Cybersecurity Blog

Cybersecurity researchers from across Georgia Tech and the Georgia Tech Research Institute share their thoughts about emerging threats, trends, and technologies in the constant fight to secure data and information systems. Read what's capturing their attention and new insights they offer about cybersecurity topics in the news.

Blog entries are aggregated monthly into the Source Port newsletter, with additional research and updates from Georgia Tech. Source Port is published on the first business day of the month.

Microsoft Document Provides Insight into Tech Giant's Philosophy for Addressing Vulnerabilities

June 22, 2018  |  By Joel Odom

Microsoft has published a draft of a six-page document that describes how their security response center decides how to handle vulnerabilities reported by security researchers. The document explains that vulnerabilities that violate certain security boundaries or security features are subject to patching, whereas other vulnerabilities may only be addressed in future versions of their products. The document also clarifies which security features are subject to bug-bounty awards and which are not.


IISP Analyst Joel Odom: "A short draft publication like this may not at first seem to be the kind of material that is worth much commentary, but its release in the security research community has stirred interest because of the insight it provides into what security features Microsoft considers most important. It's an educational piece for security managers and for technical persons alike.

According to the paper, there are two questions that Microsoft asks when deciding how to triage a security vulnerability. The questions can be simplified into: Is the vulnerability dangerous in a security feature that Microsoft is committed to protecting? If the answer is yes, then Microsoft will patch the vulnerability. It's a common-sense question that balances business costs and security. The meat of the paper explains how Microsoft answers this question.

A large section discusses security boundaries. Most computers have network connections, multiple users, and may be used to run software (including web applications) from different sources. Security boundaries to protect a computer and its data reside at the point of network entry, at the boundary between tabs in a web browser, and at the boundary between user applications and the operating system. The rise of virtualization has created the need to protect virtual computers running on the same host from each other. The Microsoft paper includes an informative list of important security boundaries, every one of which Microsoft indicates they are committed to protecting. Understanding these security boundaries is important to understanding how a modern operating system protects data.

The paper also discusses security features, such as access-control features that authenticate users onto the system and that make decisions about what actions an authenticated user is allowed to take. System cryptography services, which both user applications and the operating system use to perform exceptionally sensitive operations, are also included in the list of security features. As in the case of the security boundaries listed in the paper, Microsoft indicates that they are committed to patching all of the security features described in the paper.

We also learn from this document the kinds of features that Microsoft is not necessarily committed to patching. In particular, Microsoft notes that defense-in-depth features, which provide extra layers of safety, will not necessarily be patched if a flaw is discovered. For example, User Account Control, which gives a user a visual cue when applications request administrative access to the system, will not necessarily be patched. This is not a problem from a security standpoint. Security is never perfect, and there is always a tradeoff between business requirements and the cost of security. The insight into how Microsoft calculates this tradeoff within the paper should be interesting to security managers and techies alike."

About the Analysts

Holly Dragoo is a research associate with the Advanced Concepts Laboratory (ACL) at the Georgia Tech Research Institute. Her previous work with the U.S. Department of Defense and Federal Bureau of Investigation gives her a unique understanding of intelligence community requirements. Dragoo's research interests include cybersecurity policy issues, threat attribution, metadata analysis, and adversarial network reconstruction.

Panagiotis Kintis is a Ph.D. student at Georgia Tech's School of Computer Science and a researcher in the Astrolavos Lab. His research examines new techniques for data analysis and cyber attribution with a special focus on clues that can be obtained from the network layer of the Internet, such as bot activity and domain name abuse (combosquatting).

Brenden Kuerbis, Ph.D., is a postdoctoral researcher at Georgia Tech's School of Public Policy and a former Fellow in Internet Security Governance at the Citizen Lab, Munk School of Global Affairs, University of Toronto. His research focuses on the governance of Internet identifiers (e.g., domain names, IP addresses) and the intersection of nation-state cybersecurity concerns with forms of Internet governance.

Joel Odom leads a team of researchers focused on software security as branch head for the Cybersecurity, Information Protection, and Hardware Evaluation Research (CIPHER) Laboratory at the Georgia Tech Research Institute. He and his team research static and dynamic software analysis, software testing techniques, software reverse engineering, and software vulnerability discovery and mitigation.

Chris M. Roberts is a senior research engineer with the Cybersecurity, Information Protection, and Hardware Evaluation Research (CIPHER) Laboratory at the Georgia Tech Research Institute specializing in embedded firmware reverse engineering and hardware analysis. Mr. Roberts' technical expertise has expanded to cover radio frequency system design, electronic and cyber warfare, hardware and firmware reverse engineering, vulnerability assessments of embedded systems, and assessment of vulnerability to wireless cyberattacks.