Last Thursday, November 14 2013, I had the privilege (as it always is) to take part in the Microsoft CIO Forum for large organizations. The opportunity to present to clients, partners and colleagues is one of the most rewarding tasks involved in my work as Technology Officer for this company.
I usually never, or almost never, post the details of this type of content on social networks. The truth is, there's a reason for that. Generally, because as soon you finish this kind of commitment you are already working on the next. But on this occasion I am going to follow the recommendation of some clients and colleagues and take some time to report the content of that meeting via this post. Less than a week on from that day, the messages are still fresh in my mind, and it is not too difficult to reproduce them almost word-for-word, as follows:
"Thank you very much for attending this session on Cybersecurity, which I have decided to call “Microsoft: now more than ever”. We'll talk about the idea encompassed in the title. We will also look at cybersecurity from the intelligence angle, with special focus on the Cyber Threat Intelligence program. Finally, we will talk about the security consequences of ending support for Windows XP, scheduled for April 2014.
1.- Microsoft: now more than ever
Few reflections convey the idea I want to share as well as this: “Experience is not what happens to a man, it is what a man does with what happens to him”. And this applies in the same way to an organization, in this case one like Microsoft. What has happened to us? What have we done with what has happened to us? And, most importantly, what experience have we gathered with what has happened to us?
What "happened to us" had a name. The years 2001-2002 and thereabouts saw the rise of Code Red, Slammer, Blaster, Nimda etc., when an important decision was made by the strong unquestionable leadership of Bill Gates, then Chief Software Architect at Microsoft (in addition to his role of President). The decision was called "Trustworthy Computing" and was intended to redefine the company's priorities, from that point on, with security, privacy, confidentiality and trust as the central focal points of all Microsoft business. "The party's over, folks". Security will always come first, before we even consider a new feature"
I'm not going to use this occasion to go into what Trustworthy Computing is. I am not exaggerating when I say that in 12 years I must have done that 200 times. But I will establish that moment and that date, 2002, as the start of a journey that led us, as a company, to become a leader in security, particularly in developing secure code. With many challenges and rewards along the way, as well as accolades that came from all areas. In 2008 we were even dubbed the "High Priests of Security"
In 2006, Gartner pointed to Microsoft as the undisputed leaders in Secure Code Development.
Trustworthy Computing is the only Microsoft "branding", not belonging to any product, which remains intact over 12 years later, with a structure led by Scott Charney, affecting everyone within the company. This includes the ability to veto the release of any product if it has not been developed with the criteria required by this process, which has done nothing but improve and grow for no less than 12 years. And that's a long time. That's a lot of experience gained. Twelve years of experience, in what is probably the most demanding environment in the world in terms of security means the accumulation of experience that, NOW MORE THAN EVER, is important to emphasize.
I've recently read about the massive security problems of Android environments, the clear target of malware, with a 400% increase in threats affecting Android Apps, including examples as recent as that of BadNews malware being downloaded millions of times. There are also the discoveries presented at the most recent BlackHat conferences indicating that 83% of the 400 most downloaded apps for Android are associated with security problems, and 91% of the apps for iOS, not to mention the most recent information from Karpersky in its latest report indicating that Android is affected by 97.5% of mobile platform attacks, accumulating a total of 120,341 mobile malware modifications on the system, an increase of 20,000 over the previous quarter. Thinking about this, I can't help but recall the dark days of 2002 for Microsoft, which ended up being an example of how to convert a crisis into opportunity.
Twelve years later, we see many manufacturers that need their own variety of "Trustworthy Computing". Of course, big companies like Google or Apple or Oracle (special attention to Java problems) will give security the necessary attention. But Microsoft's head start, with 12 years of experience, is significant, and now, when cybersecurity is such a huge priority, Microsoft's investment is more important than ever.
