I was invited to participate in a cybersecurity roundtable at the US Embassy in Bern to discuss best practices and experiences in cybersecurity policy. Participants were from private as well as public sector and the special guests were the US Ambassador to NATO, Douglas Lute and his wife Dr. Jane Holl Lute, CEO of the Center for Internet Security. At some point Dr. Jane Lute made a comment that too many IT leaders and executives still use dolphin talk. Not familiar with that language? You actually probably are because it is used quite widely by IT professionals. When “we” speak about a technology topic then the non-technology person understands about as much as when a dolphin is communicating with us.
I liked this comparison as much too often that is the reality and I am working on talking about technology and security in a more easily accessible way. One of the things I discovered in last week’s PwC EMEA Cybersecurity leadership meeting also works on improving that type of conversation. It is the PwC / WSJ Cybersecurity and Privacy Hub that you can find at www.pwc-broaderperspectives.com This hub is sponsored by PwC and is created together with the Wall Street Journal custom studios. I like it especially as the articles aim at looking at cybersecurity and privacy in a broader fashion and use a vocabulary that does not require multiple classes in cryptography or equivalent. Why not check it out and let me know what you think?
Information on Cybersecurity is becoming almost overwhelming. The series on “this weeks top of the news in Cybersecurity” is a collection of a few articles that I found noteworthy throughout the week. Perfect Friday or weekend reading to catch up on events if you have missed them or have been too preoccuppied or swamped with the Bond Spectre movies review!
It has been a (very) long time since I have used a Blackberry and frankly I am not missing it. I have also not tested the Blackberry Priv and will not do so but I still found the review interesting as I like some of the features that Blackberry built in it. For example I would like to have a notification if an app tries to access something and then bind it back if I don’t like it. But the more interesting and yet also more alarming part is that Blackberry will patch the Android OS on a monthly basis with security updates and in addition hotfixes when things cannot wait a month. More information can be found here but I ask myself if it really needs to be the phone vendor and not the OS vendor that should do that as this way we will never get to a better protected overall mobile phone base.
The Role of Machine Learning in Cyber Security
IT Pro Portal
I believe that machine learning and big data will have a huge impact on cybersecurity and we will see impactful applications especially of machine learning more and more in the close future. With that in mind I found the Q&A with Garry Sidaway (SVP Security Strategy & Alliances at NTT Com Security) interesting. It is fairly short but gives a few ideas on the topic.
False positives are a significant problem at many enterprises and valuable events get burried under large amount of data. It goes so far that I have talked to large companies who invested substantial money into SIEM’s only to then turn them off again as they could not handle the amount of information. This article takes a look at the problem of false positives and how they distract companies from dealing with legitimate security alerts.
As cyberattacks don’t just target typically one country it makes sense to approach the defense against them with a wider view than most of today’s critical infrastructure protection efforts do. The U.S. and UK have scheduled test response scenarios that will take place later this month in an effort to mitigate the consequences of a large-scale cyberattack again their respective financial sectors.
More Companies Form Data Breach Response Plans
Being prepared for a data breach is critical today as realistically your company will be breached or has been breached and you may or may not know about it. A new study by the Ponemon Institute finds that although more companies are launching new data breach response plans (good!), relatively few have confidence in their effectiveness (bad). Talking to many CISO’s and CIO’s it seems to me that most companies just don’t have the resources for this and in my view will have to more and more use managed security services and work with retainers for such events.
From a european perspective this is just plain silly. I have a few credit cards and only my american one does not have a chip and pin. Looking around there seems to be no problem whatsoever to use pins with credit cards on a quite large scale throughout Europe. Now some US retailers are looking to use PINs (personal identification numbers) on their store-branded credit cards that are embedded with computer chips, but are getting resistance from the banking industry. Really?
A new Android app is claimed to securely make phone calls and send messages , which Edward Snowden says he uses “every day.” I found that a bit a special statement and probably would touch that app even less if I would have an Android phone as now the attack motivation just skyrocketed and I have a hard time seeing how Edward Snowden would have the actual technical capabilities to verify the security of such an app.
ACSC Releases 2015 Threat Report
I always like to look through the different threat reports so will include this one here in my recommended reading list. The Australian Cyber Security Centre (ACSC) has released its 2015 Threat Report. It provides information about threats that Australian organizations are facing, such as cyberespionage, cyberattacks, and cybercrime and conclusions towards other geographies are certainly realistic.
