<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Roger Halbheer on Security &#187; Incident Response</title>
	<atom:link href="http://www.halbheer.ch/security/tag/incident-response/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.halbheer.ch/security</link>
	<description>Information Security Discussion by Microsoft&#039;s Worldwide Chief Security Advisor.</description>
	<lastBuildDate>Thu, 12 Jan 2012 19:53:16 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>10 Years of Trustworthy Computing at Microsoft</title>
		<link>http://www.halbheer.ch/security/2012/01/12/10-years-of-trustworthy-computing-at-microsoft/</link>
		<comments>http://www.halbheer.ch/security/2012/01/12/10-years-of-trustworthy-computing-at-microsoft/#comments</comments>
		<pubDate>Thu, 12 Jan 2012 10:33:15 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Products]]></category>
		<category><![CDATA[Strategy]]></category>
		<category><![CDATA[Trends]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Cybersecurity Agenda]]></category>
		<category><![CDATA[Development Lifecycle]]></category>
		<category><![CDATA[Ecosystem]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Incident Sharing]]></category>
		<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Security Updates]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Trustworthy Computing]]></category>
		<category><![CDATA[Vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/?p=2598</guid>
		<description><![CDATA[<p>Before joining Microsoft a little bit more than 10 years ago, I ran a team at PricewaterhouseCoopers on e-Business Risk Management – classical security consulting in the Internet bubble time. When I announced that I would leave PwC and join Microsoft, I got interesting reactions (and remember, this was 2001). Mainly they were along <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2012/01/12/10-years-of-trustworthy-computing-at-microsoft/">10 Years of Trustworthy Computing at Microsoft</a></span>]]></description>
			<content:encoded><![CDATA[<p><a href="http://aka.ms/twcnext"><img style="margin: 0px 10px; display: inline; float: left" border="0" alt="TwC Next" src="http://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-50-43-twcnext/1488.TwC_2D00_Tile_5F00_148x148_2D00_wShadow.png" width="148" height="148" /></a>
<p>Before joining Microsoft a little bit more than 10 years ago, I ran a team at PricewaterhouseCoopers on e-Business Risk Management – classical security consulting in the Internet bubble time. When I announced that I would leave PwC and join Microsoft, I got interesting reactions (and remember, this was 2001). Mainly they were along two lines:</p>
<ul>
<li>Oh, you are joining a desktop company? Why? </li>
<li>A security guy? Joining Microsoft? hmm… </li>
</ul>
<p>So, these reactions came from the time immediately before we launched Windows XP (you are not on XP today, are you? If you are, read <a href="http://www.halbheer.ch/security/2011/12/22/10-reasons-to-migrate-off-windows-xp/" target="_blank">this article</a>). Microsoft was not perceived as an enterprise player and was not seen as secure – they were wrong back then in the first case but right in the second one, I guess. I joined as part of the consulting organization but soon met the country manager and had a chat with him about the perception of Microsoft’s security in the market. We (say: he <img style="border-bottom-style: none; border-left-style: none; border-top-style: none; border-right-style: none" class="wlEmoticon wlEmoticon-smile" alt="Smile" src="http://www.halbheer.ch/security/wp-content/uploads/2012/01/wlEmoticon-smile.png" />) then decided that we needed to work on that and that I should draw up a job description – the job was then called Chief Security Officer and Chief Security Advisor later on. And then Nimda hit! And then Blaster hit! And then Slammer hit! I had the “privilege” back then to run the incident response team in Switzerland and had the privilege of having customers screaming at me, telling me that we fucked up (that was a quote). </p>
<p>Interestingly in the meantime the famous <a href="http://www.microsoft.com/Presspass/Features/2012/jan12/GatesMemo.mspx" target="_blank">Bill Gates’ Memo</a> hit the streets, saying:</p>
<blockquote><p>There are many changes Microsoft needs to make as a company to ensure and keep our customers’ trust at every level – from the way we develop software, to our support efforts, to our operational and business practices. As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable. Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers’ view of us as a company.</p>
</blockquote>
<p>and even more important:</p>
<blockquote><p>In the past, we’ve made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We’ve done a terrific job at that, but all those great features won’t matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve. </p>
