Microsoft Secure Blog
In-depth discussion of security, cybersecurity and technology trends affecting trust in computing, as well as timely security news, trends, and practical security guidance
https://blogs.microsoft.com/microsoftsecure/feed/atom/ | 2017-07-20T16:02:01Z

TLS 1.2 Support added to Windows Server 2008
Microsoft Secure Blog Staff | http://blogs.microsoft.com/microsoftsecure/?p=69307 | 2017-07-20T16:02:01Z | 2017-07-20T16:00:55Z

This post is authored by Arden White, Senior Program Manager, Windows Servicing and Delivery.

As a follow-up to our announcement regarding TLS 1.2 support at Microsoft, we are announcing that support for TLS 1.1/TLS 1.2 on Windows Server 2008 is now available for download as of July 18th, 2017. We’re offering this support in recognition that our customers have a strong demand for support for these newer protocols in their environment and in recognition of the extended lifetime of Windows Server 2008 under the Windows Server Premium Assurance offering.

This update for Windows Server 2008 will include support for both TLS 1.1 and TLS 1.2. For application compatibility purposes, these protocols will be disabled by default in a manner similar to the TLS 1.1/TLS 1.2 support that was disabled by default in Windows 7 and Windows Server 2008 R2. After downloading and installing the update these protocols can be enabled by setting the registry keys described in KB4019276.

This update is being made available on the following timeline:

Release Date          Channels                       Classification
July 18, 2017         Microsoft Catalog
August 15, 2017       Windows Update/WSUS/Catalog    Optional
September 12, 2017    Windows Update/WSUS/Catalog    Recommended

A commitment to security and transparency at Microsoft Inspire 2017
Microsoft Secure Blog Staff | http://blogs.microsoft.com/microsoftsecure/?p=69244 | 2017-07-17T21:28:40Z | 2017-07-17T21:28:40Z

Microsoft Inspire (formerly Worldwide Partner Conference) gathered 16,000 attendees from around the world last week in Washington DC. At the event, Microsoft reaffirmed its commitment to its partners and its mission to “empower people to be more productive”. To kick off an exciting week, CEO Satya Nadella made five major announcements during the first vision keynote, including the introduction of Microsoft 365.

Commitment to security and transparency

During the vision keynote on day two, President and Chief Legal Officer Brad Smith provided updates and affirmation of Microsoft’s commitment to security and privacy. Smith promised dedication to security, saying, “Technology for technology’s sake isn’t particularly valuable. Applying technology towards solving human problems is where you unlock the value”. Smith presented a four-part integrated approach to confront ever-evolving cybersecurity threats: Platform, Intelligence, Partners, and Policies. With the cloud being bigger than ever before, Smith says every business has a digital opportunity. Microsoft has committed “new energy, new focus, new resources” to responding to security threats faster and better than ever before. These cloud principles and improved security features in Microsoft 365 will give partners better end-to-end security management. Better security and transparency help Microsoft and its partners build trust, and “move technology forward without leaving people behind”.

Security focused product announcements

Microsoft 365

Microsoft 365 is a new solution that combines software, management, and security options into a single subscription. Partners can choose from two solutions, Microsoft 365 Enterprise and Microsoft 365 Business. Both options provide productivity and security capabilities and a cohesive experience across applications and devices, while simplifying delivery and management for IT.

  • Microsoft 365 Enterprise
    • Includes Office 365 Enterprise, Windows 10 Enterprise, and Enterprise Mobility + Security
    • Available in two plans, as Microsoft 365 E3 and Microsoft 365 E5
    • Available August 1
  • Microsoft 365 Business 
    • Includes Office 365 Business Premium, security and management features for Office apps and Windows 10 devices, upgrade rights to Windows 10, and a centralized IT console
    • For small and medium-sized businesses
    • Available in public preview on August 2

GDPR

Partners can play a vital role in General Data Protection Regulation, or GDPR, by assessing customers’ readiness and helping them adapt to it.

