Roger Halbheer on Security

New EMET Version

Roger Halbheer — Wed, 16 May 2012 08:00:37 +0000

Last October I blogged about EMET–Protection Against Zero-Days – a really great tool to protect your environment.

We just released a new version, which can be downloaded here: Enhanced Mitigation Experience Toolkit v3.0.

Before you test it, make sure you have your Bitlocker recovery key ready (or – before the next reboot, suspend Bitlocker and resume it again)

Roger

What Microsoft can teach Apple about security response

Roger Halbheer — Wed, 09 May 2012 14:01:41 +0000

I guess, I do not have to comment this – right?

What Microsoft can teach Apple about security response

To quote the summary:

Microsoft just released seven security updates to fix 23 vulnerabilities in Windows and other products. In February, Apple released a massive update that covered 51 vulnerabilities and also introduced an embarrassing security flaw. The contrast is striking.

Roger

Windows Defender Offline

Roger Halbheer — Fri, 27 Apr 2012 07:03:30 +0000

A few days ago, Windows Defender Offline was released. This is basically the tool to use, if you are unable to remove malware from a running PC.

To quote the website:

Sometimes, malicious and other potentially unwanted software, including rootkits, try to install themselves on your PC. This can happen when you connect to the Internet or install some programs from a CD, DVD, or other media. Once on your PC, this software might run immediately, or it might run at unexpected times. Windows Defender Offline can help remove such hard to find malicious and potentially unwanted programs using definitions that recognize threats. Definitions are files that provide an encyclopedia of potential software threats. Because new threats appear daily, it’s important to always have the most up-to-date definitions installed in Windows Defender Offline. Armed with definition files, Windows Defender Offline can detect malicious and potentially unwanted software, and then notify you of the risks.

You find it here.

Roger

Consumerization of IT–How to address this

Roger Halbheer — Thu, 26 Apr 2012 17:35:58 +0000

Bring Your Own Device or Consumerization of IT are fairly hot themes in a lot of customer organizations. When I talk to customers, there are typically different reactions, once we bring this up. Some tell us, that it is not part of their strategy; some tell us that they plan to do it but that they have a hard time figuring out, how to secure such an environment; very, very few customers tell us that they have this under control.

What is it all about?

For me, the trend really started to take off with the smartphones. Most companies tried to standardize the models but at the end of the day it was a lost battle for different reasons:

The standardization process was always slower than the development of new devices.
These devices were cool. Therefore the CEO bought a new one in the store around the corner and then came back to IT to enable it to read mails etc. If the CEO wants it, who pushes back?
Different people have different needs. Do they all need the same device?

Based on this, a few companies tried a different approach: They gave selected people money instead of hardware and let them choose themselves. The idea behind it is fairly simple: We typically publish a “one-size-fits-all” image and do not take into consideration that IT-literate people might be more productive if they are able to customize their environment the way they want – as long as they follow certain policies.

Over the course of the last few years, the problem became much bigger as a lot of different form factors hit the streets: from iPhone to iPads, from netbooks to developer notebooks to slates etc.

The challenge

Once we accept that there are different needs and that this might (or better: will) help some users to be more productive, the next question then is: How do we enable access to our company data without compromising security, privacy and compliance? And what do we do if somebody leaves the company? How can we delete our company data/contacts/mails and keep the user’s private environment in place? … and a lot more.

And, by the way, the user wants access anytime and anywhere.

Unfortunately there are no silver bullets but some ideas and approaches. We just published the Consumerization of IT Test Lab Guides, which can help do address some of your challenges or at least give you some food for thought. Here is the description of the papers:

While Consumerization of IT (CoIT) has remarkable potential for improving collaboration and productivity, many companies are grappling with the potentially enormous security risks of introducing consumer technologies in their IT environment. Therefore, IT needs to strike a balance between user expectations and enterprise requirements for security, privacy, control, and compliance.

The Consumerization of IT (CoIT) series of documents comprises the following documents :

A white paper entitled Consumerization of IT (CoIT), A Trend To Be Considered that introduces as its name indicates the topic;

Test Lab Guides (TLGs) that allow you to get hands-on experience using a pre-defined and tested methodology that results in a working configuration for the most frequent and relevant CoIT scenarios. Each of these guides also covers how to test and demo each capability.

Different scenarios are covered:

Base Configuration – Provide secure corporate network access

Internet Proxy – Provide Internet access

Exchange Messaging – Provide email access and manage non-corporate devices security policies

Data Protection – Manage email security

Data Classification and Server Isolation – Manage sensitive server and application security

Remote Desktop Services Desktop Virtualization – Deliver applications to any devices

Remote Access Gateway – Secure remote access

I think that this is something you definitely should look into as it gives you approaches and guidance, how to align your architecture.

However, to start with: Know your data and know your data classification. There is a good chance that there are data sets, you want to give access only to users on machines you manage

Roger

Build your own sniffing kit

Roger Halbheer — Tue, 24 Apr 2012 09:06:03 +0000

When people look at attackers, they always think that they are extremely smart people. There are really smart people building the kits but the ones applying it? Well, you just need the right guidance:

Hacker’s Tiny Spy Computer Cracks Corporate Networks, Fits In An Altoid Tin

Fairly easy, isn’t it?

