San Francisco—"Resiliency" seemed to be the catchword today at the 13th annual RSA Security conference—and not just the resiliency of networks and applications to withstand an increasingly fierce and malicious global computing environment, but the resiliency of companies, of economies, of an industry, and even, arguably, of Microsoft.
Despite an obvious and disquieting increase in disastrous security incidents recently, the conference mood—and the conference numbers—are heartening. RSA told media today that this year's conference had a year-over-year increase of 30 percent in attendance, with a robust show floor featuring 200 exhibitors.
As for Microsoft, far from a corporate darling of the security sub-industry, it would be fair to guess that it was not an easy choice to hand over the headline portion of Tuesday's general session to Chairman Bill Gates. With recent critical IE security holes and an embarrassing and potentially damaging leak of portions of the Windows NT/2000 source code not even out of the headlines, Gates delivered a straightforward message that focused on the need for proactive system patching, offered up the three-pronged security improvements coming in the SP2 release of Windows XP, and made the should-be-but-isn't-quite-reassuring promise of a $6 billion R&D budget that will fund the much-needed growth of a buffer to shield the world's largest operating system (and the world's largest operating system user base) against hackers, thieves, vandals, and spies.
However, with conference host RSA's own major announcement revolving around more robust authentication for Windows users, and Microsoft entering the early stages of an era that will see major attrition to Linux, the choice makes sense, even if many security-savvy attendees cast a cynical eye toward Redmond.
Focus on Patch Management
For many years the security industry has concentrated on three "pillars" of protection: antivirus, intrusion detection, and firewalls. While these remain the foundation, a fourth area, patch management, is steadily growing into a full-fledged pillar of its own, and Microsoft, with help from its OEM partners, is the key instigator behind that growth.
Gates showed a bit of candor in explaining that patch management was one area where Microsoft hasn't always gotten the job done. "Take for example the need to keep software up-to-date," said Gates. "We did not make it absolutely clear to our customers that having and updating services to the latest version was particularly important for Internet-facing systems." Today, he said, "making it very easy for [companies to keep systems up-to-date] is part of our mission.
"The responsibility comes back to us. Until we make it so virtually 100 percent of the customers find it attractive to have that updating in place for those Internet-facing systems, we haven't done our job."
At the lowest level: Free Windows Update. "Turn it on," urges Gates. That's fine for individual home broadband users, but enterprises need more complex tools to fully evaluate risk and manage deployment of system patches. Microsoft's Systems Management Server (SMS) is a superset of Windows Update targeted at enterprises and "it's had a very dramatic increase in deployment."
SMS performs both crucial parts of the patch management process—assessment and deployment—while Microsoft Baseline Security Analyzer (MBSA) is a free tool that enterprises can use to do just the risk assessment portion. MBSA is primarily based on technology Redmond OEMs from Shavlik Technologies, which has a thriving standalone tool of its own, HFNetChk. Shavlik announced this week that it would expand the HFNetChk tool this year to also assess RedHat Linux systems (in Q2), Solaris (in Q3), and SuSE (in Q4).
Version 1.2 of MBSA does configuration checks of Windows systems and reports back on critical protection issues such as firewall configuration and auto updating. It also scans for missing security patches, unnecessary open ports, and unneeded services left running, and reports on those issues.
Updating to SP2
Windows XP SP2, Gates explained, is a release that is solely about security: the company took resources away from the upcoming Longhorn release of Windows to create an interim release of XP that will make it easier for companies and end users to keep Windows patched and prevent accidental exposure to malicious code. Gates characterized the SP2 release as "very important and one that we're going to encourage people to install very broadly."
SP2 will have three basic feature enhancements:
- An improved Windows Firewall, enabled by default
- The Internet Explorer "gold bar"
- Security Center
The Windows Firewall, a successor to Internet Connection Firewall, addresses problems that occur when certain types of applications fail to function properly behind an enabled firewall. The Windows Firewall detects applications that leave "listening" ports open on the network and prompts the user to give permission (exceptions) for these applications to run. When the application completes, the firewall dynamically closes those ports to prevent them from being exploited. Users and administrators can add such exceptions manually. Another mode, called "On with no exceptions," prevents all potentially dangerous activity, which is particularly useful during wireless network operation.
The Internet Explorer "gold bar" is a toolbar-type GUI feature that gives end users a visual cue when pop-ups and ActiveX controls are trying to run. Users can configure, by author, whether ActiveX controls are trusted and can run automatically, whether to prompt for permission to run the controls, or whether to always block them.
The Security Center, embedded in the Windows toolbar, acts as a backup to the user's antivirus program, monitoring whether the A/V program is installed, whether it's on, and whether it's up-to-date. It also monitors for firewall protection and proactive patch management. The Security Center will notify and guide users to higher levels of protected use and offers administrators more management and configuration options. Both the Security Center and the Windows Firewall can be controlled either through Active Directory or via script in non-AD environments.
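The firewall modes described above (exceptions for individual programs, and "On with no exceptions") can be driven from a script in a non-AD environment; the batch file below is an added example, not Microsoft's own or the article's, and assumes the `netsh firewall` context that shipped with XP SP2 and a constructed program path and name.

```batch
@echo off
REM Added example, not from the article: script control of the XP SP2
REM Windows Firewall using the "netsh firewall" context (assumed to be the
REM SP2 version of netsh). The program path and name below are placeholders.

REM Baseline posture on every profile: firewall on, per-program exceptions honoured.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

REM One manual exception, the scripted equivalent of accepting the
REM "listening port" prompt for a specific application.
netsh firewall add allowedprogram program="C:\Apps\ExampleSvc\svc.exe" name="Example Service" mode=ENABLE profile=ALL

REM "On with no exceptions" for untrusted (e.g. wireless) networks: the
REM exception list is kept but ignored until exceptions are re-enabled.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=ALL

REM Verify the resulting state and the configured exception list.
netsh firewall show state
netsh firewall show allowedprogram
```

Re-running the second `set opmode` line with `exceptions=ENABLE` restores the normal posture once the machine is back on a trusted network.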
Spam and Whidbey
Spam was another key target of the Microsoft announcements; Gates discussed an initiative to reduce spam by improving filters, providing rich "safelisting" and reputation services, and the ability for legitimate bulk email providers to prove their legitimacy and prevent unwarranted blacklisting. Gates discussed a "caller ID for email" feature that will prevent domain spoofing. "Firewalls won't just be looking at the ports being used but at who's trying to use those ports," Gates said. That feature will be turned on by default in the SP2 release of Windows XP.
Gates spent only a few minutes discussing tools built into Whidbey that will help developers write more secure, less exploit-friendly code from the ground up, specifically mentioning only the PREfast technology, an analysis tool that checks buffer sizes and ultimately produces more reliable code. However, he said that "quality of engineering" was an inherent part of Microsoft's commitment to security and promised that there are "a lot of things happening in development tools that are going to get that application layer to be as secure as the other layers as they improve."