trustworthy computing – one year on stuart okin chief security officer – microsoft uk microsoft...
TRANSCRIPT
Trustworthy Computing – One Trustworthy Computing – One year onyear on
Stuart Okin Stuart Okin Chief Security Officer – Microsoft UKChief Security Officer – Microsoft UK
Microsoft Security Solutions, Feb 4Microsoft Security Solutions, Feb 4thth, 2003, 2003
AgendaAgenda Reminder – Set the scene & What is Trustworthy Reminder – Set the scene & What is Trustworthy
Computing?Computing?
What have we done?What have we done?
What are we planningWhat are we planning
Call to ActionCall to Action
Questions?Questions?
Leaving MessagesLeaving Messages
Microsoft is as committed to Microsoft is as committed to Trustworthy Computing = Security, Trustworthy Computing = Security, Privacy, Reliability & Business Privacy, Reliability & Business IntegrityIntegrity
Trustworthy computing can only be Trustworthy computing can only be achieved through partnership & achieved through partnership & teamworkteamwork
Trustworthy Computing is a journey, Trustworthy Computing is a journey, with a long term vision with highlights with a long term vision with highlights and obstacles along the roadand obstacles along the road
Threat Remains RealThreat Remains Real
90% detected computer security 90% detected computer security breachesbreaches
40% detected system penetration from 40% detected system penetration from the outside; up from 25% in 2000the outside; up from 25% in 2000
85% detected computer viruses85% detected computer viruses
Computer Crime and Security Survey 2002Computer Crime and Security Survey 2002
CERTCERT
95% of all breaches due to 95% of all breaches due to misconfigurationmisconfiguration
Source: Computer Security Institute (CSI) Source: Computer Security Institute (CSI) Computer Crime and Security Survey 2002Computer Crime and Security Survey 2002Source: CERT, 2002Source: CERT, 2002
An Industry-Wide ProblemAn Industry-Wide Problem Why are Security breaches common?Why are Security breaches common?
Microsoft - Windows UPnPMicrosoft - Windows UPnP Oracle – Oracle 9i Buffer Oracle – Oracle 9i Buffer
OverrunOverrun AOL AIMAOL AIM CDE/SolarisCDE/Solaris Apache – Open SSL BufferApache – Open SSL Buffer
Viruses, WormsViruses, Worms Nimda, Code RedNimda, Code Red SlammerSlammer
People will have to believe the in People will have to believe the in technologies, companies and servicestechnologies, companies and services
Trustworthy ComputingTrustworthy ComputingCore TenetsCore Tenets
SecuritySecurity
PrivacyPrivacy
ReliabilityReliability
Business IntegrityBusiness Integrity
Resilient to attackResilient to attack Protects confidentiality, integrity, Protects confidentiality, integrity,
availability and dataavailability and data
DependableDependable Available when neededAvailable when needed Performs at expected levelsPerforms at expected levels
Individuals control personal dataIndividuals control personal data Products and Online Services adhere Products and Online Services adhere
to fair information principles to fair information principles
Help customers find appropriate solutionsHelp customers find appropriate solutions Address issues with products and servicesAddress issues with products and services Open interaction with customersOpen interaction with customers
Trustworthy ComputingTrustworthy Computing
SecuritySecurity
Security FrameworkSecurity Framework
Clear security commitmentClear security commitment Full member of the security communityFull member of the security community Microsoft Security Response Center Microsoft Security Response Center
Secure architectureSecure architecture Security aware featuresSecurity aware features Reduce vulnerabilities in the codeReduce vulnerabilities in the code
Reduce attack surface areaReduce attack surface area Unused features off by defaultUnused features off by default Only require minimum privilegeOnly require minimum privilege
Protect, detect, defend, recover, manageProtect, detect, defend, recover, manage Process: How to’s, architecture guidesProcess: How to’s, architecture guides People: TrainingPeople: Training
SDSD33 + Communications + Communications
Secure by Secure by DesignDesign