</blockquote>
<p>This memo led to the creation of Trustworthy Computing, with Scott Charney running the organization since its beginning. Scott then created the Chief Security Advisor community, the community I have been in since the beginning and have the honor to run globally today. </p>
<p>Coming back to the beginning: I remember the first keynote I did for Microsoft was on Trustworthy Computing, immediately after this announcement. People approached me in the breaks and asked me whether I really believed what I had just said: that Microsoft is going to change. And I confirmed that. I have never seen (neither before nor after) a company stopping development for almost four months to address issues and then change the way the company operates – that radically. I would never ever put my name and my credibility at risk if I had not believed it back then, and I am still convinced that we did and still do an outstanding job and that we are leading the industry today. Interestingly, I do not get these questions anymore…</p>
<p>So, what happened over these 10 years of Trustworthy Computing? What were the significant achievements? Well, there are numerous, and I have to apologize upfront to the teams I am not mentioning here…</p>
<ul>
<li>Immediately after SQL Slammer in 2003 we spun up a process called the <a href="http://www.microsoft.com/security/msrc/whatwedo/responding.aspx">Software Security Incident Response Process</a> (SSIRP), a process which is still in place today and which we constantly adapt to new threats and especially new challenges. This was a huge effort, as we needed to be able to ramp up an incident organization all across the globe 24x7 – and we still are today. </li>
<li>Probably the biggest and most fundamental change was the way we develop software. We introduced the <a href="http://www.microsoft.com/security/sdl/default.aspx">Security Development Lifecycle</a> (SDL) and constantly keep it updated. Not only did we change the development process internally, we also make this information available to the industry for free. Others shall be able to learn from what we have learned in the past. What concerns me is the slow adoption of such methodologies on the vendor side as well as on the customer side. Who really asks for a process? Typically customers ask for product certification but not for a sound process – something we as an industry need to continue to change. </li>
<li>Different teams were spun up to address security reactively, like the Microsoft Security Response Center and the Malware Protection Center. </li>
<li>Since 2006 we have published our <a href="http://www.microsoft.com/sir" target="_blank">Security Intelligence Report</a> – the most comprehensive report in the market. </li>
<li>Our <a href="http://www.microsoft.com/presspass/presskits/dcu/" target="_blank">Digital Crimes Unit</a> is fighting cybercrime from a legal as well as from a technology perspective. We are working closely with the Council of Europe and other organizations to improve the legal situation. We are taking down botnets like <a href="http://blogs.technet.com/b/microsoft_blog/archive/2010/09/08/r-i-p-waledac-undoing-the-damage-of-a-botnet.aspx" target="_blank">Waledac</a>, <a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2011/03/17/taking-down-botnets-microsoft-and-the-rustock-botnet.aspx" target="_blank">Rustock</a> and <a href="http://blogs.technet.com/b/microsoft_blog/archive/2011/09/27/microsoft-neutralizes-kelihos-botnet-names-defendant-in-case.aspx" target="_blank">Kelihos</a> in close collaboration with the authorities.&#160; We are providing technology to fight the sexual exploitation of children, like <a href="http://www.microsoft.com/presspass/press/2009/dec09/12-15PhotoDNAPR.mspx" target="_blank">PhotoDNA</a>. </li>
</ul>
<p>A lot of things happened over the course of the years and there is still a lot to do. These are just some highlights (besides the creation of the Chief Security Advisor community). </p>
<p>If you want to see a condensed version of the “life” of Trustworthy Computing, here you go:<br /><a href="http://www.microsoft.com/presspass/gallery/imageviewer.mspx?3AMBwaEoKCAtQ%2bsNlzHVTXml3CAzGFCzjJXqTjDzvT134nbww9YZda8RzXCvADDYwAqVTt%2fh0ZP%2fzA2w%2fqABecg%2ftNsl3fbo5j5Yn2FF%2b6TnnJ67AaewjqseaPeFm8Twpac4pFl64kHoXdBuVIlJlrStNYXNCFq7Uq1hnBn%2bD%2fEqi0rTj%2bfTFt5BadhKGnKfYA4jQNkimkBijs%2fTWfJ7cgAc412D0AG21ND1YwseIRwN4mI7nt2YKaUVH1ij64jgzP7GZMh%2fYSWDUxYuhUjMWnQtE67etqOIFdqnWG6o0HNGhsNFFylHku1M%2bHFDfrq39QMgnwOgaH0OtSYTWsDYuTFMbBYM4N1RB0ndC%2brB1zg%3d" target="_blank"><img src="http://www.microsoft.com/presspass/images/features/2012/01-12twc10years_lg.jpg" width="619" height="480" /></a></p>
