The European Union is quite active on security and especially cybersecurity issues but is less present in the media for it than for example the US. To raise awareness on current reports and recommendations that I see as relevent please find some links below. We can now debate if this is too much, just raight or not enough but for that discussion knowing more about what actually exists or is in process is a prerequisite of course.
Joint Supervision Tool for Telecom Security
On 9 April, ENISA published a joint framework to supervise the security of services and personal data processing by telecom providers in the EU in accordance with Article 13a and Article 4. Full report is available here.
Electronic Evidence – a Basic Guide for First Responders
On 25 March, ENISA published a report based on past work done in the field of good practices for CERTs and LEAs in the fight against cybercrime. The main aim of the report is to provide a guide for first responders with a special emphasis in evidence gathering.
National/Governmental CERTs – ENISA’s Recommendations on Baseline Capabilities
On 20 March, ENISA published recommendations on baseline capabilities. The document covers ENISA’s updated considerations for capabilities of so called national / governmental CERTs, thus teams who serve the government of a country to protect critical information infrastructure. The primary target audience of this document are these CERTs and those policy-making bodies in the European Union Member States that are responsible for initiating and planning the establishment and operation of a national / governmental CERT. Still quite an interesting reading.
Standardisation in the Field of Electronic Identities and Trust Service Providers
On 24 March, ENISA published a paper that explains why standards are important for cybersecurity, specifically in the area of electronic identification and trust services providers. Additionally, the paper also discusses concrete standardisation activities associated with electronic IDs and trust service providers, providing an overview of standards developed under the mandate from the European Commission and others, related to eIDAS Regulation. It concludes with a proposal of a standard on cryptographic suites for electronic signatures and infrastructures, put forward by ENISA and related to the ETSI TS 119 312. Full report is available here.
Motion for a European Parliament Resolution on Cybersecurity
On 30 March, Italian MEP Nicola Caputo published a motion for resolution on cybersecurity and calls on the Council and the European Commission to strengthen the EU’s response capability to this global threat, to strengthen network and information security and to support Member States in their research and innovation aimed at promoting public and private digital security. steps on the dossier were not disclosed. Interesting though that the security of IoT (Internet of Things) starts to become also a policy topic. I expect that we will see more to come and hope that it will help in addressing the real challenges that we face.
I recently gave two live webinars as part of a security webinar series of Microsoft Switzerland where I covered aspects of cloud resilience and achieving resilience against modern cyberthreats. The webinars are in German and if you are interested you can get access to the recording below.
Webinar 1: Schutz vor Gefahren aus dem Cyberspace
Die heutigen Gefahren aus dem Cyberspace sind immer grösser, Angriffe werden immer ausgefeilter, die Hacker selbst immer professioneller. Traditionelle Schutzmechanismen, wie beispielsweise Virenschutzprogramme und Firewalls, sind angesichts der neuen Entwicklungen nicht mehr ausreichend. Erfahren Sie in diesem Webinar alles über die Vorteile eines dynamischen Sicherheitskonzepts, das Ihre IT-Landschaft basierend auf den Prinzipien Protect – Detect – Respond effektiv vor modernen Cybergefahren schützen kann und für hohe Resilienz sorgt. Das Webinar ist hier verfügbar.
Webinar 2: Resilienz und Cloud Computing
Cloud Computing verändert und beschleunigt die Arbeitswelt; standardisierte Services aus der «Rechenzentrumswolke» entlasten Unternehmen von Investitionen in eigene, teure Server-Infrastrukturen. Dennoch bestehen grosse Vorbehalte hinsichtlich Verfügbarkeit, Sicherheit und Datenschutz – speziell in einem Umfeld, in dem Gefahren durch kriminelle Aktivitäten lauern und NSA-/PRISM-Aktivitäten für Rechtsunsicherheit sorgen. In diesem Webinar dreht sich daher alles um Fragen wie Resilienz mit der Cloud, Resilienz in der Cloud oder Resilienz trotz der Cloud. Das Webinar ist hier verfügbar
The security snippets series highlights some articles that I read recently. I hope they help in keeping up with the raise of security incidents and trends which becomes more and more difficult with the increasing professionalism of cyber attacks.
