Advancing Security Progress and Commitment John Wylder CISSP, CHS Strategic Security Advisor


Advancing Security Progress and Commitment Agenda Update on current security Issues Comments on threats and vulnerabilities Microsoft’s response Suggestions and guidance Questions and (hopefully) answers

Breaking news…. Microsoft update full of tests “The biggest Windows security upgrade walks a fine line between making things safe and making things work” The Oregonian Monday, July 19, 2004

Breaking news part 2…. Mobile device virus. Antivirus researchers have discovered the first bug to target Microsoft's Pocket PC. Russian-based antivirus firm Kaspersky Labs said Duts was created by Ratter, the pseudonym of a virus writer who is an active member of the international group 29A. The group is famous for its proof-of-concept viruses, like the mobile phone-targeting Cabir and Rugrat, the first known virus capable of attacking 64-bit Windows files. searchsecurity.com, July 19, 2004

System Security: Security Ecosystem
Host: Exploit of misconfiguration, buffer overflows, open shares, NetBIOS attacks
Application: Unauthenticated access to applications, unchecked memory allocations
Account: Compromise of integrity or privacy of accounts
Network: Data sniffing on the wire, network fingerprinting
Trust: Unmanaged trusts enable movement among environments
External Influences (people, bugs, etc.)

The Typical Security Environment Today …hard to manage, to support and ever increasingly complex

Exploit Timeline: Days From Patch to Exploit. The average is now nine days for a patch to be reverse-engineered. As this cycle keeps getting shorter, patching is a less effective defense in large organizations. Why does this gap exist? [Chart: days between patch and exploit code for Nimda, SQL Slammer, Welchia/Nachi and Blaster]

Top information security issues for 2004 Viruses and worms remain biggest worry Patch management The patch management issue relates directly to the concern over viruses and worms. “Hybrid threats will drive the need for hybrid solutions” Ed Yakabovicz ISO for Bank One’s Corporate Internet group. “2004 might just be the year that the next big worm carries a destructive payload.” Kevin Beaver, CISSP. Principle Logic.

Top information security issues for 2004, part 2. Compliance with regulations (HIPAA, GLB) is a growing concern. Is regulation the principal driver for security in your enterprise? Yes (45%). How will compliance impact your security spending? 15% say “compliance is a big chunk of our budget.” Source: searchsecurity.com, 1/14/2004. “A combination of laws and regulations will push companies and organizations towards more security, but it will still take longer than you would like.” Jonathan Callas, CTO PGP.

Why businesses continue to get attacked by viruses, worms, and frauds? Failure to recognize that security is a process issue, not an object, requiring risk management & responsiveness No 100% perfect security Security is only as strong as the weakest link When nothing happens, well, nothing happens No attention translates to zero or limited security budget and investment No provision equals no security readiness Feel-safe syndrome – we have not been attacked in the past

Why businesses continue to get attacked by viruses, worms, and frauds? There are no magic beans, no silver bullets. Fraudsters and attackers exploit the weakest links – it could be your technology, process, and/or people (including employees, partners, and customers)

Awareness alone is not enough “The organizers of the conference Infosecurity Europe 2004 announced that they surveyed office workers at Liverpool Street Station in England, and found that 71 percent were willing to part with their password for a chocolate bar.” Security pipeline April 20, 2004

Usage of Firewalls Source: Microsoft Customer Risk Assessments

Mapping Worms to “User” Days of Risk. Reaction time is critical in preventing viruses and worms, which can cost organizations billions. Forrester Research said that customers typically required more than 300 days to fully deploy patches for many of these issues after the fix appeared. The race begins when the technical details of an issue are made public.
Worm: Number of days from release of exploit to worm appearance
Scalper (2002, FreeBSD) (*early disclosure): 11 days
Blaster (2003, Windows): 16 days
Code Red (2001, Windows): 24 days
Lion (2001, Linux): 53 days
Slapper (2002, Linux): 58 days
Melissa (1999, Windows): 64 days
Nimda (2001, Windows): 172 days
Slammer (2003, Windows): 180 days
Ramen (2001, Linux): 208 days
Source: Microsoft, Forrester

Security Enabled Business
Reduce Security Risk: Assess the environment; Improve isolation and resiliency; Develop and implement controls
Increase Business Value: Connect with customers; Integrate with partners; Empower employees
[Diagram labels: Risk Level, Impact to Business, Probability of Attack, ROI, Connected, Productive]

“Give us better access control” “Develop reliable and secure software” “Simplify critical maintenance” “Reduce impact of malware” “Provide better guidance”
Improve Updating; Engineering Excellence; Authentication, Authorization, Access Control; Isolation and Resiliency; Deliver Security Guidance, Tools, Responsiveness

Isolation And Resiliency Mitigating risk through innovation Reduce attack surface and vectors Proactively deflect and contain threats A computing platform that is more resilient in the presence of security threats