<p>And the official story on the news center: <a href="http://www.microsoft.com/presspass/features/2012/jan12/01-12TwC.mspx" target="_blank">At 10-Year Milestone, Microsoft’s Trustworthy Computing Initiative More Important than Ever</a></p>
<p>Sometimes I am asked how many people work at Microsoft on security. And the answer is “everybody” (well, almost <img style="border-bottom-style: none; border-left-style: none; border-top-style: none; border-right-style: none" class="wlEmoticon wlEmoticon-smile" alt="Smile" src="http://www.halbheer.ch/security/wp-content/uploads/2012/01/wlEmoticon-smile.png" />). It is not something we separate and put into a team labeled security. It is part of all our lives to one extent or another, and this is the way it should be.</p>
<p>If I had one wish for 2012, it would be that the industry would stand together much closer to address the issues of today and the future. I do not see security as something the industry should compete on – rather we should collaborate to fight the criminals &#8211; together with the governments, and the governments together with us. I was already fairly vocal about this at the <a href="http://www.halbheer.ch/security/2011/11/23/council-of-europe-octopus-conference-some-thoughts-2/" target="_blank">Octopus Conference</a> and will continue to ask for it. To help with this dialogue, we published a model called the <a href="http://www.halbheer.ch/security/2011/10/27/cybersecuritymore-than-a-good-headline/" target="_blank">Cybersecurity Agenda for Governments</a> and will soon publish a book on it as well. </p>
<p>In parallel, the teams internally will continue their great work to bring Trustworthy Computing to the next level. All of this is needed when we think that there will be a third billion devices added to the Internet in the next five years!</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2012/01/12/10-years-of-trustworthy-computing-at-microsoft/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Cybersecurity&#8211;More than a good headline</title>
		<link>http://www.halbheer.ch/security/2011/10/27/cybersecuritymore-than-a-good-headline/</link>
		<comments>http://www.halbheer.ch/security/2011/10/27/cybersecuritymore-than-a-good-headline/#comments</comments>
		<pubDate>Thu, 27 Oct 2011 13:47:03 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Critical Infrastructure Protection]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Critical Infrastructure]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Cybersecurity Agenda]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Policies]]></category>
		<category><![CDATA[Policy Makers]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Situational Awareness]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/10/27/cybersecuritymore-than-a-good-headline/</guid>
		<description><![CDATA[<p>A lot of governments all across the globe are working on starting, restarting or pushing their Cybersecurity initiative. What often concerns me is that the last real headline has more impact on the strategy and the themes to be addressed than a structure or a plan or a strategy.</p> <p>This made us think about what <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/10/27/cybersecuritymore-than-a-good-headline/">Cybersecurity&#8211;More than a good headline</a></span>]]></description>
			<content:encoded><![CDATA[<p>A lot of governments all across the globe are working on starting, restarting or pushing their Cybersecurity initiative. What often concerns me is that the last real headline has more impact on the strategy and the themes to be addressed than a structure or a plan or a strategy.</p>
<p>This made us think about what is needed to run a successful Cybersecurity Agenda within a country: what themes ought to be addressed, and in which form?</p>
<p>We came up with a fairly simple model:</p>
<p><a href="http://www.halbheer.ch/security/wp-content/uploads/2011/10/image4.png"><img style="background-image: none; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border-width: 0px;" title="image" src="http://www.halbheer.ch/security/wp-content/uploads/2011/10/image_thumb4.png" alt="image" width="644" height="363" border="0" /></a></p>
<p>To explain the model, we just published two papers about it:</p>
<ul>
<li><a href="http://download.microsoft.com/download/B/D/1/BD154F33-58E5-4034-89AB-F67E7FAB0AC6/MSPSCybersecurityAbstract.pdf">Cybersecurity white paper abstract</a> – a one pager with a high-level description</li>
<li><a href="http://download.microsoft.com/download/F/1/7/F176D7BF-AAD6-4295-A400-0C6DD8E4A8F4/MSPSCybersecurityWhitepaper.pdf">Cybersecurity: More than a good headline</a> – a few more pages going deeper into the discussion of the different subjects.</li>
</ul>
