Microsoft Security Newsletter - January 2014
Trustworthy Computing | January 2014
Welcome to January’s Security Newsletter!
We thought we would kick off the new year by providing you with insight into our "Top Cyber Threat Predictions for 2014." This is a topic that continues to garner interest from security professionals and something we thought you all might enjoy. Below are the top predictions for 2014 provided by a wide range of senior cybersecurity leaders at Microsoft:
- Prediction #1: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization
- Prediction #2: Service-Impacting Interruptions for Online Services Will Persist
- Prediction #3: We Will See an Increase in Cybercrime Activity Related to the World Cup
- Prediction #4: Rise of Regional Cloud Services
- Prediction #5: Dev-Ops Security Integration Fast Becoming Critical
- Prediction #6: Cybercrime that Leverages Unsupported Software will Increase
- Prediction #7: Increase in Social Engineering
- Prediction #8: Ransomware will Impact More People
More information on each of these predictions can be found in the Microsoft Security Blog (http://blogs.technet.com/b/security/archive/2013/12/12/security-professionals-top-threat-predictions-for-2014.aspx). To summarize, we have seen some significant shifts in the threat landscape and in the industry in 2013, but basic security fundamentals continue to be effective at mitigating the risks. Keeping all software up to date, running anti-malware software from a trusted source, and demanding that the software you use has been developed using a security development lifecycle will continue to be best practices in 2014. Leveraging cloud services will also pay security, privacy and reliability dividends in the new year and beyond.
This month’s newsletter features the top tools and resources to help you protect yourself, your organization, and your customers against some of the threats outlined in these predictions. I hope you find this information helpful and wish you all a happy new year.
Best regards,
Tim Rains, Director
Microsoft Trustworthy Computing
Have feedback on how we can improve this newsletter? Email us at secnlfb@microsoft.com and share your ideas.
Top Stories
http://blogs.technet.com/b/trustworthycomputing/archive/2014/01/08/suggested-resolutions-for-cloud-providers-in-2014-1-reinforce-that-security-is-a-shared-responsibility.aspx
Suggested Resolutions for Cloud Providers in 2014: Reinforce that Security is a Shared Responsibility
When an organization is moving to the cloud, everyone has a role to play when it comes to security. Learn why this is an important new year’s resolution for both cloud providers and their customers in this blog post from Adrienne Hall, General Manager of Microsoft Trustworthy Computing, then explore other suggested resolutions around clearly defining what a cloud service does (and doesn’t) do (http://blogs.technet.com/b/trustworthycomputing/archive/2014/01/10/suggested-resolutions-for-cloud-providers-in-2014-2-be-precise-about-what-the-service-does-and-doesn-t-do.aspx) and avoiding acronyms when discussing cloud services (http://blogs.technet.com/b/trustworthycomputing/archive/2014/01/14/suggested-resolutions-for-cloud-providers-in-2014-3-avoid-acronym-soup-when-discussing-cloud-services.aspx).
http://blogs.technet.com/b/security/archive/2014/01/16/the-cybersecurity-risk-paradox-measuring-the-impact-of-social-economic-and-technological-factors-on-cybersecurity.aspx
The Cybersecurity Risk Paradox
http://download.microsoft.com/download/E/1/8/E18A8FBB-7BA6-48BD-97D2-9CD32A71B434/Cybersecurity-Risk-Paradox.pdf
Download a new report on the impact of social, economic, and technological factors on cybersecurity. This special edition of the Microsoft Security Intelligence Report outlines the challenges in developing countries and offers policy recommendations.
http://blogs.technet.com/b/security/
Drive-by Download Attacks: Examining the Web Server Platforms Attackers Use Most Often
Drive-by download attacks continue to be many attackers’ favorite type of attack. A drive-by download site is a website that hosts one or more exploits that target vulnerabilities in web browsers and browser add-ons. Users with vulnerable computers can be infected with malware simply by visiting such a website, even without attempting to download anything. Explore this trend in more detail and learn how developers and IT pros can take action to manage the risks associated with this type of attack.
