If Microsoft goofed with all of the resources at its disposal, are you really that certain your partners and clients won't?
Despite all of the hubbub about Microsoft's recent uninvited visitor, we know relatively little about what actually happened. Microsoft has acknowledged that someone breached its corporate network using a Trojan horse known as QAZ to create back doors on multiple machines. Microsoft admits the intrusion lasted a minimum of 12 days, and that the intruder had at least brief access to some development source code. Everything else is just industry speculation and Microsoft spin. Indeed, despite Redmond's claim to having tracked the intrusion in real time, it's highly unlikely the company knows all of the details.
Still, there are important lessons to be gleaned:
Do people break into reputable tech companies? People do. Microsoft has enormous motivation and almost unparalleled resources to maintain the most formidable defenses possible. Of course there is no such thing as 100 percent security, but one would expect Microsoft's internal network to be well into the 90th percentile. Yet it was cracked by what appears to be a relatively simple attackââ,¬"QAZ is a known Trojan, easily blocked by standard user practices, antiviral software and firewalls.
This was an e-mail-attachment worm, for heaven's sake, not some demonstration of hacking brilliance. Someone in Redmond dropped the ball. Think about this the next time you rely on someone else's security: If Microsoft goofed with all of the resources at its disposal, are you really that certain your partners and clients won't? What about your bank? Your employees?
Blaming problems on users doesn't make them go away. One of Microsoft's favorite responses when faced with a security issue involving one of its products is to point out the user or administrator's role in the process. Melissa, Bubbleboy and the Love Bug, for example, were not the result of problems with Outlook or Exchange, but rather the users' failure to follow best practices. This seems like a debatable argument. Should a developer be responsible for those who misuse its products? If it is clear that the vast majority of users fail to follow best practices, is that really "misuse"? The break-in, however, has made it clear that Microsoft cannot even enforce within its own network some of the simplest practices it advocates among its customer base. At the very least, Microsoft employees disabled their antiviral defenses and almost certainly opened infected e-mail attachments.
If your own employees can't use your product properly, you've got a design problem. It is simply irresponsible to market products as "user friendly" and "simple to administer" while expecting often extremely inexperienced users to maintain security practices your own trained staff cannot.
The time has come for software developers to either redesign their products to be secure as they are used in the real world, or adjust their marketing practices to reflect the real risks their users face.
