• RSA Europe: Are you ready for security and privacy?

    Do you remember? In January 2002, Bill Gates sent a famous mail to all Microsoft employees and announced Trustworthy Computing. Since then it has become part of our DNA. The interesting thing to me is that the four pillars of TwC have remained the same (except for pillar four, which we had to rename). Today the diagram still looks like this:

    Trustworthy Computing

    The key focus of the early years was to get security right within Microsoft. We always stressed, however, that TwC is an industry initiative. Given that, it was natural that privacy would be addressed more and more over time.

    In parallel we had to learn that the threat landscape changed significantly. A few years ago we had vandals on the web attacking our systems and bragging about the success of their attacks – today we have organized crime going for money. To keep it simple, the landscape changed from cool to cash! The Security Intelligence Report we are releasing today shows:

    • 31.6 million phishing scams in H1 2007, representing a 150% increase over H2 2006
    • 500% increase in malicious code used to steal passwords / keystroke loggers
    • Microsoft's Malicious Software Removal Tool removed infections of Win32/Bancos and Win32/Banker alone from 615,220 computers in the last six months. Both bot programs are used to steal private banking data

    So it is pretty clear that Personally Identifiable Information (PII) is today the currency of the criminals.

    So, which roles in a company are working with PII? Security people want to protect it. Privacy people want to make sure it is being managed correctly. And the business wants to use it to generate business.

    Looking at the intelligence data, there is a question that has to be raised: How good is the collaboration between these roles? This is the key question we wanted to get some insights into. Therefore we commissioned a company called The Ponemon Institute, which specializes in privacy research, to survey more than 3,600 security, data protection/compliance, and marketing executives in the USA, UK and Germany. The research covered companies of various sizes and across many different industry sectors. This study is one of the key announcements Ben Fathi made in the keynote he gave at RSA Europe today.

    Let me take you briefly through the highlights (lowlights?) of the study.

    Collaboration pays off: One of the key questions you will get asked when you look into this is what motivation a manager could have to change something in order to make collaboration happen. The data is pretty clear and significant (we asked the companies whether they had had a "significant data breach"):

    Relationship between collaboration and one or more reported significant data breaches

    This data shows us clearly that good collaboration seems to lead to significantly fewer data breaches. The difference between companies with good collaboration and companies with poor collaboration is about 50%! So, you reduce the risk of losing PII significantly, and as the CEO is personally liable in a lot of countries, this might also significantly reduce the risk of the CEO going to jail.

    "But the collaboration is not poor": How good is the actual collaboration really? We asked the three groups, whether the business consults security and privacy when they use PII. Look at this:

    Is security/privacy asked when PII is used by the business?

    If you study this data, it is significant that the security and privacy people think that they are consulted but the business (e.g. marketing) does not really want to talk to us…

    Why is this the case? Do you remember that I have talked and blogged several times already on the necessity of security becoming a strategic value for the business? Security and privacy are, and have to be, business enablers. Is this really true? See the red bar in the following diagram.

    This shows clearly that the business sees privacy and security as hindering them in achieving their goals. I have to admit that I understand this. Security and privacy people tend to be paranoid and risk-avoiding (do not get me wrong, I am one of these paranoid, risk-avoiding people). We do not like to take risks – therefore we tend to say "no" to changes, to new ideas, to new business models… In my personal opinion, IT is here to serve the business, and security/privacy is here to help IT serve the business. There are clearly legal and regulatory boundaries as well as customer expectations to be met. But this does not contradict what I said; it is definitely in line with it.

    So, how shall we address this problem?

    I would love to be able to give you the "silver bullet" just in this section. Before I give you my view on the "solution", let me share a final data point with you. We asked as well whether the combination of the roles would make sense. Here are the results:

    This is interesting: If the collaboration does not work, people look for a combination of the roles; where it works, nobody cares about a combination!

    This leads to a simple conclusion: There is no silver bullet at all. The solution depends on the culture of the company, the culture of the country and a lot of other requirements around this. The solution to look for is probably pretty individual per company.

