[ISN] For security ask yourself...what would Microsoft do?

From: InfoSec News (isn@private)
Date: Sun Nov 23 2003 - 23:33:20 PST


    http://www.nwfusion.com/news/2003/1121forsecur2.html
    
    By Paul Roberts
    IDG News Service
    11/21/03
    
    Despite taking a beating in the press and from customers for security
    holes in its products, decision makers at Microsoft appear to think
    the company still has something to teach the world about computer
    security.
    
    The software giant this week published a technical white paper that
    describes its internal security practices, which Microsoft hopes will
    "help customers successfully secure their environments," the company
    said.
    
    The paper, simply titled Security at Microsoft, details the methods
    and technologies that the company's Operations and Technology Group
    (OTG) uses to secure the company's global corporate network of more
    than 300,000 computers and 4,200 servers.
    
    In the paper, Microsoft describes its risk management strategy, which
    involves classifying different computing resources according to their
    "value class" -- from servers hosting the Windows source code down to
    test servers. Microsoft also provides guidance on how its security
    group assesses the potential risks and threats to those assets and
    creates policies to secure the assets that are appropriate, given the
    value of the data they contain.
    
    Just as interesting are the tidbits of information about Microsoft's
    security operation that can be gleaned from the document. For example,
    Microsoft discloses that the company experiences more than 100,000
    intrusion attempts each month and receives more than 125,000 infected
    e-mail messages.
    
    To protect corporate assets from threats introduced by remote workers,
    Microsoft said it has invested heavily in smart card technology,
    deploying more than 65,000 smart cards that let remote workers log on
    to the corporate network using two-factor authentication.
    
    The company is also candid in admitting to past security failures,
    acknowledging that the company has been attacked in the past and that
    "there is a medium to high probability that within the next year, a
    successful attack will occur that could compromise the High Value
    and/or Highest Value data class," such as source code or human
    resources data, according to the document.
    
    Microsoft also says that prior to reforms enacted by the OTG in recent
    years, the company had no formal, enterprise-wide system for managing
    its source code. Instead, according to the document, Microsoft's
    source code management was characterized by "redundant infrastructure
    and inconsistent processes," as well as inadequate security. At one
    point, any computer on the company's network could access the Source
    Depot servers storing the company's source code, creating a situation
    in which "the compromise of a single computer on the corporate network
    could potentially lead to penetration of one or more Source Depot
    servers," according to the document.
    
    Microsoft is equally candid about its struggles to enforce strong user
    passwords and thwart a flood of intrusion attempts on its rapidly
    growing network.
    
    Perhaps not surprisingly, the company also takes a tough stand on
    software patching on its own networks. Microsoft centrally monitors
    the patch level of machines on its network using its own Systems
    Management Server 2003 product, enforces the application of security
    patches "without end-user intervention" and prohibits users from
    disabling security patch management features without "an approved
    exemption," according to the document.
    
    The candid discussion of Microsoft's internal security operation is
    part of a company-wide effort to improve communication with its
    customers about security issues, according to Mike Nash, vice
    president of Microsoft's Security Business Unit.
    
    In addition to publishing the white paper, Microsoft has started
    broadcasting monthly webcasts featuring senior security executives,
    who articulate the company's message on securing its products and
    answer questions from IT professionals about where to find software
    patches and technical information, Nash said in an interview on
    Monday.
    
    The company has also launched a new security portal called the "IT Pro
    Security Zone" that brings together information on security best
    practices and provides access to Microsoft MVPs (Most Valuable
    Professionals), experts on the company's technology who are active
    participants in technology news groups and online discussions.
    
    The new resources address technical questions and are intended for IT
    professionals more than end users, Nash said.
    
    One prominent member of the technical community, however, said that
    Microsoft didn't spread the word about the IT Pro Security Zone or the
    new white paper.
    
    "They're not sending any of that stuff my way," said Russ Cooper,
    surgeon general of TruSecure and moderator of the NTBugtraq security
    discussion list, which focuses on Microsoft products.
    
    After reading the white paper, Cooper said that it probably had more
    public relations than technical value, especially with a reading
    audience made up of administrators at companies with constrained
    budgets.
    
    "Hey, if I had a $50 billion war chest, I'd do some of these things
    too," Cooper said.
    
    "My god, they deployed 65,000 smart cards. I mean, it's wonderful if
    you can get that kind of budget, but I know people who can't get
    approval for an antivirus e-mail gateway," he said, noting that smart
    cards can cost between $50 and $100 each.
    
    Microsoft also could make the document more useful by providing more
    examples of projects the company completed to secure its network, he
    said.
    
    The one project Microsoft did detail in the white paper, to separate
    managed and unmanaged computers on Microsoft's network, was not
    complete, and the company said it was just beginning one core
    component of that project, Cooper said.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Nov 24 2003 - 08:14:39 PST