By Gemma Simpson, 24 October 2007 12:08
Security threats continue to evolve as hackers find new targets for malware - and businesses have been urged to improve their internal communications to combat threats.
Speaking at the RSA Conference Europe 2007, Ben Fathi, corporate vice president of development for the Windows Core Operating System Division at Microsoft, said: "It shouldn't come as any surprise that as we improve the security of the operating systems and the infrastructure on the internet, the attacks are moving to applications and social engineering, including phishing scams."
There has been a 500 per cent increase in Trojan incidents, from one million in the second half of 2006 to more than five million in the first half of 2007, according to research sponsored by Microsoft and conducted by the Ponemon Institute.
The survey found three-quarters of companies that admitted to poor comms and collaboration between their marketing, privacy and security divisions had suffered from a data breach - whereas fewer than a third of companies that thought they had good inter-departmental communication reported breaches.
Fathi said IT security is not just about technology. "It's about people and processes too... We need to have the privacy folks talking to the security folks and the marketing folks to have good protection from data breaches."
The keynote also contained some details of the forthcoming Windows Server 2008, which is due to be released on 27 February.
Fathi said the code will be Microsoft's "most secure yet" and will not be released until it is secure. "That has affected our release cycle but it was the right thing to do for our customers," he added.

Comments
There are 3 comments.
1. Graham Coles
So they're saying Microsoft Server 2008 won't be released.
When will these muppets at Microsoft understand that you can't have 'the most secure code yet' without releasing it?
Security is, as they say, a process. Security of a product is not determined before release, but afterwards when people get to look at it, use it and try exploiting it. A lot of products released as 'secure' or 'the most secure' are broken shortly afterwards. Give it a year or two of real-life testing, then decide if it is secure or not.
This is just the typical bunch of M$ spin-doctors and salesmen talking. Like when they said Windows 2000 was their most reliable yet but suffered all manner of problems when people started using it.
2. Haydn Rees
I disagree fundamentally.
Microsoft has done the one thing the industry has been begging it to do for years, and this body of code is, at time of writing, absolutely secure.
We've been pleading with M$ to stop distributing appallingly bad software that is not fit for purpose, for beta test on paying customers.
Of course, the moment they release it, this ceases to be the case, probably rather catastrophically. I for one applaud this new and very welcome code control protocol from M$.
3. Graham Coles
Absolutely Secure?
Adi Shamir's first law of security states clearly:
'Absolutely secure systems do not exist.'
Therefore to talk of the code being 'absolutely secure' at this time is more to do with wishful thinking than reality.
I have no problem with M$ holding back a release until they *think* they have made it secure (which I agree is good practice), but this 'snake oil' language of making it seem the most secure OS on earth is utter nonsense (just as it was when they said it previously about XP).
Remember Vista? Microsoft claimed this was secure, they had even rewritten the network stack from scratch. Unfortunately, despite being new, recent, 'secure' code, it suffered a vulnerability that had previously been fixed in previous versions of Windows. Also consider the buffer overflow in the animated cursor attack on Vista. This is what happens when you get marketing people telling you their code is secure.
Any good security researcher knows there is only one true test for security, it's called time. New code is not secure, it may be believed secure by those who write it, (or analysts who would like it to be :-) but until it's been out there for a while, it's all just PR (like Oracle's 'unbreakable' database).