Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Security Whitepaper

Posted by michael on from the security-through-asset-classes dept.

An anonymous reader writes "Microsoft last week published a document on its Web site that describes how the company manages security on its own 300,000 node corporate network. The document is basically a dry discussion of IT risk management strategy, with lots of references to 'asset classes' and 'stakeholders,' and about five, nearly identical 'cycle of life' type diagrams showing how one risk management strategy leads to the next and so on, in a never-ending process. However, the document does open a window on how the biggest, richest software company in the world does security: from the deployment of 65,000 smart cards (let's see, at $50 a piece, that comes to....?), to MS's admission that 'there is a medium to high probability that within the next year, a successful attack will occur that could compromise the High Value and/or Highest Value data class.' According to the document, that includes things such as source code or human resources data."

8 of 269 comments (clear)

  1. Re:No Problem by jjhlk · · Score: 2, Informative

    Or get an equally unobtrusive and effective plug-in for IE. Like this one.

  2. Yes, you missed an article... by Svartalf · · Score: 3, Informative

    A quick Google search ("russian hackers microsoft") comes up with:

    http://www.newsmax.com/articles/?a=2000/10/27/1800 52.txt

    There's tons of others. It made a big splash on the tech news circles- and then was apparently promptly forgotten for some unknown reason. Strictly speaking, MS has already had one of their critical breaches they talk about and they couldn't have instituted a scheme like they're talking about in the timeframe from when this was discovered to now (i.e. It pretty much had to be in place or largely so because of the scope and scale of the effort in question...).

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  3. Not quite by Synn · · Score: 2, Informative

    Except that you forgot to mention that the "compromise" of the kernel never happened and the Debian compromise was a password issue and again nothing serious happened.

    The difference between open source and closed source is that due to open source being so open the developers on it tend to trust no one. Closed source projects tend to be a little more lax because the closed nature of the project makes it easy to get sloppy.

  4. Re:300k node? by vample · · Score: 4, Informative

    No, its not really excessive. When I worked there, I usually had 4 machines for myself, in my office, and I did development work. Oh, and I had a laptop as well. Testers often used, many, many more machines.

    Then add the build machines, servers, a laptop for many people, machines for temp/consultants, people VPN'ing in from home, and it easily makes 300k.

    --
    -- Ryan Watkins vamp@vamp.org http://www.vamp.org/
  5. Windows update kacked by psgalbraith · · Score: 3, Informative

    During the original Code Red incident, for a short time, the Windows Update webpage was showing "Hacked by Chinese Worm".

    (There was concrete evidence of this but unfortunately I don't have it.)

    Here it is.

  6. Than why the hell are you reading slashdot? by xeno-cat · · Score: 5, Informative
    Oh those MS guys are'nt bad people their just misunderstood!

    For some reason you wrote:
    "Realisticly, what is the point of trying to exploit linux? Why exploit the little guy when you can go after the big fish?"

    Apache is the single most prevalent web server on the internet. Why then is it that hackers "target" IIS? Maybe because it's easier?

    and decided to continue:
    " they do employ some of the best and brightest in the world. I imagine some of you may not believe that, but I do."

    Have you seen Balmer lately? The problem with working for MS is that, even though you may be smart your just wasting your time. Who cares that you can give a lecture on some brilliant way to link corporate data to business users if your entire architecture needs to fit into a proprietary MS 5 year plan for the enterprise?

    MS has had 20 years and billions in funding and the best they can come up with is Windows XP. XP solves problems that Unix, Apple, X, NeXT, Amiga, et als. solved a decade ago. MS produces over architected under engineered gaming consoles that are'nt even compatable with themselves.

    If your looking for "fair and balanced" where are you going to go? Read a frigin Windows rag if you want to "balance" Slashdot. I'm sure there are plenty of fine articles on .NET just waiting to provide you with hour of fun filled and objective learning experiences.

    Kind Regards

    --
    "A few great minds are enough to endow humanity with monstrous power, but a few great hearts are not enough to make us w
  7. Re:Seriously, what is a "whitepaper"? by nosredna · · Score: 3, Informative

    Answer here.

    Basically, it's an official report from a company/government meant to be released to the customers/public.

  8. Many of the exploits aren't just buffer overflows by Svartalf · · Score: 2, Informative

    They're more fundamental than that. A buffer overflow allows you to execute code in ring 0 that would otherwise not be ran. This isn't the same thing as something like MS Blaster and it's ilk. Now, those were found the same way as the buffer overflow exploits, but they could have been even more easily found via an audit of the source code. Under Open Source, the code's looked at by MANY people- it's likely to be found and corrected. In Closed Source, it's not so likely and it's more likely that a code leak will result in someone else doing an audit and finding weaknesses and exploiting them.

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas