Roger Halbheer on Security » Microsoft

New EMET Version

Roger Halbheer — Wed, 16 May 2012 08:00:37 +0000

Last October I blogged about EMET–Protection Against Zero-Days – a really great tool to protect your environment.

We just released a new version, which can be downloaded here: Enhanced Mitigation Experience Toolkit v3.0.

Before you test it, make sure you have your Bitlocker recovery key ready (or – before the next reboot, suspend Bitlocker and resume it again)

Roger

What Microsoft can teach Apple about security response

Roger Halbheer — Wed, 09 May 2012 14:01:41 +0000

I guess, I do not have to comment this – right?

What Microsoft can teach Apple about security response

To quote the summary:

Microsoft just released seven security updates to fix 23 vulnerabilities in Windows and other products. In February, Apple released a massive update that covered 51 vulnerabilities and also introduced an embarrassing security flaw. The contrast is striking.

Roger

Windows Defender Offline

Roger Halbheer — Fri, 27 Apr 2012 07:03:30 +0000

A few days ago, Windows Defender Offline was released. This is basically the tool to use, if you are unable to remove malware from a running PC.

To quote the website:

Sometimes, malicious and other potentially unwanted software, including rootkits, try to install themselves on your PC. This can happen when you connect to the Internet or install some programs from a CD, DVD, or other media. Once on your PC, this software might run immediately, or it might run at unexpected times. Windows Defender Offline can help remove such hard to find malicious and potentially unwanted programs using definitions that recognize threats. Definitions are files that provide an encyclopedia of potential software threats. Because new threats appear daily, it’s important to always have the most up-to-date definitions installed in Windows Defender Offline. Armed with definition files, Windows Defender Offline can detect malicious and potentially unwanted software, and then notify you of the risks.

You find it here.

Roger

Consumerization of IT–How to address this

Roger Halbheer — Thu, 26 Apr 2012 17:35:58 +0000

Bring Your Own Device or Consumerization of IT are fairly hot themes in a lot of customer organizations. When I talk to customers, there are typically different reactions, once we bring this up. Some tell us, that it is not part of their strategy; some tell us that they plan to do it but that they have a hard time figuring out, how to secure such an environment; very, very few customers tell us that they have this under control.

What is it all about?

For me, the trend really started to take off with the smartphones. Most companies tried to standardize the models but at the end of the day it was a lost battle for different reasons:

The standardization process was always slower than the development of new devices.
These devices were cool. Therefore the CEO bought a new one in the store around the corner and then came back to IT to enable it to read mails etc. If the CEO wants it, who pushes back?
Different people have different needs. Do they all need the same device?

Based on this, a few companies tried a different approach: They gave selected people money instead of hardware and let them choose themselves. The idea behind it is fairly simple: We typically publish a “one-size-fits-all” image and do not take into consideration that IT-literate people might be more productive if they are able to customize their environment the way they want – as long as they follow certain policies.

Over the course of the last few years, the problem became much bigger as a lot of different form factors hit the streets: from iPhone to iPads, from netbooks to developer notebooks to slates etc.

The challenge

Once we accept that there are different needs and that this might (or better: will) help some users to be more productive, the next question then is: How do we enable access to our company data without compromising security, privacy and compliance? And what do we do if somebody leaves the company? How can we delete our company data/contacts/mails and keep the user’s private environment in place? … and a lot more.

And, by the way, the user wants access anytime and anywhere.

Unfortunately there are no silver bullets but some ideas and approaches. We just published the Consumerization of IT Test Lab Guides, which can help do address some of your challenges or at least give you some food for thought. Here is the description of the papers:

While Consumerization of IT (CoIT) has remarkable potential for improving collaboration and productivity, many companies are grappling with the potentially enormous security risks of introducing consumer technologies in their IT environment. Therefore, IT needs to strike a balance between user expectations and enterprise requirements for security, privacy, control, and compliance.

The Consumerization of IT (CoIT) series of documents comprises the following documents :

A white paper entitled Consumerization of IT (CoIT), A Trend To Be Considered that introduces as its name indicates the topic;

Test Lab Guides (TLGs) that allow you to get hands-on experience using a pre-defined and tested methodology that results in a working configuration for the most frequent and relevant CoIT scenarios. Each of these guides also covers how to test and demo each capability.

