[ISN] Security crisis? Keep your cool, expert says

From: InfoSec News (alerts@private)
Date: Thu Mar 01 2007 - 23:03:17 PST


By Jeremy Kirk
IDG News Service

Security managers have to keep their cool and clearly communicate with 
CIOs during a crisis affecting company networks, a top security official 
with Microsoft said Wednesday.

Otherwise, trying to educate CIOs while they are in panic mode will 
complicate how an attack is countered, said Greg Galford, Microsoft 
security architect, who gave a presentation at the EuSecWest 2007 
security conference in London on Thursday.

Galford was a technical lead during a massive attack on Microsoft's 
network in 2000 that prompted the company to make many changes to its 
networks and its response approach. He now works with Microsoft's 
Security Response Center, which handles new vulnerabilities and exploits 
affecting the company's software.

The hacking attack in 2000 wasn't a huge surprise, since Microsoft was 
using much of its own newly developed software that had security faults, 
Galford said. At the time, the company wasn't nearly as vigilant as it 
is now about security, he said.

Microsoft had a huge web of insecure connections leading into its 
corporate network, including employees who worked from home and 
connections that security officials were unaware even existed, Galford 
said.

The company also mistakenly made public much information on how its own 
corporate networks were constructed, which likely aided hackers. One 
network engineer had even made most of the information on his hard drive 
available over the Internet, he said.

"We shot ourselves in the foot," Galford said.

During its response, Microsoft learned hard lessons in how to 
communicate developments up the chain of command. Technical people have 
to be separated from management. CIOs need to be told regularly when 
they will be briefed again after receiving an update, Galford said.

"We had executives coming down to the offices of people that were doing 
the actual technical work," Galford said.

Ideally, management should be briefed before a crisis, so they know how 
the response will proceed, Galford said. Also, security managers need to 
know how to communicate in nontechnical terms for CIOs who may not have 
the same background, he said.

CIOs "are always worried about what's going on," Galford said.

The IDG News Service is a Network World affiliate.
