Roger Halbheer on Security » Processes

Keep all your software updated and current

Roger Halbheer — Fri, 13 Apr 2012 06:48:45 +0000

I know that I keep going and going on that. When I talk to customers and mainly to providers of the critical infrastructure about security, one of the key things to me is to keep the software updated. It is about patching and it is about staying on the latest version of your software. To me, today Windows XP is a huge risk out there. It was an outstanding operating system when it was launched but it is definitely outdated if you think about how the threat landscape looked like only 5-10 years ago. I am aware of the fact that not all systems can be upgraded because of compatibility issues, a vendor might not even exist anymore. Then these systems need definitely be shielded in different ways to keep them as far off the network as possible.

The reason for this post is, that I still see a lot of customers who developed a really good practice for handling Microsoft updates but not for the rest. I just read these two articles this morning:

So, make sure you cover all your software including third-party apps and open source.

Roger

Implementing the Top 4 Defense Strategies

Roger Halbheer — Tue, 13 Dec 2011 13:45:57 +0000

The Australian Defense Signals Directorate maintains a list of the Top 35 Mitigation Strategies against targeted intrusions. This is just a reference to the top strategies:

Patch Applications
Patch the Operating System
Minimize the use of local admin
Application whitelisting
…

Looking at these 35 strategies, the DSD claims that

While no single strategy can prevent this type of malicious activity, the effectiveness of implementing the top four strategies remains unchanged. Implemented as a package, these strategies would have prevented at least 70% of the intrusions that DSD analysed and responded to in 2009, and at least 85% of the intrusions responded to in 2010.

This is pretty much in line with the anecdotal reference I could make where we see successful attacks either coming in through unpatched systems (point 1 and 2), flaws in applications developed in-house (kind of point 2) and social engineering (point 3 and 4). However, these things are not that new, aren’t they? We are talking about patch management since a long time – and patch management not only for the Microsoft environment but the all the applications, being it Microsoft, Adobe, in-house Apps as well as Open Source operating systems.

The DSD even went a step further and developed a really good paper called Implementing DSD’s Top Four for Windows Environments. Something definitely worth reading!

Roger

Windows Security Praised

Roger Halbheer — Tue, 16 Aug 2011 19:05:40 +0000

A result of a study by Kasperski lab is fairly promising – even though it shows the problem being raising up the stack:

For the very first time in its history, the top 10 rating of vulnerabilities includes products from just two companies: Adobe and Oracle (Java), with seven of those 10 vulnerabilities being found in Adobe Flash Player alone. Microsoft products have disappeared from this ranking due to improvements in the automatic Windows update mechanism and the growing proportion of users who have Windows 7 installed on their PCs.

The article can be found here.

So, I think all application developers should start to use the Security Development Lifecycle.

Roger

Video on Microsoft’s Datacenter

Roger Halbheer — Fri, 29 Jul 2011 10:13:43 +0000

A very good overview over the way we run Microsoft’s Cloud. The interesting thing is – if you look at the video – that most customers are still running their datacenters on generation 1-2, which means that the efficiency (labor as well as energy) we can deliver is significantly higher – not talking of our . . . → Read More: Video on Microsoft’s Datacenter

How Microsoft Uses File Classification Infrastructure

Roger Halbheer — Wed, 08 Jun 2011 07:51:01 +0000

Quite a while ago, I blogged about the File Classification Infrastructure in Windows Server 2008 R2:

In my opinion, this is an interesting tool, built in to your server platform.

Now, we just published a paper about how we use this File Classification infrastructure to protect PII. This is an interesting read: Microsoft IT Uses File Classification Infrastructure to Help Secure Personally Identifiable Information

Here is the summary:

In today’s high-tech world, collecting and storing data are business-critical processes that form an integral component of daily operations. However, the ever-increasing dependency on and use of electronic data also make data management more challenging—especially in light of government regulations for the appropriate use and storage of personally identifiable information (PII) and financial information. Improper storage of PII can also be a significant financial concern, as the cost of storage-related security breaches can be hundreds of dollars per record.

Microsoft Information Technology (IT) had been using an internally built solution to help secure personally identifiable information (PII), financial information, and other types of sensitive data by classifying internal file shares and Microsoft® SharePoint® sites. However, this solution was limited to defining information sensitivity at a file-share level. It also required each user to specify the sensitivity level of his or her file shares manually, which frequently led to mislabeled information.

This custom, internally developed solution also had a high total cost of ownership, requiring a significant amount of development and maintenance resources to fix identified issues and keep the system up to date, as each upgrade to the storage operating systems required upgrading the code.

Microsoft IT needed a solution that would bring consistency to the file classification process across all teams, and be able to scan content automatically at the file level for key words, terms, and patterns. It then had to apply the correct rights management protection based upon predefined security policies. Cost of ownership and performance were also important drivers for developing a new solution. Microsoft IT needed a system built from off-the-shelf, standardized Microsoft technology, that could scale across terabytes of data. With such a large amount of information, the solution had to be efficient at scanning files while maintaining a high degree of accuracy when identifying sensitive PII.

Roger

Cloud computing providers: Clueless about security?

Roger Halbheer — Wed, 04 May 2011 17:04:53 +0000

To me, one of the benefits of moving to the Cloud is security – obviously besides availability and costs.

Recent incidents made me doubt:

Amazon not only having significant downtime but in the same time losing customer data.
Sony’s game network being significantly compromised.

This is definitely not to blame them but I was heavily surprised. And then, I found this study by the Ponemon Institute: Cloud computing providers: Clueless about security?