Isolation and Resiliency reducing the modes of attack Communicate and collaborate in a more secure manner without sacrificing information worker productivity Protection Against Buffer Overruns Network Protection Safer and IM Safer Web Browsing

Isolation and Resiliency Future: Active Protection. Application-aware firewalls; Intrusion prevention; Dynamic system protection; Behavior blocking

Isolation And Resiliency: Advanced Isolation
Client Inspection, Health Checkup: Check update level, antivirus, and other plug-in and scriptable criteria
Clients who do not pass can be blocked and isolated
Isolated clients can be given access to updates to get healthy

Advanced Updating Simplify the security update process with predictability, reduced downtime and advanced management tools Lower update costs while increasing efficiency Fewer installers and smaller update size Enhanced tools for desktops and servers Extended across Microsoft technologies

One update experience Windows Update > Microsoft Update SUS > Windows Update Services SMS 2003 Delta updating for 30-80% smaller update packages Better quality updates Rollback capability for all updates 10-30% fewer reboots Updating Windows Generation

Engineering Excellence Raising the bar for software security Improved development process New tools designed to help developers Guidance and training focused on secure coding Advance the state of the art of secure software development

Quality & Engineering Excellence Improved Development Process Threat modeling Code inspection Penetration testing Unused features off by default Reduce attack surface area Least Privilege Prescriptive Guidance Security Tools Training and Education Community Engagement Transparency Clear policy

Quality & Engineering Excellence: Helping Developers Write More Secure Code. .NET Framework 1.1; Cryptographic APIs; Integrated PKI; Visual Studio .NET 2003; Security Tools; Web Services Enhancements; Microsoft Security Developer Center; Writing Secure Code v2; Developer webcasts

Authentication, Authorization And Access Control Embracing identity and access management Integrated secure single sign-on experience New factors of authentication Seamless data protection across layers Enable business solutions with integrated platform security technologies

Authentication, Authorization and Access Control Enabling Security Critical Scenarios Windows IPSec integration SSL, RPC over HTTP ISA Server 2004 Deep Windows integration WPA, 802.1x, PEAP Single sign-on, smartcards, biometrics Provision for multiple credential types Rights Management Services Comprehensive Authorization Infrastructure (AD, EFS, ACLs…)

Guidance, Tools & Response: Customer Education and Partnerships. Seminars and publications; Alliances and information exchanges; Cooperation with law enforcement. Help customers through prescriptive guidance, training, partnership and policy

The Ten Immutable Laws of Security Patch Management
Law #1: Security Patches are a Fact of Life.
Law #2: It Does No Good to Patch a System That Was Never Secure to Begin With.
Law #3: There is No Patch for Bad Judgment.
Law #4: You Can’t Patch What You Don’t Know You Have.
Law #5: The Most Effective Patch is The One You Don’t Have to Apply.
Law #6: A Service Pack Covers a Multitude of Patches.
Law #7: All Patches Are Not Created Equal.
Law #8: Never Base Your Patching Decision on Whether You’ve Seen Exploit Code… Unless You’ve Seen Exploit Code.
Law #9: Everyone Has a Patch Strategy, Whether They Know It or Not.
Law #10: Patch Management is Really Risk Management.

Security is not easy... Security is a journey where you attempt to secure a complex system of many entities: People (culture, knowledge, skills) Process (policy, procedures, guidelines) Product/Technology (hardware, software, networks) These entities interact in rich and often-times unpredictable ways to cause problems Security will fall down if you continue to focus on one part of the problem Products/Technology is not the whole problem nor is it the whole solution If it were easy, anybody could do it...

Summary
Isolation and Resiliency: A computing platform that is more resilient in the presence of security threats
Advanced Updating: Simplify the security update process with predictability, reduced downtime and advanced management tools
Engineering Excellence: Advance the state of the art of secure software development
Expanded Authentication, Authorization, Access Control: Enable business solutions with integrated platform security technologies
Security Guidance, Tools, Responsiveness: Help customers through prescriptive guidance, training, partnership and policy

Extended support Monthly patch releases SMS 2003 Baseline guidance Community investments Windows XP Service Pack 2 Broad training ISA Server 2004 Windows Server 2003 Service Pack 1 Updating enhancements Active protection technology Visual Studio “Whidbey” Next generation inspection Future

Learn: Take training, read guidance, help educate users.
Connect: Participate in community. Subscribe to security newsletters.
Manage Risk: Implement a security plan and security risk management process. Upgrade laptops & remote systems to Windows XP. Standardize edge servers on Windows Server 2003.
Defense in depth: Implement multiple countermeasures.

Resources General Consumers Security Guidance Center Tools How Microsoft IT Secures Microsoft E-Learning Clinics Events and Webcasts

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.