Microsoft needs to look closely at security practices

Computer World –

Microsoft Corp.'s systems have been subjected to a roller-coaster ride of outside attacks since last fall, with yesterday's denial-of-service assault against its Web sites following two earlier hacking incidents. That's prompting some analysts to suggest that the software vendor needs to take a closer look at its security practices.

Eric Hemmendinger, an analyst at Aberdeen Group Inc. in Boston, said Microsoft has also been hit by some "plain old bad luck." That appears to have been the case earlier this week, when the company blamed a Web site outage that started late Tuesday and continued until Wednesday night on a "mistaken configuration change" made to the routers on its domain name system (DNS) network.

But the denial-of-service attack that struck Microsoft's Web sites yesterday adds fuel to the argument that the company needs to spend more time looking at its overall online presence, Hemmendinger said. "Security has probably not been given enough priority [by Microsoft] at this point," he said. "I would have to call into question whether they've paid enough attention there."

Some of Microsoft's Web sites again appeared to be experiencing intermittent performance problems today. Company officials didn't return calls this afternoon seeking comment on the current status of the sites.

Hemmendinger noted that denial-of-service attacks, in which servers are flooded with so many information requests that they either crash or stop responding, can't be prevented with existing technologies. "In their defense, it's really hard to defend against [such an attack]," he said.

Microsoft is also an intriguing target for attackers because of its size and influence, Hemmendinger added. But the bottom line, he said, is that Microsoft's systems "are probably an easier target than they need to be because they themselves haven't internally taken the issue seriously enough."

Ric Steinberger, a technical director at online security information provider SecurityPortal Inc. in Mount Vernon, Wash., said the recent problems should force Microsoft's IT managers to look at the robustness of the company's entire network architecture with a very critical eye. "They need to demonstrate that they understand the Internet infrastructure more than they have in the last couple days," Steinberger said.

In particular, Microsoft has faced questions for having all four of its DNS servers located at the same physical site on a single network. That leaves it without any external back-up servers if problems arise on that network -- a setup that some observers said is fraught with danger.

This week's outages follow an incident last fall in which Microsoft disclosed that its internal computer network was hacked by intruders who were able to view the source code for an unspecified future product. And two months ago, a Dutch hacker penetrated one of Microsoft's Web servers on two separate occasions after the company failed to plug a known security hole in its Web server software.

Microsoft spokesman Adam Sohn today defended the company's network and its Web security, saying that officials at the software vendor "take the security of our Web [sites] very seriously." Microsoft has "a very competent [security] team," he added. "They know what to do and they do it."

However, Sohn said Microsoft plans to carefully review the recent outages and make changes if needed in order to "insulate customers" from any similar future problems. "In general, security is a journey, not a destination, and we know that," he said. "We're always looking to make changes to raise that bar."

Pete Lindstrom, an analyst at Hurwitz Group Inc. in Framingham, Mass., said yesterday's attack shouldn't necessarily be held up as evidence of a security shortfall at Microsoft because of the difficulty of preventing denial-of-service assaults or stopping them once they've been launched.

And while some users said yesterday that this week's Web-site outages made it hard for them to get important technical support information, Lindstrom said he doubts the back-to-back problems will have much of a lasting impact on Microsoft from a customer relations standpoint.

Some users did experience "lost time and productivity," he said. "But are people going to stop buying Microsoft products? I doubt it. Are they going to stop going [to its Web sites]? Maybe."

What’s wrong? The new clean desk test
Join the discussion
Be the first to comment on this article. Our Commenting Policies