Sunday, May 22, 2005

"Security - less about technology, more about processes"

Building the right processes and inculcating the right people may lessen the need for additional security mechanisms, say Microsoft's executives in an exclusive interview with CIOL.

 BANGALORE (21st May): Many would scoff at the idea of the Redmond based software giant, Microsoft, talking seriously about security and trying to advice customers on the strategy that has to be built to ensure better levels of the same. But for Steve Riley, Product Manager, Security Business Unit and Dave Glover, Developer Evangelist, Microsoft-Australia, its all part of the game. In India for the first time to talk about the Unit's products and reach out to enterprises to educate them on security strategy, the duo spoke with Sathya Mithra Ashok on the Unit's functions and how Microsoft aims to change its perception on security among enterprises.

Excerpts.

When was the Security Business Unit formed and what does its functions include

The Unit was formed nearly three years ago. It was formed to address some of the growing security issues within enterprises. Most enterprises, which were having security problems, found it easy to blame the technology alone. But that is not true. Security is less about technology and more about the processes and people built up in the enterprise. In fact, if enterprises concentrate on building the right processes and inculcate the right people, they would find that they might not need all the additional blocking mechanisms that many of them invest in regularly.
This attention to process must stem from basis co-ordination between application development and operations, which will be using the application. Teaching the basics of security to everybody in the organization involved with IT is essential. It's also important to know and trust the people who are involved in IT to a large extent, like your system administrators.
Most security threats for enterprises come from the inside. There is always a human element to security and the person on the inside already knows everything about the organization and therefore has much less to do to harm it. Security is not about he brand, but about systems management. Part of the fault lies with us too, in that we had not taken the initiative to educate enterprises more proactively. The Unit aims to remedy that.
There are around 1000 people in the Unit alone and if you count in the extended people connected to the Unit it would be around 6000. Formerly, whatever number of products Microsoft had, that was the number of ways of update implementation that there was. But now everything has to go through the Unit and if the Unit finds that it lacks in security, it goes back to development, even if there will be a delay in release. That is also part of the Unit's functions.

Was the growing popularity of open source operating systems part of the reason for the formation of the Unit and the propagation of security as a process for Microsoft?

We are a competitive company. And there are a lot of things we take into consideration. This would include IBM's initiatives, Novell's work or open source as a whole. Therefore, open source, along with IBM and Novell and other competitive initiatives would have been a consideration in the formation of the Unit.

Are Indian enterprises'outlook towards security the same as the world over?

We've been meeting CIOs and enterprise IT representatives for over four days now in India. We find that everyone acknowledges the importance of security but many of them don't understand how to go about it. Also, many enterprises lack in properly skilled people to handle their security. This is purely anecdotal but many of them we spoke to opined that most trained people opted to work for the outsourced software service providers rather than enterprises. And that situation is pretty unique to India because there are not very many places where outsourcing is as big an activity as here.

How much is revenue generation a part of the Unit?

We are a for-profit company and its naïve to ignore revenue-generating potentials of technology. Products associated with the Unit generate most of the revenue and it comprises a really small part of the overall revenues. Our products include the Internet Security and Acceleration Server, Windows Rights Management Services and other products or patches bundled with Windows and other MS products. But the fact is that revenues are not as important as the idea of spreading the message of security as processes and people oriented more than technology.

Microsoft has a huge perception issue to battle in the area of security – the perception that its software is open to more attacks than any other. How do you combat that perception?

We talk to enterprises. We try to bring to light the fact that every software has its vulnerabilities that can be exploited. We also point out to them that with each upgrade of its various software offerings Microsoft has steadily reduced the number of vulnerabilities in it. We demonstrate that it is safe to keep even security within the Microsoft umbrella.

We also educate them on the fact that the software or technology cannot be blamed all the time. That with proper processes and people in place, the company would not need to have blocks in place to prevent exploitation of vulnerabilities because the processes will ensure that there can be no exploitation.

All of it boils down to customer satisfaction. If they are not satisfied, they would look elsewhere. It's an uphill battle for Microsoft, but as long as we can pass the message of security I think we have achieved quite a bit.