Cybersecurity has changed in four or five basic aspects:
ONE, attacks are coming from anywhere. Let's not look only to distant places in the east, but let's pay more attention close at home, where threats might also take us by surprise. And moreover,
TWO, they are aimed at any target. You do not have to be a bank to be the target of an attack. There are many attacks that seek to, for example, capture the intellectual property of a particular industry, and,
THREE, such attacks can be aimed at that industry and that industry only in order to obtain specific information and no other (an algorithm design, etc… ). These are Advanced Persistent Threats (APTs) and
FOUR, it's no longer about "Script Kiddies". Reverse engineering on these attacks has shown they are the product of truly professional development teams, which indicates the level of professionalization and commerce behind these activities. AND
FIVE, technology is vulnerable. Full stop. There is no such thing as 100% invulnerability. It is therefore VERY important that when we are making ICT-related decisions, security is considered in its broadest sense and that we ask questions along the lines of: What are this manufacturer's criteria for safe development, if any? SDL? How agile are its mechanisms for responding to security incidents? Does it have proven systems for fixing problems and "tested" Update distribution? Does it maintain spaces for collaboration with the industry, clients, users on the subject of security? Does it certify security technology and processes with international bodies such as ISO? Common Criteria? Does it maintain a clear willingness to help me meet to my legal obligations in areas such as security and privacy? etc.
Microsoft's answer is affirmative and definitive for every single one of these questions.
2.- Cybersecurity from intelligence. Cyber Threat Intelligence Program
If you were only going to pay attention to one slide, I would choose this one. I've named it Global Telemetry, and it includes different mass information sources that Microsoft analyzes and obtains security intelligence from, which it subsequently shares. Each of them separately would be an amazing source of information in itself. The combination of all of them together means that we are without doubt looking at the largest Security BigData collection that can be accessed today. In fact, it is defined in this way by some CERTS with which we share this information.
We process billions of data points that at the statistical level show us more of a snapshot of reality than just another statistic. We are talking about information pooled from: MSRT (tool present in 600 million PCs throughout the world), on-line Microsoft systems that allow you to analyze patterns of malware distribution, Internet Explorer and anti-phishing info, Anti-malware such as Security Essentials, BING (with billions of pages scanned per week, gives us a snapshot of malicious websites), and Hotmail/Outlook.com, which basically shows us patterns of Spam and other threats.
The sum of this information is simply AWESOME. And with it we do two things. On a quarterly basis, we use it to prepare an excellent report which many of you will be familiar with, called the Microsoft Security Intelligence Report, accessible at www.microsoft.com/SIR, but we have also made this massive amount of data available as a cloud-based service, offered in almost real time (half-hour difference) to CERTS such as INTECO in the case of Spain, encompassing the data relevant for our country. In the words of the CERTS themselves: "Pure Gold". Very particularly for effectively combating botnet networks.
The agreement is called Cloud-Cyber Threat Intelligence program, and was signed by Orlando Ayala, VP of Microsoft Corp. and Victor Calvo Sotelo, Secretary of State of telecommunications and information society (SETSI) in June 2013, having a huge international impact, given the pioneering nature of the agreement.
Some of the data that this Global Telemetry provides us with, included in the above-mentioned Microsoft Security Intelligence Report, gives us very relevant information regarding cybersecurity.
I will not mention more than 2% or 3% of the information gathered in this report. I invite you to consult it at your leisure if I have piqued your interest.
But I thought it seemed relevant to share some data, such as for example: the protection associated with the use of some security software (7.1 times greater) or infection patterns in the most exposed countries such as Iraq, Pakistan, or Korea, or other countries from which to learn security lessons due to their very low infection ratios, such as the case of Finland, Denmark and Japan.
It is equally interesting to watch the evolution of vulnerabilities in technology, and to see how a high percentage of attacks find their way through the applications installed, or how, along the lines of what has been mentioned in this talk, the percentage of vulnerabilities in Microsoft products compared with the ICT industry total is 3.1 %. Believe me,
we have not always been able to "boast" this figure. There is still a lot of work to be done, but there is not the slightest doubt about the huge results obtained by Microsoft's efforts in this area over the last decade.
Also especially interesting is the data pointing to Java and Adobe-type PDF readers as responsible for high levels of infection.
In Spain, someone has been doing a very good job over the last 2 to 3 years. We have gone from being one of the countries with the highest infection rates, clearly leading the European picture, to having very similar rates to our neighbors. Can the public sector take credit? The private sector? Both? The point is that the rate has fallen, and I'll leave a "medal" for anyone who wants to pick it up.