Security Partner Playbook

Help your customers protect against breaches, detect breaches, and respond to breaches with a comprehensive security solution. This playbook focuses coverage on Microsoft products and services that play a critical role in securing this environment. Download the playbook here.

Microsoft Introduces the New Secure Productive Enterprise Offer

Microsoft recently announced its new hero offer called Secure Productive Enterprise (SPE). SPE provides the latest technology across Windows, Office 365, and Enterprise Mobility + Security (EMS). Frankly, it couldn’t come at a better time as businesses and consumers are increasingly aware of cybersecurity concerns. Here’s what partners can expect in terms of security capabilities from the innovative Microsoft stack and how they can leverage those capabilities to serve customers.

Conclusion

Inspire was surely an inspiring week for the partners who attended. With continued advances in the cloud and a better way for partners to build a modern, cohesive, and secure work environment with Microsoft 365, it should also be an exciting year.

Holistic security strategy: how greater integration improves detection and response time
Microsoft Secure Blog Staff | http://blogs.microsoft.com/microsoftsecure/?p=69112 | 2017-07-10T16:00:12Z | 2017-07-10T16:00:28Z

Today’s attackers have moved beyond “smash and grab” tactics to more sophisticated methods intended to maintain a long-term presence. These evolving threats complicate detection efforts as many organizations have a variety of point solutions that make it difficult to effectively detect advanced threats and attack campaigns.

Piecemeal approaches create challenges and might hamper security. Each new solution deploys unique vendor-specific dashboards, consoles, and logs that don’t always integrate well. Because of these communication blind spots, industry reports indicate that some threats can go undetected for about 100 days.

Rapid detection and response are critical in modern cloud and hybrid environments. Some organizations use Security Information and Event Management (SIEM) solutions to better correlate the information from a variety of tools. SIEM solutions aren’t without shortcomings—they rely on human analysis which can stretch the capacity of a workforce.

So, what can you do to improve security and more quickly respond to threats? To begin, it’s important to develop a security ecosystem around solutions that integrate and provide a holistic view of your environment – across users, data, apps, devices, and infrastructure. By working with technology vendors who create solutions that you can connect and integrate, you can improve your organization’s response times.

Getting—and staying—in front of today’s evolving threats requires more meaningful, comprehensive visibility, regardless of the products or endpoints or vendor partner. This is the kind of holistic view you need to detect and respond to threats with greater speed and accuracy.

We discuss security integration in greater detail in our latest eBook, 7 steps to a holistic security strategy. Download it today to learn more about security integration and other strategies for holistic security.

To learn more about Microsoft’s holistic approach to security, visit Microsoft Secure.

Latin America is stepping up to the plate in cybersecurity policy
Paul Nicholas (http://blogs.technet.com/Paul-Nicholas-_2D00_-TwC/ProfileUrlRedirect.ashx) | http://blogs.microsoft.com/microsoftsecure/?p=69205 | 2017-07-06T16:00:38Z | 2017-07-06T16:00:59Z

A year ago the Inter-American Development Bank (IDB) and the Organization of American States (OAS) asked themselves a question about cybersecurity: “Are We Ready in Latin America and the Caribbean?”. The conclusion of their 200-page report was essentially “No”, raising an alarm about Latin America’s critical situation in the cybersecurity arena. The report showed that Latin America was extremely vulnerable to potentially devastating cyber-attacks. Four in five states did not have cybersecurity strategies or plans for protecting critical infrastructure. Two in three lacked any sort of command and control center for cybersecurity crises. Enforcement of laws against cyber-attacks was almost universally weak.

The last 12 months have seen the start of what looks like a remarkable turnaround. Take as an example Argentina, which will host the G20 in 2018. Only a few weeks ago, Argentine President Macri met with American President Trump to start bilateral work on cybersecurity, uniting the two states against cybercriminals and aiming to make cyberspace open, reliable and safe. The basis of this cooperation is not novel per se. The two allies are seeking to increase the coordination of their cyber politics, to share information and to foster private-public partnerships in the protection of key infrastructure. It may not be a novel approach but what matters most is that it is happening and that for the Argentine government it is real rather than window-dressing.

