Roger's Security Blog : Processes

International Collaboration on Policies for Cybersecurity and Data Protection

rhalbh — Thu, 05 Nov 2009 20:41:43 GMT

Since a few years we are working with the Council of Europe in a partnership to help to drive a Cybersecurity treaty. We realize that a problem a lot of Law Enforcement agencies have is inconsistent legislation which makes is unbelievably hard to catch the criminals. The Council of Europe treaty is a great starting point and has been ratified not only by most of the member states of the Council of Europe but by a lot of additional countries around the globe.

Now, the European Union and the United States have agreed to treat such challenges as international issues and to develop joint policies based on shared values.

Unfortunately, the agreement is not too concrete but the fact that we have an agreement in place, should let us hope: EU-US Joint Statement on "Enhancing transatlantic cooperation in the area of Justice, Freedom and Security"

Roger

Security Compliance Management Toolkit Series for IE 8 and Windows 7

rhalbh — Fri, 30 Oct 2009 16:09:53 GMT

Just a brief one: the Security Compliance Management Toolkit Series has been updated to incorporate Internet Explorer 8 and Windows 7. So, to help you to manage security and compliance in your environment, you should have a look at it: http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx

Roger

Look at the Enhanced Mitigation Evaluation Toolkit

rhalbh — Thu, 29 Oct 2009 12:26:56 GMT

Recently we announced the availability of the Enhanced Mitigation Evaluation Toolkit. This is a toolkit which makes it easier to defend your application on different levels – free of charge. Read the post done by our Security Research and Defense guys: Announcing the release of the Enhanced Mitigation Evaluation Toolkit

Roger

Why it pays to be secure – Chapter 3 – But how do I?

rhalbh — Sun, 18 Oct 2009 18:20:00 GMT

Our EMEA Security Program Manager, Henk van Roest, started this series internally and with his consent I am publishing it here in my blog as I think it contains a lot of great information for you to use.

Security — you hear about it every day. Being responsible for information security can be a daunting task, so where do you begin?

From the design of acceptable use policies to preventing insiders from stealing data, the job can be a challenging one. Join Senior Security Strategist with the Microsoft Trustworthy Computing Group Kai Axford, as he explores each layer of Defense in Depth during this eight-part webcast series. Kai shows you how mitigate the new risks in security and may have you rethinking the methods you’re using. He also spends time talking about your hot topics of the day.

Specifically there is an 8 part series as detailed below:

TechNet Webcast: 2008 Defense in Depth Security Series (Part 1 of 8): Why Does Security Matter? (Level 200) Original Air Date: January 7, 2008

In the first session of the series, we discuss risk and the impact of security on the business. We look at some popular methods to assess risk and identify the need for an overall security strategy. We also explore why you should care about information security, how to measure the success of your program, and how to prove it to your boss using the concept of Return on Security Investment (ROSI). Learn how security impacts the cash flow of your business. Bring your CFO to this one!

TechNet Webcast: 2008 Defense in Depth Security Series (Part 2 of 8): All Bark and No Bite (Level 200) Original Air Date: January 8, 2008

In our second session, we take a look at what is considered to be the most important aspect of information security: security policies. We discuss the policies that exist within your company and how to strengthen them. After all, what good is a policy if it is not enforceable? We also investigate the most cost-effective way for you to increase the security posture of your business. What is it? You have to tune in to see! You will not be disappointed.

TechNet Webcast: 2008 Defense in Depth Security Series (Part 3 of 8): Gates, Guards, and Guns (Level 200) Original Air Date: January 9, 2008

Today we look at an aspect of information security that is often overlooked by technical folks. It is the physical security aspect of our job. Are you aware that every year at DEFCON there is a lock picking contest? In this session, we dive into various techniques and methods that we should be considering when it comes to providing physical security around our datacenters. We discuss some of the recent trends in this area, such as IP video surveillance, and also discuss resources that can assist you in coming up with a good overall physical security plan. (No locks were harmed in preparation of this session.)

TechNet Webcast: 2008 Defense in Depth Security Series (Part 4 of 8): Living on the Edge (Level 200) Original Air Date: January 10, 2008

In case you are not aware, the Internet is not a safe and happy place. Have you thought about all the other branch offices and partners you are connected too? Bad things are going on and you would like to do what you can to keep them out in the wild. In today's session, we look at some of those risks, and also discuss some technologies you should be considering when looking at securing the perimeter. You know about Intrusion Protection Systems (IPS), Intrusion Detection Systems (IDS), and firewalls, but are they doing any good? Is the DMZ as we know it today…dead?

