Microsoft on Security: Actions Speak Louder than Words

• By Jabulani Leffall
• June 21, 2010

In his latest book, "Cyber War: The Next Threat to National Security and What to do About It," former White House security adviser Richard A. Clarke goes in hard on Microsoft, asserting that its dominance in the OS market is a key component to "weaknesses" in national security.

Why has the response to IT security been so lax? Well, in his book, the software giant comes in at reason number five. Clarke uses Redmond's relationship with NASA to drive the point home

Microsoft's software products, Clarke suggests, weren't originally intended for critical networks. "(Microsoft's) original goal was to get the product out the door and at a low cost of production. It did not originally see any point to investing in the kind of rigorous quality assurance and quality control process that NASA insisted on for the software used in human space-flight systems."

Despite his rigidity on all things security-related, Clarke's next edition of the book will likely need some revising where Microsoft is concerned.

As it has demonstrated with this Security Development Lifecycle program and other calls to arms across the tech ecosystem, Microsoft is actually using its position in the marketplace to lead the discussion on security issues.

 Here are three recent examples of threat response, product innovation and community collaboration:

Microsoft reacts swiftly to SharePoint patch issue
Jerry Bryant, a spokesman for Redmond's Security Response Center, said Monday that Microsoft is currently investigating new public claims of a possible installation issue involving a bulletin (MS10-039) issued in the June update.

This comes after early reports this week that the "important" patch, intended to snuff out and curtail three bugs affecting SharePoint Server 3.0, was causing systems to brick after they were installed.

Other than outright system crashes, there were instances of installation that resulted in error messages reading, "Unable to connect to the configuration database," and a system freeze.

"We will make further guidance available if necessary once our investigation is complete," Microsoft's Bryant added in a prepared statement.

Microsoft helps admins comb security network with NAP
The latest tangible example of Microsoft taking security seriously from a product standpoint is the recently-released Network Access Protection product (NAP).

 NAP is made specifically for Windows enterprise pros with a Windows-only client environment, combining endpoint security functions along with optional authentication. Under the system, the NAP client uses Windows Security Center as a barometer for integrity of the network. This includes endpoint security checks, anti-viruses, anti-spyware, firewalls and automatic patching. Even though the program is Windows-specific, the NAP client "health check" is interoperable with any third-party system health checker (provided that the app is NAP compatible).

According to Redmond, NAP allows network administrators to "define granular levels of network access based on who a client is, the groups to which the client belongs and the degree to which that client is compliant with corporate governance policy."

Microsoft spearheads Identity Theft Clearinghouse
Microsoft recently got together with the National Cyber-Forensics and Training Alliance (NCFTA), the American Bankers Association, global payment routing provider Accuity, the Anti-Phishing Working Group, eBay, PayPal, the Federal Trade Commission and the National Consumers League to form the Internet Fraud Alert center.

The center will serve as an incident-reporting hub. Per the collaboration, stolen payment card numbers and online banking account logons will be routed to the issuing banks as a form of faster notification. Those banking institutions would then (in theory) be able to faster contact their own customers, suspend the accounts or pursue legal remedies.

In the end, the issue with mentioning a company or organization as an aside to illustrate a larger security issue - as Clarke did - is that the overall threat landscape is constantly evolving and changing with each login, each page load, each server message.

Even though that more pragmatic reality doesn't sell books or garner mention in blogs, security experts (such as Clarke) should probably factor that into their critiques.