Roger's Security Blog

I am Microsoft's Chief Security Advisor for Europe, Middle East and Africa and this blog is mainly about information security.

Articles

The Debate on Security Metrics
2008-05-09 09:58:00
Recently I was sitting on a panel which was pretty heterogeneous: There was a representative from IBM (actually from former ISS), customers, a representative from the Open Source community (who actually, during his presentation always said how bad our security is) - well, and me. In order to have some fun, the moderator wanted to bring some fire in the discussion and said: We often hear people saying that Open Source is more secure than your software model, what do you have to say on this? Well, there were so many different themes on the table which were - in my opinion - more interesting to discuss than a debate on Open Source vs. Microsoft, I actually did not want to go down that road. So, I asked the moderator back: Could you please elaborate a little bit what you mean by "more secure". To cut this story short, we actually had a very good discussion on how security can be achieved, what is necessary and a little bit on metrics. Why am I raising this? Well I read a blog post this ...
More About: Security , Debate , Metrics , Processes
Microsoft is winning the NAC war
2008-05-08 11:48:00
I just read an interesting chat with Joel Snyder from Opus One who did Interop testing on the different NAC solutions. I think he makes some statements which are worth reading (from my perspective anyway :-)): He also says that those who are anti-NAC simply don't understand the technology. What we ended up with was about a dozen demonstrations, all showing what you need for a complete NAC solution. And it really focused on "let's start with Microsoft and work out from there." Much more satisfying than trying to have three silos like we've done in the past that don't work together. We have seen some consolidation in the NAC space. Can you provide an update on the NAC market and where it's heading? Towards Microsoft, for sure. The key is that the desktop is EVERYTHING and Microsoft is making the right noises about standards and openness and making things work in the big picture. So we have already seen Microsoft and the Trusted Computing Group (TCG) get together, and I think it's ...
More About: Trends , Winning
Testing our Security Technology
2008-05-05 18:05:00
Quite a while ago, I blogged on Virtual Labs, an offering we are making to you to get your hands dirty with our products and give you the opportunity to work with different hands-on labs. There is the VirtualLabs offering, containing MSDN and TechNet labs. The idea behind them is: It's simple: no complex setup or installation is required to try out Forefront Security running in the full-featured TechNet Virtual Lab. You get a downloadable manual and a 90-minute block of time for each module. You can sign up for additional 90-minute blocks any time. So, we give you a manual and access to VMs via Terminal Server and you can use them for 90 minutes - cool isn't it? Just as an example, these are the Forefront Labs: Forefront Client Security TechNet Virtual Lab: A Technical Overview of Microsoft Forefront Client Security; TechNet Virtual Lab: Deploying Forefront Client Security Part 1; TechNet Virtual Lab: Deploying Forefront Client Security Part 2; TechNet Virtual Lab: Forefront Client Sec...
More About: Technology , Events , Training , Testing
How Microsoft IT does Threat Analysis
2008-05-05 17:49:00
I wrote on that already earlier. We make processes and tools available how we internally do Threat Modeling. To make it clear: this has nothing to do with the Security Development Lifecycle but much more with Microsoft's own IT department. The reason for this post is that we just released version 2.1 of the Threat Modeling Tool, which is downloadable for free. You find it on the Application Threat Modeling website Roger
More About: Events , Analysis , Training
8 Dirty Secrets Of The Security Industry
2008-05-03 22:17:00
I just read this article called 8 Dirty Secrets Of The Security Industry, which seems pretty nasty. Let's briefly have a look at them: Vendors do not need to be ahead of the hackers; they only need to be ahead of the buyer: Wow, this is a bad statement - but how true is it? It might be true. Something I see from time to time: Companies that are making money with the bad things happening tend to reveal the threats and offer immediately the vaccination. So, how true is this statement? Antivirus certifications do not require or test for Trojans: I am not an AV specialist but to me these certifications are similar to the crash tests with cars: The vendors exactly know how the crash test is done, therefore the car can be prepared accordingly. Unfortunately the real accident does not follow the rules of the crash test... Does this mean they are useless? No, I think there is a certain value in these tests but it shall be looked at with care. There is no perimeter: Wow, what news :-) - if y...
