Feb-5 2010

Targeted Attacks - the "Real" Problem

When I talk to customers, the different attacks are often something we discuss (obviously). I often mention that Virus and Worm attacks on a broad scale (like Conficker etc.) are a serious problem but at least one we see, one we understand and one we can fight (because we see and understand it).

However, my real concern is targeted attacks on governments and companies as they are incredibly hard to detect. In the last few months, every once in a while we read in the press about an attack on a government and sometimes they went undetected for months until either something happened like a server crashed or law enforcement found out somehow.

This morning I read an article which actually claims that the problem is even bigger than I thought: Report Details Hacks Targeting Google, Others – actually the article just uses the Google attacks to attract the readers as it does not really talk about it but the content is interesting nevertheless.

Roger


Published: Feb-05-10 | 0 Comments | 0 Links to this post
Tagged as: Incidents, Cybercrime

Jan-30 2010

Cloud Security Paper: Looking for Feedback

Like most of you, I was looking for information and opinions on Cloud Security over the last year. I found a lot of papers but when I talk to our customers I realize that they think about the Cloud but Cloud Security is mainly something for the specialists – which it is not for me. Therefore I was looking into preparing something on a management level which is easy to read and understand and finally creates more appetite to look deeper into the subject.

Probably the biggest challenge we had was to make sure that we do not oversimplify. Finally, we did not want to re-invent the wheel. There is very good material out there, e.g. from the Cloud Security Alliance and ENISA, which I would rather reference than do something similar.

At the end we came up with two new papers. One is written by our Trustworthy Computing organization and is a high-level overview of the Cloud and the corresponding security opportunities and challenges. You can find it here: Security in Cloud Computing Overview.

Additionally, Doug Cavit – a Principal Security Strategist at Microsoft – and I were working on core considerations you have to make when you include the Cloud in your IT strategy. The paper is located here: Cloud Computing Security Considerations. This is the paper I would like to get your feedback on. Please keep the target audience in mind. In other words, if you give this paper to your CIO or even your CEO, if you would give it to a government elite in your country or a journalist – what is your view on it? What are you missing? What is good?

To set your expectations: I will answer all mails with constructive feedback but as I am heavily on the road over the next few months, give me a little bit more than 24 hours (which I try to have normally) – but I will come back to you, promised! If you think that a call might be more accurate as you have so much to say, we might be able to do that – depending on the number of requests. What I cannot promise is that we include all the feedback into a next version – if a next version is needed. My experience shows that feedback is sometimes contradicting each other and sometimes I will disagree – and we might have to sort that out.

So, you are definitely free to use the documents and if you would even be willing to take the time to give us feedback, I would highly appreciate it. My mail is roger.halbheer@microsoft.com – looking forward to a lot of mails!

Roger


Published: Jan-30-10 | 2 Comments | 0 Links to this post
Tagged as: Cloud Computing, Security, Microsoft

Jan-29 2010

Data Protection Day: An Interesting Study

As you might know, it was time for the Data Protection Day in Europe again. Unfortunately I did not find the videos from this year’s competition yet but I guess we will find them later on the page and on YouTube.

However, we released a study on Privacy which is pretty interesting. Find the summary here: Microsoft Releases a Study on Data Privacy Day.

And there you can see a video as well which summarizes the results of the study.

Roger


Published: Jan-29-10 | 0 Comments | 0 Links to this post
Tagged as: Privacy, Events/Training

Jan-19 2010

IE Vulnerability: Going Out of Band

Just to make sure you have seen that: We just released a blog post, Security Advisory 979352 – Going out of Band.

Quoting the blog:

Based on our comprehensive monitoring of the threat landscape we continue to see very limited, and in some cases, targeted attacks. To date, the only successful attacks that we are aware of have been against Internet Explorer 6.

[…]

Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment Microsoft will release a security update out-of-band for this vulnerability.

The release-time will be communicated tomorrow.

So, from my point of view, you should do two things now:

  1. Deploy the Security Update as soon as it is out
  2. Upgrade to Internet Explorer 8 if you have not done so yet

Roger