Technology

OPINION

What If Microsoft Got Security Right?

Last week at the RSA conference in soggy California, Microsoft presented the most comprehensive plan I’ve ever seen to address a security problem. Granted, they currently have massive exposure, but it caused me to wonder what would happen if everyone followed their lead and focused on the human aspects of the problem rather than just the technical.

From the Linux folks out there, I can hear the resounding “No” with regard to following Microsoft’s lead in anything, but for those who at least think they have an open mind, let’s explore this idea.

If you’ve been dealing with security as broadly and for as long as I have, you’ve likely come to realize that, done right, it is as much social engineering as it is physical protection or technology. If you haven’t, let’s work off the following example.

Is a person safer in a home with locks or a home without? What if the home with locks is in Baghdad and the home without locks is in the middle of a farm in the middle of a Quaker community? Under many circumstances, attacking the risk — putting the home where there no theft — as opposed to increasing the protection is the more effective path, particularly if you don’t want to spend lots of time locking and unlocking your doors and windows.

Linux Security Myth

For those who believe the myth that Linux is more secure than Windows…. Wait a minute, I’m betting you are one of those people, so maybe I should explain myself before going further. We don’t need to do the “open isn’t more secure than closed” thing again; I’ll leave that to others.

The exploit being used against the Windows platform most often is not technical. In fact, the last set of viruses were distributed primarily by playing off the trusting nature of people. The vast majority of those same people don’t run Linux today and, until they do, the belief that Linux would do better is a myth — possibly true but as yet unproven.

Granted, the same viruses that have wreaked havoc on Windows networks wouldn’t work against Linux, but Linux has security holes. Don’t bet that a smart Linux programmer couldn’t come up with a way to create an executable file that the user might want to run: “Hey, look at this really cool Linux game I found, it’s kind of a pain to install but if you follow my directions….”

In fact, given where Linux and Unix are generally used — hint, it isn’t the desktop — I’ll bet most of the time when their security is penetrated, the penetration isn’t reported. When I did security audits, I found the fastest path into a secure area was to effectively look for the key under the doormat. People simply don’t think about security enough and, without knowing it, will often create exposures in an effort to simplify their jobs. In my experience, people are often the weakest security link, and no platform alone can fully compensate for this.

Now, I’m not even going to suggest that Linux is less secure, but if the exposure is people and people are gullible, then security at a product level might only make you feel more secure. You might not actually be more secure.

So, as far as I can tell, Microsoft is the only large firm really dealing with behavioral issues. They are putting up bounties on the folks who write viruses, putting together programs to fight spam — I’d vote for a candidate in a party I hated if that candidate advocated comprehensive spam-fighting — and they have proposed a personal security solution that goes one step beyond Sun by adding biometrics to the smart card. Passwords are inherently not secure.

Biometric Smart Card Sidestep

Forgive me as I sidestep for a moment and point out that while I was running the security and mobile group as an analyst at Giga, the one thing on which most security folks and e-commerce folks agreed was that neither smart cards nor biometrics alone were good enough. Smart cards could be stolen, and if someone captures biometric data from your finger, getting a new finger tends to be problematic. But if you could use biometrics to authorize the card, the card itself would be more secure, and there is much less likelihood that your biometric data would be compromised.

I figured that IBM or Sun would get this right first. I was fascinated that Microsoft might — and I use the word “might” because it still needs to work in practice — have beaten IBM and Sun to the punch.

OK, enough of this. The card is cool, but is not the major point here. The main question is, what happens if Microsoft got it right? Wouldn’t the implication be that others who aren’t doing similar things have it wrong? If the Linux folks will take their hands away from the keyboards and let me finish, I’ll explain myself.

Approaching Security Methodically

The right way to approach a security problem is first to look at the problem and define it, then look at your resources and create a plan to best match the two to mitigate the problem. Too often, folks start with the product, and the end result isn’t significantly more secure than what they came from because they either don’t have the skills or the product doesn’t really address the actual exposure.

Let’s try a movie example to illustrate this point. I’m a big fan of “The Lord of the Rings.” If you watched the first two movies and were going to advise the folks in Gondor’s embattled city of Minas Tirith about what to do, you might conclude that the soldier and wall defense — comparable to Windows monoculture — really sucked and that what they needed were lots of Gandalfs or lots of tree Ents to come to the defense — which would be comparable to bringing in Unix and Linux.

The only thing is that it takes several centuries to create a Wizard, and to grow a full-sized Ent probably takes a hundred years or more. The solution has to both address the problem and use resources you actually have — including your existing skills inventory. In other words, you have to work your strategy around Minas Tirith — taking into account the strengths and weaknesses of the city’s defenses.

Focusing on the Real Problem

What Microsoft is showcasing is its realization — which happens to concur with my own — that fixing the platform itself isn’t enough. You must address the other parts of the exposure, particularly the human part.

Now I’d like to leave you another what-if. What if, instead of creating an environment in which virus writers flourished and we constantly fought over whose ideology was better, we focused on making malware writers an endangered species along with their spamming cousins? Personally, I’d like a world where I looked at the Linux folks as part of the solution rather than constantly wondering if they are the problem. Instead of fighting Microsoft, why can’t we all just get along?

Maybe part of this is because it is an election year here, and I’m just getting tired of the negative campaigning that goes on during this period. Maybe I want to live under the illusion that programmers on both sides of the fence are better than this. And maybe I’d like to think that if a firm, even Microsoft, did get it right, a few folks would stop, take a breath, and consider that addressing the broad security problem would make this a better world regardless of what platform they used.


Rob Enderle, a TechNewsWorld columnist, is the Principal Analyst for the Enderle Group, a company founded on the concept of providing a unique perspective on personal technology products and trends.


12 Comments

  • First off I would like to say that I do NOT usually get involved in Flame-wars, but this begs for a reply. Yes the most comment "exploit" as you call it here is the user. "My virus-scanner, firewall, whatever will catch it", How often I’ve heard that phrase is second only to "but I don’t give anybody else my password". The problem here, and dare to deny it, when your system treats you like, and assumes you are an idiot… You are most likely to remain just that. Yes it is very possible that linux developers, just as windows developers can write unsecure code. The differance, however, is that open code can be more quickly fixed. How many users out there gleefully set thier passwords to "12345678" etc… . Would it not be possible, as it is on linux to check a password-list for the password chosen, and reject it if found in that list? But then that would, of course reduce userfriendlyness.

    • My sorely misled friend, if I objected to the notion that "People are flawed" I would have posted "I object to the notion that people are flawed." I AM also quite aware that there were MANY words used prior to the invention of computers, and do not appreciate your condescension.
      I also do not appreciate your evasion of my argument.
      Firstly, I understand your use of the word "exploit" in the context as a refrence to the countless people who have been "exploited" into believing that they should download some attachment and or run a program.
      I was pointing out that in the history or microsoft there have been infinitely more very disctinct exploits that have been abused by thousands of worms and thousands of hackers millions of times than malicious programs that require user activation. Your statement, which you may have forgotten already, "The exploit being used against the Windows platform most often is not technical." is wrong. And therefore you are wrong. I will cheerfully field any arguments you have with the above statements.
      I take personal offence to your attempts to label me as a coder of malicious programs, a conclusion that you based on an assumption that you extrapolated from my post. I never attacked the end user. I made my statement because you needed a clearer differentiation between exploiting a person and exploiting an OS. A differentiation that you failed to make in the only statement that I questioned. I never made any refrence to your article, nor did I question its over-used, and unoriginal thesis: "People are the weak link in the security chain." the shared thesis of countless articles written by the likes of people far more poisoned, and angry than even yourself.
      I’ve never used linux or unix before. But I AM aware of countless forums onwhich hundreds of posts abound with name-calling argue in circles about linux vs windows. I thought that your linux bashing was a clear attempt to call out these (as you call them) "linux zealots" and move focus from your flawed "article" to another topic entirely. Furthurmore I find YOUR name-calling and (yes, they are) personal attacks childish and unprofessional.
      I think that if you were truly interested in the open discussion of securities (regardless of OS)that you would field these comments with straight answers and or return questions, instead of just pulling hair and biting.
      Now that you are done "reading" my responce, please read it once more before you continue polishing the brass on the titanic. Admit that your statement was wrong, or tell me… LUCIDLY… why I AM incorrect.

      • Personally, I like this article for an objective view and the expressed hope that all OS’s be treated as tools. We run AIX, LINUX and MS and each has it’s place. I AM a Microsoft Administrator that is also expected to be knowlegeable about Oracle on AIX and Linux. Niether of which help me to centralize security and management of my workstations, at which MS excels. Sure, I have beefs with MS. They could borrow some good ideas from RedHat…such as when running as a restricted user in Linux, and opening a root program, I AM prompted for root password. Microsoft only has the "runas" command which is essentially useless except for certain tasks. Since this is one reason so many users are allowed to run as administrator accounts, this is in itself a major problem with implementing security. Oh, how many Linux users here actually run thier Linux boxes other than root. Huh? Pretty vulnerable then.

        • "Oh, how many Linux users here actually run thier Linux boxes other than root. Huh? Pretty vulnerable then. "
          .
          Actually I normally run as a normal user. I only su or log in as root when I have a reason to.
          .
          Oh, and I’m not a systems admin or anything that requires much working knowledge or responcibility.

          • I would like to first off comment about your last statement "How many linux users here actually run thier Linux boxes other then root. Huh?". I personally do not know anybody who does run thier linux box as root. I teach people how to use linux and so do my friends and the first thing we emphasize to them is to never run as root. For the people who decide to try linux and with no instruction (i.e. doesn’t read documentation , etc..) run thier box as root. This is because the misconception they get from running windows they think that running as root is totally exceptable. Not to just say users who try linux come from using windows maybe they used Mac OS 9.X or earlier where it just boots up with no concern of creating a user to log into the machine with.
            Also I have no problem with people using windows if they want I prefer to use linux I find that it fits my needs better then windows does. I AM a Network admin and I admin about 150 windows and Mac computers. MS excels at centralized security and management for windows machines. Windows has some support for Macs and really no support for linux machines. If "MS" really wants to excel in centralized management and security maybe they need to work on interoperating with other OSs. MS needs to imporve the interoprobility with Macs. Microsoft may have SFU (services for unix) but give me a break unix utilities running on top of windows really no use and I have to say I have used them and they suck. So in my opinion the only interoprobility between linux and windows is because of the open source community.
            Also I agree with the point in the article about the human factor. The human factor is the biggest risk to security in my opinion. People don’t always think before they do something which is why it doesn’t matter what OS you run its not going to be secure because of the human factor. That is something I learned while working with users.

