43 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3291803</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3291803.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3291803</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3291803</wfw:comment><description>&lt;p&gt;For a few years now we have been working with the Council of Europe in a partnership to help drive a Cybersecurity treaty. We realize that a problem a lot of Law Enforcement agencies have is inconsistent legislation, which makes it unbelievably hard to catch the criminals. The Council of Europe treaty is a great starting point and has been ratified not only by most of the member states of the Council of Europe but by a lot of additional countries around the globe.&lt;/p&gt;  &lt;p&gt;Now, the European Union and the United States have agreed to treat such challenges as international issues and to develop joint policies based on shared values. 
&lt;/p&gt;  &lt;p&gt;Unfortunately, the agreement is not too concrete, but the fact that we have an agreement in place at all gives us reason to hope: &lt;a href="http://www.se2009.eu/polopoly_fs/1.21271%21menu/standard/file/EU-US%20Joint%20Statement%2028%20October%202009.pdf" target="_blank"&gt;EU-US Joint Statement on &amp;quot;Enhancing transatlantic cooperation in the area of Justice, Freedom and Security&amp;quot;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category></item><item><title>Why it pays to be secure – Chapter 3 – But how do I?</title><link>http://blogs.technet.com/rhalbheer/archive/2009/10/18/why-it-pays-to-be-secure-chapter-3-but-how-do-i.aspx</link><pubDate>Sun, 18 Oct 2009 18:20:00 GMT</pubDate><guid 
isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3287536</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3287536.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3287536</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3287536</wfw:comment><description>&lt;P&gt;Our EMEA Security Program Manager, Henk van Roest, started this series internally and with his consent I am publishing it here in my blog as I think it contains a lot of great information for you to use.&lt;/P&gt;
&lt;HR&gt;

&lt;P&gt;Security — you hear about it every day. Being responsible for information security can be a daunting task, so where do you begin? &lt;/P&gt;
&lt;P&gt;From the design of acceptable use policies to preventing insiders from stealing data, the job can be a challenging one. Join Kai Axford, Senior Security Strategist with the Microsoft Trustworthy Computing Group, as he explores each layer of Defense in Depth during this eight-part webcast series. Kai shows you how to mitigate the new risks in security and may have you rethinking the methods you’re using. He also spends time talking about your hot topics of the day. &lt;/P&gt;
&lt;P&gt;Specifically, it is an 8-part series, as detailed below:&lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4371" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4371"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 1 of 8): Why Does Security Matter? (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 7, 2008 &lt;/P&gt;
&lt;P&gt;In the first session of the series, we discuss risk and the impact of security on the business. We look at some popular methods to assess risk and identify the need for an overall security strategy. We also explore why you should care about information security, how to measure the success of your program, and how to prove it to your boss using the concept of Return on Security Investment (ROSI). Learn how security impacts the cash flow of your business. &lt;STRONG&gt;Bring your CFO to this one!&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4372" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4372"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 2 of 8): All Bark and No Bite (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 8, 2008 &lt;/P&gt;
&lt;P&gt;In our second session, we take a look at what is considered to be the most important aspect of information security: security policies. We discuss the policies that exist within your company and how to strengthen them. After all, what good is a policy if it is not enforceable? We also investigate the most cost-effective way for you to increase the security posture of your business. What is it? You have to tune in to see! You will not be disappointed. &lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4373" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4373"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 3 of 8): Gates, Guards, and Guns (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 9, 2008 &lt;/P&gt;
&lt;P&gt;Today we look at an aspect of information security that is often overlooked by technical folks. It is the physical security aspect of our job. Are you aware that every year at DEFCON there is a lock picking contest? In this session, we dive into various techniques and methods that we should be considering when it comes to providing physical security around our datacenters. We discuss some of the recent trends in this area, such as IP video surveillance, and also discuss resources that can assist you in coming up with a good overall physical security plan. (No locks were harmed in preparation of this session.)&lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4374" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4374"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 4 of 8): Living on the Edge (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 10, 2008 &lt;/P&gt;
&lt;P&gt;In case you are not aware, the Internet is not a safe and happy place. Have you thought about all the other branch offices and partners you are connected to? Bad things are going on and you would like to do what you can to keep them out in the wild. In today's session, we look at some of those risks, and also discuss some technologies you should be considering when looking at securing the perimeter. You know about Intrusion Protection Systems (IPS), Intrusion Detection Systems (IDS), and firewalls, but are they doing any good? Is the DMZ as we know it today…dead? &lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4375" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4375"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 5 of 8): Keeping Your House in Order (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 14, 2008 &lt;/P&gt;
&lt;P&gt;We start the week by discussing a problem that is close to your heart: your network. But how can we even begin to take on that challenge? What are some of the things on the horizon that we need to be aware of? In this session, we look at technologies and concepts such as IP Security (IPSec) Domain Isolation and Network Access Protection (NAP). We also look into some practical things that you should be doing right now to protect one of your most valuable assets.&lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4376" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4376"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 6 of 8): Save the Box, Save the Network (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 15, 2008 &lt;/P&gt;
&lt;P&gt;Servers. We all love them. Wouldn't it be so much easier if we simply did away with everything else? There is no argument that the multitude of desktops, laptops, and mobile devices has created headaches for the IT security professional. Just when you lock down a desktop, the sales guy gets a new laptop, and then a new mobile phone. We cannot (legally) eliminate the users, but join us to see what we can do to stay ahead of the risks! &lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4377" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4377"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 7 of 8): If You Build It (Securely), They Won't Come (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 16, 2008 &lt;/P&gt;
&lt;P&gt;Grab the caffeine and pizza! Today we step into the dark underground of AppDev and discuss methods for securing applications that run inside your infrastructure. As we harden the network and hosts, the bad guys are looking for other ways in, and often it is the applications being written by your own developers. Do your developers have the time and tools required to build their applications securely, or is security merely an afterthought? What tools are available to assist them? We show you today. No coding required. &lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4378" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4378"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 8 of 8): If a Terabyte Falls in the Middle of the (Active Directory) Forest (Level 200)&lt;/A&gt; &lt;/B&gt;&lt;B&gt;Original Air Date: &lt;/B&gt;January 17, 2008&lt;/P&gt;
&lt;P&gt;Got data? Sure you do, but how much? Where is it? How is it protected? What is it worth to you? Which is the most important? If you could save only one database, which would it be? Answers to all these burning questions, as well as some closing thoughts from Kai, are going to be covered in this final session. You do not want to miss this electrifying and intense final webcast!&lt;/P&gt;
&lt;HR&gt;
Henk and Roger 
</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Events_2F00_Training/default.aspx">Events/Training</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Technology/default.aspx">Technology</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Behaviour/default.aspx">Behaviour</category></item><item><title>Is the “Managed Desktop” the ultimate 
solution?</title><link>http://blogs.technet.com/rhalbheer/archive/2009/09/01/is-the-managed-desktop-the-ultimate-solution.aspx</link><pubDate>Tue, 01 Sep 2009 11:39:09 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3278422</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3278422.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3278422</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3278422</wfw:comment><description>&lt;p&gt;When I talk about the big trends, one of them is the call of the younger generation for more flexibility. Flexibility in this context is about where you work, when you work and how you organize yourself. If you take this as a given, you have to wonder whether today’s IT is able to cope with that. In a lot of companies, IT rolls out a “one size fits all” image to the desktop, making sure everybody has the same image. This definitely has a good side, as managing it is less expensive when you know what the image looks like (or should look like).&lt;/p&gt;  &lt;p&gt;The more time passes, the more I question that for a limited set of users. Just to be very clear: I do not say that you should change this policy completely, but it might be worth considering changing it for a defined set of users. Let me give you a few examples:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;There was one company (a worldwide company) which decided to let you take a test (if you want), and if you prove to be able to handle your computer yourself, you get money to buy what you think you need. &lt;/li&gt;    &lt;li&gt;I used to work for a consulting company which was running Windows XP back then. You had basically two options: You could get a standard image loaded and completely managed by IT. Or you could get a standard image loaded, get local admin rights and take care of it yourself. 
If you had problems, they tried to help you a little bit but pretty soon decided to flatten your computer and install the standard image – that was the risk you had to deal with, but it worked fairly well (except for a lot of people being local admin on their box). &lt;/li&gt;    &lt;li&gt;Last but definitely not least – look at Microsoft. You can get the Microsoft IT image if you want (you can even do it yourself over the network) or install and join the machine to the domain yourself. This makes sense as a lot of people have a different appetite for betas and beta testing. Additionally, a Country Manager might have different needs than I do. The key thing here is policy compliance and ensuring policy compliance – this is where Network Access Protection comes into play (something I want to blog about later). &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;So, giving the next generation the right tools to be productive rather than limiting their productivity will be a real key challenge, I guess. &lt;/p&gt;  &lt;p&gt;For quite some time I felt like the lonely guy in the desert. I once actually had a CSO leave the room when I said this (about 3-4 years ago). I now just stumbled across an article: &lt;a href="http://www.slate.com/id/2226279" target="_blank"&gt;Unchain the Office Computers! Why corporate IT should let us browse any way we want&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;Well, I do not like the Firefox example ;-) but basically this will be the future – I am convinced. Rather than walking around and telling everybody that this is not possible due to security reasons, we have to think about how to make it possible. What would this mean? E.g. 
persistent protection of information (Rights Management), enforcing policy compliance on the network, the perimeter will probably be between client and server (or between trusted and untrusted systems, or between compliant and non-compliant systems)…&lt;/p&gt;  &lt;p&gt;At least there will be a lot of interesting stuff to do…&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Trends/default.aspx">Trends</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category></item><item><title>Security Policies – Confidentiality</title><link>http://blogs.technet.com/rhalbheer/archive/2009/09/01/security-policies-confidentiality.aspx</link><pubDate>Tue, 01 Sep 2009 09:44:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3278407</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3278407.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3278407</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3278407</wfw:comment><description>&lt;P&gt;Hmm, think about it when you write the next version of your policy:&lt;/P&gt;
&lt;P&gt;&lt;A title=Dilbert.com href="http://dilbert.com/strips/comic/2009-08-20/" mce_href="http://dilbert.com/strips/comic/2009-08-20/"&gt;&lt;IMG border=0 alt=Dilbert.com src="http://dilbert.com/dyn/str_strip/000000000/00000000/0000000/000000/60000/4000/700/64748/64748.strip.gif" width=593 height=175 mce_src="http://dilbert.com/dyn/str_strip/000000000/00000000/0000000/000000/60000/4000/700/64748/64748.strip.gif"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Fun/default.aspx">Fun</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category></item><item><title>Windows 7 XP Mode - Sophos error: facts not found</title><link>http://blogs.technet.com/rhalbheer/archive/2009/08/27/windows-7-xp-mode-sophos-error-facts-not-found.aspx</link><pubDate>Thu, 27 Aug 2009 22:09:55 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3277573</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3277573.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3277573</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3277573</wfw:comment><description>&lt;p&gt;Well, the title is not completely from me – I just quoted another blog post. I wrote recently on &lt;a href="http://blogs.technet.com/rhalbheer/archive/2009/08/17/why-windows-7-xp-mode-makes-sense-from-a-security-perspective.aspx" target="_blank"&gt;Why Windows 7 XP Mode makes sense from a security perspective&lt;/a&gt; and was even quoted on The Register. The “funny” thing was the history of that blog post: I was reading some Tweets and blogs where XP Mode was just being questioned. I actually never read &lt;a href="http://www.sophos.com/blogs/gc/g/2009/07/17/guest-blog-xp-mode-demonstrating-security-microsofts-priority" target="_blank"&gt;Richard Jacobs’ blog post&lt;/a&gt; on this. 
I just wanted to share the process I went through.&lt;/p&gt;  &lt;p&gt;However, my post again caused a &lt;a href="http://www.sophos.com/blogs/gc/g/2009/08/18/guest-blog-xp-mode-windows-7-positive-step-security" target="_blank"&gt;reply by Jacobs&lt;/a&gt; – so he seems to read my blog… &lt;/p&gt;  &lt;p&gt;Unfortunately, he got some facts quite wrong – but at least he got some attention. If you are interested in the facts, read James O’Neill’s post called &lt;a href="http://blogs.technet.com/jamesone/archive/2009/08/18/sophos-error-facts-not-found.aspx" target="_blank"&gt;Sophos error: facts not found&lt;/a&gt; – which is where I have the title from.&lt;/p&gt;  &lt;p&gt;As I wrote in the first post: XP Mode is here to help our customers benefit from the indisputably higher security of Windows 7 for 95% of their tasks while removing the migration blocker called “compatibility” by using XP Mode. Let me give you another example:&lt;/p&gt;  &lt;p&gt;I helped a SME last weekend to migrate from an XP environment (even their server was on XP) to a state-of-the-art Windows Server 2008 SBS and Windows Vista environment. We failed, because of one application: a 16-bit DOS accounting application which we were unable to stabilize on Windows Vista or get to print. Even though we switched on all the compatibility settings, it crashed about every 15 minutes. Migrating off this application is not an option, as one of their customers is still using it. 
So, what are the options:&lt;/p&gt;  &lt;ol&gt;   &lt;li&gt;Fall back to XP &lt;/li&gt;    &lt;li&gt;Live with the crashes &lt;/li&gt;    &lt;li&gt;Find a solution…… &lt;/li&gt; &lt;/ol&gt;  &lt;p&gt;What we did in the end (after several hours of trial and error) was to keep one old XP box and use Remote Desktop to run this DOS application – basically we did XP Mode on a physical level instead of virtually, and far less transparently for the user than with XP Mode – however, managing the XP box now is definitely harder (or at least as hard) than XP Mode (see James’ post).&lt;/p&gt;  &lt;p&gt;So, as I said in my first post on this: It is all about Risk Management.&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category></item><item><title>Why it pays to be secure – Chapter 1 – Data Breaches</title><link>http://blogs.technet.com/rhalbheer/archive/2009/08/27/why-it-pays-to-be-secure-chapter-1-data-breaches.aspx</link><pubDate>Thu, 27 Aug 2009 12:20:19 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3277406</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3277406.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3277406</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3277406</wfw:comment><description>&lt;p&gt;Our EMEA Security Program Manager, Henk van Roest, started 
this series internally and with his consent I am publishing it here in my blog as I think it contains a lot of great information for you to use.&lt;/p&gt;  &lt;hr /&gt;  &lt;p&gt;Returning to the theme of deploying security updates once more, we need to look at the potential cost of not deploying updates, breaches……&lt;/p&gt;  &lt;p&gt;Studies are available for the years 2007 &amp;amp; 2008 for US, UK and Germany as examples:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://www.encryptionreports.com/costofdatabreach.html"&gt;http://www.encryptionreports.com/costofdatabreach.html&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Extract from United States Report:&lt;/p&gt;  &lt;p&gt;Among the study’s key findings:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Total costs continue to increase: The total average costs of a data breach grew to $202 per record compromised, an increase of 2.5 percent since 2007 ($197 per record) and 11 percent compared to 2006 ($182 per record). &lt;strong&gt;Breaches are costly events for an organization; the &lt;u&gt;average&lt;/u&gt; total cost per reporting company was more than $6.6 million per breach (up from $6.3 million in 2007 and $4.7 million in 2006) and ranged from $613,000 to almost $32 million.&lt;/strong&gt; &lt;/li&gt;    &lt;li&gt;Cost of lost business continues to carry the highest impact: The cost of lost business continued to be the most costly effect of a breach averaging $4.59 million or $139 per record compromised. &lt;u&gt;Lost business now accounts for 69 percent of data breach costs&lt;/u&gt;, up from 65 percent in 2007, compared to 54 percent in the 2006 study. &lt;/li&gt;    &lt;li&gt;Third-party data breaches increase, and cost more: &lt;u&gt;Breaches by third-party organizations such as outsourcers, contractors, consultants, and business partners were reported by 44 percent of respondents&lt;/u&gt;, up from 40 percent in 2007, up from 29 percent in 2006 and 21 percent in 2005. Per-victim cost for third party flubs is $52 higher (e.g., $231 vs. 
$179) than if the breach is internally caused. &lt;/li&gt;    &lt;li&gt;“First timers” cost more, repeat breaches continue: Data breaches experienced by “first timers” are more expensive than those experienced by organizations that have had previous data breaches. Per-victim cost for a first time data breach is $243 vs. $192 for experienced companies. More than 84% of all cases in this year’s study involved organizations that had more than one major data breach. &lt;/li&gt;    &lt;li&gt;Training and awareness programs lead companies’ efforts to prevent future breaches, according to 53% of respondents. Forty-nine percent are creating additional manual procedures and controls. &lt;u&gt;Of the technology options, 44% of companies have expanded their use of encryption technologies, followed by identity and access management solutions to prevent future data breaches.&lt;/u&gt; &lt;/li&gt; &lt;/ul&gt;  &lt;hr /&gt;Henk and Roger   &lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3277406" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category></item><item><title>Why it pays to be secure - Introduction</title><link>http://blogs.technet.com/rhalbheer/archive/2009/08/22/why-it-pays-to-be-secure-introduction.aspx</link><pubDate>Sat, 22 Aug 2009 13:06:40 GMT</pubDate><guid 
isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3275879</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3275879.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3275879</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3275879</wfw:comment><description>&lt;p&gt;Henk van Roest, our EMEA Security Program Manager is running a pretty successful internal blog. Before summer vacation he started a series called “Why it pays to be secure” which I think has some great information in it. I asked him then to go public with it but he told me that he is not doing this kind of outside communication but that I should feel free to use the content, which I am going to do – thank you Henk.&lt;/p&gt;  &lt;p&gt;I will basically copy/paste his series over time. So I do not want to take the credit for the great work he did. Let’s start with his introduction today.&lt;/p&gt;  &lt;hr /&gt;  &lt;p&gt;In the Security Incident Response Team we are often faced with support cases from customers compromised through some malware which is wreaking havoc in their environment.&lt;/p&gt;  &lt;p&gt;Usually the customer says that deploying updates to software (not just MS Software) is too time consuming, too expensive and too disruptive to their environment.&amp;#160; Of course the resulting issue is usually also quite disruptive e.g. 
Conficker.&lt;/p&gt;  &lt;p&gt;Microsoft has done a great deal of research into managing an IT environment as well as numerous studies with some of our customers to discover the “True” cost of a managed environment.&lt;/p&gt;  &lt;p&gt;I thought it was useful to start a series of posts on the subject of &lt;a href="http://technet.microsoft.com/en-us/updatemanagement/bb245735.aspx"&gt;Update Management&lt;/a&gt; and &lt;a href="http://technet.microsoft.com/en-gb/infrastructure/default.aspx"&gt;Infrastructure Optimization&lt;/a&gt; that might allow you to have good conversations with your customers on the subject.&lt;/p&gt;  &lt;p&gt;So for the purpose of this introduction I’ll just copy one little piece from a study done in 2006 (so this is not a ‘new’ thing):&lt;/p&gt;  &lt;p&gt;&lt;b&gt;WINDOWS DESKTOP BEST PRACTICES &lt;/b&gt;&lt;/p&gt;  &lt;p&gt;In this research, IDC evaluated more than 20 potential best practices and identified three that are consistently used by top-performing IT departments for optimizing Windows desktops.&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;b&gt;Standard desktop strategy (savings of $110/PC). &lt;/b&gt;Deploying a standardized desktop by minimizing hardware and software configurations. &lt;/li&gt;    &lt;li&gt;&lt;b&gt;Centrally managed PC settings and configuration (savings of $190/PC): &lt;/b&gt;Keeping deployed PCs standardized by preventing users from making changes that compromise security, reliability and the application portfolio. &lt;/li&gt;    &lt;li&gt;&lt;b&gt;Comprehensive PC security (savings of $130/PC): &lt;/b&gt;Proactively addressing security with antivirus, antispyware, patching, and quarantine. 
&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;&lt;a href="http://download.microsoft.com/download/a/4/4/a4474b0c-57d8-41a2-afe6-32037fa93ea6/IDC_windesktop_IO_whitepaper.pdf"&gt;http://download.microsoft.com/download/a/4/4/a4474b0c-57d8-41a2-afe6-32037fa93ea6/IDC_windesktop_IO_whitepaper.pdf&lt;/a&gt;&lt;/p&gt;  &lt;hr /&gt;Henk and Roger  &lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3275879" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category></item><item><title>Legal Risks of the Cloud</title><link>http://blogs.technet.com/rhalbheer/archive/2009/08/20/legal-risks-of-the-cloud.aspx</link><pubDate>Thu, 20 Aug 2009 15:36:43 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3275246</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3275246.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3275246</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3275246</wfw:comment><description>&lt;p&gt;I just stumbled across an interesting blog post named &lt;a href="http://infoseccompliance.com/2009/08/18/legal-implications-of-cloud-computing-part-one-the-basics-and-framing-the-issues/"&gt;Legal Implications of Cloud Computing&lt;/a&gt;. 
I am not a lawyer and therefore unable to judge the details but overall it gives a good view of the risks and challenges.&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3275246" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cloud+Computing/default.aspx">Cloud Computing</category></item><item><title>Kaspersky’s View of a Secure Internet – Does this make sense? I think not</title><link>http://blogs.technet.com/rhalbheer/archive/2009/07/19/kaspersky-s-view-of-a-secure-internet-does-this-make-sense-i-think-not.aspx</link><pubDate>Sun, 19 Jul 2009 19:33:34 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3266183</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3266183.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3266183</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3266183</wfw:comment><description>&lt;p&gt;A few months ago, I already had some discussions with Eugene Kaspersky during an event of the Council of Europe on Cybercrime, how to address cybercrime on the Internet. At the moment, I am on a very, very slow connection and only got what I saw in my RSS feed enclosure, and could not verify the whole article, but it is pretty much in line with the discussion we had there:&lt;/p&gt;  &lt;p&gt;So, let me try to give you a perspective and some comments in this context. He seems to say: &lt;em&gt;The short term solution is to get global cooperation with the police, because the police of different countries don’t know how to collaborate with one another. 
He believes the police want more successful investigations, not just to stop the criminals but to also own the list of successes. So nothing is getting done and each one is blaming the other for the problem. We have to start to work together, think globally, and create a global police force.&lt;/em&gt; I could not agree more with this but I am going one significant step further: We do not “only” need a better collaboration between the different police forces in different countries (or within a single country), we need a better collaboration between Law Enforcement, Judges, Prosecutors and the private sector. This requires a different way of thinking by all the parties but it is absolutely necessary. The biggest challenge here is that there is no history of deep trust between these parties. From what I know, the Council of Europe is a great catalyst to help us all to get there. Additionally there are extremely good people in the different bodies like Interpol and Europol who really want to move this on.&lt;/p&gt;  &lt;p&gt;Next: &lt;em&gt;The long term solution is to get governments around the globe to implement a universal list of rules and regulations for the public internet network.&lt;/em&gt; Well, yes and no. I am not completely sure whether I want this. If these rules are written together with the industry, there is a certain chance that we regulate the right thing. However, knowing the different players at the moment, there is a good chance that this will not be used for the sake of a safer Internet but only to get a competitive advantage – and this would be really bad!&lt;/p&gt;  &lt;p&gt;Finally he says: &lt;em&gt;In addition, a personal ID will be required for internet access and for logging into financial websites, similar to a driver’s license or insurance card. “If you want to get connected or onto a website you will have to present an ID.” He explains. &lt;/em&gt;This is where we had the discussion, as I fundamentally object to this idea. 
This is – in my opinion – not feasible as it would destroy one of the biggest advantages of the Internet: Free speech. Think about the recent events in Iran: Would the same kind of communication have been feasible if we had had strong authentication? Definitely not.&lt;/p&gt;  &lt;p&gt;So, what we need is a model which allows for both – and this is what we think claims-based authentication is about to deliver – it is part of the &lt;a href="http://www.microsoft.com/endtoendtrust" target="_blank"&gt;End to End Trust&lt;/a&gt; framework we introduced earlier.&lt;/p&gt;  &lt;p&gt;So, I think that Eugene should stop with this claim. It does not really add to a fruitful discussion. Let’s collaborate (as stated above) to jointly work towards one goal: A safer Internet.&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3266183" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Politics/default.aspx">Politics</category></item><item><title>Physical Security: ATMs equipped with Pepper Spray</title><link>http://blogs.technet.com/rhalbheer/archive/2009/07/10/physical-security-atms-equipped-with-pepper-spray.aspx</link><pubDate>Fri, 10 Jul 2009 15:36:15 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3262713</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3262713.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3262713</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3262713</wfw:comment><description>&lt;p&gt;This is “real” hard-core security. If the ATM feels that it is tampered with, it releases pepper spray. It is kind of a “self-defense” mechanism. 
I just hope it never thinks that I am tampering with the machine when I just want to get money…&lt;/p&gt;  &lt;p&gt;&lt;a href="http://www.iol.co.za/index.php?set_id=1&amp;amp;click_id=15&amp;amp;art_id=vn20090709112643917C840069" target="_blank"&gt;ATMs fitted with pepper spray&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3262713" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Consumer/default.aspx">Consumer</category></item><item><title>How we do IT: Direct Access</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/25/how-we-do-it-direct-access.aspx</link><pubDate>Mon, 25 May 2009 11:02:54 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3245231</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3245231.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3245231</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3245231</wfw:comment><description>&lt;p&gt;You might know that we have something we call the &lt;a href="www.microsoft.com/technet/itshowcase" target="_blank"&gt;Microsoft IT Showcase&lt;/a&gt;, where our internal IT shows how they use our technology to run our environment. 
&lt;/p&gt;  &lt;p&gt;Now, we just published a new article, which might be interesting for you to read called &lt;a href="http://technet.microsoft.com/en-us/library/dd819155.aspx" target="_blank"&gt;Using DirectAccess to Provide Secure Access to Corporate Resources from Anywhere&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;I tell you (as a long-term user of DirectAccess): This technology really rocks!&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3245231" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category></item><item><title>File Classification Infrastructure in Windows Server 2008 R2</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/14/file-classification-infrastructure-in-windows-server-2008-r2.aspx</link><pubDate>Thu, 14 May 2009 17:56:27 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3241247</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3241247.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3241247</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3241247</wfw:comment><description>&lt;p&gt;We recently revealed the File Classification Infrastructure in Windows Server 2008 R2. This infrastructure can help you to classify files not only based on the location where it is stored but based on content as well. 
However, there is not too much value for me to blog more about that, let the experts speak: &lt;a href="http://blogs.technet.com/filecab/archive/2009/05/11/classifying-files-based-on-location-and-content-using-the-file-classification-infrastructure-fci-in-windows-server-2008-r2.aspx" target="_blank"&gt;Classifying files based on location and content using the File Classification Infrastructure (FCI) in Windows Server 2008 R2&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;div class="wlWriterHeaderFooter" style="text-align:left; margin:0px; padding:4px 0px 4px 0px;"&gt;&lt;a href="http://digg.com/submit?url=http%3a%2f%2fblogs.technet.com%2frhalbheer%2farchive%2f2009%2f05%2f14%2ffile-classification-infrastructure-in-windows-server-2008-r2.aspx&amp;amp;title=File+Classification+Infrastructure+in+Windows+Server+2008+R2"&gt;&lt;img src="http://digg.com/img/badges/100x20-digg-button.png" width="100" height="20" alt="Digg This" title="Digg This" border="0" style="border: 0" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3241247" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category></item><item><title>Google Chrome and Silent Patching</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx</link><pubDate>Mon, 11 May 2009 04:58:49 GMT</pubDate><guid 
isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3238546</guid><dc:creator>rhalbh</dc:creator><slash:comments>18</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3238546.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3238546</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3238546</wfw:comment><description>&lt;p&gt;This morning I opened one of the Swiss Sunday newspapers and Google Chrome made it to the front-page with a “best practice approach” for deploying security updates. In the article itself it was claimed that Chrome is one of the best browsers with regards to security as they deploy patches silently, without letting the user know, even if Chrome is not running, and there is no way to disable this. Here are some similar stories:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;a href="http://www.thetechherald.com/article.php/200919/3594/Report-Using-silent-updates-boosts-browser-security" target="_blank"&gt;Report: Using silent updates boosts browser security&lt;/a&gt;&lt;/li&gt;    &lt;li&gt;&lt;a href="http://robmensching.com/blog/posts/2008/9/10/Google-Chrome.-updates-without-asking"&gt;Google Chrome... updates without asking.&lt;/a&gt;&lt;/li&gt;    &lt;li&gt;&lt;a href="http://www.favbrowser.com/google-is-wise-chrome-updates-silently/" target="_blank"&gt;Google is Wise, Chrome Updates Silently&lt;/a&gt;&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;Give me a break here.&lt;/p&gt;  &lt;p&gt;I am really tired of hearing those things. When Chrome shipped, three things actually hit my inbox:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Chrome was shipped (in a Beta) with a few pretty significant vulnerabilities in it, which were known for quite a while (like the carpet bombing flaw). The excuse by Google was “it is just a beta”. 
Tell me please, how you would comment if we had done the same with Windows 7.&lt;/li&gt;    &lt;li&gt;I got quite a few mails from angry customers and journalists telling me that Chrome found a way around User Account Control as Chrome installs without UAC kicking in. Journalists called as they claimed to have found “a severe vulnerability”, customers called as they were angry with us as Chrome simply popped up all over the place in their network even though their users were non-admin. Well, well, Chrome simply installs an executable in the user context, into directories to which the user has write permissions. So, for sure Chrome can install – really bad practice in my opinion.&lt;/li&gt;    &lt;li&gt;There was a pretty strange paragraph in the EULA which was then removed later.&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;And now the silent patching. A few years back, when we designed Windows XP SP2 we talked about switching Automatic Updates on by default. This caused a lot of people to scream and tell us that it is unacceptable to switch AU on by default (which we actually do in the meantime). We recently updated the Windows Update client – and it caused a lot of you to scream and tell us that it is unacceptable for us to silently update a component on Windows. And we heard you loud and clear. &lt;strong&gt;And now I hear that Chrome is best practice because they silently fix security vulns? And you cannot even switch this off?&lt;/strong&gt; So, what is the policy the industry shall follow?&lt;/p&gt;  &lt;p&gt;I agree that the most secure way for consumers would be to automatically fix security vulns. This is actually what I tell my parents: Simply install security updates. This is for consumers and &lt;u&gt;there is an option&lt;/u&gt;. Not having an option is unacceptable – at least for me. Additionally, again for the consumer, having Anti-Malware being part of the Operating System out of the box and enabled by default would be desirable. 
However, this is not acceptable today for competition reasons. &lt;/p&gt;  &lt;p&gt;So, what I do not get is why people do not look at these problems holistically and more from a policy perspective rather than from a company by company perspective. Silently installing components without even giving me the option to choose is not acceptable today for me – but I want to have the option to do it if I want.&lt;/p&gt;  &lt;p&gt;And finally: I would question the enterprise-readiness of such software. At least, I would never deploy it in an enterprise environment.&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;div class="wlWriterHeaderFooter" style="text-align:left; margin:0px; padding:4px 0px 4px 0px;"&gt;&lt;a href="http://digg.com/submit?url=http%3a%2f%2fblogs.technet.com%2frhalbheer%2farchive%2f2009%2f05%2f11%2fgoogle-chrome-and-silent-patching.aspx&amp;amp;title=Google+Chrome+and+Silent+Patching"&gt;&lt;img src="http://digg.com/img/badges/100x20-digg-button.png" width="100" height="20" alt="Digg This" title="Digg This" border="0" style="border: 0" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3238546" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/OpenSource/default.aspx">OpenSource</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Competition/default.aspx">Competition</category></item><item><title>The Carbon Footprint of Spam</title><link>http://blogs.technet.com/rhalbheer/archive/2009/04/25/the-carbon-footprint-of-spam.aspx</link><pubDate>Sat, 25 Apr 2009 22:36:18 GMT</pubDate><guid 
isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3230526</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3230526.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3230526</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3230526</wfw:comment><description>&lt;p&gt;McAfee just published an interesting report as they are taking a different approach on Spam. They were looking at the environmental impact of Spam. So, how much energy do we have to invest in order to fight spam?&lt;/p&gt;  &lt;p&gt;These are the key findings from their report:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;An estimated worldwide total of 62 trillion spam emails were sent in 2008 &lt;/li&gt;    &lt;li&gt;Globally, annual spam energy use totals 33 billion kilowatt-hours (kWh), or 33 terawatt hours (TWh). That’s equivalent to the electricity used in 2.4 million homes in the United States, with the same GHG emissions as &lt;strong&gt;3.1 million passenger cars using two billion United States gallons of gasoline&lt;/strong&gt;. &lt;/li&gt;    &lt;li&gt;Spam filtering saves 135 TWh of electricity per year. &lt;strong&gt;That’s like taking 13 million cars off the road&lt;/strong&gt; &lt;/li&gt;    &lt;li&gt;If every inbox were protected by a state-of-the-art spam filter, organizations and individuals &lt;strong&gt;could reduce today’s spam energy by approximately 75 percent or 25 TWh per year. That’s equivalent to taking 2.3 million cars off the road&lt;/strong&gt; &lt;/li&gt;    &lt;li&gt;The average GHG emission associated with a single spam message is 0.3 grams of CO2. 
That’s like driving three feet (one meter) in equivalent emissions, but when multiplied by the annual volume of spam, it’s like driving around the Earth 1.6 million times &lt;/li&gt;    &lt;li&gt;A year’s email at a typical medium-size business uses 50,000 KWh; more than one fifth of that annual use can be associated with spam &lt;/li&gt;    &lt;li&gt;Filtering spam is beneficial, but fighting spam at the source is even better. When McColo, a major source of online spam, was taken offline in late 2008, the energy saved in the ensuing lull —&amp;#160; before spammers rebuilt their sending capacity —&amp;#160; equated to taking 2.2 million cars off the road &lt;/li&gt;    &lt;li&gt;Much of the energy consumption associated with spam (80 percent) comes from end-users deleting spam and searching for legitimate email (false positives). Spam filtering accounts for just 16 percent of spam-related energy use &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;And that’s just by using Spam-Filters! The whole report can be found here: &lt;a href="http://newsroom.mcafee.com/images/10039/carbonfootprint2009.pdf" target="_blank"&gt;The Carbon Footprint of Email Spam&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;Needless to say that – if you are using Exchange you already have a good Spam-protection out of the box. You even get better with Forefront for Exchange and even better with Stirling:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;For Exchange Server 2003 it is the &lt;a href="http://technet.microsoft.com/en-us/exchange/bb288484.aspx" target="_blank"&gt;Intelligent Message Filter&lt;/a&gt; &lt;/li&gt;    &lt;li&gt;In Exchange Server 2007, there are different technologies applied. You find the corresponding information &lt;a href="http://technet.microsoft.com/en-us/library/aa997658.aspx" target="_blank"&gt;here&lt;/a&gt;. 
&lt;/li&gt;    &lt;li&gt;And Forefront: &lt;a href="http://technet.microsoft.com/en-us/library/aa997658.aspx" target="_blank"&gt;Protecting Your Microsoft Exchange Organization with Microsoft Forefront Security for Exchange Server&lt;/a&gt; &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;I deployed Stirling, the next version of Forefront, on my Exchange Server. I have five active mailboxes (really a huge load &lt;img alt="smile_wink" src="http://spaces.live.com/rte/emoticons/smile_wink.gif" /&gt;) and a few operational ones. The figures from Stirling are very interesting:&lt;/p&gt;  &lt;p&gt;During the last month, I got 58’636 incoming messages. My Spam-Filter found 57’439 as being Spam, which means that I had a Spam-Rate of 97.96% (and I do not know of any mail I lost in transit).&lt;/p&gt;  &lt;p&gt;If you look at the overview statistics, it looks like this:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheCarbonFootprintofSpam_C5C1/2009,05%20Spam%203_2.png" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="2009,05 Spam 3" border="0" alt="2009,05 Spam 3" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheCarbonFootprintofSpam_C5C1/2009,05%20Spam%203_thumb.png" width="500" height="102" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;The details of the connection filter:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheCarbonFootprintofSpam_C5C1/2009,05%20Spam%201_2.png" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="2009,05 Spam 1" border="0" alt="2009,05 Spam 1" 
src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheCarbonFootprintofSpam_C5C1/2009,05%20Spam%201_thumb.png" width="500" height="106" /&gt;&lt;/a&gt; And last but definitely not least, the performance of the filter after the mails passed all the connection-level filters:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheCarbonFootprintofSpam_C5C1/2009,05%20Spam%202_2.png" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="2009,05 Spam 2" border="0" alt="2009,05 Spam 2" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheCarbonFootprintofSpam_C5C1/2009,05%20Spam%202_thumb.png" width="500" height="185" /&gt;&lt;/a&gt; What I like with the last statistics is, that the SPAM Confidence Level is either very high or very low but nothing in between. So, the filter gives me a clear message on whether it is SPAM or not. 
There is close to nothing which is “maybe SPAM” – it is less than 1%!&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;div class="wlWriterHeaderFooter" style="text-align:left; margin:0px; padding:4px 0px 4px 0px;"&gt;&lt;a href="http://digg.com/submit?url=http%3a%2f%2fblogs.technet.com%2frhalbheer%2farchive%2f2009%2f04%2f25%2fthe-carbon-footprint-of-spam.aspx&amp;amp;title=The+Carbon+Footprint+of+Spam"&gt;&lt;img src="http://digg.com/img/badges/100x20-digg-button.png" width="100" height="20" alt="Digg This" title="Digg This" border="0" style="border: 0" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3230526" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Technology/default.aspx">Technology</category></item><item><title>The Windows 7 UAC “Vulnerability”</title><link>http://blogs.technet.com/rhalbheer/archive/2009/02/03/the-windows-7-uac-vulnerability.aspx</link><pubDate>Tue, 03 Feb 2009 12:03:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3196284</guid><dc:creator>rhalbh</dc:creator><slash:comments>22</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3196284.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3196284</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3196284</wfw:comment><description>&lt;P&gt;It is always interesting how some things spin off. 
The claimed UAC vulnerability in Windows 7 is one of those events. There are numerous blogs which claim that they found a huge vulnerability in Windows 7. The reason for that is that you can change the settings for UAC without getting a UAC prompt. &lt;/P&gt;
&lt;P&gt;Let’s have a look at it: A lot of people complained about UAC in Windows Vista – I guess you remember. I heard all these statements “I do not want to get all the UAC elevation prompts just because I change my Windows settings”. We heard you loud and clear. So, we decided to do what you asked us: Not show you an elevation prompt when you change settings in Windows. So the default configuration in Windows 7 looks as shown below:&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheWindows7UACVulnerability_EDE/2009,02,03%20-%20UAC%201%5B1%5D_2.png" mce_href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheWindows7UACVulnerability_EDE/2009,02,03%20-%20UAC%201%5B1%5D_2.png"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; WIDTH: 544px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; HEIGHT: 484px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" title=2009,02,03%20-%20UAC%201[1] border=0 alt=2009,02,03%20-%20UAC%201[1] src="http://www.halbheer.info/security/Lists/Photos/2009,02,03%20-%20UAC%201.png" width=544 height=484 mce_src="http://www.halbheer.info/security/Lists/Photos/2009,02,03%20-%20UAC%201.png"&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;And guess what: We do not notify you when you make changes to Windows settings – UAC being one of those! &lt;/P&gt;
&lt;P&gt;However, if you want to go further and put the slider up one level to “Always notify”, the same screen looks slightly different: &lt;BR&gt;&lt;A href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheWindows7UACVulnerability_EDE/2009,02,03%20-%20UAC%202%5B1%5D_2.png" mce_href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheWindows7UACVulnerability_EDE/2009,02,03%20-%20UAC%202%5B1%5D_2.png"&gt;&lt;IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; WIDTH: 544px; DISPLAY: block; FLOAT: none; HEIGHT: 484px; MARGIN-LEFT: auto; BORDER-TOP: 0px; MARGIN-RIGHT: auto; BORDER-RIGHT: 0px" title=2009,02,03%20-%20UAC%202[1] border=0 alt=2009,02,03%20-%20UAC%202[1] src="http://www.halbheer.info/security/Lists/Photos/2009,02,03%20-%20UAC%202.png" width=544 height=484 mce_src="http://www.halbheer.info/security/Lists/Photos/2009,02,03%20-%20UAC%202.png"&gt;&lt;/A&gt; And again, guess what: We notify you when you make changes to the Windows settings – UAC being one of those.&lt;/P&gt;
&lt;P&gt;So, basically to give you my view:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;We did, what you asked us to do: Reduce the number of UAC prompts especially when you change your Windows settings&lt;/LI&gt;
&lt;LI&gt;We do what the prompt tells you we are doing&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;In my opinion, this is not a vulnerability. We can debate now, when we should generally show a UAC prompt but this is a completely different debate than to claim this being a vulnerability. And if you come to me now and say that we should show more UAC prompts, please carefully reconsider your statement before you comment and think about all the Windows Vista discussions.&lt;/P&gt;
&lt;P&gt;BTW: I am a big fan and supporter of UAC and think that the team did an outstanding job – already in Windows Vista&lt;/P&gt;
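&lt;P&gt;To make the slider positions discussed above something you can check rather than just look at, here is an added example. It is not code from the original posts and not Microsoft’s own tooling: a PowerShell script that reads the three registry values behind the UAC slider and names the position they correspond to, optionally enforces “Always notify” (the only position at which changing Windows settings, UAC itself included, prompts), and, for the per-user install case from the Chrome post above, lists processes whose executable lives inside a user profile, which UAC never mediates. The mapping from slider position to the EnableLUA / ConsentPromptBehaviorAdmin / PromptOnSecureDesktop values is assumed from the commonly documented behaviour; neither post states it. The script and function names are my own.&lt;/P&gt;

```powershell
param([switch]$Enforce)

# Added example (not from the original posts): UAC posture check for Windows 7 and later.
# 1. Report the registry values behind the UAC slider and the slider position they map to.
# 2. With -Enforce (run elevated), write the "Always notify" values.
# 3. List processes started from inside a user profile, i.e. per-user installs into
#    user-writable directories, which never go through UAC at all.
# Assumption: the slider-to-registry mapping below is the commonly documented one.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    param([string]$Key = $UacKey)
    $p = Get-ItemProperty -Path $Key
    # A missing value becomes 0 through the [int] cast; on a stock Windows 7 box all three exist.
    @{
        EnableLUA                  = [int]$p.EnableLUA
        ConsentPromptBehaviorAdmin = [int]$p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = [int]$p.PromptOnSecureDesktop
    }
}

function Get-UacSliderLevel {
    param([int]$EnableLUA, [int]$ConsentPromptBehaviorAdmin, [int]$PromptOnSecureDesktop)
    if ($EnableLUA -eq 0) { return 'UAC disabled (EnableLUA = 0)' }
    if ($ConsentPromptBehaviorAdmin -eq 2 -and $PromptOnSecureDesktop -eq 1) { return 'Always notify' }
    if ($ConsentPromptBehaviorAdmin -eq 5 -and $PromptOnSecureDesktop -eq 1) { return 'Default: notify only when programs try to make changes' }
    if ($ConsentPromptBehaviorAdmin -eq 5 -and $PromptOnSecureDesktop -eq 0) { return 'Notify without dimming the desktop' }
    if ($ConsentPromptBehaviorAdmin -eq 0) { return 'Never notify (elevate without prompting)' }
    return "Policy-defined combination: ConsentPromptBehaviorAdmin=$ConsentPromptBehaviorAdmin, PromptOnSecureDesktop=$PromptOnSecureDesktop"
}

function Set-UacAlwaysNotify {
    param([string]$Key = $UacKey)
    # The same values Group Policy writes for "Prompt for consent on the secure desktop".
    Set-ItemProperty -Path $Key -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $Key -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $Key -Name PromptOnSecureDesktop -Value 1 -Type DWord
}

function Get-UserProfileProcess {
    # Processes whose image lives under the profiles directory (C:\Users by default),
    # the place a per-user installer writes to because the user can write there.
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $profilesDir = (Get-ItemProperty -Path $profileList).ProfilesDirectory
    $profilesDir = [Environment]::ExpandEnvironmentVariables($profilesDir)
    Get-WmiObject -Class Win32_Process |
        Where-Object { $_.ExecutablePath -and $_.ExecutablePath.StartsWith($profilesDir, [StringComparison]::OrdinalIgnoreCase) } |
        Select-Object ProcessId, Name, ExecutablePath
}

$state = Get-UacState
'EnableLUA={0}  ConsentPromptBehaviorAdmin={1}  PromptOnSecureDesktop={2}' -f $state.EnableLUA, $state.ConsentPromptBehaviorAdmin, $state.PromptOnSecureDesktop
'UAC slider level: ' + (Get-UacSliderLevel @state)

if ($Enforce) {
    Set-UacAlwaysNotify
    'Set to Always notify. A change to EnableLUA only takes effect after a restart.'
}

'Processes running from user-profile directories (not mediated by UAC):'
Get-UserProfileProcess | Format-Table -AutoSize
```

&lt;P&gt;Save it as, say, Check-Uac.ps1 and run it as-is to report, or with -Enforce from an elevated prompt to harden. Two caveats a practitioner will want: on a domain-joined machine the Group Policy settings “User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode” and “User Account Control: Switch to the secure desktop when prompting for elevation” write the same registry values and win over the local slider, so set the policy rather than the slider there; and the third part of the script only finds per-user installs, it does not stop them. Blocking execution from user-writable locations is a job for Software Restriction Policies or AppLocker, whose default executable rules allow only the Windows and Program Files directories for standard users.&lt;/P&gt;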
&lt;P&gt;Roger&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3196284" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Incidents/default.aspx">Incidents</category></item></channel></rss>