ECommerceTimes.com

OPINION
What If Microsoft Got Security Right?




Last week at the RSA conference in soggy California, Microsoft (Nasdaq: MSFT) presented the most comprehensive plan I've ever seen to address a security problem. Granted, they currently have massive exposure, but it caused me to wonder what would happen if everyone followed their lead and focused on the human aspects of the problem rather than just the technical.

From the Linux folks out there, I can hear the resounding "No" with regard to following Microsoft's lead in anything, but for those who at least think they have an open mind, let's explore this idea.

If you've been dealing with security as broadly and for as long as I have, you've likely come to realize that, done right, it is as much social engineering as it is physical protection or technology. If you haven't, let's work off the following example.

Is a person safer in a home with locks or a home without? What if the home with locks is in Baghdad and the home without locks is in the middle of a farm in the middle of a Quaker community? Under many circumstances, attacking the risk -- putting the home where there is no theft -- as opposed to increasing the protection is the more effective path, particularly if you don't want to spend lots of time locking and unlocking your doors and windows.

Linux Security Myth

For those who believe the myth that Linux is more secure than Windows.... Wait a minute, I'm betting you are one of those people, so maybe I should explain myself before going further. We don't need to do the "open isn't more secure than closed" thing again; I'll leave that to others.

The exploit being used against the Windows platform most often is not technical. In fact, the last set of viruses were distributed primarily by playing off the trusting nature of people. The vast majority of those same people don't run Linux today and, until they do, the belief that Linux would do better is a myth -- possibly true but as yet unproven.

Granted, the same viruses that have wreaked havoc on Windows networks wouldn't work against Linux, but Linux has security holes. Don't bet that a smart Linux programmer couldn't come up with a way to create an executable file that the user might want to run: "Hey, look at this really cool Linux game I found, it's kind of a pain to install but if you follow my directions...."

In fact, given where Linux and Unix are generally used -- hint, it isn't the desktop -- I'll bet most of the time when their security is penetrated, the penetration isn't reported. When I did security audits, I found the fastest path into a secure area was to effectively look for the key under the doormat. People simply don't think about security enough and, without knowing it, will often create exposures in an effort to simplify their jobs. In my experience, people are often the weakest security link, and no platform alone can fully compensate for this.

Now, I'm not even going to suggest that Linux is less secure, but if the exposure is people and people are gullible, then security at a product level might only make you feel more secure. You might not actually be more secure.

So, as far as I can tell, Microsoft is the only large firm really dealing with behavioral issues. They are putting up bounties on the folks who write viruses, putting together programs to fight spam -- I'd vote for a candidate in a party I hated if that candidate advocated comprehensive spam-fighting -- and they have proposed a personal security solution that goes one step beyond Sun by adding biometrics to the smart card. Passwords are inherently not secure.

Biometric Smart Card Sidestep

Forgive me as I sidestep for a moment and point out that while I was running the security and mobile group as an analyst at Giga, the one thing on which most security folks and e-commerce folks agreed was that neither smart cards nor biometrics alone were good enough. Smart cards could be stolen, and if someone captures biometric data from your finger, getting a new finger tends to be problematic. But if you could use biometrics to authorize the card, the card itself would be more secure, and there is much less likelihood that your biometric data would be compromised.

I figured that IBM (NYSE: IBM) or Sun would get this right first. I was fascinated that Microsoft might -- and I use the word "might" because it still needs to work in practice -- have beaten IBM and Sun to the punch.

OK, enough of this. The card is cool, but is not the major point here. The main question is, what happens if Microsoft got it right? Wouldn't the implication be that others who aren't doing similar things have it wrong? If the Linux folks will take their hands away from the keyboards and let me finish, I'll explain myself.

Approaching Security Methodically

The right way to approach a security problem is first to look at the problem and define it, then look at your resources and create a plan to best match the two to mitigate the problem. Too often, folks start with the product, and the end result isn't significantly more secure than what they came from because they either don't have the skills or the product doesn't really address the actual exposure.

Let's try a movie example to illustrate this point. I'm a big fan of "The Lord of the Rings." If you watched the first two movies and were going to advise the folks in Gondor's embattled city of Minas Tirith about what to do, you might conclude that the soldier and wall defense -- comparable to Windows monoculture -- really sucked and that what they needed were lots of Gandalfs or lots of tree Ents to come to the defense -- which would be comparable to bringing in Unix and Linux.

The only thing is that it takes several centuries to create a Wizard, and to grow a full-sized Ent probably takes a hundred years or more. The solution has to both address the problem and use resources you actually have -- including your existing skills inventory. In other words, you have to work your strategy around Minas Tirith -- taking into account the strengths and weaknesses of the city's defenses.

Focusing on the Real Problem

What Microsoft is showcasing is its realization -- which happens to concur with my own -- that fixing the platform itself isn't enough. You must address the other parts of the exposure, particularly the human part.

Now I'd like to leave you another what-if. What if, instead of creating an environment in which virus writers flourished and we constantly fought over whose ideology was better, we focused on making malware writers an endangered species along with their spamming cousins? Personally, I'd like a world where I looked at the Linux folks as part of the solution rather than constantly wondering if they are the problem. Instead of fighting Microsoft, why can't we all just get along?

Maybe part of this is because it is an election year here, and I'm just getting tired of the negative campaigning that goes on during this period. Maybe I want to live under the illusion that programmers on both sides of the fence are better than this. And maybe I'd like to think that if a firm, even Microsoft, did get it right, a few folks would stop, take a breath, and consider that addressing the broad security problem would make this a better world regardless of what platform they used.


Rob Enderle, a TechNewsWorld columnist, is the Principal Analyst for the Enderle Group, a company founded on the concept of providing a unique perspective on personal technology products and trends.




