Microsoft: Defence in depth is not enough

Defence in depth is simply not enough to create a secure computing environment, according to Microsoft's vice president of its Trustworthy Computing group, Scott Charney.

Kicking off the 15th annual AusCERT conference on the Gold Coast today, Charney said that the Internet largely remains an unsafe place to be — despite Microsoft's best effort to make it safe.

"When you think about defence in depth in the computer world, we've turned on firewalls, run antivirus, run anti-spyware, done user education, yet people sometimes get infected anyway, which tells you those things are not enough," Charney told ZDNet.com.au.

"A classic example is malware. We turned on the firewall on [Service Pack 2] by default to block the connection. We tell people to run antivirus in case they let something through the firewall, and anti-spyware. And then we do consumer education and remind them not to click on attachments from unknown sources. And then they click on attachments from unknown sources and get infected anyway. So when they come to us we run the Malicious Software Removal Tool, and for things that we recognise, we actually clean it up. It's classic defence in depth," said Charney.

And while pushing patches out to consumers has helped secure home users, businesses remain exposed.

"Automatic updates are great — getting upgrades to people quickly is great. But in the enterprise environment, bad guys can launch bad code far faster than good guys can test patches and deploy them. And with an increase in zero day vulnerabilities, you're not patching your way out of this."

There are two ways to overcome the challenges posed by the Internet in a world where there are thousands of independent software vendors, said Charney.

"We've done a lot of defence in depth against malware or against phishing schemes, but you can still do more. To enable more, you need better authentication, so that users can make better decisions about what's running on your machine," he said.

Charney also sees a major shift by software vendors to tie software more tightly to hardware to solve the problem of authentication.

"You need operating systems that are bound to the hardware, so that if it is tampered with you have a better chance of knowing, detecting and remediating the problem."

Talkback 3 comments

    windows genuine disadvantage Anonymous -- 20/05/08

    Funny only windows machines suffer from those problems. CURE: change your OS and make sure it is not made by Microsoft

    Not enough Bill Caelli -- 20/05/08

    Yes - Scott - they are not enough because the Windows OS - upon which this all depends - IS NOT ENOUGH. Who said so? Microsoft - with the "Palladium" project of almost 5 years ago! The USA's National Security Agency in 2000 - with the background to its Secure LINUX project. Oh, and Steve Ballmer - who in the 1990s clearly set the scene with the following attitude - we don't do security because the market isn't there.
    The key element IS the OS - a secure OS - not one that puts device drivers into the heart of security control and then wonders why rootkits occur! Intel solved that in the early 1980s with its 4-ring security design for the x86 CPUs - Microsoft and UNIX/LINUX did nothing with it!!
    The home-end user system today needs a "flexible" mandatory access control system with all parts clearly labelled and controlled - in an easy and flexible manner. Microsoft was on the right wavelength with "Palladium"/NGSCB but - well - nothing happened!! That's the real problem.
    Policy makers and politicians need to look at the ICT industry itself - just like they do with cars, air services, pharmaceuticals and most other industries and fulfill their duty of care to their citizens by exerting regulatory control over the ICT industry when it comes to safety and security - NOT blame the poor old end-user.

    The Only Cure Anonymous -- 04/08/08

    The only cure would be mandatory death penalty worldwide for anyone who creates a virus or malware. Otherwise it's much too lucrative and we will forever be stuck in a cold war with the malware and virus propagators. That'll never happen and so we are at an impasse. (as a side note, people who propagate spam should be huddled into a room and forced to watch Ron Popeil infomercials as punishment for their crimes)
