In order to judge the results and statistics of this database, we have to make sure we understand the contributors and where they come from:
Therefore the output will definitely have some US-centricity but is nevertheless interesting.

There is no secret that the attackers go for money. Cybercrime came from cool to cash! If you look what the attacker did after a successful attack, this proves this statement once more:

But how do they get in? How does a hacker actually attack a Web-Application? Again, not a lot of surprise here, more a confirmation of what we know already:

I think, having SQL Injection on top should not surprise anybody who is working in this space.

So, looking at it is definitely worth in order to get a better picture from a security intelligence point of view

Roger

When I read the article, I agreed but on the other hand I was quite surprised. The article actually tends to reduce the risks of the cloud to the hacking attack from the outside. As we know, the problem space is much, much bigger as we outlined in our Cloud Computing Security Considerations paper as did others in numerous other papers on the web.

However, there is one fundamental thing I agree with the article: When people talk about the Cloud and security they tend to forget the past. It seems to me when I read the blog sphere and article on the web like it the cloud is something completely new and the threat landscape is completely new and the risks are completely new. To me, it is “just” a variation of the theme. We had outsourcing in the past and we had virtualization in the past. Now, we combine the two, add some salt and pepper and have Cloud computing (I know that I am oversimplifying now).

I am completely aware and supportive of the fact that the Cloud is adding a lot of business opportunities – and new risks. But we definitely have to make sure that we do not forget what we learned in the last few years – the last two decades – of information security as the “old” risks – like the insider threat – do not go away because we move to the Cloud. Nor will the responsibility for securing our information being transferred to a cloud provider. And this is probably the most important thing we have to consider, when we plan the cloud.

Roger

The real interactive map can be found here: Do You Know Where Your Data Is In The Cloud?

Roger

When I started to think about the Cloud and security and thought about all the work I do with Law Enforcement and the challenges they face. Additionally, I started to think about the legal challenges we – as an industry – already had. Or better, the legal challenges I knew about. Our Cloud Security Challenges paper just touches a little bit on this but to me it is a big challenge (to big for an engineer ?)

Let me give you an example: A case which happens often is that Law Enforcement is approaching any mail-provider with the request to access the content of a mailbox because they have a case where the suspect is expected to have mails which can be used as evidence. This is actually fairly standard and within the legal boundaries of a country straight-forward if the law enforcement officer has a court decision. Now, with international providers it gets more complicated as a case in Belgium showed: The Belgium policed asked Yahoo! to give them access to a mailbox of a person living in Belgium based on a Belgium court decision. However, this data is hosted in the United States. Pretty normal: The police then should the FBI for help, they issue the corresponding papers (together with the court) and Yahoo! would hand over the data – this process is called MLAT (mutual legal assistance treaty). Belgium refused to do that as it was their position that a Belgium decision is good enough because the suspect lives in Belgium. Yahoo! now had two choices: Violate the US law by handing over the data or violate the Belgium court decision by not handing over the data – a lose-lose position they were in .

And the worst thing to me is that we all have just one goal: We want to get the criminals arrested – this is a battle where law enforcement, policy makers and the industry are on the same side! If you want to read more: Yahoo Fined By Belgian Court For Refusing To Give Up E-Mail Account Info

And there are a lot of cases like this. Cases where the data retention policy in one country asks for data up to 12 months and another country tells you that you are not allowed to keep data for longer than 8 months because of the Data Protection law – if you operate in both, what do you do?

The longer I work in this space the more complicated it gets for me and more of such challenges pop up. This morning I read the following article: A step in the right direction. Basically this blog post covers a privacy law put in place in Massachusetts which has broad impact as it is valid not only if you are located in Massachusetts but if the company owns or licenses, receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment. In other words – if you “run the risk” of selling to somebody in Massachusetts, you are subject to this law!

As I said, the situation gets incredible complex.

Where does this lead us to? To me there are a few things which should be done:

• Governments and the industry have to work much closer together. The industry has to have the ability to show the stumbling blocks for the businesses and together – the government and the industry – have to find solutions which protects the citizens’ rights, helps to grow the economy and helps to go after the criminals.
• Governments have to think globally and act locally. Today’s cybercrime environment does not allow anymore for “local only” solutions. There needs to be a certain level of harmonization of laws across the countries and the willingness to collaboration fast. As there is not a global jurisdiction on that level, the willingness to have harmonized legislation will be key. The challenge however is that governments are re-elected locally – not globally…
• The Industry has to behave responsibly. In order to make this happen, the industry has to be seen as a partner for the government. The only way to get there – in my opinion – is to act responsibly. If I look at certain behaviors I see in the industry, it is sometimes too much focused on the short-term revenue, rather than a responsible behavior.

This will definitely be the basis for a better collaboration and an environment where the legal challenges (see the Yahoo! case above) do not have to be solved on the shoulders of the businesses “just because” of legal deficiencies between countries. As I said above, we all want to fight crime as it is necessary and as it is the only way to grow the Internet in the future. And this all helps us I think

Roger

If you are developing software internally you should definitely look at the site and think how to implement SDL in your organization. If you want help, there is the SDL Pro Network here to help you to implement SDL. Or leverage the tools we make available. Or much more…

If you are “just” buying software, look at the lifecycle and start to ask your vendors a few questions like:

• How do you engineer security into the products? (I am not talking about the classical software engineering processes – I am talking about security…)
• How do you do Threat Modeling (to me a key piece of the engineering process)
• …

Roger

So far, in the first 4 chapters, we have addressed the usual excuses for not Managing Your IT Environment and Security Updates:

1. Security is not worth it, nothing ever happens and if it does it will be “no big deal”
2. I installed the Microsoft updates, but my network was still compromised
3. OK now I understand why Security is important but no idea how I start
4. I now know what I want to do, I just don’t know how, I need training

Here we address the need for automation, cost reduction and standardization, Microsoft has literally hundreds of tools to help management assess risk and administrators implement security updates and policies.

