Microsoft Security Whitepaper

An anonymous reader writes "Microsoft last week published a document on its Web site that describes how the company manages security on its own 300,000 node corporate network. The document is basically a dry discussion of IT risk management strategy, with lots of references to 'asset classes' and 'stakeholders,' and about five, nearly identical 'cycle of life' type diagrams showing how one risk management strategy leads to the next and so on, in a never-ending process. However, the document does open a window on how the biggest, richest software company in the world does security: from the deployment of 65,000 smart cards (let's see, at $50 a piece, that comes to....?), to MS's admission that 'there is a medium to high probability that within the next year, a successful attack will occur that could compromise the High Value and/or Highest Value data class.' According to the document, that includes things such as source code or human resources data."

is it ALL white?

[BFedRec]

cause the oxymoronic nature of using MS and Security in the same vicinity... one would think it's just an all white blank sheet of paper.

Re:is it ALL white?

[Fruny]

one would think it's just an all white blank sheet of paper.
No, I believe it comes triple-thickness, extra soft unscented rolls.

Re:is it ALL white?

[Lost+Dragon]

No, no, silly. It's white text on a white background. That's part of their security layer.

they

[AnonymousCowheart]

they recently published the bug list too

Good to see

[H.G.+Pennypacker]

It is encouraging to see a big security industry leader such as Microsoft make such a public display of its unwavering belief that security through obscurity is not security at all - by publishing an open document on its security infrastructure. Perhaps other large players could take a cue from this (IBM, Sun)?

Smart cards $50???

[terraformer]

from the deployment of 65,000 smart cards (let's see, at $50 a piece, that comes to....?)

Where does the $50 figure come from? I have two of them in my wallet (AE and Fleet Fusion) and two readers (useless on a mac) that retail for $29.99 a pop that I got for free being that I was an "early adopter". So where does that $50 really come from? And yes, I read the story, I just want to have a better handle on why someone supposedly "in the know" would trow out a figure like that for a quantity purchase of 65,000.

Re:Smart cards $50???

[rindeee]

$50 is cheap for some cards. Depending on the type of card you have there are a lot more things than simply a contact chip involved (multiple frequency radio power/emitters, blah blah blah etc.). $50 is probably a good average figure when one considers the range of cards on the market.

On a different but related subject, I think that three factor authentication will become the universal norm...a good thing me thinks. If anyone has seen the new military ID's, they are also CACs for login, med, etc. Very cool once they (EDS) gets things to speed up a bit.

Re:Smart cards $50???

I was thinking along similar lines, then I has a look at the linked document which states:

"OTG estimated that at a price range of approximately $55-75 per user, including labor for deployment and tool development as well as hardware such as cards and readers, Smart Cards were an inexpensive way to significantly strengthen corporate security."

So evidently $55-75 per user is a reasonable amount for them to pay for each user inclusive of hardware and software development.

To be honest it sounds a lot to roll that out to 65,000 users, but when you consider that this cost is tiny compared to what those guys get paid, the actual investment across the workforce is negligible. I mean if you can afford to pay 65,000 employees, you can afford to spend $55+ on each of them. And considering that a network instrusion might be the outcome of not doing it (See Valve for more information) it's incredibly cheap.

Re:Smart cards $50???

[nick_davison]

from the deployment of 65,000 smart cards (let's see, at $50 a piece, that comes to....?)

Either way, the implicit statement's invalid (that buying 65,000 x $n is wasteful).

Microsoft has, what, $40 billion in cash floating around? I work for a company that is lucky to have $40 million in cash floating around - does that make 65 smart cards wasteful? If your company has $4m, are 6.5 smart cards wasteful? If you have under a half a million in readily available assets, should you not use smart cards at all?

It's a simple scale thing. Microsoft is stupidly large when compared to most other companies. 65,000 of anything sounds like a big number, and it is. Still, relative to the size of their business, it's bordering on frugal, not wasteful.

See, I have so much Karma I can even occasionally support Microsoft on something. ;)

Re:Smart cards $50???

[swillden]

Where does the $50 figure come from?

I can't answer that, but I can tell you what smart cards cost.

The costs depend heavily on both volume and capabilities. At the low end, there are cards available in large volumes for substantially less than $1. At the high end, programmable cards with both contact and RF capability, lots of fancy printing, etc., plus some loaded and personalized applications can be up to $10, in large volumes, and over $50 each in developer quantities.

So, in general, $50 each for 65,000 cards is ludicrous.

However, in this case the figure may actually be accurate. The numbers I mention apply to "stock" cards, where the R&D investment is spread over hundreds of thousands, or even millions, of cards.

Microsoft, however, may very well have used Windows for Smart Cards cards, from their brief flirtation with the smart card business. These cards are based on a 32-bit processor from Atmel, which is itself significantly more expensive than many of the more common cores. In addition, the cards run a custom smart card operating system developed by Microsoft. They're high-end programmable cards that interpret (what else?) Visual Basic bytecodes (eeeeewww).

