<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Roger Halbheer on Security &#187; Processes</title>
	<atom:link href="http://www.halbheer.ch/security/tag/processes/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.halbheer.ch/security</link>
	<description>Information Security Discussion by Microsoft&#039;s Worldwide Chief Security Advisor.</description>
	<lastBuildDate>Thu, 12 Jan 2012 19:53:16 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Implementing the Top 4 Defense Strategies</title>
		<link>http://www.halbheer.ch/security/2011/12/13/implementing-the-top-4-defense-strategies/</link>
		<comments>http://www.halbheer.ch/security/2011/12/13/implementing-the-top-4-defense-strategies/#comments</comments>
		<pubDate>Tue, 13 Dec 2011 13:45:57 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Critical Infrastructure Protection]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Products]]></category>
		<category><![CDATA[Administrator]]></category>
		<category><![CDATA[AppLocker]]></category>
		<category><![CDATA[Patch Management]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/12/13/implementing-the-top-4-defense-strategies/</guid>
		<description><![CDATA[<p>The Australian Defense Signals Directorate maintains a list of the Top 35 Mitigation Strategies against targeted intrusions. This is just a reference to the top strategies:</p> Patch Applications Patch the Operating System Minimize the use of local admin Application whitelisting … <p>Looking at these 35 strategies, the DSD claims that</p> <p>While no single strategy can <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/12/13/implementing-the-top-4-defense-strategies/">Implementing the Top 4 Defense Strategies</a></span>]]></description>
			<content:encoded><![CDATA[<p>The Australian Defense Signals Directorate maintains a list of the <a href="http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm" target="_blank">Top 35 Mitigation Strategies</a> against targeted intrusions. This is just a reference to the top strategies:</p>
<ol>
<li>Patch Applications</li>
<li>Patch the Operating System</li>
<li>Minimize the use of local admin</li>
<li>Application whitelisting</li>
<li>…</li>
</ol>
<p>Looking at these 35 strategies, the DSD claims that</p>
<blockquote><p>While no single strategy can prevent this type of malicious activity, the effectiveness of implementing the top four strategies remains unchanged. Implemented as a package, these strategies would have prevented at least 70% of the intrusions that DSD analysed and responded to in 2009, and at least 85% of the intrusions responded to in 2010.</p>
</blockquote>
<p>This is pretty much in line with the anecdotal reference I could make, where we see successful attacks either coming in through unpatched systems (points 1 and 2), flaws in applications developed in-house (kind of point 2) or social engineering (points 3 and 4). However, these things are not that new, are they? We have been talking about patch management for a long time – and patch management not only for the Microsoft environment but for all applications, be it Microsoft, Adobe, in-house apps as well as open source operating systems.</p>
<p>The DSD even went a step further and developed a really good paper called <a href="http://www.dsd.gov.au/publications/Implementing_Top_4_for_Windows.pdf" target="_blank">Implementing DSD’s Top Four for Windows Environments</a>. Something definitely worth reading!</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/12/13/implementing-the-top-4-defense-strategies/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows Security Praised</title>
		<link>http://www.halbheer.ch/security/2011/08/16/windows-security-praised/</link>
		<comments>http://www.halbheer.ch/security/2011/08/16/windows-security-praised/#comments</comments>
		<pubDate>Tue, 16 Aug 2011 19:05:40 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Products]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Development Lifecycle]]></category>
		<category><![CDATA[SDL]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/08/16/windows-security-praised/</guid>
		<description><![CDATA[<p>A result of a study by Kaspersky Lab is fairly promising – even though it shows the problem moving up the stack:</p> <p>For the very first time in its history, the top 10 rating of vulnerabilities includes products from just two companies: Adobe and Oracle (Java), with seven of those 10 vulnerabilities being found <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/08/16/windows-security-praised/">Windows Security Praised</a></span>]]></description>
			<content:encoded><![CDATA[<p>A result of a study by Kaspersky Lab is fairly promising – even though it shows the problem moving up the stack:</p>
<blockquote><p><em>For the very first time in its history, the top 10 rating of vulnerabilities includes products from just two companies: Adobe and Oracle (Java), with seven of those 10 vulnerabilities being found in Adobe Flash Player alone. Microsoft products have disappeared from this ranking due to improvements in the automatic Windows update mechanism and the growing proportion of users who have Windows 7 installed on their PCs.</em></p></blockquote>
