Scott Charney: Windows 8 has extensive reliance on TPM; Flame & Stuxnet will hurt individuals; Offense beats defense

Here are some of the key points from the presentation by Scott Charney, Corporate Vice President at Microsoft:

  • “Response in the physical world depends on who is attacking and why, but on the internet, we often don't know this information”
  • “We need to focus on creating an environment that is more effective in controlling the use of data”
  • Windows Server 2012 (then called Windows 8 Server) supports claim-based Dynamic Access Control to restrict access to data
  • Windows 8 supports Secure Boot, remote attestation, UEFI and Early Launch Anti-Malware (ELAM)
  • Rooting security in the hardware is increasingly essential
  • You will see extensive reliance on the Trusted Platform Module (TPM) in Windows 8
  • Metadata attached to data and linked to a rules server could give users control over how that data is used
  • “Security messages and alerts are traditionally built by geeks, for geeks. We need to carefully tune the messages we give to users to allow them to make intelligent decisions.”
  • There are three forces creating change in IT security: Big data; Role of government; Evolution of cyber threats
  • “In the US when you apply for a loan, they look at your friends’ credit ratings and other public information not collected from the applicant”
  • Offense usually beats defense online
  • “Determined and persistent attackers will eventually get in, so we need to adapt security strategies.”
  • Cyber attacks like Duqu, Stuxnet and Flame will inevitably hurt private companies and innocent people as well as governments
  • [The industry] needs to shorten privacy statements so that they tell the audience only the non-intuitive things
  • There are four main classes of vulnerability: supply chain vulnerabilities; software vulnerabilities; mis-configured systems; social engineering attacks
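The claim-based Dynamic Access Control mentioned above, as an added PowerShell example (not code from Charney's talk or from Microsoft's documentation). It assumes a Windows Server 2012 domain controller with the ActiveDirectory module, and the KDC policy "KDC support for claims, compound authentication and Kerberos armoring" already enabled so that Kerberos tickets carry user claims. The "Department"/"Finance" names, the claim ID and the SDDL policy are illustrative choices, not defaults.

```powershell
# Added example: minimal claim-based Dynamic Access Control on a Windows
# Server 2012 domain controller. All names and the policy SDDL are illustrative.
Import-Module ActiveDirectory

# 1. A user claim sourced from the AD 'department' attribute. The explicit -ID
#    keeps the identifier stable so the conditional ACE below can reference it.
New-ADClaimType -DisplayName "Department" `
    -SourceAttribute "department" `
    -ID "ad://ext/Department" `
    -Description "User's department, issued as a claim in the Kerberos ticket"

# 2. A matching resource property: the metadata stamped on files and folders.
#    The "_MS" suffix is the convention Windows uses for resource property IDs.
New-ADResourceProperty -DisplayName "Department" `
    -ID "Department_MS" `
    -IsSecured $true `
    -ResourcePropertyValueType MS-DS-Text

# Make the property selectable on file servers (it must be in a property list).
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members "Department"

# 3. A central access rule. -ResourceCondition selects which resources the rule
#    targets (those tagged Department=Finance); the ACL grants Authenticated
#    Users full access only when their Department claim equals the file's tag.
#    SYSTEM and local Administrators keep unconditional access.
$targets = '(@RESOURCE.Department_MS == "Finance")'
$acl = 'O:SYG:SYD:AR' +
       '(A;;FA;;;SY)(A;;FA;;;BA)' +
       '(XA;;FA;;;AU;(@USER.ad://ext/Department == @RESOURCE.Department_MS))'

New-ADCentralAccessRule -Name "Finance Documents Rule" `
    -ResourceCondition $targets `
    -CurrentAcl $acl

# 4. Bundle the rule into a central access policy. Group Policy then publishes
#    the policy to file servers, and an administrator assigns it to a folder via
#    Advanced Security Settings > Central Policy (not scripted here).
New-ADCentralAccessPolicy -Name "Finance Data Policy"
Add-ADCentralAccessPolicyMember -Identity "Finance Data Policy" -Members "Finance Documents Rule"
```

The point of the conditional ACE is that the decision is made from the user's claim and the resource's classification metadata rather than from group membership alone, which is what lets a single rule follow data wherever it is stored. Use -ProposedAcl instead of -CurrentAcl to stage the rule first and audit what it would deny before enforcing it.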
Charney on joining Microsoft
Charney joined Microsoft in 2002, six weeks after Bill Gates sent a company-wide memo stating that Microsoft must make trustworthy computing the highest priority for the company and for the industry over the next decade. He joined as Chief Security Strategist, a title he told the press he had "made up".

“Friends of mine laughed when I said I was going to Microsoft to do security”, he remembers, “because I used the two words in the same sentence.”

Fast-forward ten years and Charney believes Microsoft and security go hand-in-hand. “The goal isn’t to get the matter of vulnerabilities to zero – that’s not practical or achievable. The goal is to keep people safe”, explained Charney. “If we assume there will always be vulnerabilities in products, we need to work out how to keep people safe even when there are vulnerabilities”.