Views From Microsoft TechEd 2007
Day 1: 6/4/07
The first day of any event like this is always the most – well – hectic. People everywhere! Thousands of computer geeks all trying to go in different directions through a convention center, but at the same time all trying to get to the same place – the place where the food is and the opening keynote speech. Once the keynote was done, things sort of calmed down as people went to the various breakout sessions. This convention center is huge! They could fit a few football practice fields in this one building alone. In the main building where the breakout sessions were held, it is a quarter of a mile from one end to the other. And given that some sessions were on one end, and some on the other, we walked this quarter mile span several times a day. The images of the main expo area don’t begin to do this place justice, insofar as giving a good depiction of the size of this facility. The building we were in was around a million square feet, according to sources we asked. And it was carpeted from wall to wall. Had to be one big, honkin’ vacuum cleaner they use in that place!
There were a number of new tools being introduced and discussed in depth. The problem with this conference is that we geeks were like kids in a candy store – so many presentations, but how to decide which ones to attend was a real challenge. I think I changed my schedule a thousand times!
Day 2: 6/5/07
Two recurring themes are emerging from the sessions so far: User awareness and risk analysis are key elements of the security of any system. Many of the technologies that continue to surface still have the interesting aspect of the “man-to-man” factor. That is to say: no matter how secure any new software code developments have become, the weak link is still the human. For example, if a human still clicks on every email link presented to them, then they are still putting their systems and data at risk.
On a final note, Steve made an interesting point by asking the question: “Is email even useful anymore?” He gave a (not too surprising) statistic that stated that 82% of all email is SPAM - unsolicited email to either sell you something, or just discover if your email address is active. I might even classify the endless forwarding of jokes, hoaxes, and other misinformation in this category as well. I mean really – of the 20 or 30 emails I get at home per day, maybe three of them are information I can use, or are “real” correspondence from a friend or relative. I never really hear from people anymore – I just get forwarded jokes on a daily basis. Oh well – at least I know there are still alive and well, which is a bonus.
Day 3: 6/6/07
One of the most interesting presentations so far: “I Can Hack Your Network in a Day” by Marcus Murray. He gave live demonstrations of the various ways to infect a computer with a Trojan horse, take over a computer, and potentially an entire network. The striking thing about this presentation is that he demonstrated how easy it is to create a Trojan horse program, send it to a gullible user and get them to execute it on their computer. One of the big reasons I harp so much on the dangers of clicking on unknown links in emails, and opening email attachments. This is exactly how these attacks get perpetrated and proliferated. This also made a very heavy argument for patching. There are exploits for everything, and growing by the day. Keep your patches up to date, and stay on top of information about new threats. And quit clicking on unknown email attachments!
A presentation on Microsoft threat research by Vinny Gullotto revealed that 3,700 distinct malicious WMF files exploited the part of Windows fixed by MS06-001 patch. This really puts this in perspective, because I remember the scramble we went through in early 2006 to get this patch deployed as soon as possible. Vinny mentioned that 38 million+ pieces of potentially unwanted programs (PUPs) currently existed, which includes adware, viruses, remote control programs, Trojans, bundled software, and other modifiers. This is staggering, as it really illustrates just how big our job as security professionals has become. Some resource that Vinny mentioned are the Virus Information Alliance (VIA), the “Wildlist” for viruses, and the Anti Spyware Coalition (ASC).
Another extremely interesting and energetic presentation was given by Laura Chappell, using Wireshark for troubleshooting a slow network. Like the Marcus Murray presentation, she ditched the PowerPoint slides and showed live demonstrations of packet trace files and showed how to use the Wireshark packet sniffer to analyze packets to get to the bottom of network and computer communications problems. The presentation was extremely interesting and she did a good job explaining the tools and methodologies. It was amazing to find out how much traffic is being generated in the background by an infected computer, just during the boot-up process. Her methodologies illustrated how looking at TCP/IP traffic can tell a lot about what is causing problems with an individual computer, as well as those on an entire network.
