If they can hack Microsoft, you could be next


Last month's big Microsoft hack has raised fears across the industry that, if Bill Gates gets broken into, no one is safe. James Rogers asks if there is such a thing as safety when connected to the Internet, traces the origins of the attack and reports that spending on security will increase by 50% in the next two years.

The hacking attack on Microsoft last month has sent shock waves around the industry. Aled Miles, vice president of Internet security specialist Symantec, summed up the general feeling when he said, "This could have happened to anyone, Microsoft's security is very strong but the determined hacker will get in."

For Miles, and other security professionals, this is not an excuse for complacency, but rather a call for increased vigilance and an assessment of the balance between profitability and security.

"Trying to make your network 100% secure is a very difficult task," said Shaun Orpen, director of corporate marketing at Microsoft. "The only way to be 100% safe is not to be connected to the Internet."

Miles agreed, "If you want to go for 100% security then you don't have the amount of profitability that you need. What we have seen is that this balance is extremely difficult to get," he said.

Internet connectivity is at the heart of the problem. The Web is the life-blood of many businesses but it also provides a fast track to the inner sanctum of an organisation.

"This issue is about Trojan horses," said Miles, "but it is also about plugging holes in your network. The blocking and management of gaps are at the heart of this problem."

Ian Williams, technology analyst at strategic consultancy Datamonitor, suggests using software to identify malicious code. Products are available that sit behind the firewall and scan all the applications going through it. They can then alert administrators and let them know who is down-loading what.

Perhaps more important than malicious attacks from outside is the security management of internal systems. One industry expert told Computer Weekly that the two most commonly used passwords in the UK are "password" and "elephant".

This is good news for hackers but it suggests that companies need a radical rethink not just of their systems but also how they perceive security.

Raj Panesar, European product manager at anti-virus specialist Trend Micro, said, "Microsoft has got a lot of access points to the Internet but all this goes down to how well you implement your own security policies."

The message is that an effective security policy is more than just a firewall. All staff need to be aware of both internal and external threats to their business.

Graham Cluley, senior technology consultant at Sophos, advised, "You should educate your users to act sensibly and take data seriously by not downloading things from the Web if there isn't a business case for it."

Graham Satchwell, managing director of security specialist Dick Tracy and a former Microsoft employee, added, "The balance in security is difficult, but you need to have a regime of strict compliance."

John Stewart, chief executive of Internet authentication service Signify.net, warned, "You have to be suspicious of people. Seventy per cent of all security intrusions come from inside.

"What is important then is to ensure that everyone's action has an audit trail so that you force internal users to take responsibility for their actions."

Key points for your security policy

Steve Barnett, managing director of Internet security company Checkpoint, suggests that organisations ask themselves the following questions.

Security spending up, but only the fittest will survive, says Forrester

Corporate spending on security will increase by more than 50% in the next two years, but only the companies that secure their business processes will survive.

That is the warning from the latest report, Sizing the Security Market, from analysts' group Forrester Research.

The company urged organisations to build security monitoring into external business processes.

A spokesman for the group explained, "Companies can take action now to offset the coming shortfall in security planning and business process security. They can also help drive suppliers to extend application management products to meet security needs."

Forrester recommends:

  • Make business managers responsible for all security

  • Set up corporate security policies that place responsibility for business process security with the business unit managers.

    "Charter the IT security department with the authority to evaluate and implement security," said the Forrester spokesman.

  • Include security risk assessments in business decisions. The research firm advocates putting processes in place to ensure that IT security risks are evaluated on the same level as other security risks.

  • Put escalation procedures in place for business policy failures. "Looking at end-of-month reports is no longer a timely way to detect fraud. Companies have to put their own detection and escalation procedures in place now, and externalise them when the security industry catches up," said Forrester's spokesman.

  • Build security monitoring into Internet business processes.

    Forrester gave an example of a company that monitored its internal networks but could not know immediately whether a traffic jam had been caused by a misconfigured router or a denial-of-service attack.

    The spokesman said, "It is only by co-ordinating IT operations and IT security that the company can make that call and deal with that problem."

From Russia with love

There is a whiff of last century's Cold War about the Microsoft hackers. The company has traced the successful breach of its defences to St Petersburg in Russia.

Ilya Medvedovsky, general director of St Petersburg-based Secure Information Systems, told Computer Weekly it was unlikely that the attack was designed to gain publicity for the hacking community in Russia.

"It is more likely that it was just the spontaneous action of a lone hacker which was successfully executed because of Microsoft's typically careless attitude towards their own security," he said.

The Federal Bureau of Investigation (FBI) is now on the trail of a St Petersburg link, but Medvedovsky said, "This could mean that the hacker was from St Petersburg, on the other hand there was nothing to prevent him from using a previously hacked computer with an IP address here.

"Either way, I think that the most likely scenario is that the break-in was executed from Russia. This shows the ability of Russian hackers, although it doesn't justify breaking into the Microsoft network."

There has been speculation that the Russian Mafia could be behind the incident, although both Microsoft and FBI investigators have so far remained tight-lipped.