TechNet Webcast: 2008 Defense in Depth Security Series (Part 5 of 8): Keeping Your House in Order (Level 200) Original Air Date: January 14, 2008

We start the week by discussing a problem that is close to your heart: your network. But how can we even begin to take on that challenge? What are some of the things on the horizon that we need to be aware of? In this session, we look at technologies and concepts such as IP Security (IPSec) Domain Isolation and Network Access Protection (NAP). We also look into some practical things that you should be doing right now to protect one of your most valuable assets.

TechNet Webcast: 2008 Defense in Depth Security Series (Part 6 of 8): Save the Box, Save the Network (Level 200) Original Air Date: January 15, 2008

Servers. We all love them. Wouldn't it be so much easier if we simply did away with everything else? There is no argument that the multitude of desktops, laptops, and mobile devices has created headaches for the IT security professional. Just when you lock down a desktop, the sales guy gets a new laptop, and then a new mobile phone. We cannot (legally) eliminate the users, but join us to see what we can do to stay ahead of the risks!

TechNet Webcast: 2008 Defense in Depth Security Series (Part 7 of 8): If You Build It (Securely), They Won't Come (Level 200) Original Air Date: January 16, 2008

Grab the caffeine and pizza! Today we step into the dark underground of AppDev and discuss methods for securing applications that run inside your infrastructure. As we harden the network and hosts, the bad guys are looking for other ways in, and often it is the applications being written by your own developers. Do your developers have the time and tools required to build their applications securely, or is security merely an afterthought? What tools are available to assist them? We show you today. No coding required.

TechNet Webcast: 2008 Defense in Depth Security Series (Part 8 of 8): If a Terabyte Falls in the Middle of the (Active Directory) Forest (Level 200) Original Air Date: January 17, 2008

Got data? Sure you do, but how much? Where is it? How is it protected? What is it worth to you? Which is the most important? If you could save only one database, which would it be? Answers to all these burning questions, as well as some closing thoughts from Kai, are going to be covered in this final session. You do not want to miss this electrifying and intense final webcast!

Henk and Roger

Monitoring the Virtual Environment

rhalbh — Wed, 09 Sep 2009 00:44:13 GMT

I recently blogged on how I monitor my environment: Monitoring - a Key Activity to a Trustworthy Infrastructure? In the meantime, I am doing more. I was just recently looking into System Center Virtual Machine Manager (VMM).

So, I installed it on my monitoring server and started to manage my virtual hosts centrally. Basically VMM gives me some pretty good information at one single source. As an example, I can look at my hosts:

So, I see how they are doing and see the key performance indicators. Additionally, I see a similar picture for the virtual machines:

Now, there are a lot of functionalities, like a Library for machines and disks, drag and drop between hosts (if they use the same add-ons) etc. So, a lot of possibilities not only to monitor but to manage your machines centrally.

Last but not least, there is close integration with System Center Operations Manager, where VMM leverages this platform. So, you are able to look at the network (physically):

Or the health status of the virtual server:

where you can see that I have a problem at the moment at the very server you might be reading this post on…

So, a lot of additional possibilities to manage your environment.

Last but definitely not least there are the PRO Tips – tips which are based on the performance indicators which are collected by VMM and help you to take decisions, how to optimize your environment.

And everything can be used across our virtualization technology as well as VMWare!

Roger

Is the “Managed Desktop” the ultimate solution?

rhalbh — Tue, 01 Sep 2009 11:39:09 GMT

When I talk about the big trends, one of them is about the call of the younger generation for more flexibility. Flexibility in this context is about where you work, when you work and how you organize yourself. If you take this as a given, you have to wonder whether today’s IT is able to cope with that. In a lot of companies, they roll out a “one size fits all”-image to the desktop and therefore making sure everybody has the same image. This has definitely a good side as the management of it is kind of less expensive as you know how the image looks like (or should look like).

