The Reality of Perception
Tim Mullen, 2003-04-07

A new poll finds that seventy-seven percent of security professionals believe Microsoft products are insecure. But a closer look at the survey tells a far more interesting story.

Recently, Forrester Research published an interesting analysis of a survey that polled security experts from 35 different billion-dollar-plus companies. The most notable statistic from the paper is that 77% of respondents marked "security" as their main concern "in the deployment of Windows."

Though many of the news rags picked up the analysis, with cursory coverage of the paper, I think it deserves a bit more examination.

For starters, 89% of those security experts went on to say that they deploy critical applications and services on Windows operating systems, despite their supposed security concerns.

Why would someone deploy sensitive applications on a platform that they think is insecure? My initial take is that even when it comes to multi-billion dollar businesses, these people just don't care about security -- not to the point where they'll actually do anything about it, anyway.

It all comes down to perception. For instance, the research paper quotes a pharmaceutical company representative as saying "You can't put the words 'Microsoft' and 'security' in the same sentence without laughing. Microsoft is features-oriented, not security-oriented. Security is simply not part of Microsoft's culture or its architecture."

Statements like this really chap my hide, because they are simply ignorant. Microsoft operating systems and software can most definitely be secured; the architecture and structure are there. But somehow the perception that they're inherently and hopelessly insecure still persists.

I think part of this perception is fueled by these companies' own actions -- or inactions, as the case may be. Of the 35 companies polled in the Forrester study, 77% also said they have experienced Windows-related security incidents within the last 12 months. When asked if they had any plans to change their deployment process for Windows installations as a result of these breaches, 41% said no.

So let's see if we have this straight: Seventy-seven percent of the hard hitters think Microsoft software is insecure, but don't care and deploy it anyway. Seventy-seven percent also had a security incident within the last 12 months (big surprise there), and even so, almost half say they have no plans at all of changing the way they deploy the software.

And yet all of this is Microsoft's fault.

The real kicker is this: Of those 77% who had an incident in the last year, 60% were hit by Nimda, and 54% by Code Red (which means some got both!).

Here's the deal: These issues date back to 2001, people! It is far too late in the game to play the "Microsoft security sucks because of Code Red" card. And if you are still getting infected with Nimda, then it's your security that sucks. Yes, I know it is crass and insensitive, but the truth is like that sometimes.

Saving the Customers From Themselves
So what is the next step? How can Microsoft fight perceptions that become people's realities? I think the interpretation of the survey by Forrester researcher Laura Koetzle is right on: Microsoft must implement a crack patch management strategy that makes applying a patch as easy as installing the software in the first place.

Regardless of whose fault it is for not patching and maintaining a Windows installation, Microsoft has realized that they must take responsibility for ensuring that patches make their way from the development team to the end-user's system. Before the popular perception of Microsoft's product security can improve, the company will have to move their vulnerability-handling finish line from "the patch is available" to "the patch is installed."

While I have no sympathy for people who don't patch against Nimda and Code Red, I do feel for those who labored through the SQL patch that fixed Litchfield's UDP exploit. It was arduous. Files had to be manually copied, SQL scripts executed, and executables run against instances. The lesson for Microsoft here is that they cannot require more expertise to load a patch than they do to load the application.

To this end, I am excited about what the future of Microsoft's patch management will bring. Word on the street is that Microsoft is already at work on developing a broad strategy and an accompanying set of fully-featured tools and services to provide customers with a road map of how to best meet their patch management needs. And I think it will make all the difference. While there are many current methodologies in place to address patch management, Microsoft sees the need to compile and expand the varied functions of SUS, Windows Update, MBSA, MOM, SMS, Group Policy, etc., into a comprehensive solution that lets customers finally wrap their arms around patch management.

As a security guy, it is easy for me to be critical of those who don't bother to learn how to secure the software they use -- and then complain to pollsters about it. But Microsoft does not have that luxury. The reality is that customers must be saved from themselves, and Microsoft's realization and addressing of that fact is yet another good step in the direction of "Trustworthy Computing."



SecurityFocus columnist Timothy M. Mullen is Vice President of Consulting Services for NGSSoftware.