Thursday, May 15, 2014
That said, MS decided to release the big Internet Explorer patch and include XP. This is a particularly big bug and would be devastating to the web, if left unpatched.
I am curious how those who are paying millions for XP support feel about the rest of us getting this for free.
Thank you Satya Nadella for saving the web. I look forward to the next XP security update. I know you will do the right thing when the next big bug comes.
Sunday, February 23, 2014
Enter Caradigm a joint venture between Microsoft and GE! From the press release, this seems to be all about real-time healthcare data. They are talking about interoperability and collaboration with patient data. Done right, this is great stuff, however, we are talking about highly sensitive personal data in a very regulated space, in terms of data security.
Microsoft and GE are two of America's largest companies. I'm sure they have thought this all through... Caradigm is hiring the Information Security Manager. Copy here. While this role sounds like the manager of all InfoSec at Caradigm, surely they mean Manager in Information Security. The top InfoSec role at a company of this stature, with its hands in or on so much highly regulated data, must be a VP or maybe even a C level role. Then again, maybe they didn't think it all through and don't think security is important enough to pay a high salary for.
Security covers a lot of ground; policy, risk management, governance, vendor management, architecture, hands on techy stuff around hosts, network stuff, app layer stuff. The top role would cover all that.
And here is are a few of the job requirements... That looks like the whole list to me. Did we leave anything for the CISO to do?
• Participates in the architecture governance process. Provides technical guidance to project teams and vendors as appropriate.
• Implement Enterprise Information Security Standards
• Plans and supervises the support and maintenance for the enterprise information security including:
- Environment administration of all access rights to the overall network and applications within the network
- Vulnerability scanning
- Firewall administration
- Risk assessments
- Penetration testing
• Plans, supervises and participates (either personally or through team members or vendors) in every project within the environment to assure that security standards are maintained while meeting the business requirements
• Coordinates all audit requirements related to Information Security across all platforms and projects working directly with process owners and vendors to ensure compliance
• Sponsors the teams, which analyzes all vulnerability and patch requirements and assess their impact to the Security environment. Integrate this team’s strategic roadmap into the overall IT strategy to ensure a plan to protect its information assets into the future.
• Maintains accountability for responsible information security program governance through formal reporting
• Develops and implements an information security risk profile that prioritizes risk and the investment and financial strategy required to mitigate those risks
• Creates and maintains security architecture for the enterprise and participate in the solution selection and process development
• Develops security requirements for information technology infrastructure initiatives, selected enterprise applications and, as appropriate, reviews and approves security design of initiatives
• Understanding of appropriate leading-edge security technologies and services
• Matrix managing large virtual, remote, and global project teams (15+ members)
• Hiring, developing, leading, motivating, performance managing, and coaching a cross-section of security and technology professionals and managers
• Understanding of emerging technologies and their impact on security architectures: Service Orientated Architecture, Enterprise Frameworks, Message Based information exchange, etc.
• Project managing in the security arena in a healthcare customer facing role
• Information Security Architecture technologies and concepts: Firewalls, intrusion detection, assessment tools, encryption, certificate authority, etc.
• Information systems security, including such areas as identity and access management, security program policies, processes, and procedures
• Understanding of information security and the relationship between threats, vulnerability and information value in the context of risk management
• Excellent vendor management skills with demonstrated experience. Comprehensive understanding of the physical security discipline, focusing on operations. Strong cross-team and cross-group collaboration skills.
Friday, February 21, 2014
I've decided to start posting some of these with commentary. The one that finally made this decision for me is from Amazon.com . A copy can be found here. I've added bold for emphasis.
The almost certainly illegal and super ageist posting title is what caught my eye: "Systems Engineer - AWS Simple Storage Service (S3) -University Candidate: May 2014 Grads Only".
It was the wonderful nonsequitur requirements for job experience that really hooked me.
- Experience running and maintaining a 24x7 Internet-oriented production environment, preferably across multiple data centers, involving (preferably) at least hundreds of machines.
- Demonstrable expertise around specifying, designing, and/or implementing system health, performance monitoring tools, and software management tools for 24x7 environments.
- Experience with very large distributed systems such as multi-terabyte storage farms, and/or horizontally scaled request processing fleets
Sunday, February 9, 2014
If you have worked for Microsoft, or any huge company, this will be no surprise; Microsoft has many groups working against each other or at least spending dollars in one department that could save or make millions in another. It’s not easy to align everything in a large company, especially when it has been run by the worst CEO in America for so long. Microsoft is regularly in the news “shutting down botnets” and doing other great pro-bono work to make the web safer. I applaud this!
Yet, in the core operating systems orgs, they have let Windows XP, still the second most used desktop OS, lag behind in security and will stop issuing patches in April of 2014. There is nothing wrong with XP, even the MS page on its retirement makes it clear that they don’t have to support it, by law, so they won’t. There are no claims related to it not being good or safe. I read it as, “There is no money in it for us, so we will spend the resources in a money making area”. If you add no context, this is a totally rational business decision. I won’t pretend to have all the data on the financial and opportunity costs of patching XP and enhancing it. I have no idea how much money it costs Microsoft to fund the groups that take down botnets. I also don’t know who the users of XP are, but I expect they are those who can’t afford to upgrade. This may be due to the cost of the OS, lack of skills to safely upgrade, or in the case of businesses, economy of scale making it very expensive.
Figure 1 All OSs on the Web
Figure 2 Windows OS Breakdown
Here is what I do know. MS will continue to support Server 2003 until July 2015. XP and Server 2003 are mostly built on the same code base, so patching XP isn’t a complete diversion from their business. If MS stops patching the OS that is nearly 30% of the desktop market, XP will become the most researched and exploited OS on the web in fairly short order. The MS team that is taking down botnets will sure have their hands full then. Maybe MS thinks that the fear of no patches will finally get users to upgrade. In the case of the enterprise, I would think so. In the case of small businesses and individuals, I expect this to be a boon for little IT shops; removing viruses and selling cheap fixes like host based firewalls, more anti-virus, anti-malware, and Advanced Persistent Controls.
Considering that Microsoft has zero legal or contractual obligations to improve or maintain XP, perhaps they can write off the cost of not turning the internet into a XP infested filthy virus zone. OK, intentional hyperbole aside, I vehemently urge Mr. Nadella to throw his predecessor under the bus and take up the cause of keeping XP healthy. This doesn’t just mean patching; it means a few basic enhancements that are needed.
OK, when I say, “there is nothing wrong with XP”, I know, it doesn’t have Address Space Layout Randomization and User Account Control, and many other benefits of post-XP OSs. Let’s not confuse the “need” for the next best OS for an actual need to get off a dangerous OS. I guess XP will be that OS soon, if Mr. Nadella doesn’t reconsider.
My in-depth focus on security is mainly around applied cryptography and identity management, so I welcome other suggestions in the comments. Below is my wish list for XP enhancements.
Upgrade to schannel. XP does not support Server Name Indication and TLS 1.2 with AES cipher suites. There are some patches for 2003 that add AES cipher suites, but with TLS 1.1 and below are vulnerable to BEAST attacks, as the added cipher suites use CBC mode. Make all these changes part of critical updates, not hotfixes. No one applies hotfixes unless they know about the issue.
Saturday, January 11, 2014