Is Microsoft ignoring the biggest source of security threats?

Computerworld - We've seen it in several years' worth of FBI surveys: Most security incidents are "inside jobs" perpetrated by employees, former employees, contractors, vendors and others with inside knowledge, privileged access or a trusted relationship with other insiders.
What do the insiders do that constitutes a security incident? They steal, alter or corrupt information assets. In other words, they take source code, customer lists, plans or specifications; they deface Web sites; they defraud the organization or embezzle funds; and they damage critical-information systems, which consequently threaten ongoing operations, at least for a time.
Gates emphasizes external threats
Bill Gates, chairman and chief software architect of Microsoft Corp., gave the keynote speech at the annual RSA Conference in San Francisco yesterday (see story). In his address, he touted the many improvements in Microsoft products that are coming in 2004, 2005 and beyond. He demonstrated a few of the improvements that we'll see in Windows XP Service Pack 2 later this year.
Nearly all of the software improvements cited address external threats. For instance, two-factor authentication using smart cards, tokens and biometrics will improve credential security and virtually eliminate the opportunity for hackers to use brute force to make their way into user accounts.
Also demonstrated was the new firewall component that will be turned on by default. It has some nice features that are reminiscent of other firewall products that have been around for a while. Perhaps Microsoft is getting this one right, and this will be a good thing.
Gates also demonstrated Active Protection Technology, where a security module in the operating system blocks the browser from loading ActiveX content from a Web site until the user can install an ActiveX-related security patch. This too was a nice feature.
Gates also discussed long-term improvements such as additional features in Visual Studio intended to help developers write more secure software and software that can be installed and run in nonprivileged mode.
These improvements are welcome, since they will help to reduce the external threats that are making headlines today. But both the short- and long-term initiatives seem to be ignoring the biggest threat: insider malfeasance.

	Peter H. Gregory, CISSP, CISA, is a security consultant, freelance writer and author of several security books. He can be reached at phg@vantagepointsecurity.com. .