And that is it for today and best wishes for the weekend!
The US RSA conference is probably the world’s leading security conference with about 30’000 participants and took place last week in San Francisco. Scott Charney, Microsoft’s CVP Trustworthy Computing, gave a noteworthy keynote on Enhancing Cloud Trust that can be watched here. It is well worth the time.
The announcements made by us and the presence that Microsoft had at the conference was impressive. The main theme was very clearly that we truly live in a mobile first, cloud first world and that with the explosion of devices and apps come new challenges. Security has been a top priority for Microsoft for a long time already and Microsoft is committed to providing customers with transparency and control over their data in the cloud. Here are the highlights that we announced:
More information can be found on Scott Charney’s blog on “Enabling greater transparency and control” that also has further links to more in-detail information on the individual technologies mentioned above.
The European Union is quite active on security and especially cybersecurity issues but is less present in the media for it than for example the US. To raise awareness on current reports and recommendations that I see as relevent please find some links below. We can now debate if this is too much, just raight or not enough but for that discussion knowing more about what actually exists or is in process is a prerequisite of course.
Joint Supervision Tool for Telecom Security
On 9 April, ENISA published a joint framework to supervise the security of services and personal data processing by telecom providers in the EU in accordance with Article 13a and Article 4. Full report is available here.
Electronic Evidence – a Basic Guide for First Responders
On 25 March, ENISA published a report based on past work done in the field of good practices for CERTs and LEAs in the fight against cybercrime. The main aim of the report is to provide a guide for first responders with a special emphasis in evidence gathering.
National/Governmental CERTs – ENISA’s Recommendations on Baseline Capabilities
On 20 March, ENISA published recommendations on baseline capabilities. The document covers ENISA’s updated considerations for capabilities of so called national / governmental CERTs, thus teams who serve the government of a country to protect critical information infrastructure. The primary target audience of this document are these CERTs and those policy-making bodies in the European Union Member States that are responsible for initiating and planning the establishment and operation of a national / governmental CERT. Still quite an interesting reading.
Standardisation in the Field of Electronic Identities and Trust Service Providers
On 24 March, ENISA published a paper that explains why standards are important for cybersecurity, specifically in the area of electronic identification and trust services providers. Additionally, the paper also discusses concrete standardisation activities associated with electronic IDs and trust service providers, providing an overview of standards developed under the mandate from the European Commission and others, related to eIDAS Regulation. It concludes with a proposal of a standard on cryptographic suites for electronic signatures and infrastructures, put forward by ENISA and related to the ETSI TS 119 312. Full report is available here.
Motion for a European Parliament Resolution on Cybersecurity
On 30 March, Italian MEP Nicola Caputo published a motion for resolution on cybersecurity and calls on the Council and the European Commission to strengthen the EU’s response capability to this global threat, to strengthen network and information security and to support Member States in their research and innovation aimed at promoting public and private digital security. steps on the dossier were not disclosed. Interesting though that the security of IoT (Internet of Things) starts to become also a policy topic. I expect that we will see more to come and hope that it will help in addressing the real challenges that we face.
I recently gave two live webinars as part of a security webinar series of Microsoft Switzerland where I covered aspects of cloud resilience and achieving resilience against modern cyberthreats. The webinars are in German and if you are interested you can get access to the recording below.
Webinar 1: Schutz vor Gefahren aus dem Cyberspace
Die heutigen Gefahren aus dem Cyberspace sind immer grösser, Angriffe werden immer ausgefeilter, die Hacker selbst immer professioneller. Traditionelle Schutzmechanismen, wie beispielsweise Virenschutzprogramme und Firewalls, sind angesichts der neuen Entwicklungen nicht mehr ausreichend. Erfahren Sie in diesem Webinar alles über die Vorteile eines dynamischen Sicherheitskonzepts, das Ihre IT-Landschaft basierend auf den Prinzipien Protect – Detect – Respond effektiv vor modernen Cybergefahren schützen kann und für hohe Resilienz sorgt. Das Webinar ist hier verfügbar.
