Windows software can be a gateway for bad people to gain access to your company

Image Credit: Alexander Popov

How much Microsoft Windows software is being used at your company? If you are like most of us, the answer to this question is “a lot”. Microsoft not only does a very good job with most of their software (think Office), but they have also been doing it for a long time – their products are a key part of the information technology at most firms. What this means is that over time we’ve all collected a great deal of their software and we’ve built it into our company’s IT infrastructure. However, the bad guys out there know this and they are using Microsoft software to gain access to our companies.

What’s Wrong With Microsoft Software?

The first thing that we all have to understand is that Microsoft is everywhere. This is what makes it such an attractive target for hackers. They just keep attacking it over and over. What the person with the CIO job and security experts everywhere are starting to realize is that there is a reason for these repeated attacks. There is a fundamental weakness in the architecture of the Windows platform, which seems to make it particularly vulnerable to malware.

The really smart people who have taken a close look at the software that Microsoft has created over the years have made a discovery. What they have learned is that the fundamental weakness in Microsoft software that is attracting the hackers lies in its application programming interfaces (APIs). These are interfaces to pre-existing Microsoft software that let a developer write an application and then simply make a function call to open a file instead of having to write new code to perform this task. They also provide the set of tools that lets users take data from an Excel spreadsheet and insert it into a Word document. These Microsoft APIs are everywhere in their software products, operating systems, and tools. They are critical to the functioning of the connected world. The problem that the experts have discovered with the collection of core Microsoft APIs known as the Windows API has to do with their age.

It turns out that some of these APIs were created before modern digital security practices were put in place. This makes them particularly vulnerable to abuse in today’s world by hackers. This is not an easy problem to solve. The APIs in Microsoft products are critical to how their software works and critical to the way that our companies use them. The simple solution of just turning them all off is not an option – too many other things would all of a sudden just stop working. The alternative to doing this is that Microsoft keeps issuing one software patch after another, fixing bugs and vulnerabilities as they arise.

Data breaches at Target and Home Depot have all had their origins in flaws in the Microsoft software that these firms were using. What this means for all of us is that we know that we are using insecure software. It’s really not a question of if another security hole in Microsoft software will be found, but rather when it will be found. There is no question that we need to continue to use Microsoft software. It’s too valuable to walk away from and in a number of cases, there is no strong competitor. However, we would be remiss as the person in the CIO position if we didn’t take steps to protect ourselves from threats that we know will be coming.

What Can CIOs Do About Microsoft Software?

The good news here is that we are not alone. Microsoft realizes that they have a problem on their hands and they are actively taking steps to address it. Each time that they release a new version of the Windows operating system they attempt to locate and strengthen APIs that might be used by the bad guys. Microsoft has said that Windows’ security features will help to protect both your existing and your legacy code. Their spokesman has been quoted as saying “We are strengthening everything from identity and information protection to access control and threat resistance.” In all honesty, the challenges that Microsoft is currently facing are the evolving cybersecurity threats that the entire software industry faces.

Just to understand the scope of the problem that Microsoft is facing, back in 1985 when Microsoft released the first version of Windows, it supported fewer than 450 APIs. As each version of Windows has been released, the number of APIs has grown, and so now the number of APIs is in the thousands. Microsoft releases security patches for its software on a regular basis. These are usually to fix a newly found vulnerability that exists in the Windows API, which is the company’s core set of application programming interfaces. Microsoft has to be careful to not change or remove APIs that developers have built solutions on. The issue of backwards compatibility becomes a huge security vulnerability …

We have to acknowledge that Microsoft has a rigorous security program that has improved over the years and they recognize the magnitude of the challenge that the company faces. The success of Microsoft means that their platforms are particularly vulnerable to cyberattack because of the sheer number of products that have been created over the decades.

CIOs believe that as long as Microsoft provides the fixes, we will devote administrative hours to patching. We need to conduct regular maintenance windows for the company’s data centers to make sure they get the latest patches. We also have to do monthly vulnerability assessments and annual penetration tests to find flaws.

What All Of This Means For You

Let’s face it: a great deal of our company’s application infrastructure has been built on top of Microsoft products. While these are fine products, the simple fact that they are so very popular has attracted the attention of hackers. Each Microsoft product has a large number of APIs and this is where the bad guys attack.

One of the challenges that the Microsoft products are facing is that much of this code was developed a long time ago. That means that many of the secure coding standards that we now use were not implemented and this ends up leaving a door open for attackers. Microsoft is aware of the problem and they are constantly releasing updated versions of their products. As CIOs we need to make sure that we quickly deploy security patches as they arrive.

The battle to secure our company will never be over. Microsoft enables us as CIOs to deliver the applications that the rest of the company needs in order to accomplish their work. We need to make sure that we keep a constant eye open for problems that using popular software can cause for us. You would think that someday all of the APIs will eventually be fixed and we can move on to dealing with other issues.

– Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: Because of the attacks on their software, should you stop buying Microsoft software?



What We’ll Be Talking About Next Time

Just imagine if you were David Rilly, chief technology officer at Bank of America. There you are, in charge of the IT infrastructure for one of the biggest banks around when all of a sudden the IT world starts to undergo yet another one of its transformations. What would you do – stand by and stick with the tried and true solution that you have in place or would you dare to change things up? It turns out that David is willing to make changes, but he’s got to move carefully.


Does Your Company Need A Chief Safety Officer?

by drjim on January 27, 2016

Twitter has a problem on their hands and they think that they need a Chief Safety Officer

Image Credit: Twitter

As more and more companies create online communities for our customers to interact with us and each other in, CIOs are starting to see a need for a new type of employee. In any online community, there are a lot of things that can happen. I can’t quite explain why some people behave like they do, but the anonymity of being online and not having to confront people face-to-face seems to embolden some people, perhaps too much. That’s why firms are starting to consider having Chief Safety Officers.

Why Is A Chief Safety Officer Needed At Twitter?

A great example of when a CIO felt the need to create the position is shown by what is going on over at the social networking giant Twitter. As you may well know, Twitter boasts a very large community of active users who “tweet” about anything and everything. However, with that popularity Twitter has attracted its share of both trolls and abuse. These types of users spend their time making disparaging remarks about other Twitter users. This can cause those users and their social contacts to get a negative view of Twitter and choose to leave the service.

In order to prevent this from happening, Twitter has created the role of the Chief Safety Officer, and Del Harvey is currently filling this role. One of her biggest challenges has been to place control over what each user sees into the hands of that user. This means that if someone is saying bad things about you online, you can simply make them disappear from your online life. Twitter has accomplished this by providing tools that permit users to mute the people that they don’t want to hear from.

In our day-to-day lives, people can’t just come up to us and make threats against us. What this means is that they should not be allowed to do things like this online either. One of the biggest challenges that firms like Twitter are facing right now is the bridging of the online and the real worlds. When someone does something online that they should not be allowed to do, like making threats, then the real world needs to step in. This means that Twitter needs to find ways to get law enforcement up to speed on what is going on online.

What Does A Chief Safety Officer Do?

Twitter’s Chief Safety Officer really has her job cut out for her. One of the biggest issues is that when someone makes a complaint about another user’s behavior, they want to know that their complaint has been heard. What this means is that the Chief Safety Officer needs to create a process by which the person who lodged the complaint is updated on the status of the investigation of the complaint. A challenge to doing this is that Twitter needs to come up with a way to place a context on the nature of the threatening or intimidating comments that were made online. Their ultimate goal is to be able to deliver a consistent experience for the user.

The good news is that Twitter understands the importance of getting this functionality right. They know that if they want people to continue to use their service, then they are going to have to be able to provide them with a safe and nonthreatening environment in which to operate. This is exactly why they’ve gone to the effort to create their Chief Safety Officer position.

Twitter understands that preventing online abuse of its users is a difficult thing to do. The problem is that what passes as normal interaction can all of a sudden turn into abuse. This makes it very hard to be able to create software that can detect when a user is being attacked. Instead, you always need to include a human in the loop. The good news is that abuse can be detected; the bad news is that it takes both software algorithms and people working together to accomplish this.

What All Of This Means For You

Here in the 21st Century, in order for your company to be a success, it needs to both attract and retain as many customers as possible. One of the key methods that we are using to accomplish this is to create online communities where our customers will feel welcomed and want to come. However, since we throw the door open to anyone who wants to come in, we can get people who don’t want to play by the rules. This is when a CIO needs to create a Chief Safety Officer.

Over at Twitter, they are being hit very hard by unruly customers. People have been using the Twitter online service to say and do things that make other users uncomfortable. This issue has resulted in Twitter’s CIO creating a new position: Chief Safety Officer. This person is responsible for identifying and getting rid of online abuse and trolls. The job is not an easy job and it can often seem as though work in one area just leads to issues in other areas.

As a CIO you are going to have to determine if and when a Chief Safety Officer is required for your company’s online properties. Constant monitoring of the interactions within your customer user groups is required in order to identify when things start to get out of hand. Bring in your Chief Safety Officer when needed and use them to get things back under control.

– Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: Should the Chief Safety Officer report to the CEO or to the CIO?



What We’ll Be Talking About Next Time

How much Microsoft Windows software is being used at your company? If you are like most of us, the answer to this question is “a lot”. Microsoft not only does a very good job with most of their software (think Office), but they have also been doing it for a long time – their products are a key part of the information technology at most firms. What this means is that over time we’ve all collected a great deal of their software and we’ve built it into our company’s IT infrastructure. However, the bad guys out there know this and they are using Microsoft software to gain access to our companies.


How A Gold Mine CIO Is Preparing For The Internet Of Things

January 20, 2016

As the person with the CIO job, you have a challenging job. It is your responsibility to understand the importance of information technology and to keep watch over your IT department as it works to service the rest of the company. If there is an issue, then you deal with it. You visit the people […]


Finding The Time To Be Strategic

January 13, 2016

Pick up any IT trade journal and you’ll probably find an article that is telling CIOs that because of the importance of information technology they need to get a seat at the company’s planning table. In order to do this, they need to become more strategic. I think that we can all agree with this […]


What CIOs Need To Know About Software Defined Networking

January 6, 2016

Guess what CIO: there is a revolution that is just starting in the world of computer networking. Sure, you know about the importance of information technology but are you going to be ready for this? For the longest time, we’ve all been building our networks in pretty much the same way: we go to a […]


Do We Really Need To Encrypt Our Customer Data?

December 16, 2015

Guess what: there’s been another hacker break-in. This time it happened at the big U.S. healthcare provider Anthem. Nobody’s quite sure how big of a breach it was, but initial guesses are saying that tens of millions of customer records may have been copied by hackers. What makes this break-in even worse is that […]


What 3 Questions Should CIOs Be Asking?

December 9, 2015

As CIOs we are always searching for ways that we can better communicate the importance of information technology in order to improve ourselves, our IT shop, and, of course, our company. Exactly how to go about doing this is one of life’s greatest mysteries. It turns out that each and every one of us has […]


The HSBC CIO And The Money Laundering Problem

December 2, 2015

The person with the CIO job has a lot to do in the best of circumstances. When your company has been accused of aiding in the laundering of US$881M and has had to pay a US$1.9B fine, things just got a whole lot tougher and the importance of information technology doesn’t matter as […]


Is Embedding IT Staff The New Way For CIOs To Organize IT?

November 18, 2015

The person with the CIO job understands that because of the importance of information technology, the role of the IT department is to support the rest of the company. The challenge for the longest time has been how exactly to go about doing this. Over the past few years, the interactions between the IT […]


When It Comes To Cyber Threats, CIOs Don’t Like To Share

November 11, 2015

By now we all know that our firms are under an almost constant set of attacks from a wide variety of outsiders because of the importance of information technology. Some of these attackers are simply children who are just fooling around with their computers and are trying to see how far they can get. However, […]
