Internet security

Ever since the early days of the Internet, a war has been going on between hackers and software developers; and Microsoft has been on the front line

Ken Olsen, founder of DEC, famously said in 1977 that there is “no reason anyone would want a computer in their home.” We have come a long way since Olsen made that statement. Hundreds of millions of people around the globe now use a computer in the workplace as well as at home for a multitude of tasks, ranging from banking and entertainment to keeping in touch with friends and family. The basis for the personal computing phenomenon we take for granted today was the launch of Windows 95.

But the possibilities Windows 95 offered to developers also inspired a generation of hackers and virus writers. Whilst the skinhead yob was spray-painting walls, his geeky counterpart was programming viruses. And he was good at his hobby: in 1996, the number of computers infected with a virus was 10 per 1,000, but by 2000 the number had risen to 91 per 1,000. The virus writer of the late 90s caused more damage than physical graffiti ever did. Businesses suffered financial losses and damaged corporate images whenever IT systems had to be repaired and lost or corrupted data recovered. Not that the antivirus companies minded. The virus explosion was good business. Leading consumer antivirus company Symantec saw its revenue almost double, from $578.4m to $1.071bn, between 1998 and 2002.

Soon, viruses like ‘Melissa’, ‘I love you’ and ‘Anna Kournikova’ were making headlines around the world, and consumers flocked to the shops to buy antivirus software. Microsoft and the innovative Windows 95 platform were now perceived by many as the root cause of what was termed the ‘Internet security issue.’ Windows 95 was superseded by Windows 98, then Windows 2000, but the virus phenomenon showed no sign of stopping. Any hopes that the problem would simply disappear like any other fad or anti-establishment protest were short-lived, and Microsoft continued to be the scapegoat. In January 2002, a memo from Bill Gates announced the formation of the Trustworthy Computing (TwC) division, a group charged with ensuring that all Microsoft products, not just Windows, would be developed with security as a paramount requirement. Gates was making a statement. He saw that security, and Microsoft’s connection with the issue, be it real or perceived, was a major threat to the company’s future success. He wanted to get serious and he wanted employees, and the outside world, to know. Driving almost instant cultural change across a company of more than 60,000 people was a huge challenge for its leadership, and it began with a decision to suspend work on all products, including the already delayed Windows Vista, whilst developers and engineers underwent extensive training on how to write more secure code. Today, ensuring secure engineering practices company-wide remains a core responsibility for TwC.

The result of training its engineers was the creation of the Security Development Lifecycle (SDL), an engineering process which all Microsoft products go through and which is still the foundation of the company’s security strategy. The SDL requires security reviews at defined points throughout development and a final security review that determines whether a product can ship or not. Windows Vista was the first operating system to go through the SDL from day one, and since then every internet-facing or enterprise-class product must do the same. In 2008 Microsoft published the SDL process so that developers outside the company could also use it to write more secure code.

Graham Titterington, principal analyst at Ovum, agrees with the practice. “Microsoft’s approach to the problem of producing secure IT systems is a good model that shows the necessity to build in security across every activity,” he says. However, despite Microsoft’s decision to re-train its developers and implement processes such as the SDL, critics initially dismissed TwC as Microsoft’s attempt to deflect blame. Seven years on, many of those critics now acknowledge the impact of Microsoft’s efforts through TwC and agree with the company’s assertion that security is an industry issue and not the exclusive preserve of Microsoft. Eric Domage, research manager, Security Products & Services at IDC EMEA Software Group, says: “It is amazing how much Microsoft has changed. In the early 90s, it was a world-first class provider of vulnerabilities and software breaches. Today, Microsoft has become a major IT safety player, from threat and vulnerability detection to investing its own money in educating local law enforcement agencies.

“Whatever your opinion of Microsoft, and mine is not always positive, you must think about the global effort made by the company and look at the effects. Because of Microsoft, antivirus and advanced security tools (MSRT, Windows Defender) are almost free in the home. Browsers are safer, browsing is safer, operating systems are robust, spammers are sued and sentenced, and global security on the internet has got better. A lot more has to be done. The pervasive nature of IT in the world makes hacking really attractive for many criminals as well as non-criminals looking for revenge on something important. Microsoft will never solve the deep issues of IT weaknesses on its own. But its contribution to a safer Internet is real.”

The report shows that in the second half of 2008, nearly 90 percent of disclosed vulnerabilities affected applications, the software programmes that sit on top of the operating system, which suggests that as Microsoft makes Windows more secure, hackers are shifting their focus to third-party software vendors, Web services providers and original equipment manufacturers. Figures like these point to the way that security has evolved and is a bigger issue today than ever, despite Microsoft putting its own house in order. Developing more secure software is only part of the answer, and Microsoft has expanded the focus of Trustworthy Computing. One example is the Microsoft Security Response Centre, a global security response team created to deal with vulnerabilities discovered in Microsoft products. Once a vulnerability is identified, the Centre assesses its impact and develops and delivers security updates on a regular, predictable monthly schedule. The updates are tested against the different operating systems and applications they affect, then localised for markets and languages across the globe. “Researching vulnerabilities, engineering and testing resolutions for them and distributing them to a regular and predictable calendar is a huge undertaking,” says Roger Halbheer, Microsoft’s chief security advisor, EMEA. “Despite the industry’s best efforts, vulnerabilities in software code will always exist and, unfortunately, so will criminals looking to exploit them.

“All major software companies produce and distribute security updates. We have chosen to be very transparent, predictable and open about our process. We tell our customers that every second Tuesday in the month they can expect to receive security updates from us, so they can plan ahead to implement them.” He adds: “I can understand why some people think ‘here we go again, another Microsoft security problem’, but the reality is that all companies are distributing security updates. Our approach is to actively promote the update process and make it predictable so that our customers can plan to install them and ensure their networks or home PCs are secure. The important element to focus on is whether companies are investing in identifying vulnerabilities and being proactive and effective in dealing with them.”

Through Trustworthy Computing, Microsoft’s efforts deserve to be acknowledged. And yet, despite all this, the security issue persists. Microsoft is no longer the soft target for hackers and virus writers. However, perhaps as a consequence of the company’s secure engineering efforts, cybercriminals have shifted their focus to exploiting weaknesses in human nature, using scams and other crimes of deception that have nothing to do with flaws in technology. Fifteen or 20 years ago misguided computer enthusiasts were the source of the problem, but today’s cybercriminal has no interest in technology at all. The Internet is simply a tool to be used for committing fraud and identity theft.

With such a complex, ever-evolving landscape of online threats, it is clear that one organisation, even one as big as Microsoft, cannot have all the answers and solutions. Microsoft has made progress in addressing security since Bill Gates’ TwC Memo in 2002, and the approach has undoubtedly been successful. However, to ensure a safer online experience for all, both the private and public sectors must continue working together, whether by sharing technological innovations, entering partnerships, educating consumers or a combination of all three.