• Hackers crack Bitlocker – really?

    Sorry for being so late on that but I was enjoying the gorgeous weather in Switzerland and was skiing the last few days.

There were claims at the end of last week that researchers "cracked" Bitlocker. One of the corresponding articles you can find in eWeek.

What did they actually do? Well, they attacked the key that resides in memory. So, they are attacking a running machine. Let's start by looking at the risks. What do you want to achieve with Bitlocker? You want to make sure that if you lose your notebook, nobody is able to access the data on the disk. So, if the system is shut down, the claimed attack no longer works. Now it comes to the states in between. If a machine is in the sleep state, we consider it running, so yes, it is vulnerable to this attack. We can now argue whether it is a good idea that the standard behavior of a Windows Vista machine is to go to sleep if you close the lid. As Bitlocker is not enabled by default, I think we can argue around this, but it is not optimal if you protect your machine with Bitlocker. If you find a machine in Hibernate, Bitlocker kicks in during the resume and needs the keys – this means a hibernated machine is not vulnerable to the attack.

What does this mean for you? There is an easy countermeasure to all these attacks: put your machine into hibernation and you are done.
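As an added example (not from the original post), here is how one would enforce that countermeasure on a Windows Vista notebook rather than rely on remembering it: make the lid switch and the idle timer hibernate instead of sleep, and confirm that the OS volume is actually protected. It uses only the built-in powercfg and manage-bde tools; the setting aliases (SCHEME_CURRENT, SUB_BUTTONS, LIDACTION) and the index values are powercfg's own, and the text match on the manage-bde output is an assumption about its English-language formatting. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the original post.
# Goal: a lost or stolen notebook should never be found in the sleep state,
# where the BitLocker volume key is still resident in RAM.

# 1. Make sure the hibernation file exists; without it the lid action below
#    has nothing to fall back to.
powercfg -hibernate on

# 2. Lid-close action for the active power scheme, on AC and on battery.
#    SUB_BUTTONS / LIDACTION are powercfg aliases (see: powercfg -aliases).
#    Index values: 0 = Do nothing, 1 = Sleep, 2 = Hibernate, 3 = Shut down.
powercfg -setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2
powercfg -setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2

# 3. Never enter standby on idle either (0 minutes = never); an idle machine
#    left on a desk would otherwise drift into the vulnerable state by itself.
powercfg -change -standby-timeout-ac 0
powercfg -change -standby-timeout-dc 0

# Re-apply the scheme so the new indexes take effect.
powercfg -setactive SCHEME_CURRENT

# 4. Verify the button settings (expect 0x00000002 for the AC and DC
#    "Lid close action" entries in the output).
powercfg -query SCHEME_CURRENT SUB_BUTTONS

# 5. Verify BitLocker is actually on for the OS volume. The string matched
#    here is an assumption about the English manage-bde output format.
$status = manage-bde -status $env:SystemDrive
if ($status -match 'Protection Status:\s+Protection On') {
    Write-Output "BitLocker protection is on for $env:SystemDrive"
} else {
    Write-Warning "BitLocker protection is NOT on for $env:SystemDrive"
    $status
}
```

The same two power settings can be pushed centrally through Group Policy under the power management settings, which is the better option for a fleet; the script above is the per-machine equivalent and doubles as a check that a machine is in the state the post recommends.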

    So, if you want more information on this, go to the Windows Vista blog. Last but not least, we published the Data Encryption Toolkit for Mobile PCs and there is a Bitlocker chapter in it, which you might want to read if you use it.

    I am using Bitlocker with TPM – and Hibernation

    Roger

  • How critical are the Undersea Cables?

OK, I think I need to take this up a little bit as well. Let's look into what happened over the last few days. I think up to now we ended up with five cables cut in the Middle East. So, there are a lot of theories about who was actually damaging those cables. The best one comes from the WSJ :-)

But there were a few pretty remarkable things: One is a statement I found in an article about these cables. It is from Stephan Beckert of TeleGeography:

    He said there are approximately 50 cable cuts a year, 65 percent of which are due to fishing trawlers dragging heavy nets and 18 percent of which are due to ships' anchors. "They don't even track terrorism," he said. "Cable cuts are a routine part of the business."

So, it is even a question whether this could not have been business as usual, with just the press and the bloggers taking it up.

The second thing was that it does not seem to me that any of the Critical Infrastructure bodies I know of got really nervous. How far would a critical infrastructure be hit if a region or a country were cut off from the Internet? Well, for water, power etc. it would probably not be a real problem. What about the rest? In a lot of countries the banks are part of the critical infrastructure as they are critical to public wealth. If they lose international connectivity, this would be a serious problem. The same is true for a lot of businesses, but from the perspective of the national critical infrastructure? I doubt it.

    Roger

  • Dilbert on Security

    Enjoy:


    Roger

  • Oracle’s answer with regards to Security Patches

You probably remember my post regarding Oracle DBAs rarely installing patches. It was about a study where Sentrigo claimed (after having asked 305 people) that more than 2/3 of Oracle DBAs do not install the patches provided by Oracle. Now Oracle recently published a blog post called To Patch or Not To Patch? with some interesting comments, definitely worth looking at.

    There are mainly two things I think we should look at:

• One of their key statements is that every administrator has to find a balance between the risk of patching and the risk of not patching. This is definitely true. There is the well-known truth "never touch a running system". Well, how true is it really? Some time ago I had this discussion with representatives of the Pharma industry. A key regulation to fulfill there is about validated systems – mainly systems where every change has to be thoroughly tested and documented, as a failure could lead to significant problems with medications and finally even to loss of life. Now, the regulators and the companies over time had to learn that not touching a system bears significant risks as well. The challenge – and I agree there with the Oracle blog – is to do proper risk management. The key problem, however, is that you know one risk pretty well (the risk of applying a patch incl. the reboots and downtime of applications and, and, and ..) whereas the risk of not patching is unknown. What can we do as a vendor to help here? To me the answer is pretty straightforward:
  • Deliver stable security updates people can trust and that rarely break systems: When I talk to our customers, I get the impression that there are rarely issues with our updates. When I look at the support calls we get after a "Patch Tuesday", this confirms my impression.
  • Make it easy to deploy updates: This means that we have to provide you with tools and processes to deploy updates without major challenges and problems.
  • Keep the number of reboots to a minimum: Well, without doubt, there we have some room for improvement and we are working on that. It is, however, not too easy to solve.
  • Be transparent: By keeping the highest possible level of transparency without putting you at risk by revealing too much information to the bad guys, we can make sure that the decision about which part of a system you want to patch stays in your hands.
• Oracle claims that by making all updates cumulative it helps the administrators, as once you decide to patch, your system is patched completely. This sounds great, doesn't it? What happens if one of these updates breaks your system and you need to uninstall just that single one until the problem is fixed? What happens if you decide that you do not want to patch a certain component because your risk assessment shows that this system is not accessible on a certain port and there is no reason to touch that part? Should you not be able to decide yourself? Knowing that we have IE, which we normally patch cumulatively, I am personally, for the reasons above, not a big fan of these updates.

Anyway, patching is always a lose-lose game. It is like selling an insurance policy: you have to invest for something bad not happening. So, where is the break-even? What we can do (and have to do) is further reduce the number of vulnerabilities to make patching less necessary and implement defense in depth measures to make the vulnerabilities hard to exploit, but will they ever go away completely? I doubt it.

    Roger

  • Securing My Infrastructure: Risk Management

This is a follow-up to my last post about how I secure my environment. If you want to read the start of the series, see the end of this post, but please do not expect me to keep this rhythm :-)

Let me start with an introduction first: After my first post, I got quite a few reactions – which was very good and promising. You raised quite a few questions, mainly about monitoring and authentication. I will answer them and would like you to keep asking – that is the only way you get an answer, actually. However, I will start with a few different themes and then come to those. Mainly, I would like to start with Risk Management and how I secure my perimeter. From there on, we can talk about monitoring and how I do the authentication piece in my environment.

So, before we actually start to talk about how to secure something, we need two things:

    • What are your assets?
    • What are the risks for these assets?

    If I look at my environment: My assets? Well, there are a few things I would like to protect: all the photos and videos of my family, my mailbox and a few others. But really critical information is not here. However, I would not like to read somewhere that somebody broke into my network…

What is the easiest way to get a good overview of your risks? The challenge there is always to compare the business risks (including the acceptable level of risk) with the actual risks you are taking in your infrastructure. A good tool that can help you here is the Microsoft Security Assessment Tool (MSAT). We just recently released a new version of it (you can get it in multiple languages). It is a really excellent tool from my point of view to give you an overview of your needs: where you should invest more AND where you are doing too much! It does that in two steps:

    1. You assess your own profile and create what we call a BRP (Business Risk Profile)
    2. You assess your infrastructure. There are – again – two assessments available
      1. Security Assessment
      2. An assessment against the Core Infrastructure part of our Infrastructure Optimization model

So, I did both and afterwards it generates some reports for me on how I am doing against my Business Risk Profile. You could even compare with businesses in similar segments (is there any family out there running a similar infrastructure??).

    Security Assessment

    Looking at my security assessment, this is the high-level overview:

[Chart: BRP vs. DiDI per area. BRP: Business Risk Profile, DiDI: Defense in Depth Index]

The result is not really surprising: I am doing extremely well on Infrastructure and Applications. What about Operations? Well, I do not have any standardized build for my servers and clients, nor is there any formal process to test them. Overall, I am not doing well on processes at home (why should I? I am the process :-)). With regards to the people: As there are not too many people on my network, they are drilled on what they are allowed to do and how to behave if something bad happens. Therefore I am doing much better than I actually would have to compared to my business risk profile.

    Core Infrastructure

This is a similar picture as with the Security Assessment above: I am actually very well automated (some people call that level of automation "sick") for my profile, but I am not doing too well on processes:

    So, now I know where I am and what I have to do. The next step is looking a little bit more into my network perimeter and how I defend my network from the outside.

    As always: If you have anything you would like me to answer, drop me a mail or a comment.

    Roger

    Other posts in this series:
