This was the time Windows XP was designed. Windows XP was launched in 2001 and – judging by its success – it was a really great piece of technology. It just runs, rock-solid. Well, it was attacked by a few worms like Blaster, Sasser which led to the development of Service Pack 1, which made us stop development for a few months to look for security vulnerabilities. Over all the years of improvement and learning, this finally led into Windows 7.

If you are still on Windows XP, you probably should re-think your strategy today as the Operating System you are using was not designed to survive in today’s threat landscape. Let me give you 10 reasons why you should definitely move off Windows XP as soon as possible:

1. First and foremost, Windows XP will go out of support April 8^th, 2014. From then onwards, there will be no more security updates for Windows XP. Even though it is still two years down the road, larger organizations typically need some time to migrate and I am convinced that you need to start now!
2. Changes in development processes like the introduction of the Security Development Lifecycle (SDL) over the last 10 years within Microsoft significantly reduced the number of vulnerabilities, the likelihood for getting infected by malware and the attack vectors. This can easily be seen when you look at the data from our Security Intelligence Report:
   
3. Most probably you are still using Internet Explorer 6, when you are running Windows XP. As the browser is your window to the Internet and the most attacked application you run, running a browser which is three versions behind the latest one is definitely not something you should do for different reasons. One is the point I made above. Development processes have come a long way in the industry to incorporate security into the product from a code level and you would want to leverage this. Additionally, there is a lot of technology built into a modern browser to protect you from current attacks like the Smartscreen filter. So, move off IE6 to Internet Explorer 9 (for Windows Vista and later) or at least Internet Explorer 8 if you stay on Windows XP (which you should not J). To show you the impact, here is a graph published by NSSLabs on how far the browser can protect you from socially engineered malware:
   
4. The Security Development Lifecycle is not only about reducing security vulnerabilities at a code level but it is about adding additional protection as well, if there is a vulnerability in the code. It is about Defense in Depth as well – or mainly. As a result we introduced technology like DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) into the platform, which makes it much harder to exploit a vulnerability in the code.
5. Ever tried to run Windows XP without being local Administrator? Yes, you will tell me know that you run it in the enterprise like that. What about changing the time zone when you travel with your notebook? Or adding your home printer? Or, or, or? I have to admit that I tried it more than once and gave up. User Access Control helps greatly. It is a huge improvement and makes the non-admin use of the OS much simpler. Even if you would decide to run as a local admin, you work with the user token until you need admin privileges.
6. On Windows XP you might be using some third-party disk encryption tool, something which comes for free on Windows 7 – even for USB sticks. It is called Bitlocker and Bitlocker To Go.
7. Talking of Bitlocker: One of the points which are often forgotten when talking about the OS is that one of the key attack vectors is during the boot process. We have seen successful attacks on Windows XP during the boot processes with rootkits. If you switch on Bitlocker on Windows 7 (and Vista) you get a fairly sound boot protection. If you use a 64-bit version with kernel protection, the risk of getting infected during the boot process is actually fairly low.
8. Managing Software Restriction Policies in Windows XP was a very hard – close to impossible – task. AppLocker on Windows 7 has improved this greatly.
9. There are quite some changes on the IP layer: We support IPv6 and there are a lot of improvements in the Windows Firewall.
10. The last point: Windows XP is just not cool anymore. Windows 7 is just much nicer, cooler to use and just much, much more fun

Besides all the security improvements, which make most sense if they are used in a combination like Bitlocker on Windows 64-bit and Applocker it has to be said that managing such a Windows 7 environment has proofed to be much, much more efficient than Windows XP.

I guess you did not have time to finish reading the post? Started your migration project immediately? Great, go ahead!

Roger

• Office 365 is compliant with EU Model Clauses, Data Processing Agreements and ISO 27001 among other standards.
• Office 365 is the first and only major cloud productivity service that enables HIPAA compliance.
• The Office 365 Trust Center provides in-depth information about the privacy and security practices for Office 365 and was recently redesigned to be more accessible and easy to understand.  The new site can be accessed at http://trust.office365.com.