Different scenarios are covered:

Base Configuration – Provide secure corporate network access

Internet Proxy – Provide Internet access

Exchange Messaging – Provide email access and manage non-corporate devices security policies

Data Protection – Manage email security

Data Classification and Server Isolation – Manage sensitive server and application security

Remote Desktop Services Desktop Virtualization – Deliver applications to any devices

Remote Access Gateway – Secure remote access

I think that this is something you definitely should look into as it gives you approaches and guidance, how to align your architecture.

However, to start with: Know your data and know your data classification. There is a good chance that there are data sets, you want to give access only to users on machines you manage

Roger

Q1 Software Vulnerabilities

Roger Halbheer — Fri, 20 Apr 2012 08:42:46 +0000

This was an interesting article on cio.com: Apple, Oracle, Google Lead Major Vendors with Software Vulnerabilities in Q1, Security Report Says – by TrendMicro. Now, these stats are always a bit a challenge: They make a really good headline but if the statistics does not include the severity of the vulnerabilities, it is hard to judge, what this really means in practical terms.

Anyway, if you look at the article, it says:

Apple reported 91 vulnerabilities during the period, making it number one among the top 10 technology vendors in the industry, said the report, "Security in the age of Mobility."
Trailing Apple were Oracle (78 vulnerabilities), Google (73), Microsoft (43), IBM (42), Cisco (36), Mozilla (30), MySQL (28), Adobe (27) and Apache (24).
In addition, Trend Micro reported that Apple issued a record number of patches to its Safari browser in March during the period. A year earlier, March was also a mammoth month for patches, with Apple addressing 93 vulnerabilities, a third of them characterized as "critical," in its Leopard and Snow Leopard operating system.

If you set this into proportion to the size of the portfolio, it would look even better for us. However, this does by no means say that we feel good about 43 vulnerabilities but it shows that our Security Development Lifecycle pays off.

This is more or less consistent as well with what we see with customers: Typically they know today how to roll security updates out to their Microsoft environment but they are often challenged with the rest of their applications. However, if you look where the majority of vulnerabilities are, it is typically third-party code (and not “only” from the vendors stated above but in custom-written code).

Therefore I am still calling for customers to ask for a secure development lifecycle from their vendors

Roger

Keep all your software updated and current

Roger Halbheer — Fri, 13 Apr 2012 06:48:45 +0000

I know that I keep going and going on that. When I talk to customers and mainly to providers of the critical infrastructure about security, one of the key things to me is to keep the software updated. It is about patching and it is about staying on the latest version of your software. To me, today Windows XP is a huge risk out there. It was an outstanding operating system when it was launched but it is definitely outdated if you think about how the threat landscape looked like only 5-10 years ago. I am aware of the fact that not all systems can be upgraded because of compatibility issues, a vendor might not even exist anymore. Then these systems need definitely be shielded in different ways to keep them as far off the network as possible.

The reason for this post is, that I still see a lot of customers who developed a really good practice for handling Microsoft updates but not for the rest. I just read these two articles this morning:

So, make sure you cover all your software including third-party apps and open source.

Roger

Selecting the right Cloud partner

Roger Halbheer — Tue, 10 Apr 2012 06:13:02 +0000

One of the challenges customers always have is, how to select the right cloud partner and fairly often security drives this selection. The Cloud Security Alliance published the Cloud Controls Matrix quite a while ago and in addition a Consensus Assessments Initiative Questionnaire and a lot of request for information/proposal are based on this material.

Therefore we made our answers to these questions publically available: Cloud Security in Office365. In the meantime the Cloud Security Alliance worked on a Security, Trust and Assurance Registry (called STAR) with the goal to have all these answers in one place. Kellie Ann Chainier (she works at Microsoft on a lot of these challenges) just published a corresponding blog post: Cloud Security Alliance makes cloud security more transparent with new STAR Registry – short and worth reading

Roger

Security Updates and Exploit Code

Roger Halbheer — Mon, 19 Mar 2012 19:18:01 +0000

CORRECTION:So far there is “only” Proof of Concept code in the wild, no real exploit.

In our last update cycle we published the security bulletin MS12-020 Vulnerabilities in Remote Desktop Could Allow Remote Code Execution. Relatively soon after the release, there was a public exploit code available – we informed here: Proof-of-Concept Code available for MS12-020.

This would not necessarily make me blog as it is a fairly common scenario – unfortunately. In all the different discussion lists internally, I realized that a there was a lot of confusion and nervousness internally and with our customers, which I definitely can understand.

