In early 2001, Bill Gates sent out a memo (a shorthand for sending a company-wide email) that marked a historic moment. He acknowledged that, “…he had come under fire from some of his largest customers (government agencies, financial companies and others) for security problems in Windows, problems that were being brought to the forefront by a series of self-replicating worms and embarrassing attacks.”
So something was supposed to change, drastically. Put the focus on Cyber Security. Get away from those “self-replicating worms.” Windows was threatened by malware that would seem like a joke today. At the end of that same year, Windows XP was launched, and things got worse. More attacks and more problems.
But the strategy germinated. It took many years before they were able to reap some fruits of that initiative… because there were some. Let’s review the pillars on which the initiative was based to change course.
Microsoft has spent 15 years consolidating a strategy that has impacted cybersecurity globally.
Active measures and secure development
The “self-replicating worms” were simply malware that, taking advantage of any bug shared among all Windows, allowed them to run and infect others. Exponential growth. Those bugs were essentially code vulnerabilities.
And so, the enemy was not so much each individual virus or worm, but to fight against the vulnerabilities that made it possible for them to replicate in each Windows connected to the network. And against that it focused on its next operating system: Windows Vista.
It was supposed to be released in 2004 but wasn’t until 2006. It was delayed by the attempt to make it more secure. One of its great achievements was to incorporate ASLR, which prevents the same bug from being exploitable in the same way in all Windows. In other words, it eliminated the possibility of “self-replicating worms” being programmed. And, except for horrible exceptions such as Wannacry, which managed to evade ASLR protection, it is true that in general this plague was largely eradicated.
With Vista, despite its bad reputation in usability, substantial progress was made in basic technologies to fight malware and its way of exploiting bugs. It laid the first stone. The new system project did not come to fruition until Windows 7, but it laid the groundwork.
With Vista, Microsoft laid the foundations for an effective fight against malware, although this did not happen until Windows 7.
Although many users did not realize it, from that year onwards, the server version of Windows and the system’s internals began to contain a good handful of measures aimed at eradicating how the most common vulnerabilities were exploited. More or less effective technologies such as CFG, MemGC, CIG, ACG… are quietly making their way to protect us. Although, as is often the case with defensive technologies, they attract more attention because of their failures than their successes.
All these functions were programmed under the umbrella of a secure development methodology called Secure Systems Development Life Cycle, a way of programming that put cybersecurity at the center. This more secure programming project will also be complemented when some of the code is moved from C to Rust to alleviate the burden of memory management that causes so many bugs.
The Blue Hat Prize
Microsoft used to offer bounties to hunt down malware creators until 2011. Usually, $250,000 for anyone who offered a clue that would lead to the arrest of the creator of a major virus of the moment. MyDoom, Conficker, Blaster… It was not a sustainable strategy.
From 2011 onwards, something completely different was proposed. It decided to award $250,000 to any researcher who offered a technical improvement in Windows to stop malware. Invest in techniques and protection measures instead of punishment. And so, it did.
Since then, they implemented many formulas that today in Windows 10 help make it harder for malware to replicate, and they did it by listening to the community and researchers.
Antivirus included in Windows
Microsoft announced in June 2003 that it was acquiring antivirus technology. The antivirus houses looked askance. A default antivirus in Windows?
Despite all the doubts, the company finally made a good move. It introduced a very simple tool (Malicious Software Removal Tool), which was launched from time to time on the system and removed the most popular viruses, nothing too advanced.
What was Microsoft’s intention with this move? The goal was to take care of users, but also to capitalize on metadata. What it got was a good snapshot of the malware that was “out there” and so it knew firsthand what was going on in its most unprotected systems to, again, improve its defenses.
Then came Windows Defender, which began to be resident and still managed to coexist with traditional antivirus. Later Windows 10 has turned Defender into a whole security strategy in the operating system.
“Defender” is an umbrella that brings together a global cybersecurity policy of Microsoft not only on the desktop but also in the cloud.
EMET and Windows 10
In 2009 a tool called EMET was launched, aimed not so much at detecting viruses (of which there were millions), but at thwarting the techniques they used to spread (of which there are only dozens). It was free and almost “amateurish”.
However, its importance grew and after six years of development it was abandoned in favor of including its improvements as standard in Windows 10. Thus, it incorporates improvements to stop the exploitation of vulnerabilities and therefore malware that have proven their effectiveness in a non-“production” environment.
Although little known, it is a tool that really scared attackers and today, incorporated as standard, have made Windows 10 much less palatable to malware.
So, what does this mean?
The moral is that a solid cyber security strategy, with several open fronts, global and in a changing environment, does not reap rewards the first time around.
It took Microsoft almost 15 years (from 2001 when the memo was written to 2015 when Windows 10 came out) to consolidate a strategy that has impacted cybersecurity globally and, in the meantime, of course, they have suffered failures and many new milestones and challenges to address.
This is a sliding window, but good ground has been gained. The threat has not disappeared but has mutated into something that must continue to be fought with other weapons and will need new and better strategies.
But those arguments, or the never-ending long-distance race that is cyber security, should not be enough to make us forget that it is never too late to start an ambitious strategy.
The only failed cybersecurity strategy is the one that is not implemented.
Featured photo: Ed Hardie / Unsplash.