  • First-Analogies like having a house in downtown bagdag versus having one in an omish community, or whether to use troops to protect a mythical city versus wizards does not tell anyone anything. They are simply stupid. Its a way of writing alot and saying nothing. Its easy to hide behind vast generalities, especially when they are silly generalities.
    Second- So the writter points out viruses and worms use social engineering as well as technical engineering. Really!!!???? No kidding!!!??? Why, I would never have known this if microsoft would not have pointed this out!!!! But seriously now, everyone knows this and has known it for a long time. I don’t need microsoft to point it out for me. Microsoft is blaming everyone else for its very own failures. That is typical of microsoft and their mouth pieces (which this writter is one). No kidding we need to better educate computer users. No kidding we need to enact better legislation against spammers, hackers, etc. We also need to WRITE SECURE CODE!!! My company goes to great lengths to ensure we understand proper security procedures and impliment them. My company has been doing that for years before microsoft made its presentation. My company NEEDS more secure products from microsoft.
    Sorry but it is ridiculous to try to put this all on the end user…of course it is also ridiculous that microsoft writes such code that is so easily breached. Probably even more ridiculous that writters like this one defend louse code!

  • Ok, first and foremost I disagree that MS shouldn’t just focus on the technical aspacts of security. They write software and as such should take responcibility for their shortcomings. I DO agree that this is not an MS centered problem and will probably always plague all software writers. However, known problems need to be fixed and fixed properly. No more buggy patches and no more excuses about it being the end users fault.
    Yes, end users need to be educated about their actions but other precautions need to be in place since it’s impractical to turn every computer user into a security expert.
    What if MS did get it right? Great! we’d all benefit if they came up with some new (and SIMPLE) ideas on how to help tackle security. I wouldnt go out and buy their products since they don’t seem to suit my taste but I wouldn’t shun them just for getting it right. Especially if they let others use their ideas.

  • You noted that Linux could have an e-mail worm that could be made to spread by social engineering, like Windows worms, and that is a human problem, not technical.
    I don’t dispute the possibility, but note that Linux *already* effectively has safeguards that seriously slow down the spread of such worms: To execute an attachment, a Linux user must save it to a file, then set a protection bit marking it executable, then run it from the saved location. Three steps, and at least the middle one is not a one-click operation (at least not in any Linux installation I have seen).
    By contrast, running an e-mail attachment in Windows is typically one or two mouse clicks away. This explains why these social engineering worms can spread faster than countermeasures against them can be mounted.
    As long as no popular Linux e-mail client makes misguided extensions to simplify running attachments, I think we are safe. And by now the people writing such programs are aware of Microsoft’s mistake and know to avoid it.

  • Easy. Vendors worldwide would receive a rush order for a few billion pairs of ice skates. Btw, many have noticed that a) "The Enderle Group" seems to consist entirely of .. Rob Enderle, b) the majority of his published work seems to be either gushing PR-bunny fluff or Pavlovian attack-dog pieces, and c) that far too many of his stated-as-gospel "facts" have been easily proven false with a simple Google search. He is thus generally considered to have negative credibility, tho sometimes worth reading for the comic relief provided by his stereotype blatantly ignorant sycophant persona. Some seem to believe this (comedy) is his true goal.

  • "The exploit being used against the Windows platform most often is not technical."
    Mr. Enderle: an "exploit" (which is a word microsoft has avoided like the plague) is a security flaw that allows privelage escalation withOUT user interface. This means, that no user has to click OK or execute the program, he just has to have his computer ON. These are things like buffer overflows that allow arbitrary command execution.
    If you are talking about the lastest viruses that people have to download and execute then they are NOT security flaws, they are simply malicious applications that users CHOOSE to download and run that their own personal detrement. They might as well be downloading little desktop-traversing animals to AM use themselves.
    To say that Microsoft doesn’t have an abundance of exploits (keyword: exploits) is ludicrous, and requires NO furthur explaination.
    And you would think that a professional columnist would have enough sense NOT to take sides (and bash the opposition) in the linux vs windows war.
    Perhaps in the future you should take more time on security pages and forums and less time at dictionary.com

  • What if the moon is green? What if aliens come to get us tomorrow? Man I just love it. Now we have gone from Microsoft is secure to what if it was… and as far a Linux. Linux or the unix OS do not have the inherent security issues that would allow gullible people to infect there machine like Microsoft and if this author know anything about Unix (linux) he would have known this. Man what a joke!

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels