Microsoft security plan not likely viable for other companies |
 |
By Niall McKay, Information Security magazine Contributor
01 Dec 2003 | Information Security magazine |
|
|
Going to Microsoft for advice on security may seem like going to Little Red Riding Hood for advice on how to handle the Big Bad Wolf. Small wonder then that a document called "Security at Microsoft," detailing how the company protects its global network, raised some eyebrows among security watchers.
In fairness, the company gives a candid account of its risk management strategy and some of its previous weaknesses such as code vulnerabilities. The software giant admits that there is a "medium to high probability that within the next year, a successful attack will occur that could compromise the high value and/or highest value data class."
The document details how it secures its 300,000 computers and 4,200 servers from 100,000 attempts to break into its systems.
The document is seen by some as part of a new culture of openness regarding security within the company. Others, meanwhile, see it as marketing collateral rather than a serious security white paper.
"It's not that useful because it's a pretty formulaic approach," says Marc Maiffret, Windows expert and chief hacking officer at eEye Digital Security. "Microsoft is an unusual company. It's a lot more homogenous than most companies of a similar size, many of which run dozens of different systems."
Russ Cooper, surgeon general at TruSecure and moderator of the NTBugtraq security discussion list, said that the company could provide some really useful information, such as how it was infected with Code Red what it did to get rid of it. Also, what it's doing to prevent further attacks worms and viruses.
"Its too vague a document to be useful," he said. "It really doesn't offer any specifics."
|
|
|
|