Day 4: 6/7/07
Today started with a presentation to get an insight into how Microsoft deals with IT security internally within their company. With over 500,000 computers and 120,000 to manage, security is not an easy task, but Microsoft appears to have some sound strategies in place to handle it, whereby information security is process driven and based on industry standards. The IT security staff at Microsoft makes up approximately 4% of the entire IT staff. Much of what is done related to IT security within Microsoft revolves around the Enterprise Risk Management Framework and the Trustworthy Computing Initiative. Policies are published, and industry standards are put into place to ensure security. Executive sponsorship of the IT security tenets is very strong at Microsoft as well, which is one leading factor in the success of such programs. In many organizations, IT security is viewed as a “tax to the business.” That is to say that users view the security practices as burdensome and preventing them from doing their jobs.
Technology, such as implementing network access protection (NAP), BitLocker (Windows Vista’s encryption implementation) on laptops, and implementation of two-factor authentication are some of the things that are used at Microsoft to ensure security security. These technologies provide sound and secure methods to keep an environment secure, but still enable people to do their jobs.
What most impressed me about Microsoft’s internal information security stance was that they made their employees sign acceptable use policy acknowledgement statements, and that non-compliant (i.e. un-patched) machines were denied access to the network until they became compliant. If a company like Microsoft can implement these types of processes, then why are so many of our other companies having such a hard time doing it? I think part of the answer rests with the fact that many users are unaware, many users view the IT staff as the “network janitors” and many people simply view IT security as a tax (burden) on business processes.
Mark Russinovich presented a talk on the changes in the Windows Vista kernel. Some of the notable new features in Vista include user access control (UAC) and some features that provide better performance. This includes such things as the ability to delay services so that they don’t all try to start up at once. Many who run current and older versions of Windows can attest to the fact that all the services that try to start up at the same time can really make the boot process painful.
Day 5: 6/8/07
The final day of the conference! On one hand, I want to hurry up and get this over with so I can just go home. I have been on travel a lot lately – three trips (including this one) since the middle of April. Living out of a suitcase and eating at Denny’s is getting old. On the other hand, there were so many presentations I wanted to see, but didn’t get to because of conflicts with other presentations, and wanting to visit the vendor expo. The crowd has really thinned out by now, but there are still quite a few people here. I will be interested to find out how many people were in attendance this year – had to be well into the tens of thousands.
They saved the best for last. I attended a few Mark Russinovich talks on the internals of Windows Vista, and using some of his Sysinternals tools to troubleshoot systems. There are a number of free tools that fall under the former Sysinternals umbrella, but are now distributed by Microsoft. Mark Russinovich’s tools are extremely easy to use and leave a very small footprint on the system because they don’t get installed. By developing some troubleshooting skills and using these tools, the average IT technician should be able to better troubleshoot systems. Troubleshooting is all about investigating and trying to see what should or should not be happening. Process Monitor and Process Explorer give a much more in-depth picture of what processes are running, how much of an impact they are placing on resources, and even what malicious processes are trying to spawn processes that can harm your system. Many of Mark Russinovich’s presentations from past TechEd conferences can be found on the web (see resources at the end of this article. – definitely worth a look.
The Conference in Review:
So what do most computer geeks take away form conferences like this? Well, I took away some very important ideas from this year’s TechEd conference: 1) The attackers, as well as their motivations and methods have changed; 2) Everything in security must be approached from a risk analysis and economic standpoint; 3) People are still security unaware and must be educated; 4) Microsoft is (still) not the problem, as I have indicated in my blogs a number of times.
The attackers have changed: Notoriety and getting attention used to be enough for the bad guys. They just wanted to inflict damage, interrupt people’s lives, and get noticed for it. But they figured out that this kind of deviant behavior pays, so they are out to make a buck by finding vulnerabilities, writing exploit code, and stealing data.
Risk analysis is everything: It isn’t enough to simply say that you want to be secure. It is important to find out how high a priority your risks really are and implement appropriate protections. Security professionals have said it a million times: “Don’t protect a $10 dollar horse with a $50 dollar fence.” And in order to pursue projects to put appropriate protections in place, it is important to illustrate to management to economic benefits of these protections. Otherwise, they will just view security as another expense for which they won’t realize any benefit. As Steve Riley and Jesper Johansen mention in their book “Protecting Your Windows Data From Perimeter to Network”: You are implementing security "so that nothing will happen." Meaning that the goal is for nothing to happen to your data, other than it being safe and accessible.
People are security unaware: It’s not that people are blatantly against doing the right thing, it is mostly a case of them not knowing what the right thing is. Further, they need to know how being secure will benefit them, not just that security is a mandated process. If people have some insights into why they need to be secure, the benefits and consequences to them personally, and how to do it, it will be much easier to get their buy-in.
