• Windows 7 XP Mode - Sophos error: facts not found

    Well, the title is not completely from me – I just quoted another blog post. I wrote recently on Why Windows 7 XP Mode makes sense from a security perspective and was even quoted on The Register. The “funny” thing was the history of that blog: I was reading some Tweets and blogs where XP Mode was just questioned. I actually never read Richard Jacobs’ blog post on this. I just wanted to share the process I went through.

    However, my post again caused a reply by Jacobs – so he seems to read my blog…

    Unfortunately he got some facts quite wrong – but at least he got some attention. If you are interested in the facts, read James O’Neill’s post called Sophos error: facts not found – which is where I have the title from.

    As I wrote in the first post: XP Mode is here to help our customers benefit from the indisputably higher security in Windows 7 for 95% of their tasks, while removing the migration blocker called “compatibility” by using XP Mode. Let me give you another example:

    I helped an SME last weekend to migrate from an XP environment (even their server was on XP) to a state-of-the-art Windows Server 2008 SBS and Windows Vista environment. We failed! Because of one application: a 16-bit DOS accounting application, which we have been unable to stabilize on Windows Vista and to get printing. Even though we switched on all the compatibility settings, it crashed about every 15 minutes. Migration is not an option as a customer of theirs is still using this application. So, what are the options?

    1. Fall back to XP
    2. Live with the crashes
    3. Find a solution……

    What we did at the end (after several hours of trial and error) was to keep one old XP box and to Remote Desktop to run this DOS application – basically we did XP Mode on a physical level instead of virtually and by far not as transparent as with XP Mode for the user – however, managing the XP box now is definitely harder (or at least as hard) than XP Mode (see James’ post).

    So, as I said in my first post on this: It is all about Risk Management.

    Roger

  • Why it pays to be secure – Chapter 1 – Data Breaches

    Our EMEA Security Program Manager, Henk van Roest, started this series internally and with his consent I am publishing it here in my blog as I think it contains a lot of great information for you to use.


    Returning to the theme of deploying security updates once more, we need to look at the potential cost of not deploying updates, breaches……

    Studies are available for the years 2007 & 2008 for US, UK and Germany as examples:

    http://www.encryptionreports.com/costofdatabreach.html

    Extract from United States Report:

    Among the study’s key findings:

    • Total costs continue to increase: The total average costs of a data breach grew to $202 per record compromised, an increase of 2.5 percent since 2007 ($197 per record) and 11 percent compared to 2006 ($182 per record). Breaches are costly events for an organization; the average total cost per reporting company was more than $6.6 million per breach (up from $6.3 million in 2007 and $4.7 million in 2006) and ranged from $613,000 to almost $32 million.
    • Cost of lost business continues to carry the highest impact: The cost of lost business continued to be the most costly effect of a breach averaging $4.59 million or $139 per record compromised. Lost business now accounts for 69 percent of data breach costs, up from 65 percent in 2007, compared to 54 percent in the 2006 study.
    • Third-party data breaches increase, and cost more: Breaches by third-party organizations such as outsourcers, contractors, consultants, and business partners were reported by 44 percent of respondents, up from 40 percent in 2007, up from 29 percent in 2006 and 21 percent in 2005. Per-victim cost for third party flubs is $52 higher (e.g., $231 vs. $179) than if the breach is internally caused.
    • “First timers” cost more, repeat breaches continue: Data breaches experienced by “first timers” are more expensive than those experienced by organizations that have had previous data breaches. Per-victim cost for a first time data breach is $243 vs. $192 for experienced companies. More than 84% of all cases in this year’s study involved organizations that had more than one major data breach.
    • Training and awareness programs lead companies’ efforts to prevent future breaches, according to 53% of respondents. Forty-nine percent are creating additional manual procedures and controls. Of the technology options, 44% of companies have expanded their use of encryption technologies, followed by identity and access management solutions to prevent future data breaches.

    Henk and Roger
  • The Future of the Internet in 2020

    This is a pretty interesting survey: Future of the Internet III: How the Experts See It

    Here are the key findings:

    • The mobile device will be the primary connection tool to the internet for most people in the world in 2020.
    • The transparency of people and organizations will increase, but that will not necessarily yield more personal integrity, social tolerance, or forgiveness.
    • Voice recognition and touch user-interfaces with the internet will be more prevalent and accepted by 2020.
    • Those working to enforce intellectual property law and copyright protection will remain in a continuing "arms race," with the "crackers" who will find ways to copy and share content without payment.
    • The divisions between personal time and work time and between physical and virtual reality will be further erased for everyone who is connected, and the results will be mixed in their impact on basic social relations.
    • "Next-generation" engineering of the network to improve the current internet architecture is more likely than an effort to rebuild the architecture from scratch.

    This shows to me that our End-to-End Trust vision is more important than ever as we will be relying on a trusted stack and a strong identity.

    Roger

  • Why it pays to be secure - Introduction

    Henk van Roest, our EMEA Security Program Manager, is running a pretty successful internal blog. Before summer vacation he started a series called “Why it pays to be secure” which I think has some great information in it. I asked him then to go public with it but he told me that he is not doing this kind of outside communication but that I should feel free to use the content, which I am going to do – thank you Henk.