The IDB and OAS 2016 report noted the importance of legislative frameworks, investigation, the processing of electronic evidence, and the training of judges and prosecutors in the field of cybersecurity. It also urged states to inform public and private sector organizations when vulnerabilities are identified. Fortunately, this call to action did not fall on deaf ears and, within the past year, we have seen accelerating improvements in Latin America’s approach to cybercrime and cybersecurity legislation. The capstone of this was April 2017’s OAS resolution to increase cooperation, transparency, predictability, and stability in cyberspace. As well as aligning themselves with the global approach to cybersecurity outlined by the UNGGE, the OAS decided to establish a working group to drive enhancements to members’ cybersecurity legislation.

This OAS resolution is matched by a range of other actions that prove the good intentions of the different Latin American countries involved. In May, a group of military and government cyber experts from Latin America, the Caribbean, and the United States met at the “Partner Nation Command, Control, Communications, Computers and Cyberspace Symposium” (PNC5S). Their aim was to discuss the different strategies they could adopt in the face of ever-escalating threats in cyberspace. This type of regional cooperation is essential to tackling cybercrime and also to building up the resilience of cyberspace in the face of ever-escalating cyberattacks.

All of this effort by Latin American governments does not matter simply because the United States or the European Union or China or the United Nations think it matters. Nor is the promotion of this agenda simply a convenient way to ensure Latin America isn’t a “weak link” in global approaches to dealing with cyberthreats and cybercrime. No, rather, these steps taken by Latin American governments matter because technology and cyberspace are becoming increasingly central to the interests of Latin America itself. For example, ICT industry revenues in Latin America are expected to increase by 20.3% from 2016 to 2017. Guadalajara, Mexico is being touted as a new Silicon Valley, driving billions in ICT exports and attracting investment from around the world. The International Conference on Software Engineering was held in the region for the first time in 2017 (in Buenos Aires).

The tide of change that has hit Europe, the US and Asia has not bypassed Latin America. Governments from this part of the world have come to realize that lagging behind the curve is not an option, and it is reassuring to see those same governments stepping up to the plate. By learning from other parts of the world and from each other, countries across Latin America will ensure their citizens, businesses, and public sector organizations can secure the economic, social, and even political benefits of technologies such as cloud, big data, and the Internet of Things. If in a year from now the IDB and the OAS were to ask again if Latin America is ready for this new future, the answer would likely be far more positive.

Security Data Scientists Without Borders – Thoughts from our first Colloquium
Microsoft Secure Blog Staff | http://blogs.microsoft.com/microsoftsecure/?p=69028 | 2017-06-29T19:20:04Z | 2017-06-29T19:00:45Z

The move to the cloud is changing the security landscape. As a result, there is a surging interest in applying data-driven methods to security. In fact, there is a growing community of talented people focused on security data science. We’ve been shedding our respective “badges” and meeting informally for years, but recently decided to see how much progress we might make against some of our bigger challenges with a more structured and formal exchange of ideas in Redmond. The results far exceeded our expectations. Here’s a bit of what we learned.

The first thing to understand is that academia and industry both focus largely on security detection, but the emphasis is almost always on the algorithmic machinery powering the systems. We at Microsoft are transparent with our algorithm research and in fact are the only cloud provider to openly share the machine learning algorithms securing our cloud service. In order to build on that research and learn more about best practices for putting security data science solutions in production, we reached out to our peers in the industry.