The longer the more I question that for a limited set of users. Just to be very clear: I do not say that you should change this policy completely but it might be worth considering change it for a defined set of users. Let me give you a few examples:

There was one company (a worldwide company) who decided to let you take a test (if you want) and if you prove to be able to handle your computer yourself, you get money to buy what you think you need.
I used to work for a consulting company which was running Windows XP back then. You had basically two options: You could get a standard image loaded and completely managed by IT. Or you could get a standard image loaded, get the local admin and take care of it yourself. If you had problems, they tried to help you a little bit but pretty soon decided to flatten your computer and install the standard image – that was your risk you had to deal with but it worked fairly well (except for a lot of people being local admin on their box).
Last but definitely not least – look at Microsoft. You can get the Microsoft IT image if you want (even over the network you can do it yourself) or install and join the machine to the domain yourself. This makes sense as a lot of people have a different appetite for betas and beta testing. Additionally a Country Manager might have a different need than me. The key thing in here is about policy compliance and ensuring policy compliance – this is where Network Access Protection comes into play (something I want to blog about later).

So, giving the next generation the right tools to be productive rather than limit their productivity will be a real key challenge I guess.

For quite some time I felt like being the lonely guy in the desert. I actually had a CSO once leaving the room when I said this (about 3-4 years ago). I now just stumbled across an article: Unchain the Office Computers!Why corporate IT should let us browse any way we want.

Well, I do not like the Firefox example ;-) but basically this will be the future – I am convinced. Rather than walking around and telling everybody that this is not possible due to security reasons we have to think about how to make it possible. What would this mean? E.g. persistent protection of information (Rights Management), enforcing policy compliance on the network, the perimeter will probably be between client and server (or between trusted and un-trusted systems or between complaint and non-compliant systems)…

At least there will be a lot of interesting stuff to do…

Roger

Windows 7 XP Mode - Sophos error: facts not found

rhalbh — Thu, 27 Aug 2009 22:09:55 GMT

Well, the title is not completely from me – I just quoted another blog post. I wrote recently on Why Windows 7 XP Mode makes sense from a security perspective and was even quoted on the register. The “funny” thing was the history of that blog: I was readying some Tweets and blogs where XP Mode was just questioned. I actually never read Richard Jacobs’ blog post on this. I just wanted to share the process I went through.

However, my post again caused a reply by Jacobs – so he seems to read my blog…

Unfortunately he got some facts quite wrong – but at least he got some attention. If you are interested in the facts, read the James O’Neill’s post called Sophos error: facts not found – where I have the title from.

As I wrote in the first post: XP Mode is here to help our customers to benefit from the undisputable higher security in Windows 7 for 95% of their tasks and removing the migration blocker called “compatibility” by using XP Mode. Let me give you another example:

I helped a SME last weekend to migrate from an XP environment (even their server was on XP) to a state-of-the-art Windows Server 2008 SBS and Windows Vista environment. We failed! Because of one application, which is a 16bit-DOS accounting application which we have been unable to stabilize on Windows Vista and being able to print. Even though we switched on all the compatibility settings, it crashed about every 15 minutes. Migration is not an option as a customer of them is still using this application. So, what are the options:

Fall back to XP
Live with the crashes
Find a solution……

What we did at the end (after several hours of trial and error) was to keep one old XP box and to Remote Desktop to run this DOS application – basically we did XP Mode on a physical level instead of virtually and by far not as transparent as with XP Mode for the user – however, managing the XP box now is definitely harder (or at least as hard) than XP Mode (see James’ post).

So, as I said in my first post on this: It is all about Risk Management.

Roger

Why it pays to be secure – Chapter 1 – Data Breaches

rhalbh — Thu, 27 Aug 2009 12:20:19 GMT

Returning to the theme of deploying security updates once more, we need to look at the potential cost of not deploying updates, breaches……

Studies are available for the years 2007 & 2008 for US, UK and Germany as examples:

http://www.encryptionreports.com/costofdatabreach.html

Extract from United States Report:

Among the study’s key findings:

Total costs continue to increase: The total average costs of a data breach grew to $202 per record compromised, an increase of 2.5 percent since 2007 ($197 per record) and 11 percent compared to 2006 ($182 per record). Breaches are costly events for an organization; the average total cost per reporting company was more than $6.6 million per breach (up from $6.3 million in 2007 and $4.7 million in 2006) and ranged from $613,000 to almost $32 million.
Cost of lost business continues to carry the highest impact: The cost of lost business continued to be the most costly effect of a breach averaging $4.59 million or $139 per record compromised. Lost business now accounts for 69 percent of data breach costs, up from 65 percent in 2007, compared to 54 percent in the 2006 study.
Third-party data breaches increase, and cost more: Breaches by third-party organizations such as outsourcers, contractors, consultants, and business partners were reported by 44 percent of respondents, up from 40 percent in 2007, up from 29 percent in 2006 and 21 percent in 2005. Per-victim cost for third party flubs is $52 higher (e.g., $231 vs. $179) than if the breach is internally caused.
“First timers” cost more, repeat breaches continue: Data breaches experienced by “first timers” are more expensive than those experienced by organizations that have had previous data breaches. Per-victim cost for a first time data breach is $243 vs. $192 for experienced companies. More than 84% of all cases in this year’s study involved organizations that had more than one major data breach.
Training and awareness programs lead companies’ efforts to prevent future breaches, according to 53% of respondents. Forty-nine percent are creating additional manual procedures and controls. Of the technology options, 44% of companies have expanded their use of encryption technologies, followed by identity and access management solutions to prevent future data breaches.

