• Windows Defender Offline

    A few days ago, Windows Defender Offline was released. This is basically the tool to use, if you are unable to remove malware from a running PC.

    To quote the website:

    Sometimes, malicious and other potentially unwanted software, including rootkits, try to install themselves on your PC. This can happen when you connect to the Internet or install some programs from a CD, DVD, or other media. Once on your PC, this software might run immediately, or it might run at unexpected times. Windows Defender Offline can help remove such hard to find malicious and potentially unwanted programs using definitions that recognize threats. Definitions are files that provide an encyclopedia of potential software threats. Because new threats appear daily, it's important to always have the most up-to-date definitions installed in Windows Defender Offline. Armed with definition files, Windows Defender Offline can detect malicious and potentially unwanted software, and then notify you of the risks.

    You find it here.

    Roger

  • Cybersecurity – Do we need to change the approach?

    Years ago, information security or cybersecurity was in the hands of specialists who set the rules, and the users had to follow them – in theory. Whether the users really followed the rules, policies and recommendations is a different story, but it worked that way. I can rarely remember a CIO, CFO or CEO really being interested in security – until things broke.

    Today, life is different. If I look at the public space, a lot of people want to talk about cybersecurity in one way or another, and a lot of governments across the globe have started cybersecurity initiatives. This is a really good development, as societies will run into huge challenges if technology fails, but it poses some new challenges as well:

    • As security professionals, we are not used to simplifying our messages and the work we do. We are not really used to explaining cybersecurity to people who are already challenged by technology in general.
    • From my point of view, this leads government elites, politicians and a lot of private-sector organizations to use military terminology. All of a sudden we get caught up in talking about “weaponizing technology” – which leads politicians to think about applying to technology rules and laws similar to those that regulate the distribution of weapons. For us it is fairly clear that in most cases it does not work that way, but the terminology implies it. The same thing happens when it comes to defense. The military is used to “shooting back”. I have had this discussion with a lot of people in different governments, and non-IT people have a hard time understanding that it might be really, really hard even to figure out who is (technically) behind an attack – and harder still to figure out who is politically behind it. Do we really know for sure who was behind Stuxnet? There are public speculations, but that’s it.
    • Trends like “Bring your own device” or social networks challenge our approach to security and our approach to defending our networks.


    So, what needs to change? In my opinion, different things:

    • I do quite a few roundtables and sessions with people who do not know technology too well and security not at all. The typical approach (not mine), mainly used by security product vendors, is to use a lot of data to scare people, tell them what is wrong and how bad the world is – just to tell them in the next step that their products address all the issues. To me, it is about education rather than about scaring people. It is about showing people that the world on the Internet is not that different from the real world – criminals mainly use the new technologies to commit “old” crimes, with some exceptions, such as the criminal no longer having to show up at your store. But we as a community need to change the way we talk. We need to simplify the message and help non-security people get a better feeling for the real risks.
    • We need to push back heavily when people use military terminology. I do not want to get into the discussion of the “militarization of cyberspace”, but I want to make it clear that the analogies of the military world do not work. I love analogies, but only if they work – here they fail. It is even worse: they lead to wrong conclusions. I have heard politicians talking about regulating cyber weapons. How do you want to regulate lines of code?

    Therefore, we mainly need to change the way we communicate outside the core set of security people. We need to leave the bubble and make our knowledge accessible to business people in a pragmatic and understandable way…

    Roger

  • Keep all your software updated and current

    I know that I keep going on about this. When I talk to customers, and mainly to critical infrastructure providers, about security, one of the key things to me is to keep the software updated. It is about patching, and it is about staying on the latest version of your software. To me, Windows XP is a huge risk out there today. It was an outstanding operating system when it was launched, but it is definitely outdated if you think about how the threat landscape looked only 5-10 years ago. I am aware of the fact that not all systems can be upgraded because of compatibility issues, or because the vendor might not even exist anymore. Then these systems definitely need to be shielded in other ways, to keep them as far off the network as possible.

    The reason for this post is that I still see a lot of customers who have developed a really good practice for handling Microsoft updates, but not for the rest. I just read these two articles this morning:

    So, make sure you cover all your software, including third-party apps and open source.

    Roger

  • Run your company like a burrito?

    This has nothing to do with security or with technology – but it is worth (in my opinion) 20 minutes of your time!

    Recently a friend of mine told me to read Good to Great: Why Some Companies Make the Leap...And Others Don't by Jim Collins. Well, I said something like “yeah, yeah”, but downloaded it and started to read – and I love it. The reason is that it is one of the few management books which really start with “make sure you have the right people”; the rest then falls into place – it is not that easy (not even in the book), but it starts there.

    Today, I saw a status update on Facebook by one of my former managers (from about 20 years ago) linking to a video from TEDxKoeln by Heiko Fischer called The Future of Work – going in a very similar direction. It takes 17:15 minutes, but in my opinion those 17:15 minutes are well invested. If you cannot watch it embedded, here is the link.

    If you have seen it now, please do not tell me that this is something your management has to change. I am convinced that it always starts with you – just think about it.

    Roger

  • Q1 Software Vulnerabilities

    This was an interesting article on cio.com: Apple, Oracle, Google Lead Major Vendors with Software Vulnerabilities in Q1, Security Report Says – by TrendMicro. Now, these stats are always a bit of a challenge: they make a really good headline, but if the statistics do not include the severity of the vulnerabilities, it is hard to judge what this really means in practical terms.

    Anyway, if you look at the article, it says:

    Apple reported 91 vulnerabilities during the period, making it number one among the top 10 technology vendors in the industry, said the report, "Security in the age of Mobility."
    Trailing Apple were Oracle (78 vulnerabilities), Google (73), Microsoft (43), IBM (42), Cisco (36), Mozilla (30), MySQL (28), Adobe (27) and Apache (24).
    In addition, Trend Micro reported that Apple issued a record number of patches to its Safari browser in March during the period. A year earlier, March was also a mammoth month for patches, with Apple addressing 93 vulnerabilities, a third of them characterized as "critical," in its Leopard and Snow Leopard operating systems.

    If you put this in proportion to the size of the portfolio, it would look even better for us. However, this by no means says that we feel good about 43 vulnerabilities, but it shows that our Security Development Lifecycle pays off.
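    To make the two caveats above concrete (a raw count says nothing about severity, and it ignores how large a portfolio is), here is an added example that is not part of the post or of the Trend Micro report. The vendor names, CVSS scores and portfolio sizes are constructed; it ranks the same set of findings three ways and shows that the headline order changes.

```python
"""Rank vendors by raw vulnerability count, by high-severity count, and per product.

Added example; VendorA/B/C, the scores and the portfolio sizes are constructed
sample data, not figures from the report discussed in the post.
"""
from collections import defaultdict

# Constructed sample: one record per disclosed vulnerability (vendor, CVSS v2 base score).
VULNS = [
    ("VendorA", 9.3), ("VendorA", 4.3), ("VendorA", 2.6), ("VendorA", 5.0), ("VendorA", 4.3),
    ("VendorB", 10.0), ("VendorB", 9.3), ("VendorB", 7.5),
    ("VendorC", 4.3), ("VendorC", 5.0), ("VendorC", 4.3), ("VendorC", 4.3),
]
# Constructed: number of products each vendor ships, used to normalize the counts.
PORTFOLIO = {"VendorA": 50, "VendorB": 10, "VendorC": 40}


def count_all(vulns):
    """Headline metric: number of vulnerabilities per vendor, regardless of severity."""
    counts = defaultdict(int)
    for vendor, _score in vulns:
        counts[vendor] += 1
    return dict(counts)


def count_high(vulns, threshold=7.0):
    """Severity-aware metric: CVSS v2 rates 7.0-10.0 as High."""
    counts = defaultdict(int)
    for vendor, score in vulns:
        if score >= threshold:
            counts[vendor] += 1
    return dict(counts)


def per_product(counts, portfolio):
    """Normalize a count by the vendor's portfolio size (vulnerabilities per product)."""
    return {vendor: counts.get(vendor, 0) / size for vendor, size in portfolio.items()}


def ranking(metric):
    """Vendors ordered from worst to best under the given metric; ties keep input order."""
    return sorted(metric, key=lambda vendor: metric[vendor], reverse=True)


if __name__ == "__main__":
    print("raw count:    ", ranking(count_all(VULNS)))            # VendorA first
    print("high severity:", ranking(count_high(VULNS)))           # VendorB first
    print("per product:  ", ranking(per_product(count_all(VULNS), PORTFOLIO)))
```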

    This is more or less consistent with what we see with customers as well: typically they know today how to roll security updates out to their Microsoft environment, but they are often challenged with the rest of their applications. However, if you look at where the majority of vulnerabilities are, it is typically third-party code (and not “only” from the vendors listed above, but also in custom-written code).

    Therefore, I am still calling on customers to ask their vendors for a secure development lifecycle.

    Roger