• Microsoft Diagnostics and Recovery Toolset

    Well, we simply call it DaRT. You know the feeling: a machine does not boot anymore, has crashed, has a virus you cannot clean while the OS is running, or any of the other nightmare scenarios in the daily operation of computers. Recovery toolsets have been around for quite some time, but with our acquisition of the Sysinternals tools the value of ours grew significantly. I just tested the latest version for Vista and believe me – it rocks (as far as a tool can rock that tries to recover me from a crash…). If you need information on this, there you go: Microsoft Diagnostics and Recovery Toolset

    Let me give you a very brief insight:

    Basically, DaRT is based on the Vista Recovery Toolset, so when you boot you get a pretty familiar screen:

    The only difference is that you see the link at the bottom to the Microsoft Diagnostic and Recovery Toolset – where all the magic happens. If you choose it, you get a broad selection of tools:

    ERD Registry Editor: A registry editor for the OS you selected at boot time

    Explorer: Speaks for itself: Browse through the disks

    Locksmith: With Locksmith you can reset the passwords of all the local accounts. (You need physical access to the box to do this, and have a look at this post before we start a big discussion on this: Windows Vista Recovery Console and the Password)

    Solution Wizard: This is a cool thing. If you are unsure which tool you need to use, try this wizard and you are guided to the solution:

    Crash Analyzer: If you have a mini-dump on the disk and have included a debugger, you can analyze crash dumps

    TCP/IP Config: Sounds obvious, but often I failed to access any resource on the network with these recovery toolsets because I could not change the network configuration (e.g. I have a fixed IP, am on a different network and would simply need to switch DHCP on).

    File Restore: Restore accidentally deleted files

    Hotfix Uninstall: If your system does not boot anymore because of a hotfix, this is the way to remove it (even though this never happens, does it?)

    Disk Commander: Tools to fix your disk if you have problems with it.

    SFC Scan: As the title says: Repair your system files

    Disk Wipe: Securely erase your disk

    Search: Hmm, I cannot remember what this tool does

    Computer Management: It is not the "normal" Computer Management console, since the OS is not running, but a console for some repair activities:

    Standalone System Sweeper: I do not like this too much as it is a tool to look for malware, rootkits etc.

    So, this tool is definitely something you should look into. Download the trial!

    Roger

  • Security Updates and Exploits

    As you may know, we announced version four of the Microsoft Security Intelligence Report earlier this week. Amongst the many interesting findings is data relating to software vulnerability exploits. I wanted to highlight this, as Shoaib, one of my blog readers, contacted me recently to get my views on a post he wrote.

    Here are the key findings:

    • During 2007, 32.2 percent of known security vulnerabilities (CVE IDs) in the Microsoft products analyzed for this report had publicly available exploit code. This is nearly identical to the totals from 2006 when 32.7 percent of known security vulnerabilities for the same products had publicly available exploit code.
    • Microsoft matched each public exploit with its corresponding vulnerability using CVE identifiers and Microsoft security bulletins. The number of Microsoft security bulletins released in 2007 was 11.5 percent lower than in 2006, and the number of vulnerabilities covered by those bulletins was 29.6 percent lower than the number covered by the 2006 bulletins.
    • In a product-by-product comparison, more recent versions of Microsoft products were proportionally less affected by publicly available exploit code than earlier versions. This trend is especially visible with Microsoft Office. Only 11.1 percent of known vulnerabilities in the 2007 Microsoft Office system had exploit code publicly available, compared with 45.8 percent for Office 2003 and Office XP, and 52.4 percent for Office 2000.

    We additionally looked at the exploits based on CVE.

    We even added a table where we compared selected products in 2006 and 2007:

    By CVE ID

    Product            Version     |        2006                        |        2007                        | Delta
                                   | CVE ID Count  CVE Exploits  Pct.   | CVE ID Count  CVE Exploits  Pct.   | (Pct.)
    -------------------------------+------------------------------------+------------------------------------+-------
    Internet Explorer  5           |           26             7  26.9%  |           19             3  15.8%  | -11.1%
    Internet Explorer  6           |           26             5  19.2%  |           19             3  15.8%  |  -3.4%
    Internet Explorer  7           |            0             0      -  |           19             3  15.8%  |      -
    Microsoft Office   2000        |           45             8  17.8%  |           21            11  52.4%  |  34.6%
    Microsoft Office   XP          |           44             9  20.5%  |           24            11  45.8%  |  25.3%
    Microsoft Office   2003        |           40             9  22.5%  |           24            11  45.8%  |  23.3%
    Microsoft Office   X-Mac       |           26             3  11.5%  |            5             2  40.0%  |  28.5%
    Microsoft Office   2004-Mac    |           33             5  15.2%  |           22             8  36.4%  |  21.2%
    Microsoft Office   2007        |            0             0      -  |            9             1  11.1%  |      -
    Windows            98          |           27             7  25.9%  |            0             0      -  |      -
    Windows            ME          |           27             6  22.2%  |            0             0      -  |      -
    Windows            2000        |           73            18  24.7%  |           51             6  11.8%  | -12.9%
    Windows            XP          |           84            59  70.2%  |           55             6  10.9%  | -59.3%
    Windows            2003        |           78            32  41.0%  |           57            21  36.8%  |  -4.2%
    Windows            Vista       |            1             0   0.0%  |           40            12  30.0%  |  30.0%

    (Pct. is the share of CVE IDs with public exploit code; Delta is the change in that percentage from 2006 to 2007, in percentage points.)

