Cybersecurity: Cornerstone of a Safe, Connected Society
Tyson Storch*
Trustworthy Computing
Microsoft Corporation
March 9, 2012
* This paper benefited from several reviewers who provided substantive comments and helped to shape this paper.
Please see Appendix B for a list of contributors.
Contents
Part I: Introduction
Part II: What is Cybersecurity?
Part III: Microsoft’s Approach
A. Understanding the Threat Landscape
4. Enhancing Security against Social Engineering
Part IV: Emerging National Approaches to Cybersecurity
Part V: Collaborative Approaches for Advancing a More Secure Cyberspace
A. Coordinated National Cybersecurity Strategy
B. Flexible and Agile Risk Management
C. Innovative Information Sharing
D. International Implications
Part VI: Conclusion
Part I: Introduction
Cybersecurity is the cornerstone of a networked world. Over the next few years, the world will
see an unprecedented growth in Internet users, devices and data which will create vast
opportunities and equally daunting challenges. For government policymakers, who are the main
focus of this paper, such challenges include protecting public health and safety, economic
security, and national defense, all of which are core to managing a modern nation.
Microsoft’s experience in managing cybersecurity risks for more than one billion customers has
given us insight and perspective into current and future challenges. As Microsoft marks a
ten-year milestone of Trustworthy Computing, our commitment to greater security, privacy and
reliability continues to emphasize partnerships with governments, enterprises and citizens.
Working together, in a more connected society, we can build a safer, more trusted computing
experience.
This paper 1) discusses Trustworthy Computing’s approach to cybersecurity, 2) makes
observations on emerging national approaches and 3) provides recommendations to
government policymakers on approaches to consider when developing policies and practices to
address key cybersecurity concerns. Central to the success of these efforts will be coordinated
national cybersecurity strategies, flexible and agile risk management, and information sharing in
a global context.
Part II: What is Cybersecurity?
Cybersecurity encompasses many different concepts, from information security to operational
security to computer system security. Cybersecurity also means different things to different
audiences. For individual citizens, it is about feeling safe, and protecting their personal data and
privacy. For enterprises, cybersecurity is about ensuring the availability of critical business
functions and the protection of confidential data by maintaining operational and information
security. For governments, it is about protecting citizens, enterprises, critical infrastructure, and
government computer systems from attack or compromise. While definitions vary, cybersecurity
essentially represents the collective activities and resources that enable citizens, enterprises and
governments to meet their computing objectives in a secure, private, and reliable manner.
For government policymakers, such objectives include protecting public health and safety,
economic security and national defense, which are core to managing a modern nation. Today,
Information and Communications Technology (ICT) is an essential underpinning of modern
society and of how governments manage public services, economic growth and national security.
For example, in the European Union, the ICT sector is directly responsible for five percent of
gross domestic product.[1] Perhaps more important is ICT’s impact on other sectors, which
accounts for seventy-five percent of the overall economic impact of the Internet.[2] ICT can help
fulfill key government objectives, such as economic stability, safety, freedom, social stability,
public safety, and education, all of which can lead to improving a nation’s overall well-being and
quality of life for its citizenry.
At the same time, ICT dependence carries with it an evolving set of risks. A wide range of actors
- from nation-states to highly sophisticated and well-funded criminal organizations to loosely
affiliated groups of “hacktivists” - are focusing their energies on exploiting and attacking an
increasingly networked environment. These raise new challenges for policymakers, including the
ability for attackers to strike from afar and to do so anonymously and at the speed of light (a
keystroke takes one hundred fifty milliseconds to travel around the world); a proliferation of
mobile devices, which may lag behind traditional personal computers and less portable devices
in terms of security; and an increase in the number of worldwide Internet users, who through
their own practices, can create new points of vulnerability.
Given these dynamics, cybersecurity will continue to be a necessary cornerstone for the ICT
sector overall to maintain its role as an engine of innovation, growth, jobs and social
development. As cyberspace continues to evolve, and as ICT influence on every sector of the
economy continues to grow, so too must cybersecurity as new environments and threats
emerge. Indeed, because threats and technologies have the potential to evolve much faster
than the regulatory processes, government and industry must work together to develop
appropriate frameworks that will allow cybersecurity solutions to keep pace with the dynamic
threat environment, while also enabling innovation. One important way to keep pace with the
changing threat environment is to ensure that government and industry are focused on
outcome-based results, in addition to the process to deliver them. In short, it is about
advancing risk-based security rather than “check-the-box” compliance.
