The Problem That CIOs Have With Windows Software

Windows software can be a gateway for bad people to gain access to your company
Image Credit: Alexander Popov

How much Microsoft Windows software is being used at your company? If you are like most of us, the answer to this question is “a lot”. Microsoft not only does a very good job with most of their software (think Office), but they have also been doing it for a long time – they are a key part of the importance of information technology at most firms. What this means is that over time we’ve all collected a great deal of their software and we’ve built it into our company’s IT infrastructure. However, the bad guys out there know this and they are using Microsoft software to gain access to our company.

What’s Wrong With Microsoft Software?

The first thing that we all have to understand is that Microsoft is everywhere. This is what makes it such an attractive target for hackers. They just keep attacking it over and over. What the person with the CIO job and security experts everywhere are starting to realize is that there is a reason for these repeated attacks. There is a fundamental weakness in the architecture of the Windows platform, which seems to make it particularly vulnerable to malware.

The really smart people who have taken a close look at the software that Microsoft has created over the years have made a discovery. What they have learned is that the fundamental weakness in Microsoft software that is attracting the hackers lies in its application programming interfaces (APIs). These are interfaces to pre-existing Microsoft software that let a developer write an application and then simply make a function call to open a file instead of having to write new code to perform this task. They also provide the set of tools that lets users take data from an Excel spreadsheet and insert it into a Word document. These Microsoft APIs are everywhere in their software products, operating systems, and tools. They are critical to the functioning of the connected world. The problem that the experts have discovered with the collection of core Microsoft APIs known as the Windows API has to do with their age.

It turns out that some of these APIs were created before modern digital security practices were put in place. This makes them particularly vulnerable to abuse in today’s world by hackers. This is not an easy problem to solve. The APIs in Microsoft products are critical to how their software works and critical to the way that our companies use them. The simple solution of just turning them all off is not an option – too many other things would all of a sudden just stop working. The alternative to doing this is that Microsoft keeps issuing one software patch after another, fixing bugs and vulnerabilities as they arise.

Data breaches at Target and Home Depot have all had their origins in flaws in the Microsoft software that these firms were using. What this means for all of us is that we know that we are using insecure software. It’s really not a question of if another security hole in Microsoft software will be found, but rather when it will be found. There is no question that we need to continue to use Microsoft software. It’s too valuable to walk away from and in a number of cases, there is no strong competitor. However, we would be remiss as the person in the CIO position if we didn’t take steps to protect ourselves from threats that we know will be coming.

What Can CIOs Do About Microsoft Software?

The good news here is that we are not alone. Microsoft realizes that they have a problem on their hands and they are actively taking steps to address it. Each time that they release a new version of the Windows operating system they attempt to locate and strengthen APIs that might be used by the bad guys. Microsoft has said that Windows’ security feature will help to protect both your existing and your legacy code. Their spokesman has been quoted as saying “We are strengthening everything from identity and information protection to access control and threat resistance.” In all honesty, the challenges that Microsoft is currently facing are the evolving cybersecurity threats that the entire software industry faces.

Just to understand the scope of the problem that Microsoft is facing, back in 1985 when Microsoft released the first version of Windows, it supported fewer than 450 APIs. As each version of Windows has been released, the number of APIs has grown and so now the number of APIs is in the thousands. Microsoft releases security patches for its software on a regular basis. These are usually to fix a newly found vulnerability that exists in the Windows API, which is the company’s core set of application programming interfaces. Microsoft has to be careful to not change or remove APIs that developers have built solutions on. The issue of backwards compatibility becomes a huge security vulnerability …

We have to acknowledge that Microsoft has a rigorous security program that has improved over the years and they recognize the magnitude of the challenge that the company faces. The success of Microsoft means that their platforms are particularly vulnerable to cyberattack because of the sheer number of products that have been created over the decades.

CIOs believe that as long as Microsoft provides the fixes, we will devote administrative hours to patching. We need to conduct regular maintenance windows for the company’s data centers to make sure they get the latest patches. We also have to do monthly vulnerability assessments and annual penetration tests to find flaws.

What All Of This Means For You

Let’s face it: a great deal of our company’s application infrastructure has been built on top of Microsoft products. While these are fine products, the simple fact that they are so very popular has attracted the attention of hackers. Each Microsoft product has a large number of APIs and this is where the bad guys attack.

One of the challenges that the Microsoft products are facing is that much of this code was developed a long time ago. That means that many of the secure coding standards that we now use were not implemented and this ends up leaving a door open for attackers. Microsoft is aware of the problem and they are constantly releasing updated versions of their products. As CIOs we need to make sure that we quickly deploy security patches as they arrive.

The battle to secure our company will never be over. Microsoft enables us as CIOs to deliver the applications that the rest of the company needs in order to accomplish their work. We need to make sure that we keep a constant eye open for problems that using popular software can cause for us. You would think that some day all of the APIs will eventually be fixed and we can move on to dealing with other issues.

– Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: Because of the attacks on their software, should you stop buying Microsoft software?


What We’ll Be Talking About Next Time

Just imagine if you were David Rilly, chief technology officer at Bank of America. There you are, in charge of the IT infrastructure for one of the biggest banks around when all of a sudden the IT world starts to undergo yet another one of its transformations. What would you do – stand by and stick with the tried and true solution that you have in place or would you dare to change things up? It turns out that David is willing to make changes, but he’s got to move carefully.