Secure by Secure by DefaultDefault
Secure in Secure in DeploymentDeployment
CommunicationsCommunications
Progress To DateProgress To Date
TAMs call Premier Customers proactivelyTAMs call Premier Customers proactively MSRC severity rating systemMSRC severity rating system Free virus hotlineFree virus hotline MSDN security guidance for developersMSDN security guidance for developers www.microsoft.com/technet/securitywww.microsoft.com/technet/security
Office XP: Macros off by defaultOffice XP: Macros off by default No sample code installed by defaultNo sample code installed by default IIS and SQL Server off by default in Visual IIS and SQL Server off by default in Visual
Studio.NETStudio.NET
Deployment tools: MBSA, IIS Lockdown, SUS, Deployment tools: MBSA, IIS Lockdown, SUS, WU, SMS Value PackWU, SMS Value Pack
Created STPP to respond to customersCreated STPP to respond to customers PAG for Windows 2000 Security OpsPAG for Windows 2000 Security Ops
SDSD33 + Communications + Communications
Secure by Secure by DesignDesign
Secure by Secure by DefaultDefault
Secure in Secure in DeploymentDeployment
CommunicationsCommunications
Security training for 11,000 engineersSecurity training for 11,000 engineers Security code reviews of old sourceSecurity code reviews of old source Threat modelingThreat modeling ““Blackhat” test coverageBlackhat” test coverage Buffer overrun detection in compile processBuffer overrun detection in compile process
January 2002 to March 2003January 2002 to March 2003
JanuaryJanuary FebruaryFebruary MarchMarch
Bill Gate's memo Bill Gate's memo 11000 trained. Code 11000 trained. Code reviews & stand down in reviews & stand down in WindowsWindows
Released “Security Released “Security Operations Guide for Operations Guide for Windows 2000 Server” Windows 2000 Server” GuideGuide
Release intention to Release intention to Federate Passport - Federate Passport - TrustbridgeTrustbridge
Responsible Vulnerability Responsible Vulnerability Disclosure Process draft Disclosure Process draft (placed on IETF)(placed on IETF)
Release “Exchange 2000 Release “Exchange 2000 Server Security Features” Server Security Features” & “A/V Features and & “A/V Features and Strategies for Protecting Strategies for Protecting your Exchange your Exchange Environment” whitepapersEnvironment” whitepapers
MSN announces MSN announces participation in a beta test participation in a beta test of the first e-mail of the first e-mail certification and seal certification and seal programprogram
MS & IBM announce WS-I MS & IBM announce WS-I Set up the Security Set up the Security Business Unit. Set up Business Unit. Set up local security offices. local security offices. Setup EMEA OfficeSetup EMEA Office
PSS Security formed PSS Security formed .Net Framework released.Net Framework released
April 2002 to June 2002April 2002 to June 2002AprilApril MayMay JuneJune
Announce WS-Secure Announce WS-Secure initiative (OASIS Specs for initiative (OASIS Specs for June)June)
Securing the Internet Data Securing the Internet Data Centre workshop completeCentre workshop complete
Palladium Announced Palladium Announced
(Next Generation Secure (Next Generation Secure Computing Base)Computing Base)
Microsoft Baseline Microsoft Baseline Security Analyzer (MBSA) Security Analyzer (MBSA) v1.0 releases v1.0 releases
Join ETSI/CEN Working Join ETSI/CEN Working PartyParty
Release Software Update Release Software Update Services Services
Detailed Privacy Detailed Privacy Handbook distributed Handbook distributed company wide, serves as company wide, serves as basis for Privacy Health basis for Privacy Health IndexIndex
Release Prescriptive Release Prescriptive Architecture Guide for Architecture Guide for “.Net Web Applications”“.Net Web Applications”
Windows security-push Windows security-push stand down endsstand down ends
UK Security assessment UK Security assessment and implementation for and implementation for Manchester 2002Manchester 2002
Scott Charney hiredScott Charney hired MS announces support of MS announces support of SAML (July)SAML (July)
July 2002 to Sept 2002July 2002 to Sept 2002JulyJuly AugustAugust SeptemberSeptember
