Roger Halbheer on Security » Incident Sharing

10 Years of Trustworthy Computing at Microsoft

Roger Halbheer — Thu, 12 Jan 2012 10:33:15 +0000

Before joining Microsoft a little bit more than 10 years ago, I ran a team at PricewarehoureCoopers on e-Business Risk Management – classical security consulting in the Internet bubble time. When I announced that I will leave PwC and join Microsoft, I got interesting reactions (and remember, this was 2001). Mainly they were along two lines:

Oh, you are joining a desktop company? Why?
A security guy? Joining Microsoft? hmm…

So, these reactions came from the time immediately before we launched Windows XP (you are not on XP today, are you? If you are, read this article). Microsoft was not perceived as an enterprise player and was not seen as secure – they were wrong back then in the first case but right in the second one I guess. I joined being part of the consulting organization but soon met the country manager and I was having a chat with him about the perception on Microsoft’s security in the market. We (say: he ) then decided that we need to work on that and that I shall draw a job description – the job then was called Chief Security Officer and Chief Security Advisor later on. And then Nimda hit! And then Blaster hit! And then Slammer hit! I had the “privilege” back then to run the incident response team in Switzerland and had the privilege to have customers screaming at me, tell me that we fucked up (that was a quote).

Interestingly in the meantime the famous Bill Gates’ Memo hit the streets, saying:

There are many changes Microsoft needs to make as a company to ensure and keep our customers’ trust at every level – from the way we develop software, to our support efforts, to our operational and business practices. As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable. Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers’ view of us as a company.

and even more important:

In the past, we’ve made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We’ve done a terrific job at that, but all those great features won’t matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve.

This memo led to the creation of Trustworthy Computing with Scot Charney running the organization since it’s beginning and Scott then created the Chief Security Advisor community, the community I was in since the beginning and have the honor to run today globally.

Coming back to the beginning: I remember the first keynote I did for Microsoft was on Trustworthy Computing immediately after this announcement. People approached me in the breaks and asked me whether I really believe what I just said: that Microsoft is going to change. And I confirmed that. I have never seen (not before nor after) a company stopping development for almost four months to address issues and then change the way the company operates – that radically. I would never ever put my name and my credibility at risk if I would not have believed back then and I am still convinced that we did and still do an outstanding job and that we are leading the industry today. Interestingly I do not get these questions anymore…

So, what happened over these 10 years of Trustworthy Computing? What were significant achievements? Well, there are numerous and I have to apologize to the teams I am not mentioning here upfront…

Immediately after SQL Slammer in 2003 we span up a process called Software Security Incident Response Process (SSIRP), a process which is still in place today and we constantly adapt it to new threats and especially new challenges. This was a huge effort as we needed to be able to ramp up an incident organization all across the globe 24*7 – and we still are today.
Probably the biggest and most fundamental change was the way we develop software. We introduced the Security Development Lifecycle (SDL) and constantly keep it updated. Not only did we change the development process internally, we make this information available to the industry for free. Others shall be able to learn from our learning from the past. What concerns me is the slow adoption of such methodologies from a vendor side as well as from a customer side. Who really asks for a process? Typically customers ask for product certification but not for a sound process – something we as an industry need to continue on changing.
Different teams were spun up to address security re-actively like the Microsoft Security Response Center and the Malware Protection Center.
Since 2006 we publish our Security Intelligence Report – the most comprehensive report in the market.
Our Digital Crimes Unit is fighting cybercrime from a legal as well as from a technology perspective. We are working closely with the Council of Europe and other organizations improving the legal situation. We are taking down botnets like Waledac, Rustock and Kelhios in close collaboration with the authorities. We are providing technology to fight sexual exploitation of children like PhotoDNA.

A lot of things happened over the course of the years and there is still a lot to do. These are just some highlights (besides the creation of the Chief Security Advisor community).

If you want to see a condensed version of the “life” of Trustworthy Computing”, here you go:

And the official story on the news center: At 10-Year Milestone, Microsoft’s Trustworthy Computing Initiative More Important than Ever

Sometimes I am asked how many people work at Microsoft on security. And the answer is "everybody” (well, almost ). It is not something we separate and put into a team labeled security. It is part of all our lives to one extent or another and this is the way it should be.