<p>The article can be found <a href="http://www.pcworld.com/article/238009/windows_security_praised.html" target="_blank">here</a>.</p>
<p>So, I think all application developers should start to use the <a href="http://www.microsoft.com/security/sdl/default.aspx" target="_blank">Security Development Lifecycle</a>.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/08/16/windows-security-praised/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Video on Microsoft&#8217;s Datacenter</title>
		<link>http://www.halbheer.ch/security/2011/07/29/video-on-microsofts-datacenter/</link>
		<comments>http://www.halbheer.ch/security/2011/07/29/video-on-microsofts-datacenter/#comments</comments>
		<pubDate>Fri, 29 Jul 2011 10:13:43 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Processes]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/07/29/video-on-microsofts-datacenter/</guid>
		<description><![CDATA[<p>A very good overview of the way we run Microsoft’s Cloud. The interesting thing is – if you look at the video – that most customers are still running their datacenters on generation 1-2, which means that the efficiency (labor as well as energy) we can deliver is significantly higher – not to mention our <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/07/29/video-on-microsofts-datacenter/">Video on Microsoft&#8217;s Datacenter</a></span>]]></description>
			<content:encoded><![CDATA[<p>A very good overview of the way we run Microsoft’s Cloud. The interesting thing is – if you look at the video – that most customers are still running their datacenters on generation 1-2, which means that the efficiency (labor as well as energy) we can deliver is significantly higher – not to mention our security.</p>
<p>Enjoy this tour:</p>
<p><iframe src="http://www.youtube.com/embed/hOxA1l1pQIw" frameborder="0" width="560" height="349"></iframe></p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/07/29/video-on-microsofts-datacenter/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How Microsoft Uses File Classification Infrastructure</title>
		<link>http://www.halbheer.ch/security/2011/06/08/how-microsoft-uses-file-classification-infrastructure/</link>
		<comments>http://www.halbheer.ch/security/2011/06/08/how-microsoft-uses-file-classification-infrastructure/#comments</comments>
		<pubDate>Wed, 08 Jun 2011 07:51:01 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Products]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Policies]]></category>
		<category><![CDATA[Processes]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/06/08/how-microsoft-uses-file-classification-infrastructure/</guid>
		<description><![CDATA[<p>Quite a while ago, I blogged about the File Classification Infrastructure in Windows Server 2008 R2:</p> File Classification Infrastructure in Windows Server 2008 R2 File Classification Infrastructure: More content <p>In my opinion, this is an interesting tool, built into your server platform.</p> <p>Now, we just published a paper about how we use this File Classification <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/06/08/how-microsoft-uses-file-classification-infrastructure/">How Microsoft Uses File Classification Infrastructure</a></span>]]></description>
			<content:encoded><![CDATA[<p>Quite a while ago, I blogged about the File Classification Infrastructure in Windows Server 2008 R2:</p>
<ul>
<li><a href="http://www.halbheer.ch/security/2009/05/14/file-classification-infrastructure-in-windows-server-2008-r2/" target="_blank">File Classification Infrastructure in Windows Server 2008 R2</a></li>
<li><a href="http://www.halbheer.ch/security/2009/06/29/file-classification-infrastructure-more-content/" target="_blank">File Classification Infrastructure: More content</a></li>
</ul>
<p>In my opinion, this is an interesting tool, built into your server platform.</p>
<p>Now, we just published a paper about how we use this File Classification infrastructure to protect PII. This is an interesting read: <a href="http://technet.microsoft.com/en-us/library/hh134225.aspx" target="_blank">Microsoft IT Uses File Classification Infrastructure to Help Secure Personally Identifiable Information</a></p>
<p>Here is the summary:</p>
<blockquote><p>In today&#8217;s high-tech world, collecting and storing data are business-critical processes that form an integral component of daily operations. However, the ever-increasing dependency on and use of electronic data also make data management more challenging—especially in light of government regulations for the appropriate use and storage of personally identifiable information (PII) and financial information. Improper storage of PII can also be a significant financial concern, as the cost of storage-related security breaches can be hundreds of dollars <em>per record</em>.</p>
