After hack, Microsoft mistakes linger

After further review, security experts last week said enterprises can glean some new lessons from the Microsoft Corp. hacking saga. First and foremost, if you get hacked, don't do what Microsoft did.

According to at least a dozen security experts contacted last week by eWEEK, Microsoft, which thwarts most hack attempts, did not know how to react to a successful hack. The Redmond, Wash., company's response was flawed in how it disseminated information about the security breach to its customers and in how it handled the intrusion once the company's in-house security experts recognized it.

The successful attack also highlighted what's becoming a major concern to businesses large and small: the vulnerability of telecommuters' remote computers.

"If it can happen to Microsoft, it can happen—and is happening—to you" was the mantra of more than a half-dozen security experts since the incident came to light on Oct. 27.

In dealing with news of the event, Microsoft's first problem was confusing what was rumor and what was fact.

"They had five spokesmen and six stories," said Amit Yoran, CEO of Riptech Inc., in Alexandria, Va., and a former security expert at the Department of Defense. "You need a single voice. They were not well-prepared for this from that perspective."

Indeed, between Oct. 27 and Oct. 30, at least seven people from Microsoft commented on the situation on and off the record in the media. The fact that internal passwords were mailed to a Russian e-mail address was confirmed, only later to be denied. Spokespeople later contradicted company President Steve Ballmer several times after he claimed that hackers saw source code. The amount of time the hacker, or hackers, had access to Microsoft's network, according to the company, also ranged from three months to six weeks to one week to 12 days.

"[Security] forensics are like that to some extent," said Fred Rica, a partner in the technology risk services practice at PricewaterhouseCoopers, in Florham Park, N.J. "It may look like one thing ... and turn out to be something [else]. I'm not surprised that the information was inconsistent. I am surprised so many people were talking about it."

The flow of contradictory information all moved in one direction, though, toward minimizing the damage the hackers could have done to Microsoft. That left many experts feeling dubious about the information being presented.

"I don't think they can fully assess this yet," said Paul Proctor, director of technology for CyberSafe Corp., a security vendor in Seattle. "I would express doubts they know as much as they say they do. I doubt they are sure about any of this. The largest thing they can lose here, more than the source code, is brand equity. You lose trust, you're dead."

Others were troubled by Microsoft's statement that it knew the hacker was in the network for 12 days and did nothing to shut him or her out.

Instead, the company tracked the hacker, most likely in hopes of entrapping the culprit. Monitoring an intruder rather than immediately locking them out is one of the two common forensic philosophies in security (the other being to shut the attacker out as soon as the intrusion is detected), and some experts understood why Microsoft would choose it.

"I know and respect their security officer [Howard Schmidt]," said Tom Talleur, KPMG International managing director of forensic and litigation practice, in New York, and a former security executive at NASA. "I know he's doing what he can to catch this person."

But since Microsoft hasn't yet caught the hacker, Riptech's Yoran thinks entrapment was probably a bad approach. "It doesn't surprise me that Microsoft might want to go after this person and send a strong message," he said. "That seems to have backfired."