Security Guidance
http://blogs.technet.com/b/trustworthycomputing/archive/2013/12/29/translating-geek-speak-into-executive-speak.aspx
Security Tip of the Month: Translate "Geek Speak" into "Executive Speak"
For business leaders and decision makers, it has never been more important to have a regular, open dialogue about security with IT staff. Learn why security professionals should learn to translate "geek speak" into "executive speak" to ensure that their concerns and recommendations are heard.
http://www.microsoft.com/download/details.aspx?id=10985
A Guide to Data Governance for Privacy, Confidentiality, and Compliance
Data governance is an approach that public and private entities can use to organize one or more aspects of their data management efforts, including business intelligence (BI), data security and privacy, master data management (MDM), and data quality (DQ) management. This series of guides aims to answer key questions about how to approach the combined challenges of information security and privacy and the associated regulatory compliance obligations.
http://www.microsoft.com/download/details.aspx?id=16048
Privacy Guidelines for Developing Software Products and Services
As the threat landscape escalates, customers are feeling less able to control access to their personal information. As a result, Microsoft has developed a set of privacy guidelines for developing software products and services based on its internal guidelines to help you incorporate privacy into your own development process.
http://www.microsoft.com/download/details.aspx?id=38823
Resilience by Design for Cloud Services
Learn about Resiliency Modeling and Analysis (RMA), a methodology for improving resiliency adapted from the industry-standard technique known as Failure Mode and Effects Analysis (FMEA), and get guidance for incorporating robust resilience design into the development cycle.
http://www.microsoft.com/download/details.aspx?id=35843
Deploying Highly Available and Secure Cloud Solutions
Explore the key principles cloud providers should consider when developing and deploying cloud services and get real-world examples of deploying robust cloud solutions to maintain highly available and secure client connections.
http://technet.microsoft.com/security/jj923069.aspx
How to Mitigate Against Targeted Cyber Intrusion
Sensitive information, corporate intellectual property, financial information, and private personal data are being lost to cyber intrusions targeted at government agencies and private enterprises. Explore some effective protections that you can put in place without a new investment in technology or personnel.
http://www.microsoft.com/download/details.aspx?id=29855
The Compliance Benefits of Better Application Security
At first glance, the overlap between compliance and software security is limited to the specific software security requirements posed in standards such as the Payment Application Data Security Standard (PA DSS). In practice, however, software security and IT compliance are deeply intertwined. This paper explains why.
http://technet.microsoft.com/security/dn194322.aspx
End User Education in the Real World
Learn some valuable tips to employ when educating your users about security and privacy, and find out how to create an effective security awareness program. Looking for resources to help you explain social engineering and ransomware to your end users? Check out the Microsoft Safety & Security Center’s email and social networking resources (http://www.microsoft.com/security/online-privacy/email.aspx) and "What is ransomware?" (http://www.microsoft.com/security/resources/ransomware-whatis.aspx). For additional guidance for your organization, see How to Protect Insiders from Social Engineering Threats (http://www.microsoft.com/download/details.aspx?id=19520).
This Month's Security Bulletins
January 2014 Security Bulletins
Important
- MS14-001 (2916605): Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (https://technet.microsoft.com/en-us/security/bulletin/MS14-001)
- MS14-002 (2914368): Vulnerability in Windows Kernel Could Allow Elevation of Privilege (https://technet.microsoft.com/en-us/security/bulletin/MS14-002)
- MS14-003 (2913602): Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (https://technet.microsoft.com/en-us/security/bulletin/MS14-003)
- MS14-004 (2880826): Vulnerability in Microsoft Dynamics AX Could Allow Denial of Service (https://technet.microsoft.com/en-us/security/bulletin/MS14-004)
January 2014 Security Bulletin Resources:
- Microsoft Security Response Center (MSRC) Blog Post (http://blogs.technet.com/b/msrc/archive/2014/01/14/a-look-into-the-future-and-the-january-2014-bulletin-release.aspx)
- Security Bulletin Webcast (http://www.youtube.com/watch?v=Qbiw-P6JWyo)
- Security Bulletin Webcast Q&A (http://blogs.technet.com/b/msrc/p/january-2014-security-bulletin-q-a.aspx)
Security Events and Training
https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032572879
Microsoft Webcast: Information about the February 2014 Security Bulletin Release
Wednesday, February 12, 2014 – 11:00AM Pacific Time
Join this webcast for a brief overview of the technical details of February’s Microsoft security bulletins. Ask questions and get answers from Microsoft security experts.
