1. Stuart Aston Chief Security Advisor Microsoft UK stuart.aston@microsoft.com

2. Cloud

4. Virus Web Defacement Worms Botnets Targeted Attack Personal Gain Expert Agenda Hacker Curiosity Hobbyist National Interest Specialist Personal Fame Hacker Blended Attack

5. Reduce Security RisksImprove efficiency Save investments in existing infrastructure Reduce planning and deployment cost Decrease number of support calls due to hardware or software incompatibilities or recovery of corporate information Enable New Scenarios More Securely Secure shipping of hardware Efficient and non-intrusive protection of corporate data Control over removable storage devices Compliance with data protection regulations Reduce intellectual property (IP) theft or system breach Loss of Sensitive Data through stolen computers, lost removable media and when decommissioning old hardware Integrity checking of early boot components

6. £162,500,000 £650,000,000 £27,000,000,000 £162,500,000

8. Austria3.83.03.53.3 Finland3.72.13.82.3 Germany5.54.65.65.3 Japan5.14.44.63.3 United Kingdom7.96.77.48.7 Worldwide10.89.69.98.7

10. o Comparatively Small Market 5.5m potential victims o Bigger “Phish” next door o Close CERT/ISP ties o Many employees from local ISP’s leading to close collaboration o Strong ISP Cyber Security Polices o Residential customers disconnected if a persistent malware is detected o Low Piracy Rates (24%, 6 th lowest in the world) o Windows Update

11. o Situational Awareness o actively provided by CERT-FI to Network Admins to inform them of breach events on their networks o Cultural imperative to treat infection & education of Administrators o It’s bad to be breached! o Pragmatic Legislation o Empowers and obliges Admins & ISP’s o Requires ISP’s to provide security and threat information to customers o End user Education o National Security Day has run for 8 years!

12. o Large Co-Ordinated CERT Community o CERT - ISP Collaboration o Owners of infected computers informed and or isolated o Community Education and Awareness o Warnings to Government Stakeholders, Private Sector and Individual Citizens o Reactive as Well as proactive engagement o Suspicious Traffic Collected – Cross Referenced – Contacted!

13. o Strong Public Private Partnership o Cyber Clean Center (www.ipa.go.jp)www.ipa.go.jp o METI - Virus Consultation Service (est. 1990) o Culture of Technical Improvement o Improve the Developer reduce the Risks o IPA - How To Secure Your Website (http://www.ipa.go.jp/security/vuln/documents/webs ite_security_en.pdf)http://www.ipa.go.jp/security/vuln/documents/webs ite_security_en.pdf o Free Analysis Tool to detect known vulns in protocols

14. Cyber-Law Cloud Computing Web Modernization 64-bit Computing Architectures of Safety Robust Mitigations Vulnerability Disclosure Smart Devices Everywhere

15. o No SEH records on stack (breaks SEH hijack techniques) o SEHOP compensates for this on 32-bit o Data Execute Protection (DEP) is permanently enabled o Apps must opt-in on 32-bit o Heap “Terminate on Corruption” enabled by default for 64-bit apps o Will see great revamping of exploit toolkits for 64bit

16. o Goals o Compartmentalize a system so a compromise doesn’t result in a full system break o Increase attacker requirements (multiple vulns) o A history with Windows… o Windows NT 3.1 introduced securable objects, DACLs, and access tokens o Windows 2000 introduced Job Objects and Restricted Tokens o Windows Vista introduced UI Privilege Isolation (UIPI) and integrity levels

17. Stack Heap / Pool Executable Code /GS 1.0 /GS 1.1 Heap 1.0 DEP ASLR DEP IE8 20072006200520042003 /GS 2.0 2008 /NXCOMPAT Heap 2.0 HeapTerm EH4 SEHOP /GS 3.0 DEP+ATL Safe Unlinking 2009 DEP O14 17 Robust Mitigations o Microsoft has delivered a number of defenses since the beginning of Trustworthy Computing o Goal is to make exploits brittle

18. o Richer Targets o More connected o Authenticated Devices o Credentials o Location o Full featured OS o How many operating systems now? How many chips? o Do they update? o Do they use mitigation technology? o Are they ready for attacks?

19. 19

20. o Governments recognize: o The opportunity cyber brings to civil society (healthcare, economic prosperity, etc.) o Need for better identity systems and trust mechanisms o The dependence of national economies on information infrastructures o The asymmetric risks of cyber threats o Approximately 50 countries pursuing legislation on: o National cyber incident reporting systems & info sharing o Critical infrastructure protection o Increasing security of government systems o Certification and training of cyber-security professionals o Increased criminal penalties

21. 20102009 2008 MS08-067 (Oct 2008) XML Tags (Dec 2008) Excel (April 2009) PowerPoint (June 2009) Media Player (July 2009) IE EventObj (Jan 2010) IE #userdata (Mar 2010) Shell LNK( Aug 2010) Spooler ( Aug 2010) Win32k.sys ( Aug 2010) Task scheduler ( Aug 2010) Help Ctr ( July 2010) OWC AX (June 2009) The Internet as a unique “battlefield” Rich targets, Anonymity, Global connectivity, Lack of traceability.. Low barriers to downstream appropriation

22. o Stay up to date, move to x64, stay patched o Drive genuine Public Private Partnerships – with positive measurable outcomes o IA Community actively monitor, communicate and act on threats o Cultural Change, Administrators need to be encouraged to mitigate threats o Enforcement Policies & Active Remediation of Threats o Education Campaigns and Media Focus on improving public awareness to what can be done to mitigate the threats o Drive Down Low Piracy o Keep all software up to date, modernise where practical, isolate where not o EMET