Rocky Heckman

At Tech.Ed Australia 2009 I caught up with Rocky Heckman, Senior Security Architect at Microsoft Australia with the ACE (Assessment, Consulting & Engineering) Team and the Security track owner for Tech.Ed 2009 in Australia and New Zealand. We had a long chat about the latest security features in Windows 7 and Server 2008 R2 which were of greatest interest to business customers and IT pros, and what the latest trends in the security industry are.

Check out the ACE Team’s website here, and Rocky’s blog here.

Disclaimer: I attended Tech.Ed Australia 2009 as a guest of Microsoft.

JB: As a security guy, your perspective on newly-released products is always going to be different from the typical product spiel. What are the things about Windows 7 and particularly Server 2008 R2 that interest you and you are pleased with from a security perspective?

RH: The one which is interesting me the most right now is AppLocker. We finally have a good way of locking down applications which can run on the client. There’s always been the kludges, then people tried doing the blacklisting and it doesn’t always work right. With AppLocker you have as much flexibility as you need to be able to do whitelisting, blacklisting, or filtering by publisher, by certificate, and it’s all GPO driven so the client doesn’t see it. It works pretty well. I’m also very happy with BitLocker and BitLocker To Go, because it finally gives us a way to service and protect the billions of USB keys that are floating around out there, often with client data on them.

With this move to Windows 7 and Server 2008 R2, we’re really focussing on protecting the client. By protecting the client itself, we’re able to enable things like Direct Access, which is a complete change from the way we think about security. Our systems now are set up to protect themselves, so we don’t need to establish an eggshell-type defence any more.

JB: We spoke about Direct Access a while back, and even though the traffic back to the corporate network is totally locked down, at the end of it is still a user, so is the security of these systems still dependent on user capabilities and knowledge?

RH: In a lot of cases they will be, but the idea is to prevent the user from hurting themselves. For example, things like least privilege access and standard accounts – don’t let people run as administrator, and UAC helps enable that. There was a misnomer about UAC that it was designed to be a security measure, but it really wasn’t. UAC is designed to enable people to run in a least privilege account while allowing access to administrative functions on an as-needs basis. In a corporate scenario you still have to have administrator permissions and you have to be an administrator to do it. So if you can put them in a least privilege scenario and train them properly, they shouldn’t be able to do too much damage themselves anymore. Make use of the built-in firewalls, AppLocker and BitLocker and they won’t risk having too much data exposed. We try to do as much as we can without re-wiring a human being.

JB: With BitLocker to Go and AppLocker, what’s the interest from corporate customers been like about those features?

RH: It’s been really positive and huge. A lot of people have been worried about rogue applications floating around the network. They’ll do an audit of their systems and they’ll find all these little rickety applications which people have downloaded and are starting to use, but which nobody knew were there. And then you end up with scenarios where a team have integrated one of these applications to become a core part of the way they work but nobody can support it. AppLocker can prevent users from installing these sorts of applications on their own, which at least raises awareness of its existence, as now that request has to go through the IT department who can deploy it properly, watch it, manage it. So it’s allowed customers to get more control over what’s on client machines, and as BitLocker offers seamless data protection across system drives and USB keys, that’s been a real boon to our clients, especially in industries like government where everything needs to be encrypted by default. It’s the best way to go, and having it built into the OS makes it more efficient and seamless.

JB: How about in more hardcore environments like the military. Have they been expressing interest?

RH: They have, they’re definitely interested in it. Obviously for it to work in a situation like that with the military or Department of Defence it has to go through certain evaluations and checks. Similar to what Windows Mobile’s gone through – Windows Mobile is now EAL-certified. Previously, governments and defence forces have relied on third party or custom systems to do the data encryption on the drive which, through no fault of their own, are by their nature cumbersome and slow. But by having this functionality as part of the OS, it becomes efficient again and as such it’s piqued their interest.

JB: Would there be a future application to extend that technology to say doing a secure data wipe as well?

RH: Well, yeah…there is, and if you can consider now that the secure wipe is sort of a natural thing now. When you format a drive, you can tell the format command to wipe with zeros and ones. It doesn’t do the traditional NSA-style where it will do seven passes of ones and zeros, but you could ask it to do that if you wanted to. Looking at Windows Mobile where you can remote wipe a mobile device, extending that functionality to a client is probably the next logical step, where if someone does report a lost laptop you can issue a remote wipe command. However, unlike a mobile device it’s a lot harder to guarantee that laptop is going to reconnect again with that configuration. When a mobile device comes online it’s easier to detect and guarantee that the remote wipe has taken place.

JB: When looking at security from a more general perspective, you said that it’s always a balancing act between trying to keep that information locked down but still allowing your users to do what they need to do to get their jobs done, and to some extent every security measure comes with a certain level of inconvenience, so is that part of the conversation that you have with corporate customers? For example, BitLocker and AppLocker are great, but now there’s a team of users who have an extra layer of management and control to deal with.

RH: Yes, it’s going to add a cost to the helpdesk as there will be more helpdesk calls when these features are implemented. But after the initial push it should fade away. Taking AppLocker as an example, when you first roll the systems out and they are locked down, all the little teams try to put their own application in there and run into problems. That will happen once in the beginning and once that application has been established as part of the approved set, it won’t happen again. So you will get this problem-hump at the helpdesk but then it shouldn’t be a problem after that.

It’s the same thing if you look at the reaction to UAC when it first came out in Vista. It was very noisy, but after the initial install and after you’d told it what was what, it quietened down, and in Windows 7 that quietening down is greatly improved. So there always will be an impact to users, and unfortunately security and usability are always one of those things that are at opposite ends of the spectrum. Windows, and Microsoft products as a whole, try to find that balance. But there comes a point when one of them has to win. In a corporate environment it’s usually security that wins. In a home environment usability wins.

JB: That’s an interesting point, because what we are seeing is the merging of those two environments, especially with the prevalence, affordability and functionality of consumer technology. There’s an expectation that a mobile worker should be able to work exactly the same wherever they are, and there’s a massive push to have a cloud-based presence for your personal life as well as your work life, so that’s presumably making it even harder to strike a balance. How do you do it in a corporate environment which you control and a home environment which you don’t (in theory you could, but people wouldn’t appreciate it), to the online environment which you definitely can’t control?

RH: Well, there are two main scenarios. The first one is if they’re in their home environment, but they’re using a corporate asset, for example they take their laptop home, that is still a managed machine. It’s part of the domain, all the group policies are applied to it and providing they don’t have administrator level privileges where they can turn off the policies, it will still behave like a corporate-controlled asset, which it needs to. When it comes to managing the online presence, it’s still difficult to control what they type in their Facebook page, for example. If you can control data on the machine and keep it locked down, you can set group policies to say that users cannot copy to a drive that is not BitLockered, well you can’t copy it to an online system or to a USB stick that’s not protected. We may have to go to that level with corporate machines.

There is always a scenario where you want to enable people to do some brainstorming, or some personal stuff on a corporate asset (which is highly unlikely). They could try to dual-boot it to two totally separate operating systems – a totally separate OS for their personal needs. With VHD booting, that would now be an easy scenario to support. Another scenario that we look at is consultants. Consultants have situations where they go into different customer sites, and this could be any security consultant, not just ours. They may be able to plug into some secure networks but not others, but they still need corporate access in that environment to do their jobs. Maybe separate VHDs is the way to go in that scenario – if it’s a long term engagement you can use a VHD which has been configured with the SOE for that company. Those are scenarios we can control, but controlling someone’s online personal space…it’s going to be a matter of strictly protecting the data…the best way to do that is probably using rights management. If you RMS all of the corporate documents, even if that document does get uploaded to Facebook for example, no-one else can read it. Even if you left it on a USB key that was not BitLockered, and somebody got hold of it, they still can’t decrypt the RMS document.

JB: So it is a multi-layered approach, and it is really all about risk minimisation and to what extent you’re prepared to go to protect information.

RH: Absolutely. Where are you going to move the slider between security and usability, and you’ll find that the closer you get to Federal Government Department of Defence, the further the slider goes to security. Compare that with Mom and Pop’s Cookie Shop where all they want is a machine to write emails to the grandkids and store their favourite recipes on. The balance is going to be different for each corporation – financial institutions are closer to the defence side, your local video store may be closer to the consumer side.

JB: How much harder is it to have that conversation in environments where it is difficult or impossible to monetise the information being stored? For example in K-12 education, there’s content being generated that you can’t put a value on, so it’s either infinitely valuable, or it’s worthless. But that makes it exceptionally hard to have a conversation about steps that you need to take to protect it. It’s very vague, you haven’t signed a contract, so you haven’t dealt with a customer…

RH: Yeah, and in a lot of cases if you look at education, using your example, the data may have value or it may not, but there’s also the other side of that coin which is regulatory compliance. An educational institution must maintain the privacy of their employees as well as students and staff. So you can consider that as the benchmark. Now, let’s say data that is generated by students – theses, reports, research, and so on…that’s between the school and the student. If it’s a ground breaking thesis that may change the way we breathe oxygen, that will obviously have a lot of value and if the institution treats it as such, then they should probably take the same steps that any defence organisation or similar environment would take. So the trick is understanding that value. So when we talk to institutions like that the first step we’re going to say is that PII (Personal and Identifiable Information) always has to be locked down. That sets the groundwork to be able to lock down the stuff that’s a little more intangible or harder to quantify.

JB: Taking a bit of a step back again, what are some of the security trends that you’ve seen in the market that are of particular interest to you in the next six to twelve months, from both the bad guys’ side and the good guys’ side?

RH: Let’s start with the bad guys’ side. The bad guys are looking for vulnerable websites to launch malware onto client machines. This has been a growing trend since early last year and they’re getting pretty creative with it with banner advertisements – anywhere where they can potentially have a cross-site scripting issue, where they can put content on a website. If they can hijack a website with man-in-the-middle attacks, they’ll use all of these to launch malicious software – malware – onto a client machine. The stuff that ends up on the client machine is usually one of two things. It’s usually there to steal or intercept their personal information or it’s there to create a botnet, which is a growing trend. The idea behind taking over most websites is to create a launching point for malware.

Another trend we are seeing is spear-phishing. People are familiar with a lot of phishing attacks, for example where you get an email from your “bank” prompting you to change your password, when in actual fact you’re being sent to the bad guys’ website. Previously you could easily tell when it was a phishing email, right down to the poor grammar and spelling. I think that bad guys have learned how to use a spell checker, and they’re getting much more creative with it. They are figuring out ways to create domain names for their sites that work. For example, if xyz.com is the real organisation you are after, and you create security.xyz.com.co, from a user perspective it looks like what they expect to see, when in actuality it’s a completely separate domain. There are people that will even go so far as to register SSL certificates to give the little security lock in the bar, and that is a legitimate SSL certificate for that website. It just doesn’t happen to be the website you think it is.

They will create very targeted emails which include legitimate information. They will use your Facebook page (or pick your favourite social networking site) to discover information about you – where you work, what school you go to, what your schedule is. Then they will send you an email with related information so that it looks legitimate to you, after all, how else would anybody know this? Then you say, “Oh, well I must be able to trust this.” So you click on the link and you’re back to the same traditional phishing attack at that point.

To combat these kinds of things, it all starts with the application base – in the first instance the website itself and secure application development. The trend now is that somewhere over 95% of attacks are happening at the application layer. People don’t attack the TCP/IP stack, they don’t attack the operating system as much anymore (they still do, but not as much). They are attacking the applications that people are deploying on the web. With everything going to the web, there is this tendency for them to farm all of this information on social networking sites and use that for spear-phishing attacks to take over your machine to create a botnet. Then these botnets are used in extortion activities against other corporations. You know, “Great big online retailer, we’re going to take your site offline for four hours unless you pay us $2 million.” For some great big online retailers, four hours is millions of dollars to them.

So, with that trend we have to look at making sure we don’t put these vulnerable applications on the web. How do we stop them from being taken over out there? If they do get taken over, how do we react? How do we respond? So emergency response procedures are also incredibly important. I think one of the things that the good guy industry has yet to do well is information sharing. The bad guys share information – they would be the ultimate model for an information sharing scheme. If one person finds a certain exploit that could be used for a website to launch these attacks, they instantly tell everybody. If we shared information as much as they do we wouldn’t have these problems.

JB: Is that a result of the siloing effect of proprietary software?

RH: It is. It’s kind of the nature of the beast. Developers creating commercial software want to keep their secrets secret so they can maintain their competitive advantage. Fair enough. Let people make their buck, that’s fine. But I feel that security information needs to be public domain. In my personal opinion if it comes down to security, it’s got to be shared, it’s got to be put out there, it’s got to be distributed. We’ve got to establish a method where we all band together if it’s security. Hey, if you’ve got a proprietary algorithm which creates the next best piece of asphalt then go for it, but if there’s a hole in something, share the information.

JB: Presumably that’s because of the potential impact of when that hole gets exploited, which again comes down to risk minimisation – it could have been minimised. It’s counter-intuitive to corporate thinking, but if you extended that counter-intuitiveness, being open would probably benefit corporations, giving them the ability to say that we really are open – we discovered a problem, and this is it. Rather than being afraid to have exposed it.

RH: Yeah, and I think overall a lot of corporations still have that approach. They are still too worried about the public embarrassment factor, to admit that they’ve made a mistake. We (Microsoft) have tried to change that, and we’ve established a very consistent way of announcing vulnerabilities and patches. “Patch Tuesday” is the premium example. We ask people, “Hey if you find something wrong with us, come to us, tell us.”

In a lot of cases, it’s not always that somebody’s trying to hide something – software is very huge and it’s complex, and despite everybody’s best efforts, if we were to stop and examine every little tiny detail until we were absolutely positive there was no possible flaw in it, it would never get released. Which is a shame and it’s a problem at the same time, but we do the best we can. But it doesn’t mean things won’t slip through the cracks accidentally. There’s a lot of bad guy organisations out there – the Russian Business Network is one of them – where they get paid by other people to have people that sit there and reverse engineer software to find vulnerabilities in it. If we could dedicate the same amount of people to do the same thing, where we just got one piece of software and we go through it until there is nothing left to go through, we probably wouldn’t end up with any holes either.

I think that unless a fundamental thing is changed in the way software works, there will always probably be vulnerabilities of some sort in software, stuff that we haven’t even thought of today. People who want to protect their proprietary information and who don’t want to share their source code or don’t want to allow access to it – there’s always going to be that problem. Now, I’m not a subscriber to the ten thousand eyes philosophy. If you look at a lot of open source projects they say, “Well, we’ve got ten thousand people looking at this open source code.” What actually happens is ten thousand people download the open source application, about five thousand of them may download the source code, about a thousand of them will look at it, about ten of them know what they are looking at. Those numbers aren’t exact, obviously, but ten thousand trained eyes…that would really be something. That would produce a lot of results. If we could do that, get a team together for the good guys who did nothing but look at people’s code for vulnerabilities, it would be great. It’s kind of what my team does for Microsoft. We go out to other customers and do code reviews and things for them, like we do internally. I think we need some industry teams like that. It would be pretty cool. That’s a long answer to a short question!
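Editor’s added example, illustrating the lookalike-domain point Rocky makes in the spear-phishing answer above (the security.xyz.com.co case). This is not code from the interview or from Microsoft; it is a small defender-side check that decides whether a link in an email really belongs to the organisation it appears to name, by comparing registrable domains rather than looking for the expected string anywhere in the hostname. The public-suffix table is a constructed subset for the example; a real deployment would load the full Public Suffix List. The function names, the sample URLs and the xyz.com/evil.com domains are assumptions made for illustration.

```python
"""Lookalike-domain check for mail links.

A hostname such as "security.xyz.com.co" contains the string "xyz.com" but
is registered under the public suffix "com.co", so its registrable domain
is "xyz.com.co", a completely separate domain from "xyz.com".  Comparing
registrable domains (not substrings) is what catches this, and it is
unaffected by the attacker holding a valid TLS certificate for their own
domain, since the certificate only proves control of that other domain.
"""
from urllib.parse import urlsplit

# Constructed subset of public suffixes for this example (assumption);
# the full Public Suffix List has thousands of entries.
PUBLIC_SUFFIXES = {"com", "co", "com.co", "org", "net", "com.au", "co.uk"}


def registrable_domain(hostname: str) -> str:
    """Return the registrable domain of a hostname.

    e.g. "security.xyz.com.co" -> "xyz.com.co", "www.xyz.com" -> "xyz.com".
    Raises ValueError for IP literals or hostnames with no known suffix.
    """
    labels = hostname.lower().rstrip(".").split(".")
    # Walk from the whole name down so the longest matching suffix wins
    # ("com.co" must beat "co").
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{hostname!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix in {hostname!r}")


def link_belongs_to(url: str, expected_domain: str) -> bool:
    """True only if the URL's host is under the organisation's own domain.

    urlsplit().hostname ignores any user-info part, so a URL like
    "https://xyz.com@evil.com/" is judged by "evil.com", not "xyz.com".
    """
    host = urlsplit(url).hostname or ""
    try:
        return registrable_domain(host) == registrable_domain(expected_domain)
    except ValueError:
        # Unknown suffix or an IP literal: never treat as the trusted domain.
        return False


def classify_links(urls, expected_domain: str) -> dict:
    """Map each URL to whether it genuinely belongs to expected_domain."""
    return {u: link_belongs_to(u, expected_domain) for u in urls}


if __name__ == "__main__":
    # Constructed sample links of the kind a phishing email might carry.
    sample = [
        "https://www.xyz.com/account",          # genuine
        "https://security.xyz.com.co/login",    # the interview's lookalike
        "https://xyz.com.evil.com/login",       # subdomain of a foreign domain
        "https://xyz.com@evil.com/",            # user-info trick
        "http://192.0.2.10/xyz/",               # bare IP literal
    ]
    for url, ok in classify_links(sample, "xyz.com").items():
        print(f"{'OK      ' if ok else 'SUSPECT '} {url}")
```

The check deliberately answers only "is this host under the organisation’s registrable domain"; it says nothing about whether the page content is malicious, which is why it complements rather than replaces the application-layer and user-training measures discussed in the interview.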