Microsoft: Defence in depth is not enough

Defence in depth is simply not enough to create a secure computing environment, according to Microsoft's vice president of its Trustworthy Computing group, Scott Charney.

Defence in depth is simply not enough to create a secure computing environment, according to Microsoft's vice president of its Trustworthy Computing group, Scott Charney.

Kicking off the 15th annual AusCERT conference on the Gold Coast today, Charney said that the Internet largely remains an unsafe place to be — despite Microsoft's best effort to make it safe.

"When you think about defence in depth in the computer world, we've turned on firewalls, run antivirus, run anti-spyware, done user education, yet people sometimes get infected anyway, which tells you those things are not enough," Charney told ZDNet.com.au.

"A classic example is malware. We turned on the firewall on [Service Pack 2] by default to block the connection. We tell people to run antivirus in case they let something through the firewall, and anti-spyware. And then we do consumer education and remind them not to click on attachments from unknown sources. And then they click on attachments from unknown sources and get infected anyway. So when they come to us we run the Malicious Software Removal Tool, and for things that we recognise, we actually clean it up. It's classic defence in depth," said Charney.

And while pushing patches out to consumers has helped secure home users, businesses remain exposed.

"Automatic updates are great — getting upgrades to people quickly is great. But in the enterprise environment, bad guys can launch bad code far faster than good guys can test patches and deploy them. And with an increase in zero day vulnerabilities, you're not patching your way out of this."

Two ways to overcome the challenges posed by the Internet in a world where there are thousands of independent software vendors, said Charney.

"We've done a lot of defence in depth against malware or against phishing schemes, but you can still do more. To enable more, you need better authentication, so that users can better decisions about what's running on your machine," he said.

Charney also sees a major shift by software vendors to tie software more tightly to hardware to solve the problem of authentication.

"You need operating systems that are bound to the hardware, so that if it is tampered with you have a better chance of knowing, detecting and remediating the problem."