<p>Microsoft Information Technology (IT) had been using an internally built solution to help secure personally identifiable information (PII), financial information, and other types of sensitive data by classifying internal file shares and Microsoft® SharePoint® sites. However, this solution was limited to defining information sensitivity at a file-share level. It also required each user to specify the sensitivity level of his or her file shares manually, which frequently led to mislabeled information.</p>
<p>This custom, internally developed solution also had a high total cost of ownership, requiring a significant amount of development and maintenance resources to fix identified issues and keep the system up to date, as each upgrade to the storage operating systems required upgrading the code.</p>
<p>Microsoft IT needed a solution that would bring consistency to the file classification process across all teams, and be able to scan content automatically at the file level for key words, terms, and patterns. It then had to apply the correct rights management protection based upon predefined security policies. Cost of ownership and performance were also important drivers for developing a new solution. Microsoft IT needed a system built from off-the-shelf, standardized Microsoft technology, that could scale across terabytes of data. With such a large amount of information, the solution had to be efficient at scanning files while maintaining a high degree of accuracy when identifying sensitive PII.</p>
</blockquote>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/06/08/how-microsoft-uses-file-classification-infrastructure/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cloud computing providers: Clueless about security?</title>
		<link>http://www.halbheer.ch/security/2011/05/04/cloud-computing-providers-clueless-about-security/</link>
		<comments>http://www.halbheer.ch/security/2011/05/04/cloud-computing-providers-clueless-about-security/#comments</comments>
		<pubDate>Wed, 04 May 2011 17:04:53 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Incident Sharing]]></category>
		<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Processes]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/05/04/cloud-computing-providers-clueless-about-security/</guid>
		<description><![CDATA[<p>To me, one of the benefits of moving to the Cloud is security – obviously besides availability and costs.</p> <p>Recent incidents made me doubt:</p> Amazon not only having significant downtime but at the same time losing customer data. Sony’s game network being significantly compromised. <p>This is definitely not to blame them but I was heavily <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/05/04/cloud-computing-providers-clueless-about-security/">Cloud computing providers: Clueless about security?</a></span>]]></description>
			<content:encoded><![CDATA[<p>To me, one of the benefits of moving to the Cloud is security – obviously besides availability and costs.</p>
<p>Recent incidents made me doubt:</p>
<ul>
<li>Amazon not only having significant downtime but at the same time losing customer data.</li>
<li>Sony’s game network being significantly compromised.</li>
</ul>
<p>This is definitely not to blame them but I was heavily surprised. And then, I found this study by the Ponemon Institute: <a href="http://www.ca.com/~/media/Files/IndustryResearch/security-of-cloud-computing-providers-final-april-2011.pdf" target="_blank">Cloud computing providers: Clueless about security?</a></p>
<p>If we look at this, it gives us a really scary picture of the industry – especially since I know how much effort we (and other Cloud providers) put into securing our customers’ data. If you look at the management summary, they say:</p>
<blockquote>
<ul>
<li>The majority of cloud computing providers surveyed do not believe their organization views the security of their cloud services as a competitive advantage. Further, they do not consider cloud computing security as one of their most important responsibilities and do not believe their products or services substantially protect and secure the confidential or sensitive information of their customers.</li>
<li>The majority of cloud providers believe it is their customer’s responsibility to secure the cloud and not their responsibility. They also say their systems and applications are not always evaluated for security threats prior to deployment to customers.</li>
<li>Buyer beware – on average providers of cloud computing technologies allocate 10 percent or less of their operational resources to security and most do not have confidence that customers’ security requirements are being met.</li>
<li>Cloud providers in our study say the primary reasons why customers purchase cloud resources are lower cost and faster deployment of applications. In contrast, improved security or compliance with regulations is viewed as an unlikely reason for choosing cloud services.</li>
<li>The majority of cloud providers in our study admit they do not have dedicated security personnel to oversee the security of cloud applications, infrastructure or platforms.</li>