If you are interested in the official press statement: http://www.microsoft.com/Presspass/press/2011/dec11/12-14O365CloudPR.mspx

Roger

• The Budapest Convention is probably the best convention out there allowing a wide adoption of a harmonized legislation to fight Cybercrime internationally.
• A lot of countries outside the Council adopted or are in the process adopting the convention
• It balances the fight against criminals with the protection of Privacy and Human Rights.
• The willingness and the activities to collaborate internationally increase
• The idea of the Cybersecurity Agenda as a mechanism to land and integrate Cybercrime and Cyberscurity resonated extremely well

A lot of good signs. There are some caveats however:

• There are countries rejecting adoption mainly because Council of Europe does not have a global mandate or because it is called Budapest Convention. I guess the criminals like this approach
• The economical challenges esp. in Europe decreases the amount of money available for this. The call then was, that the private sector has to do more. We are committed continuing supporting these activities but typically if governments are financially challenged- well they are our customers as well
• Where is the private sector? I just meet a few companies at these events: Some security vendors, some credit cad companies and us. Where are the others? Where is Google? Where is Apple? What about IBM? Amazon? The big Telcos? Why do they not participate in addressing crime and helping governments to get better and carry the burden? Do they not care?

Roger

If you are interested, the agenda can be found here. The presentations should be uploaded as well. Finally there should be a live stream here. I will be an a panel an Tuesday between 9:30-13:00 and again an Wednesday 9:00 -13:00 where we will run a special session on the anniversary

Roger

A friend of mine then sent me an article called Cyber War Will Not Take Place by Thomas Rid, King’s College London, UK, which therefore I needed to read and it is very, very refreshing. In his opening he claims:

Cyber war has never happened in the past. Cyber war does not take place in the present. And it is highly unlikely that cyber war will occur in the future. Instead, all past and present political cyber attacks are merely sophisticated versions of three activities that are as old as warfare itself: subversion, espionage, and sabotage. That is improbable to change in the years ahead.

According to this paper, a conflict has to have three criteria to meet to be classified as a war (and all three need to be there):

1. It has to be violent in its character
2. It has to be instrumental
3. It has to be of political nature

If all three are met, you can call it a war. That’s the first time that I (not being in this business) have seen a definition. If you apply the definition, all conflicts so far are really falling under the umbrella of subversion, espionage and sabotage.

This might make a significant difference as it might calm down the discussion and/or set it at least in the right perspective. It is definitely something which is worth looking at in my opinion

Roger

This discussion is over since a long time and most people probably accepted the fact that the world changed – the cheese moved. BYOD, Consumerization of IT or however you want to call it at the end of the day is a reality. They might have different forms: In our case at Microsoft it might be officially a pre-stage as internally we get the hardware but we can set it up the way we want as long as we are following the policies. But even this is not the complete truth as there are a lot of people buying their own hardware and using it to work. I am currently not only running my notebook with Windows 7, I am using Windows 8 Developer Preview on a slate as well – and as I want to understand how we can make it happen – I did not join it to the domain as I want to run the Consumerization of IT scenario. This immediately raises questions on security.

We most probably need mail (Outlook in my case), Lync and some documents on a slate. So, I need to have Outlook installed and connected to Exchange (including RMS-protected mail), Lync as well as OneNote and some documents I want to have with me while I am travelling. What does this mean for IT? What about me connecting to the corporate network? Let’s look at some of the scenarios and functionalities. I know that there are answers to some of the problems but lets look at the questions first:

• Authentication: As it is not a device IT controls, how is the user authenticated? So we might want to require a PIN or a password to unlock the device. This makes sense anyway but there needs to be more than a “only” a paper policy. For those of you who have seen the build presentations on Windows 8 might have seen a new way to authenticate: A user can have a picture and store three gestures to unlock. A great way to authenticate to a slate but does the policy allow for that? Even if it is not a domain authentication, it is the authentication to the holy grail – the mail.
• Lost devices: Typically these devices are cool – that’s the reason why our users buy them – no? So, the risk of them getting stolen – or lost as they are small – is fairly high. How is the data and how are the credentials on the PC protected? So, we talk of disk encryption first, remote wipe second.
• Disk Encryption: There are devices like Windows Phone 7, which have a very sound security model and a very good device security but unfortunately no encryption, yet. There are others with “encryption” built in, which is broken in minutes as the device can be jail broken easily. What is the policy there? On the slate there will be a need for disk encryption as well. Which user will use something like this without being told? Yes, I know. You will but you are definitely not a representative sample as security people. On Windows we can switch Bitlocker on and will have at least the ability to securely protect the disk.
• Wipe: I would want my device to be wiped after a few unsuccessful authentication attempt or – if I lose it – I want to be able to remote-wipe the business data if I am IT.
• Network Access: Now the device comes on our network. What happens if the devices does not have any anti-malware protection? It might spread all the dirt on your network. Not something we typically enjoy. There are solutions to that – since a long time we talk about Server and Domain Isolation Using IPsec and Group Policy which at least separated the trusted and the untrusted devices. But we basically want the devices on the network and have them accessing the data – if they follow certain policies. Therefore we need a way to do policy enforcement and health checks with the ability to quarantine.
• VPN Access: This might be easier as we can enforce the policies as mentioned above much easier as the machines come through a well-defined channel where we can check them but are we allowed to? Think about privacy implications as well.
• Mail: Finally talking of mail. Access to e-mail is probably one of the crucial areas to enable and manage as a lot of confidential information is buried somewhere in mail. Additionally, to access mail, the keys will be needed if the mail is encrypted. Thus a lot of critical information is on such a device.
• Data: As a user I want my data (or at least key part of my data) synced between my devices. In my case between the business notebook and my slate. This should be done in a secure and safe way. Do we as IT want to allow the use of technologies like Live Mesh, which can either do a peer-to-peer synchronization or a peer-to-peer-to-Skydrive sync. In other words, a copy of the data can be hosted in the public cloud secured with a LiveID password.

So, a lot of different problems/questions. However, they are only partly new as I have seen a lot of people taking data home to their own private PC – the one the kids are gaming on – to do their work. Taking home means USB or even sending the data to the private mail account.

Protecting such an environment can have different approaches and I would be interested in what you think and what you need:

• First and foremost we need policies clarifying what can be done and what not. For severe violations, there needs to be disciplinary action.
• We want to have some policy enforcement. Basically, the key functionality the user is interested in is often e-mail and therefore Exchange might be one of your key management point for this. Exchange is basically able to enforce the following policy options to your device (from Understanding Exchange ActiveSync): Remote Wipe, Device Password Policies (minimum length, characters, alphanumeric, inactivity time, enforce history, enable recovery, wipe device after failed attempts), device encryption. Therefore, it can be expected that the key requirements can be met. But there is a fair chance as well that not all devices fulfill all the requirements. Or even worse: The active sync client could simply lie to the server.
• Would it be an option for an IT organization to require a client installation? Would the policy “if you want to use your own device, you have to let us install a piece of software” something which can be implemented? I am not completely sure are the user will look at the device as his/her own and will refuse interference. On the other hand it is the company’s data. A fairly interesting conflict. If we are allowed to install a client, all of a sudden technologies like Network Access Protection become feasible as we have a trusted piece of software being able to check the health of a computer

But what else is needed? Do you need management? Inventory? What else would you expect in such a scenario from your technology? Let me know – I am interested in this debate.

Roger

Today I heard of TouchMountain – PeakFinder on steroids. These are some screenshots from the marketplace:

You can see the map around you:

But the real cool thing is the real view through the camera:

Including webcams:

And if a peak is missing, there is an interface to add it.

Last but not least: If an app still has five stars in their rating after 10 people submitting, it has to be really, really, really cool

Roger

Probably I should convince my kids, not my wife

Roger