So the cost of these specialized, low-volume chips, plus the cost of developing a smart card operating system, building tools to construct, load and manage applications, implementing the card applications, implementing the workstation and server software, implementing the key management systems, issuance systems, etc... Yeah, $3.25M is not only believable, it's impossibly low.

I suspect that the $50 per card figure is accurate, but that it includes more than just the cost of the cards.

Keep laughing, moron.

[duffbeer703]

Perhaps you forgot about the compromise of kernel development servers and the Debian website?

Microsoft's concerns regarding source code are likely less about preventing someone from SEEING it (you can pay them money to look at code) and more about modifiying it.

Open Source is a wonderful thing -- but it isn't a silver bullet. Sophisticated programmers with access to any source repository, open or closed can create all sorts of havoc.

Horrors indeed.

[Fruny]

Meanwhile Microsoft is stuck spending mega-bucks and lots of time trying to protect themselves from having anyone actually...gasp...see the source code. Horrors!

Have you considered that the masses should actually be protected from Microsoft's source code ? You wouldn't want your neighbours to become stark raving lunatics after having been confronted with the lovecraftian abomination that is Hungarian Notation, would you ?

Trust me my friend, there exist Code Man Was Not Mean to Read. Microsoft is dutifully protecting reality as we know it. We should be thankful.

This is the same company

[DAldredge]

This is the same company that said, under oath, that reveling the windows source code would harm the National Security of the United States, then they gave the source code to China.

Isn't that perjury?

Re:This is the same company

This is the same company that said, under oath, that reveling the windows source code would harm the National Security of the United States, then they gave the source code to China.

Isn't that perjury?

Or treason?

Uh, riiight...

[Svartalf]

I do believe the issue isn't just code compromise (i.e. putting back doors in...), but in the case of the closed source, finding exploits and backdoors. I need only point to the rationale that MS gave for not disclosing pieces of their source code- it would endanger National Security. Now, either that was a dodge, in which case, Allchin should be doing time in at least Club Fed for lying to a Judge, or it's the God's truth. If it's the God's truth, being in the open is going to reveal most of those things and get them zoomed right off the bat- if it's closed, only the people working on it know about the code (well, and anyone that manages to see it without them looking...) so you don't have as many people looking over the code in question so you end up with things like MS Blaster which caused a packet storm from Hell on the Internet.

A new low, even for Slashdot

[duffbeer703]

Did any of the idiots commenting on this story with sophmoric (hehe, M$ security sUx045!) even start to read the Whitepaper?

If they did, they would probaly notice that the paper describes a methodology of security management, including dealing with operating system & application security issues.

Information security is more reliant on process than using x product or y product. If you have established methods to classify what needs protection, identify vulnerabilities & intrusions and rectify the situation, you have a secure IT shop.

Easy

[Mistlefoot]

It's easy for them to afford 65,000 licences.

The sell them to themselves as a loss. Therefore using them as a tax deduction twice - once for the loss and once for the cost......and if the loss is great enough they might even make a profit!

Re:Whoa, all joking aside...

[duffbeer703]

The whitepaper simply presents the dirty little secret that highly technical IT people have always known -- there is no such thing as a totally "secure" system.

Sophisticated hackers identify exploits before they get mentioned on bugtraq and before a fix or patch is even looked at. Those people are a big threat to a company like Microsoft.

Instead of being horrified at Microsoft, you should be pleased. They are taking a remarkably straightforward tack by highlighting the industry's dirty little secret. That is an about face from typical Microsoft FUD.

Re:Real discussion

Thank you! I too tire of the 'ms sucks' posts.

I work with MS once and awhile to get a bug fixed. Like ANY major software out there they have bugs just like the rest of us. Worked with a nice gentleman yesterday. He traced through their code for me. I have done if I had the code. But its their code, and I respect that. They were looking into why an API I use in my code changed after a 'security' hotfix. After an hour of tracing he found that it was wrong. I knew that, but thats ok too, he had to prove it to himself. After all that he told me 'if its a security hotfix it will not be fixed your lucky the code ever worked the way you were using it'. He was right, I knew what they had done and its a good thing.

The moral here? They are deadly serious about security. They will not back out a fix just 'cause'. They are fixing the holes that are there.

I am convinced they are enduring some of the most punishing testing on the face of the planet. To use a term from open source, 'many eyes make all bugs shallow'. They are on a much larger number of desktops then any other OS out there.

I have never found them 'arrogant', 'loud mouthed', or 'bullying'. Like I find on slashdot sometimes about open source. I have found them to bend over backwards to fix ANY bug they have. They do not pounce on it. But they DO fix it. They do not 'hack' it into the code. They test it and make sure its good. If you act like an ass to them they respond in kind. They have THOUSANDS of bugs to fix and they have prioritized them. They only have so many 'core' developers and they are trying to write new stuff and retrofit old stuff.