<li>Providers of private cloud resources appear to attach more importance and have a higher level of confidence in their organization’s ability to meet security objectives than providers of public and hybrid cloud solutions.</li>
<li>While security as a “true” service from the cloud is rarely offered to customers today, about one-third of the cloud providers in our study are considering such solutions as a new source of revenue sometime in the next two years.</li>
</ul>
</blockquote>
<p>What we should not think is that the customer can just throw their data “over the wall” to the Cloud provider and then all the problems are solved. The customer still has obligations and, as we state in our <a href="http://go.microsoft.com/?linkid=9708479" target="_blank">Cloud Computing Security Considerations</a> paper:</p>
<blockquote><p><em>Compliance and Risk Management</em>: Organizations shifting part of their business to the cloud are still responsible for compliance, risk, and security management.</p></blockquote>
<p>We are currently working on a series of papers for Private Clouds, Office 365 as well as Azure to show what is still the customer’s responsibility and what can be transferred to the Cloud Provider.</p>
<p>If you consider the points in the study above, it means that you have to do your due diligence and look into what the provider does to secure your data. Process transparency is key in this respect!</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/05/04/cloud-computing-providers-clueless-about-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mutual Authentication in Real Life&#8211;Launching a Nuclear Missile&#8230;</title>
		<link>http://www.halbheer.ch/security/2011/03/30/mutual-authentication-in-real-lifelaunching-a-nuclear-missile/</link>
		<comments>http://www.halbheer.ch/security/2011/03/30/mutual-authentication-in-real-lifelaunching-a-nuclear-missile/#comments</comments>
		<pubDate>Wed, 30 Mar 2011 16:25:33 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Critical Infrastructure Protection]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[People]]></category>
		<category><![CDATA[Policy]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Critical Infrastructure]]></category>
		<category><![CDATA[Policies]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Terrorism]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/03/30/mutual-authentication-in-real-lifelaunching-a-nuclear-missile/</guid>
		<description><![CDATA[<p>A few years ago, I wanted to run an exercise with our incident response team in Switzerland. A customer, the government and I came together to develop the goals and the scenario. One of the key questions we tried to answer together with the university, which we wanted to use as observers, was whether we <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/03/30/mutual-authentication-in-real-lifelaunching-a-nuclear-missile/">Mutual Authentication in Real Life&#8211;Launching a Nuclear Missile&#8230;</a></span>]]></description>
			<content:encoded><![CDATA[<p>A few years ago, I wanted to run an exercise with our incident response team in Switzerland. A customer, the government and I came together to develop the goals and the scenario. One of the key questions we tried to answer together with the university, which we wanted to use as observers, was whether we would be able to ramp up the communication channels and keep them up even if bad things happen (like the building having to be evacuated). By ramping up the channels, I was not necessarily interested in the technical side but in the people side, especially as the key leaders of the incident teams were the ones running the exercise. So, you had the people who had known each other for years sitting there and just listening in.</p>
<p>If you think about it: even if you know that you are on call for an incident response team, if you get a call from national intelligence telling you that something bad is happening, how can you know that they are genuine? Just because they know the incident number? An interesting question, and we realized that we had not addressed it for the case where the key people were not present. Now this is for a security-related IT incident.</p>
<p>Reading this article <a href="http://www.slate.com/id/2286735" target="_blank">An Unsung Hero of the Nuclear Age</a> scared me, as it seems that this problem was not even solved for launching nuclear missiles. It asks a fundamental question:</p>
<blockquote><p>How can any missile crewman know that an order to twist his launch key in its slot and send a thermonuclear missile rocketing out of its silo—a nuke capable of killing millions of civilians—is lawful, legitimate, and comes from a sane president?</p></blockquote>
<p>So, even though the article is fairly long, it is worth reading.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/03/30/mutual-authentication-in-real-lifelaunching-a-nuclear-missile/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft Security Update Guide, Second Edition</title>