SQL Server, Exchange, Office SQL Server, Exchange, Office complete security pushescomplete security pushes
Notification process Notification process launched by Steve B & BillGlaunched by Steve B & BillG
The Trustworthy Computing The Trustworthy Computing Academic Advisory Board is Academic Advisory Board is chartered to review Microsoft chartered to review Microsoft product and policy issues product and policy issues
Updated Trustworthy Updated Trustworthy Computing White Paper and Computing White Paper and Bill G mail to ExecutivesBill G mail to Executives
UK Train 7 partners in UK Train 7 partners in Security Assessment Security Assessment ServicesServices
Windows XP SP1 releases Windows XP SP1 releases
Computer Security Resource Computer Security Resource Centre release draft - Centre release draft - "System Admin Guidance for "System Admin Guidance for Windows 2000" - Windows 2000" -
MS Showcase on: MS Showcase on: Smartcards, Secure wireless Smartcards, Secure wireless and ISA business case and and ISA business case and deploymentsdeployments
MSN 8 launches with new MSN 8 launches with new advanced parental and spam advanced parental and spam control. MSN awarded Truste control. MSN awarded Truste privacy policy cert from EU privacy policy cert from EU
A series of new training A series of new training courses available courses available
SQL Hardening training SQL Hardening training workshop completeworkshop complete
Windows Media Player 9 Windows Media Player 9 Series beta releases with new Series beta releases with new privacy and security privacy and security
Draft NSA Windows XP GuideDraft NSA Windows XP Guide New EFS whitepaper New EFS whitepaper releasedreleased
MS acquires XDegrees, a MS acquires XDegrees, a maker of security softwaremaker of security software
Release of “Pocket PC Release of “Pocket PC Security" WhitepaperSecurity" Whitepaper
MOF Operation Assessment MOF Operation Assessment v2 releasedv2 released
Organisation for Internet Organisation for Internet Safety FormedSafety Formed
Oct 2002 to Dec 2002Oct 2002 to Dec 2002OctoberOctober NovemberNovember DecemberDecember
Announce RSA partnershipAnnounce RSA partnership System Management Server System Management Server (SMS) Feature Packs (SMS) Feature Packs
Microsoft Baseline Security Microsoft Baseline Security Analyzer (MBSA) v1.1 Analyzer (MBSA) v1.1 releases releases
Support IAAC delivery of Support IAAC delivery of Benchmarking Information Benchmarking Information AssuranceAssurance
Severity rating system Severity rating system changedchanged
"Writing Secure Code" "Writing Secure Code" Second Edition publishes Second Edition publishes
Support ISF in review of Support ISF in review of Windows 2000, .Net security Windows 2000, .Net security guidelines for members guidelines for members (industry) (industry)
Distributed over 4800 Distributed over 4800 security tool kits to small security tool kits to small businessbusiness
Microsoft Solution Microsoft Solution Management Service Offering Management Service Offering releasedreleased
Windows 2000 reaches Windows 2000 reaches Common CriteriaCommon Criteria
HP & Microsoft UK launch HA HP & Microsoft UK launch HA servicesservices
WS-I releases WS-SecurityWS-I releases WS-Security
Security Resource Toolkit Security Resource Toolkit version 2 releasedversion 2 released
MSA EDC v1.5 provides MSA EDC v1.5 provides guidance for designing guidance for designing Enterprise DataCentre Enterprise DataCentre environmentsenvironments
MS Showcase Case Study: MS Showcase Case Study: Securing Remote UsersSecuring Remote Users
Microsoft Audit Collection Microsoft Audit Collection System Beta releasedSystem Beta released
Release of “Building Secure Release of “Building Secure ASP.NET Applications” ASP.NET Applications” GuideGuide
Complete first phase of 4E – Complete first phase of 4E – CPE UK ProgramCPE UK Program
January 2003January 2003January 2003January 2003
ISA Feature Pack releasedISA Feature Pack released
Release of “Operating .NET-Based Applications” guideRelease of “Operating .NET-Based Applications” guide
Microsoft completes OpenHack 4 Competition - the Microsoft completes OpenHack 4 Competition - the Microsoft solution withstood over 82,500 attack and Microsoft solution withstood over 82,500 attack and emerged from OpenHack 4 unscathedemerged from OpenHack 4 unscathed
