Beating the cyber criminals

Ed Gibson, Microsoft UK

Microsoft UK's chief security advisor, Ed Gibson, gives us his view of the dangers presented by cyber crime, and what we can all do to stay safe.

How can we keep our computers secure, prevent them being attacked and the information on them stolen? IT security is vital to all our working lives, and it's something I've been passionate about for over 20 years.

Over that time, the nature of the threats we face has changed, but the need for vigilance and strong protection in both the software we use and the way we use it has always been of the utmost importance.

I came to Microsoft UK as its chief security advisor from a background as an FBI agent specialising in criminal cases involving the Internet. The most important fact I learned in my years working there was that cyber criminals can attack from anywhere.

They aren't governed by geographical boundaries, and tracking them down and prosecuting them involves international co-operation. What's more, the threat is growing; over the past few years, criminal activity on the Internet has been growing exponentially, and the nature of the people involved in the crime has changed too.

If you think of a cyber criminal, you might think of a hacker working alone, but organised crime has moved in and runs much of the criminal activity on the Internet. The people working for those organised crime groups on the Internet may not ever have met any of their fellow gang members; they may be spread across many countries.

It's a new type of crime gang. What's more, the Internet enables the gang bosses to base themselves in countries where they are unlikely to be caught and prosecuted.

One of the challenges we found at the FBI was that much of the crime that goes on is fairly low level; the individual victims may lose a few hundred pounds. No one incident is enough to hit the headlines, but multiply that crime by several hundred times, and the criminal quickly nets millions of pounds.

For example, a classic Internet crime happens when someone advertises something for sale on one of the online sites; maybe they're selling a car. The seller receives an email offering a good price for the car, conditional on them accepting more money than they advertised the car for, and passing on the extra to a third party.

"I owe someone in the UK £500. If I send you a cheque for £500 more than you want for the car, can you transfer the £500 for me?" The seller waits for the cheque to clear, passes the money on, and a couple of weeks later the bank discovers that the cheque was stolen. It's a relatively small amount of money, it won't make the front page of a national newspaper, but the thieves are £500 closer to their next million in profit from cyber crime.

The reason I took on the role of chief security advisor at Microsoft UK was that it enables me to talk about computer security to so many people - computer users, industry groups, anyone who will listen. My role also enables me to encourage everyone at Microsoft to understand how they can help our customers to enjoy a safer computing experience.

So many people rely on Microsoft software to run their computers, to write their emails, to browse the Internet, and we know we have to ensure our software is secure. For example, our Hotmail servers are filtering out 3.4 billion spam emails a day. We're spending billions on research to ensure our software is secure. However, the criminals never stop trying.

They'll attack any organisation; they'll attack government departments; high profile companies such as Microsoft are a particular target, but don't think that your own organisation won't be targeted. The fact is that every company has some data that can be bought and sold.

Address books, for example - which you may not perceive as particularly valuable - provide valid email addresses for spammers to target, and every PC is likely to contain at least one address book.

One question that is always asked is who should be responsible for tackling the problems? The answer lies in the collaboration between many parties. Law enforcement agencies, governments and those in the industry all play their part. Microsoft has brought a number of civil actions to pursue cyber criminals, and we're part of various industry consortiums, because this is an industry-wide problem, and we all have to tackle it.

We're building more secure software through our Security Development Lifecycle process, and we're continuing to work on this. For example, if you look at our operating systems, in Windows XP SP2, we added a further security layer. When Windows Vista is released, the security is there by design and default.

It's been built into the technology as part of our Trustworthy Computing initiative. This is a long-term, collaborative effort to provide more secure, private, and reliable computing experiences for everyone. Trustworthy Computing is built on four pillars: Security, Privacy, and Reliability in our software, services, and products; and integrity in our Business Practices.

We want our customers to run secure computer systems, and to help them in this we have introduced the Microsoft Forefront family. This is a suite of business security products that provide security for the desktop client computer, and for our server applications including Exchange, SharePoint, and Office Communications Server. Microsoft Internet Security and Acceleration (ISA) Server 2006 is also included as part of the Forefront family.

Microsoft Forefront Client Security will help guard against threats such as spyware, viruses, worms, and Trojan horses. The e-mail and collaboration security products act one level back, at the application server.

Analysts estimate that spam (unwanted e-mails) accounts for anywhere from 50 to 70 percent of all e-mail traffic. In addition to e-mail threats, an evolving ecosystem of viruses, worms, and blended threats is finding new ways to propagate inside corporate networks - including Web portals and instant messaging applications.

Our intention is that all our security related products and services provide a holistic range that protects everything our customers do. Wherever our software is used to interact with other computers or information from other sources, we want to ensure our customers remain safe.

We are doing our utmost to ensure that security is simply there; it's not something you have to enable in the Control Panel; it's not something you need a system administrator to set up; it's just there, transparent, so you don't need to be concerned, either in your working environment or on your PC at home.

Security products, or the security technologies built into our software, are just one part of the overall security picture. Equally important is the need for all of us to know what threats exist and how we should behave to minimise them. The threats to the users of your networks are becoming more prevalent, because in many cases they are the easiest point to attack.

You can't guard them by technology alone; they need to be taught what the potential problems are and how to respond to them. Currently, only eight per cent of the IT budget of a typical company is spent on training, yet those untrained users are the weak point in your defence.

Whether it's the company laptop left on the back seat of a car, the file downloaded from a strange site on the Internet, or the giving out of their user names and passwords to someone claiming to be from the IT department, a user can compromise even the most stringent security system.

In the end, security has to cover three areas - the people, the processes, and the technology. Leave any one of the three un-secured, and your organisation will be compromised. We all need to play our part in stopping the spread of cyber crime.

About the author: Ed Gibson is the Chief Security Advisor for Microsoft Ltd, in the UK. His primary role is to serve as an advisor to Microsoft's customers, and the public, on the work Microsoft is doing to improve the security of its products.

This role comes on the heels of his retirement from a 20-year career as a Supervisory Special Agent with the Federal Bureau of Investigation (FBI). During this period, Gibson was a recognised expert in investigating complex, international money laundering schemes, asset identification and confiscation, and intellectual property theft.

From early 2000 to mid 2005, Mr. Gibson was assigned to the FBI's Legal Attaché office, US Embassy London, as an Assistant Legal Attaché. There, he was responsible for all FBI cyber, hi-tech, cyber-terrorism, and infrastructure investigations in the UK.

For more information, please visit www.microsoft.com/uk/security