		<link>http://www.halbheer.ch/security/2011/03/28/microsoft-security-update-guide-second-edition/</link>
		<comments>http://www.halbheer.ch/security/2011/03/28/microsoft-security-update-guide-second-edition/#comments</comments>
		<pubDate>Mon, 28 Mar 2011 15:32:40 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Patch Management]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Security Updates]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/03/28/microsoft-security-update-guide-second-edition/</guid>
		<description><![CDATA[<p>A while ago we released the Microsoft Security Update Guide to explain how we release security updates and how you should/could work with our updates. It encompasses these themes:</p> Get to know the security update release process Learn how to evaluate risk See how to mitigate security risks Understand how quickly you need to apply <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/03/28/microsoft-security-update-guide-second-edition/">Microsoft Security Update Guide, Second Edition</a></span>]]></description>
			<content:encoded><![CDATA[<p>A while ago we released the Microsoft Security Update Guide to explain how we release security updates and how you should/could work with our updates. It encompasses these themes:</p>
<ul>
<li>Get to know the security update release process</li>
<li>Learn how to evaluate risk</li>
<li>See how to mitigate security risks</li>
<li>Understand how quickly you need to apply updates</li>
<li>Assess your update</li>
<li>Get ongoing security</li>
</ul>
<p>If you are somehow linked to the security update process in your organization, you should download it and look at it here: <a href="http://www.microsoft.com/security/msrc/whatwedo/securityguide.aspx" target="_blank">Microsoft Security Update Guide, Second Edition</a></p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/03/28/microsoft-security-update-guide-second-edition/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Aligning Security with the Business</title>
		<link>http://www.halbheer.ch/security/2011/03/01/aligning-security-with-the-business/</link>
		<comments>http://www.halbheer.ch/security/2011/03/01/aligning-security-with-the-business/#comments</comments>
		<pubDate>Tue, 01 Mar 2011 16:25:53 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[People]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Trends]]></category>
		<category><![CDATA[Policies]]></category>
		<category><![CDATA[Processes]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/03/01/aligning-security-with-the-business/</guid>
		<description><![CDATA[<p>Do you know the feeling? You need to share a large file with somebody outside your organization. The file is too big to be sent by e-mail. What can you do? Well, you might have a service by internal IT (we have one) which is not really user-friendly, hard to use and – as you do <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/03/01/aligning-security-with-the-business/">Aligning Security with the Business</a></span>]]></description>
			<content:encoded><![CDATA[<p>Do you know the feeling? You need to share a large file with somebody outside your organization. The file is too big to be sent by e-mail. What can you do? Well, you might have a service by internal IT (we have one) which is not really user-friendly, hard to use and – as you do not need it too often – you are never able to remember where that single e-mail is that describes how to use the service. Right?</p>
<p>Well, attachments are limited partly because of mailbox sizes and DoS via mail. But why do we not have an easy way to share public information (e.g. the presentation deck I need next week)? Guess what happens:</p>
<p><a href="http://www.readwriteweb.com/enterprise/2011/02/survey-85-of-employees-under-2.php">Survey: 85% of Employees Under 25 Use Personal E-Mail Accounts for Work</a></p>
<p>A surprise? Really? Not for me…</p>
<blockquote><p>The main reason these workers turn to personal email seems to be the attachment size limits of their official work email accounts. As <a href="http://www.readwriteweb.com/enterprise/2010/11/social-media-at-work.php">we&#8217;ve reported</a>, <a href="http://www.paloaltonetworks.com/">Palo Alto Networks</a> found that Web-based file sharing such as <a href="http://megaupload.com">Megaupload</a> is also very popular in the workplace.</p></blockquote>
<p>Do you like your files on public file sharing sites? Even public files? I do not.</p>
<p>…or…</p>
<blockquote><p>…I also noticed that many employees used personal accounts for work because they didn&#8217;t have offsite access to their company email</p></blockquote>
<p>Well, there is OWA or DirectAccess – no need for the clumsy and not-user-friendly VPN anymore…</p>
<p>And we feel so good with our policy not to allow these things… We block certain websites, without giving the user an ability to solve the business problem. The user circumvents security and the security people sleep very well as they have such a stringent policy.</p>
