Archive for the ‘Microsoft’ category

Baking Security In: A Comic Strip View of SDL

February 19, 2009

So how do you take your average developer who scoffs at security from the careless and brash Kevin to the poster child for good development practices, Kevlarr? Well, the Microsoft SDL team has the answer for you. The team recently started publishing a series of web comics detailing the travails of the dev team at Contoso, who are under attack from the League of Malware. Along the way they battle foes such as Spam Bot and Social Engineer while getting help from Vigil and Nforcer. Strip 11 of this interesting attempt to socialize security is below:

[image: SDL comic, strip 11]

Socializing security is essential for organizations to drive culture change from one based on FUD to one based on an understanding of security needs. People are the most complex part of the security puzzle. Most people take the easy way out and will avoid the things they fear or don’t understand. Every CIO should ask what his or her organization’s plans around socializing security are. So what are they?

- Akshay


Microsoft IT Solutions: Full Drive Encryption using BitLocker

February 7, 2009

One of the challenges that I have been focusing my team on this fiscal year has been creating new solutions that leverage the learning Microsoft IT has gained in deploying technology or solving problems. Microsoft IT generally has to deploy new technologies from Microsoft several months before they are generally available, in a process known as dogfooding. Often it needs to develop and deploy solutions multiple times as the product cycles through betas, release candidates and the released version. Customers will find solutions that leverage this deep expertise and experience useful in speeding up the architecture and deployment of their own solutions.

In this series Microsoft IT Solutions, I will be detailing some of this innovation coming out of Microsoft’s InfoSec group. The first of the series is Full Drive Encryption using BitLocker®. I asked Richard Lewis, Security Architect on my team & the creator of this solution kit to describe the BitLocker FDE solution. Here is his description:

The InfoSec team recently created and delivered the BitLocker Service Kit for the Core I/O Service Line under the Security, Identity and Access Management (SIAM) portfolio. SIAM is a portfolio offering from Microsoft Services.  SIAM is divided into six offerings that address particular security IT capabilities – the BitLocker Service Kit was created under the Enterprise Data Security Optimization IT capability.

The BitLocker Service Kit provides Microsoft Services sales and delivery roles with the resources they need to sell and deliver comprehensive Full Volume Encryption solutions based on Windows BitLocker Drive Encryption. Ultimately this Service Kit helps Microsoft Services accelerate their customers’ BitLocker deployment timeline and therefore Windows Vista deployment, decrease the risk of data loss, and increase customer satisfaction. Overall this kit contains over twenty different documents such as checklists, guides, worksheets, operation guides, architecture and design documents to help our sales and delivery consultants deploy BitLocker in an optimized manner.

The resource who led creation of this service kit was also involved in the MSIT BitLocker deployment and is currently helping a large financial services organization deploy BitLocker to over 100,000 desktops. Learning and feedback from the MSIT internal BitLocker deployment were instrumental in the creation of this Service Kit and will continue to be used as InfoSec goes into the field and helps Microsoft customers with their BitLocker deployments. This kit demonstrates that IP from MSIT projects adds value to our products and ultimately our customers.

Drop me a note if you would like some additional details on this solution kit or the innovation process within Microsoft.

- Akshay

Note to Fannie Mae: Dealing with Logic Bombs

January 31, 2009

Today, it was revealed that a departing contractor left Fannie Mae with a parting gift: a Logic Bomb designed to take out 4000 of the financial giant’s servers and their data. Since this news broke, a number of concerned CIOs have asked my team for guidance on how to deal with logic bombs. So here is a quick lesson on these malicious attacks.

A Logic Bomb is a malicious piece of code inserted into a software system that executes when certain conditions are met, most commonly the arrival of a set date. A Logic Bomb that goes off on a particular date is called a Time Bomb.

In this case the attack was successful because the contractor’s authorization to access systems was not revoked after he was let go. In identity management systems like ILM, revoking that access is known as deprovisioning.

Logic Bombs are usually indistinguishable from normal code and are inserted into the system by a programmer who has authorized access to it. They belong to an insidious class of attacks called insider attacks, which are the most difficult to detect and mitigate. The CSI/FBI 2005 Computer Crime and Security Survey indicated that 56% of organizations reported some level of security breach from within their organization. So a note to all you CIOs/CSOs: if you think that only your internet-facing assets face a high risk of attack… think again.

What can you do to avoid a fate like Fannie Mae’s? Sadly your options are limited and depend on strict adherence to process. This is what you can do (in order from immediate to long term):

  • Deprovision user accounts for individuals who have been let go while they are on premises or even before you inform them
  • For programmers, create a copy of their files and code before they leave. These can be compared with copies of files and code after a few days to look for changes.
  • After a person with access to critical digital assets including systems and code leaves the org, invest in having a peer double check for logic bombs that may have been left behind
  • Change access credentials to critical systems periodically and consider two factor authentication.
  • Use an identity management system to manage provisioning & deprovisioning user accounts
  • Invest in multi-tiered logging and auditing systems with separation of duties between the monitored and monitoring parties. This ensures a trail of evidence for prosecution should the matter go to court.
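Two of the items above lend themselves to simple automation: the access review that catches accounts of departed staff that were never deprovisioned (first and fifth bullets), and the snapshot-and-compare of a programmer’s code tree a few days after departure (second and third bullets). The script below is an added example and is not part of the original post or of any Microsoft tool; the HR feed, directory export and code tree it works on are constructed inline, and the function names are my own.

```python
"""Added example: two defender-side checks against insider logic bombs.

1. find_undeprovisioned(): cross-check an HR termination feed against a
   directory export and list accounts that are still enabled.
2. build_manifest() / diff_manifests(): hash every file in a code tree at
   departure time and compare against a later snapshot, so that unexplained
   additions or edits stand out for a peer review.

All data below is constructed for the example; no real systems are queried.
"""
import hashlib
import tempfile
from datetime import date
from pathlib import Path

# Constructed HR feed: user -> last working day.
HR_TERMINATIONS = {"jdoe": date(2009, 1, 15), "rlee": date(2009, 1, 20)}

# Constructed directory export: user -> account state.
DIRECTORY_ACCOUNTS = {
    "jdoe": {"enabled": True},    # terminated but never deprovisioned
    "rlee": {"enabled": False},   # terminated and correctly disabled
    "asmith": {"enabled": True},  # current employee
}


def find_undeprovisioned(terminations, accounts, as_of):
    """Return users whose last day is on or before `as_of` but whose account is still enabled."""
    return sorted(
        user
        for user, last_day in terminations.items()
        if last_day <= as_of and accounts.get(user, {}).get("enabled", False)
    )


def build_manifest(root):
    """Map each file under `root` (POSIX-style relative path) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifests(before, after):
    """Classify differences between a departure-time manifest and a later one."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def demo():
    """Run both checks on the constructed data and return (stale_accounts, code_changes)."""
    stale = find_undeprovisioned(HR_TERMINATIONS, DIRECTORY_ACCOUNTS, date(2009, 1, 31))

    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp)
        (tree / "jobs").mkdir()
        (tree / "jobs" / "nightly.ps1").write_text("# nightly maintenance job\n")
        (tree / "README.txt").write_text("build notes\n")
        before = build_manifest(tree)  # snapshot taken at departure

        # Constructed later state: one scheduled job edited, one new file appeared.
        (tree / "jobs" / "nightly.ps1").write_text("# nightly maintenance job\n# edited after departure\n")
        (tree / "jobs" / "cleanup.ps1").write_text("# new, unreviewed job\n")
        after = build_manifest(tree)   # snapshot taken a few days later

    return stale, diff_manifests(before, after)


if __name__ == "__main__":
    stale_accounts, changes = demo()
    print("Accounts still enabled after termination:", stale_accounts)
    print("Code tree changes since departure:", changes)
```

Run as-is, the access review flags `jdoe` and the manifest diff reports `jobs/nightly.ps1` as modified and `jobs/cleanup.ps1` as added; anything in those lists is what the peer reviewer from the third bullet should read first. In a real deployment the manifest would be taken from the production scheduler and source tree, stored where the departing programmer had no write access, and the diff run again after the next release cycle.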

Plan ahead to deny the disgruntled the ability to plant logic bombs; failing that, defuse the logic bombs; failing that, hit the deck and hope that the script has a bug.

- Akshay


My BlueHat Talk: Suddenly Psychic

July 15, 2008

Just got word that my talk Suddenly Psychic: Knowing everything about everyone was accepted at Microsoft’s BlueHat Security Conference on October 16-17th. Sometimes when you go blue… you really go blue.

Over the course of the next few months my buddy Nitesh Dhanjani and I will be presenting our research on how the business, psychological and behavioral aspects of our virtual and real-world personas impact our security and privacy. In particular, I am excited about two aspects of this talk. The first is the opportunity to explore techniques that were previously available only to large corporations or TLAs (three letter organizations) to gain intelligence. The second is to analyze the impact of our findings on the financial value of social networks and propose advances to current business models.

TITLE: Suddenly Psychic: Knowing Everything About Everyone

ABSTRACT:
Imagine a world where you can remotely influence other people’s behavior. This talk will expose how information about people in the physical world, coupled with voluntary information from new communication paradigms such as social networking applications, can enable you to remotely read people’s minds to influence their behavior.

Topics of discussion will include:

  • Techniques on how individuals may be remotely influenced by focused marketing and messaging tactics, and how criminal groups and governments may abuse this capability.
  • Reconnaissance and pillage of confidential information, including intellectual properties owned by businesses.
  • Falsified profiles used to construct undeserved reputation as well as the risk of reputation tarnish.
  • Remote behavior analysis that can be used to construct personality profiles to predict current and future psychological states of targeted individuals, including discussions on how emotional and subconscious states can be discovered even before the target is consciously aware. This topic will be extended to demonstrate the possibility of criminal abuse and the enablement of economic drivers.
  • Decreasing the value of social networks through data poisoning attacks.

The goal of this presentation is to raise consciousness of how the new paradigms of social communication bring with them real risks as well as marketing and economic advantages. Perspectives on negative and positive uses will be presented in addition to academic discussions and thoughts on how to enable the upcoming online social age.


When the laws don’t keep up: What you should know before using Microsoft HealthVault and Google Health

June 4, 2008

For a long time, getting access to a common view of all of a patient’s medical records has been a shortcoming of the healthcare system. This is a curious situation since patient records have been digitized in several leading hospitals like the Mayo Clinic and the Cleveland Clinic for some years now. The technical mechanisms for transferring this data from one care provider to the next are also readily available. What is promoting (some say preventing) the exchange of medical information is a law known as the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA standards are meant to improve the efficiency and effectiveness of the health care system by encouraging the widespread use of electronic data interchange in the US health care system. The law defines the security and privacy standards for Protected Health Information (PHI). PHI is basically any information about health status, provision of health care, or payment for health care that can be linked to an individual, and is generally interpreted as pretty much anything medical-related, including name, medical record numbers, biometric data and payment information. Now all of this is great, but what really happens is that the entity holding your medical information will not share it with other entities unless it absolutely has to. This is because the liability to the originating entity from misuse of this data is high.

Now that we have the background established, let’s get to the point. Recently Microsoft’s HealthVault and Google Health offerings have been released with a promise of making this data exchange easier and allowing the individual all the benefits derived from a complete view of their medical histories. Such services are generally known as health record aggregators.

Both market forces and the need for electronic data interchange for health records drive companies like Microsoft and Google to create these services. Users will be able to create health profiles, track prescriptions, track expenses and allow healthcare providers access to their records.  It is my opinion that this innovation is a necessary step in healthcare reform.

However, one very significant downside exists. The information uploaded to these health record aggregators is not currently covered under HIPAA. What this means is that any attack, breach of confidentiality or even potential harm from wrong data is not covered by the law. You are left to the best effort of the service provider. This increases the risk of disclosure of your private medical information. The law, today, is out of step with what technology can provide.

Some practical considerations also heighten this situation. Here are some guidelines that you may want to follow:

  • Create a new Microsoft Live ID or Google account for your health information
  • Do not use your “normal password” for this account. It needs more security
  • Check with your medical service provider as to what information will be available to an aggregator
  • Steer clear of any provider that shows you targeted ads based upon your medical information
  • Opt out of sharing information with any partner sites
  • Do not sign up for newsletters pertaining to your health info if you wish to keep it a secret
  • Ensure that the provider’s policy states that they delete all your data if you wish to drop out of the service
  • Question whether the healthcare data will be sent to any offshore location (read more about this here)
  • Ensure that the privacy statement states that the medical data will never be aggregated with other databases

So in conclusion, it is clear that there are significant benefits to having your medical data aggregated and available to you. Clearly the technology to do so exists. The laws have not kept up with this change in technology, leaving you with one choice to make… Are you comfortable having your medical records stored with minimal legal protection?


How Microsoft IT does Secure Application Development: Webcast

May 26, 2008

I will be discussing Microsoft IT’s approach to secure application development, with a special focus on how we integrate security into the IT line-of-business SDLC, in a webcast this Thursday, May 29th. This webcast will be part of Microsoft’s IT Manager Webcast series. This series aims to share deep knowledge focused on enterprise IT orgs and ISVs.

Title: IT Manager Webcast: How Microsoft IT does Secure Application Development (Level 200)

Register Online 

Audience: Technology Decision Maker.
Duration: 60 Minutes
Start Date: Thursday, May 29, 2008 11:00 AM Pacific Time (US & Canada)

Event Overview

Join this webcast to learn how Microsoft IT’s Application Consulting and Engineering (ACE) team secures Microsoft’s internal business applications. The ACE team will share the state of the industry, application security challenges, and how application security fits into the development lifecycle for IT. Learn about the ACE team’s methodology and processes developed in the areas of application security and performance optimization.

You can find more details here.

