// archives


This category contains 26 posts

Whitepaper: Achieving resilience against modern cyberthreats



I have written the whitepaper “Achieving resilience against modern cyberthreats” and looking at how the intensity of cyberattacks is again on the raise it is getting more important to implement a dynamic security framework.

As our use of mobile computing and social media technologies grows, so does our exposure to risk. On the one hand, the widespread adoption of new mobile, social media, cloud services and big data technologies creates unprecedented opportunities for productivity and flexibility. Yet without the right defenses in place, they can also open us to new kinds of vulnerabilities, as attacks that target devices operating outside the enterprise perimeter are quickly growing in volume and sophistication.

Passive protection is no longer sufficient for ensuring the security of information and IT infrastructures. My new Microsoft white paper, Achieving resilience against modern cyberthreats, explores the ways that governments and enterprises can protect their valuable information by creating a holistic security strategy, built on risk management, to achieve resilience against in an era of constant targeted attacks and determined adversaries.

The paper explores Microsoft’s holistic “Protect, Detect and Respond” approach to security strategy, including key principles for organizations, the importance of trustworthy cloud services, and the steps to take for securing an IT infrastructure in today’s threat landscape. This proactive strategy requires that an organization understand its assets and its exposure, and apply appropriate protection throughout the entire IT ecosystem in a continuous process. It also recognizes that enterprises must manage their inevitable risk – absolute security is not possible, so organizations must go beyond just protecting resources and also establish processes for detecting, responding and recovering from incidents when they occur.

If you are interested see my complet blog post, Achieving resilience against modern cyberthreats at Microsoft on Safety and Defense.

When thunderstorms and airtravel meet

It has been a few weeks since I have flown to Atlanta for work and I was lucky to have had smooth travels. If you know the Atlanta airport however that isn’t necessarely a given. On one hand it is the worlds busiest airport serving close to 30 million passengers every year and then it is in a location that has frequent tunderstorms. When I now stumbled over a video that shows what happens when thunderstorms occur over the area I was amazed by the resulting images. While not as nicely presented as the pictures in my earlier post on the beauty of airtravel it shows the beauty of technology being able to adapt and overcome obstacles.



Snipplet: About the ease to hack hospital equipment

From now on I will be blogging about topics that I have read somewhere else and that I find noteworthy. You will find them in my new “snipplets” category. Today I am starting with the keypoints of a WIRED Magazine Threat Level article by Kim Zetter. Here are the keypoints:

In a study spanning two years they found severe security issues with common medical equipment used across a large chain of Midwest health care facilities including:

  1. Drug infusion pumps for delivering morphine drips, chemotherapy and antibiotics could be remotely manipulated to change the dosage for patients.
  2. Bluetooth-enabled defibrillators that can be manipulated to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring.
  3. X-rays that can be accessed by outsiders lurking on a hospital’s network.
  4. Temperature settings on refrigerators storing blood and drugs that can be reset, causing spoilage.
  5. Digital medical records that can be altered to cause physicians to misdiagnose, prescribe the wrong drugs or administer unwarranted care.
  6. In some instances you can blue-screen devices and restart or reboot them to wipe out the configuration settings, allowing an attacker to take critical equipment down during emergencies or crash all lab test equipment.

Many hospitals are unaware of the high risk associated with these devices. A wide cross-section of devices shared a handful of common security holes, including:

  1. Lack of authentication to access or manipulate the equipment
  2. Weak passwords or default and hardcoded vendor passwords like “admin” or “1234″
  3. Embedded web servers and interfaces that allows an attacker to identify and manipulate devices.

There are very few devices that are firewalled off from the rest of the organization, once you get a foothold into the network, you can scan and find almost all of these devices.

  • The vendors don’t have any types of security programs in place, nor is it required as part of pre-market submission to the FDA. The guidelines for medical devices now place the onus on vendors to ensure that their systems are secure and patched.
  • Vendors often tell customers they can’t remove hard coded passwords from their devices or take other steps to secure their systems because it would require them to take the systems back to the FDA for approval afterward, the FDA guidelines for medical equipment includes a cybersecurity clause that allows a post-market device to be patched without requiring recertification by the FDA.

This reflects unfortunately the discussions that I am having with healthcare Providers across Western Europe. Considering that Cybercrime is only starting to become “mature” (not happy to use this word in a criminal context but it describes it best) then the risks need to be mitigated and hospitals have an important aspect by insisting on secured systems and investing overall into their own IT hygiene.

The original WIRED article can be found here.

The Beauty of Airtravel

I travel a lot for work and it brings me in touch with many different people and cultures. Sometimes when I am sitting in a busy airport I look up from my screen and am watching the planes come and go. My thoughts might then trail towards the security discussions that we need to increase with critical infrastructure, the complexity of the logistics behind such an airport or that it is just beautiful to watch a plane take-off.

I found by coincidence a visualization of air traffic over Europe that sheds a new scale on the points above. It emphasizes the need to be able to protect our digital command, control and communication systems involved with managing something as complex as airtravel but at this point I suggest you just click on the movie and enjoy the beauty of it.


