The need for 'Known Source' in IT

By Michael Wilks, Microsoft (Asia-Pacific) Regional Director of Public Safety and National Security | Nov 14, 2011

In recent times, there have been numerous and successful cyber-attacks on established organizations and governments, which have resulted in loss of data and reputation. These activities represent a concerted effort by motivated individuals to obtain or disrupt sensitive financial and geo-political information. Commercial enterprises have often been the focus for financial attacks.

According to a recent Organization for Economic Co-operation and Development (OECD) report on cyber-warfare, large sections of national infrastructure of most OECD countries are no longer under direct government control but are now in private ownership. Hence, the commercial landscape is presently seen as a fundamental risk to confidential data, intellectual property and even state secrets.
 
Polarizing trends

The focus of these new attack points may have far-reaching ramifications. There is an obvious and natural tension between access and security. Providing more access to a system inherently makes that system less secure. Consequently, alongside global trends such as the consumerization of ICT, outsourcing, international supply chain integration and Gov 2.0, the need to embrace higher levels of security and to educate users is becoming ever more urgent.

While improvements have been made in driving awareness and delivering secure ICT infrastructure, much remains to be done. There is no doubt that the proliferation of cyber-attacks has forced governments and industry to pause in the headlong race towards some of these global trends.
 
Given the interconnected online and social elements of the modern cyber society, a new and more radical approach is needed to combat the threat of infection and insurgency from potential terrorists, activists and hacker criminals. Ultimately the decision to implement any form of security should be based on a fully developed and agreed threat and risk analysis. In the case of cyber-security, this process is not easy, as the attackers often have the advantage of secrecy and surprise.
 
The country of Georgia knows all about this. Back in 2008, the prelude to ‘war’ included a DDoS attack, which was devised to pave the way for ground forces. It systematically crippled the country from the top. “It was devised to isolate Georgia from the rest of the world,” Georgia’s Vice Prime Minister Giorgi Baramidze said at a Defence Summit held in Singapore last year. “Our country was almost shut down: the banking sector, government agencies, the ministry of defense, the ministry of interior, the president’s office, the ministry of justice, the judiciary and the transport system.”
 
Today, attackers and disrupters also enjoy the advantage of operating outside legal jurisdictions, flouting and ignoring data protection laws for political, criminal or socially disruptive ends. Defenders, however, are often restrained by legal constraints and social norms, which can inhibit their ability to act. The challenge is to maintain the open and unfettered nature and democratic principles of the Internet and Open Government initiatives, whilst at the same time developing more robust and defendable networks and systems.
 
Known Source

Attack vectors for cyber-assaults can take many forms. In the wake of these threats, procuring Known Source has become of utmost concern as Chief Information Officers and Chief Security Officers evaluate and decide upon solutions that best meet their requirements. The Known Source concept is an extremely simple one, which has resonance in a variety of circumstances. It basically prescribes the necessity of obtaining the most trusted, secure and manageable software.
 
*Trusted Software
With so many different suppliers to choose from, it is critical to evaluate the origins of the code. For anyone contemplating the introduction of a software application or similar innovation, the key question that must be asked is, “Do I know the source of this new introduction to my device, network or IT infrastructure?” If you do not, how can you be sure that nothing harmful or malicious has been introduced to compromise the integrity of the application or, worse, to introduce hidden functionality that could have serious consequences?
 
A recent, high-profile example involves some vendors collecting and monitoring data on users of their products for commercial purposes, which has caused users to question the trust they have in those vendors’ software and services.
 
Similarly, Open Source licensing offers a great opportunity for software to be developed in a collaborative manner. Some Open Source projects have a good level of focus upon enterprise requirements, whilst others have components produced by communities or hobbyist developers. This often means that the code was not subject to the same levels of quality control as commercially developed products. There have been instances in the past where malware such as Trojan Horses and Root Kits have been inadvertently, or deliberately, inserted into Open Source projects. This is not to suggest all Open Source software is bad, per se, but with the escalation of cyber-warfare and cyber-attacks, being mindful of this risk has become an increasing concern.
 
Through Microsoft’s customer-centric approach and its adherence to standards of business conduct and privacy policies, Microsoft has consistently been distinguished by many third parties as one of the most trusted and ethical brands across all industries.