If I would have a wish for 2012, it would be that the industry would stand together much closer to address the issues of today and the future. I do not see that security is something the industry should compete on – rather collaborate to fight the criminals – together with the governments and the governments together with us. I was already fairly vocal about this in the Octopus Conference and will continue to ask for it. To help with this dialogue, we published a model called Cybersecurity Agenda for Governments and will soon publish a book on it as well.

In parallel, the teams internally will continue their great work to bring Trustworthy Computing to the next level. All of this is needed, when we think that there will be a third billion devices added to the Internet in the next five years!

Roger

Microsoft Malware Protection Center on Facebook and Twitter

Roger Halbheer — Thu, 28 Jul 2011 12:14:09 +0000

I know, I have been fairly slow in blogging currently but I was fairly busy with a few cool projects (which I will disclose later) and – time flies if you are having fun

Just a quick one:

The MMPC on Facebook and Twitter

The Microsoft Malware Protection Center (MMPC) officially launched its Facebook page and Twitter account. From this Welcome page, you can read the latest blog posts, see the latest Twitter feeds, and find out what threats most affect your desktop.

Roger

Cloud computing providers: Clueless about security?

Roger Halbheer — Wed, 04 May 2011 17:04:53 +0000

To me, one of the benefits of moving to the Cloud is security – obviously besides availability and costs.

Recent incidents made me doubt:

Amazon not only having significant downtime but in the same time losing customer data.
Sony’s game network being significantly compromised.

This is definitely not to blame them but I was heavily surprised. And then, I found this study by the Ponemon Institute: Cloud computing providers: Clueless about security?

If we look at this, it gives us a really scary picture of the industry – especially if I know how much effort we (and other Cloud provider) out into securing our customer’s data. If you look at the management summary, they say:

The majority of cloud computing providers surveyed do not believe their organization views the security of their cloud services as a competitive advantage. Further, they do not consider cloud computing security as one of their most important responsibilities and do not believe their products or services substantially protect and secure the confidential or sensitive information of their customers.

The majority of cloud providers believe it is their customer’s responsibility to secure the cloud and not their responsibility. They also say their systems and applications are not always evaluated for security threats prior to deployment to customers.

Buyer beware – on average providers of cloud computing technologies allocate10 percent or less of their operational resources to security and most do not have confidence that customers’ security requirements are being met.

Cloud providers in our study say the primary reasons why customers purchase cloud resources are lower cost and faster deployment of applications. In contrast, improved security or compliance with regulations is viewed as an unlikely reason for choosing cloud services.

The majority of cloud providers in our study admit they do not have dedicated security personnel to oversee the security of cloud applications, infrastructure or platforms.

Providers of private cloud resources appear to attach more importance and have a higher level of confidence in their organization’s ability to meet security objectives than providers of public and hybrid cloud solutions.

While security as a “true” service from the cloud is rarely offered to customers today, about one-third of the cloud providers in our study are considering such solutions as a new source of revenue sometime in the next two years.

What we should not think is, that the customer can just throw their data “over the wall” to the Cloud provider and then all the problems are solved. The customer still has obligations and as we state in our Cloud Computing Security Considerations paper:

Compliance and Risk Management: Organizations shifting part of their business to the cloud are still responsible for compliance, risk, and security management.

We are currently working on a series of papers for Private Clouds, Office 365 as well as Azure to show what still is the customer’s responsibility and what can be transferred to the Cloud Provider.

If you consider the points in the study above, it means that you have to do the due diligence and looking into what the provider does to secure your data. Process transparency is key in this respect!

Roger

Security Intelligence Report v9 is online

Roger Halbheer — Wed, 13 Oct 2010 15:46:05 +0000

Usually I blog intensively on the release of the Security Intelligence Report. However, this time I am out of office and have just little time to give you insight. We spent a lot of work to make it more comprehensive and give you a more stable view over quite some time. So there is a great opportunity to see trends regarding different figures like the Malware Infection Rates.

Additionally we re-designed the website. This is the most comprehensive report in the industry, so you should look into it: Security Intelligence Report

Roger

How to Detect a Hacker Attack

Roger Halbheer — Thu, 30 Sep 2010 12:33:03 +0000

This title immediately caught my attention and probably yours as well: How to detect a hacker attack – something I definitely want to know. And then I realized that the article a) is written from a techie and b) does not really cover the attacks I am worried of most. But I will address this toward the end and would appreciate your ideas as well.

