Skip to main content

Trustworthy Computing

Microsoft Security Newsletter

Stay up to date with security insights, resources, best practices, and events for IT professionals and developers. Browse past newsletters or subscribe to get the latest news delivered to your inbox.

Subscribe

 

 
 
Welcome to January’s Security Newsletter!

We thought we would kick off the new year by providing you with insight into our “Top Cyber Threat Predictions for 2014.” This is a topic that continues to garner interest by security professionals and something we thought you all might enjoy. Below are the top predictions for 2014 provided by a wide-range of senior cybersecurity leaders at Microsoft:

Prediction #1: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization
 
Prediction #2: Service-Impacting Interruptions for Online Services Will Persist
 
Prediction #3: We Will See an Increase in Cybercrime Activity Related to the World Cup
 
Prediction #4: Rise of Regional Cloud Services
 
Prediction #5: Dev-Ops Security Integration Fast Becoming Critical
 
Prediction #6: Cybercrime that Leverages Unsupported Software will Increase
 
Prediction #7: Increase in Social Engineering
 
Prediction #8: Ransomware will Impact More People


More information on each of these predictions can be found in the Microsoft Security Blog. To summarize, we have seen some significant shifts in the threat landscape and in the industry in 2013, but basic security fundamentals continue to be effective at mitigating the risks. Keeping all software up to date, running anti-malware software from a trusted source, and demanding that the software you use has been developed using a security development lifecycle will continue to be best practices in 2014. Leveraging cloud services will also pay security, privacy and reliability dividends in the new year and beyond.

This month’s newsletter features the top tools and resources to help you protect yourself, your organization, and your customers against some of the threats outlined in these predictions. I hope you find this information helpful and wish you all a happy new year.

Tim Rains Best regards,
Tim Rains, Director
Microsoft Trustworthy Computing


Have feedback on how we can improve this newsletter? Email us at secnlfb@microsoft.comand share your ideas.

 

Top Stories
 
Suggested Resolutions for Cloud Providers in 2014: Reinforce that Security is a Shared Responsibility
When an organization is moving to the cloud, everyone has a role to play when it comes to security. Learn why this is an important new year’s resolution for both cloud providers and their customers in this blog post from Adrienne Hall, General Manager of Microsoft Trustworthy Computing, then explore other suggested resolutions around clearly defining what a cloud service does (and doesn’t) do and avoiding acronymswhen discussing cloud services.

The Cybersecurity Risk Paradox
Download a new report on the impact of social, economic, and technological factors on cybersecurity. This special edition of the Microsoft Security Intelligence Report outlines the challenges in developing countries and offers policy recommendations.

Drive-by Download Attacks: Examining the Web Server Platforms Attackers Use Most Often
Drive-by download attacks continue to be many attacker’s favorite type of attack. A drive-by download site is a website that hosts one or more exploits that target vulnerabilities in web browsers and browser add-ons. Users with vulnerable computers can be infected with malware simply by visiting such a website, even without attempting to download anything. Explore this trend in more detail and learn how developers and IT pros can take action to manage the risks associated with this type of attack.

 

Security Guidance
 
Security Tip of the Month: Translate "Geek Speak" into "Executive Speak"
For business leaders and decision makers, it has never been more important to have a regular, open dialogue about security with IT staff. Learn why security professionals should learn to translate "geek speak" into "executive speak" to ensure that their concerns and recommendations are heard.

A Guide to Data Governance for Privacy, Confidentiality, and Compliance
Data governance is an approach that public and private entities can use to organize one or more aspects of their data management efforts, including business intelligence (BI), data security and privacy, master data management (MDM), and data quality (DQ) management. This series of guides aims to answer key questions about how to approach the combined challenges of information security and privacy and the associated regulatory compliance obligations.

Privacy Guidelines for Developing Software Products and Services
As the threat landscape escalates, customers are feeling less able to control access to their personal information. As a result, Microsoft has developed a set of privacy guidelines for developing software products and services based on its internal guidelines to help you incorporate privacy into your own development process.

Resilience by Design for Cloud Services
Learn about Resiliency Modeling and Analysis (RMA), a methodology for improving resiliency adapted from the industry-standard technique known as Failure Mode and Effects Analysis (FMEA), and get guidance for incorporating robust resilience design into the development cycle.

Deploying Highly Available and Secure Cloud Solutions
Explore the key principles cloud providers should consider when developing and deploying cloud services and get real-world examples of deploying robust cloud solutions to maintain highly available and secure client connections.

How to Mitigate Against Targeted Cyber Intrusion
Sensitive information, corporate intellectual property, financial information, and private personal data is being lost to cyber intrusions targeted at government agencies and private enterprises. Explore some effective protections that you can put in place without a new investment in technology or personnel.

