
Post on 16-Dec-2015


Page 1: Advancing Security Progress and Commitment John Wylder CISSP, CHS Strategic Security Advisor jwylder@microsoft.com


Page 2

Agenda

Update on current security issues

Comments on threats and vulnerabilities

Microsoft’s response

Suggestions and guidance

Questions and (hopefully) answers

Page 3

Breaking news…

Microsoft update full of tests

“The biggest Windows security upgrade walks a fine line between making things safe and making things work”

The Oregonian, Monday, July 19, 2004

Page 4

Breaking news part 2…

Mobile device virus

Antivirus researchers have discovered the first bug to target Microsoft's Pocket PC. Russian-based antivirus firm Kaspersky Labs said Duts was created by Ratter, the pseudonym of a virus writer who is an active member of the international group 29A. The group is famous for its proof-of-concept viruses, like the mobile phone-targeting Cabir and Rugrat, the first known virus capable of attacking 64-bit Windows files.

searchsecurity.com, July 19, 2004

Page 5

System Security

Security Ecosystem

Host

Application

Account

Trust

Network

External Influences (people, bugs, etc.)

Exploit of misconfiguration, buffer overflows, open shares, NetBIOS attacks

Unauthenticated access to applications, unchecked memory allocations

Compromise of integrity or privacy of accounts

Data sniffing on the wire, network fingerprinting

Unmanaged trusts enable movement among environments

nedc
Not sure this slide belongs in this presentation. This is more like a security training slide. It could be left as reference, but for some reason it is out of flow.

Page 6

The Typical Security Environment Today

…hard to manage, to support and ever increasingly complex

Page 7

Exploit Timeline

Days From Patch to Exploit

The average is now nine days for a patch to be reverse-engineered

As this cycle keeps getting shorter, patching is a less effective defense in large organizations

Why does this gap exist?

[Chart: Days between patch and exploit, from patch to exploit code. Worms shown: Blaster, Welchia/Nachi, Nimda, SQL Slammer. Values shown on the chart: 151, 180, 331, 25.]

Page 8

Top information security issues for 2004

Viruses and worms remain biggest worry

Patch management

The patch management issue relates directly to the concern over viruses and worms.

“Hybrid threats will drive the need for hybrid solutions” Ed Yakabovicz, ISO for Bank One’s Corporate Internet group.

“2004 might just be the year that the next big worm carries a destructive payload.” Kevin Beaver, CISSP, Principle Logic.

Page 9

Top information security issues for 2004, part 2

Compliance with regulations (HIPAA, GLB) is a growing concern

Is regulation the principal driver for security in your enterprise? Yes (45%).

How will compliance impact your security spending?

15% say “compliance is a big chunk of our budget.”

Source: searchsecurity.com, 1/14/2004

“A combination of laws and regulations will push companies and organizations towards more security, but it will still take longer than you would like.” Jonathan Callas, CTO, PGP.

Page 10

Why businesses continue to get attacked by viruses, worms, and frauds?

Failure to recognize that security is a process issue, not an object, requiring risk management & responsiveness

No 100% perfect security

Security is only as strong as the weakest link

When nothing happens, well, nothing happens

No attention translates to zero or limited security budget and investment

No provision equals no security readiness

Feel-safe syndrome – we have not been attacked in the past

Page 11

Why businesses continue to get attacked by viruses, worms, and frauds?

There are no magic beans, no silver bullets

Fraudsters and attackers exploit the weakest links – it could be your technology, process, and/or people (including employees, partners, and customers)

Page 12

Awareness alone is not enough

“The organizers of the conference Infosecurity Europe 2004 announced that they surveyed office workers at Liverpool Street Station in England, and found that 71 percent were willing to part with their password for a chocolate bar.”

Security Pipeline, April 20, 2004

Page 13

Usage of Firewalls

[Chart: Usage of firewalls. Categories: Internal and external; Internal, no external; No internal, external; No internal, no external. Values shown on the chart: 53.5, 5, 31.7, 9.9.]

Source: Microsoft Customer Risk Assessments

Page 14

Mapping Worms to “User” Days of Risk

Reaction time is critical in preventing viruses and worms, which can cost organizations billions.

Forrester Research said that customers typically required more than 300 days to fully deploy patches for many of these issues after the fix appeared.

The race begins when the technical details of an issue are made public.

Worm: Number of days from release of exploit to worm appearance

Scalper (2002, FreeBSD) (*early disclosure): 11 days

Blaster (2003, Windows): 16 days

Code Red (2001, Windows): 24 days

Lion (2001, Linux): 53 days

Slapper (2002, Linux): 58 days

Melissa (1999, Windows): 64 days

Nimda (2001, Windows): 172 days

Slammer (2003, Windows): 180 days

Ramen (2001, Linux): 208 days

Source: Microsoft, Forrester

Page 15

Reduce Security Risk

Assess the environment

Improve isolation and resiliency

Develop and implement controls

Increase Business Value

Connect with customers

Integrate with partners

Empower employees

[Diagram labels: Risk Level; Impact to Business; Probability of Attack; ROI; Connected; Productive]

Page 16

“Give us better access control”

“Develop reliable and secure software”

“Simplify critical maintenance”

“Reduce impact of malware”

“Provide better guidance”

Improve Updating

Engineering Excellence

Authentication, Authorization, Access Control

Isolation and Resiliency

Deliver Security Guidance, Tools, Responsiveness

Page 17

Isolation And Resiliency

Mitigating risk through innovation

Reduce attack surface and vectors

Proactively deflect and contain threats

A computing platform that is more resilient in the presence of security threats

Page 18

Communicate and collaborate in a more secure manner without sacrificing information worker productivity

Page 19

Application-aware firewalls

Intrusion prevention

Dynamic system protection

Behavior blocking

Page 20

Advanced Isolation

Clients who do not pass can be blocked and isolated

Isolated clients can be given access to updates to get healthy

Health Checkup

Check update level, antivirus, and other plug-in and scriptable criteria

Page 21

Advanced Updating

Simplify the security update process with predictability, reduced downtime and advanced management tools

Lower update costs while increasing efficiency

Fewer installers and smaller update size

Enhanced tools for desktops and servers

Extended across Microsoft technologies

Page 22

One update experience

Windows Update > Microsoft Update

SUS > Windows Update Services

SMS 2003

Delta updating for 30-80% smaller update packages

Better quality updates

Rollback capability for all updates

10-30% fewer reboots

Page 23

Engineering Excellence

Raising the bar for software security

Improved development process

New tools designed to help developers

Guidance and training focused on secure coding

Advance the state of the art of secure software development

Page 24

Quality & Engineering Excellence

Improved Development Process

Threat modeling

Code inspection

Penetration testing

Unused features off by default

Reduce attack surface area

Least Privilege

Prescriptive Guidance

Security Tools

Training and Education

Community Engagement

Transparency

Clear policy

Page 25


Page 26

Quality & Engineering Excellence

Helping Developers Write More Secure Code

.NET Framework 1.1

Cryptographic APIs

Integrated PKI

Visual Studio .NET 2003

Security Tools

Web Services Enhancements

Microsoft Security Developer Center

Writing Secure Code v2

Developer webcasts

Page 27

Authentication, Authorization And Access Control

Embracing identity and access management

Integrated secure single sign-on experience

New factors of authentication

Seamless data protection across layers

Enable business solutions with integrated platform security technologies

Page 28

Windows IPSec integration

SSL, RPC over HTTP

ISA Server 2004

Deep Windows integration

WPA, 802.1x, PEAP

Single sign-on, smartcards, biometrics

Provision for multiple credential types

Rights Management Services

Comprehensive Authorization Infrastructure (AD, EFS, ACLs…)

Page 29

Guidance, Tools & Response

Customer Education and Partnerships

Seminars and publications

Alliances and information exchanges

Cooperation with law enforcement

Help customers through prescriptive guidance, training, partnership and policy

Page 30

The Ten Immutable Laws of Security Patch Management

Law #1: Security Patches are a Fact of Life.

Law #2: It Does No Good to Patch a System That Was Never Secure to Begin With.

Law #3: There is No Patch for Bad Judgment.

Law #4: You Can’t Patch What You Don’t Know You Have.

Law #5: The Most Effective Patch is The One You Don’t Have to Apply.

Law #6: A Service Pack Covers a Multitude of Patches.

Law #7: All Patches Are Not Created Equal.

Law #8: Never Base Your Patching Decision on Whether You’ve Seen Exploit Code… Unless You’ve Seen Exploit Code.

Law #9: Everyone Has a Patch Strategy, Whether They Know It or Not.

Law #10: Patch Management is Really Risk Management.

Page 31

Security is not easy...

Security is a journey where you attempt to secure a complex system of many entities:

People (culture, knowledge, skills)

Process (policy, procedures, guidelines)

Product/Technology (hardware, software, networks)

These entities interact in rich and often-times unpredictable ways to cause problems

Security will fall down if you continue to focus on one part of the problem

Products/Technology is not the whole problem nor is it the whole solution

If it were easy, anybody could do it...

Page 32

Summary

Isolation and Resiliency: A computing platform that is more resilient in the presence of security threats

Advanced Updating: Simplify the security update process with predictability, reduced downtime and advanced management tools

Expanded Authentication, Authorization, Access Control: Enable business solutions with integrated platform security technologies

Security Guidance, Tools, Responsiveness: Help customers through prescriptive guidance, training, partnership and policy

Engineering Excellence: Advance the state of the art of secure software development

Page 33

2003

Extended support

Monthly patch releases

SMS 2003

Baseline guidance

Community investments

2004

Windows XP Service Pack 2

Broad training

ISA Server 2004

Windows Server 2003 Service Pack 1

Updating enhancements

Future

Active protection technology

Visual Studio “Whidbey”

Next generation inspection

Page 34

Learn: Take training, read guidance, help educate users

Connect: Participate in community. Subscribe to security newsletters.

Manage Risk: Implement a security plan and security risk management process.

Upgrade laptops & remote systems to Windows XP

Standardize edge servers on Windows Server 2003

Defense in depth: Implement multiple countermeasures.

http://www.microsoft.com/security/guidance

Page 35

Resources

General
http://www.microsoft.com/security

Consumers
http://www.microsoft.com/protect

Security Guidance Center
http://www.microsoft.com/security/guidance

Tools
http://www.microsoft.com/technet/Security/tools

How Microsoft IT Secures Microsoft
http://www.microsoft.com/technet/itsolutions/msit

E-Learning Clinics
https://www.microsoftelearning.com/security

Events and Webcasts
http://www.microsoft.com/seminar/events/security.mspx

Page 36

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.