Online Security, a global provider of computer forensics and information technology risk mitigation since 1997
Original Source: http://computerworld.com/securitytopics/security/story/0,10801,90466,00.html?SKC=security-90466
Is Microsoft ignoring the biggest source of security threats?
Author: Peter H. Gregory
We've seen it in several years' worth of FBI surveys: Most security incidents are "inside jobs" perpetrated by employees, former employees, contractors, vendors and others with inside knowledge, privileged access or a trusted relationship with other insiders.
What do the insiders do that constitutes a security incident? They steal, alter or corrupt information assets. In other words, they take source code, customer lists, plans or specifications; they deface Web sites; they defraud the organization or embezzle funds; and they damage critical-information systems, which consequently threaten ongoing operations, at least for a time.
Gates emphasizes external threats
Bill Gates, chairman and chief software architect of Microsoft Corp., gave the keynote speech at the annual RSA Conference in San Francisco yesterday. In his address, he touted the many improvements in Microsoft products that are coming in 2004, 2005 and beyond. He demonstrated a few of the improvements that we'll see in Windows XP Service Pack 2 later this year.
Nearly all of the software improvements cited address external threats. For instance, two-factor authentication using smart cards, tokens and biometrics will improve credential security and virtually eliminate the opportunity for hackers to use brute force to make their way into user accounts.
Also demonstrated was the new firewall component that will be turned on by default. It has some nice features that are reminiscent of other firewall products that have been around for a while. Perhaps Microsoft is getting this one right, and this will be a good thing.
Gates also demonstrated Active Protection Technology, where a security module in the operating system blocks the browser from loading ActiveX content from a Web site until the user can install an ActiveX-related security patch. This too was a nice feature.
Gates also discussed long-term improvements such as additional features in Visual Studio intended to help developers write more secure software and software that can be installed and run in nonprivileged mode.
These improvements are welcome, since they will help to reduce the external threats that are making headlines today. But both the short- and long-term initiatives seem to be ignoring the biggest threat: insider malfeasance.
Insider threats ignored?
Let me get back to insider threats. I mentioned common occurrences such as stealing, altering and corrupting information. This is largely done by people who already have credentials or by people with inside knowledge of strategic or tactical weaknesses. For those who have credentials, two-factor authentication will have no effect. If someone wants to steal information, he can load it onto his thumb drive, e-mail it to his home account or upload it to his Internet-based briefcase. Likewise, someone who wants to corrupt or damage information can do so using all of the tools that the organization has provided.
Stopping insider-related security incidents is certainly more difficult than stopping external threats. It's not making headlines all that often, and much of the time the blame could be placed on the organization rather than on Microsoft. But Microsoft isn't talking about any short- or long-term improvements in order to curb insider abuse. Is this because it hasn't figured out how to solve this yet, or because it's not making headlines? I'm not sure, but I hope that in the company's $6 billion R&D budget, some energies are being put into smarter and easier-to-manage information systems that can automatically sense changes in the access patterns performed by trusted insiders and either block those accesses or generate alarms that can be acted upon while the suspicious action is still taking place and while the perpetrator can be questioned about it.
Squeaky wheels
Insider security incidents have been with us for as long as there have been businesses with employees who are entrusted to do the right thing by performing their job functions correctly and not by abusing their privileges and acting inappropriately. Microsoft and other companies have perfected smart computing and nice gadgets that seem to consume an ever-greater number of CPU cycles. If I had a choice, I would give up some of those features if my systems could do a better job of monitoring and enforcing employee behavior.
But there are no headlines and mentions on the evening television news about insiders who steal information from computers. They put viruses and worms in the spotlight instead. Sure, this is a big problem that needs to be solved, and Microsoft needs to work on this in future releases of its products.