Thursday, January 14, 2010

An Inflection Point in Information Security

Very recently, The Microsoft Security Response Center (MSRC) published a blog post about Security Advisory 979352. Go ahead and take a minute to read the blog post. The Security Advisory is only interesting from a comical (not informational) perspective.

This is crazy, on two fronts. First, it's like a security advisory from Ms. Cleo "Ya' gots som'body doin' sum'tin' baaaaaadd on yo' network! Ya gots ta' fix da Intanet Explora!" There's less detail than in ... well, a Microsoft security bulletin. A third grader could've published something with more actionable intelligence in it.

Second, targeted attacks have been going on FOR A LONG TIME. Now Google decides to go public about one of theirs, with only a few blog posts, I might add. That's all it took? One company to make a stink about it? It just had to be the right company, I guess. (This behavior of American media only paying attention to "celebrities" (whether they are Paris Hilton or Google) and ignoring "experts" (SANS, other Information Security groups) is ridiculous, but that's another blog posting.)

We've crested an inflection point in the Information Security Industry. Here's what I mean:
  • Google has gone public about falling victim to a targeted attack which appears to have used vulnerabilities in IE and Adobe Reader. They point out that many other, very large organizations were also attacked.
  • Adobe responds by saying that everyone should (purchase an) upgrade to the latest and greatest Acrobat version which has 90% more securification. Or, something like that...
  • Microsoft has published a security advisory (granted: with zero detail) for something that only one customer has reported. This is a huge change for Microsoft. Historically, Microsoft has tried to temper reported vulnerabilities by saying that only small numbers of companies had been affected, or some such. This is a new direction for them. Hopefully one which will continue.
It appears that we're crossing an inflection point in the history of Information Security. Companies which are serious about security have been spending large amounts of money on their Information Security programs. First, they have to understand what's happening on their networks, which is no easy task. Second, they have to recognize when they're being attacked, which is even harder. Here's where it gets really difficult: at that point you need a two-pronged approach. The first prong is to understand whether the attack was successful and what the damage was; the second prong is to figure out how to defend yourself against that attack in the future.

In the past, these companies have relied on best-of-breed commercial and open source tools which consistently failed to meet their needs. So, they've spent countless man-hours creating custom tools to fill the gaps. They've spent countless hours fighting vendors who blew them off because they were the "only one" experiencing said problem.

Now (I hope!) the tables have finally turned. Google (who loves to tout that their key servers run Linux) has forced Microsoft to publicly acknowledge a vulnerability which only caused financial harm for one company. Google is forcing a major world government to rethink their policies.

Google is forcing every company out there to rethink their security policies, written and unwritten. Every company now knows that the bad people out there will work hard to get at their data.
