AOH :: ISNQ5422.HTM

What spooks Microsoft's chief security advisor




What spooks Microsoft's chief security advisor
What spooks Microsoft's chief security advisor



  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

--1457021584-1344003193-1206685981=:11475
Content-Type: TEXT/PLAIN; CHARSET=UTF-8
Content-Transfer-Encoding: QUOTED-PRINTABLE
Content-ID:  

http://www.networkworld.com/news/2008/032608-microsoft-security-concerns.html 

By Bob Brown
Network World
03/26/2008

BOSTON -- Microsoft's U.S. general manager/chief security advisor for 
its National Security Team thinks like a true security professional: In 
every bit of good news, Bret Arsenault wonders what bad news could be 
lurking behind it.

Speaking at the Boston SecureWorld conference Wednesday, the 19-year 
Microsoft veteran whose job includes protecting enterprises, developers 
and Microsoft itself said there actually is plenty of good news on the 
security front. For example, his outfit scans a half million devices 
(with customer permission) per month and in the first half of last year 
saw the first period-over-period decline in new vulnerabilities 
disclosed across Microsoft and non-Microsoft software since 2003.

However, 3,400 new vulnerabilities were discovered and =E2=80=9Cit=E2=80=99s still a big 
number,=E2=80=9D Arsenault says. =E2=80=9CSo if vulnerability rates are down, where are 
they?=E2=80=9D

One trend that pops out is that attackers are increasingly laying off 
operating systems and exploiting applications instead. One reason for 
this, Arsenault says, is that vendors like Microsoft, Apple and Red Hat 
have done a good job in recent years securing the IP stack and operating 
system.

Arsenault pointed out that the first operating system hardening guide 
Microsoft wrote for Windows 2000 came 18 months after shipment of the 
product; the next (for XP Service Pack 2) was within 90 days of product 
shipment. With Vista and other new products, Microsoft ships the 
hardening guide along with the product. =E2=80=9COn the application side, on the 
other hand, we=E2=80=99re very far behind,=E2=80=9D Arsenault said (though he said the 
Office 2007 hardening guide is very solid, even if it did take a 
year-plus to release it).

=E2=80=9CYou have your classic arms escalation race between the hackers and the 
people who are trying to protect [software], so [the hackers] go after 
the easiest target that=E2=80=99s least protected,=E2=80=9D Arsenault said. =E2=80=9CThe 
application space is the next space in the model they=E2=80=99re going after,=E2=80=9D 
and he sees this continuing to be the case for at least the next few 
years. And Arsenault is talking about Office as well as CRM, ERP and 
other programs that contain the sorts of data that financially motivated 
hackers crave.

=E2=80=9CThis is not a problem that people should be thinking is just an Office 
problem,=E2=80=9D he said. =E2=80=9CIt=E2=80=99s anybody who uses file formats that are not XML 
based going forward.=E2=80=9D Adobe, Corel and Google are among others facing 
similar challenges, Arsenault said.

Microsoft has made fixes to older products, such as Office 2003, but 
Arsenault emphasizes that it=E2=80=99s a lot harder to retrofit an old product 
for a new environment than it is to build a newer product, say Office 
2007, more securely. He made an analogy about the tradeoffs of updating 
older software to his desire to add airbags to his 1992 Toyota: He can 
(and will) actually get it done, but it=E2=80=99s going to cost him.

Another thing that worries Arsenault: security issues surrounding Web 
2.0, Web services and software as a service. =E2=80=9CThey all rely on deeper 
trust at the client level and a smarter client to do that trust model,=E2=80=9D 
he said. =E2=80=9CWe can=E2=80=99t assume that the traditional model we are using is 
actually going to work.=E2=80=9D

Danger signs are also emerging when it comes to securing virtualized 
systems.

=E2=80=9CYour CIOs have no clue as to where we are on this,=E2=80=9D he told the 
audience of security pros. =E2=80=9CI think that there=E2=80=99s a lot of things we 
don=E2=80=99t have right on virtualization as an industry=E2=80=A6.We=E2=80=99ve got the ability 
given its nascent state today working with all the folks doing 
virtualization to put some things in hypervisors and other components 
that would allow us not to play catch up like we have over the past 7 
years in security.=E2=80=9D

Microsoft gathers security data in a number of ways and formats, 
including its Security Intelligence Report, now conducted twice a year 
but potentially going quarterly.

Among the most frustrating findings for Arsenault: Just over half of all 
attacks originated from the .edu domain. =E2=80=9C[That=E2=80=99s] a fundamental 
problem,=E2=80=9D he said. =E2=80=9CWe=E2=80=99ve got to do a better job with the university 
systems to stop that.=E2=80=9D

As for geographically where attacks are coming from, all eyes are on 
China, the source of 380% more attacks than a year ago.

In terms of what kind of malware is showing up most often, Trojans are 
on the rise. Rootkits are raising their ugly heads, but fortunately, 
Arsenault said, they=E2=80=99re so hard to write that they probably won=E2=80=99t get 
too much worse.

On a positive note, Microsoft is seeing the amount of publicly 
exploitable code, at least for its own software, shrink. But Arsenault 
does sweat over whether there=E2=80=99s really less exploitable code, or whether 
it=E2=80=99s more a case of such code just being kept secret by nation states 
looking to wage cyberwar.

Microsoft also gets a read on security issues by holding CSO and CIO 
summits (Arsenault is executive host for the company=E2=80=99s annual CSO 
Summit, at which 300 top CSOs, mostly from the United States, partake). 
Microsoft compares data from the two groups to determine whether 
security concerns are being taken seriously by CIOs.

In Microsoft=E2=80=99s latest survey of CSOs, it found that protection is the 
top security issue (62%), followed by identity/access management (57%) 
and compliance (44% and falling in the rankings, a finding consistent 
among CIOs as well). Secure messaging/collaboration is among issues on 
the rise, as is application architecture (=E2=80=9CThe biggest question there is 
how far back you go in your code base,=E2=80=9D Arsenault added). Patch 
management ranked 6th on this list, with 29% citing it, though Arsenault 
says this topic ranked first about years ago.

Arsenault also spent a chunk of his talk discussing why Microsoft makes 
the security investment and partnership and technology decisions it 
does, and steps Microsoft has taken internally to shore up its security 
and protect its own intellectual property and systems. He noted that 
decisions, such as what security products to include in an operating 
system, aren=E2=80=99t always up to Microsoft given certain regulatory 
restrictions. Others, such as how to integrate security and management 
products, are also complex. He also discussed the requirement to weigh 
the needs of enterprises, small businesses and consumers, noting that 
security at the consumer level can have a big impact on enterprise 
security.

Arsenault isn=E2=80=99t your typical Microsoft speaker. He prefaced his talk by 
noting that he has spent his entire career at the company outside of the 
profit and loss side of things and doesn=E2=80=99t really care whether you buy 
Microsoft Forefront security products or technology from someone else 
(he even fessed up to using Quicken rather than MSN Money). =E2=80=9CI have a 
vested interest in reducing security risk in the overall environment so 
we don=E2=80=99t slow down the computing stuff that=E2=80=99s been going on or what 
you=E2=80=99re doing over the Internet.=E2=80=9D

All contents copyright 1995-2008 Network World, Inc.


--1457021584-1344003193-1206685981=:11475
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 
--1457021584-1344003193-1206685981=:11475--

Site design & layout copyright © 1986-2014 CodeGods