Microsoft Security Newsletter - December 2013



Trustworthy Computing | December 2013
Microsoft Security Newsletter



Welcome to December’s Security Newsletter!


This month our newsletter focuses on security considerations for cloud adoption. When choosing a cloud provider, you want a provider you can trust with your organization’s data and information. As a cloud provider to over a billion customers in 76+ markets worldwide, Microsoft understands the importance of building trust. There are three key areas Microsoft focuses on in building trust with our customers:


Development – We know that you want products and services built with security, privacy and reliability in mind. In 2004, Microsoft made secure development a mandatory process for all products by implementing the

http://www.microsoft.com/sdl
Microsoft Security Development Lifecycle (SDL) . The Microsoft SDL is a holistic and comprehensive approach for writing security, privacy and reliability-enhanced code.


Operations – To provide secure operations for our customers, Microsoft has invested billions of dollars in designing our datacenters to internationally recognized standards that comply with regional laws, as well as our own stringent security and privacy policies. Our datacenters are designed with a detailed set of security controls across multiple layers so that should one layer of defense fail, there are multiple other compensatory layers. More recently, at RSA Europe in October, General Manager for Trustworthy Computing at Microsoft Mike Reavey delivered a keynote that discussed

http://blogs.technet.com/b/trustworthycomputing/archive/2013/10/29/rsa-europe.a spx
Microsoft’s methodology for Operational Security Assurance (OSA) as it relates to online services. A secure operations methodology is part of Microsoft’s ongoing commitment to enable trustworthy computing in all aspects of our online services and OSA represents the next evolution of these efforts.


Incident Response – No matter how secure and reliable services are, unexpected situations may occur– from natural disasters to emerging security, privacy or reliability threats. That’s why it’s critical that a cloud provider has a comprehensive incident response process in place. If an issue emerges at Microsoft that threatens the cloud services provided to our customers, our incident response teams such as the

http://www.microsoft.com/security/msrc/default.aspx
Microsoft Security Response Center (MSRC) mobilize resources around the world to investigate and address reports. Our incident response teams operate 24X7 across multiple locations around the world with failover capabilities in the event of a disaster. They create timely updates, provide customer guidance and workarounds to remediate and restore service for customers around the globe.



How a cloud provider handles development, operations and incident response are important security considerations when choosing a cloud provider. You should look for a cloud provider that will demonstrate a commitment to these areas through transparency and compliance. If you are ready for the cloud, assess your readiness by taking the Microsoft’s free

https://roianalyst.alinean.com/msft/AutoLogin.do?d=563612287085088525
Cloud Security Readiness Tool today! To help you better understand how to adopt and deploy secure cloud solutions for your organization, we've assembled a variety of resources and tools in this month’s newsletter. I hope you find this information helpful and wish you all a happy and safe holiday season.



Best regards,

Tim Rains, Director

Microsoft
Trustworthy
Computing



Have feedback on how we can improve this newsletter? Email us at mailto:secnlfb@microsoft.com
secnlfb@microsoft.com and share your ideas.



Top Stories



http://blogs.technet.com/b/security/archive/2013/12/18/enterprise-threat-encoun ters-scenarios-and-recommendations-part-1.aspx
Enterprise Threat Encounters: Scenarios and Recommendations – Part 1

Read the first installment in a multi-part series that will detail common security incidents faced by organizations today and provide recommended mitigations based on guidance from Microsoft’s Security Support team. Topics covered in this post include entry points, gaining administrator control, establishing roots, credential theft, and data theft.


http://blogs.technet.com/b/mmpc/archive/2013/12/15/be-a-real-security-pro-keep- your-private-keys-private.aspx
Be a Real Security Pro – Keep Your Private Keys Private

One of the many unusual characteristics of the Stuxnet malware that was discovered in 2010 was that its files were distributed with a valid digital signature, created using authentication credentials that belonged to two unrelated legitimate software companies. In the past month or so, the use of stolen certificates has become more common. Learn about this trend and the steps you can take to better secure your code-signing keys.


http://blogs.technet.com/b/security/archive/2013/12/12/security-professionals-t op-threat-predictions-for-2014.aspx
Security Professionals: Top Cyber Threat Predictions for 2014

Get a quick recap of recent security events, the state of the industry today, and a glimpse into the future with how Microsoft anticipates the threat landscape to evolve in 2014.