<p>In parallel we are working on a book about this, giving many more examples and background – so stay tuned.</p>
<p>The only thing I really know: when I do a presentation explaining Cybersecurity and at the end show the slide above, governments love it. Typically they approach me asking for the deck – if they are not being politically correct, they tell me that they just want to get this slide.</p>
<p>Comments are very welcome. If you need/want further information, get in touch with me. Happy to help.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/10/27/cybersecuritymore-than-a-good-headline/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Using the Microsoft Diagnostics and Recovery Toolset (DaRT) for Incident Response</title>
		<link>http://www.halbheer.ch/security/2011/10/19/using-the-microsoft-diagnostics-and-recovery-toolset-dart-for-incident-response/</link>
		<comments>http://www.halbheer.ch/security/2011/10/19/using-the-microsoft-diagnostics-and-recovery-toolset-dart-for-incident-response/#comments</comments>
		<pubDate>Wed, 19 Oct 2011 13:01:45 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Products]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Patch Management]]></category>
		<category><![CDATA[Policies]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/10/19/using-the-microsoft-diagnostics-and-recovery-toolset-dart-for-incident-response/</guid>
		<description><![CDATA[<p>A few years ago I posted on DaRT after having seen it: Microsoft Diagnostics and Recovery Toolset. It is a really good and interesting tool for a lot of problems, one of them being incident response. I just stumbled across one article describing this: Using the Microsoft Diagnostics and Recovery Toolset (DaRT) for Incident Response.</p> <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/10/19/using-the-microsoft-diagnostics-and-recovery-toolset-dart-for-incident-response/">Using the Microsoft Diagnostics and Recovery Toolset (DaRT) for Incident Response</a></span>]]></description>
			<content:encoded><![CDATA[<p>A few years ago I posted on DaRT after having seen it: <a href="http://blogs.technet.com/b/rhalbheer/archive/2008/04/02/microsoft-diagnostics-and-recovery-toolset.aspx" target="_blank">Microsoft Diagnostics and Recovery Toolset</a>. It is a really good and interesting tool for a lot of problems, one of them being incident response. I just stumbled across one article describing this: <a href="http://www.windowsecurity.com/articles/Using-Microsoft-Diagnostics-Recovery-Toolset-DaRT-Incident-Response.html" target="_blank">Using the Microsoft Diagnostics and Recovery Toolset (DaRT) for Incident Response</a>.</p>
<p>An overview of DaRT can be found <a href="http://technet.microsoft.com/en-us/library/ee460914.aspx" target="_blank">here</a>. To preclude rants and questions: DaRT is part of the Microsoft Desktop Optimization package and cannot be downloaded from our website.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/10/19/using-the-microsoft-diagnostics-and-recovery-toolset-dart-for-incident-response/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>VeriSign to Take Down Malware Sites?</title>
		<link>http://www.halbheer.ch/security/2011/10/12/verisign-to-take-down-malware-sites/</link>
		<comments>http://www.halbheer.ch/security/2011/10/12/verisign-to-take-down-malware-sites/#comments</comments>
		<pubDate>Wed, 12 Oct 2011 07:47:53 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/10/12/verisign-to-take-down-malware-sites/</guid>
		<description><![CDATA[<p>This is actually an interesting approach: VeriSign Proposes Takedown Procedures and Malware Scanning for .Com. This leads to the discussion I have so often: What is more important? The single website or the greater good? Now, do not get me wrong: I see the risks of VeriSign taking down microsoft.com because a blog hosted there <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/10/12/verisign-to-take-down-malware-sites/">VeriSign to Take Down Malware Sites?</a></span>]]></description>
			<content:encoded><![CDATA[<p>This is actually an interesting approach: <a href="http://domainnamewire.com/2011/10/11/verisign-proposes-takedown-procedures-and-malware-scanning-for-com/" target="_blank">VeriSign Proposes Takedown Procedures and Malware Scanning for .Com</a>. This leads to the discussion I have so often: What is more important? The single website or the greater good? Now, do not get me wrong: I see the risks of VeriSign taking down microsoft.com because a blog hosted there spreads malware or facebook.com because somebody was able to host malware. It might even lead to competitive challenges. I completely get this and the processes linked to it have to be clear, transparent and need a dispute resolution before the takedown. But I guess that VeriSign gets this as well.</p>
