Trustworthy Computing – One year on. Stuart Okin, Chief Security Officer – Microsoft UK. Microsoft Security Solutions, Feb 4th, 2003


TRANSCRIPT

Page 1: Trustworthy Computing – One year on. Stuart Okin, Chief Security Officer – Microsoft UK. Microsoft Security Solutions, Feb 4th, 2003

Trustworthy Computing – One year on

Stuart Okin, Chief Security Officer – Microsoft UK

Microsoft Security Solutions, Feb 4th, 2003

Page 2

Agenda

Reminder – Set the scene & What is Trustworthy Computing?

What have we done?

What are we planning?

Call to Action

Questions?

Page 3

Leaving Messages

Microsoft is committed to Trustworthy Computing = Security, Privacy, Reliability & Business Integrity

Trustworthy Computing can only be achieved through partnership & teamwork

Trustworthy Computing is a journey, with a long-term vision and with highlights and obstacles along the road

Page 4

Threat Remains Real

90% detected computer security breaches

40% detected system penetration from the outside; up from 25% in 2000

85% detected computer viruses

Source: Computer Security Institute (CSI) Computer Crime and Security Survey 2002

95% of all breaches due to misconfiguration

Source: CERT, 2002

Page 5

An Industry-Wide Problem – Why are security breaches common?

Microsoft – Windows UPnP

Oracle – Oracle 9i Buffer Overrun

AOL AIM

CDE/Solaris

Apache – OpenSSL Buffer

Viruses, Worms: Nimda, Code Red, Slammer

People will have to believe in the technologies, companies and services
Page 6

Trustworthy Computing – Core Tenets

Security: Resilient to attack. Protects confidentiality, integrity, availability and data.

Privacy: Individuals control personal data. Products and Online Services adhere to fair information principles.

Reliability: Dependable. Available when needed. Performs at expected levels.

Business Integrity: Help customers find appropriate solutions. Address issues with products and services. Open interaction with customers.

Page 7

Trustworthy Computing

Security

Page 8

Security Framework: SD3 + Communications

Secure by Design: Secure architecture. Security-aware features. Reduce vulnerabilities in the code.

Secure by Default: Reduce attack surface area. Unused features off by default. Only require minimum privilege.

Secure in Deployment: Protect, detect, defend, recover, manage. Process: how-to’s, architecture guides. People: training.

Communications: Clear security commitment. Full member of the security community. Microsoft Security Response Center.

Page 9

Progress To Date: SD3 + Communications

Secure by Design: Security training for 11,000 engineers. Security code reviews of old source. Threat modeling. “Blackhat” test coverage. Buffer overrun detection in compile process.

Secure by Default: Office XP: macros off by default. No sample code installed by default. IIS and SQL Server off by default in Visual Studio.NET.

Secure in Deployment: Deployment tools: MBSA, IIS Lockdown, SUS, WU, SMS Value Pack. Created STPP to respond to customers. PAG for Windows 2000 Security Ops.

Communications: TAMs call Premier Customers proactively. MSRC severity rating system. Free virus hotline. MSDN security guidance for developers. www.microsoft.com/technet/security

Page 10

January 2002 to March 2003

January / February / March

Bill Gates’ memo. 11,000 trained. Code reviews & stand down in Windows

Released the “Security Operations Guide for Windows 2000 Server”

Release intention to Federate Passport – Trustbridge

Responsible Vulnerability Disclosure Process draft (placed on IETF)

Release “Exchange 2000 Server Security Features” & “A/V Features and Strategies for Protecting your Exchange Environment” whitepapers

MSN announces participation in a beta test of the first e-mail certification and seal program

MS & IBM announce WS-I. Set up the Security Business Unit. Set up local security offices. Set up EMEA Office

PSS Security formed. .Net Framework released

Page 11

April 2002 to June 2002

April / May / June

Announce WS-Secure initiative (OASIS Specs for June)

Securing the Internet Data Centre workshop complete

Palladium Announced (Next Generation Secure Computing Base)

Microsoft Baseline Security Analyzer (MBSA) v1.0 releases

Join ETSI/CEN Working Party

Release Software Update Services

Detailed Privacy Handbook distributed company wide, serves as basis for Privacy Health Index

Release Prescriptive Architecture Guide for “.Net Web Applications”

Windows security-push stand down ends

UK Security assessment and implementation for Manchester 2002

Scott Charney hired. MS announces support of SAML (July)