Microsoft announce the Government Security ProgramMicrosoft announce the Government Security Program
Release of “Using Windows XP Professional with Release of “Using Windows XP Professional with Service Pack 1 in a Managed Environment: Controlling Service Pack 1 in a Managed Environment: Controlling Communication with the Internet” whitepaper Communication with the Internet” whitepaper
Microsoft completes PKI challengeMicrosoft completes PKI challenge
Join Information Assurance Advisory CouncilJoin Information Assurance Advisory Council
CISO US, CISO Finance, CISO UK councilsCISO US, CISO Finance, CISO UK councils
Release of the Secure Windows 2000 Server Solution Release of the Secure Windows 2000 Server Solution GuideGuide
SQLSlammer
SummarySummary January 2002 Memo, follow up, visionJanuary 2002 Memo, follow up, vision Steve Ballmer: Company Values of respect, customer focus, Steve Ballmer: Company Values of respect, customer focus,
transparencytransparency Windows XP SP1, Office XP SP1, Windows 2000 SP3, and 72 Windows XP SP1, Office XP SP1, Windows 2000 SP3, and 72
security fixes for various products.security fixes for various products. AutoUpdate; SUS, SMS Feature Pack; MBSAAutoUpdate; SUS, SMS Feature Pack; MBSA 10 week halt in release cycles10 week halt in release cycles Training of 11,000 engineersTraining of 11,000 engineers Security Pushes for Windows, SQL, Exchange, Visual Studio, Security Pushes for Windows, SQL, Exchange, Visual Studio,
ISA, Commerce Server and Office BISA, Commerce Server and Office B MS Internal Privacy tracking and measurement tools suiteMS Internal Privacy tracking and measurement tools suite MSN 8 Parental Controls and Spam ControlsMSN 8 Parental Controls and Spam Controls Windows Media Player 9 privacy first-run experienceWindows Media Player 9 privacy first-run experience IE6 and Privacy Wizard implementationsIE6 and Privacy Wizard implementations Windows security - $100+ millionWindows security - $100+ million Win2K reliability – $162Million, 500 men year on reliability Win2K reliability – $162Million, 500 men year on reliability
improvementsimprovements Software support: now offers 5 years, plus 2 years of extended Software support: now offers 5 years, plus 2 years of extended
serviceservice
Where are we planning?Where are we planning? Short to Medium TermShort to Medium Term
Improve Patch ManagementImprove Patch Management QualityQuality Reduce InstallersReduce Installers Single Microsoft Update ServiceSingle Microsoft Update Service
Security Push / Engineering techniques “in a Security Push / Engineering techniques “in a box”box”
Windows 2003 Server (Secure by default)Windows 2003 Server (Secure by default) Longer termLonger term
Integration of Security Products (inc ISVs) Integration of Security Products (inc ISVs) into systeminto system
Next Generation Secure Computing BaseNext Generation Secure Computing Base Self Healing & attack sensitive systemsSelf Healing & attack sensitive systems Move applications to .Net FramewrokMove applications to .Net Framewrok
Call to actionCall to action
1. Visit 1. Visit www.microsoft.com/securitywww.microsoft.com/security for for current information on securitycurrent information on security
2. Subscribe 2. Subscribe register.microsoft.com/subscription/register.microsoft.com/subscription/subscribeMe.asp?lcidsubscribeMe.asp?lcid=1033&id=155=1033&id=155
3. Get the toolkit3. Get the toolkitwww.microsoft.com/uk/securitywww.microsoft.com/uk/security
Leaving MessagesLeaving Messages
Microsoft is as committed to Microsoft is as committed to Trustworthy Computing = Security, Trustworthy Computing = Security, Privacy, Reliability & Business Privacy, Reliability & Business IntegrityIntegrity
Trustworthy computing can only be Trustworthy computing can only be achieved through partnership & achieved through partnership & teamworkteamwork
Trustworthy Computing is a journey, Trustworthy Computing is a journey, with a long term vision with highlights with a long term vision with highlights and obstacles along the roadand obstacles along the road
Questions?Questions?