<p>The reactions in the comments are worth reading as well…</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/10/12/verisign-to-take-down-malware-sites/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft Malware Protection Center on Facebook and Twitter</title>
		<link>http://www.halbheer.ch/security/2011/07/28/microsoft-malware-protection-center-on-facebook-and-twitter/</link>
		<comments>http://www.halbheer.ch/security/2011/07/28/microsoft-malware-protection-center-on-facebook-and-twitter/#comments</comments>
		<pubDate>Thu, 28 Jul 2011 12:14:09 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Products]]></category>
		<category><![CDATA[Strategy]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Incident Sharing]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/07/28/microsoft-malware-protection-center-on-facebook-and-twitter/</guid>
		<description><![CDATA[<p>I know, I have been fairly slow in blogging currently, but I was fairly busy with a few cool projects (which I will disclose later) and – time flies if you are having fun.</p> <p>Just a quick one:</p> <p>The MMPC on Facebook and Twitter</p> <p>The Microsoft Malware Protection Center (MMPC) officially launched its Facebook page <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/07/28/microsoft-malware-protection-center-on-facebook-and-twitter/">Microsoft Malware Protection Center on Facebook and Twitter</a></span>]]></description>
			<content:encoded><![CDATA[<p>I know, I have been fairly slow in blogging currently, but I was fairly busy with a few cool projects (which I will disclose later) and – time flies if you are having fun.</p>
<p>Just a quick one:</p>
<blockquote><p><a href="http://go.microsoft.com/?linkid=9779064">The MMPC on Facebook and Twitter</a></p>
<p>The Microsoft Malware Protection Center (MMPC) officially launched its Facebook page and Twitter account. From this Welcome page, you can read the latest blog posts, see the latest Twitter feeds, and find out what threats most affect your desktop.</p></blockquote>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/07/28/microsoft-malware-protection-center-on-facebook-and-twitter/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Special Intelligence Report on the Rustock Takedown</title>
		<link>http://www.halbheer.ch/security/2011/07/06/special-intelligence-report-on-the-rustock-takedown/</link>
		<comments>http://www.halbheer.ch/security/2011/07/06/special-intelligence-report-on-the-rustock-takedown/#comments</comments>
		<pubDate>Wed, 06 Jul 2011 07:27:38 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Law Enforcement]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/07/06/special-intelligence-report-on-the-rustock-takedown/</guid>
		<description><![CDATA[<p>As you might remember, on March 16th Microsoft, together with other industry players, successfully took down the Rustock botnet and thus significantly reduced the spam level.</p> <p>We have now just published a special Intelligence Report on this botnet:</p> <p>Read an overview of the Win32/Rustock family of rootkit-enabled backdoor Trojans: background, functionality, how it <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/07/06/special-intelligence-report-on-the-rustock-takedown/">Special Intelligence Report on the Rustock Takedown</a></span>]]></description>
			<content:encoded><![CDATA[<p>As you might remember, on March 16th Microsoft, together with other industry players, successfully took down the Rustock botnet and thus significantly reduced the spam level.</p>
<p>We have now just published a special Intelligence Report on this botnet:</p>
<blockquote><p>Read an overview of the <a href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fRustock">Win32/Rustock</a> family of rootkit-enabled backdoor Trojans: background, functionality, how it works, and threat telemetry data with analysis for 2010 to May 2011. This document describes the legal and technical action used to take down the Rustock botnet and how to detect and remove the threat using Microsoft antimalware products. </p>
</blockquote>
<p>You will find it <a href="http://www.microsoft.com/security/sir/story/default.aspx#!rustock" target="_blank">here</a>.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/07/06/special-intelligence-report-on-the-rustock-takedown/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ten Immutable Laws Of Security (Version 2.0)</title>
		<link>http://www.halbheer.ch/security/2011/06/16/ten-immutable-laws-of-security-version-2-0/</link>
		<comments>http://www.halbheer.ch/security/2011/06/16/ten-immutable-laws-of-security-version-2-0/#comments</comments>
		<pubDate>Thu, 16 Jun 2011 08:56:14 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[People]]></category>
