Q&A: How Microsoft Is Keeping Pace with an Ever-Changing Security Landscape

REDMOND, Wash., Feb. 15, 2005 — It seems quaint to think that just a dozen or so years ago, a PC with a 50-MHz processor and 100 MB of hard-disk drive space was a high-end computer. Most people at that time had not even begun to consider the potential of the Internet or e-mail — which were almost entirely corporate and academic tools — and the biggest threats to secure PC use were disgruntled employees, social engineering and the relatively remote possibility of a simple virus, written by someone more interested in showing off than anything else.

Today, its hard to imagine any part of life that doesnt somehow involve a PC. Nearly 700 million computers worldwide are used by 720 million people, a number that has doubled in four years.

Amid this growth, however, the rise of spam, phishing, identity theft, Trojan horses and other new threats have kept computer users on the defensive and software makers scrambling to fortify products, while still delivering innovative new technologies and further increasing the value that computers bring to our daily lives. Microsoft has countered the increase in criminal activity and security threats by accelerating its dedication to its Trustworthy Computing initiative and security, as reflected in recent accomplishments such as Microsoft Windows XP Service Pack 2 and a number of advances in server security. And more is still to come, including several announcements being made this week at RSA Conference 2005 in San Francisco (today through Feb.18).



Mike Nash, Corporate V.P., Microsoft Security Business & Technology Unit

PressPass recently caught up with Mike Nash , corporate vice president of the Security Business & Technology Unit at Microsoft, to talk about how Microsoft is adjusting to the ever-evolving environment of PC security.

PressPass: What is your view of the computer security landscape currently?

Nash: Just in the last year or so, weve seen a shift in the threat environment in a number of areas. For one, cyber-criminals have advanced from fairly simple virus writing to more clever attacks, sometimes using more than one attack mechanism. This would include tactics such as elaborate phishing scams, which use phony Web sites to steal credit-card numbers and perpetrate identity theft; fraudulent spam that launches viruses or spyware; and malware such as Trojans, which enable bad guys to take remote control over thousands of computers for massive, distributed attacks.

Another shift is in the motive of the typical cyber-criminal. A few years ago, most of the people who launched viruses did so for fame or notoriety. Now, according to the FBI, online fraud and malware attacks are much more oriented toward financial goals, and increasingly appear to involve organized crime. Another new development is that the PC is no longer the only target for online crime — cell phones and other mobile operating systems are new vehicles for viruses, spam and other threats.

PressPass: Many security issues come through the browser. How are you working to improve browser security?

Nash: What I think a lot of people dont realize is that the Internet Explorer we shipped in Windows XP Service Pack 2 incorporates a host of security enhancements that make it very competitive — in terms of security protection — with any other browser. This includes functionality such as add-on management to control spyware, pop-up blockers, greater user control over decisions, tools that allow or block ActiveX objects according to user-assigned security zones, object caching to protect against cross-domain attacks, privilege elevation blocking, and much more.

Internet Explorer with SP2 is not just well-fortified against vulnerabilities. It also offers the greatest extensibility — that is, how it accommodates additional features, functions or applications. It allows easier and better manageability, meaning its ease of deployment, configuration and maintenance. It is also more serviceable, which refers to support and the ease of updating. We know that people have a choice when it comes to Web browsers, and we want people who use Internet Explorer to know they made the best choice. And wed really encourage them to move to Windows XP Service Pack 2 — its the most secure browser weve ever released, and a lot more secure than most people might think.

PressPass: Whats next for Internet Explorer?

Nash: Were very excited to announce at the RSA Conference today that this summer well release a beta of Internet Explorer 7.0 for Windows XP with Service Pack 2, which will have even more enhancements to security and privacy protections. These enhancements align very closely with the three core tenets of Microsofts security approach that I mentioned earlier. Internet Explorer 7.0 will be the most secure browser weve ever released, building on and surpassing the success of the SP2-enhanced Internet Explorer 6.0. We dont plan to ship it until it meets our quality bar, which weve set pretty high.

PressPass: Doesnt this new, more dynamic threat environment make it hard for PC users to keep themselves protected?

Nash: This is precisely why we at Microsoft are committed to making sure our customers have the best possible protection, and, at the same time, to making it easier for them. Our approach to security is generally focused on three key areas:

  • Technology innovation and investment, meaning were continuing to improve our products, develop new technologies and simplify and streamline the updating process

  • Customer guidance and engagement, which means we work with customers and help them maximize the security of their computing experience

  • Industry leadership, which is collaboration and knowledge sharing with the industry, government, law enforcement and academia.

We feel this approach is a strong one and has produced great results, an excellent example of which is Windows XP SP2, which has been distributed to over 170 million customers across 25 languages.

The National Cyber Security Alliance estimates that two-thirds of the home computers in the United States do not have any activated firewall, and the same percentage is operating without current anti-virus software, We think we can do a lot to help protect these customers with guidance and innovation such as that we delivered with Windows XP SP2. Security pressures can be overwhelming, not just for the PC novice, but even for seasoned IT professionals scrambling to protect corporate infrastructures, which can be an extremely complex task. In light of the increasingly sophisticated threats, PC users — both consumer and enterprise — need easier and more effective ways to protect themselves, their computers and their data.

