Microsoft Security Czar Issues Call To Arms, Launches New Security Certification

Scott Charney, Microsoft's chief security strategist, said Tuesday that he is working to adapt the company's corporate culture to make patch application more uniform and rational.

"Microsoft today has eight different installer technologies. Some patches register with the operating system, some don't. Some patch DLLs, some binary code," he said. "Every patch should have an installer and an uninstaller--a way to back out of the fix gracefully if needed."

A whopping 95 percent of hacking exploits occur after patches are published, so Microsoft and others want to make patch application easier so companies don't wait to apply them. The infamous SQL Slammer worm, for example, wreaked its havoc shortly after a patch for it was made available.

To bolster security efforts, Microsoft at TechEd 2003 launched a Microsoft Certified Systems Administrator security specialist designation and an analogous certification for Microsoft Certified System Engineer.


The MCSA security designation requires two exams in addition to the four existing MCSA core-skills exams. The MCSE security certification adds three tests. The exams are available now.

Microsoft also announced a partnership with Mountain View, Calif.-based VeriSign to integrate VeriSign's Managed PKI Services with Windows Server 2003 to provide what the companies described as a next-generation public-key infrastructure (PKI) platform later this year. The platform aims to address enterprise security needs, such as strong authentication for remote access, they said.

Microsoft clearly has something to prove when it comes to secure computing. At a Microsoft-hosted customer panel Monday, several IT professionals acknowledged that the perceived insecurity of Microsoft products has caused huge problems, and it really doesn't matter to a company CEO if the problems result from faulty software or from risky IT practices. SQL Slammer, for example, shut down many web servers a year into Microsoft's much-touted security initiative.

"It's Microsoft's fault and it's our fault also," said Gafar Lawal, director of architecture at Merrill Lynch. "We were vulnerable [because] our process did not handle the number of patches. We also took very seriously that our partner [Microsoft] had such a flaw in their code."

But Lawal and others said Microsoft is not unique in its vulnerabilities. "We have a Linux server that has three times the critical updates as our Windows server," said Nathan Hanks, managing director at Continental Airlines.

"All the guys hacking Windows are Linux guys." Continental was hit hard by SQL Slammer and "our CEO said we'd failed," Hanks said.

"We cannot have undocumented servers that are responding to anonymous queries ... that allow buffer overruns," Hanks said. "CIOs need people in place to figure out why port 1434 is open on publicly exposed firewalls."

Lawal said all companies need to have proper processes and personnel in place to deal with potential breaches.

He also said he was impressed with Microsoft's response to the problems. Gordon Mangione, vice president of SQL Server, hosted a conference call with all the affected CTOs, and within a day Microsoft was mobilizing resources, he said. "We don't get that from Microsoft competitors," Lawal said. "Having said that, we said some bad words."

Having one vendor throat to choke is helpful in crisis situations, and the Linux/open source alternative does not offer that, Hanks said. An IT pro can't go to the CEO and say that a server is down, "and hopefully some guy in Amsterdam" will get to a fix when he gets back from the "dope house," he said.