Detlef Eckert Chief Security Advisor Microsoft Europe, Middle East, Africa The Challenge of Information Security.

Agenda
- The Evolution of Threats
- Security against attacks – Security of the platform
- Secure solutions – Security enabled by the platform
- Management of Security
- Some Takeaways

The Bright Side: New Era of Computing IT Technology: Huge Asset of Human Connections and the Global Economy

The Dark Side: Cyber Crime
- The Internet has quickly become a good place to commit crime (anonymity, global connectivity, lack of traceability)
- Cybercrime is increasing with new forms of attacks (e.g. phishing, botnets), and increasingly the target is the application (this is where the ‘money’ is)
- Computer literacy is both rising (for sophisticated attacks) and less important (hacker tools permit unskilled attacks)
- Industry has a responsibility to improve security
- Law enforcement is critical to deterrence and prosecution

Download.ject - new threat model
- JavaScript in web site exploits IE; redirects browser in the background; silent if failed
- Redirected to Russian server to download: key stroke logger; own auto update program
- Malware sends log files to 16 different servers to collect data and receive updated instructions
- The creators of this virus had specifications, tested to ensure that the virus left no footprint, had redundancies, and left themselves opportunities to update the malware
- Web server flaw exploited: JavaScript embedded in multiple websites (diagram label: Random Web site)

Botnet Threats
- Bot: application that performs some action or set of actions on behalf of a remote controller, installed on a victim machine (zombie). Most are open-source. Modular (plug in your functionality/exploit/payload).
- Botnets: linkage of “owned” machines into centrally controlled armies; literally, roBOT NETworks
- Control channel: method for communicating with an army
- Herder (aka bot herder, controller, pimp): owns control channel, commands botnet army
- Motivations: money, power

Attack Methodologies
1. Port Scanning
2. Packet spoofing
3. Dictionary Attacks
4. Elevation of Privilege
5. Web defacement
6. Data theft
7. Clear Audit Trails

Social Engineering Case Study: MyDoom
- There was no vulnerability: purely social engineering
- Mixed techniques: ZIP file, spoofed icon, “returned SMTP” text, random subjects, source addresses
- Self-upgrading from A to B
- Attack SCO.Com and Microsoft.Com
- B version tries to block access to WindowsUpdate and AV vendor websites
- Install “backdoors” – turn into “bots”
- 66% of all SPAM on the Internet generated by these types of backdoors on home-user PCs
- Worm families are becoming “learning platforms” for authors

The Spam Problem
- Spam: unsolicited e-mail (junk mail) which often contains offensive and harmful content
- Risk to security and privacy: viruses; phisher scams, ID theft; 40% from zombies
- Our customers' number 1 concern!
- Junk represents >60% of traffic, up from 8% just 3 years ago
- Hotmail blocks 2.7 billion spam messages a day!
- 14.5 billion spam e-mails sent each day
- Cost to business: several billion euro per year globally
- Low cost of entry + high profit + anonymity: all the economics favour the spammer

Security against attacks – Security of the platform

Situation: When do exploits occur?
[Timeline figure: Product shipped > Vulnerability discovered > Fix made available > Fix deployed by customer. Figure label: "Most attacks occur here"]

Communicate and collaborate in a more secure manner without sacrificing information worker productivity Isolation and Resiliency XP Service Pack 2

Security Development Lifecycle
Phases: Requirements, Design, Implementation, Verification, Release, Response
- Product Inception: assign resource; security plan
- Design: design guidelines applied; security architecture; security design review; ship criteria agreed upon
- Threat Modeling: models created; mitigations in design and functional specs
- Guidelines & Best Practices: coding standards; testing based on threat models; tool usage
- Security Docs & Tools: customer deliverables for secure deployment
- Security Push: security push training; review threat models; review code; attack testing; review against new threats; meet signoff criteria
- Final Security Review (FSR): review threat models; penetration testing; archiving of compliance info
- RTM & Deployment: signoff
- Security Response: feedback loop (tools/processes, postmortems, SRLs)

First Results of SDL (Source: Microsoft Security Bulletin Search)

