As evidenced by the latest Microsoft Security Intelligence Report, cyber attacks and cyber crime are constantly evolving, and while cyber crime isn't new, the scale and complexity of several recent events have stirred the interest of governments and enterprises alike. These are very interesting times to be a security and/or IT professional. While there is no silver bullet to solve global Internet crime, at Microsoft we believe that if we work together with our customers, partners, the information technology industry, governments, and other important constituencies, we can make progress towards a safer, more trusted Internet. To this end, Microsoft published a paper in April of 2008 outlining a way forward. We presented this vision at the 2008 RSA Conference and again at the RSA Conference in 2009. This vision is called "End to End Trust" and relies on three areas of focus: security and privacy fundamentals; technology innovations; and social, economic, political, and IT alignment. This month's newsletter highlights resources you can use to strengthen your security fundamentals. I also invite you to learn more about End to End Trust by visiting www.endtoendtrust.org and to think about how you can help make the Internet a safer place for everyone.

Best regards,
Tim Rains, Group Product Manager, Microsoft Trustworthy Computing

Top Stories

Check out the Security, Identity, and Access Track at Tech•Ed North America 2010 for the latest guidance and demonstrations of Microsoft Forefront products, identity-based access technologies, Windows security technologies, and more. Save $200 when you register by February 28.

Experience fast and effective protection against malware and spam with multiple scanning engines from industry-leading security partners. Download the trial software and learn more with an introductory webcast and technical demonstration.
The Security Compliance Manager provides centralized baseline management for Windows client and server operating systems and Microsoft applications. Sign up for the upcoming Beta program and help us build a tool that best meets your needs. As a Beta participant, you'll be able to give us your feedback on the security settings database, customization capabilities, and security baseline export flexibility.

Find out how they can help you implement the Microsoft Security Development Lifecycle (SDL) in your organization.

Security Guidance

The Microsoft Assessment and Planning (MAP) Toolkit is a powerful inventory, assessment, and reporting tool that can securely assess IT environments for various platform migrations and virtualization without the use of any software agents. Download this free toolkit today and generate a customized PC security assessment, security readiness proposal, and secure readiness report.

Learn about the communication that flows between the features in Windows 7 and Windows Server 2008 R2 and sites on the Internet, and then find steps you can take to limit, control, or prevent that communication in an organization with many users.

Learn how to effectively use both Encrypting File System (EFS) and BitLocker technologies to help address your organization's requirements to protect data on mobile PCs. This toolkit also provides you with software tools and scripts to help you centrally configure, deploy, and manage encryption settings on all your mobile PCs.

While there is no single recommended method to deploy Windows 7 with BitLocker, this guide describes the various aspects of the process and includes best practices for successful deployment.

Use this guide to help you assess the threats and vulnerabilities in your Systems Management Server (SMS) environment and prioritize the actions you can take to reduce your risk.
Learn how to properly outfit your Forefront TMG servers with the correct hardware configuration according to deployment scenario and user base.

Learn how to integrate the SDL into your Agile development project.

Get familiar with the core concepts of the SDL and the individual security activities that should be performed to be compliant with the process.

This Month's Security Bulletins

This security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Security Bulletin Overview for February 2010

The Business of Security

Effective Practices in Security: A Call to Action
By Herbert H. Thompson, Ph.D.

Fields like structural engineering have had years of trial and error working under some pretty consistent laws of physics to get things right. They have standards, rules, laws, axioms, and procedures that can truly be called "best practices." By contrast, the field of information security is very young. The rules keep changing, technology keeps evolving, and the adoption of technology has far outpaced our ability to understand the potential risks. In this climate, we as information security professionals need to share more data and move from "speculative practices," based on intuition and hunches, to "effective practices," based on results and data.
A new awareness of security has made businesses more open to sharing their security practices. We've seen some significant security innovation within corporations -- for example, the SDL work Microsoft is doing. As we move into 2010, a few areas have surfaced where we need even more information sharing to unearth some of these effective practices. Here's a partial list of areas where we can (and must) make significant progress:
Security Metrics (specifically justifying security spend)

Figuring out the "Return" part of a Return on Investment (ROI) calculation requires one to accurately assess the benefit accrued. A lack of good IT security metrics has made this exceedingly difficult for security professionals. We need innovative approaches to better measure IT security risk and express the benefits of security investments in monetary terms.
Risk Management Frameworks

Driven by a wave of legislation and regulations, many IT risk management frameworks have surfaced over the past few years. These frameworks attempt to help the enterprise identify, prioritize, and manage risk, and identify processes and tools to help defend the enterprise. In theory, these frameworks are versatile and facilitate business-oriented risk decisions. In practice, they can be awkward, opinion-driven, and limited in scope. We need better information sharing about what works and what doesn't.
Cloud Security

Moving some internal processes to the cloud initially looks appealing: lower capital costs, more centralized management and control, and the ability to leverage shared resources and expertise. For corporations, some important questions remain unanswered: How are enterprises managing security in cloud migrations today? How are businesses crafting Service Level Agreements (SLAs) with cloud providers? How are enterprises reconciling cloud-based deployments with the rigors of audit? While the cloud is not new, there are many new opportunities and options. Sharing information about effectively managing cloud security will be critical.
Security and Social Networks

The rise of social networking has brought with it a new crop of challenges for CISOs and security professionals. One looming concern is that employees may be revealing too much of their professional lives online. This has become an important corporate security issue as tools and technologies are now available to correlate and visualize this data to infer confidential information. We need to better understand the new threats, the state of data-mining technologies, and how businesses are battling those threats through education and policy.
Security and "Consumerization"

Employees want to bring their home devices into the workplace, and the economic downturn has given some companies the incentive to say yes. Many issues remain unresolved, and more tension between security and "consumerization" is on the horizon. Technology can solve part of the problem -- many businesses require the ability to remotely wipe mobile phones that contain corporate data in case they are lost or stolen -- but we need to understand more about effective policies. What's worked in corporate environments? What's the risk?
We've got a lot of ground to cover, but there has never been a more exciting time to make progress. We're seeing more data-centricity in industry organizations like SAFECode and the Cloud Security Alliance. We're seeing data-rich sessions -- real case studies where security has been put into practice -- at big industry events like RSA Conference. We all have some data on and experience with what works and what doesn't. Now it's time to share that data with the security community.

Security Events and Training

Learn how to make the business case for data governance with this special webcast for IT, privacy, security, risk management, and compliance professionals.

Learn about technologies intrinsic to the operating system that help make computers more resilient to attacks and provide the foundation upon which you can build your other technology investments.

Upcoming Security Webcasts

Tuesday, February 23, 11:00 AM - Noon Pacific Time

Upcoming security webcasts in a dynamic, interactive format.