And finally we arrive at some of the other most interesting statistics (I prefer to call them "snapshots of reality" when we are analyzing billions of samples) regarding Operating Systems.
The chart is self-explanatory. But focusing on the data, I can tell you with this amount of data in hand that NOWADAYS YOU ARE 14 TIMES MORE LIKELY TO BE INFECTED BY SOME TYPE OF MALWARE FROM A SUPPORTED XP WINDOWS PC THAN FROM WINDOWS 8.
And this relates to the final part of this presentation:
3.- End of Support for Windows XP
On April 8, 2014, Microsoft will stop providing support for the latest supported version of Windows XP, which is Windows XP SP3. This means, among many other things, that Microsoft will not develop any more hotfixes or security updates for this operating system.
The National Cryptologic Center itself (CCN-CERT) already issued an alert about this situation in February 2013, classifying the level of risk associated with staying with an unsupported system as very HIGH.
What a nuisance. But… Do we really realize how much time has passed, especially in the technological sphere, since 2001, the release date for Windows XP?
Is it a long time? A short time? Let's think about that year. These images can help us to realize how much time has elapsed. We paid for the first Windows XP computers in PESETAS . Some of us even connected to the Internet using Infovia Plus (and the only real "voice over IP" I remember is the one my family used to "hang up" the Internet, because somebody had to talk on the phone ). The cell phones in the photo were the bricks we had at the time and, of course, that was the last pledge of allegiance. The last year of military service. In short… A whole lot of time has passed… We all also remember what we were doing and where we were that fateful September 11, 2001.
Do we really expect to confront the present security challenges with technology from the year 2001? I don't think so. In fact, look how technology has responded over time to the security challenges that have arisen in each era.
In fact, the biggest advances from one Operating System to the next come in the form of security. In view of this image… Do we really believe that we will be able to contend with the threats of 2013 equipped with technology from 2001?
But this is not the only problem. Think about it. From that moment in April 2014, the "attackers" will have full advantage over the "defenders". Let me explain: when Microsoft fixes a security issue that affects multiple operating systems, the update is published for each of the OSs affected by the same vulnerability. Fine.
From that time, when Microsoft publishes the solution to a vulnerability, and distributes the corresponding Updates to supported operating systems (Windows 7, 8, Vista, etc.), the first thing an attacker will do is check (using reverse engineering) whether this update fixes a problem that would also exist in Windows XP. And if so, they will have all the clues in the world to develop an exploit of this vulnerability, with the certainty that this exploit could operate for ever and ever, given that Microsoft will not be developing any more Updates. This is what is known as a ZeroDay, but forever.
It didn't take too much effort on my part to find pages such as this with the title: "XP's retirement will be hacker heaven". In fact, the article delves into the real business surrounding exploits of Windows XP, reporting prices from $50,000 to $150,000 for a ZeroDay exploit (i.e., an exploit that is distributed when the manufacturer is aware of its existence, giving a time window of use of between 15 days and two months, the time that the manufacturer takes to develop the update).
So, if you were a hacker and you were looking for vulnerabilities in Windows XP... Would you publish them now, knowing that Microsoft is going to correct them quickly or rather would you wait until April 9 knowing that Microsoft will not correct it and you will therefore have a "ZeroDay" forever? Let's not kid ourselves. It is pure business. And this exploit will probably have a higher price.
Therefore, failure to make a decision about Windows XP is already a decision… and I'm afraid a very risky one, because if today we have detected that you are 14 times more likely to be infected with a supported Windows XP OS than with Windows 8…how many times more likely are you to be infected with an UNSUPPORTED Windows XP system than with Windows 8.1? I'm afraid the likelihood could be in the triple digits.
And frankly, from a security perspective, I can think of no measure as effective as migrating from Windows XP to Windows 8, 8.1, or even 7. This measure alone can increase IT security in many, many respects.
No wonder Windows 8 is probably the most secure operating system that has ever been developed. Basically because it is clear that we know what we are talking about when we talk about security. Which brings me back to the title of this talk: Cybersecurity: Microsoft, now more than ever!