Originally published Monday, November 3, 2008 at 12:00 AM
Microsoft report: Cybercrime losses more often result from human error
Microsoft's six-year effort to improve computer security is paying dividends, according to a report the company plans to release today, but human errors, such as lost laptops, account for the biggest share of security vulnerabilities.
Seattle Times technology reporter
And cybercrime continues to rise, following us online as we spend more time doing business on the Web.
The Microsoft Security Intelligence Report, the fifth such study the company has undertaken, found that lost and stolen IT equipment resulted in 47.5 percent of reported data losses.
That should give IT professionals and security-conscious consumers some perspective, said George Stathakopoulos, general manager of Microsoft product security.
"It is more important for them to protect the physical access to the device that they have — and not leave their cellphone in a taxi — than anything else," he said.
Other human behavior, such as falling victim to "social engineering" attacks, also remains a major problem, particularly for consumers.
Social engineering, in which the text of an e-mail, for example, persuades the reader to open an attachment that installs malicious code, is the top software deception, Stathakopoulos said. Some attacks ask people to enter a password to open the attachment, tricking them into thinking what they're doing is secure.
While office workers have learned not to open attachments they weren't expecting, attackers have upped their game by researching users individually and tailoring "a much more targeted and finessed attack for this particular person," Stathakopoulos said.
Protecting against these sorts of attacks requires better education.
Vulnerabilities in the software itself are declining in number, but a larger portion of them are categorized as high severity and easy to exploit.
Stathakopoulos said Microsoft is proud of the work it has done since 2002 to harden the Windows operating system. The percentage of total software vulnerabilities found in operating systems is down from more than 16 percent in the second half of 2003 to less than 8 percent in the first half of 2008, the period measured by Microsoft's latest report.
Computers running the 2001 release of Windows XP are infected by malware at a rate of 35 machines per 1,000. For fully updated machines with Windows XP Service Pack 3, the rate drops to 9 per 1,000. It drops further still with Windows Vista SP1, to 4 infected machines per 1,000.
"It looks to me as if they can make the point that the [Security Development Lifecycle, a practice stemming from Microsoft's Trustworthy Computing effort] is working because the vulnerabilities in their software on computers running Vista is a lot lower than on computers running XP," said Don Retallack of Kirkland-based independent analyst firm Directions on Microsoft.
Now attackers are targeting applications instead of operating systems.
"When I look at the ecosystem [of software developers], I'm more worried," Stathakopoulos said. "... I know that there are a lot of lessons I learned really hard over the last 10 years that a lot of people have not learned yet."
That means Microsoft is shifting its focus as well to helping independent software vendors secure their products from attackers.
"The whole ecosystem has to come together and put a united front against them," he said.
Benjamin J. Romano: 206-464-2149 or bromano@seattletimes.com
Copyright © 2008 The Seattle Times Company