We started by meeting with some friends at Google to swap ideas for keeping our cloud services and mutual customers secure. That one-time exercise proved so valuable that it soon turned into a recurring meeting wherein we learned that despite different approaches to data modeling, we face similar challenges. Last week, we opened the doors at Microsoft to the broader community. At first, we weren’t sure if companies would take us up on the offer to discuss security data science issues in the open – nothing could have been farther from the truth. We quickly had delegates from Facebook, Salesforce, Crowdstrike, Google, LinkedIn, Endgame, Sqrrl, the Federal Reserve and researchers from the University of Washington. What was supposed to be an hour-long meetup morphed into a full-blown conference – so much so, we had to give it a name – “Security Data Science Colloquium”.

The goal of the colloquium was simple: share learnings of how different cloud providers/services secure their systems using machine learning. No NDAs, no complicated back and forth paperwork. Our only constraint: keep it technical and be honest. This way, we could ensure that the 300+ applied Machine Learning (ML) engineers, security analysts, and incident responders who signed up had a collaborative environment to discuss freely!

Security Data Science > Security + Data Science

Operationalizing security and machine learning solutions is tricky, not only because security data science solutions inherit the complexity of both fields, but also because their intersection poses new challenges. For instance, compliance restrictions that dictate data cannot be exported from specific geographic locations have a downstream effect on model design, deployment, evaluation, and management strategies (a data science constraint). As Adam Fuchs, CTO of Sqrrl, pointed out in his lecture, this complicated machinery requires a variety of actors to land an operational solution: threat hunters, data scientists, computer scientists and security analysts, in addition to the standard development crew of program managers, developers and service engineers.

Security Data Scientists ❤ Rules

To quote Sven Krasser (@SvenKrasser), Chief Scientist at Crowdstrike, “Rules are awesome”. This may come as a surprise to machine learning puritans who have long berated rules as futile tools. But as Sven noted in his talk, rules are very good at finding known maliciousness and we as a community must not shy away from them. During our smaller brainstorm discussions, we discussed various ways to combine rules and machine learning. For instance, at Microsoft, we have had success in using Markov Logic Networks to combine the domain knowledge of our security analysts and model them into probabilistic graphs.

Adversarial Machine Learning is Mainstream and We Don’t Know How to Solve It

Hyrum Anderson (@drhyrum) and Robert Filar’s (@filar) riveting talk on how adversaries can subvert machine learning solutions made defenders in the room uncomfortable (in a good way!). They showed different ways that attackers can successfully manipulate machine learning models, from partial to no access to the system. While instances of such attacks have been known since spammers have tried to evade detection, or when adversaries attempt to dodge antivirus systems, the biggest takeaway here is that a machine learning system, like any system, is susceptible to attacks. For instance, attackers can use the labels, alert outputs, or the decision label (such as malware or not) to work around these defenses. While this has been happening for some time, the game changer is that this feedback is instantaneous: the data that was designed as a way for defenders to act swiftly is now exploited by attackers. Research in this area is nascent, and we still don’t know how to bridge this gap.

Call for standardization and benchmarks

At our breakout sessions, we heard the need for a standardized benchmark dataset à la ImageNet – for instance, how do we know if the newest detection for anomalous process creation performs under various test cases? An interesting observation made by the “Security Platform” discussion group was the need for something along the lines of “GitHub for feature engineering”. They reckoned that many teams waste time managing feature pipelines and sometimes re-computing the same feature, and wanted an effective management system that will make teams more efficient and code more maintainable.

The colloquium, thanks to the enthusiastic participation of our peers, ended up as a marketplace of security data science ideas – we discussed, agreed, and challenged one another with the intention of learning. My favorite quote about the conference comes from a Salesforce participant, who remarked “we are all batting for the same team”. It particularly resonated with me, because despite our organizational boundaries, we all have a common goal: protect our customers from adversaries.

This is our commitment to share what we have learned – successes and failures – so that you don’t have to waste time going down the wrong path. Given the overwhelming support from the security analytics community, my colleagues have already started planning the next edition of the colloquium. If you are interested in participating, have ideas to make it better, or want to lend a helping hand in organizing, drop a note at ramk@microsoft.com or reach out to me on Twitter – @ram_ssk.

