• Security – One of the Key Reasons to Migrate to Windows Vista (part 2)

    In my last post, I briefly touched on different features of Windows Vista which I think are important with regard to the Windows XP vs. Windows Vista debate. Let’s take a different approach now: I was recently on a panel in Eastern Europe where I was asked which model generates more secure software: shared source (like ours) or open source. I asked back whether they could define “more secure” for me. It turned out that we were talking about vulnerabilities.

    Let’s look at some statistics now and let’s start with vulnerabilities:

    In Jeff Jones’ Desktop OS Vulnerability Report we published figures comparing vulnerabilities across desktop OS vendors, and it turns out that this view alone already gives you a reason to migrate to Windows Vista:

    But this is the view on an industry-wide problem, and it gives us confidence that our Security Development Lifecycle works. How does the comparison between Windows XP and Windows Vista look? He has a really interesting chart in there:

    If we compare Windows XP and Windows Vista, we see different things:

    • There are vulnerabilities we had to address in Windows XP which were no longer present in Windows Vista.
    • There are vulnerabilities which had less impact on Windows Vista compared to Windows XP. A good example of this was the latest out-of-band security update we had to release, MS08-067, which was rated Critical for all the operating systems except Windows Vista and Windows Server 2008, where we rated it Important. The reason for that is UAC – even if you had switched off the UI!
    • Finally, there was one vulnerability which was introduced in new code in Windows Vista.

    So this picture shows very well that defense in depth in Windows Vista (with technologies like ASLR, DEP, UAC, etc.) actually pays off.

    Another view on this is the attack/malware side. In our Security Intelligence Report v5 we talk about browser-based exploits and which software the criminals attack on Windows XP and Windows Vista. If you look at the XP picture you see the following:

    With regard to browser-based exploits on Windows XP, Microsoft software was attacked 58% of the time and third-party software 42% of the time. This changes drastically on Windows Vista:

    Here our software drops to 6%!

    In the Security Intelligence Report we have some other figures as well (like the malware infection rate on the different OSs), but I want to leave it at that.

    We once discussed an interesting question in our community: If we could give our customers just one piece of advice, what would it be? I think it would be to stay on the latest versions of all your software. The reason is not license fees or anything like that. The reason is that this is the only way to cope with the changing threat landscape!

    Roger

  • Security – One of The Key Reasons to Migrate to Windows Vista (part 1)

    The value of Windows Vista is often questioned. There are a lot of customers who still think that there might be no reason to migrate to Windows Vista. I will publish two blog posts giving you some views on the security of our latest operating system. Most of the facts in here are widely known, but this might give you some additional guidance.

    Let’s start with the Operating System itself. We published the Windows Vista Security Guide, which is split into different sections as shown below:

    Let’s look at some of the key challenges to face:

    Defend Against Malware

    There is different technology in Vista to help you defend against malware, and I would like to touch on a few pieces (some of them not in the guide):

    • ASLR (Address Space Layout Randomization): This is a piece of technology which helps to defend against attacks exploiting buffer overflows and similar bugs. Basically it makes sure that a potential exploit does not know where a vulnerable piece of software is located in memory. There is actually a pretty good blog post (on Beta 2 of Vista, but the technology is the same) by Michael Howard: Address Space Layout Randomization in Windows Vista.
    • DEP (Data Execution Prevention): Well, this was in Windows XP SP2 already. Basically it leverages a processor feature which is able to distinguish between executable and non-executable memory (the NX flag). Unfortunately a lot of hardware vendors disable this at the processor level…
    • User Account Control (UAC): The most hated/loved feature in Vista. There were so many debates about this, but I am still a big supporter of UAC. It might well be that we have to adapt the user interface (well, we have to adapt the user interface). Nevertheless it has shown its value several times already, the last time with the out-of-band release where we could rate the update “only” Important for Vista but Critical for XP.
    • Additionally, there is technology in the platform which was either available for download or built into Windows XP (Windows Defender, Windows Firewall, Windows Security Center, Malicious Software Removal Tool, Software Restriction Policies). This technology and these tools help you to run the platform in a secure and safe way.
    • Last but definitely not least, there are a lot of improvements around Internet Explorer 7. With one exception (Protected Mode), the features are available on XP as well. However, the ability to run IE in Protected Mode by itself allows for a safer browsing experience.
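    ASLR and DEP only protect a process if the executable (and every DLL it loads) opts in: the linker records that choice in the DllCharacteristics word of the PE optional header. The following Python script, added here as an illustration and not taken from the post, the Vista Security Guide or any Microsoft tool, reads those bits directly so that you can audit the binaries you deploy. The flag values and header offsets are the documented PE/COFF ones; the sample images it builds are constructed header-only skeletons, not real executables. It also covers a caveat the post does not mention: an image that sets the ASLR flag but has its relocations stripped cannot actually be moved by the loader.

```python
import struct
import sys

# Flag values from the PE/COFF specification (winnt.h); hard-coded so no
# third-party PE library is needed.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001              # COFF Characteristics: no relocation data
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # image may be rebased at load time (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # image declares DEP/NX compatibility
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe_mitigations(data: bytes) -> dict:
    """Report whether a PE image opts into ASLR and DEP.

    Walks DOS header -> PE signature -> COFF file header -> optional header
    and reads the DllCharacteristics word, which sits at offset 70 of the
    optional header for both PE32 and PE32+.  Raises ValueError for non-PE input.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    if len(data) < coff + 20:
        raise ValueError("truncated COFF header")
    (_machine, _nsect, _stamp, _symtab, _nsyms,
     opt_size, file_chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)

    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # The loader can only randomize the base if it can relocate the image:
        # DYNAMIC_BASE without relocation data gives no ASLR in practice.
        "aslr_effective": dynamic_base and not relocs_stripped,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def missing_mitigations(data: bytes) -> list:
    """Names of the mitigations from the post that this image does not opt into."""
    m = parse_pe_mitigations(data)
    missing = []
    if not m["aslr_effective"]:
        missing.append("ASLR")
    if not m["nx_compat"]:
        missing.append("DEP")
    return missing


def build_minimal_pe(dll_chars: int, file_chars: int = 0x0002, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE skeleton for offline testing (not loadable)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # With file paths as arguments the script audits real binaries; without
    # arguments it runs the constructed samples.
    samples = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "hardened (constructed)": build_minimal_pe(0x0040 | 0x0100),
        "legacy (constructed)": build_minimal_pe(0),
        "aslr flag, relocs stripped (constructed)": build_minimal_pe(0x0040, file_chars=0x0003),
    }
    for name, blob in samples.items():
        print(name, parse_pe_mitigations(blob), "missing:", missing_mitigations(blob))
```

    Run it as `python pe_mitigations.py C:\path\to\app.exe C:\path\to\plugin.dll` to get one line per file. A single module in the process without NX_COMPAT or without effective ASLR weakens the protection for the whole process, which is why the check is worth running across every DLL an application ships, not only the main executable.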

    You see, even without active protection, there is already a lot being done around the defense against malware.

    So, looking at the next area:

    Protect Sensitive Data

    The nightmare scenario: You lost your notebook with sensitive data on it! So there is different technology you can use to protect the information on your notebook:

    • BitLocker Drive Encryption: This is well known and often discussed. I know that there is third-party software able to deliver drive encryption, but BitLocker is built into the platform, is part of your license, and can be managed through Active Directory (storing the recovery key in AD can be mandated). What a lot of people do not know is that BitLocker actually has two components (see the technical information):
      • It encrypts your disk.
      • It verifies the integrity of some key boot components. This helps to boot into a more or less trusted state.
    • In order to protect your sensitive information, there is even more you can do. To me the most important piece of technology in this space is Rights Management Services (RMS), as it keeps the protection of the information persistent, so you no longer have to care where the data resides.
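    The second BitLocker component above, the boot integrity check, is worth seeing in miniature. The Python simulation below is an added illustration, not code from the post or from Microsoft; it assumes what the post does not spell out, namely that the check is the TPM measured-boot mechanism: each boot component is hashed and folded into a platform configuration register (PCR) that can only be extended, never set, and the disk key is sealed to the resulting value. The component contents and the 32-byte key are constructed stand-ins, and `seal`/`unseal` are a toy model of the TPM policy check, not its real cryptography.

```python
import hashlib

# A TPM PCR starts as all zeros and can only be *extended*, never written:
#   PCR_new = SHA-256(PCR_old || SHA-256(component))
# Assumption (not described on the page): this measured-boot chain is what
# BitLocker's integrity check builds on.  All data below is constructed.
PCR_INITIAL = bytes(32)

GOOD_BOOT_CHAIN = [                      # constructed sample boot components
    b"stage-1: constructed master boot record",
    b"stage-2: constructed boot manager",
    b"config: constructed boot configuration data",
    b"loader: constructed OS loader",
]
VOLUME_KEY = bytes(range(32))            # constructed stand-in for the disk key


def measure(component: bytes) -> bytes:
    """Digest of one boot component, as recorded before that component runs."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """One PCR extend step; chaining makes both content and order matter."""
    return hashlib.sha256(pcr + measurement).digest()


def boot_chain_pcr(components) -> bytes:
    """Final PCR value after measuring every component in boot order."""
    pcr = PCR_INITIAL
    for blob in components:
        pcr = extend(pcr, measure(blob))
    return pcr


def seal(key: bytes, expected_pcr: bytes):
    """Toy stand-in for TPM sealing: bind a key to one expected PCR value.

    A real TPM keeps the key inside the chip and enforces the PCR policy
    itself; here the wrapping key is derived from the expected PCR so the
    blob is useless unless the policy check in unseal() passes.
    """
    wrap = hashlib.sha256(b"seal-to-pcr|" + expected_pcr).digest()
    return expected_pcr, bytes(a ^ b for a, b in zip(key, wrap))


def unseal(sealed, current_pcr: bytes):
    """Release the key only if this boot measured to the sealed PCR value."""
    expected_pcr, wrapped = sealed
    if current_pcr != expected_pcr:
        return None                      # policy check fails: no key, no volume
    wrap = hashlib.sha256(b"seal-to-pcr|" + current_pcr).digest()
    return bytes(a ^ b for a, b in zip(wrapped, wrap))


def simulate_boot(components, sealed) -> bool:
    """True if the volume key was released, i.e. nothing measured differed."""
    return unseal(sealed, boot_chain_pcr(components)) == VOLUME_KEY


if __name__ == "__main__":
    sealed = seal(VOLUME_KEY, boot_chain_pcr(GOOD_BOOT_CHAIN))
    tampered = list(GOOD_BOOT_CHAIN)
    tampered[1] = b"stage-2: constructed boot manager (modified offline)"
    print("untouched boot releases key:      ", simulate_boot(GOOD_BOOT_CHAIN, sealed))
    print("modified boot manager releases key:", simulate_boot(tampered, sealed))
    print("same parts, wrong order releases key:",
          simulate_boot(list(reversed(GOOD_BOOT_CHAIN)), sealed))
```

    The point the simulation makes is the one behind BitLocker's recovery prompt: any change to a measured component, or to the order in which components run, yields a different PCR value, the seal no longer matches, and the key stays locked until an administrator supplies the recovery key (which is why storing that key in Active Directory, as mentioned above, matters operationally).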

    And there is a lot, lot more, but I do not want to write blog posts that are too long and which then nobody reads :)

    I would like you to look into this and into the above-mentioned guide, and then really go for a Windows Vista deployment…

    Roger

  • The Next Version of ISA Server (“live” from TechEd EMEA)

    This is once again one of those posts that start with “I am just sitting in a session…”. Actually I had some time today to visit sessions and look into some things I have never seen. We often have discussions around the future of our products and what we in the field think should be in there. Then you see just slideware, but sometimes it is not too easy to keep up with the pace of the developers in all the products and see what they are actually developing and how it looks today.

    Therefore I took the opportunity to sit in a session on “The Next Version of ISA Server: A Sneak Peek Demo”.

    Let me give you an update on it (no particular order, just the way I saw it today):

    • ISA Server will be renamed to Threat Management Gateway and will be part of the Forefront suite. Therefore TMG (the new abbreviation for Threat Management Gateway) will collaborate and share information with the other Forefront products in your network (e.g. Forefront Client Security, NAP, etc.) in order to assess the threats and protect information. This would mean that if a client sends out information to the Internet at an unusual level, we will block it, put it into quarantine and scan it… Way cool.
      • If you want to, you can block encrypted zip files :)
    • Web Protection:
      • Scan files that are downloaded by the users for malware and block them on the gateway by the TMG server.
        • We can even inspect outbound SSL traffic, as we bridge SSL on the server if you want it. The user is informed that SSL will be inspected; this is very important from a privacy perspective. With this technology we can block invalid or expired certs. Last but not least, you can exclude certain sites or site groups (e.g. Finance and Banking) from the SSL inspection. So you can configure it so that the traffic is not inspected but the certificate is still validated, or nothing is done at all.
        • For large files, the user gets a page informing him/her that the file is downloaded by the TMG server and scanned there. If it is OK, it is forwarded to the client. Whether this is kicked off is decided by the download time (more than 10 s).
        • We can handle files in cache as well.
      • We include URL filtering
        • Block sites you do not want the users to browse to
        • We can even categorize sites (e.g. to categorize them as Malicious) and you can override the setting as you need.
    • Logging and Reporting
      • The console itself still looks very similar to what you are used to from ISA Server 2006 – there is no need to change a lot, is there?
      • We enhanced logging with e.g. the information we just touched upon above.
      • There is a new node called Web Access Policy where you configure all the different policies above. There is even a really good wizard to deploy these policies.
    • Active Protection Technology (Network Intrusion System from Microsoft Research named GAPA)
      • GAPA will be part of Forefront Client Security as well.
      • As I said above, there will be quite some ways to protect your network from attacks. By determining unusual behavior we can block traffic from infected machines and in addition we would be able to kick off actions in the rest of the product suite.
      • We will deliver signatures to help you a little bit in order to gain some time before you patch as we learned that the average customer needs more than a month to deploy a security update. To be clear here: This does not replace proper patch management!
    • Network Access Protection
      • We include NAP in the VPN part of the product. We had quarantine in the VPN implementation of ISA Server 2004 already. However, for a lot of customers it took a long time to deploy as they had to write custom scripts. With NAP you can build on the same technology you deploy on your network, and it is much easier than the scripting version. However, do not just switch it on – this is a project, not just a feature…..
      • The nice thing is that you not only check the machine during logon but during the whole session. So if the machine falls out of compliance during a session, it is taken into quarantine, fixed and brought back to the network again.
    • Array Support
      • You will be able to take two Standard servers, join them and have an array. There will still be an Enterprise version to manage multiple arrays, but for smaller deployments this is definitely good news.
    • And a lot more

    As I said: This is way cool…

    I am looking forward to getting my hands on the final product!!!!

    Roger

  • Cyber Advice for the Next President

    As we all know, next week the new President of the United States will be elected. Behind the scenes a lot of teams are preparing the transition from President Bush to the new president. It seems now that a commission is getting ready to advise on cybersecurity for the next president.

    We will see how much this will “change” once the president is in place: Cyber advice for the next president

    Roger

  • Security Intelligence Report v5 Live!

    As you are probably used to from us, we issue our Security Intelligence Report twice a year. It is by far the most comprehensive report across the industry. This report helps us to understand the threat landscape and will help you to do the same, as we believe that the more we share this knowledge, the better our customers will be protected.

    So, let’s have a look at some content of the report:

    The very first chapter is completely new and will give you some insights into how we see the underground economy working. Basically it shows you how people who are not too IT-literate get access to malicious code:


    And then how they can offer their underground, criminal services in order to make money:

    This is new and really interesting from a background perspective.

    In addition we do what you expect us to do :-) - talk about the trends we see. So the number of reported vulnerabilities in the industry went down again:


    As did our share of the reported vulnerabilities…

    A new chapter in the report is browser-based exploits, and we found an interesting difference in how the criminals exploit vulnerabilities on XP vs. Vista.

    This is the chart on browser-based exploits targeting Microsoft and third-party software on computers running Windows XP:


    and then the same on Vista:


    And last but definitely not least, we can look at the map of EMEA (you find the world map in the report) when it comes to malware distribution. This is data collected by the Malicious Software Removal Tool based on locale (and it is normalized by the number of executions):

    So, in the meantime, I expect you to be really interested in reading the whole report, so you should go ahead! You can find it here.

    Roger