<p>This is definitely a wrong perception of security.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/03/01/aligning-security-with-the-business/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Infrastructure Planning and Design Guide for Malware Response</title>
		<link>http://www.halbheer.ch/security/2011/02/20/infrastructure-planning-and-design-guide-for-malware-response/</link>
		<comments>http://www.halbheer.ch/security/2011/02/20/infrastructure-planning-and-design-guide-for-malware-response/#comments</comments>
		<pubDate>Sun, 20 Feb 2011 16:25:52 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Processes]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/02/20/infrastructure-planning-and-design-guide-for-malware-response/</guid>
		<description><![CDATA[<p>A new version of this guide went live – I think it is something you should look at. There is a methodology and a process in detail:</p> <p>So, if you want to learn more: http://technet.microsoft.com/en-us/library/cc162838.aspx</p> <p>Roger</p> ]]></description>
			<content:encoded><![CDATA[<p>A new version of this guide went live – I think it is something you should look at. There is a methodology and a process in detail:</p>
<p><img src="http://i.technet.microsoft.com/Cc162838.image1(en-us,TechNet.10).jpg" /></p>
<p>So, if you want to learn more: <a title="http://technet.microsoft.com/en-us/library/cc162838.aspx" href="http://technet.microsoft.com/en-us/library/cc162838.aspx">http://technet.microsoft.com/en-us/library/cc162838.aspx</a></p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/02/20/infrastructure-planning-and-design-guide-for-malware-response/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Quit Worrying About Cloud Security?</title>
		<link>http://www.halbheer.ch/security/2011/02/04/quit-worrying-about-cloud-security/</link>
		<comments>http://www.halbheer.ch/security/2011/02/04/quit-worrying-about-cloud-security/#comments</comments>
		<pubDate>Fri, 04 Feb 2011 10:47:00 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Policies]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[Risk Management]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/02/04/quit-worrying-about-cloud-security/</guid>
		<description><![CDATA[More and more I see articles and posts that claim that security could actually improve if you migrate to the Cloud. And more and more I am a firm believer in these statements. It is not about forgetting best practices and just handing over everything to the Cloud provider. It is about adapting your practices to the new reality. <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/02/04/quit-worrying-about-cloud-security/">Quit Worrying About Cloud Security?</a></span>]]></description>
			<content:encoded><![CDATA[<p>Well, it is not THAT easy, but at least there are people starting to claim that it is not as hard as it sometimes seems to be. I stumbled across the following article: <a href="http://fcw.com/articles/2011/01/31/cloud-security.aspx?s=security_030211&amp;admgarea=TC_SECCYBERSEC" target="_blank">Why you can quit worrying about cloud security</a> (thank you Jim), which makes a lot of interesting statements on how the US Federal Government should look at the cloud. In a lot of cases they are in line with what Doug Cavit and I wrote in the <a href="http://go.microsoft.com/?linkid=9708479" target="_blank">Cloud Computing Security Considerations</a>:</p>
<blockquote><p>“We must push the envelope,” said James Williams, CIO at NASA’s Ames Research Center, which is developing the Nebula infrastructure as a service offering for the entire agency. “It&#8217;s not so much about making the cloud secure but about using the cloud to leverage best practices in security across an enterprise.” </p>
</blockquote>
<p>Interesting! I recently had a discussion with our Chief Security Advisor in Australia and he told me how the Cloud currently comes into play: Customers are not looking for a cloud solution but for a way to improve their GRC processes. In parallel they have to reduce costs. Why not use the Cloud for this? Instead of trying to get ISO 27001 certified yourselves – we already are. Instead of going through a SAS 70 Type II audit yourselves – we already have. And the reason for that is fairly simple: We need to, in order to help you become compliant, and besides, it is our core business. Is running a datacenter in a compliant way yours?</p>
<p>So, the article above mentions four reasons why you should stop worrying:</p>
<blockquote><p><strong>1. Sharing the cloud with strangers isn&#8217;t always a deal breaker</strong>.</p>
<p>[…] </p>
<p>Those risks are real, but they shouldn’t be deal breakers if proper steps are taken, especially given the potential financial rewards of multitenancy services. “You make a mistake if, in order to get security, you avoid co-tenancy entirely,” Rasch said.</p>
<p>There are ways to make such environments safer. At the Treasury Department, for example, officials are choosy about what they send to the cloud.</p>
<p>[…]</p>