What are Confidence building measures (CBMs) and how can they improve cybersecurity?
Paul Nicholas (http://blogs.technet.com/Paul-Nicholas-_2D00_-TwC/ProfileUrlRedirect.ashx) | http://blogs.microsoft.com/microsoftsecure/?p=68953 | 2017-06-29T16:00:21Z | 2017-06-29T16:00:45Z

Cyberspace security is too often viewed through a prism of technological terms and concepts. In my experience, even supposedly non-technical discussions of cyberspace quickly devolve into heated debates about “vulnerability coordination”, “the latest malware”, “the best analytical tools”, “threat information sharing”, and so on. While these are interesting and important topics, it is ultimately people and their personal perspectives – not technology – that largely shape governments’ political, diplomatic and military choices in cyberspace.

At the heart of government’s “human” decision-making in cyberspace are understanding and trust. The two are not the same. It’s possible for one state to understand another’s capabilities in cyberspace but not to trust their intentions. The reverse is also true, with trust existing outside of understanding another’s capabilities. But, by and large, some level of understanding about what another state can and can’t do in cyberspace should at least reduce distrust. And that can help governments make rational judgments about each other’s behaviors as well as de-escalate tensions between and among states.

One significant complication in building understanding and defusing distrust is the fact that many systems useful in cyber-defense can also be used in cyber-offense. When a state invests in cyber to defend itself, its rivals might instead see a growth in offensive capabilities. This is not a question of technical understanding but rather of reading the intent of others. A very human response to someone seemingly gearing up for conflict is to build at the very least one’s own defenses (and to, potentially, even increase one’s offensive as well as retaliatory capabilities). Such a move is, however, equally liable to misinterpretation by others. Thus, escalation spreads, trust evaporates, and distrust balloons, leaving cyberspace, on which so much of modern life depends, akin to a powder keg, ready to explode. The potential for a cyber arms race is as real as it is dangerous.

An essential response to this critical challenge is the use of confidence building measures (CBMs) between states. Today, CBMs are still generally seen as vectors for instilling good cybersecurity practices, especially during a country’s early entry into cyberspace. Certainly, CBMs can help such countries counter the threat of cybercrime, and can also help promote international consistency in cybersecurity approaches, which is an essential part of combating cybercrime. However, CBMs are much more than this.

Coming of age under the threat of Cold War nuclear annihilation, CBMs enable states to minimize exactly the kind of misunderstandings that fuel distrust and exacerbate tensions. In many ways, they are akin to pressure valves for states to use before a situation escalates into conflict. CBMs can help states step back from thinking, “We need to get our cyber-retaliation in first”. They may not lead directly to trust but what they provide is manifestly better than its absence. They have a manifest role to play in ensuring the safety and stability of cyberspace by reducing the risk of cyberwar breaking out. As such, they can be a necessary prerequisite to building trust.

CBMs are already being built into critical state-to-state cyberspace agreements. The UNGGE 2015 (voluntary) norms placed CBMs at the core of responsible state behavior in cyberspace. In the UNGGE’s words, they “allow the international community to assess the activities and intention of States”. That assessment of actions and intent is absolutely essential to addressing the human perspective. The UNGGE leveraged previous work done in the framework of the Organization for Security and Co-operation in Europe (OSCE), namely its 2013 CBMs. In this respect, it is significant that just last year the OSCE expanded on its CBM work precisely because, “events in cyberspace often leave room for ambiguity, speculation and misunderstanding. The worry is that miscalculations and misperceptions between states arising from activities in cyberspace could escalate, leading to serious consequences for citizens as well as for the economy and administration, and potentially fueling political tensions.”

