Risk
1/12/2012
02:21 PM
50%
50%

Microsoft Trustworthy Computing Turns 10: What's Next

10 years after Bill Gates famously declared a security emergency within Microsoft, the stakes are much higher. 'TWC Next' will include a focus on cloud services such as Azure.

Windows 8 Upgrade Plans: Exclusive Research
Slideshow: Windows 8 Upgrade Plans: Exclusive Research
(click image for larger view and for slideshow)
Gartner's Pescatore said the changes inspired by Gates' memo have largely worked. "You cannot say today that Apache Web server is more secure than IIS; before the memo it was easy to say that."

In his e-mail Thursday, Microsoft's Mundie acknowledged that the threats facing the computer industry have changed in the past decade and that the stakes are higher, given IT's ubiquity in almost every facet of daily life. Massive amounts of data are now stored in the cloud and accessed through mobile devices. "'TWC Next,' the ensuing decade-plus of Trustworthy Computing, will focus on the new world of devices and services. Everyone at Microsoft and the entire computing ecosystem has a role to play," said Mundie.

A big part of TWC Next is securing cloud services like Azure, said Microsoft Trustworthy Security director Jeff Jones, in an interview. "The computing environment today is drastically different than it was 10 years ago," said Jones. Among other things, Microsoft is formulating secure development lifecycles "specifically related to cloud services," Jones said.

[ What should be tops on CEO Steve Ballmer's to-do list? See 5 Moves Microsoft Must Make In 2012. ]

Microsoft also is developing technologies and practices to guard against the changing nature of security threats. At the time of Gates' memo, worms that could infect hundreds of thousands of PCs in days were the big danger. Today's cybercriminals are more focused on stealing valuable data from individual users and corporate PCs.

"The threats have evolved. Now you have professional criminal organizations targeting credit card numbers and other data through methods like phishing. As exploits get technically harder, attackers have turned to social means," said Jones. "The idea that you can keep people out completely when you have persistent and well funded attackers--that's something the community has to think about."

Protecting against the newer threats has meant adding features that can limit the damage if a user is exposed to an attack. Internet Explorer 8 and IE9 defend against unauthorized Active X executions, and on the client side there's the addition of barriers such as BitLocker in Windows 7 and Secure Boot in Windows 8, which guards against BIOS level attacks.

"We have to keep raising the bar. We have to be as committed today as we were 10 years ago," said Jones.

InformationWeek is conducting our third annual State of Enterprise Storage survey on data management technologies and strategies. Upon completion, you will be eligible to enter a drawing to receive an Apple iPad 2. Take our Enterprise Storage Survey now. Survey ends Jan. 13.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Janice, I think I've got a message from the code father!
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.