I just wanted to make sure, that you understand and see all the resources you have available to take an informed decision. We basically give you two assessments: A Severity Rating and Vulnerability Impact and an Exploitability Index:

The Security Rating and Vulnerability Impact describes how severe the vulnerability is and is described here in detail. If there are default mitigations in place, there is a chance that a vulnerability rating is lower. What is important is, that our assessment is always based on a default, out-of-the-box installation. If you decide to switch off the firewall, obviously there is a good chance that your risk is higher than flagged in our assessment.
The Exploitability Index shows how likely we think an exploit is. We provide this information since late 2008 but it seems still not too well known – it is described here. You always find it in the bulletin summary per month.

Let’s apply this now to MS12-020 described above: The security rating is “critical”, which is the highest possible rating we have and the exploitability index is on “1 – Exploit code likely”. So, in this case we have a critical vulnerability and we expected a working exploit code to hit the net – unfortunately we have proven to be right.

This is in no means to criticize anybody, it is more to give you all the information to take the right decisions upfront. This update was definitely one you want to set extremely high on your priority list…

Roger

Office 365 Single Sign-On with AD FS 2.0 whitepaper

Roger Halbheer — Mon, 05 Mar 2012 10:39:28 +0000

Sorry, I did not blog for quite a while.

When looking at the Cloud, one of the key challenges to address – in my opinion – is how to manage the identity of the different users. If you have to add an additional identity to all the logons you already have, the Cloud will just add to the burden. Therefore, I am a firm believer that you need to have federation between your on-premise identity and your cloud identities.

We just released a paper Office 365 Single Sign-On with AD FS 2.0 whitepaper on how to address this with Office 365 and ADFS 2.0:

Through its support for the WS-Federation (WS-Fed) and WS-Trust protocols, Microsoft Active Directory Federation Services (AD FS) 2.0 provides claims-based (Web) single sign-on (also known as identity federation) with the Microsoft Office 365 offering and its Web application and rich client applications.

Building on existing documentation, this document is intended to provide a better understanding of the different single sign-on deployment options for the services in services in Office 365, how to enable single sign-on using corporate Active Directory credentials and AD FS 2.0 to the service in Office, and the different configuration elements to be aware of for such deployment.

This document is intended for system architects and IT professionals who are interested in understanding the basics of the single sign-on feature of Office 365 with AD FS 2.0 along with planning and deploying such a deployment in their environment.

You should have an in-depth look at this

Roger

Internet Explorer aces security test as Google faces accusations

Roger Halbheer — Fri, 10 Feb 2012 10:06:56 +0000

I mean, I obviously like this article: Internet Explorer aces security test as Google faces accusations as it has a nice quote to start with:

Internet Explorer 9 should be the go-to browser for organizations concerned about protecting machines from malicious downloads, according to a new study from NSS Labs: Microsoft’s browser trounced rivals Chrome, Firefox, and Safari in the security company’s more recent malware-blocking tests, a significant win considering that traditional malware remains among the most prevalent threats to users

However, I am realistic: I currently feel like it depends on the moon and the stars (and to be fair: the test methodology), which browser is declared the “most secure”. Last week there were reports in the press that Chrome is the best, now it is Internet Explorer. I remember a case about an year ago, where a government agency (because of a vulnerability in IE) recommended to move off IE immediately. Literally a week later, the same government agency (because of a vulnerability in Firefox) recommended to move off Firefox and about two weeks later the same agency (because of vulnerability in Chrome) told the world not to use Chrome anymore – in other words: Stop using the Internet .

Seriously, I know that we invest a lot of work not only on the product itself to reduce the vulnerabilities in our software and make sure – if there is one – vulnerabilities have as little impact as possible. I think we came a long way and our code is much, much better than it was – and to me is better than most (all?) of our competitors. Additionally we know that the Internet Explorer is probably the most attacked piece of software we have as it is the window to the Internet. Therefore it needs additional focus and scrutiny and additional technology like the Smart Screen filter to filter malicious websites. Therefore I am convinced that it is the most secure browser out there but this is a risk management decision everybody has to make on their own.

The only thing I know for sure and which is not negotiable for me is:

Older versions of the browser have to disappear. If you are still Internet Explorer 6, get rid of it. If you are on older versions of Firefox, Chrome, etc. get rid of it. In this context, make sure that you are using a browser, which at least helps you to make this happen. I was recently starting my Firefox again (yes, I look at competitive products as well) and realized that I had to go to Help – About Firefox to find out that there are updates available. From a risk perspective this is not acceptable to me. Maybe I could change some options somewhere but this is just a standard installation… Again, a risk management decision.

Happy browsing

Roger