It's No Joke, Microsoft Got This Security Question Right

Kachina Shaw

There are two schools of thought on the intersection of computer security and computer users.


Some say that IT should be left to the IT pros -- that's why they're called pros -- so that end users can focus on business activities. The successfully configured system is implemented and maintained by a constantly vigilant IT team that uses layers of security to create a reliable and safe work environment for end users. Period.


Others counter that there's no need for ignorant end users. Indeed, the less they know, the more problems they cause, so better to keep them involved in some way, lest they become too comfortably oblivious of how difficult it actually is to protect their digital lives and how easily it can all go downhill because of some clueless move. Or because of a more sinister or at least deliberate user move -- some users need to be clued in to how their actions are being monitored by the security pros, too.


Apparently, last week at the RSA Conference, Microsoft's David Cross told an audience that the much-maligned User Account Control (UAC) feature in Windows Vista was actually designed to "annoy users," reports Information Age.


Well, of course it was. And it surely did. Hence the whining and protesting, during beta OS testing and afterward, that the feature was ... highly annoying.


But the larger goal here was to raise users' awareness level, along with the focus from independent software vendors on making their applications more secure -- and thus less annoying to users dealing with the UAC's pop-up warnings when those apps didn't adhere to requirements set by the OS.


Was it successful? Cross says initially 80 percent of those UAC prompts were caused by 10 applications and the total number of sessions containing prompts is falling, according to PC Retail Magazine.


Further, says Cross, 88 percent of users have not disabled UAC, as critics predicted they would, and they are not just clicking away without reading and taking in the warnings.


And it's not just the users who are embracing the knowledge foisted upon them by the UAC. Kaspersky Labs, after dissing the feature a year ago, has joined security firms like Symantec, which said all along that it was a necessary inconvenience.


As much as many of us would love to avoid responsibility for any aspect of protecting our own work, data or hardware, aside from a password here and there, we as users just can't remain in the dark much longer. IT knows it, too, but often is in as much denial as the rest of us. Positive Networks' Evan Conway told IT Business Edge blogger Carl Weinschenk in a February interview that when his firm surveyed IT security pros at small companies and enterprises, 20 percent had experienced a personal data breach -- and 20 percent had also experienced a data breach in their companies. The consensus among those IT pros was that stronger security, specifically two-factor, was necessary but not present within their IT departments. And the breaches just keep happening.


Looking forward at the RSA Conference, Microsoft officials spoke of layering in old-school (but effective) offensive tactics like whitelisting applications, as well.


In a world of rapidly evolving malware, a shift toward SaaS, and organized criminals who need not fear breaking a sweat whether they're after personal data records by the millions or government secrets, we're a long, long way from "most people don't even know what a rootkit is," and Microsoft is on the right side of keeping both IT professionals and end users aware of security.

Apr 17, 2008 12:04 PM Lisa says:

OK, so this addresses the MAC commercial!!! MAC doesn't have this because it is all proprietary and since no one else can make anything for a MAC, you lose the free enterprise and all the jobs!!! Security is going to be a risk when you open up the playing field!
Apr 25, 2008 3:11 AM Danny Lieberman says:

Kachina,

Kudos on a thoughtful post on the Microsoft UAC feature as a way to increase user awareness. You quote Carl Weinschenk in a Feb interview: "when his firm surveyed IT security pros at small companies and enterprises, 20 percent had experienced a personal data breach and 20 percent had also experienced a data breach in their companies. The consensus among those IT pros was that stronger security, specifically two-factor, was necessary but not present within their IT departments. And the breaches just keep happening."

There are a number of painful vendor-sponsored quotes in the post that did not receive critical analysis:

1) "The data breaches just keep happening." The data breaches keep on happening because data vulnerabilities continue to be unmitigated. Most security breaches are due to attacks by insiders and most insider attacks are made possible by people that exploit software application vulnerabilities. UAC is an arguable step in increasing awareness but it is not a countermeasure to software vulnerabilities.

2) "two-factor is necessary." Two-factor authorization is not a relevant countermeasure for internally launched threats when performed by authorized users (employees, outsourcing contractors and authorized agents of the company). It is understandable that vendors tout their wares at a vendor-sponsored conference like RSA - and lest we forget, RSA has two-factor security products and a vested interest in attempting to link these products to customer pain. As a matter of fact - the economics of the current security product market are inverted to the needs of the customer organizations. RSA has no economic incentive in reducing data breaches and mitigating vulnerabilities, since that would reduce their product and service revenue.

3) "white listing applications is an effective tactic." At the RSA conference, Microsoft officials spoke of layering old-school (but effective) offensive tactics like white-listing applications, as well. How is white-listing a vulnerable application supposed to reduce the probability of an authorized user using the application to steal data? For example - an Oracle user organization would certainly white list the Oracle Discover application since Oracle is a trusted ISV. However - users with privileges to use Oracle Discover can access the database and steal data. Application/database firewalls like Imperva do not have the technical capability to detect or mitigate this exploit and therefore are not an effective security countermeasure.

Vendor marketing collateral and FUD, riding the compliance bandwagon, attempts to build a franchise around PCI DSS etc. are simply not replacements for identifying your vulnerabilities (human, technical and software), identifying the threats to your most sensitive assets and mitigating the threats with the right, cost-effective countermeasures dictated by practical threat analysis - not by quotes from vendor sponsored conferences.

Sincerely,
Danny
