<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Roger Halbheer on Security &#187; Behavior</title>
	<atom:link href="http://www.halbheer.ch/security/tag/behavior/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.halbheer.ch/security</link>
	<description>Information Security Discussion by Microsoft&#039;s Worldwide Chief Security Advisor.</description>
	<lastBuildDate>Thu, 12 Jan 2012 19:53:16 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Open Source and Hackers</title>
		<link>http://www.halbheer.ch/security/2010/06/09/open-source-and-hackers/</link>
		<comments>http://www.halbheer.ch/security/2010/06/09/open-source-and-hackers/#comments</comments>
		<pubDate>Wed, 09 Jun 2010 11:45:32 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Critical Infrastructure Protection]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Open Source]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Behavior]]></category>
		<category><![CDATA[Development Lifecycle]]></category>
		<category><![CDATA[Ecosystem]]></category>
		<category><![CDATA[OpenSource]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/?p=1543</guid>
		<description><![CDATA[<p>The debate is probably as old as the Open Source software development model: Which one is more secure: Open Source or shared source as we at Microsoft run it? I know that we could now enter a religious debate about that, which I do not want to as I do not really believe in the <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2010/06/09/open-source-and-hackers/">Open Source and Hackers</a></span>]]></description>
			<content:encoded><![CDATA[<p>The debate is probably as old as the Open Source software development model: Which one is more secure: Open Source or shared source as we at Microsoft run it? I know that we could now enter a religious debate about that, which I do not want to, as I do not really believe in the value of such a debate.</p>
<p>However, it is always interesting to see how different people look at this debate. Does it help security if everyone can see the code, or does it help the attackers? We have a program which we call the <a href="http://www.microsoft.com/resources/sharedsource/gsp.mspx" target="_blank">Government Security Program</a>, giving governments under certain circumstances (e.g. protection of intellectual property) access to our source. Sometimes we have the debate with government officials whether having access to the code could allow an attacking government to get an advantage in the area of cyberwar or cyber espionage. Looking at that debate, Open Source would be even worse, as it means access for everybody.</p>
<p>Now, I just read this article: <a href="http://www.technologyreview.com/computing/25480/?a=f" target="_blank">Open-Source Could Mean an Open Door for Hackers</a>. It is about a paper looking at data from Intrusion Detection Systems, and its finding is that <em>flaws in open-source software tend to be attacked more quickly and more often than vulnerabilities in closed-source software. </em>An interesting statement in light of the fact that we know there are more vulnerabilities in Open Source software than in shared source, and fairly often this is because of the lack of processes enforced to engineer security into the product from the beginning.</p>
<p>Another thing which is important to me is <em>&#8220;As defenders get out their patches, the attackers have more incentive to move on to a different exploit,&#8221; Ransbotham </em>[the author of the paper] <em>says. </em>In other words, having a strong incident response (besides the engineering process) is at least as important.</p>
<p>This should be something the industry adopts. We made our engineering process, called the <a href="http://www.microsoft.com/security/sdl/default.aspx" target="_blank">Security Development Lifecycle</a>, public, and I think our incident response is widely known and regarded as a best practice as well. So, this is something people should finally come to adopt.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/06/09/open-source-and-hackers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft Security Intelligence Report &#8211; What it means for EMEA</title>
		<link>http://www.halbheer.ch/security/2010/05/05/microsoft-security-intelligence-report-what-it-means-for-emea/</link>
		<comments>http://www.halbheer.ch/security/2010/05/05/microsoft-security-intelligence-report-what-it-means-for-emea/#comments</comments>
		<pubDate>Wed, 05 May 2010 15:53:22 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Trends]]></category>
		<category><![CDATA[Behavior]]></category>
		<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Collaboration]]></category>
		<category><![CDATA[Ecosystem]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Statistics]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/05/05/microsoft-security-intelligence-report-what-it-means-for-emea</guid>
		<description><![CDATA[<p>“Unfortunately” I was on vacation when we released the Security Intelligence Report last week. Nevertheless I would like to take the opportunity and look at it more from an EMEA perspective.</p> <p>One of the interesting data points we always publish is the Malware Infection Rate. Remember, there is a huge amount of data we <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2010/05/05/microsoft-security-intelligence-report-what-it-means-for-emea/">Microsoft Security Intelligence Report &#8211; What it means for EMEA</a></span>]]></description>
			<content:encoded><![CDATA[<p>“Unfortunately” I was on vacation when we released the <a href="http://www.microsoft.com/sir" target="_blank">Security Intelligence Report</a> last week. Nevertheless I would like to take the opportunity and look at it more from an EMEA perspective.</p>
<p>One of the interesting data points we always publish is the Malware Infection Rate. Remember, there is a huge amount of data we can collect from different sources like the Malicious Software Removal Tool, Microsoft Security Essentials, Defender, etc., provided you agreed to share your data with us. </p>