A failure to mature and refine CBMs globally adds to distrust and militarization in cyberspace, i.e. the aforementioned cyber arms race. The consequences of the “miscalculations and misperceptions” that the OSCE warned of can easily move from the virtual world to the real one. For example, 2010’s so-called “Pakistan-India cyberwar” saw “cyber armies” from each country vandalizing official websites, exacerbating serious diplomatic and military tensions after the 2008 Mumbai terror attacks. Furthermore, recent tensions between parts of the West and Russia, North Korea or even China all feature strong elements of “cyber-distrust”. The danger, of course, is that once there is “cyber-distrust” among states it is likely to spread into other spheres, if left unchecked, and vice versa.

So, if the human perspective matters at least as much as the technology when it comes to government decision-making about cyberspace, all parties should take every opportunity to promote understanding and reduce distrust between states. We should use whatever tools seem most appropriate to do so. CBMs are essential in this regard. They are and remain a key tool in the cyber peacebuilder’s toolkit.

Tips for protecting your information and privacy against cybersecurity threats
Microsoft Secure Blog Staff | http://blogs.microsoft.com/microsoftsecure/?p=68839 | 2017-06-28T18:32:00Z | 2017-06-27T16:00:21Z

This post is authored by Steven Meyers, security operations principal, Microsoft Cyber Defense Operations Center.

Introducing a new video on best practices from the Microsoft Cyber Defense Operations Center

In 2016, 4.2+ billion records were stolen by hackers. The number of cyberattacks and breaches in 2017 has risen 30 percent.

The business sector leads in the number of records compromised so far, with more than 7.5 million exposed records in 420 reported incidents. These cybercrimes are often intended for financial gain, such as opening a fraudulent credit card or accessing a company’s financial records. Today, a growing market exists in the dark web for selling credentials and sensitive information to other cybercriminals.

To help protect your information and privacy against cyberthreats, the Microsoft Cyber Defense Operations Center has published a series of best practices videos that will help consumers, businesses and organizations enable a safer online environment. This video shares some of the policies and practices that can be used to better protect information and privacy inside and outside of your operational perimeters.

Protection starts with classifying information and then putting appropriate protections in place based on its value. Some information is meant to be public, some data is sensitive but not highly valued to outside entities, but some data is mission critical and/or could cause tremendous financial hardship if shared externally.

Cybersecurity technologies and policies such as multifactor authentication, the principles of least privilege access, just-in-time and just-enough administrator access, and Microsoft’s cybersecurity products and services can help safeguard access to data and applications.

Some cybersecurity tips discussed include:

  • Classifying emails and data according to their level of sensitivity
  • Employing multifactor authentication for access to sensitive information
  • Only providing administrator access to individuals for the time needed to complete a task
  • Restricting access to only the information needed for the task
  • Keeping your software up-to-date

Please take a few minutes to watch the video and share it with your colleagues, friends and family. We all need to be diligent in the face of this growing and ever-more sophisticated threat.

Also, be sure to watch part one of the video series, Protecting your identity from cybersecurity threats. Check back next week for our third video, Protecting your devices from cybersecurity threats.


Tips for securing your identity against cybersecurity threats
Microsoft Secure Blog Staff | http://blogs.microsoft.com/microsoftsecure/?p=68734 | 2017-06-23T22:26:27Z | 2017-06-21T16:00:45Z

This post is authored by Simon Pope, Principal Security Group Manager, Microsoft Security Response Center.

Introducing new video on best practices from the Microsoft Cyber Defense Operations Center

Ask any CISO or cybersecurity professional about their greatest security challenge, and there’s a good chance the answer will be “the actions of our people.”

While virtually all employees, contractors, and partners have the best of intentions, the fact is that protecting their online credentials, identifying and avoiding phishing scams, and evading cybercriminals is getting more difficult each day. More of our time each day is spent online, and as more financial transactions and social activities are conducted online, adversaries are becoming ever-more sophisticated in their cyberattacks.

Microsoft faces these same threats, and we have made deep investments in training our people to be more aware and diligent in the face of such dangers. Our cybersecurity success depends on our customers’ trust in our products and services, and their confidence that they can be safe on the internet. To help keep our customers and the global online community safe, we want to share some of our Cyber Defense Operations Center’s best practices for Securing your identity against cybersecurity threats in this video.

