// archives



New choices on cloud data location and welcome Secure Islands!

This week is pretty packed with security relevant Microsoft announcements and here a quick summary.

Satya Nadella was in the UK yesterday and in Germany today where he announced that Microsoft is expanding the cloud strategy in Europe with two new interesting offerings.

Firstly, on November 10 he disclosed plans to offer commercial cloud services from the UK: Azure and Office 365 will be generally available from local UK-based data centers in late 2016, with Dynamics CRM following shortly thereafter. These services will offer customers data residency in the UK. You can read the blog post with more information here.

Secondly, and maybe more interesting from a Swiss perspective, on November 11 he announced plans to offer cloud services from German datacenters. The main difference between the UK announcement and the German one is that the latter uses a data trustee model. The services offered will comply with the Microsoft trusted cloud principles on security, privacy, control, compliance and transparency, combined with a German data trustee model. Concretely, that means access to customer data stored in the two new datacenters will be under the control of T-Systems, which acts as the data trustee, and Microsoft will have no independent access to this data. The cloud services will be made available to customers in the EU and the EFTA, and roll-out is planned to begin in 2016. With this, Microsoft has a new and unique solution for customers in Germany and the wider Europe who want local control of their data. In my view this is an important next step in the discussion on data location. You can read more on today’s announcement here.

Independently of the two cloud announcements came the confirmation on Monday November 9 that Microsoft is acquiring Secure Islands. There have been a few security acquisitions lately, but I am especially excited about this one. I have often worked with Secure Islands, as their technology for protecting customer data using Rights Management is second to none and widely adopted, especially in the Swiss financial services sector but also with other large customers. Microsoft will now integrate Secure Islands’ technology into the Azure Rights Management Service to provide a flexible architecture that meets protection and compliance requirements. Many of you know that I am a great supporter of Rights Management, and this will open up new possibilities on-premises, in hybrid setups and in the cloud. Congratulations to Akie and Yuval Eldar, the founders of Secure Islands, and welcome to the Microsoft family! You can read the announcement with more information here.


This week’s top of the news in Cybersecurity (week 45)

Information on cybersecurity is becoming almost overwhelming. The series “This week’s top of the news in Cybersecurity” is a collection of a few articles that I found noteworthy throughout the week. Perfect Friday or weekend reading to catch up on events if you have missed them or have been too preoccupied or swamped with the reviews of the Bond movie Spectre!


Blackberry Priv. Can an awesome keyboard justify the Blackberry Priv?

It has been a (very) long time since I have used a Blackberry and frankly I am not missing it. I have also not tested the Blackberry Priv and will not do so, but I still found the review interesting, as I like some of the features that Blackberry built into it. For example, I would like to get a notification when an app tries to access something and then be able to deny it if I don’t like it. The more interesting, and yet also more alarming, part is that Blackberry will patch the Android OS with security updates on a monthly basis and, in addition, ship hotfixes when things cannot wait a month. More information can be found here, but I ask myself whether it really needs to be the phone vendor and not the OS vendor that does this, because this way we will never get to a better protected mobile phone base overall.


The Role of Machine Learning in Cyber Security
IT Pro Portal

I believe that machine learning and big data will have a huge impact on cybersecurity, and we will increasingly see impactful applications, especially of machine learning, in the near future. With that in mind I found the Q&A with Garry Sidaway (SVP Security Strategy & Alliances at NTT Com Security) interesting. It is fairly short but gives a few ideas on the topic.


Security Tools’ Effectiveness Hampered by False Positives

False positives are a significant problem at many enterprises, and valuable events get buried under large amounts of data. It goes so far that I have talked to large companies who invested substantial money into SIEMs only to turn them off again because they could not handle the amount of information. This article takes a look at the problem of false positives and how they distract companies from dealing with legitimate security alerts.


U.S. and U.K. Testing Response Scenarios for Financial Sector Cyberattacks
The Daily Dot

As cyberattacks typically don’t target just one country, it makes sense to approach the defense against them with a wider view than most of today’s critical infrastructure protection efforts take. The U.S. and UK have scheduled test response scenarios for later this month in an effort to mitigate the consequences of a large-scale cyberattack against their respective financial sectors.


More Companies Form Data Breach Response Plans
Business Insurance

Being prepared for a data breach is critical today, as realistically your company will be breached or has already been breached, and you may or may not know about it. A new study by the Ponemon Institute finds that although more companies are launching new data breach response plans (good!), relatively few have confidence in their effectiveness (bad). Talking to many CISOs and CIOs, it seems to me that most companies just don’t have the resources for this and, in my view, will increasingly have to use managed security services and work with retainers for such events.


U.S. Retailers Push Banks to Use PINs on Credit Cards as Confusion Reigns

From a European perspective this is just plain silly. I have a few credit cards and only my American one does not have chip and PIN. Looking around, there seems to be no problem whatsoever with using PINs on credit cards at quite a large scale throughout Europe. Now some US retailers want to use PINs (personal identification numbers) on their store-branded credit cards that are embedded with computer chips, but are getting resistance from the banking industry. Really?


Snowden-Blessed ‘Signal’ Encrypted Calling, Messaging App Comes to Android
NBC News

A new Android app is claimed to make phone calls and send messages securely, and Edward Snowden says he uses it “every day.” I found that a rather odd statement, and if I had an Android phone I would probably be even less inclined to touch that app now that the attack motivation has just skyrocketed. I also have a hard time seeing how Edward Snowden would have the actual technical capabilities to verify the security of such an app.


ACSC Releases 2015 Threat Report

I always like to look through the different threat reports, so I will include this one in my recommended reading list. The Australian Cyber Security Centre (ACSC) has released its 2015 Threat Report. It provides information about the threats that Australian organizations are facing, such as cyberespionage, cyberattacks and cybercrime, and its conclusions can certainly be carried over to other geographies.


And that is it for today and best wishes for the weekend!

Verizon 2015 data breach investigations report


I am quite a big fan of Verizon’s data breach investigations reports and use their analysis regularly in security discussions. Verizon has published these reports every spring since 2008, and I see them as especially valuable because they pull data from 70 contributing organizations, covering over 79’000 security incidents and over 2’100 confirmed breaches from over 60 countries.

The 2015 report was published recently (available here: 2015 Verizon DBIR), and while it isn’t exactly an easy read, I agree with Rapid7’s marketing video that credential theft is the biggest takeaway. Patching is another highlight (or rather lowlight), as is the finding that detecting breaches still takes much too long (205 days). The latter is something I can confirm from the experiences of our incident response and recovery teams, and it is very worrying to think what attackers can do in an ICT infrastructure with that much time.

On the patching topic: a colleague of mine, James Kavanagh, the National Security Officer of Microsoft Australia, wrote a good blog post on “If you do only one thing to reduce your cybersecurity risk…” that I recommend reading; further information is then available in the report “Security Patching in Complex Environments”.

Below is Rapid7’s video with highlights from the Verizon DBIR.

Snippets: Cybersecurity in the Press December edition

Top News

Staples Says Hack May Have Compromised 1 Million-Plus Payment Cards
as read in Computerworld

Staples (a US office supply chain) reported that an earlier data breach it suffered may have affected 1.16 million payment cards in the US.


‘Grinch’ Bug May Affect Most Linux Systems
as read in DarkReading

The Linux vulnerability “Grinch” affects most Linux systems (mobile and desktop).

EU to Demand 2-Factor for Online Payments by August 2015?
as read at Sophos

The European Banking Authority (EBA), which regulates the banking sector, has issued a new set of guidelines regarding the security of Internet payments, one of which recommends two-factor authentication at payment service providers.


The Beauty of Air Travel

I travel a lot for work, and it brings me in touch with many different people and cultures. Sometimes, when I am sitting in a busy airport, I look up from my screen and watch the planes come and go. My thoughts might then trail towards the security discussions that we need to intensify around critical infrastructure, the complexity of the logistics behind such an airport, or simply how beautiful it is to watch a plane take off.

By coincidence I found a visualization of air traffic over Europe that puts the points above into a new scale. It emphasizes the need to be able to protect the digital command, control and communication systems involved in managing something as complex as air travel, but at this point I suggest you just click on the movie and enjoy the beauty of it.


Europe 24 from NATS on Vimeo.

The video was created from real flight data, using UK radar data from June 21 and European flight plan information from July 28. If you want to know more, check out the original blog post by Paul Beachamp.

Time to Change your Password!

You may have heard of the recent announcement that Dropbox got hacked and that a “small number” of account names and passwords have been stolen. This will most likely result in many users getting locked out of their personal e-mail during the next few days. What is the connection? Keep reading.

During the last few weeks I have been asked multiple times by friends how it could have happened that spam was sent from their e-mail account. They weren’t aware of it until one of their contacts told them that he/she got spam from the private e-mail address, or until they found their account locked and had to go through a recovery process to take control of it again. They assumed that their “e-mail got hacked”, but what they all had in common was that it occurred shortly after the LinkedIn hack and that they used the same password for their personal e-mail as for LinkedIn.

Looking at how criminals get access to other people’s mailboxes, we see that it is usually not the e-mail account itself that gets hacked; rather, the login/password is reused, and one of the sites where it is used had a security issue. This means that spammers, or anybody for that matter, can buy compromised accounts by the thousand. It “only” requires a security breach like the ones at Dropbox or LinkedIn, and a new wave of accounts is available on the criminal market.

While Microsoft has multiple mechanisms to protect outlook.com, live.com, hotmail.com etc. and is very quick at identifying when spam is sent from your account, the most important and simplest thing you can do is to not reuse your login and password on multiple sites. I know, remembering passwords is not easy, but it is the only way to keep your online identity protected.

So it is time to have a separate password for each and every website/service that you use. Even if a website gets hacked and your login/password gets stolen and then sold and/or published, this will prevent others from getting into your other accounts. And every time you hear that a service has been hacked, or you find yourself locked out temporarily, change your password again. If you have too many passwords to remember, you can also consider using a password manager. They have advantages and disadvantages and I don’t know them all, but you will find a review of the top four in this PC World article.

And now we have seen so many hacks and leaks of login/password information that it is time to change your password!
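As an added illustration of the point above (not code from this blog post or from any of the services it mentions), the following Python audit takes a vault export in a hypothetical, constructed format (site, username, password), reports which sites share the same password, and replaces every reused password with a freshly generated unique one. The vault entries are made-up sample data, and the fingerprinting is only used for the local comparison, not as a way to store passwords.

```python
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed sample vault export (hypothetical format: site -> (username, password)).
# All entries are invented for this example; the reused password mirrors the
# "same password for e-mail as for LinkedIn" situation described in the post.
SAMPLE_VAULT = {
    "linkedin.example": ("alice", "Summer2014!"),
    "dropbox.example": ("alice", "Summer2014!"),
    "mail.example": ("alice@mail.example", "Summer2014!"),
    "bank.example": ("alice", "xK9#pL2@qW5!mN8z"),
}


def fingerprint(password: str) -> str:
    """Short SHA-256 fingerprint so the audit report never carries the plaintext.
    This is only for comparing entries locally; it is not a password-storage scheme."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reused_passwords(vault: dict) -> dict:
    """Return {fingerprint: [sites]} for every password used on more than one site."""
    sites_by_fp = defaultdict(list)
    for site, (_user, password) in vault.items():
        sites_by_fp[fingerprint(password)].append(site)
    return {fp: sorted(sites) for fp, sites in sites_by_fp.items() if len(sites) > 1}


def generate_unique_password(length: int = 20) -> str:
    """Generate a random password from the OS CSPRNG (secrets), one per site."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def remediate(vault: dict) -> dict:
    """Return a copy of the vault in which every site in a reuse group gets its own
    fresh password; sites that already had a unique password are left untouched."""
    fixed = dict(vault)
    for sites in find_reused_passwords(vault).values():
        for site in sites:
            user = vault[site][0]
            fixed[site] = (user, generate_unique_password())
    return fixed


if __name__ == "__main__":
    for fp, sites in find_reused_passwords(SAMPLE_VAULT).items():
        print(f"password {fp} is reused on: {', '.join(sites)}")
    cleaned = remediate(SAMPLE_VAULT)
    print("reuse groups after remediation:", len(find_reused_passwords(cleaned)))
```

Running the script lists the three sites sharing one password and shows that no reuse groups remain after remediation; the bank entry keeps its original password because it was already unique. A real password manager does the same bookkeeping for you, which is the practical reason the post recommends one.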


Microsoft Flight Simulator released

Everybody is (rightly so) talking about the availability of the Windows 8 Consumer Preview. I will write about that a bit later, but today I want to raise awareness of something that is “almost” as fun as our new operating system. With all the talk about Win8, the availability of the new release of the Microsoft Flight Simulator has almost been overlooked. It is in my view one of the coolest flight simulators and, best of all, the basic version is completely free! You can get your own copy at http://microsoftflight.com

Microsoft Flight Simulator Screenshot

A bit on the history: the Flight Simulator is one of the oldest PC games and has existed since 1982. Microsoft acquired it in 1984, and the last update was in 2006 as Flight Simulator X. It was one of the first games I played, and I am excited to see it make a comeback. While commercial flying lost its charm for me a while ago, flying with the flight simulator is still as much fun as it always was. Check it out!

Security Development Lifecycle – New Tools

One aspect that is getting more and more recognition is that the key to secure and private software that actually does what it is intended to do lies not in “good testing” but in a process that starts with the training of the developers and ends with an institutionalized response. Microsoft has developed the Security Development Lifecycle (SDL), which it uses for developing software and services. This lifecycle is made available for free in order to support a safer computing environment, and with this the Microsoft SDL has become the industry-leading software security assurance process. It is a Microsoft-wide initiative and a mandatory policy since 2004, and it has played a critical role in improving the security and privacy of Microsoft’s software and services with the goal of reducing customer risk. Combining a holistic and practical approach, the SDL embeds security and privacy throughout the development process and consequently reduces the total cost of secure development.

In order to better show the scope of how and where the SDL is already being implemented, the SDL team launched a new wall called “Industry Talk”. I find it worthwhile, and if you are interested, check it out here.


About the Author

Reto is partner at PwC Switzerland. He is leading the Cybersecurity practice and is member of PwC Digital Services leadership Team. He has over 15 years work experience in an information security and risk focused IT environment. Prior to working at PwC he was Microsoft's Chief Security Officer for Western Europe and also has work experience as group CIO, Chief Risk Officer, Technical Director and Program Manager.