Security Update Management Tools: http://technet.microsoft.com/en-gb/security/cc297183.aspx#EPC

Security Update Detection Tools: http://technet.microsoft.com/en-gb/security/cc297183.aspx#EID

Security Risk Assessment Tool: http://technet.microsoft.com/en-gb/security/cc297183.aspx#EUD

Lockdown, Auditing, Intrusion Detection, Remediation Tools: http://technet.microsoft.com/en-gb/security/cc297183.aspx#E2D

Virus and Malware Protection and Removal Tools & Apps: http://technet.microsoft.com/en-gb/security/cc297183.aspx#E1E

Reduce Your Risk: 10 Security Rules To Live By

This is from 2006 but it demonstrates on a conceptual level how the technology can change but the rules remain the same.  Yet again we learn that Security is a Process, not a Product!

http://technet.microsoft.com/en-us/magazine/2006.05.reducerisk.aspx

but yes, it is still my blog

From time to time I am looking into different ways of doing things. I ran my blog until now on SharePoint 2007 and an extension I found on Codeplex, which is part of the Community Kit for SharePoint called Enhanced Blog Edition. The reason for that was that I did not like the blog offered by SharePoint natively.

Now, I wanted to do a real revolutionary thing – for a Microsoftie : I wanted to migrate the blog on a Linux server with OpenSource software. I have to admit I failed. I started to play with the SUSE Enterprise Server (remember, we have a partnership with Novell). I set it up on my Hyper-V and it worked fairly soon without too much problems. The problems came as a Microsoftie wanted to add what is needed to run a blog and integrate the SUSE Server into Active Directory. I just gave up after spending a couple of hours and rolled back my plan – at least for the OS.

So, I decided to install Windows Server 2008 R2 and from there on wanted to experience the OpenSource side. Now, the blog runs in Windows Server 2880 R2, PHP, MySQL and WordPress. Until now, I really like WordPress as it gives me a lot of flexibility with all the PlugIns – more than I actually need. The only real hassle I had was the migration of the blog posts but finally even that worked….

So, for you nothing should change. Basically even the RSS-feed should still work even though the default feed now has a new URL but I used URL Rewriter to map.

So, if you experience any issue, please get in touch with me (see the About page)

Roger

And it was to be expected that the success of the Microsoft Security Essentials will be leveraged by criminals as well to do exactly what I just mentioned – it happened last week. Read yourself: If it calls itself “Security Essentials 2010”, then it’s possibly fake, innit?

Roger

• The user has to be tricked into pressing F1 in response to a Pop-Up (no automation)
• We are not aware of any attacks exploiting this issue
• It is Windows XP “only”

This leads me back to the discussions I had with customers over the last few weeks: Windows XP was released 31. December 2001 – 8 years ago. If you would give it 2 years development and engineering time, we are talking of a 10 year old operating system. During a discussion a friend of mine said “your are not driving a 10 years old car neither” – which is not accurate. If you look how the threat landscape developed on the Internet over the last 10 years, you should probably compare it with a 50 years old car. The real problem with Windows XP in my opinion is, that it is rock-solid – but in my opinion not suited anymore for today’s threats. As you have a great alternative now – you should definitely consider moving to Windows 7. And you should move from IE 6 (if you are still there) to IE8!!

If I would have one wish to you from a security perspective: Move to the latest version of your software – everywhere (knowing that this is not an easy task to do)

Roger

So, basically it is about helping you to plan, deploy, operate, and manage the baselines in your environment. As you might know, we provide free tools, which we call Solution Accelerators since quite a while (if you did not know, shame on us), we provide a Security Compliance Manager in this program as well and have the new version just in Beta now.

Basically the new Security Compliance Manager Solution Accelerator helps you to provides you a few pretty exciting features:

• Centralized management and baseline portfolio
• You can customize the security baselines
• You can compare them and export them (e.g. to GPOs)
• You can verify and monitor them

As a picture shows more than a thousand words, here are a few (cool!!) screenshots of the tool:

Check for Baselines

Compare Baselines

Customize the Baseline

Export it (to enforce it through GPOs)

Merge different Baselines

So, if you are as excited as I am, you should join the Beta program, which is now open. That’s the way to give feedback and influence it now! Therefore my “call to action” for you is:

• Join the Security Compliance Manager Beta. Then tell the development team what you think!
• Already a member? Bookmark this link for access to the program page.
• Help us spread the word—share the beta invitation link with your friends.
• Want to see where it all started? Download the current version: Security Compliance Management Toolkit.

The beta will run through March 2010. That means now is the time to join the beta program, take an early look at this tool, and provide the Security Solution Accelerators team with your feedback.

Want the facts straight from the development team? Check out this series of short videos! Better yet, post your own video response sharing your favorite feature.

Want more information on a specific feature? Interested in speaking with the development team? Please contact Michelle Arney.

Have a lot of fun!!

Roger