Henk and Roger

Legal Risks of the Cloud

rhalbh — Thu, 20 Aug 2009 15:36:43 GMT

I just stumbled across an interesting blog post named Legal Implications of Cloud Computing. I am not a lawyer and therefore unable to judge the details but overall it gives a good view of the risks and challenges.

Roger

Windows Server 2008 Hyper-V Role EAL 4+ certified by BSI

rhalbh — Sat, 15 Aug 2009 00:17:16 GMT

That’s new: We have Windows Server 2008 Hyper-V Common Criteria EAL 4+ certified. The new thing is that we certified it in Germany by the BSI (Bundesamt für Sicherheit in der Informationstechnik). You can find the report here: https://www.bsi.bund.de/cae/servlet/contentblob/612768/publicationFile/35487/0570a_pdf.pdf

Roger

Manage Network Access Protection at Microsoft

rhalbh — Tue, 14 Jul 2009 00:04:55 GMT

As you know, I am a big fan of the concepts behind Network Access Protection as it allows to dynamically define zones on you network.

We just published a whitepaper called Manage Network Access Protection at Microsoft:

Network Access Protection (NAP) is a powerful new Windows Server 2008 feature that can help protect networks from malicious software (malware) and other threats. Describes how organizations can use NAP to institute requirements for accessing a network, create policies that check for compliance with those requirements, and update and manage devices that are not in compliance.

Here you find this information:

Technical White Paper
Webcasts:
- IT Pro Webcast
- WMA
- MP3

Have fun

Roger

Microsoft awarded for Security

rhalbh — Tue, 16 Jun 2009 10:03:02 GMT

This is probably one of the best news I read since a long time. I often said, that I am convinced that we are in a lot of areas around security leading the industry. The complexity of building multi-purpose software in a secure way started to be addressed by us back when we introduced the Security Development Lifecycle which we make available publically on the web.

Today, Microsoft was recognized in the SD Times 100: 2009, an annual list from Software Development Times that acknowledges companies for being industry leaders in software development. Microsoft was awarded (as well as in other categories), alongside the likes of Coverity and Fortify a top spot in secure development. This is the first time since SD Times started publishing its “Top 100” list that Microsoft has been recognized in this category.

You can read this story here: DOWNLOAD ISSUE 6/15/2009 NOW! from page 21 onwards

Roger

Securing Microsoft’s Cloud Infrastructure

rhalbh — Thu, 28 May 2009 22:44:56 GMT

A lot of people and companies are talking about “the Cloud” today. I guess that there are not too many companies that share the same track record of running online services as Microsoft. 1994 we launched MSN and since then we are in this business.

Microsoft Global Foundation Services (the group responsible for this infrastructure) just published a document called Securing Microsoft’s Cloud Infrastructure which is definitely worth reading. In my opinion a few items will be key when talking about a trustworthy cloud, one of them being transparency. Transparency how your data is handled, how software is written and operated, how incidents are dealt with, etc. This paper definitely helps on our side to drive in this direction although we did already a lot in this respect like making the Security Development Lifecycle available and communicating transparently about security challenges etc.

To show the importance of security for our online services as well, I would like to quote the paper:

The core driver to creating an effective security program is having a culture that is aware of and highly values security. Microsoft recognizes that such a culture must be mandated and supported by company leaders. The Microsoft leadership team has long been committed to making the proper investments and incentives to drive secure behavior. In 2002, the company formed the Trustworthy Computing initiative with Bill Gates committing Microsoft to fundamentally changing its mission and strategy in key areas. Today, Trustworthy Computing is a core corporate value at Microsoft, guiding nearly everything the company does. At the foundation of this initiative are these four pillars: Privacy, Security, Reliability, and Business Practices. For more information on Trustworthy Computing, see the Microsoft Trustworthy Computing page.