If we look at this, it gives us a really scary picture of the industry – especially if I know how much effort we (and other Cloud provider) out into securing our customer’s data. If you look at the management summary, they say:

The majority of cloud computing providers surveyed do not believe their organization views the security of their cloud services as a competitive advantage. Further, they do not consider cloud computing security as one of their most important responsibilities and do not believe their products or services substantially protect and secure the confidential or sensitive information of their customers.

The majority of cloud providers believe it is their customer’s responsibility to secure the cloud and not their responsibility. They also say their systems and applications are not always evaluated for security threats prior to deployment to customers.

Buyer beware – on average providers of cloud computing technologies allocate10 percent or less of their operational resources to security and most do not have confidence that customers’ security requirements are being met.

Cloud providers in our study say the primary reasons why customers purchase cloud resources are lower cost and faster deployment of applications. In contrast, improved security or compliance with regulations is viewed as an unlikely reason for choosing cloud services.

The majority of cloud providers in our study admit they do not have dedicated security personnel to oversee the security of cloud applications, infrastructure or platforms.

Providers of private cloud resources appear to attach more importance and have a higher level of confidence in their organization’s ability to meet security objectives than providers of public and hybrid cloud solutions.

While security as a “true” service from the cloud is rarely offered to customers today, about one-third of the cloud providers in our study are considering such solutions as a new source of revenue sometime in the next two years.

What we should not think is, that the customer can just throw their data “over the wall” to the Cloud provider and then all the problems are solved. The customer still has obligations and as we state in our Cloud Computing Security Considerations paper:

Compliance and Risk Management: Organizations shifting part of their business to the cloud are still responsible for compliance, risk, and security management.

We are currently working on a series of papers for Private Clouds, Office 365 as well as Azure to show what still is the customer’s responsibility and what can be transferred to the Cloud Provider.

If you consider the points in the study above, it means that you have to do the due diligence and looking into what the provider does to secure your data. Process transparency is key in this respect!

Roger

Mutual Authentication in Real Life–Launching a Nuclear Missile…

Roger Halbheer — Wed, 30 Mar 2011 16:25:33 +0000

A few years ago, I wanted to run an exercise with our incident response team in Switzerland. A customer, the government and me came together to develop the goals and the scenario. One of the key question we tried to answer together with the university, which we wanted to use as observers was, whether we would be able to ramp up the communication channels and keep them up even if bad things happen (like the building has to be evacuated). By ramping up the channels, I was not necessarily interested in the technical side but in the people side. Especially as the key leaders of the incident teams were the ones running the exercise. So, you had the people who knew each other for years sitting there and just listening in.

If you think about it: Even if you know that you are on call for an incident response team, if you get a call from national intelligence telling you that something bad happens, how can you know that they are genuine? Just because they know the incident number? An interesting question we realized that we did not address it if the key people were not present. Now this is for a security-related IT incident.

Reading this article An Unsung Hero of the Nuclear Age scared me as it seems that this problem was not even solved launching nuclear missile. It asks a fundamental question:

How can any missile crewman know that an order to twist his launch key in its slot and send a thermonuclear missile rocketing out of its silo—a nuke capable of killing millions of civilians—is lawful, legitimate, and comes from a sane president?

So, even though the article is fairly long it is worth reading

Roger

Microsoft Security Update Guide, Second Edition

Roger Halbheer — Mon, 28 Mar 2011 15:32:40 +0000

A while ago we released the Microsoft Security Update Guide to explain how we release security updates and how you should/could work with our updates. It encompasses these themes:

Get to know the security update release process
Learn how to evaluate risk
See how to mitigate security risks
Understand how quickly you need to apply updates
Assess your update
Get ongoing security

If you are somehow linked to the security update process in your organization, you should download it and look at it here: Microsoft Security Update Guide, Second Edition

Roger

Aligning Security with the Business

Roger Halbheer — Tue, 01 Mar 2011 16:25:53 +0000

Do you know the feeling? You should share a large file with somebody outside your organization. The file is too big to be sent by e-mail. What can you do? Well, you might have a service by internal IT (we have one) which is not really user-friendly, hard to use and – as you do not need to too often – you are never able to remember, where this single e-mail is which describes how to use the service. Right?

Well, this is partly because of the mailbox sizes and DOS on mails, attachments are limited. But why do we not have an easy way to share public information (e.g. the presentation deck I need next week)? Guess, what happens:

Survey: 85% of Employees Under 25 Use Personal E-Mail Accounts for Work

A surprise? Really? Not for me…

The main reason these workers turn to personal email seems to be the attachment size limits of their official work email accounts. As we’ve reported, Palo Alto Networks found that Web-based file sharing such as Megaupload is also very popular in the workplace.

Do you like your files on public file sharing sites? Even public files? I do not.

…or…

…I also noticed that many employees used personal accounts for work because they didn’t have offsite access to their company email

Well, there is OWA or DirectAccess – no need for the clumsy and not-user-friendly VPN anymore…

And we feel so good with our policy not to allow these things… We block certain websites, without giving the user an ability to solve the business problem. The user circumvents security and the security people sleep very well as they have such a stringent policy.

This is definitely a wrong perception of security.

Roger

Infrastructure Planning and Design Guide for Malware Response

Roger Halbheer — Sun, 20 Feb 2011 16:25:52 +0000

A new version of this guide went live – I think something, you should look at. There is a metrology and a process in detail:

So, if you want to learn more: http://technet.microsoft.com/en-us/library/cc162838.aspx

Roger