Webinar 2: Resilienz und Cloud Computing
Cloud Computing verändert und beschleunigt die Arbeitswelt; standardisierte Services aus der «Rechenzentrumswolke» entlasten Unternehmen von Investitionen in eigene, teure Server-Infrastrukturen. Dennoch bestehen grosse Vorbehalte hinsichtlich Verfügbarkeit, Sicherheit und Datenschutz – speziell in einem Umfeld, in dem Gefahren durch kriminelle Aktivitäten lauern und NSA-/PRISM-Aktivitäten für Rechtsunsicherheit sorgen. In diesem Webinar dreht sich daher alles um Fragen wie Resilienz mit der Cloud, Resilienz in der Cloud oder Resilienz trotz der Cloud. Das Webinar ist hier verfügbar
The security snippets series highlights some articles that I read recently. I hope they help in keeping up with the raise of security incidents and trends which becomes more and more difficult with the increasing professionalism of cyber attacks.
Bank Hackers Steal Millions via Malware
as read in the New York Times
The New York Times writes based on Kaperski information that a group of attackers impersonated bank officers and took over cash machines and transferred millions of dollars from more than 100 banks in Russia, Japan, Switzerland, the United States, and the Netherlands into fake accounts set up in other countries. This brings a new scale to Cybercrime.
Evolution and Adaptation in the Security Jungle
as read in Threatpost
Enterprise security teams need to catch up on understanding the methods that modern attackers use. The article on Threatpost does a good job at giving an overview. Active defense is crucial in that aspect and I described that with the protect, detect, response framework also in my whitepaper on achieving resilience against modern cyberthreats.
Visa Wants to Track Your Smartphone to Prevent Credit Card Fraud
as read in the Hacker News
It seems that Visa plans to release a new location-based feature that will help cardholders update their location via smartphone. With credit card fraud still on the raise that could be a good way to fight that. I just hope that it will be clear to the user that another service performs location tracking.
PlugX Is RAT of Choice for Nation States
as read in eSecurity Planet
The “2014 CrowdStrike Global Threat Intel” report finds that the PlugX Remote Access Tool (RAT) is the most observed malware variant used by nation-state backed threat adversaries. I don’t think that this is necessarily so clear as in my view many nation states have more customized and elaborate capabilities but it shows how far such tools have come.
One Billion Data Records Compromised in 2014 Worldwide
as read in Softpedia
The article writes about a report from the Breach Level Index (BLI) which finds a 49 percent increase in data breaches and a 78 percent increase in number of records that were stolen or lost in 2014. While the absolute number might be even higher the massive increase is something that we observe as well.
Microsoft Achieves Globally Recognized ISO/IEC 27018 Privacy Standard
as read in the Microsoft Cyber Trust Blog
This more on privacy and trust than security although that also plays an important aspect. Microsoft on February 16, 2015, obtained the ISO/IEC 27018 privacy standard for Microsoft Azure, Office 365, and Dynamics CRM Online. Brad Smith’s blog has more information on that and is worthwhile reading in my view.
How to Keep Your Webcam Safe from Hackers [Video]
as read in We Live Security
If you follow the link you will see a video that covers five tips to prevent someone from spying on you through your webcam. Something becoming more important after an anonymous website began posting live streams of the world’s unprotected webcams.
I am now working with Windows 8.1 for a while and I really like it. It enables me to have one device for two work modes. I use the modern Interface when I am more reading/consuming information and then change to the traditonal desktop when I am writing documents, presentations etc.
As a security professional I also like Windows 8.1 because it enables new scenarios in the enterprise. For accessing the most sensitive information I want to be able to know the device that is accessing it and to know the health of the device before letting it so. And with Windows 8 I can now do exactly that for a touch device.
Dustin Ingalls, our Group Program Manager for Windows Security & Identity was attending Black Hat and gave a presentation on the Windows 8.1 security functions and published a blog post about it. I summarize the most important points below and encourage you to read his full blogpost with the details:
The Windows 8.1 update offers a full spectrum of new and improved security capabilities – from features that enable devices to be fully locked down by IT, to remote security options for BYOD devices, to safeguards for personal devices that need to access business resources from home. The main Points are the follow:
#1 Trustworthy Hardware
Trusted hardware is a key investment area for Microsoft in Windows 8.1. Often in a BYOD scenario, if an employee buys a new computer, it can be hit-or-miss as to whether the device will have all the tools baked in that an IT department needs to make sure any data on that device is secure. With Windows 8.1 we take away the guesswork.
#2 Modern Access Control
With Windows 8.1, we’ve focused a lot of attention on the controls that IT departments can place on devices to restrict who can physically access a device. Key Points are here first class biometrics and multi-factor authentication for BYOD.
#3 Protecting Sensitive Data
We’ve also put a lot of thought into how businesses can protect their data even when it resides on employees’ personal devices.