		<category><![CDATA[Policy]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Strategy]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Social Engineering]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/06/16/ten-immutable-laws-of-security-version-2-0/</guid>
		<description><![CDATA[<p>You might have known the 10 Immutable Laws Of Security for quite a while. It is kind of the “collected non-technical wisdom” of what we see in security response, be it in the Microsoft Security Response Center or in our Security Product Support.</p> <p>There is now a version 2, which is still as important as version <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/06/16/ten-immutable-laws-of-security-version-2-0/">Ten Immutable Laws Of Security (Version 2.0)</a></span>]]></description>
			<content:encoded><![CDATA[<p>You might have known the 10 Immutable Laws Of Security for quite a while. It is kind of the “collected non-technical wisdom” of what we see in security response, be it in the Microsoft Security Response Center or in our Security Product Support.</p>
<p>There is now a version 2, which is still as important as version 1 was. The 10 Laws are:</p>
<blockquote><p>Law #1: If a bad guy can persuade you to run his program on your computer, it&#8217;s not solely your computer anymore.<br />Law #2: If a bad guy can alter the operating system on your computer, it&#8217;s not your computer anymore.<br />Law #3: If a bad guy has unrestricted physical access to your computer, it&#8217;s not your computer anymore.<br />Law #4: If you allow a bad guy to run active content in your website, it&#8217;s not your website any more.<br />Law #5: Weak passwords trump strong security.<br />Law #6: A computer is only as secure as the administrator is trustworthy.<br />Law #7: Encrypted data is only as secure as its decryption key.<br />Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.<br />Law #9: Absolute anonymity isn&#8217;t practically achievable, online or offline.<br />Law #10: Technology is not a panacea.</p>
</blockquote>
<p>Just make sure that you keep them in mind – there is no “patch” for them <img style="border-bottom-style: none; border-left-style: none; border-top-style: none; border-right-style: none" class="wlEmoticon wlEmoticon-smile" alt="Smile" src="http://www.halbheer.ch/security/wp-content/uploads/2011/06/wlEmoticon-smile.png" />. The whole set of explanations can be found here: <a href="http://technet.microsoft.com/en-us/library/hh278941.aspx" target="_blank">Ten Immutable Laws Of Security (Version 2.0)</a></p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/06/16/ten-immutable-laws-of-security-version-2-0/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Infrastructure Planning and Design Guide for Malware Response</title>
		<link>http://www.halbheer.ch/security/2011/02/20/infrastructure-planning-and-design-guide-for-malware-response/</link>
		<comments>http://www.halbheer.ch/security/2011/02/20/infrastructure-planning-and-design-guide-for-malware-response/#comments</comments>
		<pubDate>Sun, 20 Feb 2011 16:25:52 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Processes]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/02/20/infrastructure-planning-and-design-guide-for-malware-response/</guid>
		<description><![CDATA[<p>A new version of this guide went live – I think something, you should look at. There is a metrology and a process in detail:</p> <p></p> <p>So, if you want to learn more: http://technet.microsoft.com/en-us/library/cc162838.aspx</p> <p>Roger</p> ]]></description>
			<content:encoded><![CDATA[<p>A new version of this guide went live – I think it is something you should look at. It describes a methodology and a process in detail:</p>
<p><img style="margin: " src="http://i.technet.microsoft.com/Cc162838.image1(en-us,TechNet.10).jpg" /></p>
<p>So, if you want to learn more: <a title="http://technet.microsoft.com/en-us/library/cc162838.aspx" href="http://technet.microsoft.com/en-us/library/cc162838.aspx">http://technet.microsoft.com/en-us/library/cc162838.aspx</a></p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/02/20/infrastructure-planning-and-design-guide-for-malware-response/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Fighting a Botnet</title>
		<link>http://www.halbheer.ch/security/2011/02/17/fighting-a-botnet/</link>
		<comments>http://www.halbheer.ch/security/2011/02/17/fighting-a-botnet/#comments</comments>
		<pubDate>Thu, 17 Feb 2011 19:42:49 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/02/17/fighting-a-botnet/</guid>
		<description><![CDATA[<p>Microsoft Malware Protection Center published a document on Battling the Zbot Threat, a special edition of the Security Intelligence Report. It is a very good document, worth looking at.</p> <p>This is the intro (to make you curious for more):</p> <p>This document provides an overview of the Win32/Zbot family of password-stealing trojans. The document examines the <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/02/17/fighting-a-botnet/">Fighting a Botnet</a></span>]]></description>