PressPass: What steps has Microsoft taken to address this threat environment?

Nash: The best security protections are layered, for what we call a
“defense-in-depth”
approach. When you think about securing your house, you lock doors and windows, trim the hedges a certain way, think about lighting, and maybe have an alarm system as well, depending on your individual need. Security to protect against online threats is similar.

I think Windows XP SP2 was a very strong step, developed with a focus on addressing vectors or modes of attack, including having the firewall in Windows on by default, which is a simple but very powerful protection. For business customers we have Internet Security and Acceleration Server 2004 (ISA), which can play a major role in protecting a network at its perimeter by identifying and blocking threats before they reach critical systems.

We released a beta of Microsoft AntiSpyware in early January, and currently have seen more than 6 million copies downloaded. This product has helped customers remove more than 27 million spyware and other potentially unwanted software programs from their machines — just another example of how were helping to protect more customers by providing technologies that contribute to a greater depth of security.

Similarly, for over a year, weve been releasing cleaner tools for malicious software, which have been run by around 200 million customers. And of course, we just announced our intent to acquire Sybari to help us bring stronger antivirus protections to a broader range of business customers.

PressPass: Does Windows XP SP2 really make computers more secure?

Nash: Most definitely. Windows XP with SP2 is easily the most secure version of Windows that we have shipped. SP2 was designed to reduce the number of critical vulnerabilities and at the same time help make the software more resilient to attack. In addition, many vulnerabilities are mitigated by the default settings and changes in the underlying architecture of SP2. For example, SP2 includes fixes that would have prevented infection from worms such as Blaster or Sasser.

Beyond that, SP2 would have addressed these specific threats through that
“defense-in-depth”
strategy I mentioned. First, SP2 encourages customers to enable Automatic Updates. For both Blaster and Sasser, the update that would have fixed the vulnerability these attacks exploited was available before the attack — and SP2 would have made it easier and simpler to get those updates so customers would have been protected. But even if Automatic Updates had not been on, SP2 enables the Windows firewall by default, which would have protected against both Blaster and Sasser. Even if the firewall had not been turned on, there have been underlying code and technical changes that would have prevented these kinds of attacks.

PressPass: What has Microsoft done in the security realm for enterprises?

Nash: Our work in server security is making great progress in enterprise protection. Microsoft Internet Security & Acceleration (ISA) Server 2004 is the latest version of our firewall, VPN and Web-caching security product, and includes a full-featured, application-layer-aware firewall that protects organizations of all sizes from attacks by both external and internal threats. Microsoft Windows Server 2003 got a lot of attention for being the first Microsoft operating system developed under a formal system of security processes and stringent tests, such as penetration testing, threat modeling, code reviews and more. In the first year Windows Server 2003 was available, there was a 63-percent decrease in the number of critical or important security bulletins issued, as compared to the first year Windows 2000 was available. Microsoft SQL Server 2000 Service Pack 3, Microsoft Exchange 2003 Service Pack 2, and the .NET Framework have achieved similar improvements.

Were about to make Windows Server 2003 even stronger with its Service Pack 1, which is currently at the Release Candidate 2 stage. It will reduce server attack surface even more with tools such as the Security Configuration Wizard, has even stronger default settings, centralizes Windows firewall management and limits network access over virtual private networks (VPN) to machines without current security updates. It will also use data execution prevention (DEP) technology to help protect against system exploitation caused by malicious code.

As Bill Gates said in his keynote today, were seeing a dramatic uptake in SP2 deployments in enterprise environments. For example, Holland + Knight, one of the 15 largest law firms in the world, deployed SP2 across 3,500 PCs [see Video Case study link, right]. Merrill Lynch, one of the world’s leading financial management and advisory companies, will deploy SP2 across 50,000 PCs by the end of the summer. And during a recent survey of 800 enterprise customers, we received commitments from 77 percent to deploy Service Pack 2 over the next six months. Im particularly adamant about recommending that business customers migrate their laptops and Internet-facing machines to Windows XP SP2 first.

PressPass: Do you feel Microsoft is keeping ahead of threats?

Nash: There is no such thing as absolute security in life or in computing, but getting as close as possible is a top priority at Microsoft. For that reason, we put strong focus on the security innovation we develop into our products, the processes by which those products are designed and developed. So our best efforts to stay ahead of the threats are reflected in our current products. Anti-spam technologies we’ve developed in our Internet-facing products have made a tremendous difference. MSN Hotmail and MSN e-mail customers have 90 to 95 percent of the spam blocked — thats actually 3.2 billion spam e-mails that Microsoft blocks for these customers each day. MSN employs advanced technology across the network and MSN communication services, including Parental Controls, Pop-Up Guard, Junk E-mail Guard and more. Microsoft has even taken much of the work out of keeping up with monthly security updates through the Automatic Updates feature in SP2. This lets users keep their PC current with minimal effort, and using the latest version of a software program will always provide the best security.

So, although we feel like were making good progress, were not going to rest. Malicious and other unwanted software threats will continue to evolve, making security an ongoing effort for the industry to work together to improve on behalf of our mutual customers. Microsoft will continue to invest in improving security in multiple fronts, including technology innovation, developing prescriptive guidance for customers, and partnering with other industry leaders.

Related Posts