Page 12

July 2002 to Sept 2002

July / August / September

SQL Server, Exchange, Office complete security pushes

Notification process launched by Steve B & BillG

The Trustworthy Computing Academic Advisory Board is chartered to review Microsoft product and policy issues

Updated Trustworthy Computing White Paper and Bill G mail to Executives

UK: Train 7 partners in Security Assessment Services

Windows XP SP1 releases

Computer Security Resource Centre release draft – “System Admin Guidance for Windows 2000”

MS Showcase on: Smartcards, Secure wireless and ISA business case and deployments

MSN 8 launches with new advanced parental and spam control. MSN awarded Truste privacy policy cert from EU

A series of new training courses available

SQL Hardening training workshop complete

Windows Media Player 9 Series beta releases with new privacy and security

Draft NSA Windows XP Guide. New EFS whitepaper released

MS acquires XDegrees, a maker of security software

Release of “Pocket PC Security” Whitepaper

MOF Operation Assessment v2 released

Organisation for Internet Safety Formed

Page 13

Oct 2002 to Dec 2002

October / November / December

Announce RSA partnership. System Management Server (SMS) Feature Packs

Microsoft Baseline Security Analyzer (MBSA) v1.1 releases

Support IAAC delivery of Benchmarking Information Assurance

Severity rating system changed

“Writing Secure Code” Second Edition publishes

Support ISF in review of Windows 2000, .Net security guidelines for members (industry)

Distributed over 4,800 security tool kits to small business

Microsoft Solution Management Service Offering released

Windows 2000 reaches Common Criteria

HP & Microsoft UK launch HA services

WS-I releases WS-Security

Security Resource Toolkit version 2 released

MSA EDC v1.5 provides guidance for designing Enterprise DataCentre environments

MS Showcase Case Study: Securing Remote Users

Microsoft Audit Collection System Beta released

Release of “Building Secure ASP.NET Applications” Guide

Complete first phase of 4E – CPE UK Program

Page 14

January 2003

ISA Feature Pack released

Release of “Operating .NET-Based Applications” guide

Microsoft completes OpenHack 4 Competition – the Microsoft solution withstood over 82,500 attacks and emerged from OpenHack 4 unscathed

Microsoft announces the Government Security Program

Release of “Using Windows XP Professional with Service Pack 1 in a Managed Environment: Controlling Communication with the Internet” whitepaper

Microsoft completes PKI challenge

Join Information Assurance Advisory Council

CISO US, CISO Finance, CISO UK councils

Release of the Secure Windows 2000 Server Solution Guide

SQL Slammer

Page 15

Summary

January 2002 Memo, follow up, vision

Steve Ballmer: Company Values of respect, customer focus, transparency

Windows XP SP1, Office XP SP1, Windows 2000 SP3, and 72 security fixes for various products.

AutoUpdate; SUS, SMS Feature Pack; MBSA

10 week halt in release cycles

Training of 11,000 engineers

Security Pushes for Windows, SQL, Exchange, Visual Studio, ISA, Commerce Server and Office B

MS Internal Privacy tracking and measurement tools suite

MSN 8 Parental Controls and Spam Controls

Windows Media Player 9 privacy first-run experience

IE6 and Privacy Wizard implementations

Windows security – $100+ million

Win2K reliability – $162 million, 500 man-years on reliability improvements

Software support: now offers 5 years, plus 2 years of extended service

Page 16

What are we planning?

Short to Medium Term

Improve Patch Management: Quality. Reduce Installers. Single Microsoft Update Service

Security Push / Engineering techniques “in a box”

Windows 2003 Server (Secure by default)

Longer term

Integration of Security Products (inc ISVs) into system

Next Generation Secure Computing Base

Self Healing & attack sensitive systems

Move applications to .Net Framework

Page 17

Call to action

1. Visit www.microsoft.com/security for current information on security

2. Subscribe: register.microsoft.com/subscription/subscribeMe.asp?lcid=1033&id=155

3. Get the toolkit: www.microsoft.com/uk/security

Page 18

Leaving Messages

Microsoft is committed to Trustworthy Computing = Security, Privacy, Reliability & Business Integrity

Trustworthy Computing can only be achieved through partnership & teamwork

Trustworthy Computing is a journey, with a long-term vision and with highlights and obstacles along the road

Page 19

Questions?

Page 20