Work Safe, Play Safe
Securing your Workstation in a dangerous World
Adam Taylor, Business Marketing Officer, Microsoft Japan
Contrary to many people's perceptions, software development and fighting spam are not Microsoft Corporation's top priorities. Security is the number one issue in the sights of the software giant formed by Bill Gates and Paul Allen almost 30 years ago.
Even though improving security for users is at the top of the Do List, there is no silver bullet, admitted Adam Taylor, Business Marketing Officer for Microsoft Japan at the Tokyo PC Users Group presentation held on 5 February in Tokyo.
"There are a lot of issues with hackers and people doing illegal things with viruses and infecting computers worldwide," he said. "Hackers are becoming much faster and using more sophisticated means to attack Microsoft programs and because the internet is connected around the world, it impacts everybody."
Adam outlined a number of key points:
- Patches are proliferating and many larger companies are having major problems deploying them all
- Times to exploit are decreasing
- Exploits are becoming more sophisticated
- The current approach is insufficient
"Now we just want to get what we have right," he said, "and that is why we are slowing down the development of Longhorn (the code name for the next version of Microsoft Windows) and working on versions of XP and Windows Server 2003. We have a lot of people back in Redmond redesigning how we engineer software from the specifications stage to the release stage and building in security checkpoints along the way. The company believes change requires lots of innovation and Microsoft is going to work very closely with the software industry and are actively pursuing efforts along those lines," he said.
Current perceptions among customers are that the quality of the patching process is low and inconsistent. "The way different patches work is inconsistent. The way you download them is inconsistent. The documentation with them is inconsistent and Microsoft is on its back feet trying to deal with all of this," he explained. "IT managers of large companies are struggling to keep up with the large number of patches being released and people are asking, 'Can't you just do something to fix your software?'"
Pointing out an interesting difference in perceptions, Adam mentioned, "In Japan, for some reasons, people think of Windows as being flawed, as opposed to the U.S. where they think of hackers as doing bad things."
To bring about change in the right direction, Microsoft's action plan involves:
- Improving the patching experience
- Providing guidance and training
- Mitigating vulnerabilities without patches
- Continuing to improve quality
In the consumer space, Microsoft realizes there is end user interest and concern about security, but consumers are not nearly as interested or sophisticated about the same issues as an IT manager.
"So there is an awareness level the industry needs to help end users understand what they need to do to protect their PCs if they are connected to the internet," he said. "End users are unclear on what steps to take and consumers want the industry to take action."
Microsoft's Security Initiative is a significant investment for the company, Adam explained.
"This initiative will be progressive, with both long and short term objectives."
To help make computers easier to use, Microsoft has two broad phases:
Phase I Objectives:
Improve immediate customer security
Demonstrate progress
Engage law enforcement
Phase II Objective:
Drive new protection technologies
Microsoft is embarking on a huge Global Education Program that will impact end users in Japan.
The program includes:
Security seminars
Monthly security webcasts
The target is 500,000 people in one year worldwide including 20,000 people in Japan. The education will be free and the aim is to train people to enable them to protect their systems and software.
Beyond Patching
Patching is extremely short term and reactionary, Adam explained. So how can we move beyond it? How does Microsoft make customers resilient to attacks, even when patches are not installed?
"We have a broad goal: to make it so that seven out of 10 patches can be installed when you want them to be installed," Adam said. "This means Microsoft makes them available, but it is not this urgent thing that it is today. But beyond that, how do we improve Windows to make it so that even though there is a vulnerability out there, you are still protected?"
Subsequently there is a notion of Client Attack Vectors. "People are really clever in sending viruses, especially attached to innocent looking e-mails. How do we protect an e-mail attachment? These are some of the issues the guys in Redmond are thinking about - memory protection, network, safer web downloads and protecting clients from any attacks," he explained. "In terms of mitigating vulnerability, Microsoft is building a lot of depth into its operating systems to eliminate the fear of viruses and other issues that can hurt you."
"Trustworthy Computing" is a rally cry for Microsoft internally and for Microsoft to deal with customers and say, 'Hey, trust us!'
When it comes to security, however, there is an element of the Trustworthy Computing Release Process Adam finds very interesting.
"Microsoft is now building a security review into their software development process. The company is hiring ex-hackers and letting them use future versions of Windows and saying, 'bust into our system, take it apart. Where is it vulnerable? - find the holes!' Midway through the process, Microsoft tells all the developers to stand down for a couple of days to let the hackers do their work. This process flushes out a lot of the vulnerabilities," Adam said.
How to protect your PC:
Use an internet firewall
Get computer updates
Use up-to-date antivirus software
Windows Update
See: www.microsoft.com/security/protect/default.asp
For more information: www.microsoft.com
Text: Jonathon Walsh