<p>If we look at the heat map in EMEA, this is the picture you will see:</p>
<p><a href="http://www.halbheer.ch/security/wp-content/uploads/2010/05/image.png" target="_blank"><img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="image" border="0" alt="image" src="http://www.halbheer.ch/security/wp-content/uploads/2010/05/image_thumb.png" width="204" height="287" /></a> </p>
<p>So, there are different countries which are red (highly infected) and green (not very infected). Now, obviously we do not have the same amount of data for all the countries. If we take the countries with more than 100’000 average executions per month of the Malicious Software Removal Tool, we see this ranking for the best and the worst countries worldwide (the bold countries have an execution rate of more than a million average executions per month):</p>
<p><a href="http://www.halbheer.ch/security/wp-content/uploads/2010/05/MalwareInfectionRate.png" target="_blank"><img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Malware Infection Rate" border="0" alt="Malware Infection Rate" src="http://www.halbheer.ch/security/wp-content/uploads/2010/05/MalwareInfectionRate_thumb.png" width="500" height="529" /></a> Let’s take the EMEA countries in this list and see how they developed over the last three reports. The best countries first:</p>
<p><a href="http://www.halbheer.ch/security/wp-content/uploads/2010/05/image1.png" target="_blank"><img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="image" border="0" alt="image" src="http://www.halbheer.ch/security/wp-content/uploads/2010/05/image_thumb1.png" width="504" height="316" /></a> It is actually good to see that, with the exception of Senegal, all the EMEA countries in the top list were able to reduce their infection rate. Often this is based on a good collaboration between the public and the private sector. </p>
<p>But what about the other end of the ranking? Let’s see:</p>
<p><a href="http://www.halbheer.ch/security/wp-content/uploads/2010/05/image2.png" target="_blank"><img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="image" border="0" alt="image" src="http://www.halbheer.ch/security/wp-content/uploads/2010/05/image_thumb2.png" width="504" height="300" /></a> Here the picture is not as clear. Some countries like Serbia and Montenegro, Turkey etc. had a very bad 1H09 but then came back to their “normal” level. Unfortunately we cannot see a clear trend here, but there are some countries which are slowly improving (e.g. Russia). There is definitely coordinated activity needed in these countries. Turkey, for example, is working on pulling people together to address the issue.</p>
<p>If we turn it around and look at it from an Operating System perspective, we definitely see that newer Operating Systems are better than older ones (which was to be expected):</p>
<p><a href="http://www.halbheer.ch/security/wp-content/uploads/2010/05/image3.png" target="_blank"><img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="image" border="0" alt="image" src="http://www.halbheer.ch/security/wp-content/uploads/2010/05/image_thumb3.png" width="504" height="281" /></a> From the malware we can turn to the vulnerabilities. For quite a while we have been talking about the problem moving up the stack, which is reflected in the picture on the industry-wide vulnerabilities:</p>
<p><a href="http://www.halbheer.ch/security/wp-content/uploads/2010/05/image4.png" target="_blank"><img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="image" border="0" alt="image" src="http://www.halbheer.ch/security/wp-content/uploads/2010/05/image_thumb4.png" width="504" height="269" /></a> This also means that you definitely should cover all your applications when you think about patch management, and you have to do this for all your vendors:<br /><a href="http://www.halbheer.ch/security/wp-content/uploads/2010/05/image5.png" target="_blank"><img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="image" border="0" alt="image" src="http://www.halbheer.ch/security/wp-content/uploads/2010/05/image_thumb5.png" width="504" height="276" /></a> When it comes to patching, we see a fairly good coverage with Windows Update, Microsoft Update and WSUS, especially if you are looking at the relative growth compared to the Windows installed base:</p>
<p><a href="http://www.halbheer.ch/security/wp-content/uploads/2010/05/image6.png" target="_blank"><img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="image" border="0" alt="image" src="http://www.halbheer.ch/security/wp-content/uploads/2010/05/image_thumb6.png" width="504" height="247" /></a> </p>
<p>So, you see: There is a lot of great information in the Security Intelligence Report – go and look at it.</p>
<p>Even though I did not go into the details here, <strong>Rogue Security Software</strong> is still a huge problem out there, and there is again a chapter on this theme as well! </p>
<p>Finally, if I could give three take-aways, these would be them:</p>
<ul>
<li>Get a coordinated approach to fight malware between the public and private sector </li>
<li>Move to the latest version of software, wherever you can </li>
<li>Cover all the products you have with your Patch Management processes </li>
</ul>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/05/05/microsoft-security-intelligence-report-what-it-means-for-emea/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Legal Challenges of International Business and the Cloud</title>
		<link>http://www.halbheer.ch/security/2010/03/09/legal-challenges-of-international-business-and-the-cloud/</link>
		<comments>http://www.halbheer.ch/security/2010/03/09/legal-challenges-of-international-business-and-the-cloud/#comments</comments>
		<pubDate>Tue, 09 Mar 2010 07:10:41 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Strategy]]></category>
		<category><![CDATA[Behavior]]></category>
		<category><![CDATA[Citizens]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Collaboration]]></category>
		<category><![CDATA[International]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Jurisdiction]]></category>
		<category><![CDATA[MLAT]]></category>
