Advancing Security
John Wylder, CISSP, CHS
Strategic Security Advisor
jwylder@microsoft.com
Progress and Commitment

Agenda
• Update on current security issues
• Comments on threats and vulnerabilities
• Microsoft’s response
• Suggestions and guidance
• Questions and (hopefully) answers
Breaking news…
Microsoft update full of tests
“The biggest Windows security upgrade walks a fine line between making things safe and making things work”
The Oregonian, Monday, July 19, 2004

Breaking news, part 2…
Mobile device virus
• Antivirus researchers have discovered the first bug to target Microsoft's Pocket PC
• Russian-based antivirus firm Kaspersky Labs said Duts was created by Ratter, the pseudonym of a virus writer who is an active member of the international group 29A. The group is famous for its proof-of-concept viruses, like the mobile phone-targeting Cabir and Rugrat, the first known virus capable of attacking 64-bit Windows files.
searchsecurity.com, July 19, 2004
Security Ecosystem
External influences (people, bugs, etc.) act on every layer of system security:
• Host: exploit of misconfiguration, buffer overflows, open shares, NetBIOS attacks
• Application: unauthenticated access to applications, unchecked memory allocations
• Network: data sniffing on the wire, network fingerprinting
• Account: compromise of integrity or privacy of accounts
• Trust: unmanaged trusts enable movement among environments

The Typical Security Environment Today: hard to manage, hard to support, and ever more complex
Exploit Timeline
Days between patch release and exploit code:
• Nimda: 331
• SQL Slammer: 180
• Welchia/Nachi: 151
• Blaster: 25
• The average is now nine days for a patch to be reverse-engineered
• As this cycle keeps getting shorter, patching is a less effective defense in large organizations
Why does this gap exist?
Top information security issues for 2004
• Viruses and worms remain the biggest worry
• Patch management: the patch management issue relates directly to the concern over viruses and worms
“Hybrid threats will drive the need for hybrid solutions”
Ed Yakabovicz, ISO for Bank One’s Corporate Internet group
“2004 might just be the year that the next big worm carries a destructive payload.”
Kevin Beaver, CISSP, Principle Logic

Top information security issues for 2004, part 2
• Compliance with regulations (HIPAA, GLB) is a growing concern
• Is regulation the principal driver for security in your enterprise? Yes (45%).
• How will compliance impact your security spending? 15% say “compliance is a big chunk of our budget.”
Source: searchsecurity.com, 1/14/2004
• “A combination of laws and regulations will push companies and organizations towards more security, but it will still take longer than you would like.”
Jonathan Callas, CTO, PGP
Why do businesses continue to get attacked by viruses, worms, and fraud?
• Failure to recognize that security is a process issue, not an object, requiring risk management and responsiveness
• There is no 100% perfect security
• Security is only as strong as the weakest link
• When nothing happens, well, nothing happens
• No attention translates to zero or limited security budget and investment
• No provision equals no security readiness
• Feel-safe syndrome: we have not been attacked in the past

Why do businesses continue to get attacked by viruses, worms, and fraud?
• There are no magic beans, no silver bullets
• Fraudsters and attackers exploit the weakest links: it could be your technology, process, and/or people (including employees, partners, and customers)

Awareness alone is not enough
“The organizers of the conference Infosecurity Europe 2004 announced that they surveyed office workers at Liverpool Street Station in England, and found that 71 percent were willing to part with their password for a chocolate bar.”
Security Pipeline, April 20, 2004
Usage of Firewalls
Source: Microsoft Customer Risk Assessments

Mapping Worms to “User” Days of Risk
• Reaction time is critical in preventing viruses and worms, which can cost organizations billions.
• Forrester Research said that customers typically required more than 300 days to fully deploy patches for many of these issues after the fix appeared.
• The race begins when the technical details of an issue are made public.
Source: Microsoft, Forrester

Security Enabled Business
[Diagram labels: Impact to Business, Probability of Attack, Risk Level, ROI, Connected, Productive]
• Reduce Security Risk
• Assess the environment
• Improve isolation and resiliency
• Develop and implement controls
• Increase Business Value
• Connect with customers
• Integrate with partners
• Empower employees

Customer requests and the corresponding initiative:
“Reduce impact of malware”: Isolation and Resiliency
“Simplify critical maintenance”: Improve Updating
“Develop reliable and secure software”: Engineering Excellence
“Give us better access control”: Authentication, Authorization, Access Control
“Provide better guidance”: Deliver Security Guidance, Tools, Responsiveness
Isolation and Resiliency
A computing platform that is more resilient in the presence of security threats
Mitigating risk through innovation
• Reduce attack surface and vectors
• Proactively deflect and contain threats

Isolation and Resiliency: reducing the modes of attack
• Network Protection
• Safer Email and IM
• Safer Web Browsing
• Protection Against Buffer Overruns
Communicate and collaborate in a more secure manner without sacrificing information worker productivity

Isolation and Resiliency, Future: Active Protection
• Dynamic system protection
• Behavior blocking
• Application-aware firewalls
• Intrusion prevention

Isolation and Resiliency: Client Inspection
• Health Checkup: check update level, antivirus, and other plug-in and scriptable criteria
• Advanced Isolation: clients that do not pass can be blocked and isolated; isolated clients can be given access to updates to get healthy
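The health checkup and isolation flow on this slide, as an added illustration written for this page (Python; not code from the deck or from any Microsoft product): built-in criteria plus a scriptable one are evaluated per client, failing clients are quarantined, and the quarantine still permits the update hosts so the client can get healthy. The thresholds, host names, inventory and client records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional, Set

# Constructed policy values (assumptions, not from the deck).
REQUIRED_UPDATE_LEVEL = 2            # minimum update level a client must report
MAX_SIGNATURE_AGE_DAYS = 7           # antivirus signatures older than this are "stale"
REMEDIATION_HOSTS = {"update-server", "antivirus-server"}   # reachable while isolated
INVENTORY = {"ws-01", "laptop-07"}   # hypothetical asset inventory for a scripted criterion

@dataclass
class Client:
    name: str
    update_level: int
    antivirus_running: bool
    signature_date: date
    firewall_enabled: bool

@dataclass
class Decision:
    healthy: bool
    failures: List[str]      # criteria the client failed (empty when healthy)
    reachable: Set[str]      # destinations an isolated client may still reach

Criterion = Callable[[Client, date], bool]   # returns True when the client passes

# Built-in health criteria; the "plug-in and scriptable" ones are passed in as extra.
CRITERIA: Dict[str, Criterion] = {
    "update level below baseline": lambda c, t: c.update_level >= REQUIRED_UPDATE_LEVEL,
    "antivirus not running": lambda c, t: c.antivirus_running,
    "antivirus signatures stale": lambda c, t: (t - c.signature_date).days <= MAX_SIGNATURE_AGE_DAYS,
    "host firewall disabled": lambda c, t: c.firewall_enabled,
}
in_inventory: Criterion = lambda c, t: c.name in INVENTORY   # example scripted criterion

def inspect_client(client: Client, today: date, extra: Optional[Dict[str, Criterion]] = None) -> Decision:
    """Health checkup: run every built-in and scripted criterion and decide on isolation."""
    checks = {**CRITERIA, **(extra or {})}
    failures = [name for name, passes in checks.items() if not passes(client, today)]
    if failures:
        # Advanced isolation: block the client but keep the remediation path open.
        return Decision(False, failures, set(REMEDIATION_HOSTS))
    return Decision(True, [], set())

def is_allowed(decision: Decision, destination: str) -> bool:
    """Enforcement point: healthy clients reach anything, isolated ones only remediation hosts."""
    return decision.healthy or destination in decision.reachable

# Constructed sample clients and evaluation date.
TODAY = date(2004, 7, 19)
GOOD = Client("ws-01", 2, True, date(2004, 7, 17), True)
STALE = Client("laptop-07", 1, True, date(2004, 6, 1), False)
```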
Advanced Updating
Simplify the security update process with predictability, reduced downtime and advanced management tools
Lower update costs while increasing efficiency
• Fewer installers and smaller update size
• Enhanced tools for desktops and servers
• Extended across Microsoft technologies

Updating: Windows 2000+ generation
• One update experience
• Better quality updates
• Rollback capability for all updates
• Delta updating for 30-80% smaller update packages
• 10-30% fewer reboots
• Windows Update > Microsoft Update
• SUS > Windows Update Services
• SMS 2003

Engineering Excellence
Advance the state of the art of secure software development
Raising the bar for software security
• Improved development process
• New tools designed to help developers
• Guidance and training focused on secure coding

Quality & Engineering Excellence: Improved Development Process
• Threat modeling
• Code inspection
• Penetration testing
• Unused features off by default
• Reduce attack surface area
• Least privilege
• Prescriptive guidance
• Security tools
• Training and education
• Community engagement
• Transparency
• Clear policy
[Chart: "Critical" and "Important" Security Bulletins. Y-axis: Number of Bulletins (0-40); X-axis: Days After Availability (0-365); data labels 42 and 13.]

Quality & Engineering Excellence: Helping Developers Write More Secure Code
• .NET Framework 1.1
• Cryptographic APIs
• Integrated PKI
• Visual Studio .NET 2003
• Security Tools
• Web Services Enhancements
• Microsoft Security Developer Center
• Writing Secure Code v2
• Developer webcasts
Authentication, Authorization and Access Control
Enable business solutions with integrated platform security technologies
Embracing identity and access management
• Integrated secure single sign-on experience
• New factors of authentication
• Seamless data protection across layers

Authentication, Authorization and Access Control: Enabling Security Critical Scenarios
• Windows IPSec integration
• SSL, RPC over HTTP
• ISA Server 2004: deep Windows integration
• WPA, 802.1x, PEAP
• Single sign-on, smartcards, biometrics
• Provision for multiple credential types
• Rights Management Services
• Comprehensive Authorization Infrastructure (AD, EFS, ACLs…)

Guidance, Tools & Response
Help customers through prescriptive guidance, training, partnership and policy
Customer Education and Partnerships
• Seminars and publications
• Alliances and information exchanges
• Cooperation with law enforcement
The Ten Immutable Laws of Security Patch Management
Law #1: Security Patches are a Fact of Life.
Law #2: It Does No Good to Patch a System That Was Never Secure to Begin With.
Law #3: There is No Patch for Bad Judgment.
Law #4: You Can’t Patch What You Don’t Know You Have.
Law #5: The Most Effective Patch is The One You Don’t Have to Apply.
Law #6: A Service Pack Covers a Multitude of Patches.
Law #7: All Patches Are Not Created Equal.
Law #8: Never Base Your Patching Decision on Whether You’ve Seen Exploit Code… Unless You’ve Seen Exploit Code.
Law #9: Everyone Has a Patch Strategy, Whether They Know It or Not.
Law #10: Patch Management is Really Risk Management.

Security is not easy...
• Security is a journey where you attempt to secure a complex system of many entities:
• People (culture, knowledge, skills)
• Process (policy, procedures, guidelines)
• Product/Technology (hardware, software, networks)
• These entities interact in rich and often unpredictable ways to cause problems
• Security will fall down if you continue to focus on one part of the problem
• Products/Technology is not the whole problem, nor is it the whole solution
• If it were easy, anybody could do it...
Summary
• Isolation and Resiliency: a computing platform that is more resilient in the presence of security threats
• Advanced Updating: simplify the security update process with predictability, reduced downtime and advanced management tools
• Expanded Authentication, Authorization, Access Control: enable business solutions with integrated platform security technologies
• Engineering Excellence: advance the state of the art of secure software development
• Security Guidance, Tools, Responsiveness: help customers through prescriptive guidance, training, partnership and policy

2003: Extended support; Monthly patch releases; SMS 2003; Baseline guidance; Community investments
2004: Windows XP Service Pack 2; Broad training; ISA Server 2004; Windows Server 2003 Service Pack 1; Updating enhancements
Future: Active protection technology; Visual Studio “Whidbey”; Next generation inspection

Learn: take training, read guidance, help educate users
Connect: participate in community; subscribe to security newsletters
Manage Risk: implement a security plan and security risk management process
Defense in depth: implement multiple countermeasures
• Upgrade laptops & remote systems to Windows XP
• Standardize edge servers on Windows Server 2003
http://www.microsoft.com/security/guidance

Resources
• General: http://www.microsoft.com/security
• Consumers: http://www.microsoft.com/protect
• Security Guidance Center: http://www.microsoft.com/security/guidance
• Tools: http://www.microsoft.com/technet/Security/tools
• How Microsoft IT Secures Microsoft: http://www.microsoft.com/technet/itsolutions/msit
• E-Learning Clinics: https://www.microsoftelearning.com/security
• Events and Webcasts: http://www.microsoft.com/seminar/events/security.mspx
© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.