Real progress was made by Microsoft and its industry partners in 2005.
REDMOND, Wash., Dec. 21, 2005 —
In the ongoing challenge to deliver a safer, more secure computing
experience for PC users, Microsoft and its industry partners in 2005
made considerable progress on the security front with achievements such
as greater customer awareness of the existence of spam, viruses,
spyware and other security threats, as well as the availability of more
effective and powerful software protections against software attacks
and security breaches, which has resulted in improved security for
Microsoft customers.
“At Microsoft, we’re focused on protecting
customers from current and emerging cyber security threats,” says Mike
Nash, corporate vice president of Microsoft’s Security Technology Unit.
“Our strategy is to make the right technology investments, to provide
clear guidance to our customers about how to stay better protected, and
address industry-wide challenges through partnerships in the public and
private sectors.”
In looking at the past year, Nash adds, “The
deep investments we’ve made in technology are resulting in a more
secure computing experience for our customers. More than 250 million
copies of Windows XP Service Pack 2, which includes significant
security enhancements, have been distributed. Windows Server 2003
Service Pack 1, which is more secure by design and default and includes
the security configuration wizard, has been downloaded approximately 4
million times. Over 18 million customers are using the Windows
AntiSpyware beta to help protect themselves against spyware threats.”
Additionally,
Nash offers, these new tools, coupled with customers’ better
understanding of security best practices, are paying dividends. “We
look forward to continuing our efforts to build greater trust in
computing in 2006,” he says.
Jon Oltsik, senior analyst on
information security at the Enterprise Strategy Group, says in “Could
Microsoft Make Security a Competitive Differentiator?”: “Microsoft has
proven time and time again that its corporate focus equates with
execution excellence somewhere down the line. The company is now
delivering on security in a way that sets it apart from other software
companies.”
Microsoft’s security efforts are focused on three
areas: technology investments; prescriptive guidance and education; and
industry partnerships.
Technology Investments Progress
Microsoft
is making investments to achieve the highest level of quality in
Microsoft software, and to deliver security technology innovations in
the platform, security products and hosted security services. Over the
past 12 months, Microsoft has made significant progress in delivering
technologies across three key areas: fundamentals, threat and
vulnerability mitigation, and identity and access control.
- Fundamentals:
Microsoft’s Security Development Lifecycle (SDL)—an approach to the
entire software development process that incorporates security
holistically and comprehensively—expanded on the successful security
improvements made in Microsoft Windows XP SP2, with another year of
improved security fundamentals in a variety of products across the
company. By utilizing the SDL process during product development,
vulnerabilities in Microsoft Windows Server 2003 were reduced from 84
to 49 compared to the previous version of the product during the first
two-and-a-half years after shipping. This year also marked a new wave
of shipping products developed under the SDL process. These included
Visual Studio 2005, SQL Server 2005, and BizTalk Server 2006 Beta 2.
Microsoft introduced a series of improved software updating tools
throughout the year, and implemented a Software Update Validation
program that provides rigorous testing of updates before releasing them
to customers. Additionally, it was recently announced that Microsoft
Windows XP Service Pack (SP) 2 and Microsoft Windows Server 2003
Service Pack (SP) 1 received Common Criteria Certification, which
includes an evaluation of the broadest set of real-world scenarios of
any operating system platform today, and underscores the company’s
ongoing commitment to improving the security of its software.
- Threat and Vulnerability Mitigation:
Microsoft began development of several technology tools designed
specifically to defend and mitigate against a broad range of threats.
These included the acquisition of Sybari Software for enhanced
protection against malicious software for enterprise customers; the
announcement of Microsoft Client Protection, which will combine strong
anti-spyware tools, comprehensive virus protection and centralized
management capabilities for laptops, desktops and servers in business
systems; and the acquisition of FrontBridge Technologies to enhance
management and security capabilities for enterprise e-mail
environments. For consumers, Microsoft also delivered a beta version of
Microsoft Windows OneCare Live, a subscription service that takes much
of the work out of online protection, by automatically helping guard
against spyware, phishing attacks and other threats. Also released was
the first beta of Windows AntiSpyware—the most popular download in
Microsoft’s history, which is already helping to protect the computers
of more than 18 million customers. The Microsoft Windows Malicious
Software Removal Tool has been executed by customers 1.8 billion
times—an average of 200 million times per month—to help remove the most
prevalent forms of malware from PCs.
- Identity and Access Control:
Microsoft’s goal in this area is to help ensure that computing is
trustworthy, that corporate policy can be managed to dictate what
resources users can access, and personal and corporate information is
protected throughout its lifetime—wherever it resides. In 2005,
Microsoft acquired Alacris, a leading provider of strong authentication
solutions for digital certificates and smart card applications.
Microsoft also shipped enhanced identity control capabilities in Active
Directory, as well as Microsoft Windows Rights Management Services
(RMS) Service Pack 1, which offers customers further improvements in
how they protect their sensitive information, no matter where it
travels to, and even in the face of loss.