In this video, we discuss some best practices around securing your identity, such as avoiding social engineering scams that trick people into giving up their most sensitive secrets, recognizing phishing emails that falsely represent legitimate communications, and how to spot false impersonations of your trusted colleagues or friends. We also discuss some of the types of information you don’t want to share broadly (i.e. credentials, financial information and passwords), and tips for protecting your sensitive data.

Some cybersecurity tips that we discuss include:

  • Be vigilant against phishing emails
  • Be cautious when sharing sensitive information
  • Don’t automatically trust emails from people you know; they may not be from them
  • Keep your software up-to-date

Please take a few minutes to watch the video and share it with your colleagues, friends and family. We all need to be diligent in the face of this growing and ever-more sophisticated threat. And check back next week for our second video on Protecting your devices from cybersecurity threats, and in two weeks, we will share more on Protecting your information and data from cybersecurity threats on the Microsoft Secure blog.


TLS 1.2 support at Microsoft
Microsoft Secure Blog Staff | http://blogs.microsoft.com/microsoftsecure/?p=68785 | 2017-06-19T21:22:58Z | 2017-06-20T16:00:46Z

This post is authored by Andrew Marshall, Principal Security Program Manager, Trustworthy Computing Security.

In support of our commitment to use best-in-class encryption, Microsoft’s engineering teams are continually upgrading our cryptographic infrastructure. A current area of focus for us is support for TLS 1.2. This involves not only removing the technical hurdles to deprecating older security protocols, but also minimizing the customer impact of these changes. To share our recent experiences in engaging with this work, we are today announcing the publication of the “Solving the TLS 1.0 Problem” whitepaper to aid customers in removing dependencies on TLS 1.0/1.1. Microsoft is also working on new functionality to help you assess the impact to your own customers when making these changes.

What can I do today?

Microsoft recommends customers proactively address weak TLS usage by removing TLS 1.0/1.1 dependencies in their environments and disabling TLS 1.0/1.1 at the operating system level where possible. Given the length of time TLS 1.0/1.1 has been supported by the software industry, it is highly recommended that any TLS 1.0/1.1 deprecation plan include the following:

  • Application code analysis to find/fix hardcoded instances of TLS 1.0/1.1.
  • Network endpoint scanning and traffic analysis to identify operating systems using TLS 1.0/1.1 or older protocols.
  • Full regression testing through your entire application stack with TLS 1.0/1.1 and all older security protocols disabled.
  • Migration of legacy operating systems and development libraries/frameworks to versions capable of negotiating TLS 1.2.
  • Compatibility testing across operating systems used by your business to identify any TLS 1.2 support issues.
  • Coordination with your own business partners and customers to notify them of your move to deprecate TLS 1.0/1.1.
  • Understanding which clients may be broken by disabling TLS 1.0/1.1.

Coming soon

To help customers deploy the latest security protocols, we are announcing today that Microsoft will provide support for TLS 1.2 in Windows Server 2008 later this summer.

In conclusion

Learn more about removing dependencies on TLS 1.0/1.1 with this helpful resource: the Solving the TLS 1.0 Problem whitepaper.

Stay tuned for upcoming feature announcements in support of this work.

]]>
Microsoft Secure Blog Staff <![CDATA[Cybercrime and freedom of speech – A counterproductive entanglement]]> http://blogs.microsoft.com/microsoftsecure/?p=68707 2017-06-12T23:43:28Z 2017-06-14T16:00:56Z Read more »]]>

This post is authored by Gene Burrus, Assistant General Counsel.

