Guest editorial by George Stathakopoulos
In the first half of 2008, Microsoft Corp. released its latest Security Intelligence Report. One of the most interesting statistics involved the results from Microsoft's Malicious Software Removal Tool (MSRT). Each second Tuesday of every month, the tool examines hundreds of millions of unique computers worldwide and looks for the most common families of malware. It found one infection for every 123 machines it touched.
In the last few years, we’ve all heard similar numbers and reports, not just from Microsoft but other security vendors as well. But what is really behind those numbers?
Each piece of malware in those statistics is a piece of code, a set of instructions that when executed results in a lot of grief for Internet users. The statistics are always interesting, but the real problem is the effect of the malware: the loss of personal data, the fraudulent use of a stolen identity, the lack of confidentiality and integrity of some systems. As the Internet evolves to make our lives easier and bring our world closer, so does the creativity of the attackers.
[Figure: The worldwide presence of malware, based on data from Microsoft's Malicious Software Removal Tool]
Every year, I continue to be amazed at how the threats evolve. For each move that we, the industry, take in order to safeguard our customers, malware writers adapt by making the attacks more complex, stealthier and increasingly more targeted, combining every available technology. This past May, for example, we responded to a situation where users who had downloaded Apple's Safari Web browser for Windows were exposed to the possibility of code being executed remotely on their PC without prompting. This didn't happen because of how Safari or Windows worked by themselves; rather, it was how the technologies worked together to create a complex and blended threat.
In addition, there is the age-old tactic of social engineering, which targets the traditionally weakest link in the security equation — people. Attackers are quick to exploit human nature by masking their threats through convincing facades such as current events like the Olympics or the presidential election, seemingly legitimate deals from recognized brands, or supposed interactions with friends and family. In fact, our most recent Security Intelligence Report found that during the second half of 2007, there was a 300 percent increase in the number of Trojan downloaders and droppers — malicious code used to install files on users' systems — that were detected and removed by the MSRT. The prevalence of rogue security software continues to increase, with many common families delivered by Trojan downloaders and other malware, as well as by conventional social engineering methods.
So, how have I learned to defend myself? As you likely have, I've learned to ignore people who ask me to advance money to their bank account or who offer me a great-paying job or cheaper prescription medication. As a security professional, I also understand how to secure my computer by using a firewall and an anti-virus program, and finally by installing the monthly security updates that are produced in my corridor at work.
At work, I face the additional challenge of being a user in a complex environment. I also have to know what other software is running on my computer and what its security state is. Are those applications secure and up-to-date? Like our customers, Microsoft shares similar security challenges, such as how to manage identities and integrate firewalls and line-of-business applications. We must deal with mobile workers who travel around the world and integrate their devices back with the corporate network safely and securely. We have to consider how we integrate the network of a company we may have recently acquired.
In this environment, security becomes increasingly complex, and it is common knowledge among security and privacy professionals that complexity is the root cause of insecurity. In an average day, we look at multiple places to find information to do our jobs better. We have to know about the latest threats and defenses out there. We also know that it would be better to have a place where the industry comes together to offer authoritative information and collective guidance. However, as security professionals we also know that to achieve an acceptable level of security today is beyond what one company can do alone.
It is time we come together and use the combined strength of the industry, partners, customers and public organizations, and act in unison to build a more secure environment for everyone.
It is time for industry to adopt a community-based defense approach. We believe there are three main components of this:
No. 1: Collaboration
More than any issue in recent memory, the current Domain Name System (DNS) situation has reinforced the need for broad collaboration, driving home the impact that industry can have together when it comes to effective response. The threat has serious potential to harm the Web and e-mail ecosystems, but a new, collaborative approach has brought together a coordinated release from multiple vendors.
The situation has required new levels of coordination and new tactics for communication across all vendors. This is a stake in the ground for our industry. Community-based defense asks us to collectively commit our skills and strengths to defend beyond our boundaries to protect our common customers. In this case, we collectively did that, meeting to discuss approaches to protect the Internet, systems and computers together.
The new pan-industry organization Industry Consortium for Advancement of Security on the Internet is a good example and a great start in formalizing this kind of collaboration. Microsoft will be doing more to help facilitate the necessary dialogue, not only across our industry, but with government, academia and law enforcement as well.
No. 2: Sharing Development Best Practices
We need to be able to share best practices, to ensure that the code we develop around the industry is secure from the ground up. This concept has redefined our work at Microsoft. After years of responding to attacks on our software, we created the Security Development Lifecycle (SDL), which brought focus to building security into code at a foundational level.
We know it has helped make Windows Vista a better product, and we continue to work very hard to constantly improve the security of our products. Through books, blogs, conferences and partnerships, we have shared what we've learned, and our processes for developing secure code and responding to security issues.
No. 3: Investments in Security and Defense Knowledge
It doesn't matter how much effort you put into making secure code if your network password is "pizza." Once secure code is developed and released, we must work to help everyone who uses, implements and deploys it to understand and better manage their risk in this continually evolving threat environment. Two goals are as follows:
We're making these resources available to the broader tech community as a way to share what we've learned, in the hope that the industry can now build upon it. In today's environment, countless technologies communicate and interoperate, each one a potential source for the next attack.
Six years after the Blaster worm, Microsoft is still working with the same focus and vigor today as it did then. We will continue to work to make our products better. And because no company can tackle the challenge alone, we are sharing with the community the lessons we've learned the hard way.
This week at the Black Hat conference, Microsoft will release a new set of programs that will share more of that information with the industry, in an effort to help better secure the broader ecosystem by delivering best practices, partnerships and guidance. Now it's time for the industry to come together, to build the next generation of defenders and to innovate in the security space.
It's time for community-based defense.
* George Stathakopoulos is the general manager of Microsoft product security for the Security Engineering and Communications Group, working to help make Microsoft products and services more secure and help protect the company’s customers from online threats.