Microsoft's Charney Talks Up Security
Discussing how some have tried to position security efforts as potentially beneficial to the bottom line, Microsoft Chief Security Officer Scott Charney admitted he was cynical. "Security is a cost center. If there were no attacks, no one would bother," he told a few hundred IT professionals at the event.
Charney likened the task of hardening a corporate network's defenses to bolstering airport security. Putting in metal detectors and training personnel is very expensive, "but having said that, you do it because you have to do it," he said.
In outlining Microsoft's efforts to boost security, Charney cited the planned summer release of Windows XP Service Pack 2 and ISA Server 2004. He also discussed Microsoft's initiative to make patch management easier and more automated, including the Redmond, Wash., company's long-term plan to offer a single Microsoft Update experience instead of the current multiple update paths.
Although Microsoft has devoted tons of financial resources and manpower to its two-year-old Trustworthy Computing initiative, the company can't rest on its laurels, Charney noted. People who write worms and viruses typically work backward from patch code as it is issued, and they're getting more efficient at it, he said.
For example, when the Nimda virus struck in the fall of 2001, it happened 331 days after Microsoft unveiled patches to close the vulnerability, Charney said. Likewise, Slammer hit 180 days after its patch, Blaster 25 days after its patch and the recent IIS vulnerability surfaced just 48 hours after patches were made available, he said.
Attendees at the Boston stop of the security road show, most of whom were IT managers or network administrators, said hearing Microsoft reaffirm its commitment to secure computing was helpful, although one attendee termed much of Charney's keynote "fluff." Others said Microsoft created its own security problems through its loosely controlled development process and that the company's products are hit often because they are so prevalent.
Two IT administrators of Windows-centric shops said they're using Snort, a Linux-based intrusion-detection technology, to secure their infrastructures. Sourcefire, a commercial security vendor, also makes use of Snort technology in its offerings.
"There are better tools in the Linux world for this stuff, not just for intrusion detection but also for antivirus," said Vernon Butler, an IT manager at CWCapital, Needham, Mass.
Craig Miller, director of IT at QCMetrix, a Tewksbury, Mass.-based health-care services company, said his company also has deployed Snort. For QCMetrix and other health-care firms, much of the security work is being driven by the need to comply with HIPAA requirements around privacy, he noted.