Today I was the keynote speaker for Microsoft Ireland’s IT Professional Security Training Event. It was an interesting event for me from many aspects. Firstly it gave me a chance to get up to speed on a number of Microsoft Technologies such as their Intelligent Application Gateway Server 2007 and also to get an update on the progress thus far Microsoft have made with their Trustworthy Computing Initiative.
While I found the talks quite informative and very interesting, what really struck me was the attitude of the Microsoft employees towards security. It was clear from those that I met and talked to that security was not simply a cynical marketing ploy but was something ingrained into their approach and mindset. I have long talked about how we cannot simply rely on technology alone to make us secure but we must also ensure that we have the appropriate processes and, importantly, the people in place. From what I saw today Microsoft have taken many strides along the road to security. One of those people that I met was Dave Northey, who has the interesting job in Microsoft of “IT Pro Evangelist”. I have known Dave for quite a number of years and it was good to bump into him again. Dave has a pretty good blog and I suggest you wander over and have a look at it to get an interesting insight into what goes on in Microsoft.
This leads me on to the other Microsoft security issue that is prevalent today. Various security lists have been abuzz with talk about how systems running Windows XP or Windows Server 2003 and IE 7 can be compromised by how IE7 handles/mishandles URIs. I am not going to go into the details of it here, but if you would like more information then Microsoft have issued a security bulletin (Microsoft Security Advisory 943521) and additional information is available on the Microsoft Security Response Blog, while Brian Krebs also covers it in his Security Fix Blog.
What this issue does highlight is how much more complex our systems are becoming as we demand more and more usability, flexibility and interoperability. While this brings many benefits to us, it also adds huge complexity to our systems. Complexity is the enemy of security. The more complex a system, the more points of potential failure and attack. So what is the answer: do we forgo the benefits we so desperately seek, or do we keep our systems simple yet secure? That is a debate I think will run for a long time.
But as we wait for Microsoft to resolve this particular issue, let's take this as an opportunity to review how we mitigate the risks posed by our ever more complex systems. Do you have the right firewall architecture in place? Are you monitoring the right devices and systems for unusual behaviour? When was the last time you updated your security awareness program to ensure it is up to date and in line with current threats? Have you got a tried and tested incident response process in place to minimise the impact of the inevitable breach?
You will never be able to provide 100% security, but as the old saying goes, “you don’t need to worry about outrunning the lion that is after you, just make sure you outrun the guy beside you”. Making your network a tougher nut to crack than your neighbours' might be just enough to keep you far enough ahead of the lion.