Microsoft shares 2 cybersecurity papers to protect infrastructure and supply chain

May 12, 2014 | 5 min read
Topics: Critical Infrastructure, Cybercrime, Data and Information Security

Microsoft released two cybersecurity papers with insights gained by 'defending one billion users from cyber-threats.'

And they say crime doesn’t pay… Did you know cybercrime kingpins recruit new employees with incentives like a Ferrari and glamorous female assistants? This might be a good time to check whether your company has the best safeguards in place.

On the Microsoft Security blog, Kevin Sullivan, Principal Security Strategist, mentioned that Microsoft released an updated 24-page white paper titled “Toward a Trusted Supply Chain: A Risk Based Approach to Managing Software Integrity” and an updated cybersecurity paper titled “Critical Infrastructure Protection: Concepts and Continuum.” The latter is interesting considering newly released statistics on critical infrastructure, such as that 72% of energy and financial firms expect cyberattacks within the next 12 months.

Microsoft says both of the white papers “draw on our policies and practices that involve regular assessments of the security challenges facing our customers and our operations, as well as ongoing learnings gained through our experiences defending more than one billion users from cyber-threats.”

“Toward a Trusted Supply Chain: A Risk Based Approach to Managing Software Integrity” discusses the Standard Correlation and Business Process Model approaches. After giving an overview of Microsoft’s framework, the paper details different approaches to assessing the risks to supply chains, suggests specific policies and procedures as security controls, and shows where to apply them in order to protect the software’s integrity.

The Business Process Model approach includes graphics that techies and non-techies can easily understand. Additionally, “Microsoft has found that using the Business Process Model has made it easier to analyze software integrity attack scenarios to define areas of risk, and develop or strengthen corresponding controls to mitigate those risks.”

The six phases of the Business Process Model approach are planning, discovery, assessment, development, validation and implementation. Under assessment, Microsoft identified and analyzed attack scenarios against weaknesses in the software development or delivery process.

For example, an actor could intentionally insert malware into a product during the development or delivery of software products, through either a process or a technology weakness. Another example could involve a network administrator intentionally replacing part of the service with code that is malicious in nature during the deployment of an update to an online service. Another possible threat could result from a developer with full access to the production hardware who tries to exploit weakness within the production environment to reduce the security of the production system.

After the attack scenarios are defined, Microsoft suggests two kinds of controls to lessen the risks: preventive and forensic. “Preventive controls are designed to stop violation of policies and procedures before any damage can be done.” If preventive controls don’t stop a violation before it occurs, forensic controls kick in. Microsoft explained:

Common forensic controls include logging of individual activity, verifying the identity of individuals who develop or deploy software or services, and ensuring that changes to software are traceable to an individual. Forensic controls have a benefit beyond holding attackers responsible for their misdeeds: they also serve as a deterrent by making it clear to potential attackers that their actions are likely to be detected.
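As an added illustration of those forensic controls (example code, not from Microsoft’s paper or this post), here is a small audit over a constructed deployment change log: every logged change must name an individual, that individual must be in a verified-identity registry, and the change must carry that person’s signature over the artifact digest, so anything untraceable is reported. The registry, per-person keys and log entries are constructed sample data.

```python
import hashlib
import hmac

# Constructed registry of individuals whose identity was verified before they
# were granted deploy rights, with a per-person signing key (hypothetical data).
VERIFIED_IDENTITIES = {
    "alice": b"alice-deploy-key-sample",
    "bob": b"bob-deploy-key-sample",
}


def sign_change(author, artifact_digest, key):
    """HMAC an individual attaches to a change, binding them to the artifact."""
    msg = f"{author}:{artifact_digest}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def audit_change_log(entries):
    """Return (change_id, reason) for every change not traceable to a verified person.

    Each entry is a dict with change_id, author, artifact_digest and signature.
    """
    findings = []
    for e in entries:
        author = e.get("author")
        if not author:
            findings.append((e["change_id"], "no individual recorded for change"))
            continue
        key = VERIFIED_IDENTITIES.get(author)
        if key is None:
            findings.append((e["change_id"], f"author '{author}' is not a verified identity"))
            continue
        expected = sign_change(author, e["artifact_digest"], key)
        if not hmac.compare_digest(expected, e.get("signature", "")):
            findings.append((e["change_id"], f"signature does not bind change to '{author}'"))
    return findings


def build_sample_log():
    """Constructed log: one traceable change and three that fail a forensic check."""
    ok = {"change_id": "chg-1", "author": "alice", "artifact_digest": "sample-digest-1"}
    ok["signature"] = sign_change("alice", "sample-digest-1", VERIFIED_IDENTITIES["alice"])
    anonymous = {"change_id": "chg-2", "author": "", "artifact_digest": "sample-digest-2", "signature": ""}
    unverified = {"change_id": "chg-3", "author": "svc-deploy", "artifact_digest": "sample-digest-3", "signature": ""}
    forged = {"change_id": "chg-4", "author": "bob", "artifact_digest": "sample-digest-4"}
    forged["signature"] = sign_change("bob", "sample-digest-4", b"not-bobs-key")  # wrong key
    return [ok, anonymous, unverified, forged]


if __name__ == "__main__":
    for change_id, reason in audit_change_log(build_sample_log()):
        print(f"{change_id}: {reason}")
```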

You might be inclined to read the entire document and double-check that your organization is doing its best to stay protected, especially since threats may continue to increase as global cybercrime syndicates compete for new “unscrupulous employees” by offering incentives that most businesses can’t match… like a Ferrari or a Porsche.

According to Troels Oerting, the head of the European Cybercrime Center (EC3), “Europe faced a two-tier system of justice where the rich could afford to protect themselves and take the cyber fight to organized hackers, while the poor faced spiraling bank charges and rampant identity theft because of their inability to pay for online protection.” Granted that’s in Europe, but the internet knocks down international walls.

Oerting said cybercrime kingpins are recruiting; he mentioned a recruitment video posted on the deep web promising a Ferrari or a Porsche to the hacker who comes up with the best scam.

The Independent reported:

The gift – made on a professionally produced video hidden in a dark recess of the internet – formed the basis of a bizarre “employee of the month” competition for the organized crime gang. On the tape, a presenter is pictured in a car showroom alongside a Porsche, a Ferrari and glamorous female assistants who offer the prize for the most successful hacker.

Oerting didn’t mention poaching employees when he warned that “criminal gangs were actively recruiting young programmers from universities and were talent-spotting online to identify creative programmers.” But it likely wouldn’t hurt to review Microsoft’s white papers since the company is sharing insights learned after “defending more than one billion users from cyber threats.”


Ms. Smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.