Microsoft's Katie Moussouris: Humans still the weakest link in security chain

• Despite more advanced use of the Web, users’ lackadaisical attitude to security is still an issue
• Windows 8 will have 'significantly better defense' against cyber-threats to come

AS THE world becomes more interconnected due to the expanding Internet and increasing globalization, software is increasingly becoming a target for exploitation, as it is often the weakest link that can be manipulated by cyber-criminals. And that painted target is going to get worse especially when you’re the world’s largest software company.
 
But for Katie Moussouris, (pic) who leads Microsoft’s security community outreach and strategy team at the Microsoft Security Response Center, having this target painted on Microsoft’s back isn’t her biggest frustration.
 
In an interview with Digital News Asia (DNA), before she comes to town for Malaysia’s premier cyber-security event, HITBSecConf, next week, she shares that getting developers and users to be fully committed to the concept of holistic security is her biggest headache.
 
“The three biggest challenges in my job are: getting developers to use the latest mitigation technology and security enhancements and tools provided in the development framework; getting users to apply the latest security updates; and getting third-party application developers to respond to security vulnerabilities with a thorough investigation and root cause analysis so that they can fix issues comprehensively once they are discovered."
 
When asked what must be done to address such challenges, Moussouris says developer training and communication can help with the first issue, and Microsoft has free tools and templates around the Security Development Lifecycle it uses for its own development process.
 
“For the home user, it’s about enabling Automatic Updates." She says that according to the Microsoft Security Intelligence Report, over 90% of computer compromises occurred via vulnerabilities for which an update was already available.

"If you’re taking care of an enterprise, quickly testing and deploying critical updates can help keep the devices of today safer from known threats,” she said.
 
She adds that large vendors like Microsoft have been refining their vulnerability response processes for years, but most third-party developers still don’t have consistent processes to ensure timely and complete fixes.

 
“Making sure to update all third-party software as well can help. And, if you need extra mitigation from unknown vulnerabilities, or want to enable the strongest mitigations in third-party applications that you didn’t write, then download and configure EMET, the free enhanced mitigation toolkit that you can use to help protect your computer."
 
Moussouris notes that for vendors who need help in implementing a robust vulnerability handling process, they can wait for the ISO standard, due to be published next year.
 
“Or [you can] get a head start by reaching out to me for tips on how to build or improve your own vulnerability response and remediation program,” she adds.
 
The new Windows’ security
 
So that was for the past and present. What about the future, with the impending launch of Windows 8 for desktops, laptops, tablets and phones?
 
According to Moussouris, Windows 8 incorporates a number of new and enhanced security mitigations, making it more difficult to exploit entire classes of vulnerabilities.
 
Among these improved protections are enhanced implementations of Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), as well as numerous Windows Heap and Kernel hardening measures that will be turned on by default. 
 
“For a detailed look at the new protections, check out Matt Miller and Ken Johnson’s BlackHat 2012 presentation. To try some of these new protections out on older versions of the Windows operating system, download and configure EMET, the free Enhanced Mitigation Experience Toolkit, which allows both end users and developers alike try out the new mitigations on older software or on third-party software,” she says.
 
As for Windows 8 mobile devices that run on ARM, they will have all of the new mitigations enabled by default, Moussouris says.
 
“Enforcement of the latest mitigation features on all applications for Windows 8 running on ARM will help users have more confidence in the security of their devices, she explains. “All of the new Windows 8-style applications on all platforms will have this level of mitigation enabled by default as well.”
 
HITBSecConf will take place from Oct 8-11 at the Intercontinental hotel in Kuala Lumpur. The conference will see over 42 of its most popular speakers over the years return to the stage in celebration of its 10th anniversary, and DNA is one of the official online media for the event.
 
For more stories on HITB, surf here.