Security Guidance



http://www.microsoft.com/industry/government/guides/cloud_computing/3-security. aspx
Cloud Basics: Security in the Cloud

While designed for the government industry, this quick guide provides a high-level overview of the basic pros and cons of adopting cloud computing as well as quick checklist on what to consider when looking for a cloud provider.


http://social.technet.microsoft.com/wiki/contents/articles/4509.security-issues -in-cloud-deployment-models.aspx
Security Issues in Cloud Deployment Models

Explore common security issues for the three basic models of cloud-based computing:

http://social.technet.microsoft.com/wiki/contents/articles/4511.security-issues -in-the-public-cloud.aspx
public cloud (software, infrastructure, or platforms offered as a service by third parties over the Internet),

http://social.technet.microsoft.com/wiki/contents/articles/4510.security-issues -in-the-private-cloud.aspx
private cloud (cloud technologies where you control the entire stack, from hardware to software, and can be located on-premises, or at a hosting provider that manages the servers dedicated to your private cloud solution), and

http://social.technet.microsoft.com/wiki/contents/articles/4512.security-issues -in-the-hybrid-cloud.aspx
hybrid cloud (the combination of public and private cloud).


http://technet.microsoft.com/magazine/dn271884.aspx
Common Cloud Vulnerabilities

The manner in which you architect your cloud computing infrastructure can have a direct impact on its resistance to failure. Public and private clouds can be affected by both malicious attacks and infrastructure failures such as power outages. This article outlines a few common challenges (and possible solutions) involved with implementing a secure and reliable cloud infrastructure for your organization.


http://social.technet.microsoft.com/wiki/contents/articles/6642.a-solution-for- private-cloud-security.aspx
A Solution for Private Cloud Security

Access a comprehensive explanation of the process for designing and running security for a private cloud environment including planning considerations, step-by-step design guidance, and guidance on how to facilitate ongoing, effective operations. Not sure how the private cloud differs from other mechanisms for delivering cloud services? Read the

http://social.technet.microsoft.com/wiki/contents/articles/4670.overview-of-pri vate-cloud-architecture.aspx
Overview of Private Cloud Architecture .


http://social.technet.microsoft.com/wiki/contents/articles/3808.security-consid erations-for-infrastructure-as-a-service-iaas.aspx
Security Considerations for Infrastructure as a Service (IaaS)

In terms of security requirements, IaaS must implement security effectively at the level of the host, virtual machine, compute, memory, network and storage. Explore these considerations in detail to help you better determine whether IaaS is right for your organization and, if it is right, to select an appropriate IaaS provider.


http://www.microsoft.com/download/details.aspx?id=18990
Security Guidelines for SQL Azure

SQL Azure Database is a cloud database service from Microsoft. SQL Azure provides web-facing database functionality as a utility service. This document provides an overview of security guidelines for customers who connect to SQL Azure Database, and who build secure applications on SQL Azure.


http://www.microsoft.com/download/details.aspx?id=38193
Identity and Authentication in the Cloud: Office 2013 and Office 365

This downloadable technical poster illustrates and explains the new world of identity and authentication in Office 2013 and Office 365 including how identities are provisioned and how those identities are authenticated completely in the Microsoft cloud or in a hybrid (on-premises and Microsoft cloud) topology. Looking for more information on how Office 365 delivers enterprise-grade security? Download the

http://www.microsoft.com/download/details.aspx?id=26552
Security in Office 365 white paper and visit the

http://office.microsoft.com/en-us/business/office-365-trust-center-cloud-comput ing-security-FX103030390.aspx
Office 365 Trust Center .


http://www.microsoft.com/download/details.aspx?id=40872
Operational Security for Online Services Overview

Download an overview of how Microsoft makes its networks more resilient to attack and increases the security of its cloud-based services by extending the foundation of Microsoft cloud-based services to protect against Internet-based security threats and by incorporating best practices and methodology to continuously update services to improve security and resolve incidents as quickly as possible.




