November 2005 - Posts
I mentioned last month I was interviewed by John Alexander and Jeff Julian for a podcast at the Heartland Developers Conference 2005. The interview is now live. Here is the description of the show:
Our guest this week is Robert Hurlbut, Microsoft Security MVP. We discuss Security Best Practices, encryption preferences, and Visual Studio 2005 security enhancements. This show was recorded at the Heartland Developers Conference in Cedar Rapids, Iowa.
Dana Epp describes a Threat Modeling talk he recently heard presented by Dan Sellers of Microsoft.
One key idea from the talk is that DREAD is dead, according to Dan. If you don't know, DREAD was a way to assign ratings to threats, but this has proven to be too subjective when you have both security experts and business types in the same room trying to decide what rating to give a particular threat.
Now, Microsoft is using something different. According to Dana:
They are using the Microsoft Security Response Center Security Bulletin Severity Rating System. Instead of having a rating system between 0 and 10 where most stuff is ranked as either a 1 or a 10 anyways, it is now broken down into 1 of 4 categories:
- Critical: A vulnerability whose exploitation could allow the propagation of an Internet worm without user action.
- Important: A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources.
- Moderate: Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.
- Low: A vulnerability whose exploitation is extremely difficult, or whose impact is minimal.
Dana mentions this information came from Dan's slide deck. That deck is probably very similar to what I presented on Threat Modeling recently here and here, as I borrowed some slides and ideas (with due credit, of course) from the talk Michael Howard gave at PDC 2005. In that talk, Michael mentioned DREAD and presented the same simple formula.
I especially like this new model because it gets to the heart of what security threats are and how they should be viewed by your business.
I spoke to the New England SQL Server User Group last night in Waltham, MA on SQL Server Security. The group was a good mix of DBAs, wanna-be DBAs, developers forced at times to be DBAs, and developers. I covered the problems with trying to secure SQL Server (various types of attacks, etc.) as well as ways to secure SQL Server 2000 and the newest features available in SQL Server 2005. As you can imagine, when I asked how many were still using and supporting SQL Server 2000, nearly every hand went up, compared to a minimal number of those running anything on SQL Server 2005.
One method I mentioned to help secure SQL Server (both versions) is to use a least-privileged service account upon installation, or to change the default LocalSystem account to a least-privileged account afterwards. I typically use a normal user account, deny it certain logon rights, and apply other restrictions. Yesterday, I found a couple of interesting webcasts that discuss these same techniques:
Jesper Johansson's What Nobody Told You About Protecting SQL Server 2000 (here, he shows how you can also use a guest account to further restrict the service account for SQL Server 2000 plus other methods to lock down the product).
Chip Andrews' Minimizing SQL Server service, login, and user accounts (you will have to register to hear the webcast).
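As an added example (not from the original post or either webcast), here is a PowerShell check that lists the SQL Server services on a host and reports which still run as LocalSystem or another shared built-in account rather than a dedicated least-privileged user. It assumes Windows PowerShell 3.0 or later for Get-CimInstance; the service-name patterns are the standard SQL Server engine, agent, browser and full-text service names.

```powershell
# Added example: audit the Windows accounts used by SQL Server services.
# Assumes Get-CimInstance (Windows PowerShell 3.0+); on older hosts use
# Get-WmiObject Win32_Service instead.

# Built-in accounts. LocalSystem is the default the post recommends replacing;
# NetworkService/LocalService are lower privilege but shared with other services.
$localSystemNames = @('LocalSystem', 'NT AUTHORITY\SYSTEM')
$sharedBuiltIn    = @('NT AUTHORITY\NetworkService', 'NT AUTHORITY\LocalService',
                      'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\LOCAL SERVICE')

# Service-name patterns for the engine, agent, browser and full-text services.
$sqlPatterns = @('MSSQL*', 'SQLAgent*', 'SQLBrowser', 'MSSQLFDLauncher*', 'SQLServerAgent')

function Get-SqlServiceAccountReport {
    $services = Get-CimInstance -ClassName Win32_Service | Where-Object {
        $name = $_.Name
        ($sqlPatterns | Where-Object { $name -like $_ }).Count -gt 0
    }

    foreach ($svc in $services) {
        $account = $svc.StartName
        $finding = if ($localSystemNames -contains $account) {
            'REVIEW: runs as LocalSystem; move to a least-privileged account'
        } elseif ($sharedBuiltIn -contains $account) {
            'REVIEW: shared built-in account; consider a dedicated account'
        } else {
            'OK: dedicated account (verify it is not a local Administrator)'
        }

        [pscustomobject]@{
            Service   = $svc.Name
            State     = $svc.State
            StartMode = $svc.StartMode
            StartName = $account
            Finding   = $finding
        }
    }
}

# Run from an elevated prompt on the database host and review each Finding.
Get-SqlServiceAccountReport | Format-Table -AutoSize
```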
I placed my slides and code from last night's talk on my own site for download.
I will be speaking tonight to the New England SQL Server User Group at Microsoft in Waltham, MA. My friend Andrew Novick will give a talk on SQL Server Auditing at 6:00 PM, and I will give my talk on SQL Server Security (covering SQL Server 2000 briefly and then the new features of SQL Server 2005) at 7:00 PM. I have been updating demos with the newly released RTM version, and so far, everything is looking good.
The MAD Security Code Camp site has been updated with photos from the event. This one
Last night, the Boston .NET User Group held a Boston Visual Studio 2005 and SQL Server 2005 Cabana Night in conjunction with the official launch of the world tour of these great products.
I debated about joining the VS2005 or SQL2005 room topics (as I have touched both over the last year or so), but decided on VS2005. There were a lot of great questions on licensing, new ASP.NET features, C#/VB.NET language features, Team System, etc. Unfortunately, there were no direct security questions, but there was a question about WSE 3.0. The consensus was to skip WSE 2.0 (which is really using .NET 1.1 anyway) and go straight to WSE 3.0 (which leverages the new .NET 2.0 features). The good news, which wasn't that clear last night, is that the WSE 3.0 Final was officially released yesterday as well. Go fetch!
I was questioned briefly last week for this article in Computerworld:
Robert Hurlbut, an independent software consultant in Worcester, Mass., said SQL Server 2005's security features are a big improvement over what was in the previous release of the database, especially for government users and companies in the health care and financial services industries. Microsoft has "locked down the ports and turned things on automatically that you used to have to do by hand," Hurlbut said.
Actually, I said "turned things off", but that's probably the result of a cold I had last week and a flaky cell phone connection. :)
Among the many features in SQL Server 2005 I like both personally and for my clients are: security (especially built-in encryption), Service Broker, T-SQL enhancements, high availability, and improvements for developer productivity (IDE, debugging, etc.). I am also interested in the SQLCLR features from an almost academic "great to see another CLR hosting solution" perspective, but I am not sure yet how much I will use these features in custom solutions. Either way, it is a very exciting day to see the product I have been beta testing over the last year and a half finally be released!
Today is the day that marks the official start of the Visual Studio 2005 and SQL Server 2005 launch tour. The tour is coming to Boston on December 15th, but there is also a way to be part of the action tonight.
There is a special Visual Studio 2005 and SQL Server 2005 Cabana Night, serving as the November meeting of the Boston .NET User Group, at 6:00 pm - 9:00 pm at the Microsoft offices in Waltham, MA:
Join us for a fun evening of discussion to celebrate the launch of Visual Studio 2005 and SQL Server 2005. This evening is designed to be a fun interactive discussion with your peers about the functionality in these exciting new products. The sessions will be organized like the popular "Cabana" sessions held at TechEd. Each session will have a group of experts that will lead a discussion based upon questions and the interest of the audience. There will be one session on Visual Studio 2005 and another on SQL Server 2005.
Experts attending as discussion leaders so far include:
- Chris Bowen
- Robert Hurlbut
- Richard Hale Shaw
- Jesse Liberty
- Andrew Novick
- Chris Pels
- Thom Robbins
Registration is required.
Hope to see you there!
Last night I spoke to the OWASP (Open Web Application Security Project) Boston Chapter group on Threat Modeling for Web Applications. I presented some of the latest updates in Threat Modeling (in particular, those updates mentioned by Michael Howard at this year's TechEd 2005 and PDC 2005). I covered the process of Threat Modeling, and how it can be applied to Secure Web Application design, along with an interactive demonstration of whiteboarding the process. There were several great questions and discussion points.
One question that was raised at this meeting and at my last talk on the topic is: How do you get a company or business to buy into the usefulness of threat modeling? I think the value is in showing how threats can affect the very core of your business. For example, if your business deals with e-commerce and stores credit card information, you would want to make sure that data is stored securely and transmitted reliably and securely, as well as ensuring the integrity of transactions and collections. There are common threats against each of these requirements, and the lack of any of these safeguards represents a real vulnerability. When these threats are placed in the light of compromising integrity, reliability, and the ability to do business, a company can't help but look seriously at them and at how to mitigate them.
I have posted slides from the meeting on my site. They will also be available on the OWASP Boston Chapter site as well.
Here are some references used or mentioned in my talk:
Threat Modeling Book
Threat Modeling Tool
Writing Secure Code, Second Edition, Threat Modeling chapter
Guerrilla Threat Modeling, Peter Torr's excellent article
Threat Modeling Web Applications (there is a nice set of threat modeling templates and common threat trees listed here on the Patterns and Practices site)
Here is a resource that was not mentioned, but it is another interesting source I am looking forward to see evolve:
TRIKE: A Conceptual Framework for Threat Modeling