Microsoft Security Newsletter - October 2014
 
 
Trustworthy Computing | October 2014
Microsoft Security Newsletter
 
 
Welcome to October’s Security Newsletter!
This month’s newsletter focuses on security controls in cloud services. Having a rich set of security controls and a defense-in-depth strategy helps ensure that should any one area fail, there are compensating controls in other areas to maintain security and privacy at all times. Security should be an ongoing effort that combines experienced and qualified personnel, software and hardware technologies, as well as robust processes to design, build, deploy, operate, and support a cloud service. Security must be vigilantly maintained, regularly enhanced, and routinely verified through testing.
When it comes to the cloud, your cloud provider is an important partner in helping to protect your data. This chart provides a good visual on the shared responsibility of security controls between the cloud customer and cloud provider when it comes to data protection whether you are using Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and/or Software as a Service (SaaS).
- Cloud provider controls – Cloud provider controls include technical capabilities, operational procedures, and policies that are enabled for customers using the service. Examples include security best practices like penetration testing and defense-in-depth to help protect against cyber threats, as well as physical and data security with access control, encryption, and strong authentication to help prevent unauthorized access.
- Cloud customer controls – Cloud customer controls include features that enable customers to customize their environments based on the specific needs of their organizations. Examples include unique customer controls such as Rights Management Service and Data Loss Protection which can help empower customers to protect information.
Of course, these are just a few examples of security controls and how a cloud provider is an important partner in helping protect data. For more in-depth information on security controls for enterprises, I encourage you to check out the many great resources included in this month’s newsletter.
Best regards,
Tim Rains, Director
Microsoft Trustworthy Computing
Have feedback on how we can improve this newsletter? Email us at secnlfb@microsoft.com and share your ideas.
 
Top Stories
 
 
http://blogs.microsoft.com/cybertrust/2014/10/01/trustworthy-cloud-series-managing-secure-cloud-operations/
Trustworthy Cloud Series: Managing Secure Cloud Operations
When it comes to choosing a cloud provider, how do you decide who to trust with your most sensitive information? Learn how Microsoft utilizes the Operational Security Assurance (OSA) framework for its cloud services, which details the approach to security controls such as vulnerability scanning, patch management, encryption, and more.
 
http://blogs.microsoft.com/cybertrust/2014/10/22/windows-10-continuing-to-raise-the-security-bar-for-cybercriminals/
Windows 10: Continuing to Raise the Security Bar for Cybercriminals
Check out some of the highlights from Jim Alkove’s post about the important changes that are coming in Windows with regard to identity protection and access control, information protection, and threat resistance.
 
http://blogs.office.com/2014/09/23/microsoft-online-services-bug-bounty-program-launches-office-365/
Microsoft’s Perspective on the Cybersecurity Framework: Next Steps for Incentives and International Harmonization
The Cybersecurity Framework issued earlier this year by the U.S. National Institute for Standards and Technology (NIST) offers the opportunity for international collaboration because it is rooted in widely-recognized international and national standards and practices. Read about Microsoft’s recently filed comments in response to NIST’s Request for Information (RFI) about our experience with the Cybersecurity Framework.
 
Security Guidance
 
http://social.technet.microsoft.com/wiki/contents/articles/15530.the-four-pillars-of-identity-identity-management-in-the-age-of-hybrid-it.aspx
Security Tip of the Month: Identity Management in the Age of Hybrid IT 
Get detailed information on the four fundamental pillars of identity—administration, authentication, authorization, auditing—that can be useful in creating a strategic direction for an identity infrastructure in your organization.
 
http://social.technet.microsoft.com/wiki/contents/articles/3794.cloud-computing-security-architecture-it-pro-perspective.aspx
Cloud Computing Security Architecture: The IT Pro Perspective
Get comprehensive guidance on planning for security as part of your cloud infrastructure. Start with an overview of cloud security (http://social.technet.microsoft.com/wiki/contents/articles/3795.cloud-security-overview.aspx), then move on to:
- http://social.technet.microsoft.com/wiki/contents/articles/security-issues-in-cloud-deployment-models.aspx
  Security Implications of Cloud Deployment Models
- http://social.technet.microsoft.com/wiki/contents/articles/security-implications-of-cloud-service-models.aspx
  Security Considerations for Cloud Service Models
- http://social.technet.microsoft.com/wiki/contents/articles/3798.aspx
  Identity and Access Management
- http://social.technet.microsoft.com/wiki/contents/articles/security-management-and-monitoring.aspx
  Security Management and Monitoring
- http://social.technet.microsoft.com/wiki/contents/articles/compliance-issues-in-the-cloud.aspx
  Compliance Issues in the Cloud

https://gallery.technet.microsoft.com/A-Solution-for-Private-67209ab1 
A Solution for Private Cloud Security 
Download a comprehensive explanation of the process for designing and running security for a private cloud environment. This solution includes a blueprint guide, design guide, and operations guide. 
 
http://social.technet.microsoft.com/wiki/contents/articles/3819.reference-architecture-for-private-cloud.aspx
Private Cloud Reference Guide
Find an overview of private cloud architecture and information on the principles, patterns, and concepts as well as planning guides for IaaS, service delivery, operations, and systems management.

http://azure.microsoft.com/en-us/support/trust-center/security/ 
Microsoft Azure Trust Center 
Explore the security controls and capabilities delivered by Microsoft Azure, and find information on how to carry out authorized penetration testing for your applications hosted in Azure. 
 