This Month's Security Bulletins


December 2013 Security Bulletins


Critical

-MS13-096:2908005 https://technet.microsoft.com/en-us/security/bulletin/ms13-096

Vulnerability in Microsoft Graphics Component Could allow Remote Code Execution


-MS13-097:2898785 https://technet.microsoft.com/en-us/security/bulletin/ms13-097

Cumulative Security Update for Internet Explorer

-MS13-098:2893294 https://technet.microsoft.com/en-us/security/bulletin/ms13-098

Vulnerability in Windows Could Allow Remote Code Execution

-MS13-099:2909158 https://technet.microsoft.com/en-us/security/bulletin/ms13-099

Vulnerability in Microsoft Scripting Runtime Object Library Could Allow Remote Code Execution

-MS13-105:2915705 https://technet.microsoft.com/en-us/security/bulletin/ms13-105

Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution


Important

-MS13-100:2904244 https://technet.microsoft.com/en-us/security/bulletin/ms13-100

Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution

-MS13-101:2880430 https://technet.microsoft.com/en-us/security/bulletin/ms13-101

Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege

-MS13-102:2898715 https://technet.microsoft.com/en-us/security/bulletin/ms13-102

Vulnerability in LRPC Client Could Allow Elevation of Privilege

-MS13-103:2875783 https://technet.microsoft.com/en-us/security/bulletin/ms13-103

Vulnerability in Windows Ancillary Function Driver Could Allow Information Disclosure

-MS13-104:2909976 https://technet.microsoft.com/en-us/security/bulletin/ms13-104

Vulnerability in Microsoft Office Could Allow Information Disclosure

-MS13-106:2905238 https://technet.microsoft.com/en-us/security/bulletin/ms13-106

Vulnerability in a Microsoft Office Shared Component Could Allow Security Feature Bypass


December 2013 Security Bulletin Resources:

- http://blogs.technet.com/b/msrc/archive/2013/12/10/omphaloskepsis-and-the-decem ber-2013-security-update-release.aspx

Microsoft Security Response Center (MSRC) Blog Post

-
http://www.youtube.com/watch?v=9vWpJ1p1ZIE
Security Bulletin Webcast

-
http://blogs.technet.com/b/msrc/p/december-2013-security-bulletin-q-a.aspx

Security Bulletin Webcast Q&A



Security Events and Training



https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032572876 Microsoft Webcast: Information about the January 2014 Security Bulletin Release

Wednesday, January 15, 2014

Join this webcast for a brief overview of the technical details of January’s Microsoft security bulletins. Ask questions and get answers from Microsoft security experts.


https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032571357 Modernizing and Mobilizing your Clinical Desktop
Wednesday, January 22, 2014

If you are running Windows XP or Windows 7, are concerned about the use of iPads in your environment and want to give your users an alternative, and want to address secure and HIPAA compliant mobile workflows, this webcast is for you. Learn about non-compliance with the HIPAA Security rule for Windows XP users beyond April 8, 2014 including how threats and vulnerabilities and risks to Protected Health Information will make the Windows XP platform the target of cyber-attacks and open to malware and virus intrusion.


https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032572879 Microsoft Webcast: Information about the February 2014 Security Bulletin Release
Wednesday, February 12, 2014

Join this webcast for a brief overview of the technical details of February’s Microsoft security bulletins. Ask questions and get answers from Microsoft security experts.


http://northamerica.msteched.com/
TechEd North America 2014
May 12-15, 2014 – Houston, Texas

In 2014, Microsoft is bringing together the best of TechEd and the Microsoft Management Summit (MMS) to help skilled technology professionals increase their technical expertise, share best practices, and interaction with Microsoft and a variety of industry experts and their peers. Explore the security aspects of data platforms and business intelligence, datacenter and infrastructure management, people-centric IT, Windows (devices and Windows Phone), and much more.

http://northamerica.msteched.com/Register
Register by December 31, 2013 to get early-bird pricing on the conference as well as pre-conference seminars, which include a special workshop on "Hacking and Hardening Windows Infrastructure."






