10 Years of Trustworthy Computing: The Current State of Windows Security
A decade after launching its Trustworthy Computing initiative, Microsoft has come a long way but faces new challenges.
Bill Gates was famous for sending e-mails when he was in command at Microsoft. Most were minutiae. Some were game changers, such as the message he sent Jan. 15, 2002, pledging to spend the next 10 years making Microsoft products as secure as possible.
Critics scoffed. After all, Microsoft software was a powerful magnet and open target for hackers who spread malicious worms and viruses, and the company was better known for features than for lockdown. Windows clients and servers, Office, Exchange, SQL Server and all the rest regularly succumbed to vicious attacks. Users and pundits felt Microsoft just didn't do enough about it. Gates' 10-year deadline has recently passed, and by most accounts Microsoft software today is far more secure and trustworthy.
That said, the company remains the No. 1 target of hackers. Microsoft has done a lot. When it builds software, security is job one. It also releases patches on the now famous Patch Tuesday, and more frequently if need be. It offers its own free security software through Defender and Security Essentials, funds research through its labs, works with key organizations and third parties, and supports law enforcement. Law enforcement efforts are paying public dividends.
The recent takedown of command and control servers in Scranton, Pa., and Lombard, Ill., set up by a ring spreading the Zeus botnet, is evidence that Microsoft software is still a key target, but also that cyber criminals can at least be stymied. But while Microsoft led the FBI to shut down the command and control servers for the fourth time, security experts agree it's only a matter of time before the Zeus botnet or its variants resurface. Experts say Microsoft has made remarkable strides in improving the safety of its software, and many now regard the company as a leader in security-related initiatives. Nonetheless, it faces numerous challenges, such as:
- An increased number of cyber criminals who have more sophisticated skills and can build on the past work of others.
- The growth of attack points such as smartphones, tablets and cloud services.
- Users who continue to engage in unsafe practices.
- The pending release of new client and server platforms, including Windows 8 and Windows Server 8.
In assessing Microsoft's progress over the past decade, it's important to recall how terribly insecure its software used to be.
String of Malicious Attacks
Six months before Gates' directive, the Code Red worm wreaked havoc on more than 300,000 hosts running Microsoft IIS. Code Red, which exploited an IIS vulnerability, caused buffer overflows that overwhelmed the memory in the servers. It also unleashed distributed denial of service (DDoS) attacks on its targets. Among its notable victims: the server farm running the White House Web site. Another variant of the worm, Code Red 2, surfaced a month later.
The Code Red worms were so massive that experts worried such attacks threatened the very stability of the Internet. They followed a string of attacks in prior years, including Melissa in 1999, a worm that took advantage of flaws in Microsoft Word and Outlook and erased files. Another one, the ILOVEYOU virus, spread by e-mailing an executable Visual Basic program to the first 50 addresses in a victim's Outlook address book. The final straw came in 2001, a week after the September 11 attacks, when the Nimda exploit struck.
Like Code Red, it also took advantage of vulnerabilities in IIS, and not only was it able to spread itself via e-mail but it also infected files via open network shares and back doors left open from prior worms. Some at the time wondered if Nimda was unleashed by terrorists, a myth that was quickly dispelled. Nimda left Microsoft's reputation at an all-time low as the attacks left some of the world's largest corporations and government agencies hamstrung. 'Their software was full of holes from a security standpoint,' notes Philippe Courtot, chairman and CEO of Qualys Inc., a provider of malware detection, policy compliance and vulnerability assessment tools. With so many flaws in Microsoft's software, critics had no faith the company could ever change its stripes. Among those fed up was Alan Levine, chief information security officer at Alcoa Inc., a large industrial provider of aluminum with $23 billion in revenues at the time.
'I made no bones about the fact I thought they were failing in their mission. They were putting out software that contained exploitable vulnerabilities,' Levine recalls. 'They were causing lots of large companies like mine to go through lots of work and rework and more rework.
Every time Microsoft identified a problem, they appeared to be identifying it a day late and a dollar short. And when they issued a patch to fix a vulnerability, it was bad, so they had to come out with a patch to fix the bad patch, which was costly. It left us in a mode where we were less secure.'
The Gates Ultimatum
After the September 11 attacks and the Nimda outbreak, Gates knew Microsoft and customers could no longer stand for the status quo. 'Computing is already an important part of many people's lives. Within 10 years, it will be an integral and indispensable part of almost everything we do,' Gates wrote in his January 2002 memo.
'Microsoft and the computer industry will only succeed in that world if CIOs, consumers and everyone else sees that Microsoft has created a platform for Trustworthy Computing.' No one would say Gates went out on a limb predicting computing would be ubiquitous by now. But few believed Microsoft's software would be dramatically more secure 10 years later, or that the company would be seen as a true leader in security.
'Microsoft's reputation for security was best classified as a laughingstock; their security was simply not respected at all,' remembers Jeremiah Grossman, founder and CTO of WhiteHat Security, a Santa Clara, Calif., consulting firm that works with large enterprises to combat Web site attacks. 'Most people were skeptical when the whole notion of Trustworthy Computing came out,' recalls Art Coviello, who was CEO of RSA Security Inc. at the time and is now executive chairman of the EMC Corp. division that manages RSA assets. 'I remained relatively unconvinced until I saw what they were doing.' Coviello recalls when Gates gave a keynote address at RSA's widely followed annual conference in early 2004. 'If anyone ever went into a hostile environment and showed a lot of courage, it was Bill,' Coviello says.
'He did a very credible job helping people understand what Microsoft was attempting to do. It was at that point that people started to give Microsoft a little bit more of the benefit of the doubt.' When Gates issued his Trustworthy Computing initiative, Microsoft invited Alcoa's Levine and a few dozen other top IT pros to join the Microsoft Security Council, which still gathers in Redmond twice a year. Levine agreed to join but admits he didn't think it would do much. 'I was worse than skeptical - I was their worst critic. I thought it was mostly public relations,' Levine says, adding he was later surprised at Microsoft's progress. 'Over the last 10 years the change has been dramatic, remarkable and unbelievably positive.
They took on the really important job of fixing what was wrong.' At RSA's most recent annual conference in San Francisco in February, Scott Charney, Microsoft corporate VP for Trustworthy Computing, said the company had set out to reduce vulnerabilities in code by developing and adopting its Security Development Lifecycle (SDL), a blueprint for the development of all software from cradle to grave to ensure vulnerabilities wouldn't be introduced anywhere along the process. 'We did threat models at design time, and coded and tested to remove vulnerabilities in a systematic way across our products,' Charney said in his RSA keynote address. 'We knew we weren't going to get vulnerabilities down to zero, so we had to think about, 'How do you make a user safe, even if there are vulnerabilities in products?'
So we started to focus on defense-in-depth and reducing exploitability.' In the ensuing years, Microsoft realized it had to become more granular in addressing security across its entire stack. In 2008 it issued new tools that would help partners and customers build end-to-end trust into software using the principles of the SDL. This new approach of striving to build bug-free code was critical in making Microsoft software impervious to actions that would compromise security, experts say. 'Compilers and developer tools all really changed with regard to pushing developers to create better code,' says Philip Lieberman, president and CEO of Lieberman Software Corp., a provider of security and systems management software. 'They provided gentle but relentless pressure, saying you should do certain things in your code. And they changed out the libraries, and the insecure versions aren't there anymore.'
While many third-party ISVs and partners have utilized the Microsoft SDL tools and best practices, many have not, warns analyst Rich Mogull, CEO of security research and advisory firm Securosis LLC. 'Honestly, the biggest issue Microsoft faces is getting all the third-party developers to spend more time not only hardening their code, but fully leveraging the tools Microsoft provides to do that,' Mogull says. The next big milestones came in 2004, first with the launch of Patch Tuesday: the company's methodical approach to issuing fixes - some critical, some minor - with an eye toward adding predictability around the release of security updates for all of its products on the second Tuesday of each month. The patches come from the Microsoft Security Response Center (MSRC), the company's 24-hour security alerting service. Security vendors and customers have come to rely on the MSRC and Patch Tuesday, and laud Microsoft's approach to providing updates and bulletins. Another important highlight that year was the release of Windows XP SP2, when Microsoft turned on the firewall by default and likewise turned on automatic updates by default, enabling the near-touchless installation of patches.
The service pack also introduced Data Execution Prevention (DEP), a feature also found in Linux and the Mac OS, designed to prevent code from executing out of memory regions that are meant to hold only data.
How Windows Vista Changed PC Security
Many think of Windows Vista as a failure because of compatibility problems. But Windows Vista was the first Microsoft OS to be built under the SDL, and it also introduced several key security features. Among them were PatchGuard, which prevents malware from patching the OS kernel; address space layout randomization (ASLR), which makes buffer overrun exploits harder to pull off by randomly shuffling the locations of code and data in memory; BitLocker Drive Encryption, which, as the name implies, encrypts data on the drive; Windows Defender, the Microsoft anti-malware scanning program built into the OS (also made available as a download for Windows XP); and User Account Control (UAC), which requires user confirmation before a process is allowed to run with administrator privileges.
UAC was not a welcome addition to Windows Vista, as users were constantly badgered by prompts for permission to allow application changes. In Windows 7, Microsoft addressed UAC complaints by extending the tasks that a typical user might conduct without prompting for administrator permission, letting users with admin privileges configure UAC parameters in the Control Panel and offering expanded local security policies that let IT pros reduce UAC messages sent to users.
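The defenses the article walks through (UAC and its Windows 7 tuning knobs, DEP, the XP SP2 default-on firewall and automatic updates) all leave auditable state on a machine. The script below is an added example, not from the article or from Microsoft; it assumes Windows 7 or later, an elevated PowerShell session, and that update settings are not overridden by domain policy (which lives under HKLM:\SOFTWARE\Policies instead).

```powershell
# Added example: audit the baseline defenses discussed in the article.
# Assumes Windows 7+ and an elevated shell; reports weak settings as findings.
$findings = @()

# UAC policy values live under Policies\System.
#   EnableLUA = 1                -> UAC enabled
#   ConsentPromptBehaviorAdmin   -> 0 means admins elevate with no prompt (weakest)
#   PromptOnSecureDesktop = 1    -> prompts shown on the secure desktop
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey
if ($uac.EnableLUA -ne 1) {
    $findings += 'UAC is disabled (EnableLUA is not 1)'
}
if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
    $findings += 'UAC elevates administrators silently (ConsentPromptBehaviorAdmin = 0)'
}
if ($uac.PromptOnSecureDesktop -ne 1) {
    $findings += 'UAC prompts are not isolated on the secure desktop'
}

# DEP system policy from WMI: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut
$os = Get-WmiObject -Class Win32_OperatingSystem
switch ($os.DataExecutionPrevention_SupportPolicy) {
    0 { $findings += 'DEP is disabled system-wide (AlwaysOff)' }
    2 { $findings += 'DEP is OptIn: only Windows programs and services are covered' }
}

# Windows Firewall: every profile should report "State ON"
$fwLines = netsh advfirewall show allprofiles state
$offProfiles = @($fwLines | Where-Object { $_ -match '^\s*State\s+OFF' })
if ($offProfiles.Count -gt 0) {
    $findings += "Windows Firewall is off for $($offProfiles.Count) profile(s)"
}

# Automatic Updates: AUOptions 4 = download and install automatically
$auKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
if ($au -and $au.AUOptions -ne 4) {
    $findings += "Automatic Updates not set to install automatically (AUOptions = $($au.AUOptions))"
}

if ($findings.Count -eq 0) {
    Write-Output 'All checked baseline settings are in place.'
} else {
    Write-Output 'Findings:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Each finding maps back to one of the defaults the article credits Microsoft with turning on, so a clean run means the machine still matches that baseline.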