- Updated monthly to remove prevalent malware
- Targeted at consumers without antivirus
- Enterprise deployable as part of a defense-in-depth strategy
- Available through: Windows Update; Auto Update; Online interface; MS Download Center
- Distributed to over 125M PCs
- Complements traditional antivirus technologies by providing one tool that removes prevalent viruses and worms from a PC

- Global SpyNet™ community helps identify new spyware
- Automatic signature downloads keep you up-to-date
- Spyware removal reduces PC slow down, pop-up ads, and more
- Scheduled scans help maintain PC security and privacy
- Continuous protection guards 50+ ways spyware gets on a PC
- Intelligent alerts handle spyware based on your preferences

Secure solutions – Security enabled by the platform

Defense in Depth
Threat Modeling is one part of a Defense in Depth strategy. Helps design other measures. Supplement at other layers.
- Data: ACL, encryption
- Application: application hardening, antivirus
- Host: OS hardening, patch management, authentication, HIDS
- Internal Network: network segments, IPSec, NIDS
- Perimeter: firewalls, VPN quarantine
- Physical Security: guards, locks, tracking devices
- Policies, Procedures, & Awareness: user education

Enabling Security Critical Scenarios Windows IPSec integration SSL, RPC over HTTP ISA Server 2004 Deep Windows integration WPA, 802.1x, PEAP Single sign-on, smartcards, Provision for multiple credential types Rights Management Services Comprehensive Authorization Infrastructure (AD, EFS, ACLs…)

The Protocols – 1970’s; The Challenges – 21st Century
- IPv4 is not designed for security!
- The Internet used to require security clearance to use – physical access to it was restricted – no need for protocol-level security, so none evolved
- Ports were used to signal application, intent. So evil people start putting stuff through ports that firewalls open
- Internally – there were no firewalls
- No checking of host before network access

Access Control Technologies
- Authentication: Protocols, Kerberos, NTLM, Winlogon, Logon providers, smartcard authentication, LSA, IAS (RADIUS), LDAP, AD/AM, IIS (web SSO), Host Integration Server (HIS)
- Credential Management: Certificate Server, smartcard deployment, Credential Manager, OCSP, DIMS, auto-enrollment, MIIS, BizTalk
- Audit: Audit, Distributed Audit Collection Service, Common Criteria, FIPS evaluations
- Authorization: Authorization Manager (AzMan), Access Control Lists, XrML 1.2, ISO REL, RMS, Limited User Access (LUA), ASP.Net Roles

The Complexity of Today’s Network
- Pain points: Complexity, Cost, Agility, Security
- Trends shaping the future: Security, Wireless/mobility, IPv6, VoIP, Internet as WAN
[Network diagram: Internet, Intranet, Extranet, Perimeter Network, Network Infrastructure, Routers, Servers, Desktops, Laptops, Branch Offices, Remote Workers, Home Users, New PC, Unmanaged Devices]

Windows XP Service Pack 2 Windows Server 2003 Service Pack 1 Microsoft Windows AntiSpyware Software Restriction Policies Future: Network Access Protection

Windows XP SP2 Windows Server 2003 Windows 2000 Server Lab Unmanaged guest

ISA Server 2004 Exchange Server Sybari Antigen Lab Unmanaged guest

Security Management

Elements of a Security Policy: Tools & Technologies; Repeatable Processes; Trained People

Updating Windows Generation
- Goals: Reduce Complexity; Reduce Size; Reduce Risk; Reduce Downtime
- One update experience
- Delta updating for 30-80% smaller update packages
- Better quality updates
- Rollback capability for all updates
- 10-30% fewer reboots
- Windows Update > Microsoft Update
- SUS > Windows Update Services
- SMS 2003

Today / Future
[Update channels diagram: Office Update; Download Center; SUS; SMS; VS Update; Windows Update (Windows only); “Microsoft Update” (Windows Update); Windows Update Services; AutoUpdate; Windows, SQL, Exchange, Office…]

Some Takeaways

Consider the following actions
- Develop integrated security strategy
- Think holistically, act proactively
- Build internal security expertise via training and certification
- Adopt secure software development principles for writing applications
- Establish security policy and compliance process
- Manage effective updates and incident response
- Give priority to information protection and data governance
- Develop data governance policy
- Drive training and compliance
- Work with us and our partners, send your feedback!

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.