Archive for the Cyber Security Category

Cyber Security Snake Oil

Posted in Cyber Security on 1 May 2012 by Stuart Aston

A friend of mine uses the phrase “Pixie Dust” a lot when he looks at security products; that, and a phrase along the lines of “My granny could break into that…”. Essentially it is a vendor making a classic “snake oil” sales pitch, upgraded for the cyber security age.

I have really only recently begun to encounter this in volume; I used to encounter small pockets of it here and there with specific customer engagements over the years, but it does seem to be growing.

Some top tips for spotting the “Cyber Snake Oil” salesman:

-My product is unique … well, ok, this one might be true, but chances are it isn’t.

-My product is invulnerable … no it isn’t; it is software built by humans, ergo it is vulnerable, and not knowing where it is vulnerable is not the same as being invulnerable.

-My product cures all known and unknown malware/vulnerabilities … err… ok, let’s just think about that for a couple of picoseconds… no, it still sounds like nonsense to me.

-My product is secure even if the client is compromised, or it is impossible to compromise the client … this is very popular and at best usually comes from a failure to understand how a secure channel works. A tunnel protects data in transit, not at the endpoints: a compromised client reads the plaintext before it is encrypted and after it is decrypted … “but I have a secure tunnel” … “yes, and the end of it is already pwn3d, so it can see all the way into the tunnel” … “but it uses ‘military grade’ encryption” … sighs and breaks out the clue stick…

-My product is completely non-invasive … if it is prompting me to do anything then it’s not really non-invasive; perhaps you meant it has a zero client footprint? You did? And you still want to claim it’s secure even if the client is pwn3d… I see… Actually, with good 2FA this is possible (or at least it limits the compromise to the current ‘session’): something I have plus something I know is good, but if the thing you have is the thing that’s pwn3d, then not so much…
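To make the last two points concrete, here is an added example (not code from the original post) of what a “pwn3d client” actually gains and does not gain against a password plus a one-time code. The attacker is modelled as reading the password and the code exactly as the user typed them, before any tunnel could encrypt them. The server side is a minimal RFC 4226/6238 HOTP/TOTP verifier that remembers which time-steps have already been consumed; the seed, password and timestamps are constructed for the example, and the seed is the RFC test seed.

```python
import hashlib
import hmac
import struct

# Constructed for the example: the RFC 4226/6238 reference seed and a fixed clock.
SECRET = b"12345678901234567890"
STEP = 30  # seconds per TOTP time-step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time-step."""
    return hotp(secret, now // step)


class Verifier:
    """Server side of the login. Holds the password hash and the shared TOTP seed, and
    remembers which time-steps have already been consumed so a captured code cannot be replayed."""

    def __init__(self, password: str, secret: bytes, step: int = STEP, skew: int = 1):
        # Plain SHA-256 keeps the example dependency-free; use a real password KDF in practice.
        self._pw_hash = hashlib.sha256(password.encode()).digest()
        self._secret = secret
        self._step = step
        self._skew = skew  # accept +/- this many steps of clock drift
        self._used_steps = set()

    def password_ok(self, password: str) -> bool:
        return hmac.compare_digest(hashlib.sha256(password.encode()).digest(), self._pw_hash)

    def login(self, password: str, code: str, now: int) -> bool:
        if not self.password_ok(password):
            return False
        current = now // self._step
        # Check the current step first so a legitimate login consumes its own time-step.
        order = [current]
        order += [current - d for d in range(1, self._skew + 1)]
        order += [current + d for d in range(1, self._skew + 1)]
        for candidate in order:
            if candidate in self._used_steps:
                continue  # this window has already been used: a replayed code is refused
            if hmac.compare_digest(hotp(self._secret, candidate), code):
                self._used_steps.add(candidate)
                return True
        return False


def replay_demo(now: int = 1_000_000_000) -> dict:
    """Constructed scenario: the attacker on the compromised client captures the password
    and the one-time code as typed and tries to reuse them."""
    password = "correct horse battery staple"
    server = Verifier(password, SECRET)
    code = totp(SECRET, now)  # what the user typed (and the attacker captured)

    results = {}
    results["user_login"] = server.login(password, code, now)                  # True
    # Replay within the same 30-second window: the step has already been consumed.
    results["replay_same_window"] = server.login(password, code, now + 5)      # False
    # Captured password plus stale code, ten minutes later: rejected.
    results["replay_later"] = server.login(password, code, now + 600)          # False
    # A password-only login would have let the stolen password work indefinitely.
    results["password_only"] = server.password_ok(password)                    # True
    # If the "thing you have" (the seed) was stolen as well, 2FA no longer helps.
    results["seed_stolen"] = server.login(password, totp(SECRET, now + 600), now + 600)  # True
    return results


if __name__ == "__main__":
    for name, ok in replay_demo().items():
        print(f"{name:20s} -> {'accepted' if ok else 'rejected'}")
```

The captured password is permanently useful to the attacker; the captured code is useful only inside the window it was typed in, and not even then once the server has consumed that time-step. The last case shows the limit the post describes: once the seed itself is on the compromised machine, the attacker can mint fresh codes and the second factor buys nothing.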

In many cases this is done by people who are well meaning; they actually believe the “snake oil” works, which just goes to show that social engineering is alive and well…

The reality is that some of these products might actually add some value and make the attacker’s job more difficult, but only if you have done the basic hygiene first:

-Use strong passwords; we may not like passwords as a security token, but they are here to stay for the time being, so you might as well use a strong one…

-Apply security updates regularly, for all the software on your computer; it’s not sexy, it doesn’t feel like “cyber”, but it does make it much more difficult for the bad guy when he doesn’t get a free pass…

-Use a good AV product and a firewall … if you are using Windows you can get them for free…

-Invest in new products… well, you would say that, wouldn’t you… Look, at best the security model of any given bit of software is as robust as the day the product ships, more realistically the day it was built or designed. But the attacks it receives evolve over time, unlike the architecture of a given bit of software. Newer versions of software typically have more and more defences built into them, so the newer a bit of software is, the more difficult it is likely to be for an attacker to overcome its defences.

It’s not that “cyber security products” won’t make you more secure; many of them will, but if you haven’t done the basics then they really will not make any difference.

So… do the basics, then have a look and see if a specific technology can add value to your specific scenario; who knows, it might just work… or it could still be snake oil. But one thing’s for certain: if you don’t do the basics it makes the bad guy’s job trivial, and no snake oil on the planet will save you then.


10 years of building trust

Posted in Cyber Security, Security, Security Development Lifecycle, TWC on 12 Jan 2012 by Stuart Aston


When I joined Microsoft the world was a different place: we were not always connected and always on, and computer threats were a curiosity for the majority. That started to evolve rapidly, and 10 years ago today Bill Gates published his memo on Trustworthy Computing; he laid out the change of direction we would take as a company, placing security and trustworthiness as an integral component of the way in which we build software and deliver services to our customers.

Over those 10 years we have changed and evolved; the SDL is not only an integral component of developing software inside Microsoft, but also for many partners and developers around the world. We have made significant contributions to improve Security, but also Privacy, Reliability and Business Practices. Newer software continues to be safer software, as we have shown in our Security Intelligence Reports, as a result of our efforts in the SDL. Microsoft Security Essentials is freely available to those who wish to use it to protect their computers.

In the last 10 years we have learnt a lot and built trust with many of our customers, and trust is one of the greatest assets a company can have. But to maintain that trust, trustworthiness must continue to evolve and grow to deal with the changing environment; as people place greater reliance on computing and it becomes entwined with every aspect of our daily lives, we must continue to advance trust in technology.

But this is not something that any one technology, individual or company can accomplish alone; we will continue to work with government and industry partners on combating cyber criminals, through the Digital Crimes Unit and its work on botnet takedowns and PhotoDNA, but it is only achievable by working with partners and working together to make the internet a safer place.

How can you celebrate it? I think that we can best celebrate an event by embracing it:

-Moving to x64-based architectures as part of a defence in depth strategy

-Moving to the most recent version of software that you can, and keeping it patched and up to date

-Employing the SDL in your development practices, or looking for SDL-like behaviours in the software you procure for your business

-Educating your users and developers about best practice for them, and acceptable risk for you

-Educating your family on how to be safe online.

Trustworthy computing is more important today than it was 10 years ago, and we remain committed to delivering it, with our partners.

Tell a friend…

Posted in Cyber Security, Fraud, Security, SIR, UK on 4 Nov 2011 by Stuart Aston

So, in our latest SIR report we note that about 50% of the attacks we see require some form of user interaction; more and more criminals are using confidence tricks, either online or over the telephone, to target “us” and get our money.

The reality is that the best defence against these types of attack is personal awareness that the problem exists; sure, IE9 and other modern browsers can help protect you, as can AV, and having a strong password and staying current on all your software all help, but all those defences are absent when a criminal phones you up claiming to be from a reputable company offering you support. Just to be clear: we will not phone you offering support for a fee, and nor will any of our partners.

If you are a consumer and you think you have a security problem, use this link:

or, to contact us more generally, look here:

Cut and paste them into your browser.

Next week is Get Safe Online week; it’s about promoting awareness of these issues and helping people and businesses be “safer online”. Be aware, tell a friend and get them to go and read; who knows, if we can get our friends to be safe online, maybe we can get our businesses to be safe as well…

SEC == Security

Posted in Cyber Security, Government, Security, SIR on 23 Oct 2011 by Stuart Aston


CF Disclosure Guidance: Topic No. 2 – Cybersecurity

I would have completely missed this if it wasn’t for a colleague who spotted it; she described it as “This is the single largest announcement in cyber security in 10 years”…

And she is right to do so; this fundamentally changes the behaviour of companies in relation to security.

By getting companies to report incidents and assert a value associated with the loss, it puts cyber security on the agenda of the board, which is where it should have been for the last decade at least.

It enables investors to make choices based upon reported incidents, and to determine whether a company is a wise investment in comparison to its peers.

Well done SEC… now maybe customers will apply security updates in a timely fashion, and take user education about security seriously as an investment in investor confidence.

It will be interesting to see how they report and what mitigations they start to take; in our latest Security Intelligence Report we note that, of the most common attacks we see, most do not use a 0-day and can be mitigated with simple maintenance, and that just under half require some level of user interaction. Hopefully this will put both patch management and user training on the board agenda of all publicly traded companies.