[1] See the European Commission Communication: A Digital Agenda for Europe COM (2010) 245
[2] See the McKinsey Global Institute’s report: Internet matters: The Net’s sweeping impact on growth, jobs and prosperity (2011)
Part III: Microsoft’s Approach
We recommend policymakers consider Microsoft practices, discussed in this Part III, as they
develop their own policies and practices for their citizens. As Microsoft recently marked a
ten-year milestone of Trustworthy Computing, we recognize that our commitment to greater
security, privacy and reliability[3] in our products and services is more important than ever. Our
experience in managing cybersecurity risks has given us perspective and insight into current and
future challenges that government policymakers face as they work to build strategies, plans, and
regulations related to cybersecurity. For example, we have developed methodologies and tools
such as the Security Development Lifecycle (SDL), which helps reduce vulnerabilities in our
products, and defensive capabilities, like those developed by the Microsoft Security Response
Center, which help ensure we can respond efficiently when new vulnerabilities or attack vectors
are identified. These efforts have had measurable, positive impact on the security profile of our
products and services. Microsoft works across the security industry and IT ecosystem. We
collaborate with policymakers, technical and business leaders, standards bodies and advocacy
groups, such as SAFECode,[4] to champion security innovation and improve computing
experiences for everyone.
What follows below is a brief overview of Microsoft’s risk management approach, including
understanding the evolving threat landscape and applying this knowledge to help reduce the
attack surface of our products and services. While risk may never be completely eliminated, it
can be managed (e.g., accepted, transferred or mitigated). Even though risk management may
not be new to governments, cybersecurity presents significantly different challenges and many
of our experiences and practices can benefit governments, enterprises and citizens as they seek
to better understand and manage their respective cybersecurity risk.
[3] While this paper does not specifically address privacy or reliability, they are also core Trustworthy Computing pillars. For more information on privacy and reliability see Trustworthy Computing site.
[4] See Software Assurance For Excellence in Code at www.safecode.org.
1. Enhancing Secure Product Development to Address Product Vulnerabilities
From the inception of a product at Microsoft, we apply rigorous processes and tools to reduce
vulnerabilities. Our Security Development Lifecycle (SDL) is applied to every product during
development and has proven its ability to increase the security of software. We have made the
SDL process and many of our tools available for others, downloadable at
http://microsoft.com/SDL.[7]
The SDL has delivered results by reducing product vulnerabilities and raising the costs of an
attack. Indeed, we see attackers moving away from Microsoft products as they get harder to
attack. In the August 2011 edition of the IT Threat Evolution report,[8] none of the top 10 software
vulnerabilities involved Microsoft products. Many governments and enterprises are now
applying the SDL to their in-house software and services development efforts.[9]
We also invest in mitigations so that if an attacker discovers a software vulnerability, it is much
more difficult for that attacker to use. These mitigations, such as Address Space Layout
Randomization,[10] included in Windows Vista and later product versions, are built in and most are
enabled within the operating system by default. While one may not notice them when using a
computer, they help to limit the attack surface.
Finally, it is important to apply software updates to quickly respond to issues and decrease the
likelihood of attacks against known vulnerabilities. Microsoft works hard to make these updates
timely, easy to install and reliable.
2. Enhancing Security for the Supply Chain
Securing Microsoft’s supply chain is a part of our approach to risk management,
and should be a standard practice for governments as well. The amazing global transformation
of the last few decades is the product of global free trade and ICT innovation. However,
governments worldwide have begun to express concerns about the threat to their ICT systems
from the global supply chain for ICT products. These concerns are based on the risk that an
adversary might tamper with products during their development, manufacture, production or
[7] For a selected list of Microsoft resources, see Appendix A.
[8] See “IT Threat Evolution: Q2 2011,” Kaspersky Labs, August 11, 2011.
[9] See “Defense Information Systems Agency Application Security and Development Security Technical Implementation Guide (STIG)” (version 2, REL. 1) (24 JUL 2008); See also Microsoft Whitepaper, “MidAmerican Energy Holdings Company uses Microsoft SDL to make its Software More Secure,” March 2011.
[10] For a general definition of ASLR, see https://secure.wikimedia.org/wikipedia/en/wiki/Address_space_layout_randomization