Microsoft Security Newsletter – August 2012

Welcome to August's Security Newsletter! This month's newsletter theme focuses on security mitigations. Security mitigations are designed to help protect users in situations where vulnerabilities exist in software that could enable an attacker to compromise the integrity, availability, or confidentiality of that software or the data that it processes. The goal with security mitigations is to make it very costly, or even impossible, for an attacker to successfully exploit a vulnerability. With that in mind, Microsoft has created a number of free security mitigation tools designed to help protect customers from attackers seeking to exploit them. Recently, we announced some enhancements that were made to two of our most popular security mitigation tools: Enhanced Mitigation Experience Toolkit – The Enhanced Mitigation Experience Toolkit (EMET) is a free utility that helps prevent vulnerabilities in software from being successfully exploited for code execution. It does so by opting in software to the latest security mitigation technologies. The result is that a wide variety of software is made significantly more resistant to exploitation. A few weeks ago at the BlackHat Conference in Las Vegas, we awarded over $250,000 in prizes to security researchers whose ideas were selected, one of which was incorporated into the latest "tech preview," EMET v3.5. EMET is a popular security tool among chief information security officers and security professionals because it helps them manage security mitigations for applications running in their environments. Security mitigations like address space layout randomization (ASLR) and Data Execution Prevention (DEP) can help make vulnerabilities very hard, or even impossible, to exploit reliably. For more information on EMET, check out our blog post titled "Microsoft's Free Security Tools - Enhanced Mitigation Experience Toolkit." Attack Surface Analyzer – Last year, we released a beta version of our free Attack Surface Analyzer (ASA) tool. The purpose of this tool is to help software developers, independent software vendors (ISVs), and IT professionals better understand changes in Windows systems' attack surface resulting from the installation of new applications. Earlier this month, we announced the end of the beta period and the availability of Attack Surface Analyzer 1.0 for download. This new release of ASA includes performance enhancements and bug fixes to improve the user experience. Through improvements in the code, we were able to reduce the number of false positives and improve graphic user interface performance. This release also includes in-depth documentation and guidance to improve ease of use. For more information regarding the improvements, download the ASA ReadMe document. If you are interested in learning more about security mitigations, I encourage you to follow our blog series on "Microsoft's Free Security Tools." Best regards, Tim Rains, Director Microsoft Trustworthy Computing Top Stories Motivations, Risks and Rewards of the BYOD Trend Bring Your Own Device (BYOD) policies can easily backfire on businesses, unless closely monitored to maintain benefits for employees and the company. In this three-part blog series, TwC Director Jeff Jones takes a close look at the BYOD trend, the forces that are driving it, and the pros and cons of supporting BYOD within an IT organization. Threat Modeling from the Front Lines Threat modeling is a systematic way to find design-level security and privacy weaknesses in a system. In this article, Principal Cybersecurity Architect Michael Howard summarizes the key lessons he has learned while building threat models. Identity and Access Management: Access Is a Privilege Explore why privileged-access lifecycle management is a process and technology framework that can make your access controls more efficient and effective. Security Guidance Security Tip of the Month: Social Engineering Advice for IT Professionals IT professionals are accustomed to thinking about the technical aspects of security. However, as the most recent edition of the Security Intelligence Report has shown, the human element—the techniques that attackers use to trick typical users into helping them—has become just as important for attackers as the technical element. This article outlines effective technical safeguards, programs, and processes you can implement to help defend against social engineering in your organization. Infrastructure Planning and Design Guides for Security Streamline and clarify your security infrastructure design processes with concise planning guidance from IPD Guides for Security. Each guide addresses a unique security infrastructure technology or scenario, provides critical architectural decisions to be addressed, available options, as well as a means to validate design decisions to ensure that solutions meet requirements of both business and IT stakeholders. Threat Modeling and Agile Development Practices Examine how to effectively perform threat modeling for projects that demand rapid development processes. Before we dive into the details on threat modeling, let's briefly review how threat modeling fits into the SDL. The SDL and Threat Modeling Threat Modeling is a core element of the Microsoft Security Development Lifecycle (SDL). Able to plug in to any issue-tracking system, the SDL Threat Modeling Tool makes threat modeling easier for developers of all skill levels by providing guidance on creating and analyzing threat models. Download the tool and check out these tips to