CHICAGO -- The days of having all software functionality ready by default upon installation are numbered, Microsoft's chief security strategist, Scott Charney, said this morning during his keynote address at the Computer Security Institute's annual Computer Security Conference and Exhibition.
Microsoft is making a big push to release its software with features turned off by default. Previous versions were released with all the bells and whistles on. While the latter approach made compatibility with existing applications easier, from a security perspective, it was flawed, Charney said.
For example, many users trying the beta of IIS version 6, which comes with all services turned off by default, had problems with applications that relied on traditionally turned-on services. "We got a lot of calls that the new version broke their applications," Charney said.
Yet the no-services-by-default approach is one that security experts have been suggesting for years. Security is improved when users are forced to turn on the services they need "and everything else is off by default," Charney said.
Recently, the SANS Institute and the FBI released their list of the Top 20 Internet vulnerabilities, many of which involved services that users shouldn't be running unless they need them.
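The "off by default" posture Charney describes, and the compatibility complaint from the IIS 6 beta, can both be seen in a small model of the two policies. The following is an added illustration, not code from Microsoft or from the article; the service inventory, port numbers and application dependencies are constructed for the example. It compares an opt-out policy (everything runs unless the administrator disables it) with an opt-in policy (nothing runs unless the administrator enables it), and reports which running services no installed application needs and which applications break under each posture.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    port: int


# Constructed inventory: the services a hypothetical server install ships with.
# Names and ports are illustrative, not a real product's service list.
INVENTORY = (
    Service("http", 80),
    Service("ftp", 21),
    Service("smtp", 25),
    Service("telnet", 23),
    Service("nntp", 119),
)

# Constructed application dependencies: which installed apps need which services.
APP_REQUIREMENTS = {
    "intranet-portal": {"http"},
    "mail-relay": {"smtp"},
}


def exposed_services(policy, overrides):
    """Return the set of service names that would be running.

    policy: "opt-out" means every inventoried service runs unless it is listed
            in overrides (the administrator disabled it); "opt-in" means no
            service runs unless it is listed in overrides (the administrator
            enabled it).
    """
    names = {s.name for s in INVENTORY}
    unknown = set(overrides) - names
    if unknown:
        raise ValueError(f"unknown services in overrides: {sorted(unknown)}")
    if policy == "opt-out":
        return names - set(overrides)
    if policy == "opt-in":
        return set(overrides)
    raise ValueError(f"unknown policy: {policy}")


def needed_services(app_requirements):
    """Union of every installed application's required services."""
    return set().union(*app_requirements.values()) if app_requirements else set()


def unneeded_exposure(exposed, app_requirements):
    """Running services that no installed application depends on (attack surface)."""
    return exposed - needed_services(app_requirements)


def broken_apps(exposed, app_requirements):
    """Applications whose required services are not running (the compatibility cost)."""
    return {app for app, deps in app_requirements.items() if not deps <= exposed}


def minimal_enable_set(app_requirements):
    """Under opt-in, the smallest set of overrides that keeps every installed app working."""
    return needed_services(app_requirements)


def report(policy, overrides, app_requirements=APP_REQUIREMENTS):
    """Summarise exposure and breakage for one policy plus the admin's overrides."""
    exposed = exposed_services(policy, overrides)
    return {
        "exposed": sorted(exposed),
        "unneeded": sorted(unneeded_exposure(exposed, app_requirements)),
        "broken": sorted(broken_apps(exposed, app_requirements)),
    }


if __name__ == "__main__":
    # Old posture: everything on, administrator touched nothing.
    print("opt-out, no overrides:", report("opt-out", set()))
    # New posture: everything off, administrator touched nothing -> apps break.
    print("opt-in, no overrides:", report("opt-in", set()))
    # New posture once the administrator enables only what the apps need.
    print("opt-in, minimal:", report("opt-in", minimal_enable_set(APP_REQUIREMENTS)))
```

Under opt-out with no administrator action the model exposes ftp, nntp and telnet for no application's benefit; under opt-in with no action both applications break, which is the kind of call Charney says Microsoft received; enabling only the services the installed applications declare gives zero unneeded exposure and zero breakage. The same bookkeeping applies to a real host once the inventory is filled from the system's service list and the dependencies from what is actually deployed.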
Microsoft isn't the only company that has released software with services turned on by default. Now, the company is getting better at releasing software with services turned off by default. "It's actually sad in a way. It is cool being able to get down to business right away," said David Litchfield, a well-known vulnerability finder and co-founder of Next Generation Security Software Ltd., which is based in Sutton, England.
Many popular Unix flavors have services switched on by default. With such systems, it's been assumed that users would know enough to turn off the things they don't need, Tim Mullen, CIO and chief software architect for AnchorIS.com, a developer of secure, enterprise-based accounting software, has said.
Charney admits there are some tradeoffs that need to be made when balancing functionality and security. Issues such as backward compatibility can be hampered by security. There can also be downtime when a new version conflicts with an existing application. "We can't assume the demand for functionality has gone down [as more attention is paid to security]," Charney said.
One reason for the tension between functionality and security is that executives grasp the worth of features much more readily. If an application can do more things or do things better, it's good for the business. Security, on the other hand, is seen more as a bottomless pit that sucks money out of the budget without producing anything per se.
Yet companies don't think twice about buying fire alarms and sprinklers, even if they never have fires, Charney said. Granted, some of these are required by building codes, but executives can understand what a fire could do to their business. The compromise or outright theft of digital assets is much harder to understand or even to detect than when a concrete asset is swiped.
"If your car got stolen, you could tell because your car was missing," he said.