Prescriptive Guidance Progress
Another
area of activity for Microsoft security is educational outreach and
improved security guidance for consumers, IT professionals, software
developers and industry partners. For developers, Microsoft provided
intensive training for third-party developers on secure coding
practices and the SDL at the annual Microsoft Professional Developers
Conference. The company also continued to build on its 35,000 unique
pages of security guidance for developers and IT professionals by
launching a new online security curriculum called Learning Paths for
Security, organized around four key learning paths: Threats &
Vulnerabilities; Identity & Access Control; Regulatory Compliance;
and System Integrity. Microsoft also provided valuable guidance to more
than 30,000 IT professionals and technical decision makers through
Security360, a monthly webcast series focused on security topics that
includes commentary and guidance from security industry experts inside
and outside of Microsoft.
Based on customer feedback, Microsoft
made some major improvements in 2005 to its security communications to
help customers protect their PCs, including providing additional
guidance for customers through 15 security advisories as well as 96
entries on the Microsoft Security Response Center blog. Other new tools
in 2005 include advance notification for monthly bulletins,
notifications through RSS feeds and MSN Messenger Alerts and monthly
technical webcasts. These new offerings have helped address the need
for customers to have timely and prescriptive guidance from Microsoft
on security issues.
For consumers, Microsoft partnered with the
U.S. Federal Trade Commission (FTC) and the National Consumers League
to promote awareness of phishing scams, and with the National Cyber
Security Alliance to increase consumer awareness about security through
National Cyber Security Awareness Month in October 2005. Microsoft
continues to provide additional outreach and educational programs on a
global basis to consumers and to enterprise customers.
Industry Partnership Progress
In
2005, Microsoft continued to expand upon its partnerships with
governments and industry leaders to address the important challenges of
IT, including security, privacy, children’s online safety, phishing and
spam.
In terms of partnerships, one key announcement during 2005
was the creation of the SecureIT Alliance, a group of security partners
that are working together to develop innovative security solutions for
the Microsoft platform for the benefit of common customers. This
announcement was the latest in a number of partnerships Microsoft has
formed with the public and private sectors, including the Virus
Information Alliance, the Global Infrastructure Alliance for Internet
Safety and the Security Cooperation Program for governments.
Additionally, Microsoft is an active member of the Anti-Phishing
Working Group and the National Cyber Security Alliance.
On the
issue of spyware, Microsoft is a founding member of the AntiSpyware
Coalition, which includes some of the country’s largest technology
companies and public interest groups. Microsoft is also working with
the FTC and other agencies using current law to find purveyors of
fraudulent and destructive software.
In 2005, Microsoft
participated in Black Hat briefings and hosted two Blue Hat events,
with the goal of enhancing communications and relationships with the
security researcher community, learning how researchers attempt to find
vulnerabilities, and applying those learnings to developing more secure
software.
Microsoft continued its support of law enforcement
efforts worldwide to deter cyber crime. Major law enforcement activity
during the year included arrests in August by Turkish and Moroccan law
enforcement authorities of the alleged authors of the Zotob and Mytob
worms, less than two weeks after the worms were unleashed. Microsoft
helped law-enforcement agencies by providing technical support in the
investigation. In July, Microsoft announced an award of US$250,000 to
two individuals who helped identify the creator of the notorious Sasser
worm in 2004. The author of the worm, arrested in May 2004, was found
guilty this year by a court in Verden, Germany.
Because data
privacy remains a focal point for any discussion around information
technologies and computer security, in a speech before the
Congressional Internet Caucus in November, Brad Smith, senior vice
president and general counsel for Microsoft, detailed Microsoft’s
support for a “comprehensive” legislative approach to data privacy at
the federal level that would provide meaningful protections for
individuals, focused on preventing actual harm, and set clear
guidelines for businesses while still allowing commerce to flourish.
Microsoft
also worked on a broad range of issues with lawmakers to pursue and
support legislation to protect customers and combat online consumer
fraud, spyware, spam and privacy breaches.
A Look Ahead
Microsoft
plans to build on the momentum from 2005, with a continued emphasis
on security for the year ahead. This will require continued investments
in technology, educational outreach and work with industry partners to
help increase customers’ trust in computing.
One major technology
element in the 2006 security picture for Microsoft will be the release
of Microsoft Windows Vista. Specifically, customers of the Windows
Vista platform will experience security improvements in everything from
user account control and better support for smartcards to enhanced firewall
protection and improved security and privacy capabilities in Microsoft
Internet Explorer 7.0. Customers will also benefit from enhanced
information protection functionality in Windows Vista such as BitLocker
Drive Encryption, a hardware-based feature that addresses the growing
concern over corporate and customer data on lost or stolen machines.
Given
the increasingly sophisticated nature of software attacks and security
threats, Nash says that while 2005 was a positive year in terms of
industry advancement in security, there is more work ahead. “The
complexities around security require a broad approach, so we will
continue to enhance solution offerings like Windows OneCare Live and
Microsoft Client Protection,” he says. “Microsoft will continue to push
on all fronts towards our goal of trustworthy computing, but it will
take a strong and focused effort from industry partners, government and
law enforcement if we are going to reach our long-term goals of
providing a more safe and secure computing experience for every one of
our customers.”
Source: Microsoft Press Release