They have a serious challange. The code is basicly done. They now have to go through it ALL and fix things that were never a priority for them. I would cringe at someone coming up to me and saying my code has the same serious problem in every module, and every function. That is basicly the problem MS has. And making the code 'open source' would make the problem better in some ways, but much worse in others. Also would you want them to rush out a fix for something? Or test it and make sure it works? Also if you want top shelf support out of MS you need to talk in the language of the corporate world. You need money to wave at them. Otherwise get in line with the thousands of other people.

Also do not be fooled by that linux has no 'serious' bugs. They exist, can you say 'root kit'. If you belive that linux is secure by default your living in a dream world neo.

I look at the two systems as tools for me to do things. I have both types of boxs. I use both for many things all the time.

Some people at Microsoft are smart.

And don't you forget that. Microsoft DOES have people with considerable technical skill and knowledge. I'm guessing that the probability of a security breach was calculated by the people who know what they're doing.

The problem is that you don't get to be the biggest software company in the world without selling products. (And Microsoft is arguably the most important software company - although I think overall Linux is more important in it's potential as an equalizer - there is no one single Linux company).

Selling products implies marketing. This is where it goes wrong. The second that product development is driven by marketing telling customers what features they want - things explode. I mean, really - half the crap in Windows and Office was never wanted by customers in the first place.

I'd still prefer to be using BeOS (I loved 5.0, but lack of support for new hardware meant I had to move on), so Windows 2000 is a pretty good compromise for my needs.

Re:more of the same, over and over and over

[mao+che+minh]

We are always scarcastic when it comes to Microsoft's relationship with security because of the many unpaid hours of overtime it has cost us.

I, like many here I would imagine, have to manage a lot of computers. In any common enterprise environment systems tend to range from old Windows 95 systems whom's only purpose is to drive some old piece of software with a very specific function, to Windows 98 and 2000 workstations, to Macintosh boxes for the marketing folk, to Linux servers running enterprise anti-virus solutions, to Netware servers running ZENworks, to 16 processor HP-UX beasts for databases, to OS/2 servers that run physical security systems (like magnetic card readers that grant access to the NOC for certain people/staff).

Of all of these operating systems that we people manage, a disturbing trend of insecurity has always plagued the Windows operating system(s) and the applications that Microsoft pushes for it. For years. Email clients, mail servers, web servers, core OS compenents, or just plain bad OS design that leads to the easy proliferation of things like viruses and worms. ANd worst of all: there is no escape from it. Everyone uses it, the management only wants stuff that is "supported" and/or "warrantied", and let's face it, it gives us job security.

So, when we relax, unwind, and gripe, we tend to end up taking a stab at the shitty software that has absorbed so many of our hours - time that could have been better spent having fun, or with our families, or responding to morons on web forums. You know.

Re:300k node?

[vample]

No, its not really excessive. When I worked there, I usually had 4 machines for myself, in my office, and I did development work. Oh, and I had a laptop as well. Testers often used, many, many more machines.

Then add the build machines, servers, a laptop for many people, machines for temp/consultants, people VPN'ing in from home, and it easily makes 300k.

Than why the hell are you reading slashdot?

[xeno-cat]

Oh those MS guys are'nt bad people their just misunderstood!

For some reason you wrote:
"Realisticly, what is the point of trying to exploit linux? Why exploit the little guy when you can go after the big fish?"

Apache is the single most prevalent web server on the internet. Why then is it that hackers "target" IIS? Maybe because it's easier?

and decided to continue:
" they do employ some of the best and brightest in the world. I imagine some of you may not believe that, but I do."

Have you seen Balmer lately? The problem with working for MS is that, even though you may be smart your just wasting your time. Who cares that you can give a lecture on some brilliant way to link corporate data to business users if your entire architecture needs to fit into a proprietary MS 5 year plan for the enterprise?

MS has had 20 years and billions in funding and the best they can come up with is Windows XP. XP solves problems that Unix, Apple, X, NeXT, Amiga, et als. solved a decade ago. MS produces over architected under engineered gaming consoles that are'nt even compatable with themselves.

If your looking for "fair and balanced" where are you going to go? Read a frigin Windows rag if you want to "balance" Slashdot. I'm sure there are plenty of fine articles on .NET just waiting to provide you with hour of fun filled and objective learning experiences.

Kind Regards

People ask when Linux will lead instead of follow

[JimmytheGeek]

"The open source world needs to learn a little about UI consistency and try to make things easy to use if any Open Source OS is ever going to be taken seriously on the desktop or in the home."

Here is an opportunity for Linux to bring something entirely new to the table: UI consistency. The gratuitous UI changes from one windows flavor to another are deeply frustrating. Finding a particular admin applet is like playing whack-a-mole. As I recall in NT 3.51 the hard disk management applet was easily reached. Every generation hides it deeper.

And the default XP screen is really infantile - inspired by Teletubbies. You can see Po and La-la on really hi-rez screens.