    I will basically copy/paste his series over time. So I do not want to take the credit for the great work he did. Let’s start with his introduction today.


    In the Security Incident Response Team we are often faced with support cases from customers compromised through some malware which is wreaking havoc in their environment.

    Usually the customer says that deploying updates to software (not just MS Software) is too time consuming, too expensive and too disruptive to their environment.  Of course the resulting issue is usually also quite disruptive e.g. Conficker.

    Microsoft has done a great deal of research into managing an IT environment as well as numerous studies with some of our customers to discover the “True” cost of a managed environment.

    I thought it was useful to start a series of posts on the subject of Update Management and Infrastructure Optimization that might allow you to have good conversations with your customers on the subject.

    So for the purpose of this introduction I’ll just copy one little piece from a study done in 2006 (so this is not a ‘new’ thing):

    WINDOWS DESKTOP BEST PRACTICES

    In this research, IDC evaluated more than 20 potential best practices and identified three that are consistently used by top-performing IT departments for optimizing Windows desktops.

    • Standard desktop strategy (savings of $110/PC). Deploying a standardized desktop by minimizing hardware and software configurations.
    • Centrally managed PC settings and configuration (savings of $190/PC): Keeping deployed PCs standardized by preventing users from making changes that compromise security, reliability and the application portfolio.
    • Comprehensive PC security (savings of $130/PC): Proactively addressing security with antivirus, antispyware, patching, and quarantine.

    http://download.microsoft.com/download/a/4/4/a4474b0c-57d8-41a2-afe6-32037fa93ea6/IDC_windesktop_IO_whitepaper.pdf


    Henk and Roger
  • Internet Explorer 8 best to protect customer

    NSS Labs just recently published a study on browser security with regards to Phishing and Malware protection, which we commissioned. To take it upfront: The whole methodology is transparent and therefore rather than challenging the results, let’s learn from them how we can improve.

    As I do not want to take the joy away for you to read the study, I just want to show you two pieces of information from the report:

    Let’s look at the Phishing study first:

    They looked at how long a user has to wait until a Phishing URL is blocked by the browser:

    | Browser | Avg. Add Time (hrs) |
    |---|---|
    | Internet Explorer 8 | 4.96 |
    | Firefox 3 | 5.24 |
    | Opera 10 Beta | 6.19 |
    | Chrome 2 | 11.08 |
    | Safari 4 | 54.67 |
    | Mean | 16.44 |

    Scary to me is that Safari by far increases the mean of the group. Even though Chrome 2 is behind the other three, I guess that Internet Explorer, Firefox and Opera are comparable here (even though we are more than 20% faster).

    So, speed is one thing, accuracy and completeness another one. Let me quote from the report: The average phishing URL catch rate for browsers over the entire 14 day test period ranged from 2% for Safari 4 to 83% for Windows Internet Explorer 8.  Internet Explorer 8 and Firefox 3 were the most consistent in the high level of protection they offered. Statistically, Internet Explorer 8 and Firefox 3 had a two-way tie for first, given the margin of error of 3.96%. Opera 10 beta came in third due to inconsistent protection during the test. Chrome 2 was consistent, albeit at a much lower rate of protection, and Safari offered minimal overall protection.

    Or in graphical terms:

    [Chart from the report]

    Again, the scary piece is the huge difference between the different browsers. Whereas Internet Explorer and Firefox are similar, the rest is far, far (and Safari even further) spread out.

    Then they did a similar test with regards to socially engineered Malware protection:

    Again, looking at the response time, I guess we can improve when it comes to the comparison with other browsers:

    | Browser | Avg. Add Time (hrs) |
    |---|---|
    | Opera 10 Beta | 5.5 |
    | Firefox 3 | 6.7 |
    | Internet Explorer 8 | 9.2 |
    | Safari 4 | 31.5 |
    | Chrome 2 | 76.8 |
    | Mean | 25.9 |

    But again, there is a huge gap between the best and the worst (and they are very bad). When it comes then to the block rate, the game changes:

    [Chart from the report]

    Again, to quote the report:

    Internet Explorer 8  caught 81% of the live threats, an exceptional score which surpassed the next best browser (Firefox 3) by a 54% margin. Windows Internet Explorer 8 improved 12% between Q1 and Q2 tests, evidence of concerted efforts Microsoft is making in the SmartScreen technology.

    Firefox 3 caught 27% of live threats, far fewer than Internet Explorer 8. It was, however, the best among products utilizing the Google SafeBrowsing API. (Note: Firefox 3.5 was not stable enough to be tested during the course of this test. A patch has subsequently become available to address the stability issue. We were able to manually verify that the protection was identical between versions 3.0.11 and 3.5).

    Safari 4 caught 21% of live threats. Overall protection varied greatly, with two short periods of severe dips. Chrome 2 caught just 7% of live threats, an 8% drop from the previous test.

    Opera 10 Beta caught a mere 1% of live threats, providing virtually no protection against socially engineered malware. In our test bed validation, we verified there was effectively no difference between Opera 9 and Opera 10 Beta.

    So, this is definitely interesting material for your next browser discussion.

    Roger