• 10 Reasons to migrate off Windows XP

    I would like you to sit back, close your eyes and think about the year 2001. Think about how you used technology back then, how you used the Internet. Now, let’s take it a little bit further back in history and think of the year 2000. Just after we realized that the Year-2000-Problem was handled very well by the industry. How you used technology, how you used the Internet, the speed of your Internet connection (I think for me it was ISDN-Dial-Up).

    This was the time Windows XP was designed. Windows XP was launched in 2001 and – judging by its success – it was a really great piece of technology. It just runs, rock-solid. Well, it was attacked by a few worms like Blaster and Sasser, which led to the development of Service Pack 1, which made us stop development for a few months to look for security vulnerabilities. Over all the years of improvement and learning, this finally led to Windows 7.

    If you are still on Windows XP, you probably should re-think your strategy today as the Operating System you are using was not designed to survive in today’s threat landscape. Let me give you 10 reasons why you should definitely move off Windows XP as soon as possible:

    1. First and foremost, Windows XP will go out of support April 8th, 2014. From then onwards, there will be no more security updates for Windows XP. Even though it is still two years down the road, larger organizations typically need some time to migrate and I am convinced that you need to start now!
    2. Changes in development processes within Microsoft over the last 10 years, like the introduction of the Security Development Lifecycle (SDL), significantly reduced the number of vulnerabilities, the likelihood of getting infected by malware and the attack vectors. This can easily be seen when you look at the data from our Security Intelligence Report:
    3. Most probably you are still using Internet Explorer 6 if you are running Windows XP. As the browser is your window to the Internet and the most attacked application you run, running a browser which is three versions behind the latest one is definitely not something you should do, for several reasons. One is the point I made above: development processes have come a long way in the industry to incorporate security into the product at the code level, and you would want to leverage this. Additionally, a lot of technology is built into a modern browser to protect you from current attacks, like the SmartScreen filter. So, move off IE6 to Internet Explorer 9 (for Windows Vista and later) or at least Internet Explorer 8 if you stay on Windows XP (which you should not :-)). To show you the impact, here is a graph published by NSS Labs on how far the browser can protect you from socially engineered malware:
    4. The Security Development Lifecycle is not only about reducing security vulnerabilities at the code level; it is also about adding protection in case there is a vulnerability in the code. It is about Defense in Depth as well – or mainly. As a result we introduced technologies like DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) into the platform, which make it much harder to exploit a vulnerability in the code.
    5. Ever tried to run Windows XP without being local Administrator? Yes, you will tell me now that you run it in the enterprise like that. What about changing the time zone when you travel with your notebook? Or adding your home printer? Or, or, or? I have to admit that I tried it more than once and gave up. User Account Control helps greatly. It is a huge improvement and makes the non-admin use of the OS much simpler. Even if you decide to run as a local admin, you work with the user token until you need admin privileges.
    6. On Windows XP you might be using some third-party disk encryption tool, something which comes for free on Windows 7 – even for USB sticks. It is called BitLocker and BitLocker To Go.
    7. Talking of BitLocker: one of the points often forgotten when talking about the OS is that one of the key attack vectors is the boot process. We have seen successful attacks on Windows XP during the boot process with rootkits. If you switch on BitLocker on Windows 7 (and Vista) you get fairly sound boot protection. If you use a 64-bit version with kernel protection, the risk of getting infected during the boot process is actually fairly low.
    8. Managing Software Restriction Policies in Windows XP was a very hard – close to impossible – task. AppLocker on Windows 7 has improved this greatly.
    9. There are quite a few changes on the IP layer: we support IPv6 and there are a lot of improvements in the Windows Firewall.
    10. The last point: Windows XP is just not cool anymore. Windows 7 is just much nicer, cooler to use and just much, much more fun.

    Besides all the security improvements, which make most sense if they are used in combination, like BitLocker on 64-bit Windows together with AppLocker, it has to be said that managing such a Windows 7 environment has proven to be much, much more efficient than managing Windows XP.

    I guess you did not have time to finish reading the post? Started your migration project immediately? Great, go ahead!

    Roger

  • Office 365 Becomes First and Only Major Cloud Productivity Service to Comply With Leading EU and U.S. Standards for Data Protection and Security

    A long title, but this was the title of the official press statement yesterday. Compliance is always a key question in the public cloud space. Therefore it is very important for us that we have now achieved three things:

    • Office 365 is compliant with EU Model Clauses, Data Processing Agreements and ISO 27001 among other standards.
    • Office 365 is the first and only major cloud productivity service that enables HIPAA compliance.
    • The Office 365 Trust Center provides in-depth information about the privacy and security practices for Office 365 and was recently redesigned to be more accessible and easy to understand.  The new site can be accessed at http://trust.office365.com.

    If you are interested in the official press statement: http://www.microsoft.com/Presspass/press/2011/dec11/12-14O365CloudPR.mspx

    Roger

  • Implementing the Top 4 Defense Strategies

    The Australian Defence Signals Directorate (DSD) maintains a list of the Top 35 Mitigation Strategies against targeted intrusions. This is just a reference to the top strategies:

    1. Patch Applications
    2. Patch the Operating System
    3. Minimize the use of local admin
    4. Application whitelisting

    Looking at these 35 strategies, the DSD claims that

    While no single strategy can prevent this type of malicious activity, the effectiveness of implementing the top four strategies remains unchanged. Implemented as a package, these strategies would have prevented at least 70% of the intrusions that DSD analysed and responded to in 2009, and at least 85% of the intrusions responded to in 2010.

    This is pretty much in line with the anecdotal reference I could make, where we see successful attacks coming in through unpatched systems (point 1 and 2), flaws in applications developed in-house (kind of point 2) and social engineering (point 3 and 4). However, these things are not that new, are they? We have been talking about patch management for a long time – and patch management not only for the Microsoft environment but for all the applications, be it Microsoft, Adobe or in-house apps, as well as Open Source operating systems.

    The DSD even went a step further and developed a really good paper called Implementing DSD’s Top Four for Windows Environments. Something definitely worth reading!

    Roger