Essential Tools


-
http://technet.microsoft.com/security/bulletin
Microsoft Security Bulletins

-
http://technet.microsoft.com/security/advisory
Microsoft Security Advisories

-
http://technet.microsoft.com/solutionaccelerators/cc835245.aspx
Security Compliance Manager

-
http://www.microsoft.com/security/sdl/adopt/starterkit.aspx
Microsoft Security Development Lifecycle Starter Kit

-
http://support.microsoft.com/kb/2458544
Enhanced Mitigation Experience Toolkit

-
http://www.microsoft.com/security/pc-security/malware-removal.aspx
Malicious Software Removal Tool

-
http://technet.microsoft.com/security/cc184924.aspx
Microsoft Baseline Security Analyzer


Security Centers


-
http://technet.microsoft.com/security
Security TechCenter

-
http://msdn.microsoft.com/security
Security Developer Center

-
http://www.microsoft.com/security/msrc/default.aspx
Microsoft Security Response Center

-
http://www.microsoft.com/security/portal/
Microsoft Malware Protection Center

-
http://www.microsoft.com/privacy
Microsoft Privacy

-
http://support.microsoft.com/select/default.aspx?target=hub&c1=10750
Microsoft Security Product Solution Centers


Additional Resources


-
http://www.microsoft.com/about/twc/en/us/blogs.aspx
Trustworthy Computing Security and Privacy Blogs

-
http://www.microsoft.com/security/sir
Microsoft Security Intelligence Report

-
http://www.microsoft.com/security/sdl
Microsoft Security Development Lifecycle

-
http://technet.microsoft.com/library/cc162838.aspx
Malware Response Guide

-
http://technet.microsoft.com/security/bb980617.aspx
Security Troubleshooting and Support Resources

-
http://www.microsoft-careers.com/go/Trustworthy-Computing-Jobs/194701/ Trustworthy Computing Careers




microsoft.com/about/twcTrustworthy Computing




This is a monthly newsletter for IT professionals and developers–bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.



(c) 2013 Microsoft Corporation. All rights reserved. Microsoft, MSDN, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.



Microsoft respects your privacy. To learn more please read our online http://go.microsoft.com/fwlink/?LinkId=81184
Privacy Statement .



If you would prefer to no longer receive this newsletter, please http://pages.email.microsoftemail.com/page.aspx?QS=38dfbe491fab00ea380afe73db21 804e1836ec2291e123ed&emailid=279794&memberid=10030559&jobid=2704233&listid=8857 87&listname=Subscription_10030559_1109&subscriberkey=lordtime@tds.net&emailaddr =lordtime@tds.net&subscriberid=328026660
click here .



To set your contact preferences for other Microsoft communications http://click.email.microsoftemail.com/m_hcp.aspx?qs=0bb7f39debca1b0ad10fb2e924b 6311d344a0079e5cc587f4d16330b7c3cc8e7aa3d48879950d85d33a47e9a9586dfefd285dcac31 618dc87a00736473e02133a3a303e175563c7bac5e9f8cbc80ba87103609fae2b4ca3c
click here .



Microsoft Corporation

One Microsoft Way

Redmond, WA 98052 USA






---

Rob Starr
Lord Time SysOp of
Time Warp of the Future BBS
Telnet://Time.Darktech.Org:24 or Telnet://TimeWarpFuture.dyndns.org:24 or Telnet://Time.Synchro.Net:24 (qwk or ftn & e-mail)
ICQ # 11868133 or # 70398519 Jabber : lordtime2000@gmail.com
Yahoo : lordtime2000 AIM : LordTime20000 MSN : Lord Time
Astra : lord_time X-Box : Lord Time 2000 oovoo : lordtime2000

---
■ Synchronet ■ Time Warp of the Future BBS - Home of League 10 IBBS Games