Europe 24 from NATS on Vimeo.

The video was created from real flight data, using UK radar data from June 21 and European flight plan information from July 28. If you want to know more check out the original blogpost by Paul Beachamp.

Microsoft increases protection of customer data from government snooping


One topic has been on the top of most discussions I had during the last months – the “NSA/PRISM” data leakages. While some of the points were already known previously and were for example part of Microsoft’s transparency report there were points that were worrysome. Here especially tje recent allegations in the press on a broader and concerted effort by some governments to circumvent online security measures to collect private customer data.

As a result of these concerns were many discussions that I had over the last months where confidence in the security and privacy of online communication was questioned. As a result of these allegations Microsoft decided to take immediate and coordinated action and Brad Smith, General Counsel & Executive VP Legal and Corporate Affairs sketched out in a blog post on Microsofts actions for better protecting customer data from government snooping.

The actions are concentrating on three areas:

· We are expanding encryption across our services.
· We are reinforcing legal protections for our customers’ data.
· We are enhancing the transparency of our software code, making it easier for customers to reassure themselves that our products do not contain back doors.

Please see the original blog post from Brad Smith for more information. From a European perspective it is especially interesting to know that we will open a transparency Center in Europe so that governments have appropriate ability to review Microsoft source code, reassure themselves of ist integrity and confirm there are no back doors.

Windows 8.1 Security Functions – Enabling new Workstyles


I am now working with Windows 8.1 for a while and I really like it. It enables me to have one device for two work modes. I use the modern Interface when I am more reading/consuming information and then change to the traditonal desktop when I am writing documents, presentations etc.

As a security professional I also like Windows 8.1 because it enables new scenarios in the enterprise. For accessing the most sensitive information I want to be able to know the device that is accessing it and to know the health of the device before letting it so. And with Windows 8 I can now do exactly that for a touch device.

Dustin Ingalls, our Group Program Manager for Windows Security & Identity was attending Black Hat and gave a presentation on the Windows 8.1 security functions and published a blog post about it. I summarize the most important points below and encourage you to read his full blogpost with the details:

The Windows 8.1 update offers a full spectrum of new and improved security capabilities – from features that enable devices to be fully locked down by IT, to remote security options for BYOD devices, to safeguards for personal devices that need to access business resources from home. The main Points are the follow:

#1 Trustworthy Hardware
Trusted hardware is a key investment area for Microsoft in Windows 8.1. Often in a BYOD scenario, if an employee buys a new computer, it can be hit-or-miss as to whether the device will have all the tools baked in that an IT department needs to make sure any data on that device is secure. With Windows 8.1 we take away the guesswork.

#2 Modern Access Control
With Windows 8.1, we’ve focused a lot of attention on the controls that IT departments can place on devices to restrict who can physically access a device. Key Points are here first class biometrics and multi-factor authentication for BYOD.

#3 Protecting Sensitive Data
We’ve also put a lot of thought into how businesses can protect their data even when it resides on employees’ personal devices.
Pervasive Device Encryption: With Windows 8.1, device encryption is now available on all editions of Windows for devices that support InstantGo. In addition we implemented Selective Wipe of Corporate Data: With Windows 8.1, we introduce Remote Data Removal which will allow an IT department to wipe corporate data (e.g. emails, attachments, corporate data that came from Work Folders) off a BYOD device without affecting personal data.

#4 Malware Resistance
As security threats continue to evolve, we continue to step up our built-in malware resistance measures to stay ahead of attackers by improving Windows Defender and enhancements to Internet Explorer.

The points above are only a selection of things and more is in the original post.

Targeted Attacks Video Series

Cybersecurity is currently on the top of the mind of many organizations trying to protect their intellectual property, research, customer and employee databases and other valuable information. In almost every discussion that I have on cybersecurity the topic of targeted attacks is put into the center. This is now even encreasing as we see such attacks being used much more commonly than usually assumed and only a small number of organizations have the resources to limit or even detect them.

The question is then often what a targeted attack really is and to answer that we have created the Targeted Attacks Video Series  on Advanced Persistent Threats (APTs), or what we at Microsoft call Targeted Attacks by Determined Human Adversaries. These five short informational videos summarizes three security whitepapers, Determined Adversaries and Targeted Attacks, Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques, and Best Practices for Securing Active Directory.

Take the time to look at them below – it is well worth it:

  • Introduction to Determined Adversaries and Targeted Attacks: Tim Rains, Director, Microsoft Trustworthy Computing, provides background information on these types of attacks and set the context for the rest of the video series.

  • Mitigating Pass-the-Hash Attacks: Patrick Jungles, Security Program Manager, Trustworthy Computing, explains what a Pass-the-Hash attack is and some tested mitigations to help manage the risk associated with credential theft attacks.

  • Anatomy of a Cyber-attack Part 1: Sean Finnegan, CTO of the Microsoft Consulting Services Cybersecurity Practice, walks through a typical targeted attack, step by step, describing how attackers perpetrate these attacks.

