Roger Halbheer on Security » Process

Security of Car Software

Roger Halbheer — Fri, 09 Sep 2011 08:32:55 +0000

We have seen some of the attacks recently, where people started to attack either the locks or the technology/software in the car itself controlling the chassis etc.

On DarkReading I was just reading this article: Car Systems Reminiscent of Early PCs

One of the things I do not get with cars is the way they are engineered, especially when it comes to the technology we, as drivers, use. Why do car manufacturers have to develop their own navigation system if today’s smartphones have one as well, which even has current maps? Why do we not see a better integration of these technologies?

One scenario I painted to a newspaper years ago: My car is standing in the garage and would have access to my wireless. Additionally (due to Bluetooth) it even knows my calendar and thus my first meeting and the location of it. As the car has a navigation system it knows how long I am most likely driving the next morning. I would like to see my car now to reach out to my favorite news provider and this provider shall compile a podcast for me at the length of my trip with my preferences. Would be cool, no? And I would even pay for it.

Now, what about security? If the software doing all this is 10 years old, I do not want it as it is a not calculated risk – and this is what we have in our cars as they do not rely on software which is available on the market and current.

Personally I think that they should change the way they look at it and some manufacturers already do and switch to embedded systems.

Roger

Windows Security Praised

Roger Halbheer — Tue, 16 Aug 2011 19:05:40 +0000

A result of a study by Kasperski lab is fairly promising – even though it shows the problem being raising up the stack:

For the very first time in its history, the top 10 rating of vulnerabilities includes products from just two companies: Adobe and Oracle (Java), with seven of those 10 vulnerabilities being found in Adobe Flash Player alone. Microsoft products have disappeared from this ranking due to improvements in the automatic Windows update mechanism and the growing proportion of users who have Windows 7 installed on their PCs.

The article can be found here.

So, I think all application developers should start to use the Security Development Lifecycle.

Roger

Cloud Security in Office365

Roger Halbheer — Fri, 15 Jul 2011 08:12:29 +0000

You heard about the launch of Office365 recently and I hope you read the blog post on the application of the Cloud Computing Security Considerations to the private. cloud. If not, here it is: Security Considerations in a Private Cloud

To complete the series now, we released an additional paper on how these considerations can be applied to Office 365. It is not about the security features of Office 365. It is about how a the responsibilities between the customer and us can and shall be split. This is a really interesting paper in my opinion: Addressing Cloud Computing Security Considerations with Microsoft Office 365.

Additionally, we took a deeper look at the Cloud Security Alliance’ Cloud Control Matrix (CCM) at provided an answer for each question/control raised in this document: Standard Response to Request for Information – Security and Privacy.

These are all steps to provide you with the necessary transparency to get into the public cloud and on Office 365!

Roger

Security Considerations in a Private Cloud

Roger Halbheer — Fri, 24 Jun 2011 14:31:38 +0000

I am talking a lot about Cloud Security. There are a few observations I made:

Even though a lot of people are talking about the Cloud, there is still not too much knowledge about it. What is a private Cloud versus a public Cloud? What is Infrastructure as a Service, Platform as a Service, Application as a Service? And where are the key differences when it comes to risks?
A lot of businesses look at it as an all or nothing. This is simply a massive mistake. There are workloads (like your identity management) you will wait a really long time until you move it to the Cloud and keep on premise. There are others, you might want to move immediately to the public Cloud and some of it will stay in a private Cloud.
There is a lot of fear out there and not a lot of frameworks, which can help with to bring the whole discussion to rational level. Actually, there is a lot of material out there but not a lot, which is simple to read and consume.

That’s the reason, why Doug Cavit and me wrote the Cloud Computing Security Considerations about an year ago. We came up with 5 points to be considered, when looking at the Cloud from a security perspective:

Compliance and Risk Management: Organisations shifting part of their business to the cloud are still responsible for compliance, risk, and security management.

Identity and Access Management: Identities may come from different providers, and providers must be able to federate from on-premise to the cloud, as well as to enable collaboration across organisation and country borders.

Service Integrity: Cloud-based services should be engineered and operated with security in mind, and the operational processes should be integrated into the organisation’s security management.

Endpoint Integrity: As cloud-based services originate–and are then consumed–on-premise, the security, compliance, and integrity of the endpoint have to be part of any security consideration.

Information Protection: Cloud services require reliable processes for protecting information before, during, and after the transaction.

These five considerations are very well received and seem to work well for the customers to address part of the points above. The number 1 question I got, however, was: How can apply this to the different scenarios?

Therefore I am happy to announce, that we just released a paper to the web called: Addressing Cloud Computing Security Considerations with a Partner Private Cloud.

We show you how to split responsibilities between the partner and the customer and what the considerations mean for both sides – as always, your feedback is more than welcome!

Finally, stay tuned: In a few days, we will do the same with the public Cloud. This time, however focused on Office365. As soon as we go live with Office365, we will publish it.

Roger

Does the business really hate IT?

Roger Halbheer — Thu, 23 Jun 2011 12:55:27 +0000

Back at the times of outsourcing, there was real tension between IT and the business. Internal IT had the “comfortable” position of having a monopoly: The business used the internal IT and basically just had to pay the bill. Then times came, where the business was not satisfied anymore. That basically started with the time of the PC. IT was in kind of a losing position: If the decentralized IT worked, it was just what users expected, if it did not, users complained. Additionally, as IT was treated as an art rather than an engineering discipline (that’s the way it is still run in a lot of occasions), cost just grew, without a real need of rationalizing. IT is critical for all the businesses but the value is hard to measure (until you lose your mail server once for a day).

Then outsourcing came and everything was getting better – not really. A lot of companies outsourced a problem – they used the same people with the same attitude and outsourced everything to the outsourcing provider. But now they had a contract – and so did the outsourcer. There were (and still are) numerous meetings I have been in, where the customer and the outsourcer were fighting, whether applying a patch is part of the contract or not and whether patch management should be done more than every six months. Finally, the customer had to learn to become a customer as well and specify their needs.

Why do I write this? Because I see similar discussions today with the Cloud. Business is not satisfied with how internal IT delivers. They are too slow, too expensive and too unreliable – therefore the business is looking at the promises of the Cloud: Fast, reliable, inexpensive. What does it really mean for the business? For IT?

To me the business has to understand that if they move to the public cloud, there is a good chance that they have to adapt their business processes. Remember the huge ERP projects? It is not that different. This might be good as it forces the organization to clean up – but it shall be a conscious decision. Even for the part you are moving to the cloud, you still have to keep part of your responsibilities: You are still ultimately responsible for your compliance. You should keep your identity management in house and risk management for your business cannot be outsourced. You have to have a data classification, which is applied and lived – this is, how we described it in our Cloud Computing Security Considerations. Last but not least: You are the customer of a standardized service. Make sure you understand this as this will be a long-term partnership you are going for, with very, very limited flexibility of the final solution.
If you move to the private cloud, the situation is slightly different as you might have more influence on how your solution looks like but even the private cloud is not an outsourcing as you knew it – e.g. most probably you will not be able to tell the cloud provider how they will run their datacenters. You will run on your own OS-instances (does not necessarily mean your own hardware as the solution will most probably be virtualized) but even the question of the data location might have to be negotiated. And: It definitely costs more.
If you are an IT organization: Become a Cloud provider. Become the partner for your business in the Cloud. You business will want to have part of it in a private cloud – offer this in a way you can compete with third-parties as you will not be able to compete in the public cloud.

This decision has to be a strategic decision and not a decision taken because business does not like their own IT. For the internal IT it might be a threat (if you decide to sit and wait) or an opportunity if you take the strategic decision and opportunity.

Now, the reason for this post was actually in an article, which was sent to me: Why businesses move to the cloud: They hate IT

Roger

Ten Immutable Laws Of Security (Version 2.0)

Roger Halbheer — Thu, 16 Jun 2011 08:56:14 +0000

You might have known the 10 Immutable Laws Of Security since quite a while. It is kind of the “collected non-technical wisdom” of what we see in security respeonse being it in Microsoft Security Response Center or in our Security Product Support.

There is now a version 2, which is still as important as version 1 was. The 10 Laws are:

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not solely your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.
Law #4: If you allow a bad guy to run active content in your website, it’s not your website any more.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as its decryption key.
Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
Law #9: Absolute anonymity isn’t practically achievable, online or offline.
Law #10: Technology is not a panacea.

Just make sure that you keep them in mind – there is no “patch” for them . The whole set of explanations can be found here: Ten Immutable Laws Of Security (Version 2.0)

Roger

How Microsoft Uses File Classification Infrastructure

Roger Halbheer — Wed, 08 Jun 2011 07:51:01 +0000

Quite a while ago, I blogged about the File Classification Infrastructure in Windows Server 2008 R2:

In my opinion, this is an interesting tool, built in to your server platform.

Now, we just published a paper about how we use this File Classification infrastructure to protect PII. This is an interesting read: Microsoft IT Uses File Classification Infrastructure to Help Secure Personally Identifiable Information

Here is the summary:

In today’s high-tech world, collecting and storing data are business-critical processes that form an integral component of daily operations. However, the ever-increasing dependency on and use of electronic data also make data management more challenging—especially in light of government regulations for the appropriate use and storage of personally identifiable information (PII) and financial information. Improper storage of PII can also be a significant financial concern, as the cost of storage-related security breaches can be hundreds of dollars per record.

Microsoft Information Technology (IT) had been using an internally built solution to help secure personally identifiable information (PII), financial information, and other types of sensitive data by classifying internal file shares and Microsoft® SharePoint® sites. However, this solution was limited to defining information sensitivity at a file-share level. It also required each user to specify the sensitivity level of his or her file shares manually, which frequently led to mislabeled information.