    So, what is this giving us?

    When we look at attacks and the "time to exploit", which is definitely decreasing, we have to take into consideration that malware (which often exploits vulnerabilities) is more and more focused on financial gain. The chart below shows this very well:

    So, what do this chart and the report above allow us to conclude?

    • Criminals are getting smarter, more professional and faster – with or without this kind of technology
    • As a result of the Security Development Lifecycle, which sets standards for secure development practices that all Microsoft products have to adhere to, the latest versions have significantly fewer vulnerabilities compared both to older versions and to competitive products
    • We have to continue to invest in producing high-quality security updates (with "we" I mean the whole industry) in order to allow for shorter patching cycles
    • The vendors have to work closely together with the customers to share best practices of patch management. This is something we have been doing for a long time.

    One final comment: to me it is not only about exploits, it is about the process of creating security updates as well. In this context I would like to remind you of my recent post on 0-Day-Patch – A new Metric for Security?

    Roger

  • Public Testing for Office

    Are you working with Office System 2007? Ever looked for a command you knew exactly where to find in 2003, but were unable to locate? Well, do not get me wrong: since I have got used to the Ribbon, I love it – really. And my wife is all of a sudden able to work with Excel, as she seems to find stuff…

    Nevertheless, there is a new add-on to test called Search Commands. Search Commands adds a tab to your Ribbon and gives you the option to look for a command in Office 2007 – it immediately shows you all the commands that relate to your search – really cool.

    How did I find it? We have a site called Office Labs with this kind of trial on it.

    Give it a try

    Roger

  • The ideal profile of a CSO

    I was in Bratislava this week for an IDC conference. During these kinds of events I often talk to the press as well. This time I additionally had the opportunity to talk to a pretty well-known blogger in Slovakia called Jozef Vyskoč. You may have a look at his blog (provided your Slovak is better than mine).

    However, this was a very interesting experience for me, as it was more a peer discussion than a real interview: Jozef knows a lot about security. During the discussion he asked an interesting question: what is, in my opinion, the ideal profile of a Chief Security Officer? Is it more a technology profile, a business profile, a communication profile, …?

    This question made me think, and I would like to get your view on this as well, but let me start:

    From my point of view a CSO needs a broad architectural view of IT. He/she has to understand the implications of a decision on a broad scale and has to be able to judge the corresponding changes in the risk model. Additionally, the CSO has to have very good communication skills – and this is where I see the biggest challenge in today's organizations. Much too often the CSO is an engineer with great technology skills. He/she is able to discuss the very last bit of the TCP/IP specification, knows all the ports for all the protocols by heart and impresses the technology specialists on that side. The challenge comes when they have to go to the board and talk about risks: they explain the latest exploit for a vulnerability in an OS in a way that leaves the CEO with no clue what the CSO is talking about…

    I know that this is not completely the case, and I hope that nobody out there just got a mirror held up in front of his/her face, but what I wanted to say is: the CSO has to have a very broad IT skillset, in addition some business know-how, and finally very, very good communication skills. We have to be able to make the business understand the risks in their language. This is the only way the business can take its role in risk management and decide on the risk management strategy and the acceptable level of risk.

    What is your take on that?

    Roger

  • “The Security Business has no Future” (Quote by IBM)

    This is actually an interesting statement. If you have ever had to deal with the press, you know how these headlines are composed. It might be that the person actually phrased the sentence this way – the question is whether he meant it so absolutely. Nevertheless, if you read the corresponding article on darkReading, I am impressed by how closely we and IBM agree:

    "The security industry is flying by the seat of its pants," Rahamani said. "Security infrastructure has been dictated by the bad guys... as new threats arise, we put new products in place. This is an arms race we cannot win."

    And

    "If we really want to get ahead of the threat, we need to start thinking about re-engineering our businesses and processes. We need to make them more secure and compliant by design, and we need to move more security and compliance technologies into the fabric of our standard infrastructure and application environments."

    Think about that for a moment. Does this mean that we should get rid of today's solutions? I do not think so. Does this mean that we should think about overall approaches to security instead of going threat after threat? Absolutely. As I wrote last week, we published a whitepaper called "End to End Trust" which addresses exactly this. Therefore, I would invite IBM to join the debate. Only together can we win!

    Roger