  • Anatomy of a Cyber-attack Part 2: Sean Finnegan finishes his briefing on how determined adversaries commit targeted attacks.

  • Importance of Securing Active Directory: Bret Arsenault, Microsoft CISO, discusses the importance of protecting your Active Directory in the context of target attacks.


I hope this helps for the next discussion on the topic of targeted attacks – and if you work for an organization that has information with commercial value then that discussion that discussion should start sooner rather than later.

Microsoft phases out MSN Messenger – Cybercriminals try to profit

Microsoft informed a while ago that Skype and Messenger are coming together. That means that millions of Messenger users will be able to reach their Messenger friends on Skype. By updating to Skype, Messenger users can instant message and video call their Messenger friends. This good news seems to being used now cybercriminals for attacking new systems. The criminals approach is fairly simple – they take advantage that MSN Messenger is still popular. Microsoft now promotes the download of Skype on the former MSN Messenger page and informs that the Messenger contacts will be available in Skype. There are then people that then still want to download MSN Messenger and this is the window of opportunity that cybercriminals exploit. They are registering malicious domains, buy advertising links on search engines and try to trick the user to download and install malware that masquerades as the MSN Messenger. With this they then get access to the computers of the victims and from there on the computer of the victim is under their control.

Don’t fall into that trap! Take steps to protect your computer (I wrote earlier a blog post about this that I now updated) and only download software from official sources which in this specific case download Skype from the official Microsoft site or from skype.com and you will be able to merge your messenger and skype contacts.


Migrate to Skype

Migrate to Skype


Empfehlungen zum Säubern eines Computers

Normalerweise schreibe ich meine Blogposts auf Englisch aber da ich viele Anfragen auf Deutsch erhalte was jemand machen kann wo sich ein Cyberkrimineller (z.B. ein falscher “Microsoft Supporter”) Zugang zu einem Computer erschlichen hat poste ich mein empfohlenes Vorgehen auf Deutsch.

Die Frage was auf einem Computer während einer falschen “support session” gemacht wurde kann man leider nicht generell beantworten, da das Vorgehen nicht immer gleich ist. Wenn Sie jemandem Zugriff auf das Gerät gegeben haben oder ein Programm heruntergeladen und ausgeführt haben dann kann grundsätzlich alles „passiert“ sein. Sehr Wahrscheinlich haben es die Kriminellen auf Ihre Bank- und Kreditkarteninformationen abgesehen. Das Ziel können sie auf verschiedene Weise erreichen – sei es dass Sie direkt einen falschen Virenschutzservice bezahlen oder indem ein Spionageprogramm auf Ihrem Computer installiert wird.

Bezüglich des weiteren Vorgehens schlage ich das Folgende vor: • Schliessen Sie Ihren PC nicht mehr ans Internet an bevor dieser „gereinigt“ wurde • Ändern Sie alle Passwörter • Lassen Sie den PC von einem Fachmann untersuchen ob er Spionageprogramme oder ähnliches installiert hat. Wenn Sie dies selber machen wollen/können dann ist ein gutes Hilfsmittel dazu unter http://www.retohaeni.net/2012/04/windows-defender-offline/ aber leider bietet auch dies keine 100% Sicherheit. Ich würde empfehlen, dass ein Computerspezialist den Computer untersucht. Alternativ ist es wohl das Sicherste das Betriebssystem von Grund auf neu aufzusetzen (Windows und alle Applikationen neu installieren – nicht update oder upgrade) und anschliessend den Computer wieder so zu sichern wie ich es in meinem Blogpost dazu aufzeige. Hier vergessen Sie bitte nicht alle Daten etc vorher zu sichern. • Nehmen Sie Kontakt mit Ihrer Bank auf und beschreiben Sie den Vorfall um abzuklären ob zB Kreditkarten ausgetauscht werden müssen oder ähnliches.

Als Microsoft sind wir hier auch Opfer und können gegen kriminelle Handlungen wenig unternehmen da wir nur indirekt betroffen sind. Entsprechend müssten Sie gegebenenfalls Anzeige erstatten. Melden können Sie den Fall zB unter http://www.cybercrime.admin.ch/kobik/de/home.html. Dies ist noch keine Anzeige aber KOBIK wird Ihnen dann ein weiteres Vorgehen empfehlen.

Ich hoffe, dass dies als Ausgangspunkt hilft.

On Privacy: Things might not be what they appear

I got this forwarded at work and thought I share it with you. It is a video promoting safe internet banking but it is valid for all online topics. Be cautious what you put at any point online – it might be used in a way you did not intend it.


About the Author

I am Microsoft's Chief Security Officer and Advisor for Western Europe and have over 15 years work experience in an information security and risk focused IT environment as program manager, technical director, Chief Risk Officer and group CIO.

more about me and contact info


Chinese (Simplified)EnglishFrenchGermanItalianPortugueseRussianSpanish