			<content:encoded><![CDATA[<p>Microsoft Malware Protection Center published a document on <a href="http://www.microsoft.com/downloads/en/details.aspx?FamilyID=da73febd-5a20-47d6-8a0b-789423e21a94" target="_blank">Battling the Zbot Threat</a>, a special edition of the <a href="http://www.microsoft.com/security/sir/default.aspx" target="_blank">Security Intelligence Report</a>. It is a very good document, worth looking at.</p>
<p>This is the intro (to make you curious for more):</p>
<blockquote><p>This document provides an overview of the Win32/Zbot family of password-stealing trojans. The document examines the background of Win32/Zbot, its functionality, how it works, and provides telemetry data and analysis from calendar year 2010 about how this threat is detected and removed by Microsoft antimalware products and services.</p>
</blockquote>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/02/17/fighting-a-botnet/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Stuxnet talks &#8211; do we listen?</title>
		<link>http://www.halbheer.ch/security/2010/10/12/stuxnet-talks-do-we-listen/</link>
		<comments>http://www.halbheer.ch/security/2010/10/12/stuxnet-talks-do-we-listen/#comments</comments>
		<pubDate>Tue, 12 Oct 2010 14:45:48 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Critical Infrastructure Protection]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Terrorism]]></category>
		<category><![CDATA[Critical Infrastructure]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Policies]]></category>
		<category><![CDATA[Policy Makers]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/10/12/stuxnet-talks-do-we-listen</guid>
		<description><![CDATA[<p>Stuxnet is a severe threat – that’s something we know for sure. But if we look at it – what do we really know? What can we learn? <p>Let’s start from the beginning. As soon as Stuxnet hit the news, it was interesting to see, what was happening. There was a ton of speculation out <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2010/10/12/stuxnet-talks-do-we-listen/">Stuxnet talks &#8211; do we listen?</a></span>]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fStuxnet">Stuxnet</a> is a severe threat – that’s something we know for sure. But if we look at it – what do we really know? What can we learn?
<p>Let’s start from the beginning. As soon as Stuxnet hit the news, it was interesting to see, what was happening. There was a ton of speculation out there about the source and the target of the worm, especially since it hit mass-media. It is obvious that this is a story which is interesting for a broad audience – however, wesecurity professionals need different sources.
<p>If you look at this interview at CNN, they are giving background information but in the meantime are pushing for the story.
<p align="center"><object width="416" height="374" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" id="ep"><param name="allowfullscreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="wmode" value="transparent" /><param name="movie" value="http://i.cdn.turner.com/cnn/.element/apps/cvp/3.0/swf/cnn_416x234_embed.swf?context=embed_edition&amp;videoId=tech/2010/09/24/mann.egan.stuxnet.worm.cnn" /><param name="bgcolor" value="#000000" /><embed src="http://i.cdn.turner.com/cnn/.element/apps/cvp/3.0/swf/cnn_416x234_embed.swf?context=embed_edition&amp;videoId=tech/2010/09/24/mann.egan.stuxnet.worm.cnn" type="application/x-shockwave-flash" bgcolor="#000000" allowfullscreen="true" allowscriptaccess="always" width="416" wmode="transparent" height="374"></embed></object></p>
<p>Unfortunately, even professionals seem to build their defense on what they heard somewhere because someone said… This is not the right source of information.</p>
<p>So, a lot of speculation on different channels, social media as well as mass media. What do we learn from that?</p>
<p><b>Rely only on trusted sources if you want to run your incident response.</b></p>
<p>I think this is not the first time I am promoting this approach <img style="border-bottom-style: none; border-right-style: none; border-top-style: none; border-left-style: none" class="wlEmoticon wlEmoticon-smile" alt="Smile" src="http://www.halbheer.ch/security/wp-content/uploads/2010/10/wlEmoticon-smile1.png" /></p>
<p>If you want real information on Stuxnet, there you go:</p>
<ul>
<li><a href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=stuxnet">MMPC Encyclopedia</a> </li>
