Slide 2: Matt Heller, Internet Explorer, Microsoft. Session SIA315 (TechEd 2009)
Slide 3: Overview
- Security (15 min)
- Privacy (45 min)
- Q&A (15 min)
Slide 4: Security
Slide 5: Threat Vectors
Increasing severity and ways of risk:
- 2003: browser exploits in the wild
- 2005: social engineering
- 2006: malware; IE7 adds phishing protection
- 2008+: blended threats and Web 2.0 site exploits
Observations:
- Blended threats are shifting from the browser to sites
- Impact on data governance and regulations
- Rapid pace of threat innovation
- Consumer and employee data at risk
Slide 6: Web 2.0: Challenge or Opportunity?
- Efficiency, economics and expectations
- Syndicated content and the ad business model enable sites and businesses
- Growth in e-commerce depends on consumer trust
- Trust may be undermined by less-than-transparent collection of data and inadequate protection of privacy
- Unknown accountability between first parties and third parties
- Potential backlash and heightened consumer concerns
Slide 7: Internet Explorer 8: Trustworthy Browsing
Confidently bank, communicate and shop (social engineering and privacy):
- Extended Validation (EV) SSL certificates
- SmartScreen Filter: blocks phishing and malware
- Domain Highlighting
- Enhanced Delete Browsing History
- InPrivate Browsing and InPrivate Filtering
Build on a secure foundation (browser vulnerabilities):
- Security Development Lifecycle (SDL)
- Protected Mode
- ActiveX controls
- DEP (Data Execution Prevention)
Extend browser protection to the web server (web server and applications):
- HttpOnly cookies
- Group Policies
- XDomainRequest (cross-domain requests)
- XDM (cross-domain messaging)
- XSS Filter (cross-site scripting)
- Anti-ClickJacking
Slide 8: Domain Highlighting
- Lets the user more accurately ascertain the domain of the site being visited
- The domain is shown in black while the other characters of the URL are gray, so the real domain stands out from look-alike subdomains and path text
Slide 9: EV SSL Certificates: "Look for the Green"
- Provides consumers added confidence and brands enhanced protection
- Implemented by over 10,000 leading commerce, banking and transactional sites
Slide 10: Social Engineering
- Emerging threat vector and diversification
- Addresses concerns of users and site owners
SmartScreen Filter:
- Integrated phishing and malware-download protection
- Examines the URL string, pre-empting evolving threats
- Blocks 1 million+ weekly attempts to visit phishing sites
- Significant malware-site detection volumes: about 10x the phishing traffic (IE8 beta users)
- Group Policy support, a key IT requirement
- 24x7 support processes and feedback mechanisms
Slide 11: SmartScreen Filter
Slide 12: IE8 XSS Filter (web server and applications)
- Identifies and neuters the attack: script that arrives in the request and is reflected back in the response (reflected XSS)
- Blocks the malicious script from executing
Slide 13: Cross Site Scripting Filter
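The two slides above describe the filter's behaviour without showing the attack it is aimed at. The following is an added example, not Microsoft's XSS Filter code: a reflected-XSS handler, the server-side fix (output encoding), and a deliberately simplified model of the client-side check, in which script-like text from the request that is reflected verbatim into the response is neutered before the page is parsed. The signature list, the placement of the '#' character and the fragment-based matching are assumptions made for illustration; the real filter's signatures and heuristics are more involved.

```javascript
// Added example, not Microsoft's XSS Filter code. Shows (1) a reflected-XSS
// handler, (2) the server-side fix, and (3) a simplified model of the client-side
// check: script-like text in the request that is reflected verbatim into the
// response is "neutered" before the page is parsed. The signature list, the '#'
// placement and the fragment matching are assumptions for illustration.

// (1) Vulnerable: the search term is echoed into markup unencoded.
function searchPageVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// (2) Fixed: HTML-encode untrusted text before it reaches markup. This is the
// actual fix; a client-side filter is only a backstop for sites that skipped it.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}
function searchPageSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// (3) Simplified filter model. Each pattern stands in for one filter signature.
const SIGNATURES = [
  /<script\b/i,    // opening script tag
  /\bon\w+\s*=/i,  // inline event handler such as onerror=
  /javascript:/i,  // javascript: URL
];

// Disable a matched fragment by overwriting one character inside the token with
// '#', so it no longer parses as a tag name, attribute name or URL scheme.
function neuter(fragment) {
  return fragment.slice(0, 3) + '#' + fragment.slice(4);
}

// Look for signature matches in the request parameters; if the same fragment also
// appears in the response body it was reflected, and every occurrence is neutered.
function neuterReflectedScript(requestParams, responseHtml) {
  let html = responseHtml;
  const hits = [];
  for (const raw of Object.values(requestParams)) {
    let value;
    try { value = decodeURIComponent(raw); } catch (e) { value = raw; }
    for (const signature of SIGNATURES) {
      const match = signature.exec(value);
      if (match && html.includes(match[0])) {
        hits.push(match[0]);
        html = html.split(match[0]).join(neuter(match[0]));
      }
    }
  }
  return { html, hits };
}

// Constructed request: an attacker-controlled search term, as in a phishing link.
const attack = { q: '<script>alert(document.cookie)</script>' };
console.log(searchPageVulnerable(attack.q));                          // script would run
console.log(searchPageSafe(attack.q));                                // rendered as text
console.log(neuterReflectedScript(attack, searchPageVulnerable(attack.q)));
```

The model makes one limitation of the approach visible: it rewrites whatever response text matches the request, so a filter of this kind can also be pointed at a site's legitimate script by putting that script text in the URL. Output encoding on the server, as in searchPageSafe, is the fix; the filter is defence in depth.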
Slide 14: ClickJacking
- Entices users to click on content from another domain without realizing it: the target page is loaded in a frame and hidden or overlaid, so a click meant for the attacker's page lands on the target
- An evolving exploit of sites rather than of the browser; SmartScreen can block known malicious pages, but the defence itself is applied by the site
- Impacts all browsers; as of this 2009 session only IE8 has integrated protection
- Set X-FRAME-OPTIONS on the HTTP response header; the HTTP-EQUIV meta-tag form should not be relied on
- Values: DENY (never allow framing) or SAMEORIGIN (allow framing only from same-origin hosts)
Slide 15: ClickJacking
Slide 16: Privacy
Slide 17: Some Things that are "Creepy"
- Smile to the cameras: you're on them about 200 times a day
- "We're steadily marching to a society where every moment that you leave your home will be monitored and videotaped. And that's creepy." (Kevin Keenan, ACLU)
- Government online records: mortgage documents, public state records, etc. (Computerworld, Jan 29)
Slide 18: Why are they so Creepy?
- Having records online or using surveillance cameras is not necessarily illegal
- It is because "contextual integrity" is violated:
  - Information is transferred in a context
  - A context has a set of norms
  - When information is transferred from one context to another without notice and consent, contextual integrity is violated
Slide 19: Privacy is all about being in control
- Control == Notice + Consent
Slide 20: Security vs. Privacy
- Security: core engineering issues; protection from harm; protection from fraud
- Privacy: control over preferences; control over how information is shared
Slide 21: Web Privacy Issues Today: Some Examples
Slide 22: IE8 Privacy Goals
- Put the user in control of the web browser
  - Shared PC: Delete Browsing History, InPrivate Browsing
  - On the web: InPrivate Filtering
- Build useful, convenient features that make it easy to stay in control
- Leap ahead of the competition: InPrivate Filtering; preserve Favorites data
Slide 23: Delete Browsing History
- Preserve data from Favorites sites: keep the useful stuff, delete the not-so-useful stuff
- Convenient checkboxes
- Delete browsing history on exit
- Group Policy
Slide 24: Delete Browsing History
Slide 25: InPrivate Browsing
- Creates a new browsing window that does not record browsing history
- Things that are turned off: History; cookies (accepted, but downgraded to session-only); Suggested Sites; form-data saving
- Things that are deleted when you exit: Temporary Internet Files; Compatibility View list; ActiveX Opt-In list
Slide 26: InPrivate Browsing
Slide 27: InPrivate Browsing FAQ
- Parental Controls disable InPrivate Browsing
- IT scenarios: InPrivate Browsing can be disabled via Group Policy; it does not interfere with proxy servers, and proxy servers will still record the sites browsed; it does not provide anonymization
- Add-ons: toolbars and BHOs are not loaded by default; APIs are available for ActiveX controls; the Suggested Sites feature is turned off
Slide 28: Third Party Content Serving
- Over time, users' history and profiles can unknowingly be aggregated
- Any third-party content can be used like a tracking cookie
- There is little end-user notification or control today
- Syndicated photos, weather, stocks, news articles, local analytics, etc.
- Unclear accountability with third-party security and privacy policies
(Diagram: a user visits unique sites msn.com, ebay.com, amazon.com, cnn.com, cnet.com, about.com, msnbc.com and nytimes.com; each loads content from the same third-party syndicator web server, prosware-sol.com, which therefore sees the visits to all of them.)
Slide 29: Some Analogies
- Creepiest: surveillance camera scenario
- Less creepy: shopping mall scenario
Slide 30: Facts
- Information exchange is good: both parties get value from behavior data
- The online economy is fueled by high-tech advertising
- We also believe in Trustworthy Browsing: the user is always in control
Slide 31: InPrivate Filtering
- Helps give you control over which third-party content providers have a line of sight into your web browsing
- Keeps a table of third-party content and the first-party sites the content was loaded from
- Allows you to block content that passes a configurable threshold (10 first-party sites by default)
Slide 32: InPrivate Filtering
Slide 33: InPrivate Filtering FAQ (Short List)
- If I have a website, what do I do? Will my website break? IE8 exposes a JavaScript-accessible API, bool InPrivateFilteringEnabled() on window.external, that lets website owners detect when InPrivate Filtering is enabled
- Not an ad blocker, although some advertisements may be blocked
- InPrivate Filtering is a privacy tool: it can only block content that has a "line of sight" into your browsing history
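Slides 31 and 33 describe the mechanism (a table of third-party content keyed by the first-party sites that loaded it, with a block once a threshold is reached) and the site-side detection API. The following is an added example, not IE's implementation, that models both. The class and function names, the "host differs" test for what counts as third party, and blocking at or above the threshold (rather than strictly above it) are assumptions made for illustration.

```javascript
// Added example, not IE's implementation. ThirdPartyLedger models the bookkeeping
// the slides describe; inPrivateFilteringStatus() wraps the detection API they
// name. Names, the host-based third-party test and the ">= threshold" boundary
// are assumptions for illustration.

const DEFAULT_THRESHOLD = 10;

class ThirdPartyLedger {
  constructor(threshold = DEFAULT_THRESHOLD) {
    this.threshold = threshold;
    this.seen = new Map(); // content URL -> Set of first-party hosts that loaded it
  }

  // Content is third party when its host differs from the site in the address bar.
  // (A real implementation would compare registrable domains, not bare hosts.)
  isThirdParty(firstPartySite, contentUrl) {
    return new URL(contentUrl).host !== new URL(firstPartySite).host;
  }

  // Record that `firstPartySite` loaded `contentUrl`; false for first-party content.
  record(firstPartySite, contentUrl) {
    if (!this.isThirdParty(firstPartySite, contentUrl)) return false;
    if (!this.seen.has(contentUrl)) this.seen.set(contentUrl, new Set());
    this.seen.get(contentUrl).add(new URL(firstPartySite).host);
    return true;
  }

  // How many distinct first-party sites this content has been loaded from.
  lineOfSight(contentUrl) {
    const sites = this.seen.get(contentUrl);
    return sites ? sites.size : 0;
  }

  shouldBlock(contentUrl) {
    return this.lineOfSight(contentUrl) >= this.threshold;
  }

  // Per-request decision: note the load, then block once the threshold is reached.
  filter(firstPartySite, contentUrl) {
    this.record(firstPartySite, contentUrl);
    return this.shouldBlock(contentUrl) ? 'block' : 'allow';
  }
}

// Simulate a session over `sites`, all embedding `contentUrl`; returns the 1-based
// index of the first visit at which the content is blocked, or -1 if never.
function firstBlockedVisit(sites, contentUrl, threshold = DEFAULT_THRESHOLD) {
  const ledger = new ThirdPartyLedger(threshold);
  for (let i = 0; i < sites.length; i++) {
    if (ledger.filter(sites[i], contentUrl) === 'block') return i + 1;
  }
  return -1;
}

// Site-side detection. In IE8, window.external.InPrivateFilteringEnabled() reports
// the state; elsewhere the method is absent. The call is wrapped in try/catch rather
// than gated on typeof, because IE reports typeof 'unknown' for window.external
// methods. Returns true/false, or null when the state cannot be determined.
function inPrivateFilteringStatus(win) {
  const ext = win && win.external;
  if (!ext) return null;
  try {
    return Boolean(ext.InPrivateFilteringEnabled());
  } catch (e) {
    return null;
  }
}

// Constructed session: twelve unrelated sites all embed one syndicator's script.
const sessionSites = Array.from({ length: 12 }, (_, i) => `https://site${i + 1}.example/`);
console.log(firstBlockedVisit(sessionSites, 'https://syndicator.example/widget.js')); // 10
```

A publisher would call inPrivateFilteringStatus(window) at page load and, when it returns true, fall back to first-party-hosted content or show a notice that syndicated widgets may be missing, rather than assuming the third-party script loaded.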
Slide 34: 3rdParty.html
Slide 35: Preparing for rollout
Slide 36: Optimize Enterprise Deployment
Preparing for launch:
1. Optimize using the IE Desktop Security Guide
2. Turn on SmartScreen Filter by default
3. Disable the ability to click through phishing / malware warnings
4. Prevent additions to or deletions from Security Zones
5. Do not allow users to change policies for Security Zones
6. Do not allow users to turn off Protected Mode
7. Enable "Prevent Ignoring Certificate Errors"
8. Test compatibility with intranet and internet sites
9. Consider implementing Group Policies to disable InPrivate Browsing
Slide 37: For Publishers and Content Providers
- Publish a "thirdparty.html" page
- Test all third-party code for XSS
- Add the X-FRAME-OPTIONS "no-frame" header to pages that perform sensitive actions (the clickjacking defence from slide 14; on its own it is not a CSRF defence)
- SiteLock your ActiveX controls
- Leverage the InPrivate Filtering session status through the window.external DOM object
- Implement EV SSL certificates for e-commerce and transaction-related sites
- Learn more about compatibility, Accelerators and Web Slices
Slide 38: Internet Explorer Resources
- Feature overview: www.microsoft.com/ie8
- Engineering blog: http://blogs.msdn.com/ie
- IE8 Desktop Security Guide: http://sharepoint/sites/IE/Teams/mktg/security/default.aspx (Microsoft-internal link)
- Safety and privacy features: www.microsoft.com/windows/internet-explorer/beta/features/browse-privately.aspx
- Business value of IE8 and EV SSL certificates: www.microsoft.com/ie/ev
- User Control and Privacy Feature Guide: www.microsoft.com/ie/privacy
- Toolkit: www.microsoft.com/windows/internet-explorer/beta/tech-resources.aspx
- Internet Explorer Administration Kit (IEAK): http://technet.microsoft.com/en-us/ie/bb219517.aspx
- IE Compatibility Center: http://msdn.com/iecompat
Slide 39: Conclusion
- Privacy and security are essential components of Trustworthy Browsing
- IE continues to lead the way in security with innovative new features, such as the XSS Filter and ClickJacking protections
- The IE team has made a significant competitive investment in privacy tools
- IE8 is the most trustworthy browser to date
Slide 40: Internet Explorer 8 Feedback
- "Microsoft's announcement is significant not because it's a major technological breakthrough, but because it's a breakthrough into making it easier for users to have real control over their privacy." Ari Schwartz of the Center for Democracy and Technology. CDT report: www.cdt.org/privacy/20081022_browser_priv.pdf
- "…Microsoft's next Web browser will be a major update with new usability, security, and developer-oriented features. Unlike the competition, IE 8 is enterprise-friendly…..This is an important browser, and one that all businesses, technical enthusiasts, and other power users should begin evaluating immediately…" Paul Thurrott
Slide 42: Resources
- www.microsoft.com/teched: sessions on-demand and community
- http://microsoft.com/technet: resources for IT professionals
- http://microsoft.com/msdn: resources for developers
- www.microsoft.com/learning: Microsoft certification and training resources
Session recordings are available at TechEd Online (TechEd 2009 did not produce a DVD).
Slide 43: Related Content
- WUX 301: Advanced Cross Browser AJAX Applications with Windows Internet Explorer 8
Slide 45: © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.