If you're looking for a silver lining in the black cloud hanging over Redmond, Wash., today, there is none.
The breach of Microsoft Corp.'s network and subsequent access to its source code represent to many the failure of that vendor's product design, the failure of enterprises to implement best practices and the failure to understand security as a risk-management proposition.
"I don't think that's a harsh enough way to describe it, actually," said Frank Bernhard, an analyst at Omni Consulting in Davis, Calif.
Indeed, asked what nervous CIOs should take away from the incident as a lesson, Bernhard said they should be extremely nervous and question whether someone is illegally skulking around their network right now.
"CIOs need a wake-up call," he said. "This is their fault. We look at budget allocation, and their propensity toward spending on security services is low. They need to push it way, way up. They are so fixated on applications right now and building out the networks. Hey bubba, you got to lock this down, and by that I don't mean get a firewall."
Other than that, it's a matter mostly of heeding the same advice that has been doled out for two years now: Don't open e-mail attachments. Update your security software. Implement best practices.
"So what this boils down to," said Brandon Musler at Vigilante, a managed security provider in Melville, N.Y., "is that users should obey standard best practices we have known for a long time."
This was one of the most methodical attacks on a corporation yet. It is likely the perpetrators gained access to Microsoft's network months ago through an e-mail attachment opened by an unwitting Microsoft employee. The hackers used a known Trojan horse, Troj/Qaz, to get in.
Desktop software, if updated, could have blocked the Trojan. The program used to access the e-mail likely wasn't updated to warn the user against opening certain types of attachments, or the Trojan could have been attached to an innocuous file type, like a Word document, experts said.
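The warning the article says the mail client should have raised for certain attachment types can also be applied at the gateway. The following is an added example, not code from the article or from any vendor quoted in it. It uses only Python's standard `email` library, the extension lists are assumptions chosen for illustration, and the message it scans is constructed inline; the point it adds to the text is that a name check alone misses an executable renamed to look like a document, so the first bytes of the attachment are inspected as well.

```python
"""Flag e-mail attachments a desktop client should have warned about.

Added example, not from the article. Checks both the attachment name and
its leading bytes, so an executable renamed to look like a Word document is
still caught. The sample message built below is constructed for this demo.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions a mail client should never open silently (assumed list).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}
# Extensions users treat as harmless; used to spot double extensions (assumed list).
DOCUMENT_EXTS = {"doc", "xls", "ppt", "txt", "pdf", "jpg"}


def classify_attachment(filename, data):
    """Return the list of reasons an attachment is risky (empty if none)."""
    reasons = []
    parts = filename.lower().split(".")
    exts = parts[1:] if len(parts) > 1 else []
    is_exec_ext = bool(exts) and exts[-1] in EXECUTABLE_EXTS
    if is_exec_ext:
        reasons.append("executable extension ." + exts[-1])
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and is_exec_ext:
        reasons.append("double extension disguised as a document")
    # Windows executables begin with the 'MZ' DOS header whatever they are named.
    if data[:2] == b"MZ" and not is_exec_ext:
        reasons.append("executable content with a non-executable name")
    return reasons


def scan_message(raw):
    """Parse a raw RFC 822 message; return {filename: [reasons]} for risky parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_content()
        if isinstance(payload, str):          # text parts decode to str
            payload = payload.encode("utf-8", "replace")
        reasons = classify_attachment(name, payload)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_message():
    """Constructed message: one harmless document and two disguised executables."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = "files you asked for"
    msg.set_content("See attached.")
    msg.add_attachment(b"plain report text", maintype="application",
                       subtype="msword", filename="quarterly.doc")
    # Fake PE header bytes, constructed for the demo; not a real program.
    msg.add_attachment(b"MZ\x90\x00fake-pe-bytes", maintype="application",
                       subtype="octet-stream", filename="photo.jpg.exe")
    msg.add_attachment(b"MZ\x90\x00fake-pe-bytes", maintype="application",
                       subtype="msword", filename="notes.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()).items():
        print(name, "->", "; ".join(reasons))
```

Run as a script it reports `photo.jpg.exe` for its extension and double extension, and `notes.doc` for carrying executable content under a document name, while `quarterly.doc` passes. In a real deployment the flagged parts would be quarantined and the event logged, rather than only printed.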
Having gained access, the hackers likely escalated their rights and privileges over several weeks by taking user passwords, according to several experts diagnosing the specks of information now available in the press.
Only after some period of time did the hackers go for the source code for Windows and Office, with Microsoft passwords taken and reportedly e-mailed to Russia.
"You don't walk into a museum and steal a Rembrandt with brute force in 10 minutes," noted Bruce Schneier, a security expert and founder of managed security service provider Counterpane. "You spend months in there scouting out weak spots in security. You get blueprints. You plan to steal a Rembrandt."
Compounding the issue, others said, is that, having had months of access, it will take months of digital forensics for Microsoft just to determine what was compromised.
"The scope of the attack suggests they were in there for more than a few hours," said Piers McMahon, a security expert with Computer Associates International Inc. "Indeed, they appeared to be fishing around in there." What the hackers caught while fishing is anyone's guess, McMahon suggested. But the depth of the attack, all the way to the source code of forthcoming products, means the effects of the attack could last for months or years.
It's not unlike a football team having its opponents' playbook, the security gurus suggested.
"You've got source code, and that means you've got a way to create very clever, very hard-to-defend attacks against the product," Counterpane's Schneier said. Others suggested the hackers could have planted bugs in products recently released that even Microsoft wouldn't know about, although there's no evidence yet that this has happened, and President Steve Ballmer said from Stockholm Friday that source code was not tampered with.
"It's out there now," said Omni's Bernhard, referring to the source code. "It's going to be chopped and sold. They've seen the design approach, which is proprietary. Losing the source code is an Achilles' heel."
So the technology failed.
"I could have an hour-long conversation about why it continues, but the bottom line is: People have blind faith in technology," said Schneier. "They will never get it. Products will not save you."
And best practices were not implemented.
"When the failure happens, it's organic," said Bernhard. "It's within the organizations, and Microsoft, as a large organization, has not done a good job of getting to the heart of the policy implementation and management. They haven't done a good job presenting best practices even to their own engineering force. This was an enormous amount of IP [Intellectual Property] to lose like this."
"It's a significant event, and I'm surprised it happened at Microsoft," said Sunil Misra, managing principal of e-business security and privacy solutions at Unisys Corp. "I would have thought there would have been more vigilance there."
That leaves services, and those championing managed security services were probably the least upset about the attack.
Indeed, one security services executive said he was "ecstatic" about the attack because it proves the need for services, although he then quickly retreated from such language.
The argument for services is that a services organization is dedicated solely to best practices and monitoring networks, so it will be better equipped to see and respond to hacks. But some, like Unisys' Misra, don't buy that gospel wholeheartedly.
"Maybe they could have caught this one, maybe they would miss another," Misra said. "You need security services as part of a risk-management portfolio, but you can't say that will protect me fully, just like a firewall won't protect you fully. Vendors have to be more mature about approaching security. Fundamentally, it's not just one thing."