<p>But Williams warned that cloud customers need to look below the surface. “Serious attention must be paid to crypto-implementation for processing and storage,” he said. He advises administrators to investigate each provider’s encryption strategy to answer the ultimate question: “Do you trust the algorithm as implemented by the vendor?” </p>
</blockquote>
<p>It has to be about understanding your data and its classification. If you do not understand your data, you cannot make the decision described above. This reflects the last point in our paper, <em>Information Protection</em>. Additionally, trust leads back to certification: the cryptographic modules the provider uses for processing and storage have to be FIPS 140 validated, not just "encryption" in the marketing sense.</p>
<blockquote><p><strong>2. FedRAMP is good start, but only the beginning.</strong></p>
<p>Federal officials are optimistic that the budding Federal Risk and Authorization Management Program will simplify cloud security, but agencies shouldn’t let their guards down. Even after it’s finalized, don’t expect FedRAMP to relieve you of all security burdens. </p>
</blockquote>
<p>I cannot (and do not want to) comment on FedRAMP. But what I keep saying (and wrote again in the paper) is: whatever you do with the Cloud, compliance and risk management remain your responsibility!</p>
<p>However, the interesting thing is that as soon as money is involved, the discussion starts about which standards are the right ones to build something like that upon… I will not comment on that further.</p>
<blockquote><p><strong>3. Outsourcing to the cloud? Don&#8217;t abdicate on security</strong></p>
<p>Cloud computing increases the importance of a security best practice that every agency CIO might soon need to implement: continuous monitoring of IT resources and activities</p>
</blockquote>
<p>See the point I made above: it is your responsibility. One thing is important to understand: If you are shooting for a public Cloud, you have to be aware of the fact that this is a standard service, out of the box. The ability to customize it to your compliance needs is very, very limited, because that is what the public Cloud is all about. You will have to trust the standards applied and the audits done by the Cloud provider. These audit reports have to be accessible to you as a customer (possibly under NDA). We are talking about economies of scale, since you are looking for lower costs.</p>
<p>If you need tighter security, more controls, etc., you might want to consider a private Cloud (on- or off-premise).</p>
<blockquote><p><strong>4. Off-the-shelf security terms are often negotiable.</strong></p>
<p>Not all cloud security challenges are caused by still-evolving best practices and immature technologies. Some are the result of ongoing confusion about where a cloud service provider’s data management responsibilities end and the agency’s begin. </p>
<p>For example, don’t assume that the cloud provider will automatically back up data and store it on off-site tapes — a reasonable assumption under long-standing data protection practices. Similarly, a traditional intrusion detection system might not be included in a standard cloud contract. </p>
<p>“Those are services you can add, but if you don’t ask, you are not getting them oftentimes,” Cronin said. </p>
<p>Avoid unpleasant surprises and finger-pointing by diligently combing through cloud quotes to clearly understand what is being provided. And be ready to negotiate for anything that’s not spelled out in the document. </p>
</blockquote>
<p>Therefore we ask customers to run a strong security and risk management team within their organization. That team needs to be included in the contract negotiations, and I would definitely expect a Cloud provider to run the service in a professional way. At the end of the day, you have to be able to trust your provider.</p>
<p>There is also a very interesting statement at the end of the article:</p>
<blockquote><p>“There is initially a belief that the cloud may not be as secure as [an agency’s] own infrastructure,” Cronin said. “But a cloud solution can be more secure than many federal systems that are on legacy infrastructures using legacy controls.” </p>
</blockquote>
<p>If you are honest and set your feelings aside: How good is your security? Really! Don’t get me wrong. I do not claim that security is bad everywhere and that only Cloud providers know how to deal with it, but I have seen a lot of very scary things which cannot be changed internally precisely because you are internal. If the provider applies the best practices, you “have to” adopt these processes. This might be a great opportunity to increase your security.</p>
<p>And finally, there was an Australian KPMG report which makes similar statements: <a href="http://www.halbheer.ch/security/2010/09/28/customer-experience-study-security-improves-in-the-cloud-2/" target="_blank">Customer Experience: Security Can Improve in the Cloud</a></p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/02/04/quit-worrying-about-cloud-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