If you look at the article, it gives 4 tips:

Suspiciously high outgoing traffic for dial-up and ADSL

Look out for strange looking files in the root directories of your drives and/or too much disk activity.

If your personal firewall is reporting blocking large packets of data from the same IP address

A lot of hackers still rely on trojans and backdoors. So, if your anti-virus software starts finding a lot of those, try increasing protection, use an Internet security suite instead of a basic anti-virus

That’s just an excerpt. If I look at my mom and dad – they never look at 1 (I do not do it either), 2 (I would just see it if I would clean up my machine), 3 (It might be in the event log but who is looking at the even log?). 4 is definitely a good thing as we said since ages (actually since Blaster) that there are three things you should do to protect your PC:

Switch on your firewall
Keep your software updated
Install an anti-malware solution and keep it updated (see Microsoft Security Essentials)

If we take it to a company level, the 4 tips about might look slightly different: 1 is network monitoring (if you see the anomalies), 2 is rarely done, 3 is rarely done and 4 again I hope is done.

But what really worries is me are not the attacks we are finding with the 4 tips above. Those are not the ones, which keep me up at night as they are noisy.

What about the stealth, targeted attacks – the real attacks? They do not create a lot of traffic (as the data is slipped out slowly), they hide the files “behind” other files, the use the universal firewall tunneling protocol (called HTTP) to transfer data and the malware they are using is just written for this single purpose: To attack just you!

How do we defend against those attacks? How do we even find them? They will sneak in through social engineering and I have to admit, that I am not clear what we can do against them – really. A few things come to my mind:

Risk Management – start with understanding your risk exposure not only from a technical side but who could be interested for what in your environment. How likely are you to be targeted by e.g. industrial espionage?
Patch Management – this is for sue. However, the targeted attacks often do not leverage technical vulnerabilities but the user. But staying on the latest versions of all your software is key to defend. This does not only mean security updates but “real” versions as well. If you are still on Windows XP, your risk exposure is significantly higher than on Windows 7
Information Protection – the classical encryption does not help here as the malware might impersonate you and then simply copy/past the data or transfer the data in plain text. I think that Rights Management Services could at least lower the risk of data loss.

What else? What do you do? I would be really interested hearing your ideas and approaches

Roger

How to Deal With Vulnerabilities

Roger Halbheer — Tue, 27 Jul 2010 14:53:53 +0000

This is always a fairly emotional theme. What is better to protect the ecosystem? Public or private disclosure? Should somebody paying for vulnerabilities or not? Is a vulnerability auction ethical or not?

I know that there are numerous views on that and I do not want to debate them here and now. What I just want to do here, is to show Microsoft’s position:

Since a long time Microsoft is working with the researcher community in close collaboration and my understanding is that the researcher community is fairly impressed with what we do, once they get the opportunity to look behind the scenes. One of the outcomes of this outreach is Bluehat – a Microsoft internal event where the researcher talk to our developers. A very and interesting and insightful get together.

When it comes to handling vulnerabilities, I guess you know Microsoft Security Response Center – the group within Microsoft chartered with handling security vulnerabilities. The policies behind working with the researcher community is two-fold:

We are not paying for security vulnerabilities, nor do we intend to do so. There was an article on ZDNet again a few days ago: Microsoft: No plans to pay for security vulnerabilities
We just recently announced a slight change in strategy towards Coordinated Vulnerability Disclosure, an approach, where the collaboration between the finder and the vendor shall be deepened.

For me, the joint goal between researcher and vendors has to be to protect the ecosystem against the criminals. And with ecosystem I mean not only the big enterprises, having security teams which are able to work on detailed vulnerability information but small and medium businesses as well as the consumer like my mom and dad as well. Therefore we think that the point above help to meet the requirements.

What are your thoughts on that?

Roger

A Detailed Analysis of an Attack – Do We Need an International Incident Sharing Database?

Roger Halbheer — Wed, 21 Apr 2010 12:46:34 +0000

I recently came across a paper called Shadows in the Cloud, which is actually a follow-up report of Tracking GhostNet: Investigating a Cyber Espionage Network, an investigation of the attacks on the office of the Dalai Lama and some governmental bodies. The report is written by two bodies who had the privilege to investigate those attacks: the Information Warfare Monitor and the Shadowserver Foundation.

Even though the report is out since quite some weeks, I think it makes sense to dig in it here as there are a few fairly remarkable conclusions and statements in there. One of the key things we should think about globally is an International Incident Sharing Database (see the end of the post).

