A pretty interesting article on Spyware (and a lot of other "beasts"): The Increasing Complexity of the New Spyware Landscape
Roger
There is a cool workshop at Deepsec in Vienna in mid-November called "Defend the Flag". The idea is that you will be trained for a day, and during the second day you have to configure your systems, which will then be attacked. Whoever holds out the longest wins. If you are interested, my colleague Gerhard Göschl blogged about it: Deepsec: Hacker Konferenz in Wien – Einladung zu kostenlosem Workshop "TechNet Briefing Spezial > Security"
Roger
Have you had a look at Symantec's latest Threat Report? It can be found here: http://www.symantec.com/content/de/de/about/downloads/PressCenter/ISTRXII_Main.pdf
I briefly read through it and one statement caught my eye:
Page 54: Of the five operating systems tracked in the first six months of 2007 (figure 18), Microsoft had the shortest average patch development time at 18 days, based on a sample set of 38 patched vulnerabilities. Of the 38 vulnerabilities, two affected third-party applications. This is lower than the average patch development time of 23 days in the second half of 2006 based on a sample set of 50 vulnerabilities, seven of which affected third-party applications.
This is a very motivating data point, as patch turnaround is one of the different things we have to be good at, besides making sure that we reduce the number of vulnerabilities through processes like the Security Development Lifecycle. We have already proved the impact of the SDL:
See Jeff Jones' Windows Vista - 6 Month Vulnerability Report to get these details.
Roger
I hope you read yesterday's blog post on the RSA story (if not, it is here). I mentioned the Security Intelligence Report there. The SIR is now live in its third version, covering what we saw from January to June 2007.
Let me point out some "highlights":
Vulnerability Trends – Unfortunately, the trend is that high-severity vulnerabilities keep growing for all software vendors. This is the figure from the report:
Attacks are moving up the stack – obvious, isn't it? We have all known that for a long time. We have seen the phishing attacks in the past, we have seen the targeted Trojans, etc. However, in the last 6 months we saw a growth in phishing attacks of 150% compared to the second half of 2006. Targeted Trojans going for Personally Identifiable Information even grew by 500%!
Vista massively less likely to be infected by malware – This is what we expected to see, but I am very proud of the way it actually turned out. Have a look (this is normalized, so it is independent of the number of executions of the Malicious Software Removal Tool):
The same view but now by countries in Europe:
So, there is much, much more data in the Security Intelligence Report, where you can even get data at a country level (my friend Ole Tom, the CSA in Norway, showed me that malware in Norway did not grow in the last 6 months). So, go there, download it and have a look. If you want to get insights via webcasts, they will be on our portal as well.
And here is the link: http://www.microsoft.com/security/portal/SIR.aspx
Roger
Do you remember? In January 2002, Bill Gates sent a famous mail to all Microsoft employees and announced Trustworthy Computing. Since then it has become part of our DNA. The interesting thing to me is that the four pillars of TwC have remained the same (except for pillar four, which we had to rename). Today the diagram still looks like this:
Trustworthy Computing
The key focus of the early years was to get security right within Microsoft. We always stressed, however, that TwC is an industry initiative. Looking at that, it was natural that Privacy would be addressed more and more over time.
In parallel we had to learn that the threat landscape changed significantly. A few years ago we had the vandals on the web attacking our systems, bragging about the success of their attacks – today we have organized crime going for money. To keep it simple, the landscape changed from cool to cash! The Security Intelligence Report we are releasing today shows this:
So it is pretty clear that Personally Identifiable Information (PII) is today the currency of the criminals.
So, which roles in a company are working with PII? Security people want to protect it. Privacy people want to make sure it is being managed correctly. And the business wants to use it to generate business.
Looking at the intelligence data, there is a question that has to be raised: How good is the collaboration between these roles? This is the key question we wanted to get some insights into. Therefore we commissioned a company called The Ponemon Institute, which specializes in privacy research, to survey more than 3,600 security, data protection/compliance, and marketing executives in the USA, UK and Germany. The research covered companies of various sizes and across many different industry sectors. This study is one of the key announcements Ben Fathi made in the keynote he gave at RSA Europe today.
Let me take you briefly through the highlights (lowlights?) of the study.
Collaboration pays off: One of the key questions you will get asked when you look into this is what kind of motivation a manager could have in order to change something to make collaboration happen. The data is pretty clear and significant (we asked the companies whether they had a "significant data breach"):
Relationship between collaboration and one or more reported significant data breaches
This data shows us clearly that good collaboration seems to lead to significantly fewer data breaches. The difference between companies with good collaboration and companies with poor collaboration is about 50%! So, you reduce the risk of losing PII significantly, and as the CEO is personally liable in a lot of countries, this might also significantly reduce the risk of the CEO going to jail.
"But the collaboration is not poor": How good is the actual collaboration really? We asked the three groups, whether the business consults security and privacy when they use PII. Look at this:
Is security/privacy asked when PII is used by the business?
If you study this data, it is striking that the security and privacy people think they are consulted, but the business (e.g. marketing) does not really want to talk to us…
Why is this the case? Do you remember that I have talked and blogged several times already about the necessity of security becoming a strategic value for the business? Security and privacy are, and have to be, business enablers. Is this really true? See the red bar in the following diagram.
This shows clearly that the business sees privacy and security as hindering them from achieving their goals. I have to admit that I understand this. Security and privacy people tend to be paranoid and risk-averse (do not get me wrong, I am one of these paranoid, risk-averse people). We do not like to take risks – therefore we tend to say "no" to changes, to new ideas, to new business models… In my personal opinion, IT is here to serve the business, and security/privacy is here to help IT serve the business. There are clearly legal and regulatory boundaries as well as customer expectations to be met. But this is not in contradiction to what I said; it is definitely in line with it.
So, how shall we address this problem?
I would love to be able to give you the "silver bullet" right here in this section. Before I give you my view on the "solution", let me share a final data point with you. We also asked whether combining the roles would make sense. Here are the results:
This is interesting: where the collaboration does not work, people look for a combination of the roles; where it works, nobody cares about combining them!
This leads to a simple conclusion: there is no silver bullet at all. The solution depends on the culture of the company, the culture of the country and a lot of other requirements around this. The solution to look for is probably pretty individual to each company.
Call to action:
There are two things I would like you to do:
If you want to get more information on this story, visit our website: http://www.microsoft.com/mscorp/twc/IAPPandRSA.mspx
Roger