As cybercrime becomes ever more pervasive, the need for states to devote law enforcement resources to battling the problem is apparent. However, states should beware using cybercrime legislation and enforcement resources as a vehicle for restricting speech or controlling content. Doing so risks complicating essential international cooperation and will risk de-legitimizing cybercrime legislation and enforcement. With the growing need for enforcement to thwart cybercriminals, without which the economic and social opportunities of the Internet may well flounder, using “cybercrime” as a label for attacking speech and controlling content may only serve to dilute support, divert resources, and make international cooperation more difficult.

At present over 95 countries either have or are working on cybercrime legislation. This is a good thing, as the more states that have cybercrime laws, especially laws that are largely harmonized to better enable international cooperation, the better for everyone (except the criminals). Cybercrime thrives across borders and between jurisdictions, relying on the internet’s global reach and anonymity, but if cybercriminals are based in a country without adequate cybercrime laws, it becomes even harder to bring them to justice. But defining cybercrime properly is important.

Cybercrime is a word we have all encountered more of in recent years. It tends, rightly so, to bring to mind “hackers”, infiltrating computer systems and disrupting them or stealing from them. However, most cybercrime statutes are actually broader than that. They also cover a whole slew of criminal activity mediated by information communication technology (ICT). They deal with the theft of personal information, from credit card details to social security numbers, which can be used for fraud. They include acts against property, albeit virtual property, from simple vandalism to sophisticated ransomware. (If “virtual property” sounds too abstract to be a concern, bear in mind that this is the form in which many of our most valuable ideas, from patented designs and trade secrets to copyrighted creative material, are now to be found.) It will increasingly bleed into the real world too, thanks to devices connected to the Internet (will cybercriminals soon be stealing self-drive cars through the Internet of Things?) and due to attacks on critical infrastructures such as power grids (which will also affect issues of national security).

This broad swathe of cybercrime is widely accepted to be “a bad thing” by most governments and on that basis, cooperation among and between governments in pursuing cybercriminals is possible.

However, many countries’ cybercrime legislation also categorizes publishing or transmission of illegal content in a particular country via computer networks or the internet as “cybercrime”. And on this, countries are not in wide agreement. When a state’s laws criminalize content that other countries don’t recognize as criminal, and then devote cybercrime enforcement resources to chasing this kind of “crime” rather than what people generally think of as cybercrime, it complicates or prevents international cooperation, discredits cybercrime legislation and enforcement efforts, and diverts resources from solving the serious problem of cybercrime. While there is certainly content that is universally reviled, i.e. child pornography, there are many disagreements about the creation and dissemination of other content, e.g. political materials or artwork. For some states, free speech is an exceptionally important principle. For others, the control of offensive or dangerous content is essential. Achieving agreement on how to approach these differences is, frankly, going to be a challenge. Once again the Budapest Convention provides a salient example. In 2006, the Convention was added to by a Protocol that criminalized acts spreading racist and xenophobic content. Even some states that signed up to and ratified the original Convention have proved reluctant to add themselves to the Protocol. This is almost certainly not because they approve of racist or xenophobic content; it’s simply a complicated issue in the context of their own laws or their perspectives on free speech or legal sovereignty.

If these kinds of disagreements are expanded across other types of content and then brought into the heart of global cooperation against cybercrime, the whole process runs a serious risk of breaking down. States may well be unwilling to cooperate in cybercrime investigations, fearing they might expose people whose actions are in no way criminal by their own standards. And, once again, the only ones to benefit will be the cybercriminals who can play off jurisdictions against one another, ducking and diving across borders and through gaps in legal enforcement.

In many ways, the “cyber” in these “content crimes” is just about distribution and they do not have to be included in cybercrime statutes and enforcement efforts. Because states have different types of speech they want to regulate and different levels of free speech they are willing to tolerate, these issues need to be kept separate from efforts to address what everyone agrees on as cybercrime: attacks on data, on property, on infrastructure. Crimes of content creation and distribution, beyond the most universally reviled such as child exploitation, should be dealt with outside of the essential cooperation on cybercrime itself. This will allow governments to work together globally to protect citizens, businesses and their own national security from cybercriminals.

]]>