MIAMI BEACH–It’s been a decade now since Microsoft began focusing on product security as a top priority and there have been a lot of successes and some failures along the way. But in that time, one of the things that most definitely has changed as a result of the Trustworthy Computing program is how difficult and expensive it’s become for attackers to compromise Windows machines. That’s not to say, however, that the fight has been won. It’s only beginning, in fact, a senior Microsoft security official said.
There are a lot of bits and pieces that comprise Microsoft’s Trustworthy Computing efforts, from developer training to exploit mitigations to outreach to the security researchers who spend their time attacking the company’s products. But the one thing that all of these initiatives have in common is that they’re focused on increasing the time, effort and investment it takes for an attacker to compromise one of their products. Increasing that degree of difficulty and level of spending by even small increments can provide much larger gains on the defensive side.
“For stealthy, reliable exploits, you need a lot of R&D and they’re shorter-lived now. It’s getting harder to find bugs and exploits,” Andrew Cushman, senior director of Trustworthy Computing security at Microsoft, said in his keynote talk at the Infiltrate conference here Friday. “The defender’s ethos is to increase attacker investment. Copy what works and keep plugging away. We’re in this for the long haul.”
Although the famous directive from Bill Gates on Trustworthy Computing went out in 2002, one of the first real watershed moments in the company’s efforts to lock down its products was the release of Windows XP SP2 in 2004. That was the first version of the OS to have the Windows firewall turned on by default, and included some other security upgrades as well. Cushman pointed to that as an inflection point for both Microsoft and the attackers who target its systems.
“Pre-XP SP2 was the golden age for exploits. Things have only gotten harder since then,” he said. “Those were the days. It was then that the executives said, we’re going to take the steps that are necessary to fix this.”
Those changes were not limited to Windows products, though. The company’s IIS Web server was a frequent and easy target for attackers in the early part of the decade, and that fact did not escape senior management at Microsoft.
“One of the low points of my career is when Jim Allchin stood up in a meeting and said IIS was a threat to Windows,” Cushman said.
Things have certainly changed since then, but that doesn’t mean that all is sweetness and light for Microsoft or the Internet at large. Sure, it’s become progressively more difficult to find and reliably exploit vulnerabilities in many platforms, but there are still plenty of other systems out there that haven’t caught up. And though life may be more challenging for the dedicated attackers and offensive teams out there, they’re not out of business by any means.
“Attackers are being squeezed from the top and the bottom. But low-skill exploits never go out of style. There’s lots of low-hanging fruit out there, 1990s technology,” Cushman said. “But for high skill exploits, the barrier to entry is growing. And there’s no shortage of vulnerable technologies that are going to come online in the next few years.”
Despite all of the changes, Cushman said, one thing has remained the same throughout the years.
“Attackers are never going to go away,” he said.