Bank Hackers Steal Millions via Malware
as read in the New York Times
The New York Times writes based on Kaperski information that a group of attackers impersonated bank officers and took over cash machines and transferred millions of dollars from more than 100 banks in Russia, Japan, Switzerland, the United States, and the Netherlands into fake accounts set up in other countries. This brings a new scale to Cybercrime.
Evolution and Adaptation in the Security Jungle
as read in Threatpost
Enterprise security teams need to catch up on understanding the methods that modern attackers use. The article on Threatpost does a good job at giving an overview. Active defense is crucial in that aspect and I described that with the protect, detect, response framework also in my whitepaper on achieving resilience against modern cyberthreats.
Visa Wants to Track Your Smartphone to Prevent Credit Card Fraud
as read in the Hacker News
It seems that Visa plans to release a new location-based feature that will help cardholders update their location via smartphone. With credit card fraud still on the raise that could be a good way to fight that. I just hope that it will be clear to the user that another service performs location tracking.
PlugX Is RAT of Choice for Nation States
as read in eSecurity Planet
The “2014 CrowdStrike Global Threat Intel” report finds that the PlugX Remote Access Tool (RAT) is the most observed malware variant used by nation-state backed threat adversaries. I don’t think that this is necessarily so clear as in my view many nation states have more customized and elaborate capabilities but it shows how far such tools have come.
One Billion Data Records Compromised in 2014 Worldwide
as read in Softpedia
The article writes about a report from the Breach Level Index (BLI) which finds a 49 percent increase in data breaches and a 78 percent increase in number of records that were stolen or lost in 2014. While the absolute number might be even higher the massive increase is something that we observe as well.
Microsoft Achieves Globally Recognized ISO/IEC 27018 Privacy Standard
as read in the Microsoft Cyber Trust Blog
This more on privacy and trust than security although that also plays an important aspect. Microsoft on February 16, 2015, obtained the ISO/IEC 27018 privacy standard for Microsoft Azure, Office 365, and Dynamics CRM Online. Brad Smith’s blog has more information on that and is worthwhile reading in my view.
How to Keep Your Webcam Safe from Hackers [Video]
as read in We Live Security
If you follow the link you will see a video that covers five tips to prevent someone from spying on you through your webcam. Something becoming more important after an anonymous website began posting live streams of the world’s unprotected webcams.
I am now working with Windows 8.1 for a while and I really like it. It enables me to have one device for two work modes. I use the modern Interface when I am more reading/consuming information and then change to the traditonal desktop when I am writing documents, presentations etc.
As a security professional I also like Windows 8.1 because it enables new scenarios in the enterprise. For accessing the most sensitive information I want to be able to know the device that is accessing it and to know the health of the device before letting it so. And with Windows 8 I can now do exactly that for a touch device.
Dustin Ingalls, our Group Program Manager for Windows Security & Identity was attending Black Hat and gave a presentation on the Windows 8.1 security functions and published a blog post about it. I summarize the most important points below and encourage you to read his full blogpost with the details:
The Windows 8.1 update offers a full spectrum of new and improved security capabilities – from features that enable devices to be fully locked down by IT, to remote security options for BYOD devices, to safeguards for personal devices that need to access business resources from home. The main Points are the follow:
#1 Trustworthy Hardware
Trusted hardware is a key investment area for Microsoft in Windows 8.1. Often in a BYOD scenario, if an employee buys a new computer, it can be hit-or-miss as to whether the device will have all the tools baked in that an IT department needs to make sure any data on that device is secure. With Windows 8.1 we take away the guesswork.
#2 Modern Access Control
With Windows 8.1, we’ve focused a lot of attention on the controls that IT departments can place on devices to restrict who can physically access a device. Key Points are here first class biometrics and multi-factor authentication for BYOD.
#3 Protecting Sensitive Data
We’ve also put a lot of thought into how businesses can protect their data even when it resides on employees’ personal devices.
Pervasive Device Encryption: With Windows 8.1, device encryption is now available on all editions of Windows for devices that support InstantGo. In addition we implemented Selective Wipe of Corporate Data: With Windows 8.1, we introduce Remote Data Removal which will allow an IT department to wipe corporate data (e.g. emails, attachments, corporate data that came from Work Folders) off a BYOD device without affecting personal data.