The Compliance Benefits of Better Application Security
At first glance, the overlap between compliance and software security is limited to the specific software security requirements posed in standards such as the Payment Application Data Security Standard (PA DSS). In practice however, software security and IT compliance are deeply intertwined. This paper explains why.

End User Education in the Real World
Learn some valuable tips to employ when educating your users about security and privacy, and find out how to create an effective security awareness program. Looking for resources to help you explain social engineering and ransomware to your end users? Check out the Microsoft Safety & Security Center’s email and social networking resources and What is ransomware?. For additional guidance for your organization, see How to Protect Insiders from Social Engineering Threats.

 

This Month's Security Bulletins
 

January 2014 Security Bulletins

Important

 
MS14-001:2916605 Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution
 
MS14-002:2914368 Vulnerability in Windows Kernel Could Allow Elevation of Privilege
 
MS14-003:2913602 Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege
 
MS14-004:2880826 Vulnerability in Microsoft Dynamics AX Could Allow Denial of Service
 

January 2014 Security Bulletin Resources:

 
Microsoft Security Response Center (MSRC) Blog Post
 
Security Bulletin Webcast
 
Security Bulletin Webcast Q&A
 

Security Events and Training
 
Microsoft Webcast: Information about the February 2014 Security Bulletin Release
Wednesday, February 12, 2014 – 11:00AM Pacific Time
Join this webcast for a brief overview of the technical details of February’s Microsoft security bulletins. Ask questions and get answers from Microsoft security experts.

RSA Conference Session: A Deep Dive into the Security Threat Landscape of the Middle East
Wednesday, February 26, 2014 – 8:00AM Pacific Time, Moscone Center (West, Room 3002), San Francisco, CA
The Middle East has seen a number of high profile targeted attacks in the past few years. If you are attending the RSA Conference this year, be sure to join Microsoft TwC Director Tim Rains for this session as he takes a closer a look at the security threat landscape in several Middle Eastern countries, including Egypt, Iraq, Qatar and Saudi Arabia.

Microsoft Cloud Services – Taking Any App to the Cloud
Wednesday, March 5, 2014 – 10:00AM Pacific Time
Migrating business to the cloud isn’t just a trend anymore, but rather a fundamental business requirement. Learn how the Windows Azure Platform-as-a-Service (PaaS) strategy can help you build and run custom enterprise-grade applications as services with near-infinite scalability and security.

Microsoft Webcast: Information about the March 2014 Security Bulletin Release
Wednesday, March 12, 2014 – 11:00AM Pacific Time
Join this webcast for a brief overview of the technical details of March’s Microsoft security bulletins. Ask questions and get answers from Microsoft security experts.

MTC LIVE Atlanta Presents – Identity and Security in the Cloud
Thursday, March 27, 2014 – 3:00PM Eastern Time
How do you keep your users mobile and productive while ensuring that your organization’s data and resources are safe? Join this live, interactive session to learn how to: provide access and information protection that allows you to control access to corporate data and resources while offering a seamless end-user authentication experience; manage and federate user identities across the organization and into the cloud in order to provide employees appropriate access to the needed resources; and provide secure and always-available remote access capabilities to ensure corporate resources can be reached from anywhere and yet still controlled and protected.

TechEd North America 2014
May 12-15, 2014 – Houston, Texas
In 2014, Microsoft is bringing together the best of TechEd and the Microsoft Management Summit (MMS) to help skilled technology professionals increase their technical expertise, share best practices, and interaction with Microsoft and a variety of industry experts and their peers. Explore the security aspects of data platforms and business intelligence, datacenter and infrastructure management, people-centric IT, Windows (devices and Windows Phone), and much more. Register today.

 
 

Essential Tools

 
Microsoft Security Bulletins
 
Microsoft Security Advisories
 
Security Compliance Manager
 
Microsoft Security Development Lifecycle Starter Kit
 
Enhanced Mitigation Experience Toolkit
 
Malicious Software Removal Tool
 
Microsoft Baseline Security Analyzer
 

Security Centers

 
Security TechCenter
 
Security Developer Center
 
Microsoft Security Response Center
 
Microsoft Malware Protection Center
 
Microsoft Privacy
 
Microsoft Security Product Solution Centers
 

Additional Resources

 
Trustworthy Computing Security and Privacy Blogs
 
Microsoft Security Intelligence Report
 
Microsoft Security Development Lifecycle
 
Malware Response Guide
 
Security Troubleshooting and Support Resources
 
Trustworthy Computing Careers
 
 
 
 
 microsoft.com/about/twcTrustworthy Computing 
 
 
 Microsoft respects your privacy. To learn more please read our online Privacy Statement.

If you would prefer not to receive the Microsoft Security Newsletter from Microsoft and its family of companies, please click here. These settings will not affect any other newsletters you’ve requested or any mandatory service communications you’ve requested that are considered part of certain Microsoft services.

To set your contact preferences for other Microsoft communications, click here.