Analysts: Microsoft needs to look closely at security practices

Microsoft's systems have been subjected to a roller-coaster ride of outside attacks recently, with last week's denial-of-service assault against its websites following two earlier hacking incidents.

          Microsoft's systems have been subjected to a roller-coaster ride of outside attacks recently, with last week's denial-of-service assault against its websites following two earlier hacking incidents. That's prompting some analysts to suggest that the software vendor needs to take a closer look at its security practices.

          Eric Hemmendinger, an analyst at Aberdeen Group in Boston, says Microsoft has also been hit by some "plain old bad luck." That appears to have been the case earlier this week, when the company blamed a website outage that started late Tuesday night and continued until Wednesday night on a "mistaken configuration change" made to the routers on its domain name system (DNS) network.

          But the denial-of-service attack that struck Microsoft's websites last weekadds fuel to the argument that the company needs to spend more time looking at its overall online presence, Hemmendinger says. "Security has probably not been given enough priority [by Microsoft] at this point," he says. "I would have to call into question whether they've paid enough attention there."

          Hemmendinger notes that denial-of-service attacks, in which servers are flooded with so many information requests that they either crash or stop responding, can't be prevented with existing technologies. "In their defence, it's really hard to defend against [such an attack]," he says.

          Microsoft is also an intriguing target for attackers because of its size and influence, Hemmendinger adds. But the bottom line, he says, is that Microsoft's systems "are probably an easier target than they need to be because they themselves haven't internally taken the issue seriously enough."

          Ric Steinberger, a technical director at online security information provider SecurityPortal in Mount Vernon, Washington, says the recent problems should force Microsoft's IT managers to look at the robustness of the company's entire network architecture with a very critical eye. "They need to demonstrate that they understand the internet infrastructure more than they have in the last couple days," Steinberger said last week.

          Last week's outages follow an incident last fall in which Microsoft disclosed that its internal computer network was hacked by intruders who were able to view the source code for an unspecified future product. And two months ago, a Dutch hacker penetrated one of Microsoft's web servers on two separate occasions after the company failed to plug a known security hole in its web server software.

          Microsoft spokesman Adam Sohn defends the company's network and its web security, saying that officials at the software vendor "take the security of our [websites] very seriously." Microsoft has "a very competent [security] team," he adds. "They know what to do and they do it."

          However, Sohn says Microsoft plans to carefully review the recent outages and make changes if needed in order to "insulate customers" from any similar future problems. "In general, security is a journey, not a destination, and we know that," he says. "We're always looking to make changes to raise that bar."

Join the newsletter!

Error: Please check your email address.

More about Aberdeen GroupMicrosoftSecurityPortal

Show Comments
[]