<li><a href="http://blogs.technet.com/search/searchresults.aspx?q=stuxnet&amp;sections=6258&amp;sort=date+desc&amp;PageIndex=1">Microsoft Malware Protection Center blog posts since July this year to give you insight into the problem</a> </li>
</ul>
<p>This is one side of the problem. What about the critical infrastructure? It seems to be common knowledge that Stuxnet is leveraging a vulnerability in the Siemens PLC code to manipulate parameters in control systems. This leads us to an interesting question, which is how to protect embedded systems.</p>
<p>So far, I am convinced that within the industry we know fairly well how to protect classical IT systems like servers and PCs. If we extend this to embedded systems, the problem becomes much bigger. I once worked on this problem for medical devices. I was talking to the hospitals, and they were telling me that they are not allowed by regulation to touch any technology on a medical device (even though these devices are connected to their internal network to exchange patient data). If you talk to the regulator, they tell you that they are satisfied with a risk management process run by the vendor (nobody really checks the <u>risks</u> in the process, as the regulation does not address this), and if you talk to the vendor, they do not want to take on the cost of maintaining the software on these devices – a classical example of passing the hot potato from one player to the other. This is a latent risk, which might be above the acceptable risk threshold for a society.</p>
<p>What can we do to approach this? On a tactical level, this means reducing the risk by shielding such systems. Do not attach them directly to the network but indirectly, behind a reverse proxy. On a strategic level, we have to look at it from a maintenance perspective like any other IT system. E.g. the FDA realizes that <u>not</u> patching a system might create higher risks than patching it. This by itself is a remarkable statement. It by no means allows you to just deploy without testing – but probably without re-validating.</p>
<p>When it comes to SCADA systems, one of my readers, Shoaib Yousuf, wrote a really good article published in Computerworld and CIO in Australia called <a href="http://www.computerworld.com.au/article/363005/smart_grid_security_critical_success_factors/">Smart grid security: Critical success factors</a>, showing the different approaches to secure such systems.</p>
<p>What do we learn from that?</p>
<p><b>Realize that systems with embedded IT have to be maintained and protected like any other IT device, taking into consideration the special safety needs.</b></p>
<p>And then finally, who are the players behind Stuxnet? A lot of people in the press and the blogosphere talk about an “act of war”. This is hard to tell based on public sources, as there is too much speculation and misinformation. Fact is that nations are ramping up their cyber capabilities and/or are partnering with highly skilled groups in that area. But does this already mean that we have seen a nation state attacking another one with Stuxnet?</p>
<p>Do not base your judgment on sources where speed is more important than accuracy (something I often see on Twitter).</p>
<p>Scott Charney recently decomposed the threats in his paper called <a href="http://download.microsoft.com/download/F/1/3/F139E667-8922-48C0-8F6A-B3632FF86CFA/rethinking-cyber-threat.xps">Rethinking Cyber Threats and Strategies</a> (or – if you really want &#8211; the <a href="http://download.microsoft.com/download/F/1/3/F139E667-8922-48C0-8F6A-B3632FF86CFA/rethinking-cyber-threat.pdf">pdf</a> version). He distinguishes four categories of attacks:</p>
<ol>
<li>Conventional Cybercrime </li>
<li>Military Espionage </li>
<li>Economic Espionage </li>
<li>Cyber warfare </li>
</ol>
<p>What did we see with Stuxnet? We do not know, and just jumping on the bandwagon of the mass media because it is “cool” would be a little bit too easy. Fact is that the industry came together to fight this beast – which is the right thing to do – and I hope that the governments come together to find the criminals behind the worm and take appropriate action.</p>
<p>What do we learn from that?</p>
<p><b>Do not draw conclusions on who is behind an attack just because of the media (be it social media or mass media).</b></p>
<p>Finally, this leads me to my final plea, as it fairly often does when I blog on such things: Without good collaboration within the industry, between the industry and the governments, and between governments, it will be very, very hard to fight such attacks.</p>
<p>And the “really finally”: as security professionals, we have to make sure that we at least keep an eye on the facts and do not help to spread fuzz.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/10/12/stuxnet-talks-do-we-listen/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