Roger

5 Common Types of Security Professionals

Roger Halbheer — Mon, 23 Apr 2012 15:01:53 +0000

I am following Shoaib’s blog since quite a while – actually due to the beauty of the Internet, we only met virtually so far .

He just posted on his blog: 5 Common Types of Security Professionals

I really like this post. The way he categorizes them is:

The NO-MASTER
The By-The-Book Preacher
The Dinosaur
The Technology-Solves-It-All
The paranoid

The reason, why I like it so much is that I am deeply convinced that security can only be successful if it is aligned to business needs and not necessarily to policies and to fear. So, thinking about where security can become a business enabler would often be worthwhile. Additionally, we probably should think about our risks as well. It might well be that the we think that the world might end if a certain risk materializes but it might not even make it in the Top-100 risks of your company…

So, maybe we should change our approach or at least be honest and look in which of the 5 buckets we fit…

Thanks Shoaib

Roger

Q1 Software Vulnerabilities

Roger Halbheer — Fri, 20 Apr 2012 08:42:46 +0000

This was an interesting article on cio.com: Apple, Oracle, Google Lead Major Vendors with Software Vulnerabilities in Q1, Security Report Says – by TrendMicro. Now, these stats are always a bit a challenge: They make a really good headline but if the statistics does not include the severity of the vulnerabilities, it is hard to judge, what this really means in practical terms.

Anyway, if you look at the article, it says:

Apple reported 91 vulnerabilities during the period, making it number one among the top 10 technology vendors in the industry, said the report, "Security in the age of Mobility."
Trailing Apple were Oracle (78 vulnerabilities), Google (73), Microsoft (43), IBM (42), Cisco (36), Mozilla (30), MySQL (28), Adobe (27) and Apache (24).
In addition, Trend Micro reported that Apple issued a record number of patches to its Safari browser in March during the period. A year earlier, March was also a mammoth month for patches, with Apple addressing 93 vulnerabilities, a third of them characterized as "critical," in its Leopard and Snow Leopard operating system.

If you set this into proportion to the size of the portfolio, it would look even better for us. However, this does by no means say that we feel good about 43 vulnerabilities but it shows that our Security Development Lifecycle pays off.

This is more or less consistent as well with what we see with customers: Typically they know today how to roll security updates out to their Microsoft environment but they are often challenged with the rest of their applications. However, if you look where the majority of vulnerabilities are, it is typically third-party code (and not “only” from the vendors stated above but in custom-written code).

Therefore I am still calling for customers to ask for a secure development lifecycle from their vendors

Roger

Run your company like a burrito?

Roger Halbheer — Thu, 19 Apr 2012 09:40:44 +0000

This has nothing to do with security nor with technology – but it is worth (in my opinion) 20 minutes of your time!

Recently a friend of mine told me to read Good to Great: Why Some Companies Make the Leap…And Others Don’t by Jim Collins. Well, I said kind of “yeah, yeah” but downloaded it and started to read – and I love it. The reason is that it is one of the few management books which really start with “make sure you have the right people” and the rest then falls into place – it is not that easy (not even in the book) but it starts there.

Today, I saw a status update by one of my former managers (about 20 years ago) on Facebook linking to a video from TEDxKoeln by Heiko Fischer called The Future of Work – going into a very similar direction. It takes you 17:15 minutes but in my opinion, well invested 17:15 minutes. If you cannot watch it embedded, here is the link.

If you have seen it now, please do not tell me that this is something your management has to change. I am convinced that it always starts with you – just think about it.

Roger

Keep all your software updated and current

Roger Halbheer — Fri, 13 Apr 2012 06:48:45 +0000

I know that I keep going and going on that. When I talk to customers and mainly to providers of the critical infrastructure about security, one of the key things to me is to keep the software updated. It is about patching and it is about staying on the latest version of your software. To me, today Windows XP is a huge risk out there. It was an outstanding operating system when it was launched but it is definitely outdated if you think about how the threat landscape looked like only 5-10 years ago. I am aware of the fact that not all systems can be upgraded because of compatibility issues, a vendor might not even exist anymore. Then these systems need definitely be shielded in different ways to keep them as far off the network as possible.

The reason for this post is, that I still see a lot of customers who developed a really good practice for handling Microsoft updates but not for the rest. I just read these two articles this morning:

So, make sure you cover all your software including third-party apps and open source.

Roger

Selecting the right Cloud partner

Roger Halbheer — Tue, 10 Apr 2012 06:13:02 +0000

One of the challenges customers always have is, how to select the right cloud partner and fairly often security drives this selection. The Cloud Security Alliance published the Cloud Controls Matrix quite a while ago and in addition a Consensus Assessments Initiative Questionnaire and a lot of request for information/proposal are based on this material.

Therefore we made our answers to these questions publically available: Cloud Security in Office365. In the meantime the Cloud Security Alliance worked on a Security, Trust and Assurance Registry (called STAR) with the goal to have all these answers in one place. Kellie Ann Chainier (she works at Microsoft on a lot of these challenges) just published a corresponding blog post: Cloud Security Alliance makes cloud security more transparent with new STAR Registry – short and worth reading

Roger