Community Update
 
http://blogs.microsoft.com/cybertrust/2014/10/22/you-asked-we-answered-askpth-questions-and-answers/
You Asked, We Answered: #AskPtH Questions and Answers 
Pass-the-Hash (PtH) refers to a technique that allows an attacker to capture account logon credentials on one compromised computer, and then use those captured credentials to authenticate to other computers across the network. Many organizations who want to protect their networks are particularly interested in this technique so we opened the conversation to @msftsecurity Twitter followers and asked what questions you had about PtH. Check out the first set of short video segments answering some of the questions we’ve received to date. 
 
http://blogs.microsoft.com/cybertrust/2014/10/23/vuln-hunt-find-the-security-vulnerability-challenge-3/
Vuln Hunt: Find the Security Vulnerability Challenge #3
This particular type of vulnerability is used to attack data-driven applications found across the web. It has been around for over a decade and is one of the top threats today. Do you know what it is?
 
This Month's Security Bulletins
 
October 2014 Security Bulletins
Critical
 
- MS14-056:2987107
  https://technet.microsoft.com/library/security/ms14-056
  Cumulative Security Update for Internet Explorer

- MS14-057:3000414
  https://technet.microsoft.com/library/security/ms14-057
  Vulnerabilities in .NET Framework Could Allow Remote Code Execution

- MS14-058:3000061
  https://technet.microsoft.com/library/security/ms14-058
  Vulnerability in Kernel-Mode Driver Could Allow Remote Code Execution

Important

- MS14-059:2990942
  https://technet.microsoft.com/library/security/ms14-059
  Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass

- MS14-060:3000869
  https://technet.microsoft.com/library/security/ms14-060
  Vulnerability in Windows OLE Could Allow Remote Code Execution

- MS14-061:3000434
  https://technet.microsoft.com/library/security/ms14-061
  Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution

- MS14-062:2993254
  https://technet.microsoft.com/library/security/ms14-062
  Vulnerability in Message Queuing Service Could Allow Elevation of Privilege

- MS14-063:2998579
  https://technet.microsoft.com/library/security/ms14-063
  Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege
 
October 2014 Security Bulletin Resources:
 
- http://blogs.technet.com/b/msrc/archive/2014/10/14/october-2014-updates.aspx
  October 2014 Bulletin Release Blog Post "October 2014 Security Updates"
- https://www.youtube.com/watch?v=qXtDMxgnN50
  October 2014 Security Bulletin Webcast
- http://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx
  Malicious Software Removal Tool: October 2014 Update
 
Security Events and Training
 
http://www.microsoftvirtualacademy.com/training-topics/hybrid-cloud
Microsoft Virtual Academy (MVA): Hybrid Cloud
Explore the advantages and flexibility of the hybrid cloud, where you can keep your critical data on-premises and get greater scale for your day-to-day operations. Learn how to optimize your organization’s IT infrastructure with Microsoft hybrid cloud technologies with best practices and detailed implementation guidance.

http://www.microsoftvirtualacademy.com/training-topics/private_cloud_topic_page_en
MVA: Private Cloud
Learn how to build, deploy, and maintain a private cloud. In these courses, you will learn about core Windows Server products, and how to use them to build and support the virtualized and physical resources that are part of your private cloud infrastructure. You will also hear about common cloud computing configuration and management practices, as well as technical details to help you be successful in building a private cloud for your business.

https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032598914
Dimension Data Series – The Hybrid Cloud: A Balancing Act Between Benefits and Security
Thursday, December 4, 2014 – 10:00 AM Pacific Time
Learn how to extend your datacenter to the cloud in a secure and automated way, how to secure your information in the cloud, how to manage security in a mix of private and public clouds, and why a hosted private cloud can be the best solution for sensitive data and mission critical workloads.

https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032602816
Windows 10 for Enterprise
Thursday, November 20, 2014 – 9:00 AM Pacific Time
Be one of the first to take an early look at some of the features and functionality for business users in the next version of Windows including those that protect against modern security threats.
 
 
Essential Tools
 
- http://technet.microsoft.com/security/bulletin
  Microsoft Security Bulletins
- http://technet.microsoft.com/security/advisory
  Microsoft Security Advisories
- http://technet.microsoft.com/solutionaccelerators/cc835245.aspx
  Security Compliance Manager
- http://www.microsoft.com/security/sdl/adopt/starterkit.aspx
  Microsoft Security Development Lifecycle Starter Kit
- http://support.microsoft.com/kb/2458544
  Enhanced Mitigation Experience Toolkit
- http://www.microsoft.com/security/pc-security/malware-removal.aspx
  Malicious Software Removal Tool
- http://technet.microsoft.com/security/cc184924.aspx
  Microsoft Baseline Security Analyzer

Security Centers

- http://technet.microsoft.com/security
  Security TechCenter
- http://msdn.microsoft.com/security
  Security Developer Center
- http://www.microsoft.com/security/msrc/default.aspx
  Microsoft Security Response Center
- http://www.microsoft.com/security/portal/
  Microsoft Malware Protection Center
- http://www.microsoft.com/privacy
  Microsoft Privacy
- http://support.microsoft.com/select/default.aspx?target=hub&c1=10750
  Microsoft Security Product Solution Centers

Additional Resources

- http://www.microsoft.com/about/twc/en/us/blogs.aspx
  Trustworthy Computing Security and Privacy Blogs
- http://www.microsoft.com/security/sir
  Microsoft Security Intelligence Report
- http://www.microsoft.com/security/sdl
  Microsoft Security Development Lifecycle
- http://technet.microsoft.com/library/cc162838.aspx
  Malware Response Guide
- http://technet.microsoft.com/security/bb980617.aspx
  Security Troubleshooting and Support Resources
- http://www.microsoft-careers.com/go/Trustworthy-Computing-Jobs/194701/
  Trustworthy Computing Careers
 
 
 
 
This is a monthly newsletter for IT professionals and developers–bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.
(c) 2014 Microsoft Corporation 
 