Tech Notes

THE ART OF COMPUTER VIRUS RESEARCH AND DEFENSE

 

By Peter Szor
Published by Addison-Wesley Professional
ISBN: 0321304543   Buy Now!
Published:February, 2005
Pages:744

 About the author

Peter Szor graduated from the University of Veszprem Hungary in 1991. He is best known as the author of the popular Hungarian virus scanner called Pasteur, which he developed between 1990 and 1995. Szor.s interest in computer viruses began in 1990. He worked on various anti-virus scanning engines over the last decade including F-PROT, AVP, and Norton AntiVirus. Szor was invited to join CARO (Computer Anti-virus Researchers' Organization) in 1997. He is a frequent speaker at Virus Bulletin, EICAR, and ICSA conferences, and a regular contributor to Virus Bulletin magazine.

In 1999 Szor joined Symantec, where he designs and develops anti-virus technologies for the Norton Anti-virus product line. He is the author of several U.S. patents that are pending.

Free Chapter:
      9.1 Introduction

This chapter discusses the generic (or at least "typical") structure of advanced computer worms and the common strategies that computer worms use to invade new target systems. Computer worms primarily replicate on networks, but they represent a subclass of computer viruses. Interestingly enough, even in security research communities, many people imply that computer worms are dramatically different from computer viruses. In fact, even within CARO (Computer Antivirus Researchers Organization), researchers do not share a common view about what exactly can be classified as a "worm." We wish to share a common view, but well, at least a few of us agree that all computer worms are ultimately viruses1. Let me explain.

The network-oriented infection strategy is indeed a primary difference between viruses and computer worms. Moreover, worms usually do not need to infect files but propagate as standalone programs. Additionally, several worms can take control of remote systems without any help from the users, usually exploiting a vulnerability or set of vulnerabilities. These usual characteristics of computer worms, however, do not always hold. Table 9.1 shows several well-known threats.

Table 9.1 Well-Known Computer Worms and Their Infection Methods

Name / Discovered

Type

Infection

Execution Method

WM/ShareFun February 1997

Microsoft Mail dependent mailer

Word 6 and 7 documents

By user

Win/RedTeam January 1998

Injects outgoing mail to Eudora mailboxes

Infects Windows NE files

By user

W32/Ska@m (Happy99 worm) January 1999

32-bit Windows mailer worm

Infects WSOCK32.DLL (by inserting a little hook function)

By user

W97M/Melissa@mm March 1999

Word 97 mass-mailer worm

Infects other Word 97 documents

By user

VBS/LoveLetter@mm2 May 2000

Visual Basic Script mass-mailer worm

Overwrites other VBS files with itself

By user

W32/Nimda@mm September 2001

32-bit Windows mass-mailer worm

Infects 32-bit PE files

Exploits vulnerabilities to execute itself on target


Table 9.1 suggests that infection of file objects is a fairly common technique among early, successful computer worms. According to one of the worm definitions, a worm must be self-contained and spread whole, not depending on attaching itself to a host file. However, this definition does not mean that worms cannot act as file infector viruses in addition to network-based propagators.

Of course, many other worms, such as Morris3, Slapper4, CodeRed, Ramen, Cheese5, Sadmind6, and Blaster, do not have file infection strategies but simply infect new nodes over the network. Thus defense methods against worms must focus on the protection of the network and the network-connected node.


1 2 3 4 5 6 7 8 9  Next page >> 
 

" Worm: n., A self-replicating program able to propagate itself across network, typically having a detrimental effect."

—Concise Oxford English Dictionary, Revised Tenth Edition.

Friday, May 20, 2005

How to enable SSL on Windows XP SP2

 These tips comes from Sahil Malik and it's too much interesting for not bookmarked it:

XP SP2 has SSL disabled, and if you want to enable it, these are the steps:

  • Enable to HTTP SSL Service.
  • Download IIS resource kit for IIS 6.0 (Even though XP has IIS 5.1)
  • Run SelfSSL.Exe /N:CN=Sahil /V:30 /S:1

Now your SSL is enabled!

For more accuracy, remember that the above are instructions to enable an SSL website, and install a development environment certificate, on Windows XP SP2.

via: Stefano

Wednesday, May 11, 2005

Microsoft Security Week (MSDN)

>> Session 1: Building Secure Applications

This session will cover building standards based secure "Service Orientated Architecture" solutions and we'll look at the tools and the technologies to help make this a reality.

 

>> Session 2: Microsoft IT Application Software Assurance Program (ASAP)

The Microsoft Information Technology organization (Microsoft IT) developed the Application Software Assurance Program (ASAP) to inventory, assess, and—when necessary—help resolve potential security and privacy vulnerabilities found in line-of-business applications. The program defines the standards and best practices for providing security and confidentiality for all applications currently in production, and for those under development.

 

Venue: Viceroy, Hyderabad May 13th 9:00 AM!

Click here for other cities in India.