#4 Malware Resistance
As security threats continue to evolve, we continue to step up our built-in malware resistance measures to stay ahead of attackers by improving Windows Defender and enhancements to Internet Explorer.
The points above are only a selection of things and more is in the original post.
Cybersecurity is currently on the top of the mind of many organizations trying to protect their intellectual property, research, customer and employee databases and other valuable information. In almost every discussion that I have on cybersecurity the topic of targeted attacks is put into the center. This is now even encreasing as we see such attacks being used much more commonly than usually assumed and only a small number of organizations have the resources to limit or even detect them.
The question is then often what a targeted attack really is and to answer that we have created the Targeted Attacks Video Series on Advanced Persistent Threats (APTs), or what we at Microsoft call Targeted Attacks by Determined Human Adversaries. These five short informational videos summarizes three security whitepapers, Determined Adversaries and Targeted Attacks, Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques, and Best Practices for Securing Active Directory.
Take the time to look at them below – it is well worth it:
I hope this helps for the next discussion on the topic of targeted attacks – and if you work for an organization that has information with commercial value then that discussion that discussion should start sooner rather than later.
I have heard a couple of times from enterprises that Windows 8 looks great but that it is a consumer product and that adoption in the enterprise does not seem to bring an obvious advantage as most users work on a laptop and desktop and don’t need a metro surface. While I understand this initial reaction I see a large benefit for business to use Windows 8.
The way people work has changed and more work is done mobile. Until now the challenge was to still have the reliability, productivity and security a business needs. This is one of the strong advantages of Windows 8. It integrates seamlessly into the IT infrastructure and provides enterprise class security. And this even in multiple ways. Windows 8 provides an innovative and fun way to work on a slate or tablet in addition to more traditional laptops and desktop PCs. In addition there is the possibility to have Windows 8 on a USB stick with Windows To Go – a fully managed corporate Windows 8 desktop. Travelling light has never been that easy.
Picking some elements to talk about is not easy as the new functionalities are significant but looking at today’s cybersecurity threats I very much like the improvements that were made with the secure foundation. Trusted Boot is a key element. It validates the integrity of the entire boot process – from hardware, boot loader, kernel, boot-related system files to drivers. With antimalware loaded before all non-critical Windows components we achieve a better protection from rootkits. This in combination with Measured Boot Process, BitLocker Drive Encryption, AppLocker, and claim-based access control delivers end-to-end security like never before.
This is only a short overview on some of the Windows 8 features for business. A deeper and broader description was posted today in the Windows Team Blog here. It is worthwhile reading it.
Also check out the short video for an overview of some central aspects of Windows 8:
One of the discussions that I often have with senior IT decision makers is the overall security architecture and how the different layers of security mechanisms work together. In these talks I often see that security in enterprises is approached as a layered approach where, on purpose, security elements and products of different software vendors are used. I call this the best of breed approach as for each security function one can pick the top performer on the market. The main motivation behind this is that if there would be a weakness in a product from one vendor that the same problem will then not be found in the underlaying security layer as it is not from the same origin.
Sounds great? Adds clearly more security? Well yes in theory but maybe no in practice. The reality is that with the financial pressure that is common on todays system’s integrators, operations resources (financial, people and know-how) are sparse and the nicely designed layered approach has suddenly gaps as the complexity is just too high to have it properly handled. This then leaves gaps in the defense. In addition, the interaction of different products is often not well known. What hurts in that regard is that applying security patches can only be done once a thorough testing has occurred – which in turn takes time and resources and means that crucial patches are applied later and the window of opportunity for an attack is open longer.
With this now comes the question. What in practice brings you more security. The best of breed approach that is seldom fully implemented or the end-to-end security stack where your dependence on one supplier is increasing? How much of the dependence do you have already anyway? I observe a move to the second approach – mostly out of lack of operational resources – also in large enterprises with a quite a high security level. I see this even more accelerating in the future when we have more and more security solutions that are offered as cloud or hybrid services where platform compatibility will be a large factor. Does that mean we are having a sort of consumerization of IT also for security?
