Slide 2: Peter.Willmot@XpertEase.co.za
Slide 3: Know your enemy
- The Dancing Pig syndrome: "No amount of self-control can stop someone from clicking on links or running attachments when the payoff is the promise of tutu-clad swine parading across the screen!" (Steve Riley, Microsoft)
- Immutable Laws of Human Nature: Stupidity, Selfishness, Horniness (Scott Adams, The Dilbert Future)
Slide 4: Threat Vectors: Increasing Severity and Ways of Risk
- 2003: Browser exploits in the wild
- 2005: Social engineering
- 2006: Malware; IE 7 ships with phishing protection
- 2008+: Blended threats and Web 2.0 site exploits
- Blended threats are shifting from the browser to sites
- Impact on data governance and regulations
- Rapid pace of threat innovation
- Consumer and employee data at risk
Slide 5: Web 2.0: Challenge or Opportunity?
- Efficiency, economics and expectations
- The syndicated content and advertising business model enables sites and businesses
- Growth in eCommerce depends on consumer trust
- Trust may be undermined by less-than-transparent collection of data and inadequate protection of privacy
- Unknown accountability of 3rd parties
- Potential backlash and heightened consumer concerns
Slide 6: Internet Explorer 8: Trustworthy Browsing
Social engineering and privacy: confidently bank, communicate and shop
- Extended Validation (EV) SSL certificates
- SmartScreen Filter: blocks phishing and malware
- Domain Highlighting
- Enhanced Delete Browsing History
- InPrivate Browsing and InPrivate Filtering
Browser vulnerabilities: build on a secure foundation
- Security Development Lifecycle (SDL)
- Protected Mode
- ActiveX controls
- DEP (Data Execution Prevention)
- Revised process architecture
Web server and applications: extends browser protection to the web server
- HttpOnly cookies
- Group Policies
- XDomainRequest (cross-domain requests)
- XDM (cross-domain messaging)
- XSS Filter (cross-site scripting)
- Anti-clickjacking
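The cross-domain messaging (XDM) item above is only safe if both ends do their checks: the receiver must validate the sender's origin before it looks at the payload, and the sender must name the target origin rather than use "*". The following is an added example written for this transcript, not code from the deck or from Microsoft; the trusted origins, the JSON command vocabulary and the window-like stub are assumptions made so the logic runs outside a browser. Messages are serialised as JSON strings because IE8's postMessage only carries strings.

```javascript
'use strict';
// Receiver side of cross-domain messaging (window.postMessage / IE8 XDM).
// The event is modelled as the browser delivers it: { origin, data }.

// Origins this page accepts messages from (hypothetical for this example).
const TRUSTED_ORIGINS = new Set(['https://widget.example', 'https://pay.example']);

// Fixed command table; the payload is never evaluated as code.
const HANDLERS = {
  resize: (args, state) => { state.height = Math.min(Number(args.height) || 0, 2000); return 'ok'; },
  ping:   () => 'pong',
};

function handleMessage(event, state, trusted = TRUSTED_ORIGINS) {
  // 1. Compare the full origin. A substring test ("example" in origin) is bypassable
  //    by e.g. https://widget.example.attacker.test.
  if (!trusted.has(event.origin)) {
    return { accepted: false, reason: 'untrusted origin ' + event.origin };
  }
  // 2. Even from a trusted origin the data is untrusted input: parse, don't eval.
  let msg;
  try { msg = JSON.parse(event.data); } catch (e) { return { accepted: false, reason: 'malformed JSON' }; }
  // 3. Own-property check so "constructor"/"__proto__" cannot select a prototype member.
  if (!msg || typeof msg.cmd !== 'string' || !Object.prototype.hasOwnProperty.call(HANDLERS, msg.cmd)) {
    return { accepted: false, reason: 'unknown command' };
  }
  return { accepted: true, result: HANDLERS[msg.cmd](msg.args || {}, state) };
}

// Sender side: name the target origin so the browser drops the message if the frame
// has been navigated elsewhere. `win` is a window-like object (stubbed in tests).
function sendToFrame(win, targetOrigin, cmd, args) {
  if (targetOrigin === '*') throw new Error("refusing to post with targetOrigin '*'");
  win.postMessage(JSON.stringify({ cmd, args }), targetOrigin);
}
```

The `state` argument exists so the handler's side effects can be observed without a DOM; in a real page the handler would touch the iframe element directly.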
Slide 7: Domain Highlighting
- Lets the user more accurately ascertain the domain of the site being visited
- The domain is shown in black; the rest of the URL is shown in gray
Slide 8: EV SSL Certificates: "Look for the Green"
- Gives consumers added confidence and gives brands enhanced protection
- Implemented by over 10,000 leading commerce, banking and transactional sites
Slide 9: Social Engineering
- An emerging and diversifying threat vector
- Addresses the concerns of both users and site owners
SmartScreen Filter
- Integrated phishing and malware download protection
- Examines the URL string, pre-empting evolving threats
- Blocks 1 million+ weekly attempts to visit phishing sites
- Significant malware site detection volumes: roughly 10x the traffic of phishing (IE8 beta users)
- Group Policy support, a key IT requirement
- 24x7 support processes and feedback mechanisms
Slide 10: IE 8 XSS Filter (Web Server and Applications)
- Identifies and neuters the attack: script reflected from the request URL into the response is detected and neutralised in the response
- Blocks the malicious script from executing
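To make the slide concrete, here is the reflected-XSS pattern the filter targets, the server-side fix (output encoding, which is the real cure), and a deliberately simplified model of a reflected-XSS filter that neuters the reflected fragment in the response the way IE8's filter rewrote matched attacks. This is an added example for this transcript and not IE8's implementation; the search page, the attack patterns and the "#" substitution are assumptions.

```javascript
'use strict';
// Reflected XSS: vulnerable echo, hardened echo, and a simplified browser-side filter.

// Encode for an HTML text context. The five characters below are the minimum set.
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g,
    c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// The classic bug: a search page echoing the query parameter unencoded (hypothetical page).
function renderVulnerable(query) {
  return '<p>Results for: ' + query + '</p>';
}

// The fix belongs on the server: encode for the output context at output time.
function renderHardened(query) {
  return '<p>Results for: ' + htmlEncode(query) + '</p>';
}

// Simplified reflected-XSS filter (assumption: three common attack shapes).
// If a script-looking fragment of a request parameter appears verbatim in the response,
// break it in place, e.g. "<script>" becomes "<sc#ript>", so the browser cannot execute it.
const ATTACK_PATTERNS = [/<script\b[^>]*>/i, /\bon\w+\s*=/i, /javascript:/i];

function neuterReflected(requestUrl, responseBody) {
  let params;
  try { params = new URL(requestUrl).searchParams; } catch (e) { return { body: responseBody, neutered: false }; }
  let body = responseBody, neutered = false;
  for (const [, value] of params) {
    for (const pat of ATTACK_PATTERNS) {
      const m = value.match(pat);
      if (m && body.includes(m[0])) {
        const broken = m[0].slice(0, 3) + '#' + m[0].slice(3);
        body = body.split(m[0]).join(broken);
        neutered = true;
      }
    }
  }
  return { body, neutered };
}
```

The filter only ever sees reflected attacks (stored XSS is invisible to it), and it is defence in depth for users, not a fix for the site: the hardened page above needs no filter at all. Current browsers have since removed their XSS filters; output encoding plus a Content Security Policy is what a site should rely on.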
Slide 11: ClickJacking
- Entices users to click on content from another domain without realizing it
- An evolving attack on web sites, mitigated by the SmartScreen Filter and by the header below
- Affects all browsers; at the time of this talk (2009) only IE 8 had integrated protection
- Mitigation: send an X-FRAME-OPTIONS header in the HTTP response (or as an HTTP-EQUIV meta tag on the page)
- Values: DENY (deny all framing) or SAMEORIGIN (allow framing only from same-origin hosts)
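The two halves of the mitigation, setting the header on the server and what a conforming browser does with it, as an added example written for this transcript (not IE8 or Microsoft code). The header-map helpers and the bank/attacker hostnames are assumptions; in a Node server `addFrameProtection` would be applied to the headers object before `res.writeHead`.

```javascript
'use strict';
// X-Frame-Options: server-side emission and a model of browser-side enforcement.

function getHeader(headers, name) {
  // Header names are case-insensitive.
  const k = Object.keys(headers).find(h => h.toLowerCase() === name.toLowerCase());
  return k ? String(headers[k]) : '';
}

// Server side: add the header to a response-headers object. Only the two values
// from the slide are accepted; anything else is a configuration error.
function addFrameProtection(headers, mode) {
  const m = String(mode).trim().toUpperCase();
  if (m !== 'DENY' && m !== 'SAMEORIGIN') {
    throw new Error('X-Frame-Options must be DENY or SAMEORIGIN, got ' + mode);
  }
  headers['X-Frame-Options'] = m;
  return headers;
}

// Browser side: may the document at pageUrl, served with these headers, be rendered
// inside a frame whose top-level document is topUrl? A missing or unrecognised header
// means "frame me anywhere", which is exactly what clickjacking relies on.
// (This checks the top-level document; browsers differ on whether every intermediate
// ancestor is also checked for SAMEORIGIN.)
function framingAllowed(headers, pageUrl, topUrl) {
  const value = getHeader(headers, 'X-Frame-Options').trim().toUpperCase();
  if (value === 'DENY') return false;
  if (value === 'SAMEORIGIN') return new URL(pageUrl).origin === new URL(topUrl).origin;
  return true;
}
```

Two practical caveats: RFC 7034 requires browsers to ignore the meta-tag form, so only the real HTTP response header can be relied on; and the header must be present on every framable response (including error pages), not just the main document. The later ALLOW-FROM value was never widely supported, and Content-Security-Policy's frame-ancestors directive is the modern replacement for both.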
Slide 12: Some Things that are "Creepy"
- Smile to the cameras: you are on them about 200 times a day
- "We're steadily marching to a society where every moment that you leave your home will be monitored and videotaped. And that's creepy." (Kevin Keenan, ACLU)
- Government records online: mortgage documents, public state records, etc. (Computerworld, Jan 29)
Slide 13: Why are they so Creepy?
- Having records online or using surveillance cameras is not necessarily illegal
- It is because "contextual integrity" is violated
- Information is transferred in a context, and a context has a set of norms
- When information is transferred from one context to another without notice and consent, contextual integrity is violated
Slide 14: Privacy is all about being in control
- Control == Notice + Consent
Slide 15: Security vs. Privacy
- Security: core engineering issues; protection from harm; protection from fraud
- Privacy: control over preferences; control over how information is shared
Slide 16: Web Privacy Issues Today: Some Examples
Slide 17: IE8 Privacy Goals
- Put the user in control of the web browser
- Shared PC: Delete Browsing History, InPrivate Browsing
- On the Web: InPrivate Filtering
- Build useful, convenient features that make it easy to stay in control
- Leap ahead of the competition: InPrivate Filtering, preserving Favorites data
Slide 18: Delete Browsing History
- Preserve data from Favorites sites: keep the useful stuff, delete the not-so-useful stuff
- Convenient checkboxes
- Delete browsing history on exit
- Group Policy
Slide 19: InPrivate Browsing
- Creates a new browsing window that does not record browsing history
- Turned off: History; Cookies (accepted, but downgraded to session-only); Suggested Sites; form data saving
- Deleted on exit: Temporary Internet Files; Compatibility View list; ActiveX Opt-In list
Slide 20: InPrivate Browsing FAQ
- Parental Controls: disables InPrivate Browsing
- IT scenarios: InPrivate Browsing can be disabled via Group Policy; it does not interfere with proxy servers, and proxy servers will still record the sites browsed; it does not provide anonymization
- Add-ons: toolbars and BHOs are not loaded by default; APIs are available for ActiveX controls; the Suggested Sites feature is turned off
Slide 21: Third Party Content Serving
- Over time, users' history and profiles can unknowingly be aggregated
- Any third-party content can be used like a tracking cookie
- There is little end-user notification or control today
- Examples: syndicated photos, weather, stocks, news articles; local analytics, etc.
- Unclear accountability under third-party security and privacy policies
(Diagram: a user visits unique sites msn.com, ebay.com, amazon.com, cnn.com, cnet.com, about.com, msnbc.com and nytimes.com; each embeds content served from a single 3rd-party syndicator web server, Prosware-sol.com.)
Slide 22: Some Analogies
- Creepiest: a surveillance camera everywhere
- Less creepy: a surveillance camera in a shopping mall
Slide 23: Facts
- Information exchange is good: both parties get value from behavior data
- The online economy is fueled by high-tech advertising
- We also believe in Trustworthy Browsing: the user is always in control
Slide 24: InPrivate Filtering
- Helps give you control over which 3rd-party content providers have a line of sight into your web browsing
- Keeps a table of 3rd-party content and the first-party sites the content was loaded from
- Lets you block content that passes a configurable threshold (10 first-party sites by default)
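The bookkeeping the slide describes is simple enough to show end to end: per third-party resource, record the set of first-party sites it was loaded from, and block it once that set reaches the threshold. This is an added model written for this transcript, not IE8's code; it assumes the table is keyed by the resource's origin plus path (so cache-busting query strings do not reset the count), that "blocked" means the count has reached the threshold, and it approximates a site by the last two host labels, which a real implementation would replace with the public suffix list (co.za, for example, needs three labels).

```javascript
'use strict';
// Model of InPrivate Filtering's third-party content table and threshold.

// Site approximation: last two labels of the host (simplification; see lead-in).
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

class InPrivateFilterModel {
  constructor(threshold = 10) {     // 10 first-party sites is the IE8 default per the slide
    this.threshold = threshold;
    this.seen = new Map();          // resource key -> Set of first-party sites
  }

  // Called for each sub-resource a page loads. Returns true if the load should be blocked.
  observe(pageUrl, resourceUrl) {
    const page = new URL(pageUrl), res = new URL(resourceUrl);
    // First-party content is never counted: the page's own site already knows you are there.
    if (siteOf(page.hostname) === siteOf(res.hostname)) return false;
    const key = res.origin + res.pathname;   // assumption: query string ignored
    let sites = this.seen.get(key);
    if (!sites) { sites = new Set(); this.seen.set(key, sites); }
    sites.add(siteOf(page.hostname));
    return sites.size >= this.threshold;
  }

  // How many distinct first-party sites this provider has observed you on: its "line of sight".
  lineOfSight(resourceUrl) {
    const res = new URL(resourceUrl);
    const sites = this.seen.get(res.origin + res.pathname);
    return sites ? sites.size : 0;
  }
}
```

The interesting property is what the counter does not catch: a provider that serves its beacon from a different path or host per customer never crosses the threshold, which is why the slide calls this a privacy tool rather than an ad blocker.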
Slide 25: InPrivate Filtering FAQ (Short List)
- If I have a website, what do I do? Will my website break? IE8 includes a JavaScript-accessible API, bool InPrivateFilteringEnabled(), that lets website owners detect when InPrivate Filtering is enabled
- Not an ad blocker: some advertisements may be blocked, but InPrivate Filtering is a privacy tool; it can only block content that has a "line of sight" into your browsing history
Slide 26: 3rdParty.html
Slide 27: Optimize Enterprise Deployment: Preparing for launch
1. Optimize using the IE Desktop Security Guide
2. Turn on SmartScreen Filter by default
3. Disable the ability to click through phishing and malware warnings
4. Prevent additions to or deletions from Security Zones
5. Do not allow users to change Security Zone policies
6. Do not allow users to turn off Protected Mode
7. Enable the "Prevent ignoring certificate errors" policy
8. Test compatibility with intranet and internet sites
9. Consider implementing Group Policies to disable InPrivate Browsing
Slide 28: For Publishers and Content Providers
- Publish a "thirdparty.html" page
- Test all 3rd-party code for XSS
- Add the anti-framing (X-Frame-Options) header to CSRF-sensitive pages
- SiteLock your ActiveX controls
- Read InPrivate Filtering session status through the window.external DOM object
- Implement EV SSL certificates for e-commerce and transaction-related sites
- Learn more about compatibility, Accelerators and Web Slices
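The window.external check recommended here (and the InPrivateFilteringEnabled() API from the FAQ slide) has one practical trap: in browsers other than IE8 window.external may be missing, may lack the method, or may be a host object that throws when an unknown member is touched. The following is an added example for this transcript, not Microsoft's code, showing the guarded call and one way a publisher might act on the result; the fallback and widget URLs are hypothetical, and `ext` is passed in so the function can be exercised without a browser.

```javascript
'use strict';
// Detect InPrivate Filtering via window.external without breaking other browsers.

// `ext` is window.external (injected for testability).
function inPrivateFilteringEnabled(ext) {
  try {
    // Guard both the missing-method case and host objects that throw on member access.
    if (ext && typeof ext.InPrivateFilteringEnabled === 'function') {
      return ext.InPrivateFilteringEnabled() === true;
    }
  } catch (e) {
    // Any failure is treated as "not enabled"; the page must never depend on this call succeeding.
  }
  return false;
}

// Publisher's decision: third-party content may be filtered, so serve a first-party
// fallback instead of leaving a hole in the page (hypothetical URLs).
function chooseWidgetSource(ext) {
  return inPrivateFilteringEnabled(ext)
    ? { src: '/local/weather-fallback.html', thirdParty: false }
    : { src: 'https://weather.syndicator.example/widget.js', thirdParty: true };
}
```

Treat the result as a hint, not a security boundary: a user can turn filtering on mid-session, and the API says nothing about which individual resources will be blocked.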
Slide 30: Resources
- www.microsoft.com/teched: international content and community
- http://microsoft.com/technet: resources for IT professionals
- http://microsoft.com/msdn: resources for developers
- www.microsoft.com/learning: Microsoft certification and training resources
Speaker note: TechEd 2009 is not producing a DVD; attendees can access session recordings from the Tech-Ed website, available only after the event. Tech·Ed Africa 2009 sessions will be made available for download the week after the event from www.tech-ed.co.za
Slide 32: © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.