The TechEd experience was unique. Not that I will be anxious to do it again (once is enough), but it was time well spent, and very informative. I got to see live presentations from some well respected names in the computer security biz, and had a chance to see some of the new technologies that Microsoft is producing.
To read the full review, find additional resource links, and see pictures of the convention center, read the full article here.
There were a number of new tools being introduced and discussed in depth. The problem with this conference is that we geeks were like kids in a candy store – so many presentations, but how to decide which ones to attend was a real challenge. I think I changed my schedule a thousand times!
Day 2: 6/5/07
Two recurring themes are emerging from the sessions so far: User awareness and risk analysis are key elements of the security of any system. Many of the technologies that continue to surface still have the interesting aspect of the “man-to-man” factor. That is to say: no matter how secure any new software code developments have become, the weak link is still the human. For example, if a human still clicks on every email link presented to them, then they are still putting their systems and data at risk.
On a final note, Steve made an interesting point by asking the question: “Is email even useful anymore?” He gave a (not too surprising) statistic that stated that 82% of all email is SPAM - unsolicited email to either sell you something, or just discover if your email address is active. I might even classify the endless forwarding of jokes, hoaxes, and other misinformation in this category as well. I mean really – of the 20 or 30 emails I get at home per day, maybe three of them are information I can use, or are “real” correspondence from a friend or relative. I never really hear from people anymore – I just get forwarded jokes on a daily basis. Oh well – at least I know there are still alive and well, which is a bonus.
Day 3: 6/6/07
One of the most interesting presentations so far: “I Can Hack Your Network in a Day” by Marcus Murray. He gave live demonstrations of the various ways to infect a computer with a Trojan horse, take over a computer, and potentially an entire network. The striking thing about this presentation is that he demonstrated how easy it is to create a Trojan horse program, send it to a gullible user and get them to execute it on their computer. One of the big reasons I harp so much on the dangers of clicking on unknown links in emails, and opening email attachments. This is exactly how these attacks get perpetrated and proliferated. This also made a very heavy argument for patching. There are exploits for everything, and growing by the day. Keep your patches up to date, and stay on top of information about new threats. And quit clicking on unknown email attachments!
A presentation on Microsoft threat research by Vinny Gullotto revealed that 3,700 distinct malicious WMF files exploited the part of Windows fixed by MS06-001 patch. This really puts this in perspective, because I remember the scramble we went through in early 2006 to get this patch deployed as soon as possible. Vinny mentioned that 38 million+ pieces of potentially unwanted programs (PUPs) currently existed, which includes adware, viruses, remote control programs, Trojans, bundled software, and other modifiers. This is staggering, as it really illustrates just how big our job as security professionals has become. Some resource that Vinny mentioned are the Virus Information Alliance (VIA), the “Wildlist” for viruses, and the Anti Spyware Coalition (ASC).
Another extremely interesting and energetic presentation was given by Laura Chappell, using Wireshark for troubleshooting a slow network. Like the Marcus Murray presentation, she ditched the PowerPoint slides and showed live demonstrations of packet trace files and showed how to use the Wireshark packet sniffer to analyze packets to get to the bottom of network and computer communications problems. The presentation was extremely interesting and she did a good job explaining the tools and methodologies. It was amazing to find out how much traffic is being generated in the background by an infected computer, just during the boot-up process. Her methodologies illustrated how looking at TCP/IP traffic can tell a lot about what is causing problems with an individual computer, as well as those on an entire network.
Day 4: 6/7/07
Today started with a presentation to get an insight into how Microsoft deals with IT security internally within their company. With over 500,000 computers and 120,000 to manage, security is not an easy task, but Microsoft appears to have some sound strategies in place to handle it, whereby information security is process driven and based on industry standards. The IT security staff at Microsoft makes up approximately 4% of the entire IT staff. Much of what is done related to IT security within Microsoft revolves around the Enterprise Risk Management Framework and the Trustworthy Computing Initiative. Policies are published, and industry standards are put into place to ensure security. Executive sponsorship of the IT security tenets is very strong at Microsoft as well, which is one leading factor in the success of such programs. In many organizations, IT security is viewed as a “tax to the business.” That is to say that users view the security practices as burdensome and preventing them from doing their jobs.
