• Hackers crack Bitlocker – really?

    Sorry for being so late on that but I was enjoying the gorgeous weather in Switzerland and was skiing the last few days.

    There were claims at the end of last week that researchers "cracked" Bitlocker. You can find one of the corresponding articles in eWeek.

    What did they actually do? Well, they attacked the key that resides in memory. So, they are attacking a running machine. Let's start by looking into the risks. What do you want to achieve with Bitlocker? You want to make sure that if you lose your notebook, nobody is able to access the data on the disk. So, if the system is shut down, the claimed attack does not work anymore. Now it comes down to the states in between. If a machine is in the sleep state, we consider it running, so yes, it is vulnerable to this attack. We can now argue whether it is a good idea that the standard behavior of a Windows Vista machine is to go to sleep if you close the lid. As Bitlocker is not enabled by default, I think we can argue around this, but it is not optimal if you protect your machine with Bitlocker. If you find a machine in Hibernate, Bitlocker kicks in during the resume and needs the keys – this means a hibernated machine is not vulnerable to the attack.

    What does this mean for you? There is an easy countermeasure to all these attacks: Put your machine to hibernation and you are done.
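    As an added example (not part of the original post), this is how the lid-close default discussed above can be changed from sleep to hibernate with the built-in powercfg tool, so that closing the lid does not leave the Bitlocker keys in RAM. It assumes Windows Vista or later and an elevated prompt; SUB_BUTTONS and LIDACTION are powercfg's own aliases for the "Power buttons and lid" subgroup and the "Lid close action" setting.

```powershell
# Added example: make lid close hibernate instead of sleep (assumes Windows
# Vista or later, run from an elevated prompt). Not code from the original post.

# Make sure hibernation is enabled; without a hiberfil, hibernate is not offered.
powercfg /hibernate on

# Set the lid-close action of the active scheme, both on AC power and on battery.
# Index values for LIDACTION: 0 = Do nothing, 1 = Sleep, 2 = Hibernate, 3 = Shut down.
powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2

# Re-apply the current scheme so the changed indexes take effect.
powercfg /setactive SCHEME_CURRENT

# Verify: under "Lid close action", the current AC and DC power setting
# indexes should now both read 0x00000002 (Hibernate).
powercfg /query SCHEME_CURRENT SUB_BUTTONS
```

    Changing the scheme only covers the lid; a machine that is simply left running and unattended is still in the state the attack targets.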

    So, if you want more information on this, go to the Windows Vista blog. Last but not least, we published the Data Encryption Toolkit for Mobile PCs and there is a Bitlocker chapter in it, which you might want to read if you use it.

    I am using Bitlocker with TPM – and Hibernation

    Roger

  • TV-Interview during IDC Security event in Belgrade

    As you have seen in my post The Fun of Travel, I was in Belgrade this week. It was the opening event for a tour by IDC in Central and Eastern Europe. IDC has a series of security events across Eastern Europe and I had the honor of giving a keynote there. Usually, when I visit these kinds of events, we try to add some press engagements and customer meetings as well. This time it was all about press and I had 5 interviews, two with TV. I just got the raw cut of one of the interviews, which will be on Fox in Serbia this Sunday (and yes, I got the approval to link to it here and put it on Soapbox).

    Unfortunately, they cut the questions, so here they are (approximately):

    • What is Microsoft's security vision?
    • What were Microsoft's biggest achievements in security in the last few years?
    • Why did Microsoft enter the security products business?
    • Will Microsoft continue to work with other security vendors collaboratively?
    • What is the impact on the security vendors, now with Vista having more protection in the OS?
    • What are the key trends we see and how do they impact our customers and Microsoft?

    It is about a 4-minute clip. If you are interested, you will find it here on Soapbox.

    Roger

  • Securing My Infrastructure: Risk Management

    This is a follow-up to my last post about how I secure my environment. If you want to read the start of the series, see the end of this post, but please do not expect me to keep this rhythm :-).

    Let me start with an introduction first: After my first post, I got quite some reactions – which was very good and promising. You raised quite some questions, mainly about monitoring and authentication. I will answer them and would like you to keep asking – that is the only way you get an answer, actually. However, I will start with a few different themes and then come to those. Mainly, I would like to start with Risk Management and how I secure my perimeter. From there on, we can talk about monitoring and how I do the authentication piece in my environment.

    So, before we actually start to talk about how to secure something, we need two things:

    • What are your assets?
    • What are the risks for these assets?

    If I look at my environment: My assets? Well, there are a few things I would like to protect: all the photos and videos of my family, my mailbox and a few others. But really critical information is not here. However, I would not like to read somewhere that somebody broke into my network…

    What is the easiest way to get a good overview of your risks? The challenge there is always to compare the business risks (including the acceptable level of risk) with the actual risks you are taking in your infrastructure. A good tool that can help you here is the Microsoft Security Assessment Tool (MSAT). We just recently released a new version of it (you can have it in multiple languages). It is a really excellent tool from my point of view to give you an overview of your needs: where you should invest more AND where you are doing too much! It does that in two steps:

    1. You assess your own profile and create what we call a BRP (Business Risk Profile)
    2. You assess your infrastructure. There are – again – two assessments available
      1. Security Assessment
      2. An assessment against the Core Infrastructure part of our Infrastructure Optimization model

    So, I did both, and afterwards it generates some reports for me on how I am doing against my Business Risk Profile. You could even compare with businesses in similar segments (is there any family out there running a similar infrastructure??).

    Security Assessment

    Looking at my security assessment, this is the high-level overview:

    BRP: Business Risk Profile, DiDI: Defense in Depth Index

    The result is not really surprising: I am doing extremely well on Infrastructure and Applications. What about Operations? Well, I do not have any standardized build for my servers and clients, nor is there any formal process to test them. Overall, I am not doing well on processes at home (why should I? I am the process :-)). With regards to the people: As there are not too many people on my network, they are drilled on what they are allowed to do and how to behave if something bad happens. Therefore I am doing much better than I would actually have to, compared to my business risk profile.

    Core Infrastructure

    This is a similar picture as with the Security Assessment above: I am actually very well automated (some people call that level of automation "sick") for my profile, but I am not doing too well on processes:

    So, now I know where I am and what I have to do. The next step is looking a little bit more into my network perimeter and how I defend my network from the outside.

    As always: If you have anything you would like me to answer, drop me a mail or a comment.

    Roger

    Other posts in this series:

    Additional Information

  • How critical are the Undersea Cables?

    OK, I think I need to take this up a little bit as well. Let's look into what happened over the last few days. I think up to now we ended up with five cables cut in the Middle East. So, there are a lot of theories about who actually damaged those cables. The best one comes from WSJ :-)

    But there were a few pretty remarkable things: One is a statement I found in an article about these cables. It is from Stephan Beckert of TeleGeography:

    He said there are approximately 50 cable cuts a year, 65 percent of which are due to fishing trawlers dragging heavy nets and 18 percent of which are due to ships' anchors. "They don't even track terrorism," he said. "Cable cuts are a routine part of the business."

    So, it is even a question whether this could not simply have been business as usual, with just the press and the bloggers taking it up.

    The second thing was that it does not seem to me that any of the Critical Infrastructure bodies I know of got really nervous. How hard would a critical infrastructure be hit if a region or a country had been cut off from the Internet? Well, for water, power etc. it would probably not be a real problem. What about the rest? In a lot of countries the banks are part of the critical infrastructure, as they are critical to public wealth. If they lose international connectivity, this would be a serious problem. The same is true for a lot of businesses, but from the perspective of the national critical infrastructure? I doubt it.

    Roger

  • Windows Vista SP1 and Windows Server 2008 RTMed!

    It's here now and ready to go: We just announced that we RTMed Windows Vista SP1 and Windows Server 2008 (two days earlier than expected).

    Read more here:

    Congratulations to the product teams!

    Roger