I’ve been at the excellent Interop show in New York and have attended most of the Information Security and Risk Management sessions that have been delivered by a truly impressive line-up of speakers from all the big security firms.
It’s not that surprising, but the common themes coming through are that cybercriminals are getting sneakier, threats are more sophisticated, and dealing with them is increasingly complex.
Here’s an example: phishing begat spear phishing, which in turn is giving way to whaling, an emerging attack technique that involves targeting a high-value individual and conducting incredibly deep research about that person to craft a highly personalised attack which, if successful, will result in a huge payday. If Brad Pitt and George Clooney in the film Ocean’s Eleven were cybercriminals, they’d have been “whalers”.
Security expert after security expert impressed delegates with increasingly fascinating tales of cybercriminal ingenuity along with guidance on how to protect against it.
But I couldn’t help thinking that perhaps a point was being missed; all the discussion was about dealing with the symptoms of cybercrime, but no one wanted to talk about the root cause of cybercrime. By that I mean that behind every cyber-attack there’s a person, or group of people, scheming and planning to do something illegal.
So what’s my point? I guess it’s that of course we must defend against cybercriminal attacks, and the security solution companies, of which Microsoft is one, do a great job. And of course, it’s important that developers of software, of which Microsoft is also one, do a better job of developing code that is hard to exploit. And lastly, organisations of all kinds, again Microsoft included, need to continue to educate people and help them avoid becoming victims.
We can and should do all those things, but cybercriminals will still be there, still being the root cause. Dealing with them is slow, complex, unglamorous, time- and resource-consuming, and frustrating work. But putting cybercriminals out of business is what we have to strive to do if we are serious about the cybercrime problem.
For us at Microsoft, security is an all-in thing. We work hard to make our software secure; to make security solutions with which our customers can protect themselves and their data; to help keep customers more secure in the face of emerging threats; to research and understand future threats; and, here’s the point, to partner with law enforcement to address the root cause of cybercrime. Take a look at how we partnered with law enforcement to take down the Kelihos botnet to see what I mean.
Check in with us from time to time to see what else we are doing in security, privacy and reliability.