I am using it since the Beta and it is really cool. I am using Messenger (with the integration to Facebook etc.) as well as the Windows Live Writer to blog.

It rocks: Windows Live Essentials 2011 available for download now

Download and install!

Roger

This title immediately caught my attention and probably yours as well: How to detect a hacker attack – something I definitely want to know. And then I realized that the article a) is written from a techie and b) does not really cover the attacks I am worried of most. But I will address this toward the end and would appreciate your ideas as well.

If you look at the article, it gives 4 tips:

1. Suspiciously high outgoing traffic for dial-up and ADSL
2. Look out for strange looking files in the root directories of your drives and/or too much disk activity.
3. If your personal firewall is reporting blocking large packets of data from the same IP address
4. A lot of hackers still rely on trojans and backdoors. So, if your anti-virus software starts finding a lot of those, try increasing protection, use an Internet security suite instead of a basic anti-virus

That’s just an excerpt. If I look at my mom and dad – they never look at 1 (I do not do it either), 2 (I would just see it if I would clean up my machine), 3 (It might be in the event log but who is looking at the even log?). 4 is definitely a good thing as we said since ages (actually since Blaster) that there are three things you should do to protect your PC:

1. Switch on your firewall
2. Keep your software updated
3. Install an anti-malware solution and keep it updated (see Microsoft Security Essentials)

If we take it to a company level, the 4 tips about might look slightly different: 1 is network monitoring (if you see the anomalies), 2 is rarely done, 3 is rarely done and 4 again I hope is done.

But what really worries is me are not the attacks we are finding with the 4 tips above. Those are not the ones, which keep me up at night as they are noisy.

What about the stealth, targeted attacks – the real attacks? They do not create a lot of traffic (as the data is slipped out slowly), they hide the files “behind” other files, the use the universal firewall tunneling protocol (called HTTP) to transfer data and the malware they are using is just written for this single purpose: To attack just you!

How do we defend against those attacks? How do we even find them? They will sneak in through social engineering and I have to admit, that I am not clear what we can do against them – really. A few things come to my mind:

1. Risk Management – start with understanding your risk exposure not only from a technical side but who could be interested for what in your environment. How likely are you to be targeted by e.g. industrial espionage?
2. Patch Management – this is for sue. However, the targeted attacks often do not leverage technical vulnerabilities but the user. But staying on the latest versions of all your software is key to defend. This does not only mean security updates but “real” versions as well. If you are still on Windows XP, your risk exposure is significantly higher than on Windows 7
3. Information Protection – the classical encryption does not help here as the malware might impersonate you and then simply copy/past the data or transfer the data in plain text. I think that Rights Management Services could at least lower the risk of data loss.

What else? What do you do? I would be really interested hearing your ideas and approaches

Roger

I want to start upfront: I do not want to take a position here. I have an opinion as a person in my cultural context but I understand that this opinion is by far not the only one which is right or wrong.

This morning I read this article: FBI Drive for Encryption Backdoors Is Déjà Vu for Security Experts. This is definitely not new and we had it before. If there is a backdoor in encryption for the good guys, there will be one for the bad guys as well. However, if something bad happens to you and you want the criminals to be arrested, you will want the police to have the right means available to track the criminal down and send him/her to prison if necessary. This is kind of a dilemma.

I was once having a discussion with a former police man who said: “We can deliver an almost crime-free society – if we are willing to give up all our privacy.” And the idea is fairly simple: If a crime happens and we could immediately see who did it, the risk of committing the crime is so high, that you probably would think about it more than twice. But this is not what we want. I want my privacy – but where is the right balance? This is a discussion which is fairly old and a discussion which has to be re-visited over time and a discussion which will yield to different results in in different cultures: the US (see the laws after 9/11), in Europe, in the Middle East, in Africa or in Asia – and this is good.

So we have to understand how much privacy we are willing to give up to help the policy to combat child porn, hacking, and other illegal activities on the Internet. It will be interesting to see, where the discussion leads in the US as well as in other countries.

Finally, I am convinced that backdoors in crypto do not help to solve the problem: You will catch the stupid criminal anyway in one way or another without backdoor. The smart one will use a software to encrypt without backdoor and then the whole requirement does not help anymore…

Roger

Last week, when I was in South Africa, a partner of us pointed me to a very interesting paper by KPMG called Cloud computing: Australian lessons and experiences. What I like is, that a lot of the items I was recently raising, where actually reflected in quotes by customers of Cloud providers as well as by the general findings of the study.

I know that this is a very long post. If you do not want to read the whole post, please read at least one of the last quotes I have in here – which is by far the longest one.