    Call to action:

    There are two things I would like you to do:

    • Go to your own company and look (honestly) internally. Ask yourself how the collaboration between security, privacy/compliance, and business actually works. How often did you have data breaches that could have been avoided? After this analysis, go out there and change!
    • I was asked several times now why Microsoft is doing this and whether we can give you a solution. I wish I could! The reason why we did this study and why we are going public with it now is that we want to open a dialogue within the industry on an issue that we are convinced is evolving and that we have to start working on now – otherwise we will fall behind the criminals again! So, participate in this dialogue and start doing that now – I am looking forward to receiving a lot of feedback and comments!

    If you want to get more information on this story, visit our website: http://www.microsoft.com/mscorp/twc/IAPPandRSA.mspx

    Roger

  • Anti-Phishing-Training

    Wow! Ever thought that you are a phishing expert? Ever tried to train your users? Carnegie Mellon University developed a game which trains you or tests your knowledge (wherever you are). I like it: http://cups.cs.cmu.edu/antiphishing_phil/

    Roger

  • Windows Cardspace – the sleeping beauty

    One of the problems I often see with some of our products is that they actually have some great features, but not enough people know about them. Sometimes I am meeting a customer and he or she tells me that they are just running an evaluation for a new piece of software. When you talk with them, they simply do not know that they have actually already bought this functionality – with Windows. One example is the RADIUS server. I have often met customers using RADIUS who had spent quite some money – without knowing that Windows Server already has one (for those who are looking for it: it is called Internet Authentication Server (IAS), or Network Policy Server (NPS) in Windows Server 2008).

    Another, newer example is Windows Cardspace: a cool part of the operating system that helps the user get back control over his or her personal information as well as passwords.

    The best starting point for you to understand how Cardspace works is the One-Minute-Demo you will find here: http://channel9.msdn.com/Showpost.aspx?postid=306082

    If you would like to get more information on Cardspace, the best starting point is: http://cardspace.netfx3.com/

    So, get familiar with it – it is a great technology to use; it gives the user back control in the privacy space and also helps to prevent phishing.

    Last but not least, if you would like to use Cardspace with your Windows LiveID, there is the how-to: http://winliveid.spaces.live.com/blog/cns!AEE1BB0D86E23AAC!931.entry

    Roger

  • Bill Gates and the Gates Foundation

    There is an interview on MSNBC with Bill where the readers could actually send in the questions. It is all about their foundation and pretty impressive to read: http://www.msnbc.msn.com/id/21212128/site/newsweek/

    Roger

  • Security Intelligence Report v3 is Live!

    I hope you read yesterday's blog post on the RSA story (if not, it is here). I mentioned the Security Intelligence Report there. SIR is now live in its third version, covering what we saw from January to June 2007.

    Let me point out some "highlights":

    Vulnerability Trends – Unfortunately, the trend of high-severity vulnerabilities continuing to grow holds for all software vendors. This is the figure from the report:

    Attacks are moving up the stack – obvious, isn't it? We have all known that for a long time. We have seen the phishing attacks in the past, we have seen the targeted Trojans, etc. However, in the last 6 months we saw a growth in phishing attacks of 150% compared to the second half of 2006. Targeted Trojans going for Personally Identifiable Information even grew by 500%!

    Vista massively less likely to be infected by malware – This is what we expected to see, but I am very proud of the way it actually turned out. Have a look (this is normalized, so independent of the number of executions of the Malicious Software Removal Tool):

    The same view but now by countries in Europe:

    So, there is much, much more data in the Security Intelligence Report, where you can even get data at country level (my friend Ole Tom – the CSA in Norway – showed me that the malware in Norway did not grow in the last 6 months :-)). So, go there, download it and have a look. If you want to get insights via webcasts, they will be on our portal as well.

    And here is the link: http://www.microsoft.com/security/portal/SIR.aspx

    Roger