Microsoft understands that success in the rapidly changing business of online services is dependent upon the security and privacy of customers’ data and the availability and the resiliency of the services Microsoft offers. Microsoft diligently designs and tests applications and infrastructure to internationally recognized standards in order to demonstrate these capabilities and compliance with laws and with internal security and privacy policies. As a result, Microsoft customers benefit from more focused testing and monitoring, automated patch delivery, cost-saving economies of scale, and ongoing security improvements.

Here are the links to the different papers we published today:

Roger

How we do IT: Direct Access

rhalbh — Mon, 25 May 2009 11:02:54 GMT

You might know that we have something we call the Microsoft IT Showcase, where our internal IT shows how they use our technology to run our environment.

Now, we just published a new article, which might be interesting for you to read called Using DirectAccess to Provide Secure Access to Corporate Resources from Anywhere.

I tell you (as a long-term user of DirectAccess): This technology really rocks!

Roger

Patch Management, a key step towards compliance!

rhalbh — Fri, 22 May 2009 15:18:34 GMT

As you might have read, I recently blogged about my infrastructure and the future of a platform towards a better management of compliance – honestly, I actually played with our latest technology .

I wrote about

Now, a necessary and very important next step towards compliance as well as a secure environment is a sound Patch Management process and then – in the second place - the underlying technology. I blogged several times already about Patch Management as I see a lot of companies failing to deliver on this. I recently wrote a post called Patch Management – Cover the whole 9 yards. in there I mention different papers you could/should read:

and I reference Christopher Budd’s Ten Principles of Patch Management:

Service packs should form the foundation of your patch management strategy
Make Product Support Lifecycle a key element in your strategy
Perform risk assessment using the Severity Rating System as a starting point
Use mitigating factors to determine applicability and priority
Only use workarounds in conjunction with deployment
Issues with Security Updates are documented in the Security Bulletin Master Knowledge Base Article
Test updates before deployment
Contact Microsoft Customer Support Services if you encounter problems in testing or deployment
Use only methods and information recommended for detection and deployment
The Security Bulletin is always authoritative

First of all (and you see that in the articles referenced above) it is of outmost importance to have a process in place. Basically the core schema to run such a process is:

I have seen different complexities to deploy such processes. From highly complex to pretty simply and straight-forward ones. The ones of you who know me know, that my preference is KISS (Keep it Simple, Stupid). So, make the process as complex as necessary and as slim as possible.

So, once you have the process in place and take a conscious decision, the question is about deployment and reporting.

So, let’s talk about technology now.

In order to get an overview over the state of your computers, you might use the Microsoft Baseline Security Analyzer. This is an excellent tool to scan your Windows machines and get an overview of the security state of the machines. It might not deliver the same level of sophistication as very expensive tools, but the difference is: We provide it for free and – in my opinion – it gives you a good starting point to look at vulnerabilities including the level of Security Updates of a given PCs. Here is an example of one of these assessments:

But this does not really resolve your base problem about the Security Update compliance of the computers on your network as well as the distribution of them. From my point of view, there are different options to do so:

If you are a small and medium business, one of the coolest solutions for you to go is System Center Essentials. It is System Center Configuration Manager, System Center Operations Manager and Windows Server Update Services in one package. However, it is limited to 30 servers and 500 clients. If you are in this limit, it rocks.
System Center Configuration Manager: If you already use this technology to distribute software and configurations, leverage this.
Windows Server Update Services: It is kind of unbelievable but this is free! So, to be clear – we do not charge for it! You can download and install it and it scales even for large Enterprises (did I tell you already that it is free ?).
A third-party solution

I am using WSUS and am more than happy with it. The way I am organized is, that I get regularly a mail from WSUS with the current state of “the nation”:

As I am mail-driven, this allows me to see, what I have to do with regards to WSUS. I then can log-on to my WSUS server to get more granular reports:

From here on, I can decide, which actions I want to take, based on detailed reports I can get by clicking one of the texts in the UI:

BTW: this machine is patched in the meantime – so do not even think about it

Even if you cannot enforce the security update level technically that way (and we will talk about Network Access Protection in a later post), it at least helps you to understand, where you stand and what you have to do in order to get compliant.

Again (as I did so often) my call to action to you: Make sure that you have a straight-forward process in place and then use technology (like WSUS) to deploy the updates and ensure that you have deployed them correctly!

Roger