Users show some sympathy to Microsoft over security breach

Computer World –

Bashing Microsoft Corp. may be popular sport on some issues, but the internal security breach that the company disclosed late last month has some corporate information technology users waxing sympathetic.

Several users last week said the incident -- in which a malicious attacker gained access to certain parts of Microsoft's corporate network and was able to view the source code for an unspecified future product -- did nothing to change their perceptions or opinions of the software maker or its products. They also said it won't affect their purchasing decisions.

"I don't think any less of them," said Jeffrey Ratner, director of IT engineering at Phoenix Home Life Mutual Insurance Co. in Hartford, Conn. "I know how things go. I feel bad for them."

Security breaches have become so routine that "after a little while, you stop noticing," said Rick Waugh, a project manager at Telus Corp. in Burnaby, British Columbia.

Illustrating his point, Microsoft last Friday confirmed that another hacker had managed to penetrate at least one of its Web servers after the company's security staff apparently failed to completely apply a patch that's supposed to plug a hole in Microsoft's Internet Information Server software.

But Cathy Hotka, vice president of information technology at the National Retail Federation in Washington, noted that Microsoft isn't alone in being at risk of attacks by miscreant hackers. "Security is a moving target, and if they can be hit, we can all be hit," she said.

"These things will be happening all the time. It's just the nature of technology," said Richard Viard, co-founder and senior vice president of research and development at SmarterKids.com Inc. in Needham, Mass. "There will always be somebody to outsmart you."

A security breach at one of the world's largest and most powerful technology companies didn't make Viard feel any more vulnerable than he already did, he said. "We've always been paranoid about this stuff," he said. "You can be very prepared, but you can never be impenetrable."

Much of the sympathetic response from IT professionals stemmed from their intimate knowledge of the struggle every company faces when trying to secure its own network.

"We understand exactly how difficult it is to avoid being hacked in multiple layers," said one IT executive at a large financial service provider. "We have hacking attempts every day, [although], I'm sure, less than Microsoft. There are lots of people trying all the time."

Sometimes attackers get through one layer of the company's defenses, "but that's about it," continued the executive, who asked not to be identified.

"We do reports every day to see what our vulnerabilities have been, plus we test against ourselves on virtually an everyday basis," he said. But no matter how much monitoring the company does, it frequently can be difficult to tell exactly what has happened. "You stop something at the door and you don't know what it is," the executive noted.

Ratner said he respected Microsoft's decision to acknowledge the incident, discuss which software source code was potentially viewed by the intruder and stop the breach. "It seems to me they're trying to change their company philosophy," he said. "They're being more open."

It's also to Microsoft's credit that it caught the breach, Ratner added. "Something like that can go on for a long time," he said.

But Wayne Richards, a senior technical support analyst at Goodyear Tire & Rubber Co. in Akron, Ohio, questioned Microsoft's tactic of monitoring the hacker's moves for up to 12 days after the security breach was discovered.

"I hate to say it, but if a hacker got in here, we wouldn't be monitoring his moves. He'd be cut out," Richards said.

Microsoft also should be concerned that product secrets might have been stolen, Richards said. "If people steal code and post it on the Internet, people will be writing stuff that will interface with Microsoft products and file formats, and you might find it coming out on other platforms, showing up anywhere," he said.

Richards added that he expects to see more break-ins as a result of this incident -- not just at Microsoft but also at any company that buys into the Microsoft .Net platform, a new set of technologies under which the vendor plans to turn its software products into Internet-based services.

What’s wrong? The new clean desk test
Join the discussion
Be the first to comment on this article. Our Commenting Policies