Top 5 things for security
What every Microsoft Partner should know
Nattorn Jayanama, Product Manager, Microsoft Thailand
Top 5 Things for Security
Know the Threats & Solutions
1. Top 5 Cyber Threats for Thailand
2. Microsoft Solutions
Know the Strategy
3. Security Quality
4. Security Management
5. Security Innovation
Top 5 Cyber-Threats
1st: SPAM
2nd: Spyware
3rd: Malware
4th: Phishing
5th: SPAM IM
SPAM Problem
- SPAM or junk mail refers to unrequested e-mails or advertisements.
- Address information is gathered from customer databases or war dialing.
SPAM Solution
- Use Anti-SPAM at the internet gateway or in the DMZ
- Use Anti-SPAM software on the client
- Control usage of corporate e-mail and enforce policy
Spyware Threat
- Advertising companies use spyware to extract personal information:
  - Stats on your computer (OS, browser, etc.)
  - Stats on your surfing habits (websites, etc.)
- Violates privacy but is completely LEGAL
Spyware Solution
- Install an Anti-Spyware solution
- Major ones are free of charge (Ad-Aware, Spybot, MS Anti-Spyware or MS Defender)
Malware Threat
Malware is a generic term used to describe any form of malicious software, such as viruses, zombies, trojans, or any combination of these.
Example of Malware
Malware Solution
- Use a combination of anti-spyware and anti-virus to scan the machine (and update the signatures)
- If directed to a website, check its certificate
Malware Solution
- Run the Windows Malicious Software Removal Tool
- Online, for your protection
Phishing: Social Engineering
Phishing Example
- Trust model: the sender claims to be from a respected source
- Very professional look
- But notice the URL link: usually an unknown IP address
- But even URLs can be faked!
Phishing/Pharming Solution
- Security policy training and enforcement
- Use anti-phishing tools for browsers (MSN Anti-phishing tool, IE 7)
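The two signs the phishing slides point at (a link whose target is a bare IP address, and visible link text that does not match where the link really goes) can be checked mechanically; the following is an added Python example, not part of the original deck, and the SAMPLE message and its host names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    # urlparse only splits out a host when a scheme is present; visible
    # link text such as "www.example.com" usually has none, so add one
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def suspicious_links(html_body):
    """Return [(href, reason)] for links showing the signs named on the slide."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = _host(href)
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            findings.append((href, "target is a bare IP address"))
        elif "." in text and " " not in text and _host(text) != host:
            findings.append((href, f"text '{text}' does not match target host '{host}'"))
    return findings

# Constructed sample (not from the deck): link 1 hides an IP address, link 2 shows
# a familiar name but points elsewhere, link 3 is clean and must not be flagged.
SAMPLE = ('<p>Please verify your account at '
          '<a href="http://192.0.2.10/login">www.example-bank.com</a> or '
          '<a href="http://www.example-bank.com.example.net/x">www.example-bank.com</a>. '
          '<a href="http://www.example-bank.com/help">Help</a></p>')
```

Calling suspicious_links(SAMPLE) flags the first two links and leaves the third alone; the same function can be run over any HTML mail body.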
SPAM IM (SPIM) Threat
- An estimated 5% to 8% of all IM today is SPIM
- Potentially more dangerous than SPAM:
  - Pop-up link for phishing
  - Download/upload of malware via file transfer
2. Microsoft Solutions
ISA + Antigen Solution
Diagram: ISA Server 2004 at the network edge in front of the Live Communication Server, SharePoint Server, Exchange mailbox server, Exchange IMC server and SMTP server; Antigen on each internal server; IM and documents flowing in, viruses and worms being blocked.
Antigen:
- Helps block viruses and inappropriate content inbound
- Helps keep viruses off internal servers
- Helps prevent confidential information from being sent out
ISA Server:
- Firewall on the network edge blocks application layer attacks
- Pre-authenticates users for network access
3. Security Quality: Microsoft compared to Open Source
Value of community patches (RHEL3)
Timeline: the CAN vulnerability is disclosed on 4/8/2004 with a community patch available; the official Red Hat patch arrives on 12/23/2004, 8 months later (259 days of risk). In between, 28 kernel vulns are patched by Red Hat up2date, and none of them address the CAN entry.
Customer choice:
- Use the community patch? Manually roll out the patch, and for each new patch: manually roll out? Undo with up2date?
- Wait on the Red Hat patch? Use Red Hat up2date.
Linux Distribution Model
Time disparity between commercial distribution packages and OSS packages (RHEL errata and OSS stable projects as of 9/28/04). Diagram: Customer, Linux Distributions, Customer Projects (internally supported); the RHEL3 snapshot versus improvements post-RHEL3 cutoff*:
- Apache: entire codebase relicensed
- Bind: n/a
- Sendmail: LDAP recursion, URI
- Openssl: support for MacOSX, support for linux-ia64, S/MIME compat fixes
- Openldap: LDAPv3 extensions, LDAP C++ API, LDAP Sync, SASL enhancements
Example: customer wants the latest version of Openssl
- Customer wants new functionality in the latest version of Openssl (0.9.7e)
- Learns the distro does not support it
- Decision: install the latest version with the fixed S/MIME compat support, or continue using the distro-supported version
  - Continue to use the distro-supported version and forgo the new functionality
  - Install the new functionality and assume support internally
*Capabilities that were not backported
Linux Distributions & Security Support
Chart: components (Kernel, Apache, MySQL, Mozilla, Firefox, Glibc, hundreds of other packages) against RHEL 2.1 AS (GA: May 17, 2002), RHEL 3.0 AS (GA: Oct 23, 2003) and RHEL 4.0 AS (GA: Feb 15, 2005). Legend: component team actively supports; component team recommends against using; component team does not support, or the distribution has customized the package; vendor: none.
- What happens when a component team "moves on"?
- What causes a forced upgrade?
- How will this affect "time to patch" (aka days of risk)?
- How much difference does this make?
Linux Kernel Example: 2.6 Kernel Patches
Chart: number of patches and patches per hour per 2.6.x release.
REF: bk -R prs -rv2.6.x..v2.6.x -h -d'$unless(:MERGE:){:P:\n}' | sort | wc -l
Linux Distribution Lag
Chart: number of kernel patches over time, marking when SLES 9 dev pulls from the kernel and the SLES 9 product RTM, and when RHEL 4 dev pulls from the kernel and the RHEL 4 product RTM.
bk -R prs -cYYMMDD..YYMMDD -h -d '$unless(:MERGE:){:P:\n}' | wc -l
Linux Enterprise Support Commitment
Timeline (current and future releases):
- Red Hat: RHEL 2.1 (May 17, 2002), RHEL 3.0 (Oct 23, 2003), RHEL 4.0 (Feb 15, 2005), RHEL 5.0 (Q?), RHEL 6.0 (Q?), RHEL 7.0 (Q?)
- SUSE: SLES 8 (Mar 26, 2003), SLES 9 (Aug 3), SLES 10 (Feb 2006?), SLES 11 (Aug 2007?), SLES 11 (Feb 2009?)
Red Hat enterprise versions in support over time: hundreds of packages (that they have) with no support by component teams. What are the implications?
Microsoft SDL: Security Deployment Lifecycle
Phases: Requirements, Design, Implementation, Verification, Release, Support & Servicing.
Traditional Microsoft Software Product Development Lifecycle tasks and processes:
- Requirements: feature lists, quality guidelines, arch docs, schedules
- Design: functional specifications, design specifications
- Implementation: development of new code
- Verification: testing and verification, bug fixes
- Release: code signing, checkpoint express signoff, RTM
- Support & Servicing: product support, service packs/QFEs, security updates
SDL tasks added at each phase:
- Requirements: security training; security kickoff & register with SWI
- Design: security design best practices; security arch & attack surface review; threat modeling
- Implementation: use security development tools & security best dev & test practices; create security docs and tools for the product
- Verification: prepare security response plan; security push; pen testing
- Release: final security review
- Support & Servicing: security servicing & response execution
Security Focus Yielding Results
- Security Development Lifecycle working
- 200M Windows XP SP2 downloads
- Windows Server 2003 SP1: 1.4M downloads
- Red Hat adopting our security response ratings
Source: Microsoft Security Bulletin Search
An Industry View
Chart: list of vulnerabilities between browsers. Totals: Microsoft = 38, Red Hat = 234 (21 kernel). Totals: IE 10, Firefox 40.
Source: Secunia.com as of September 2005
An Industry View
Totals: Microsoft = 38, Red Hat = 234 (21 kernel)
Source: vendors' public security bulletins as of July 2005
Security Innovation
Source: Security Innovation (March 2005), "Role Comparison Report: Web Server Role"
Source: Security Innovation (June 2005), "Role Comparison Security Report: Database Server Role"
Microsoft SDL is producing results
Chart: high, medium and low severity vulnerabilities, June 2002 – May 2003*, for Microsoft, Red Hat, Debian, MandrakeSoft and SUSE. Microsoft has the lowest total, with 42 fewer high-severity vulnerabilities than Red Hat.
Chart: all days of risk for Microsoft, Red Hat, Debian, MandrakeSoft and SUSE. Microsoft has the fastest security response.
- Fewer total and high-severity vulnerabilities
- Faster fixes for publicly disclosed issues
Source: "Is Windows More Secure than Linux?", Forrester, March. NIST: US National Institutes of Standards and Technology.
Security Quality: Server Vulnerabilities Jan-Jun
Table: ICAT severity (High, Medium, Low, Not Yet Rated, Total) for Windows Server 2003, RHEL 3ES Web Minimal and RHEL 3ES Web Default.
1 Source: security advisories & bulletins from vendor web sites
2 Source: Security Innovation (June 2005), "Role Comparison Security Report: Database Server Role"
Oracle makes Linux Unbreakable???
Chart: database vulnerabilities for MySQL on Red Hat Enterprise, Oracle 10g on Red Hat Enterprise 3, and SQL Server 2000 on Windows Server 2003.
- Database vulnerabilities only: SQL 2000 (zero), Oracle 10g (30)
- "Fully loaded" Windows Server 2003 and SQL Server 2000
- Oracle recommended configuration on Red Hat
- Minimal MySQL on Red Hat configuration
- Public, repeatable methodology
"Microsoft has significantly improved the security of its shipping products since the adoption of its security development life cycle. The first OS product to ship since Microsoft adopted its SDL was Windows Server 2003 (with IIS 6). Windows 2003 has had sufficient operational testing to be suitable for security-critical applications."
Neil McDonald, Group Vice President and Research Director, Gartner, Inc. (from Gartner Symposium, May 2005)
Windows or Linux for Security?
Security Quality
- Microsoft: SDL-driven progress; ongoing process improvement
- Linux: no SDL-like program; IN DENIAL
4. Security Management
Managing Security: Directory Usage
Anchoring in Active Directory:
- Most widely used directory
- Single sign-on
- Group policy
- Smartcard and 2-factor authentication
- Secure wireless and remote access
- Vast ecosystem with >1,000 AD-enabled apps
- ADFS and WS-* extend to other systems
Security Management: 3rd-Party Evidence
"Total Cost of Security Patch Management"
- The average time required to successfully deploy critical patches to Microsoft PCs is 56% lower than for the equivalent OSS PCs
- The average cost to successfully deploy a patch to a single Microsoft system is lower than deployment to an equivalent OSS system:
  - The average annual cost to patch a single Microsoft system is 14% lower than patching the equivalent OSS system
- There is also evidence to support the hypothesis that the patching of many OSS systems is being neglected.
- Microsoft Baseline Security Analyzer 2.0
- Microsoft Update
- Automatic Updates
Windows or Linux for Security?
Security Quality
- Microsoft: SDL-driven progress; ongoing process improvement
- Linux: no SDL-like program; IN DENIAL
Security Management
- Microsoft: AD/Group Policy; Cert Services; advanced updating
- Linux: which directory? Certs? CATCH UP MODE
5. Security Innovation
Customer Focused Innovation – Only on Microsoft

- Direct customer connection to Microsoft support
- Unique value for technical beta feedback
- Drives up reliability and security of products
- Unique capability not available on Linux/OSS

Spynet:
- Direct feedback from users to benefit all
- Helps distinguish spyware from software
- Unique capability not available on Linux/OSS

- Prefast and FxCop source code security analysis
- Safe C-Runtime Libraries, stack overflow protection
- Source code Annotation Language (SAL)
- Security capabilities not available on Linux/OSS
Manageable PKI – Only on Microsoft

Integrated Cert Server:
- Powerful X.509 CA integrated into Windows Server
- Active Directory & Group Policy integration
- OpenLDAP lacks key management capabilities

Autoenrollment:
- Policy-driven CERT deployment capability
- Automatic, silent user experience
- Capability unique to Microsoft customers

- Single provisioning of multiple credentials
- Single sign-on, roaming profiles, smartcard support
- Unique integration advantage over Linux/OSS

- Dual-use AD for ID credentials and security policy
- Enables auto-enrollment and easy CERT renewal
- De facto standard, even supported by OSS/Samba
Secure, Private Networking – Only on Microsoft

Secure Wireless:
- Full 802.1x+WPA support in client and server
- Secure, transparent roaming between access points
- Manageability and ease of use not available on Linux

Secure Remote Access:
- Smartcard-enabled secure, private remote RAS/VPN
- Network Access Protection capabilities
- Unique options leveraging RPC over HTTPS

Roaming Profiles:
- User mobility within the network
- Single sign-on
- Unique capability in Microsoft clients

Encryption:
- Active Directory & Group Policy integration
- Silent, transparent user experience
- Linux/OSS options lack policy & PKI manageability
Rights Management Services – Only on Microsoft

Do Not Forward:
- Keep Executive off the Internet
- Reduce forwarding of confidential information
- Templates to centrally manage policies

Protect Sensitive Files:
- Safeguard financial, legal, HR content
- Set level of access: view, print, export
- View Office 2003 rights-protected info

Safeguard Intranet Content:
- Control access to sensitive plans
- Set level of access: view, change, print, etc.
- Determine length of access
Windows or Linux for Security?
Security Quality
- Microsoft: SDL-driven progress; ongoing process improvement
- Linux: no SDL-like program; IN DENIAL
Security Management
- Microsoft: AD/Group Policy; Cert Services; WUS / MU
- Linux: which directory? Certs? CATCH UP MODE
Security Innovation
- Microsoft: Secure Wireless; RMS; feasible PKI
- Linux: SELinux roles; what else?
© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.