http://www.rsaconference.com/events/us14/agenda/sessions/1055/a-deep-dive-into-the-security-threat-landscape-of
RSA Conference Session: A Deep Dive into the Security Threat Landscape of the Middle East
Wednesday, February 26, 2014 – 8:00AM Pacific Time, Moscone Center (West, Room 3002), San Francisco, CA
The Middle East has seen a number of high profile targeted attacks in the past few years. If you are attending the RSA Conference this year, be sure to join Microsoft TwC Director Tim Rains for this session as he takes a closer look at the security threat landscape in several Middle Eastern countries, including Egypt, Iraq, Qatar and Saudi Arabia.
https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032571237
Microsoft Cloud Services – Taking Any App to the Cloud
Wednesday, March 5, 2014 – 10:00AM Pacific Time
Migrating business to the cloud isn’t just a trend anymore, but rather a fundamental business requirement. Learn how the Windows Azure Platform-as-a-Service (PaaS) strategy can help you build and run custom enterprise-grade applications as services with near-infinite scalability and security.
https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032572977
Microsoft Webcast: Information about the March 2014 Security Bulletin Release
Wednesday, March 12, 2014 – 11:00AM Pacific Time
Join this webcast for a brief overview of the technical details of March’s Microsoft security bulletins. Ask questions and get answers from Microsoft security experts.
https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032575681
MTC LIVE Atlanta Presents – Identity and Security in the Cloud
Thursday, March 27, 2014 – 3:00PM Eastern Time
How do you keep your users mobile and productive while ensuring that your organization’s data and resources are safe? Join this live, interactive session to learn how to: provide access and information protection that allows you to control access to corporate data and resources while offering a seamless end-user authentication experience; manage and federate user identities across the organization and into the cloud in order to provide employees appropriate access to the needed resources; and provide secure and always-available remote access capabilities to ensure corporate resources can be reached from anywhere and yet still controlled and protected.
http://northamerica.msteched.com/
TechEd North America 2014
May 12-15, 2014 – Houston, Texas
In 2014, Microsoft is bringing together the best of TechEd and the Microsoft Management Summit (MMS) to help skilled technology professionals increase their technical expertise, share best practices, and interact with Microsoft and a variety of industry experts and their peers. Explore the security aspects of data platforms and business intelligence, datacenter and infrastructure management, people-centric IT, Windows (devices and Windows Phone), and much more.
Register today (http://northamerica.msteched.com/Register).
Essential Tools
- Microsoft Security Bulletins (http://technet.microsoft.com/security/bulletin)
- Microsoft Security Advisories (http://technet.microsoft.com/security/advisory)
- Security Compliance Manager (http://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
- Microsoft Security Development Lifecycle Starter Kit (http://www.microsoft.com/security/sdl/adopt/starterkit.aspx)
- Enhanced Mitigation Experience Toolkit (http://support.microsoft.com/kb/2458544)
- Malicious Software Removal Tool (http://www.microsoft.com/security/pc-security/malware-removal.aspx)
- Microsoft Baseline Security Analyzer (http://technet.microsoft.com/security/cc184924.aspx)
Security Centers
- Security TechCenter (http://technet.microsoft.com/security)
- Security Developer Center (http://msdn.microsoft.com/security)
- Microsoft Security Response Center (http://www.microsoft.com/security/msrc/default.aspx)
- Microsoft Malware Protection Center (http://www.microsoft.com/security/portal/)
- Microsoft Privacy (http://www.microsoft.com/privacy)
- Microsoft Security Product Solution Centers (http://support.microsoft.com/select/default.aspx?target=hub&c1=10750)
Additional Resources
- Trustworthy Computing Security and Privacy Blogs (http://www.microsoft.com/about/twc/en/us/blogs.aspx)
- Microsoft Security Intelligence Report (http://www.microsoft.com/security/sir)
- Microsoft Security Development Lifecycle (http://www.microsoft.com/security/sdl)
- Malware Response Guide (http://technet.microsoft.com/library/cc162838.aspx)
- Security Troubleshooting and Support Resources (http://technet.microsoft.com/security/bb980617.aspx)
- Trustworthy Computing Careers (http://www.microsoft-careers.com/go/Trustworthy-Computing-Jobs/194701/)
This is a monthly newsletter for IT professionals and developers–bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.
(c) 2014 Microsoft Corporation