Sharing and Collaboration

If you are a regular reader of my blog posts, you know that I am a big supporter of international collaboration and I am clear about the need of a common set of rules to establish this collaboration. If you read through the paper, you see in different areas that they were challenged during the investigation. On page 8 that state that On our side, we felt unsure about the protocol around information sharing, and were in an awkward position to be able to give information over to governments and affected parties directly without being entirely clear about whom would be responsible and whether or not our interlocutors were appropriate authorities. The notification problems around Ghostnet informed our approach to the Shadows in the Cloud investigation, including being more conscious from the outset of documenting our notification procedures. Think about that for a second. You investigate a security incident e.g. in your company. During the investigation you realize that you are not the only victim but that there are others, being it companies or governments. What do you do with this information? Whom do you contact? How can you be sure that this information gets into the right hands? A fairly hard question to answer and finally, what kind of information are you allowed to pass on? Additionally, Information sharing, generally speaking, is immature and underdeveloped, often hampered by proprietary concerns surrounding the commercial market for cyber security services (page 10) and Information sharing among victims of network intrusions and espionage is rare (page 10). Well, what I see fairly often is, that incidents do not happen as they are not supposed to happen. Rarely somebody talks openly about what happened to them.

In order to combat such attacks, the legal collaboration is key (again ). As otherwise, it points to the possibility of a perfect storm that may result from a lack of international consensus, ill-developed and implemented security practices, a paucity of notification mechanisms, and the growing confluence of cyber crime, traditional espionage, and the militarization of cyberspace (page 10). This simply tells us that we will lose the fight without international legal collaboration and harmonization as well as the willingness of the public and the private sector to share information.

Technology

From a technical perspective, they started to use Internet-based services. For example, they used Twitter to control the botnet as well as free mail services like Gmail and free blog services like Baidu. This is to enhance the command and control infrastructure of a botnet, something I was never aware of but is actually a logical enhancement of what we know already. The next point, when it comes to technology is the software they seem to have exploited: We observed the group using PDF, PPT, and DOC file formats to exploit Adobe Acrobat and Acrobat Reader, Microsoft Word 2003 and Microsoft PowerPoint 2003 – old software, software which was designed to cope with completely different threats than the ones existing today! And even is they decided to stay on the previous versions: The Microsoft Word 2003 and PowerPoint 2003 files were mostly older exploits, which have been circulating in the underground hacker community for some time. In other words: It is about patch management again… But to be fair, they fell victim of some vulnerabilities in PDF which were not patched at the time of the attack.

Source

Finally let’s think about the people behind the attacks. It is a joint understanding that the attacks originated from China. The Chinese government was accused to be the source behind it but they denied it and it has never been proven otherwise. Generally – not only in China – it can be expected that there is a close collaboration between governments and the hacking or as the report states: The degrees of the reported relationship vary between “authorize” to “tacit consent” to “tolerate” (Henderson 2007b).

Conclusions

What can we learn from the report? Actually nothing new, it just re-enforces my view of the world:

We have to be better in sharing incident information. This has two sides: One is between victims. There has to be a way (and, honestly, I do not have a solution yet) to find the right contact within a government or an organization to help them understand that they were attacked.
We need smooth and fast international legal collaboration. This has to be based on a solid harmonized legislation.
There are two calls when it comes to your software maintenance: Make sure you are on the latest version of your software and make sure you are patched. Patch Management is one of your fundamental processes in your organization!

And now to the final point I am thinking of since quite a while. The airline industry suffered initially from quite some technical incidents. The way the industry finally dealt with it was, to establish a sharing of incident information (as well as near misses) and a global body taking care of the airline safety (and the willingness of the governments to collaborate and share). The same actually started now in certain countries in the healthcare sector.

When it comes to Information Security we all deny incidents unless they become public – because we fear an impact on our reputation. We have to start thinking differently. We need a place where we are able to (anonymously?) file incident which happened or ways somebody was attacked to be shared between security professionals. That’s the only way where we can learn collectively and increase the pace of the products becoming better at defending and security professionals improve their skills in protecting the critical information. The critical question is who can own such a database? It has to be an organization which is trusted internationally and therefore cannot be state-owned. It could be an international association or and inter-governmental organization. Ideas are very welcome as I am convinced that there is a huge need of an International Incident Sharing Database.

Roger