Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

Here.

If you’re running Windows 7, you’re okay. If you’re running IE8 on a previous version of Windows, you’re okay.

Otherwise, I recommend using Microsoft’s Fix it link for enabling Data Execution Prevention (DEP) in Internet Explorer (choose the one on the left) until a patch is released.

More info can be found here.
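One thing worth doing after applying the Fix it is confirming that DEP is actually in force, both as system policy and for the running Internet Explorer process. The following PowerShell is an added example written for this page, not part of the original post or of Microsoft's Fix it. It uses two things that do exist on the platform: the Win32_OperatingSystem WMI class (its DataExecutionPrevention_SupportPolicy property reflects the bcdedit nx setting) and the kernel32 GetProcessDEPPolicy API. The helper name Win32.Dep and the process name iexplore are my choices; the script assumes an elevated prompt so it can open other users' processes.

```powershell
# Added example (not from the original post): verify DEP status system-wide
# and for each running iexplore.exe process.
# Assumptions: run elevated; GetProcessDEPPolicy exists on XP SP3 / Vista SP1
# and later, and only reports on 32-bit processes (64-bit processes always
# have DEP enabled and the call fails for them).

$signature = @'
[DllImport("kernel32.dll", SetLastError=true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@
# Win32.Dep is an arbitrary name for the generated P/Invoke wrapper type
$k32 = Add-Type -MemberDefinition $signature -Name 'Dep' -Namespace 'Win32' -PassThru

# System-wide policy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$os = Get-WmiObject Win32_OperatingSystem
$policy = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
"System DEP policy: $policy (hardware NX available: $($os.DataExecutionPrevention_Available))"

# Under OptIn (the client default) a process only gets DEP if it asked for it,
# which is exactly what the Fix it makes IE do. Check each IE process directly.
$procs = Get-Process iexplore -ErrorAction SilentlyContinue
if (-not $procs) { "No iexplore.exe process is running; start IE and re-run." }
foreach ($p in $procs) {
    $flags = [uint32]0
    $permanent = $false
    if ($k32::GetProcessDEPPolicy($p.Handle, [ref]$flags, [ref]$permanent)) {
        $enabled = ($flags -band 1) -ne 0    # PROCESS_DEP_ENABLE = 0x1
        "iexplore.exe PID $($p.Id): DEP enabled=$enabled permanent=$permanent"
    } else {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        "iexplore.exe PID $($p.Id): GetProcessDEPPolicy failed (Win32 error $err)"
    }
}
```

If the system policy reports AlwaysOn, every process is covered regardless of what IE asks for; under OptIn you want to see enabled=True for each iexplore.exe, otherwise the Fix it did not take effect for that process.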

From the “something I wish I’d invented” department, GATR makes an inflatable satellite comms system which, including electronics, folds up into “two airline checkable cases”. Pretty cool!

Downloads here.

“Information security is a very dynamic field: legislation keeps changing, technology keeps evolving, and the attacker community continues to be more sophisticated. This turmoil has forced security practitioners to think creatively to address some very difficult problems. Much of this innovation has been locked away within corporations as they have made isolated progress on issues like security metrics, security risk management frameworks, and security policy. In order to address this discrepancy, Microsoft commissioned a whitepaper series to share key security innovations. Whitepaper topics came from participants in Microsoft’s CSO Council - a semi-annual gathering of security executives from leading global organizations who serve as advisors to Microsoft’s Trustworthy Computing group. Our goal is to share practices “from-the-trenches” that address some of the toughest problems in security. After numerous interviews, discussions, and debates with these thought leaders, a collection of effective practices emerged. While much remains to be done, we hope these papers fuel the discussion and help facilitate further sharing in the field of IT security.”

Download here.

“Information security awareness and training is critical to any organization’s information security strategy and operations. People are in many cases the last line of defense against threats such as malicious code, disgruntled employees, and malicious third parties. Microsoft offers the security awareness toolkit to help organizations plan, develop, and deliver a successful security awareness program. The kit includes a planning guide, templates, pointers to material that can help speed the development of a security awareness program, a sample general security awareness presentation that can be modified and tailored to any organization, material to help articulate the value to peers and managers, and three example awareness campaigns from Microsoft Information Security.”

Alternative content to RSA, next week in SF. Info here.

Pretty good post here with some security what-if scenarios, such as the above.

The view of someone who was there (regarding the Trustworthy Computing Memo what-if): the Windows security stand-down (aka security push) took place in early 2002, right in the middle of my career at Microsoft. It wasn’t the TwC memo that made 11,000 engineers stop work on the most profitable – and expensive – software project in history; it was the crisis in confidence in the Windows franchise.

The Code Red and Nimda worms had both hit within the preceding six months. There was the perception that Microsoft had not only suffered permanent damage to its reputation, but indeed that its customers were running for the exits and would not be coming back.

Good things came from the situation, however, and the TwC memo was a catalyst. The Windows security stand-down was successful inasmuch as it resulted in a massive scrubbing of an enormous legacy code base. This was also the first real-world test of the early Microsoft Security Development Lifecycle processes, including threat modeling, security reviews, and the Secure by Design, by Default, and in Deployment mantra. The benefits of this experience have since been documented, implemented in tools, spread across the company, and made available to Microsoft’s partners and customers.

A frequently overlooked result of the same events which led to the TwC memo: Patch Tuesday. An imperfect solution to a very difficult problem.

A colleague asked a question on this topic last week at a Microsoft briefing: how, as security advocates in our own organizations, can we institute better security training as well as influence developers and other members of the IT organization on the importance of implementing security best-practices?

Answer: SDL content from Microsoft is a good start. They’ve invested big money in this since the XP SP2 days, and have shown good industry leadership. Check out these two resources in particular:

Also check out other stuff on the SDL landing page.

We’ve got all of our servers – and that includes production and test lab ones – virtualized on Hyper-V, and we’re using Restorify to replicate those VM images within our lab. This is good – our lab is getting more efficient and easier to manage.

Next step: move those images offsite. Indeed, Restorify is efficient enough to replicate those images to an offsite server – after all, that’s the whole point of the product.

But here’s the frustrating thing: for a small business, finding an offsite location to park those images is hard. Do we try to find an IT consulting firm to host it for us? It would be wiser, I think, to put that server in a co-location facility, but also more expensive. Worth it?

Anyone used these?

I saw a presentation on the Twitter + CRM integration at the 2009 MS Partner Conference – it looks pretty cool. But the social networking landscape has changed a lot in the past year, and I’m not sure how useful a Twitter-only integration would be. I’d like to see something that can track usage and patterns across Twitter, Facebook, YouTube, blogs, and the main business website.
