• Making the Management of Security Compliance Easier!

    As you all know, I have two main pet themes: Risk Management and Compliance Management, because I very often see room for improvement in these processes at our customers. Internally, we often think about how we can make it easier for our customers to manage compliance in their networks.

    So, basically it is about helping you to plan, deploy, operate, and manage the baselines in your environment. As you might know, we have been providing free tools, which we call Solution Accelerators, for quite a while (if you did not know, shame on us). The Security Compliance Manager is part of this program as well, and the new version has just entered Beta.

    Basically, the new Security Compliance Manager Solution Accelerator provides you with a few pretty exciting features:

    • Centralized management and baseline portfolio
    • You can customize the security baselines
    • You can compare them and export them (e.g. to GPOs)
    • You can verify and monitor them

    As a picture shows more than a thousand words, here are a few (cool!!) screenshots of the tool:

    [Screenshot] Check for Baselines

    [Screenshot] Compare Baselines

    [Screenshot] Customize the Baseline

    [Screenshot] Export it (to enforce it through GPOs)

    [Screenshot] Merge different Baselines

    So, if you are as excited as I am, you should join the Beta program, which is now open. That’s the way to give feedback and influence the tool now! Therefore my “call to action” for you is:

    The beta will run through March 2010. That means now is the time to join the beta program, take an early look at this tool, and provide the Security Solution Accelerators team with your feedback.

    Want the facts straight from the development team? Check out this series of short videos! Better yet, post your own video response sharing your favorite feature.

    Want more information on a specific feature? Interested in speaking with the development team? Please contact Michelle Arney.

    Have a lot of fun!!

    Roger
  • SANS Top 25 Most Dangerous Programming Errors – the same as very often…

    I just worked my way through the list SANS published. Looking at it, it is not surprising but still scary to see which errors made it to the top of the list:

    1. Cross-site Scripting
    2. SQL Injection
    3. Classic Buffer Overflow
    4. Cross-Site Request Forgery
    5. Improper Access Control

    It shows, as we often say, that the attacks have moved up the stack and a lot of the challenges are rooted in improperly written applications. So, if your organization is developing applications, you should start to implement a process like the Security Development Lifecycle. If you need information about this, look at our website: Microsoft Security Development Lifecycle

    Roger

  • Children – A Threat For Corporate Security?

    I read this article this morning: Safer Internet Day: How children can undermine corporate security. It actually reminds me of all the PCs I have looked at in my private environment. When I see a heavily infected PC, the parents always tell me that the Peer-to-Peer network software on the PC was installed by the kids and that they are downloading software with it. This is a problem at home – but definitely a bigger one on your corporate notebook.

    What can you do against it? Well, you could lock down the notebooks – and make it impossible for people to work anymore. I think it is much more about awareness as well as enforcing policy compliance. It is pretty obvious that if somebody runs illegal copies of software on a corporate asset, this puts you as a company at legal risk. Therefore it might make sense to run a Software Inventory, check regularly for such software – and then kick off the corresponding administrative processes.

    Roger

  • Use Music to Fight Cybercrime: ‘Maga No Need Pay’

    When I travel through Africa, the high piracy rate is often something we address. Not necessarily from a commercial perspective but much more from a security angle. We know that pirated software is often infected with malware and therefore used for criminal activities. However, the discussion is a difficult one, as a lot of people do not really see the value of software because you cannot touch it. I sometimes face discussions like a customer telling me that they hired a consulting company to assess their security and now they want Microsoft’s help to fix the problems. When we talk about Microsoft Consulting Services, the customer tells me: “I am paying so much for your software, why do I have to pay for consultants as well?”. It is often clear to them that consulting has a price, but the value of software is what we have to “sell” there.

    Now, the government of Nigeria and Microsoft have started to use music to fight Cybercrime (not only piracy). This is a thrilling way to spread the word and to reach the target audience – something I think you should look at.

    Here you find the press release by the Nigerian government: EFCC, Microsoft, Employ Music To Fight Cybercrime

    The music clip can be found here.

    And finally, a blog post by Tim Cranton, an Associate General Counsel at Microsoft: ‘Maga No Need Pay’: Nigeria Gets Creative to Fight Cyber Scams

    Have a lot of fun

    Roger

  • Targeted Attacks – the “Real” Problem

    When I talk to customers, the different kinds of attacks are often something we discuss (obviously). I often mention that Virus and Worm attacks on a broad scale (like Conficker etc.) are a serious problem, but at least one we see, one we understand and one we can fight (because we see and understand it).

    However, my real concern is targeted attacks on governments and companies, as they are incredibly hard to detect. In the last few months, every once in a while we have read in the press about an attack on a government, and sometimes it went undetected for months until either something happened (like a server crashing) or law enforcement found out somehow.

    This morning I read an article which actually claims that the problem is even bigger than I thought: Report Details Hacks Targeting Google, Others. Actually, the article just uses the Google attacks to attract readers, as it does not really talk about them, but the content is interesting nevertheless.

    Roger