Did you notice that you got fewer spam e-mails today? All in all there were about 3.8 Billion fewer spam mails sent out. Why? Because there is one less Botnet in operation. Today Microsoft annaounced that we have taken down the Kelihos botnet in an action codenamed “Operation b79”. This is the third botnet takedown in Microsoft’s Project MARS (Microsoft Active Response for Security), a program driven by the Microsoft Digital Crimes Unit in close collaboration with the Microsoft Malware Protection Center (MMPC) and the Trustworthy Computing team to annihilate botnets and advance the security of the Internet for everyone. Why does it matter? Because it is one step further in making cybercrime more expensive and it is the first time Microsoft has named a defendant in its fight against botnets making suddenly cybercrime much less anonymous.
Microsoft has a very interesting unit in the fight against Cybercrime – the Digital Crimes Unit. I had the opportunity to spend last week at their premise in Redmond, to have interesting discussions and get our efforts in regard to child abuse and digital crimes aligned. With our ever increased dependance on our computers, smartphones and networks at home, on the road and at work, it becomes more and more crucial to keep this infrastructure safe, secure and private. To achieve this we are working in close cooperation with local law enforcement agencies, government CERTs, Internet Providers and other organizations and agencies. From a personal perspective it is highly interesting to have the opportunity to work at national level as a facilitator and sponsor between these Swiss entities and the different units of Microsoft Redmond and to be able to participate in the fight against child abuse and cybercrime.
The fight against botnets will continue. There are still tens of thousands of computers infected that regularely try to connect to the three botnets Microsoft took down. The following video gives an impression of the state of two botnets as of 21. September 2011.
What now needs to be done is to clean up the infected computers. To aid in this I started working together with Government, Internet Service Providers and Community Emergency Response Teams so that we can also take advantage in Switzerland of the work that is done in Redmond. More on that in a later post once the initiative has advanced and all partners are on board. In the meantime – please keep your computers safe and private. With that you are participate in the global fight against cybercrime and you keep your privacy protected. You can find information on “how-to” in this earlier blogpost.
Interested to know more about the botnet takedown? Read here the official Microsoft Blog.
I often get asked how Microsoft provides over 200 cloud services and what security measures are in place. There is a good video available that addresses how Microsoft delivers cloud services to more than a billion customers and 20 million businesses in over 70 countries. It is also a fascinating view onto the evolution of modern datacenters and their energy efficiency.
Here it goes:
I just read an article in the New York times on Suspected Hackers, a Sense of Social Protest. It made me think of the often quoted “One man’s terrorist is another man’s freedom fighter“.
For me the facts are clear. Nobody should attack the infrastructure or privacy of somebody else. Full stop. I cannot see that attacks can lead to anything positive and we have had plenty of examples showing that peaceful protest in the end works best to initiate change. However, other people see it different. They see it as a kind of social protest if they direct attacks at targets that they see as “evil”. Might these targets be individuals, corporations or governments. And then there are the ones that don’t think at all. That just follow a “cool” call for action. Have you ever seen the youtube video where an anonymous branch calls for attacking Telefonica? Pretty cool I must say. If I would be bored that weekend and looking for something to do – anything really – to fit into a group…. I can see why kids are tempted to point their Low Orbit Ion Cannons pretty much anywhere.
The part that worries me is not so much the individual person that might or might not participate in an attack. What worries me is that we as a society don’t have an understanding what is acceptable behaviour and what not. Sure – we might have a legal definition in some countries – but then does that help much? What we need to come to is a social value of what is acceptable and what not. What is a terrorist – and what is a freedom fighter. What differentiates them from eachother. Only then we can sit down and talk to our kids, our friends, our employees about values. Only then we can blog about it – about making people think about what they are doing. Make them aware of the line that they are crossing when they tinker with other people’s privacy and with intellectual property of enterprises, governments etc.
I don’t have the answer. But I am putting this out as a starting point to talk about it. Do the first step, take this and start talking about it and hopefully make some people think about values. Talk to somebody and lets start a snowball effect. Lets take this as a start to accept other’s privacy and values and use our right of free speech and social protest where we have them – and with that help others to achieve what we already have . Freedom of expression. But it comes with a price – and the price is responsibility and values – and we need to get better in accepting our responsibility.