Pervasive Device Encryption: With Windows 8.1, device encryption is now available on all editions of Windows for devices that support InstantGo. In addition we implemented Selective Wipe of Corporate Data: With Windows 8.1, we introduce Remote Data Removal which will allow an IT department to wipe corporate data (e.g. emails, attachments, corporate data that came from Work Folders) off a BYOD device without affecting personal data.
#4 Malware Resistance
As security threats continue to evolve, we continue to step up our built-in malware resistance measures to stay ahead of attackers by improving Windows Defender and enhancements to Internet Explorer.
The points above are only a selection of things and more is in the original post.
Cybersecurity is currently on the top of the mind of many organizations trying to protect their intellectual property, research, customer and employee databases and other valuable information. In almost every discussion that I have on cybersecurity the topic of targeted attacks is put into the center. This is now even encreasing as we see such attacks being used much more commonly than usually assumed and only a small number of organizations have the resources to limit or even detect them.
The question is then often what a targeted attack really is and to answer that we have created the Targeted Attacks Video Series on Advanced Persistent Threats (APTs), or what we at Microsoft call Targeted Attacks by Determined Human Adversaries. These five short informational videos summarizes three security whitepapers, Determined Adversaries and Targeted Attacks, Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques, and Best Practices for Securing Active Directory.
Take the time to look at them below – it is well worth it:
I hope this helps for the next discussion on the topic of targeted attacks – and if you work for an organization that has information with commercial value then that discussion that discussion should start sooner rather than later.
I have heard a couple of times from enterprises that Windows 8 looks great but that it is a consumer product and that adoption in the enterprise does not seem to bring an obvious advantage as most users work on a laptop and desktop and don’t need a metro surface. While I understand this initial reaction I see a large benefit for business to use Windows 8.
The way people work has changed and more work is done mobile. Until now the challenge was to still have the reliability, productivity and security a business needs. This is one of the strong advantages of Windows 8. It integrates seamlessly into the IT infrastructure and provides enterprise class security. And this even in multiple ways. Windows 8 provides an innovative and fun way to work on a slate or tablet in addition to more traditional laptops and desktop PCs. In addition there is the possibility to have Windows 8 on a USB stick with Windows To Go – a fully managed corporate Windows 8 desktop. Travelling light has never been that easy.
Picking some elements to talk about is not easy as the new functionalities are significant but looking at today’s cybersecurity threats I very much like the improvements that were made with the secure foundation. Trusted Boot is a key element. It validates the integrity of the entire boot process – from hardware, boot loader, kernel, boot-related system files to drivers. With antimalware loaded before all non-critical Windows components we achieve a better protection from rootkits. This in combination with Measured Boot Process, BitLocker Drive Encryption, AppLocker, and claim-based access control delivers end-to-end security like never before.
This is only a short overview on some of the Windows 8 features for business. A deeper and broader description was posted today in the Windows Team Blog here. It is worthwhile reading it.
Also check out the short video for an overview of some central aspects of Windows 8:
One of the discussions that I often have with senior IT decision makers is the overall security architecture and how the different layers of security mechanisms work together. In these talks I often see that security in enterprises is approached as a layered approach where, on purpose, security elements and products of different software vendors are used. I call this the best of breed approach as for each security function one can pick the top performer on the market. The main motivation behind this is that if there would be a weakness in a product from one vendor that the same problem will then not be found in the underlaying security layer as it is not from the same origin.
Sounds great? Adds clearly more security? Well yes in theory but maybe no in practice. The reality is that with the financial pressure that is common on todays system’s integrators, operations resources (financial, people and know-how) are sparse and the nicely designed layered approach has suddenly gaps as the complexity is just too high to have it properly handled. This then leaves gaps in the defense. In addition, the interaction of different products is often not well known. What hurts in that regard is that applying security patches can only be done once a thorough testing has occurred – which in turn takes time and resources and means that crucial patches are applied later and the window of opportunity for an attack is open longer.
With this now comes the question. What in practice brings you more security. The best of breed approach that is seldom fully implemented or the end-to-end security stack where your dependence on one supplier is increasing? How much of the dependence do you have already anyway? I observe a move to the second approach – mostly out of lack of operational resources – also in large enterprises with a quite a high security level. I see this even more accelerating in the future when we have more and more security solutions that are offered as cloud or hybrid services where platform compatibility will be a large factor. Does that mean we are having a sort of consumerization of IT also for security?