• The Consumer has to assess Risks

    Recently, during an event at a university, I had the pleasure of participating in a panel discussion, and it did not take long until I was in heavy disagreement with the professors there. The reason? It became a discussion about consumer security and risk management. The claim the professors made was that the consumer has to assess the risks of their actions.

    Well, I am a believer today that this will not work (even though it would be preferable). I definitely agree that everybody should take responsibility for their own actions. Nevertheless, there is a strong "but". Let's go back in history a little bit:

    My grand-uncle was a farmer. Where he lived, nobody ever locked the doors - there was no reason to, as nobody was interested in getting into the house (at least it never happened), and he did not have many valuables at home anyway. So he did a "risk assessment", looked at the "assets" and decided to handle it that way.
    When my parents later moved to the city where I grew up, it was normal to keep the doors locked and to use keys: different risks, different assets. We learned risk management for physical security over thousands of years, with each generation passing its experience on to the next.

    Now, look at the Internet. I finished my Master of Computer Science in 1992, and the Internet never appeared during my studies. It was shown to me about 2 years later by a student doing his internship (and I thought I would never use this stupid thing, but that is a different story). My parents probably first got in touch with the Internet in 1998 - so 9 years ago - and we really want them to assess risks with this amount of experience?

    Additionally, see how the threat environment has changed over the last 10 years: the writers of Blaster, Slammer and Sasser were mainly vandals bragging about what they were doing. Today we see organized crime investing a lot of money to fool my parents into doing something they do not want to do - and how are they trained for that?

    So, what can we do about that? I personally think that there are different layers:

    • Technology: The applications as well as the operating systems have to do a better job of explaining to the end user what the consequences are if they click somewhere. I personally think that we made a biiiig step with Windows Vista, and we have to collect information about this, but there is still room for improvement.
    • Education: There needs to be a better offering of training around these problems, and this training should be targeted at all the different age groups. E.g. retired people have a lot of time to surf and they are willing to learn. There are models where teenagers teach seniors, and this works extremely well.
    • Media: I tried several times to motivate the general press to support education efforts, but there is no murder, no blood involved and no-one to blame (except for the criminals, who could hardly care less) - so there is no motivation for the press to go after this.
    • License to Internet: There are discussions in different countries in EMEA about whether it would make sense to have something like a "driver's license". This is never going to happen, as it would clash with the idea of a free Internet, but the idea is basically not too bad. Mainly because users who fall victim to every social engineering attack out there are a risk not only to themselves but to the Internet as such (think about DDoS, botnets using them as spam relays...). Now, do not quote me as saying that we need this! But there is definitely some good stuff in this idea.

    I am sure that the next generation will address a lot of these problems, as my kids are growing up with the Internet and they are using it quite naturally. The challenge will be to teach this generation how to do "risk assessments" from the beginning. And with that we are back to universities and schools. The teachers have to teach them (besides Math, Language, ...) tons of different subjects, and they do not know about these problems anyway and therefore do not address them. So it might take even more than one generation...

    Any thoughts?

    Roger

  • Introducing Microsoft Office Isolated Conversion Environment

    Over the last few months it became evident: the attacks are moving up the stack. We see fewer and fewer attacks on the operating systems but much, much more on the applications. This is a trend that was basically predicted, and unfortunately in this case the prediction was true.

    We suffered from this trend ourselves, as we saw more and more 0-day attacks appearing in Office. Now, there are two things you have to do when this happens: fix every single problem that appears (issue Security Updates), and think about how to make the existing products more resilient against this kind of attack, knowing that you cannot fundamentally change the product itself.

    This is the reason why we decided to launch MOICE (Microsoft Office Isolated Conversion Environment) to help you protect yourself better against this kind of attack. Additionally, there is the File Block utility to block known malicious files.

    You can find the corresponding information here:

    As part of your risk management process, you should definitely look into this.

    Roger

  • Changes to Advanced Notification and Security Bulletins

    Over the last few years, when I met customers, I often asked them several questions:

    • Are you happy with our monthly Security Update rhythm?
    • How do you see the quality of the Security Updates?
    • Any feedback to the Security Bulletins?

    Often, the feedback was pretty similar: monthly is ok, the quality of the updates is more than ok (some medium-sized customers decided not to test them anymore but to deploy and then fix if anything went wrong - less effort to be spent), and I often got some feedback on the Bulletins.

    Often I got reactions to the Advanced Notification, as the customers wanted more details. This is always a delicate balance: we do not want to "0-day" ourselves by disclosing too much information to the criminals, while still giving our customers enough information to plan for the following Tuesday.

    We have now taken all your feedback, tried to integrate it, and changed both the Advanced Notification and the Security Bulletins. You can find the details here: http://blogs.technet.com/msrc/

    Roger

  • My Visit to Bluehat

    This week I am staying on the campus in Redmond for internal meetings. By coincidence, our Bluehat briefings are taking place at the same time, and I had a chance to attend the Executive Day this afternoon. If you want to know more about Bluehat, visit our public website at http://www.microsoft.com/technet/security/bluehat/default.mspx. The goal of these briefings is to bring our people together with white hat security people from the security economy.

    Today I got certain things explained and shown that opened my eyes. I mean, I have been looking into the security economy (above and below the radar) for a long time, and most of the things I saw were not new to me, but today I saw certain successful attacks that I knew worked but had never seen demoed. It is really impressive to see some of these things live and to see how fast they are.

    A few of my conclusions:

    • There is excellent technical knowledge out there in the security economy. The people at the briefing are using their knowledge to protect our joint customers. But basically it is clear that the criminal economy has at least the same level of technical understanding as they have - and this is the really scary part.
    • The worst thing, I think, is a conclusion that holds all over the place: hacking gets much, much, much, much easier as the tools on the Internet get better and better. Additionally, there are "security" companies that make these tools available for free as demos.
    • Last but not least, I definitely think that this kind of dialog is extremely important: the meeting and knowledge sharing between the white hat hackers and the software vendors helps to build an understanding of how they look at things, how they try to understand our tools (and not only our tools) without having the source code, and how they would go about attacking the environment.

    So, I personally think that events like Bluehat are really excellent (and to stress it again, we do not work with black hats) for both sides. It simply fosters a common understanding.

    Roger