While most New Zealanders might be happy to be distant from areas of conflict and routine crime, our isolation could be fooling some companies into a sense of complacency.
Steve Riley, a product manager in Microsoft’s Redmond-based security business unit who was in Auckland last week presenting sessions at the Tech-Ed 2003 developer conference, told Computerworld that geographic isolation could encourage companies to think they were immune from internet vandals and thieves.
“Getting upper management to understand the need for information security is a challenge in New Zealand,” Riley says.
“Here’s the reason: geographic isolation. You’re just not accustomed to all those invasions and searches. As I talk to IT people in New Zealand, a common complaint in these organisations is that management equates security with physical security.”
On the internet, however, everybody is potentially your neighbour, Riley says, adding that timed attacks are likely to strike New Zealand firms first.
“New Zealand is at a bit of a disadvantage being one of the first countries to see the sun.”
Riley says system administrators wanting more security resources need to talk to their managers in business terms.
“Ask them if they are doing business the same way they did five years ago. Probably they aren’t.”
During the opening keynote in Auckland, Riley told conference attendees that his aim would be to stop people thinking of “Microsoft security” as an oxymoron. He told Computerworld that working for Microsoft’s security unit has some unique challenges.
“I would say probably at the very beginning the biggest challenge was trying to convince people that, yeah, we really care,” he says. “For so long Microsoft was features-driven, because that’s what customers asked for.”
When Microsoft announced its “Trustworthy Computing” programme, scepticism was rife among customers. “I think probably it initially looked like a way to capitalise on the market,” Riley notes, but he believes the company’s decision to twice delay the release of Windows 2003 Server for security reasons has improved its credibility.
He agrees more work is needed, however. “Trustworthy Computing is a journey. It’s a 10-year effort that we’re just getting started.”
Windows Server 2003 is the first product of the programme. By default, most services are disabled to reduce potential avenues of attack. The company is also trying to make configuration easier, citing research showing that 95% of successful attacks could have been avoided with an alternative system configuration.
Microsoft had to make some changes to the company’s structure to ensure security was a collaborative effort, Riley says.
“The culture inside Microsoft for so long has been product group competition.”
Security staff now work within a single security unit with responsibility for some of the company’s security products and all security aspects of the Windows OS.
“We also have visibility and hooks into the production of everything else.”
Microsoft is a frequent target of criticism for the spread of worms and viruses such as Blaster and Bugbear. Other observers point the finger at users who run unpatched systems, or network providers who don’t filter mail or quarantine infected users. Riley says he avoids apportioning blame for security failures.
“It’s everybody’s responsibility. I have a responsibility to keep my system protected, because other people depend on my security,” he says. “It’s part of being a good net citizen.”