help you get started with the tool. Using the BinScope Binary Analyzer The BinScope Binary Analyzer is a free Microsoft tool that can help both developers and IT professionals in auditing the security of applications that they are developing or deploying/managing. Learn how to configure and use BinScope to analyze an application within Visual Studio. Conficker Clean Up Tips Even a conscientious IT department that follows responsible practices for quickly installing security updates, installing and monitoring antimalware and intrusion detection systems, and controlling access to file shares can still encounter outbreaks of a threat such as Conficker. Microsoft provides information to help IT administrators deal with Conficker infections at www.microsoft.com/conficker.This list provides additional tips that may help advanced users who possess a good understanding of computer security and Windows administration find computers that are infected with Conficker in order to minimize their attack surface. Community Update MVP Article of the Month: Virus Infection Prevention Best Practices for Small and Midsize Organizations A surprising number of IT system administrators consider the simple use of antivirus programs and firewalls enough to provide reliable protection from trojans, viruses, and worms. In this article, Microsoft Enterprise Security MVP Peter Gubarevich shares a simple, but effective infection prevention strategy that can work for even the smallest organization. Cloud Security Corner An Inflection Point: Cloud Computing Overview Watch as Microsoft Corporate Vice President of Trustworthy Computing, Scott Charney, discusses a big picture view of cloud computing today and the forces creating change. Private Cloud Jump Start Series Get a high-level overview of the problems that cloud computing can solve and learn how to configure, deploy, monitor, and operate a private cloud infrastructure. This Month's Security Bulletins Microsoft Security Bulletin Summary for June 2012 Critical MS12-052: Cumulative Security Update for Internet Explorer (2722913) MS12-053: Vulnerability in Remote Desktop Could Allow Remote Code Execution (2723135) MS12-054: Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution (2733594) MS12-060: Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2720573) MS12-058: Vulnerabilities in Microsoft Exchange Server WebReady Document Viewing Could Allow Remote Code Execution (2740358) Important MS12-055: Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2731847) MS12-056: Vulnerability in JScript and VBScript Engines Could Allow Remote Code Execution (2706045) MS12-057: Vulnerability in Microsoft Office Could Allow Remote Code Execution (2731879) MS12-059: Vulnerability in Microsoft Visio Could Allow Remote Code Execution (2733918) August 2012 Security Bulletin Resources: Microsoft Security Response Center (MSRC) Blog Post Security Bulletin Overview Video (MP4) – 3000k | 600k | 400k Security Bulletin Webcast Q&A Security Events and Training Microsoft Virtual Academy: Office 365 for the IT Pro Explore the overall value Office 365 provides to modern organizations in terms of productivity, access, familiarity, security, control, and reliability then get specific training around deployment, administration, and federated authentication. Windows 8 Developer Camps Ongoing through December 2012 – Multiple locations worldwide Windows 8 Developer Camps are free, fun, no-fluff events for developers, by developers. Learn from experts in a low-key, interactive way and then get hands-on time to apply what you've learned. Each developer camp is different, but all will cover in-depth the new platform for building Metro-style applications. By the end of the event, you'll have an understanding of the platform design tenets, the programming language choices, and the integration points with the operating system and across Metro-style applications. - August 2012 - In This Issue Top Stories Security Guidance Community Update Cloud Security Corner This Month's Security Bulletins Security Events and Training Essential Tools Microsoft Security Bulletins Microsoft Security Compliance Manager Enhanced Mitigation Experience Toolkit Malware Response Guide Microsoft Malicious Software Removal Tool Microsoft Baseline Security Analyzer Microsoft Security Development Lifecycle Starter Kit Troubleshooting and Support Security Troubleshooting and Support Resources Microsoft Support Security Product Solution Centers Microsoft Support Virus & Security Solution Center TechNet Forums Security Blogs Trustworthy Computing Security and Privacy Microsoft Security Microsoft Malware Protection Center Microsoft Security Development Lifecycle Microsoft Security Research and Defense Microsoft Security Response Center Security and Compliance Solution Accelerators Additional Resources TechNet Security Center Microsoft Malware Protection Center Microsoft Security Response Center Microsoft Security Development Lifecycle Security Demonstrations and Tutorials Security Intelligence Report This is a monthly newsletter for IT professionals and developers—bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter. © 2012 Microsoft Corporation. All rights reserved. Microsoft, MSDN, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Microsoft respects your privacy. To learn more please read our online Privacy Statement. If you would prefer to no longer receive this newsletter, please click here. To set your contact preferences for other Microsoft communications click here. Microsoft Corporation One Microsoft Way Redmond, WA 98052 USA