Let’s start at the beginning. When I talk about the big trends having an impact on security, these are the five items I am currently raising:

• Flexibility: The users are asking for more and more flexibility, where they work, when they work, how they work. They see IT as a tool to do their jobs – and they are right so!
• Security as an enabler: If we as a security community continue the ride along the lines “you cannot do it because of security” we will become even more irrelevant in some organizations than we are today. If you think that this is harsh, than look at this study and tell me again what you think: RSA Europe: Are you ready for security and privacy? - especially at the picture showing collaboration. Security’s job is to help IT to help the business to achieve the goals in a secure and safe way. In other words to help to manage IT-related risks. If we are smart, this becomes an asset rather than a nuisance.
• Cybercrime from cool to cash: That’s obvious – the criminals are, where the money is.
• The Cloud: The Cloud (and this is what the whole post is about) is a reality. You say no – not for you? Think again and read the rest of the post…
• Consumerization of IT: More and more, consumer devices have to be integrated into our IT infrastructure. Show me the company who consciously decided to integrate the iPhone into their infrastructure. I do not know of any but it is in there because the users love it. Get accommodated to the fact, that your users started to take IT strategy decisions, whether you like it or not. Your cheese has moved.

When it comes to the Cloud and the security approach, Doug Cavit and me wrote a paper called Cloud Security Considerations, which I think is worth reading. It is fairly short and covers the key aspects of the Cloud in these five areas:

• Compliance and Risk Management: Make sure that you approach the Cloud from a risk-based view. Try to understand the new risks and the risks, which will go away or at least which will be heavily reduced. However, compliance and risk management are still your core responsibility.
• Identity and Access Management: You will still want to manage your identities and make sure you can federate from on-premise to the Cloud. You do not want to get new identities, just because you consume a new Cloud service. Make sure, you have the right processes and technologies in place to deal with identity management in the Cloud as well.
• Service Integrity: Understand how the service is engineered and run to the extent needed for the service you consume and the data you put into the Cloud.
• Endpoint Integrity: Cloud security starts with the endpoint. You cannot protect the information in the Cloud without protecting your endpoint, where your security architecture starts.
• Information Protection: This is why we do it – yes? So, have a data classification scheme in place and implemented. That’s the only way to understand, which data to move to the Cloud and what you want to keep on-premise. Finally, think about how you get your data into the Cloud and back.

It is my firm believe that – if you do it right – you can increase your overall security by moving to the Cloud. At least in a lot of scenarios and with a lot of data. But it is not only about moving to the Cloud it is about how to get back as well.

So, that’s my believe and “my theory”. What about the reality? This is, what the study is all about. During my read, I copied quite some quotes from the study, which I thought are very interesting and important to all of us.

First of all, when I talk to customers, they are often reluctant thinking about the Cloud and if they do – well – they do not want start with too critical processes first as the Cloud is not seen to be ready for prime time yet. The study shows, that this is not true:

there were many instances of strategic and sensitive applications being accessed from the cloud.

Interesting. Is there more to the Cloud than just a “let’s sit and wait” approach? Could there be real benefit to it? I am convinced - but there might be a another side to your strategy as well:

This was a small enterprise that had adopted the cloud aggressively, with good outcomes, as a deliberate strategy to support rapid scalability. As the organisation grew and became more established, however, the unique industrial needs of this organisation meant that on-the-premises control would become mandatory, and a transfer back to an on-the-premises model was planned.

I once learned that in some cultures (not in the Western European one), if you write a strategy and decide upon it, you always look into ways to get out of the strategy as well if things change – if your cheese moved. A concept we should look into more often as well. What are the signals to get out and how do you do it? Think about plan B before you start plan A.

If you map this to your Cloud strategy: Think about getting to the Cloud and back. All the vendors will help you to get onto their services but how many help you to get back on premises? How do you have to convert the data and load your data back? Remember the time of document formats, where you lost most of the formatting, once you had to convert them?

Look at our stack briefly: It is actually the same technology on-premises as in the Cloud. If you use Exchange, SharePoint, OCS, whatever on-premise and the Cloud – the same. If you develop an application for Azure and want to move to your own Cloud or back on prem – this is what Windows Azure, SQL Azure, AppFabric are all about.

This scenario has to be feasible and supported.

What about the big advantage of the Cloud: the savings? Here is a customer quote from the study:

The quicker [installation] time was a cost saving. It was one of those projects that almost went under the radar; it was so smooth and so low cost.

Think about this statement for a second. If you are an IT shop, if you are a CIO, this is what you compete with! So, if your business gets this service and you as the IT organization are still running your infrastructure the way you used to do it 10 years ago, what will the user do? See my Consumerization of IT above… The user starts to take strategic IT decisions by moving to the Cloud without asking! So, do not feel too safe, just because you have a policy. And it goes further:

We can let [customers] provision themselves over the Web eventually, so they can choose our offerings, pick the one they want, get billed on a recurring basis...

This is the view of a fairly advanced IT. You have to get there to compete.

If you look at my flexibility item above. I want to be able to work where I want, when I want and how to balance my private and business life. This is where the Cloud can help. Again, a customer:

Anywhere around the world they’ve got live, useful information. That for me is the most important aspect of [cloud computing].

But security is always a concern if you plan the Cloud. The people who are still reluctant, often use security as their main area of concern:

The use of a cloud provider was seen to introduce a potential risk if the provider was unable to provide adequate protection of commercially sensitive information, especially customer information. There would also be serious consequences if cloud providers failed to maintain adequate service levels or experienced service outages.