This custom, internally developed solution also had a high total cost of ownership, requiring a significant amount of development and maintenance resources to fix identified issues and keep the system up to date, as each upgrade to the storage operating systems required upgrading the code.

Microsoft IT needed a solution that would bring consistency to the file classification process across all teams, and be able to scan content automatically at the file level for key words, terms, and patterns. It then had to apply the correct rights management protection based upon predefined security policies. Cost of ownership and performance were also important drivers for developing a new solution. Microsoft IT needed a system built from off-the-shelf, standardized Microsoft technology, that could scale across terabytes of data. With such a large amount of information, the solution had to be efficient at scanning files while maintaining a high degree of accuracy when identifying sensitive PII.

Roger

Cloud computing providers: Clueless about security?

Roger Halbheer — Wed, 04 May 2011 17:04:53 +0000

To me, one of the benefits of moving to the Cloud is security – obviously besides availability and costs.

Recent incidents made me doubt:

Amazon not only having significant downtime but in the same time losing customer data.
Sony’s game network being significantly compromised.

This is definitely not to blame them but I was heavily surprised. And then, I found this study by the Ponemon Institute: Cloud computing providers: Clueless about security?

If we look at this, it gives us a really scary picture of the industry – especially if I know how much effort we (and other Cloud provider) out into securing our customer’s data. If you look at the management summary, they say:

The majority of cloud computing providers surveyed do not believe their organization views the security of their cloud services as a competitive advantage. Further, they do not consider cloud computing security as one of their most important responsibilities and do not believe their products or services substantially protect and secure the confidential or sensitive information of their customers.

The majority of cloud providers believe it is their customer’s responsibility to secure the cloud and not their responsibility. They also say their systems and applications are not always evaluated for security threats prior to deployment to customers.

Buyer beware – on average providers of cloud computing technologies allocate10 percent or less of their operational resources to security and most do not have confidence that customers’ security requirements are being met.

Cloud providers in our study say the primary reasons why customers purchase cloud resources are lower cost and faster deployment of applications. In contrast, improved security or compliance with regulations is viewed as an unlikely reason for choosing cloud services.

The majority of cloud providers in our study admit they do not have dedicated security personnel to oversee the security of cloud applications, infrastructure or platforms.

Providers of private cloud resources appear to attach more importance and have a higher level of confidence in their organization’s ability to meet security objectives than providers of public and hybrid cloud solutions.

While security as a “true” service from the cloud is rarely offered to customers today, about one-third of the cloud providers in our study are considering such solutions as a new source of revenue sometime in the next two years.

What we should not think is, that the customer can just throw their data “over the wall” to the Cloud provider and then all the problems are solved. The customer still has obligations and as we state in our Cloud Computing Security Considerations paper:

Compliance and Risk Management: Organizations shifting part of their business to the cloud are still responsible for compliance, risk, and security management.

We are currently working on a series of papers for Private Clouds, Office 365 as well as Azure to show what still is the customer’s responsibility and what can be transferred to the Cloud Provider.

If you consider the points in the study above, it means that you have to do the due diligence and looking into what the provider does to secure your data. Process transparency is key in this respect!

Roger

Mutual Authentication in Real Life–Launching a Nuclear Missile…

Roger Halbheer — Wed, 30 Mar 2011 16:25:33 +0000

A few years ago, I wanted to run an exercise with our incident response team in Switzerland. A customer, the government and me came together to develop the goals and the scenario. One of the key question we tried to answer together with the university, which we wanted to use as observers was, whether we would be able to ramp up the communication channels and keep them up even if bad things happen (like the building has to be evacuated). By ramping up the channels, I was not necessarily interested in the technical side but in the people side. Especially as the key leaders of the incident teams were the ones running the exercise. So, you had the people who knew each other for years sitting there and just listening in.

If you think about it: Even if you know that you are on call for an incident response team, if you get a call from national intelligence telling you that something bad happens, how can you know that they are genuine? Just because they know the incident number? An interesting question we realized that we did not address it if the key people were not present. Now this is for a security-related IT incident.

Reading this article An Unsung Hero of the Nuclear Age scared me as it seems that this problem was not even solved launching nuclear missile. It asks a fundamental question:

How can any missile crewman know that an order to twist his launch key in its slot and send a thermonuclear missile rocketing out of its silo—a nuke capable of killing millions of civilians—is lawful, legitimate, and comes from a sane president?

So, even though the article is fairly long it is worth reading

Roger

Microsoft Security Update Guide, Second Edition

Roger Halbheer — Mon, 28 Mar 2011 15:32:40 +0000

A while ago we released the Microsoft Security Update Guide to explain how we release security updates and how you should/could work with our updates. It encompasses these themes:

Get to know the security update release process
Learn how to evaluate risk
See how to mitigate security risks
Understand how quickly you need to apply updates
Assess your update
Get ongoing security

If you are somehow linked to the security update process in your organization, you should download it and look at it here: Microsoft Security Update Guide, Second Edition

Roger