Its Getting Cheaper to
Deal with a Single Platform"> Pescatore said that the debilitating network worm attacks of 2003 and 2004Slammer, Blaster and Sasserforced businesses to think seriously about the monoculture risk but that the combination of Microsoft security improvements, a predictable update release cycle and patch management tools makes it "much cheaper to deal with a single platform." Richard Stiennon, founder and chief research analyst at IT-Harvest, of Birmingham, Mich., said the monoculture issue remains a front-burner topic in his discussions with clients. "I always recommend different platforms for different purposes, even with all the economic considerations associated with that," Stiennon said."We have not done much to heed [Geers] warning other than spend a lot of money to protect the monoculture," he said.However, there are signs of progress. Even today, beyond the desktop operating system, Gartners Pescatore said that there is more heterogeneity in Internet-facing applications. "Firefox continues to gain market share, and the Apache Web server has higher market [share] than [Microsofts] IIS," Pescatore said, arguing that the threat landscape has changed significantly from the days when malicious attackers were launching disruptive network worms. As network administrators ponder the end of the worm era, for-profit malware attacks have grown dramatically. According to information culled from Microsofts MSRT (Malicious Software Removal Tool), the biggest threat on the desktop comes from bots and Trojans that hijack computers for use in botnets. David Cole, a senior director in Symantecs security response unit, in Santa Monica, Calif., said his units virus hunters are seeing about 800 botnet command-and-controls daily, each commandeering as many as 25,000 infected machines. "The order of magnitude of the botnet problem is immeasurable," Cole said in an interview. Microsofts Fathi: Vista security is becoming a reality. Click here to read more. Using Symantecs numbers, Geer estimated that more than 15 percent of all desktop computers are controlled by malicious hackers. "You can look at it two ways. Were not seeing worms because the protections are getting better. Or, the people who were writing worms have figured out they can own the machine forever and make money from it," Geer said. "I think the botnet operators already have all they can eat." Given that businesses have been slow to diversify, security fully rests with Microsofts ability to secure Vista, and the early signs are promising. As part of an ambitious mission to make Vista the "most secure operating system ever," Microsoft made a series of significant tweaks to help thwart the spread of malware. The most important change, called UAC (User Account Control), is a default setting that separates standard user privileges and activities from those that require administrator access, making it nearly impossible for virus writers to execute harmful code in sensitive parts of the operating system. Microsoft also summoned the crème de la crème of the hacking community to its Redmond, Wash., campus to launch simulated attacks against Vista and implemented a new strategy called Windows Service Hardening that aims to reduce the risk of wormable flaws through improved testing and development processes. Independent security researchersincluding some of Microsofts harshest criticshave given Vistas security makeover a big thumbs up. "Theres no doubt that Microsoft is trying to step up to the plate," said Rick Fleming, chief technology officer at San Antonio-based security company Digital Defense. "They made huge strides with [Windows XP] SP2, and I think Vista will push the envelope even more." Dave Aitel, a staunch open-source advocate and vulnerability researcher at penetration-testing company Immunity, of Miami, said he believes the most vital security upgrades will come from advancements in computer hardware. Aitel cited the NX (No eXecute) technology being built into chips from Intel and Advanced Micro Devices that will effectively prevent code execution within data pages such as default heaps, stacks and memory pools. John Quarterman, a risk management expert at InternetPerils who co-wrote the report with Geer in 2003, was dismissive of any suggestion that the Internet has become safer because of Microsofts software security improvements. "We have criminal entrepreneurs doing big, big business on the Internet, using computers that are not secure. This is not rocket science; this is an effect of the monoculture," said Quarterman in Austin, Texas. Rebecca Bace, another co-author of the monoculture warning, said she sees Microsofts aggressive push into virtualization technology and gets the feeling that the company "is coming around." Citing a recent Gartner report that predicted Vista will be the final version of Windows in the current, monolithic form, Bace said its clear that Microsoft understands that virtualization can help to break the monoculture. "Theyre now saying, Perhaps this is a way we can defend ourselves," said Bace in Scotts Valley, Calif. Cyber-insecurity: Then and now Three years ago, a report, "CyberInsecurity: The Cost of Monopoly," was released. Heres a look at what the report concluded and what has changed since.
Then "Most of the worlds computers run Microsofts operating systems, thus most of the worlds computers are vulnerable to the same viruses and worms at the same time."
Status No progress. The world still runs Microsoft, and the malware keeps coming.
Then "Because Microsofts near-monopoly status itself magnifies security risk, it is essential that society become less dependent on a single operating system from a single vendor if our critical infrastructure is not to be disrupted in a single blow. The goal must be to break the monoculture."
Status Slow going. Technology executives are dabbling with Linux, but the monoculture is here to stay.
Then "A monoculture of networked computers is a convenient and susceptible reservoir of platforms from which to launch attacks."
Status Status quo. That convenience of one platform means less management expense. So far, companies are going with lower costs over susceptibility.
Then "Governments must set an example with their own internal policies and with the regulations they impose on industries critical to their societies. They must confront the security effects of monopoly."
Status Little progress. Capitol Hill hearings and studies into "cyber-diversity" havent prodded the government to change its reliance on Windows.
Source: "CyberInsecurity: The Cost of Monopoly"; eWEEK reporting
Check out eWEEK.coms for Microsoft and Windows news, views and analysis.