		<category><![CDATA[Policy Makers]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/03/08/legal-challenges-of-international-business-and-the-cloud</guid>
		<description><![CDATA[<p>To start with: I am an engineer not a lawyer – and this might be part of the problem…</p> <p>When I started to think about the Cloud and security and thought about all the work I do with Law Enforcement and the challenges they face. Additionally, I started to think about the legal challenges we <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2010/03/09/legal-challenges-of-international-business-and-the-cloud/">Legal Challenges of International Business and the Cloud</a></span>]]></description>
			<content:encoded><![CDATA[<p>To start with: I am an engineer not a lawyer – and this might be part of the problem…</p>
<p>When I started to think about the Cloud and security, I thought about all the work I do with Law Enforcement and the challenges they face. Additionally, I started to think about the legal challenges we – as an industry – already had. Or better, the legal challenges I knew about. Our <a href="http://www.halbheer.info/security/2010/01/30/cloud-security-paper-looking-for-feedback" target="_blank">Cloud Security Challenges</a> paper just touches a little bit on this, but to me it is a big challenge (too big for an engineer <img src='http://www.halbheer.ch/security/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> ?)</p>
<p>Let me give you an example: A case which happens often is that Law Enforcement approaches a mail provider with the request to access the content of a mailbox because they have a case where the suspect is expected to have mails which can be used as evidence. This is actually fairly standard and, within the legal boundaries of a country, straightforward if the law enforcement officer has a court decision. Now, with international providers it gets more complicated, as a case in Belgium showed: The Belgian police asked Yahoo! to give them access to a mailbox of a person living in Belgium based on a Belgian court decision. However, this data is hosted in the United States. The normal process would be: The police ask the FBI for help, they issue the corresponding papers (together with the court) and Yahoo! would hand over the data – this process is called <a href="http://en.wikipedia.org/wiki/Mutual_Legal_Assistance_Treaty" target="_blank">MLAT (mutual legal assistance treaty)</a>. Belgium refused to do that, as it was their position that a Belgian decision is good enough because the suspect lives in Belgium. Yahoo! now had two choices: Violate US law by handing over the data or violate the Belgian court decision by not handing over the data – a lose-lose position they were in <img src='http://www.halbheer.ch/security/wp-includes/images/smilies/icon_sad.gif' alt=':-(' class='wp-smiley' /> . </p>
<p>And the worst thing to me is that we all have just one goal: <strong>We want to get the criminals arrested – this is a battle where law enforcement, policy makers and the industry are on the same side!</strong> If you want to read more: <a href="http://techcrunch.com/2009/03/02/yahoo-fined-by-belgian-court-for-refusing-to-give-up-e-mail-account-info/">Yahoo Fined By Belgian Court For Refusing To Give Up E-Mail Account Info</a></p>
<p>And there are a lot of cases like this. Cases where the data retention policy in one country asks for data to be kept up to 12 months and another country tells you that you are not allowed to keep data for longer than 8 months because of the Data Protection law – if you operate in both, what do you do?</p>
<p>The longer I work in this space the more complicated it gets for me and more of such challenges pop up. This morning I read the following article: <a href="http://blog.uncommonsensesecurity.com/2010/03/step-in-right-direction.html">A step in the right direction</a>. Basically this blog post covers a privacy law put in place in Massachusetts which has broad impact as it is valid not only if you are located in Massachusetts but if the company <em>owns or licenses, receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment</em>. In other words – if you “run the risk” of selling to somebody in Massachusetts, you are subject to this law! </p>
<p>As I said, the situation gets incredibly complex.</p>
<p>Where does this lead us to? To me there are a few things which should be done:</p>
<ul>
<li>Governments and the industry have to work much closer together. The industry has to have the ability to show the stumbling blocks for the businesses, and together &#8211; the government and the industry &#8211; have to find solutions which protect the citizens’ rights, help to grow the economy and help to go after the criminals. </li>
<li>Governments have to think globally and act locally. Today’s cybercrime environment no longer allows for “local only” solutions. There needs to be a certain level of harmonization of laws across the countries and the willingness to collaborate quickly. As there is no global jurisdiction on that level, the willingness to have harmonized legislation will be key. The challenge, however, is that governments are re-elected locally – not globally… </li>
<li>The industry has to behave responsibly. In order to make this happen, the industry has to be seen as a partner for the government. The only way to get there – in my opinion – is to act responsibly. If I look at certain behaviors I see in the industry, it is sometimes too much focused on the short-term revenue rather than on responsible behavior. </li>
</ul>
<p>This will definitely be the basis for a better collaboration and an environment where the legal challenges (see the Yahoo! case above) do not have to be solved on the shoulders of the businesses “just because” of legal deficiencies between countries. As I said above, we all want to fight crime, as it is necessary and as it is the only way to grow the Internet in the future. And this all helps us, I think.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/03/09/legal-challenges-of-international-business-and-the-cloud/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

