Trustworthy Computing – One year on


Presentation Transcript


  1. Trustworthy Computing – One year on Stuart Okin Chief Security Officer – Microsoft UK Microsoft Security Solutions, Feb 4th, 2003

  2. Agenda
  • Reminder – Set the scene & What is Trustworthy Computing?
  • What have we done?
  • What are we planning?
  • Call to Action
  • Questions?

  3. Leaving Messages
  • Microsoft is committed to Trustworthy Computing = Security, Privacy, Reliability & Business Integrity
  • Trustworthy Computing can only be achieved through partnership & teamwork
  • Trustworthy Computing is a journey with a long-term vision, with highlights and obstacles along the road

  4. Computer Crime and Security Survey 2002 / CERT: Threat Remains Real
  • 90% detected computer security breaches
  • 40% detected system penetration from the outside; up from 25% in 2000
  • 85% detected computer viruses
  • 95% of all breaches due to misconfiguration
  Source: Computer Security Institute (CSI) Computer Crime and Security Survey 2002; Source: CERT, 2002

  5. An Industry-Wide Problem
  • Why are security breaches common?
  • Microsoft – Windows UPnP
  • Oracle – Oracle 9i Buffer Overrun
  • AOL AIM
  • CDE/Solaris
  • Apache – OpenSSL Buffer
  • Viruses, Worms: Nimda, Code Red, Slammer
  • People will have to believe in the technologies, companies and services

  6. Trustworthy Computing Core Tenets
  Security
  • Resilient to attack
  • Protects confidentiality, integrity, availability and data
  Privacy
  • Individuals control personal data
  • Products and Online Services adhere to fair information principles
  Reliability
  • Dependable
  • Available when needed
  • Performs at expected levels
  Business Integrity
  • Help customers find appropriate solutions
  • Address issues with products and services
  • Open interaction with customers

  7. Trustworthy Computing Security

  8. SD3 + Communications: Security Framework
  Secure by Design
  • Secure architecture
  • Security aware features
  • Reduce vulnerabilities in the code
  Secure by Default
  • Reduce attack surface area
  • Unused features off by default
  • Only require minimum privilege
  Secure in Deployment
  • Protect, detect, defend, recover, manage
  • Process: How-to’s, architecture guides
  • People: Training
  Communications
  • Clear security commitment
  • Full member of the security community
  • Microsoft Security Response Center

  9. SD3 + Communications: Progress To Date
  Secure by Design
  • Security training for 11,000 engineers
  • Security code reviews of old source
  • Threat modeling
  • “Blackhat” test coverage
  • Buffer overrun detection in compile process
  Secure by Default
  • Office XP: Macros off by default
  • No sample code installed by default
  • IIS and SQL Server off by default in Visual Studio.NET
  Secure in Deployment
  • Deployment tools: MBSA, IIS Lockdown, SUS, WU, SMS Value Pack
  • Created STPP to respond to customers
  • PAG for Windows 2000 Security Ops
  Communications
  • TAMs call Premier Customers proactively
  • MSRC severity rating system
  • Free virus hotline
  • MSDN security guidance for developers
  • www.microsoft.com/technet/security
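The "Secure by Design" items on slides 8 and 9 (reduce vulnerabilities in the code, security code reviews of old source, buffer overrun detection in the compile process) are abstract on the slides; the defect class they target is the one named on slide 5 (the Oracle 9i and OpenSSL buffer overruns). The following is an added illustration written for this transcript, not code from the presentation or from Microsoft: a fixed-size copy as a code review would flag it, beside the hardened form that takes the destination size as a parameter and refuses oversized input. The buffer size, function names and sample strings are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* constructed buffer size for the example */

/* Defect class from slide 5: the copy trusts the caller's input length.
 * If strlen(src) >= NAME_MAX this writes past the end of dst.
 * Compiler-inserted overrun detection (MSVC /GS, GCC -fstack-protector)
 * can abort the process when this happens, but it does not fix the bug;
 * it is the runtime backstop the slide refers to, not the remedy. */
int copy_name_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
    return 0;
}

/* Hardened form: the destination size travels with the pointer and is
 * enforced before any byte is written. Returns 0 on success, -1 if the
 * input (plus its terminator) would not fit; dst is left empty in that
 * case so a caller that ignores the result still sees a valid string. */
int copy_name_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);

    if (dst_size == 0)
        return -1;
    if (n >= dst_size) {      /* no room for n bytes plus the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);  /* copies the terminator too */
    return 0;
}

int main(void)
{
    char name[NAME_MAX];
    const char *ok = "alice";                                /* constructed */
    const char *too_long = "a-username-that-is-far-too-long"; /* constructed */

    printf("short input -> %d (%s)\n",
           copy_name_checked(name, sizeof name, ok), name);
    printf("long input  -> %d (buffer now \"%s\")\n",
           copy_name_checked(name, sizeof name, too_long), name);
    return 0;
}
```

The review point is that the unchecked version has no way to know the destination size, so no amount of care at the call site makes it safe in general; passing the size explicitly turns an invisible precondition into a checkable one.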

  10. January 2002 to March 2003

  11. April 2002 to June 2002

  12. July 2002 to Sept 2002

  13. Oct 2002 to Dec 2002

  14. SQL Slammer January 2003

  15. Summary
  • January 2002 Memo, follow up, vision
  • Steve Ballmer: Company Values of respect, customer focus, transparency
  • Windows XP SP1, Office XP SP1, Windows 2000 SP3, and 72 security fixes for various products
  • AutoUpdate; SUS, SMS Feature Pack; MBSA
  • 10 week halt in release cycles
  • Training of 11,000 engineers
  • Security Pushes for Windows, SQL, Exchange, Visual Studio, ISA, Commerce Server and Office B
  • MS Internal Privacy tracking and measurement tools suite
  • MSN 8 Parental Controls and Spam Controls
  • Windows Media Player 9 privacy first-run experience
  • IE6 and Privacy Wizard implementations
  • Windows security – $100+ million
  • Win2K reliability – $162 million, 500 man-years on reliability improvements
  • Software support: now offers 5 years, plus 2 years of extended service

  16. What are we planning?
  Short to Medium Term
  • Improve Patch Management: Quality; Reduce Installers; Single Microsoft Update Service
  • Security Push / Engineering techniques “in a box”
  • Windows 2003 Server (Secure by default)
  Longer term
  • Integration of Security Products (inc. ISVs) into system
  • Next Generation Secure Computing Base
  • Self Healing & attack sensitive systems
  • Move applications to .NET Framework

  17. Call to action
  1. Visit www.microsoft.com/security for current information on security
  2. Subscribe: register.microsoft.com/subscription/subscribeMe.asp?lcid=1033&id=155
  3. Get the toolkit: www.microsoft.com/uk/security

  18. Leaving Messages
  • Microsoft is committed to Trustworthy Computing = Security, Privacy, Reliability & Business Integrity
  • Trustworthy Computing can only be achieved through partnership & teamwork
  • Trustworthy Computing is a journey with a long-term vision, with highlights and obstacles along the road

  19. Questions?
