Malicious software code has been around for decades. But only in the last few years have the Internet, high-speed connections and millions of new computing devices converged to create a truly global computing network in which a virus or worm can circle the world in a matter of minutes.
Meanwhile, criminal hackers have become more sophisticated, creating and distributing digital epidemics like Slammer, Blaster, Sobig and Mydoom that spread almost instantaneously, threatening the potential of technology to advance business productivity, commerce and communication.
The kinds of threats are evolving too. Blaster, for example, hijacked individual computers, turning innocent users into unknowing worm propagators. These “swarming” attacks, which are coordinated to cause multiplied, cascading effects, change the landscape of security threats. They put new demands on IT professionals and consumers, and on the technology industry to continue to innovate.
Microsoft invests significantly in four areas of security: isolation and resiliency; updating; quality; and authentication and access control.
Central to our security efforts is preventing malicious code from being able to exploit a vulnerability. This can be done by isolating such code, providing more effective control over what computer processes can talk to or work with, and making systems more resilient so they can stop suspicious behavior in its tracks.
Until now, software updates have been the primary means of protecting customers. Although the evolving nature of threats requires a broader, multi-pronged response, Microsoft is continuing to make significant upgrades to quality. Last fall, we moved to monthly releases of updates to improve predictability and manageability.
Computer networks are no longer closed systems in which a user’s mere presence on the network can serve as proof of identity. There are many potential opportunities for unauthorised individuals to gain access to digital information. In this environment, access control and authentication are critical aspects of ensuring an organisation’s security. Users will increasingly use passwords, smartcards, public key infrastructure and IPsec to beef up such authentication.
Microsoft has undertaken a rigorous “engineering excellence” initiative so that our engineers understand and use best practices in software design, development, testing and release. The number of “critical” or “important” security bulletins issued for Windows Server 2003, compared to Windows 2000 Server, dropped from 40 to 9 in the first 320 days each product was on the market. Similarly, for SQL 2000, there were 3 bulletins issued in the 15 months after release of Service Pack 3, compared to 13 bulletins in the 15 months prior to its release.
Reducing the impact of viruses and worms to an acceptable level requires fundamentally new thinking about software quality, continuous improvement in tools and processes, and ongoing investments in security technologies designed to block malicious code before it can wreak havoc. It also requires computer users to be proactive about deploying and managing products.