More About: Technology , Trends
The Dumbest Thief of the Month
2008-05-03 21:48:00
If there would be a prize for the "Dumbest Thief of the Month", this guy deserves #1: Texan tries to cash $360bn cheque Roger
More About: Fun , Cybercrime
Public Testing for Office
2008-04-30 21:09:00
Are you working on Office System 2007? Ever looked for a command, you knew in 2003 exactly where it is but you were unable to locate it? Well, do not get me wrong: Since I am used to the Ribbon, I love it - really. And my wife is all of a sudden able to work with Excel as she seems to find stuff... Nevertheless, there is a new add-on to test called Search Commands. Search Commands adds a tab to your ribbon and gives you the option to look for a command in Office 2007 - it immediately gives you all the commands that relate to your search - really cool. How did I find it? We have a site called Office Labs with this kind of trials on. Give it a try Roger
More About: Public , Testing
The recent IIS Attacks
2008-04-29 22:04:00
There have been a lot of discussions in different blogs on the attacks on IIS servers. Microsoft Security Response Center has published a post on it: Questions about Web Server Attacks Roger
More About: Recent
Securing your Web Browser
2008-04-29 21:56:00
Cert.org published guidance on how to secure your browser. Here you would find them if you are interested: Securing Your Web Browser I am just not clear, how the browsing experience for my mom and dad would be? Roger
More About: Security , Web Browser
Best Practices for Microsoft PKI & Certificate Management
2008-04-29 21:19:00
You might know Brian Komar. He wrote numerous books on PKI and Certificate Management and he is a well-known speaker at quite some events like TechEd and IT Forum. Now, nCipher organized a Webinar on Best Practices for Microsoft PKI & Certificate Management. If you are interested, you might register at the link above. Roger
More About: Security , Technology , Processes
Blogging on MOSS 2007 (SharePoint)
2008-04-29 14:17:00
As you probably realized, I stopped the series "How I secure my Infrastructure" as the hit rate on the corresponding posts has been pretty low. However, if I have something which I think is interesting and/or cool, I will still add a post. This one has close to nothing to do with security but much more with blogging - I simply would put it in the "cool" baskets. Actually I was talking to somebody recently about my blog and that I see the highest hit rates whenever I blog on real technical stuff. As soon as I raise questions on policies/organizations, the hit rate drops significantly. During this discussion I realized that the problem might well be that the blog is on TechNet - and there you expect mainly technical stuff. Therefore I went out and started to think about running a second blog on a different URL. Finally I ended up using my SharePoint at home. So, what is cool on that - so far nothing. I started to play a little bit with a blog site on SharePoint but, well, it looked ...
More About: Blogging , Moss , Sharepoint
How to use a Cellphone
2008-04-28 21:24:00
:-) Roger
More About: Fun , Cellphone
Security Updates and Exploits
2008-04-25 12:01:00
As you may know, we announced version four of the Microsoft Security Intelligence Report earlier this week. Amongst the many interesting findings is data which relates to software vulnerability exploits. I wanted to highlight these as Shoaib, one of my blog readers, contacted me recently to get my views on a post he wrote. Here are the key findings: During 2007, 32.2 percent of known security vulnerabilities (CVE IDs) in the Microsoft products analyzed for this report had publicly available exploit code. This is nearly identical to the totals from 2006 when 32.7 percent of known security vulnerabilities for the same products had publicly available exploit code. Microsoft matched each public exploit with its corresponding vulnerability using CVE identifiers and Microsoft security bulletins. The number of Microsoft security bulletins released in 2007 was 11.5 percent lower than in 2006, and the number of vulnerabilities covered by those bulletins was 29.6 percent lower than the nu...
More About: Trends , Updates , Policy
Security Pros ignoring their own message
2008-04-25 09:17:00
As you probably know: I am Swiss. We have a saying in Switzerland (I do not know whether something like this exists in English as well) that the kids of the shoemaker always have the worst shoes... So, what about the security professionals? No, I am not talking about their shoes but what about the way they handle security? It seems that during Infosec (the information security exhibition in London) there were quite some notebooks just lying around and - even worse - unlocked. Now, we ask the users to take care but we do not even do the basics right? I once said a few years ago that whenever I find an unlocked notebook in the office, I would add myself as a local admin (as most of us are admin on the box, this is a fairly easy task if the machine is not locked). Now, after doing that I waited for the next time we had a meeting together. It is Microsoft attitude that you take your notebook to the meetings (and some do e-mails during the meetings :-(). I then remotely rebooted their noteboo...
More About: Security , Policy , Behaviour , Message , Processes
Our Malicious Software Removal Tool and Storm
2008-04-24 14:28:00
There is an interesting article on the value of the Malicious Software Removal Tool (MSRT - the tool we release monthly to clean PCs) and the fight against storm. It gives you some insight how our Malware Protection Center works and what they did against storm. A pretty interesting reading (even though I do not like the title): Microsoft: We took out Storm botnet Roger
More About: Cybercrime
Infosec: Security community must work together
2008-04-24 14:22:00
Ed Gibson, our CSA in the UK had an interview during Infosec with VNunet. He made some interesting statements: "We have a good set of laws in place and they have teeth. But the police have priorities and budgets set by the Home Office" and "Any one of you here would volunteer for neighborhood watch if you thought it would improve your community. So why not online?" Read and listen to the whole interview Roger
More About: Security , Events , Community , Trends , Training
Technology to Circumvent Censorship (Part 2)
2008-04-24 13:56:00
Back in March I blogged on a Technology to Circumvent Censorship. I actually expected some dialogue on this but today somebody posted an interesting comment, I think is worth reading. Just click the link above and look at the second comment Roger
More About: Security , Policy , Part
Security Intelligence Report v4 - Live and Ready to be Read
2008-04-22 12:13:00
As you (hopefully) know, we publish a Security Intelligence Report every 6 months and today we just released version 4. Let me give you some key findings before you go and read it :-) Basically the intent of the report is, to provide a comprehensive overview of the threat landscape we are seeing in the Windows ecosystem. This should help you to understand the current threats (or even better, to give you data to prove what you already knew) and to help us to protect our customers better. Where does the data come from? We collect data mainly from the Malicious Software Removal Tool (MSRT) and Windows Defender. It is completely clear that this data does not allow us to draw any conclusion with regards to a single user - we are not even interested in that. We sometimes - to complete our analysis - add public sources as well. This gives us the broadest set of data in the industry. So, what are the key findings? The amount of malware we removed with the Malicious Software Removal Tool ...
More About: Microsoft , Trends
0-Day-Patch - A new Metric for Security?
2008-04-18 21:51:00
The Federal Institute of Technology in Zurich released a study at Blackhat, which is definitely worth looking into. Now, let's be serious: They looked at a metric they call 0-Day-Patch being the number of patches a vendor is able to release at the day of the public disclosure of a new vulnerability. We could discuss again the value of this metric but it definitely shows how well responsible disclosure works for a vendor. They then took Apple and Microsoft to be compared over 6 years and "We find global and vendor specific trends and measure the effectiveness of the patch development process of two major software vendors." So, I just want to take the pictures. The following picture shows the percentage of vulnerabilities that are open for longer than a given period: The second graph is the same for Apple: The next (and last graph) is the number of unpatched vulnerabilities at any given time: What I like here is, that it seems that we are able to keep the number consisten...
More About: Security , Trends , Metric
The ideal profile of a CSO
2008-04-18 07:00:00
I was in Bratislava this week for an IDC Conference. During these kinds of events I often talk to the press as well. Additionally I had this time the opportunity to talk to a pretty well-known blogger in Slovakia called Jozef Vyskoč. You may have a look at his blog (provided your Slovakian is better than mine :-)). However, this was a very interesting experience to me as it was more a peer discussion than a real interview as Jozef knows a lot about security. During the discussion he was asking an interesting question: What is, in my opinion, the ideal profile of a Chief Security Officer? Is it more a technology profile, a business profile, a communication profile, ...? This was a question which made me think and I would like to get your view on this as well but let me start: From my point of view a CSO needs a broad architectural view on IT. He/she has to understand the implications of a decision at a broad scale and has to be able to judge the corresponding changes in the risk model. ...
More About: Profile , Ideal , Processes
SDL and End to End Trust
2008-04-17 14:48:00
Last week we published - as you hopefully know - our "End to End Trust" whitepaper. If not, please read my blog post on it :-) Now, Eric Bidstrup just commented on End to End Trust in the light of the Security Development Lifecycle (or better: the other way around). It might be interesting for you to have a look at this as well. SDL and "End to End Trust" Roger
More About: Microsoft , Processes
Hacking Back?
2008-04-16 21:50:00
Pretty often there is a discussion how far it is allowed to hack back. I was just reading an interesting post called Hackers Could Become The Hacked? which I wanted to share with you Roger
More About: Security , Back , Cybercrime
Office Binary Formats on the Web
2008-04-15 07:32:00
I just wanted to make you aware that we put the Office Binary Formats on the web. We did this for interoperability reasons but often this can be very useful for forensics as well: Microsoft Office Binary (doc, xls, ppt) File Formats Roger
More About: Interoperability
How long does it take to hack a Power Plant?
2008-04-14 21:19:00
I start to get scared - more and more. Back in September I blogged on Critical Infrastructure Protection - Live which shows what would happen if somebody would be able to tamper with power generators. Now, during RSA there was a guy called Ira Winkler telling the audience that they had the job to do a penetration test on a power company network and that they got in in a day. I do not think that this is surprising especially as part of their successful attack was using social engineering techniques (which the attackers usually do heavily) but it is still very, very scary! It is said that they gained access to the grid. The question is - how far. Read it yourself. Roger
More About: Terrorism , Power , Hack , Long , Plant
"The Security Business has no Future" (Quote by IBM)
2008-04-14 08:52:00
This is actually an interesting statement. If you had ever to deal with the press you know how these headlines are composed. It might be that the person actually made the sentence in this way - the question is whether he meant it so absolute. Nevertheless, if you read the corresponding article on darkReading, I am impressed how closely we and IBM agree: "The security industry is flying by the seat of its pants," Rahamani said. "Security infrastructure has been dictated by the bad guys... as new threats arise, we put new products in place. This is an arms race we cannot win." And "If we really want to get ahead of the threat, we need to start thinking about re-engineering our businesses and processes. We need to make them more secure and compliant by design, and we need to move more security and compliance technologies into the fabric of our standard infrastructure and application environments." Think about that for a moment. Does this mean that we should get rid of today's solution...
More About: Business , Trends , Future , Quote
Forefront Codename "Stirling" Beta ready for Download
2008-04-09 16:08:00
I had the opportunity to see the Beta of our next generation of Forefront environment the first time last week and I think that it rocks. Have a look yourself and/or download the beta: http://www.microsoft.com/forefront/stirling/en/us/default.aspx Roger
More About: Download , Ready , Stirling
End-To-End Trust: We want your Feedback
2008-04-08 19:10:00
You probably saw my blog post on End-To-End Trust last week. This week at RSA Craig Mundie, Microsoft's Chief Research and Strategy Officer, talked about our ideas and views on this topic. In parallel, we announced the availability of a Whitepaper on End-To-End Trust by Scott Charney, our Vice President Trustworthy Computing. This whitepaper sets out a framework for industry discussion. Why is trust on the Internet a challenge? Well, the Internet has certain attributes criminals love: It is global. It is more or less anonymous. It is extremely hard to trace somebody back to the individual. There are valuable targets. So, it is clear that crime will stay in this extremely valuable environment. What is the new challenge? When we started Trustworthy Computing, the attacks were on the lower layers of the stack. They were against the Operating System. Fixing the problems in the different Operating Systems requires working with a few selected vendors as there are not too many in th...
More About: Feedback
Building a faster Internet
2008-04-05 10:14:00
Does not solve any of the security problems (challenges?) but it sounds promising anyway Building A Faster Internet Roger
More About: Technology
Security Compliance Management - Beta Available
2008-04-04 08:36:00
Compliance is the theme of the day at the moment. We often even see the Security Officers starting to report to the head of compliance. So, if you are interested in this, we just launched the Security Compliance Management Beta for you to download. I quote from the website: The Security Compliance Management toolkit consists of 12 desired configuration management (DCM) Configuration Packs that you can use with Microsoft System Center Configuration Manager 2007. You can use the Configuration Packs to scan the computers in your environment to determine their level of compliance with baselines prescribed in security guides from Microsoft for Windows® XP SP2, Windows Vista®, and Windows Server® 2003 SP2. Customers can then use the DCM feature in Configuration Manager 2007 to produce reports that IT professionals can use to remediate security baseline settings and provide proof of compliance to a known baseline. Customers also can customize all of the prescribed security baselines and Con...
More About: Compliance , Processes
Where next? - Watch out for RSA
2008-04-03 17:13:00
We are six years into Trustworthy Computing (TwC). When we launched it, we said a number of things: "It is a 10-year vision". Well, that's something we have had to update. As long as there are criminals out there using the Internet to steal, Trustworthy Computing will be around. "It is an industry initiative" - well, when I did my first keynote on TwC in 2002 (I am getting old :-)) and I said this (just after Nimda, Code Red and Slammer) people laughed at me and said that we better fix the problem within Microsoft. To an extent they had a point, and we've come a long way since then though we know there is still much to do. But today few would disagree that security and cybercrime is anything less than an industry challenge that we all have a responsibility to address. The nature of the security threat has evolved, as has the industry's and our own approach. Notoriety used to be the name of the game, now it's often nothing more than a base desire to steal. Threats have become ...
More About: Watch , Trends
© Blog Toplist 2008 - Supported by Web Catalog - SEO by FeWorks