This is definitely true. But you should look at it from a risk-based approach. You will get additional risks as you introduce a new provider. But what do you gain? What risks will be reduced or will even disappear? That’s the balance which is important. So, there is a lot of work to do as the study finds:

Security concerns were also at the forefront of conversations with managers in organisations with an unknown adoption status. These managers almost all thought that the benefits of cloud computing were, at least for the time being, more than offset by the introduction of new threats, dependencies and exposures for their organisations. Such concerns were top of mind and clearly a significant barrier to adoption.

But

Respondents generally reported that they had worked through the issues and arrived at accommodations or compromises they could live with. Nonadopters frequently cited regulatory
issues as a barrier to using cloud computing.

Here, the Chief Security Advisors can help with. If we are talking about our technology and platform, involve us – that’s what we are here for.

Now – to me – the highlight of the report:

After evaluating the security capabilities of providers, however, the management in adopting organisations had come to different conclusions. They typically articulated the security issue in relative terms. On the one hand there was a consistent message that on-the-premises computing was not always as secure as people believed. As one respondent put it: People are under the illusion that because it’s sitting behind the company firewall its safe. On the other hand, they believed the key cloud service providers they were using had invested heavily in the infrastructure, skills and practices to maximise resilience to attack, and therefore were offering more security than they could build themselves. The same risks, in other words, existed in both scenarios, but they saw the risks as lower, on balance, under their cloud arrangements. Comments like this, from two different respondents, were common:

We actually think our security has been improved as a result of [cloud computing].

I’m fairly certain that we’re getting a better service level through an on-demand platform like [vendor] than we would on an internally hosted application.

Of particular interest here was that three organisations had gone further, with management employing cloud computing as part of a deliberate strategy to increase organisational security and resilience. They saw advantages in shifting computing away from homegrown facilities, which they considered an obvious target today, to in-the-cloud facilities that could be located anywhere, making it difficult, if not impossible, for attackers to identify.

Moving to the Cloud to strategically increase security? Wow! But you can only judge, if you are ready to handle it (see the Risk Management section in our paper).

All the positive experiences in security, service, integration and customisation described in the preceding sections were associated with cloud services that has been adopted and were still in use by the respective organisations. By definition, management had concluded that they were sufficiently developed, and backed by sufficiently trusted providers, for enterprise use.

The Cloud Providers, if selected carefully, have the capability and knowledge to run your Cloud on a higher security level. This leads back to the Service Integrity above.

For this specific vendor I do [have enough confidence]…they publish information about their storage and their security model and they also publish uptime statistics, so things like that give me a certain level of confidence. But I wouldn’t have that confidence with any random vendor.

So, when we address all the technological, procedural, legal requirements, we should not forget about the people. Loss of control is probably the number 1 real concern a lot of people have. They are so used to “owning” the data and the servers that it is incredibly hard to let go.

Management attitudes were also important within the IT department. Respondents frequently had to overcome emotional hurdles associated with letting go of control. Despite being enthusiastic about the potential benefits, cloud computing still represented a significant change: they would no longer have the comfort of knowing that their computers were locked in their own buildings, could be checked at any time and were not accessed by others.

This is the first time, I read a good comprehensive paper about the reality, knowing that this is “just” a sample and “just” Australia but quite some points I am thinking about regularly were addressed and seem to be consistent with my view of the world. At least it re-enforced my firm believe that a lot of customers who are telling me that they will not move to the Cloud because of security might have to re-think their strategy and start thinking about the Cloud because of security. Otherwise they risk losing the competition between internal IT and the external Cloud provider.

If you do not drive this adoption, the adoption will drive you.

Roger

I know that I am not an OpenSource expert and to be completely clear: I do not want to complain at all but I would definitely think whether I would bet my company’s business processes on it… Let me give you my story:

March this year I migrated my blog from a SharePoint based solution to an OpenSource solution and never ever regretted it. I actually enjoy it. I described the whole migration here: Migrating My Blog. I enjoy all the different possibilities WordPress is giving me and by running on Windows Server 2008 R2, I am easily able to operate it.

So far, so really good – but… I now wanted to upgrade PHP to the latest version and I failed. I installed it, made sure that the php.ini file is back in place, restarted the machine and:

Since then I tried everything: Removing all my plug-ins, trying to look at the PHP log (which was accidentally switched on, grew tremendously but when I needed it, nothing was written in there) etc. etc. – no success. Luckily, I run my blog in a Hyper-V environment, which allows me to take a Snapshot and then fall-back to configuration I know that it works.

I started to post in the wordpress.org forum and did not get any response so far.

So, honestly, for my blog it is ok and as I said above, I do not want to complain as I did not pay for it and it is really cool stuff! But it is not business critical (even though I see a fair amount of hits every day – thanks to you all) but if I would have to run my business on it, there are two options: Either I hire a team, which has in-depth knowledge of the stuff or I just hope (which is probably not a good option for a business).

I am just a little bit frustrated. At the moment I am back to the working environment and will take another try, once I find some time to drill down further (or get a good idea from the community).

Roger