Technology, such as implementing network access protection (NAP), BitLocker (Windows Vista’s encryption implementation) on laptops, and implementation of two-factor authentication are some of the things that are used at Microsoft to ensure security security. These technologies provide sound and secure methods to keep an environment secure, but still enable people to do their jobs.
What most impressed me about Microsoft’s internal information security stance was that they made their employees sign acceptable use policy acknowledgement statements, and that non-compliant (i.e. un-patched) machines were denied access to the network until they became compliant. If a company like Microsoft can implement these types of processes, then why are so many of our other companies having such a hard time doing it? I think part of the answer rests with the fact that many users are unaware, many users view the IT staff as the “network janitors” and many people simply view IT security as a tax (burden) on business processes.
Mark Russinovich presented a talk on the changes in the Windows Vista kernel. Some of the notable new features in Vista include user access control (UAC) and some features that provide better performance. This includes such things as the ability to delay services so that they don’t all try to start up at once. Many who run current and older versions of Windows can attest to the fact that all the services that try to start up at the same time can really make the boot process painful.
Day 5: 6/8/07
The final day of the conference! On one hand, I want to hurry up and get this over with so I can just go home. I have been on travel a lot lately – three trips (including this one) since the middle of April. Living out of a suitcase and eating at Denny’s is getting old. On the other hand, there were so many presentations I wanted to see, but didn’t get to because of conflicts with other presentations, and wanting to visit the vendor expo. The crowd has really thinned out by now, but there are still quite a few people here. I will be interested to find out how many people were in attendance this year – had to be well into the tens of thousands.
They saved the best for last. I attended a few Mark Russinovich talks on the internals of Windows Vista, and using some of his Sysinternals tools to troubleshoot systems. There are a number of free tools that fall under the former Sysinternals umbrella, but are now distributed by Microsoft. Mark Russinovich’s tools are extremely easy to use and leave a very small footprint on the system because they don’t get installed. By developing some troubleshooting skills and using these tools, the average IT technician should be able to better troubleshoot systems. Troubleshooting is all about investigating and trying to see what should or should not be happening. Process Monitor and Process Explorer give a much more in-depth picture of what processes are running, how much of an impact they are placing on resources, and even what malicious processes are trying to spawn processes that can harm your system. Many of Mark Russinovich’s presentations from past TechEd conferences can be found on the web (see resources at the end of this article. – definitely worth a look.
The Conference in Review:
So what do most computer geeks take away form conferences like this? Well, I took away some very important ideas from this year’s TechEd conference: 1) The attackers, as well as their motivations and methods have changed; 2) Everything in security must be approached from a risk analysis and economic standpoint; 3) People are still security unaware and must be educated; 4) Microsoft is (still) not the problem, as I have indicated in my blogs a number of times.
The attackers have changed: Notoriety and getting attention used to be enough for the bad guys. They just wanted to inflict damage, interrupt people’s lives, and get noticed for it. But they figured out that this kind of deviant behavior pays, so they are out to make a buck by finding vulnerabilities, writing exploit code, and stealing data.
Risk analysis is everything: It isn’t enough to simply say that you want to be secure. It is important to find out how high a priority your risks really are and implement appropriate protections. Security professionals have said it a million times: “Don’t protect a $10 dollar horse with a $50 dollar fence.” And in order to pursue projects to put appropriate protections in place, it is important to illustrate to management to economic benefits of these protections. Otherwise, they will just view security as another expense for which they won’t realize any benefit. As Steve Riley and Jesper Johansen mention in their book “Protecting Your Windows Data From Perimeter to Network”: You are implementing security "so that nothing will happen." Meaning that the goal is for nothing to happen to your data, other than it being safe and accessible.
People are security unaware: It’s not that people are blatantly against doing the right thing, it is mostly a case of them not knowing what the right thing is. Further, they need to know how being secure will benefit them, not just that security is a mandated process. If people have some insights into why they need to be secure, the benefits and consequences to them personally, and how to do it, it will be much easier to get their buy-in.
The TechEd experience was unique. Not that I will be anxious to do it again (once is enough), but it was time well spent, and very informative. I got to see live presentations from some well respected names in the computer security biz, and had a chance to see some of the new technologies that Microsoft is producing.
To read the full review, find additional resource links, and see pictures of the convention center, read the full article here.