Microsoft Australia's managers have nominated 40 of the company's large clients as being potentially "at risk" of information technology security breaches, the software heavyweight's security team leader revealed today.
Ben English told ZDNet Australia today the nominations had been received from customer-facing account and technical managers as part of a review of the security capabilities of the software heavyweight's 700-strong Australian enterprise client base. Enterprise clients are classed by Microsoft as those operating 1,000 or more personal computers.
"Our entire enterprise base is being looked at to see what sort of action is required, if any," English said.
Nominated companies are audited to ascertain the extent of any security deficiencies before further action is undertaken.
English said Microsoft Consulting Services had undertaken six engagements with companies within that group of 40 to help them fix their security problems and was presently undertaking six more. Several more were in the pipeline, he said, with some of these engagements to be completed by nominated Microsoft partners presently being trained by the software heavyweight. These partners include Dimension Data and Avanade.
The needs of other members of that group were being met by briefings, seminars and other educational methods, English said.
Where there was direct involvement by MCS and partners, Microsoft itself was presently picking up at least part of the tab. However, English said no decision had yet been taken on whether, if the program was extended to the small to medium market, further subsidies would be forthcoming. "We need to look at the success of the pilot before we go any further," he said. "It has to be an effective use of money".
English said the program would be reviewed this month and could continue into the next financial year.
He said that the predominant issue for companies in the group of 40 was patch management, with some not having patching processes in place and others not having the technology in place to install patches.
Another common problem was the lack of awareness within some companies of how to "lock down" their systems, or, as English described it, "system hardening" or "presenting a minimised attack surface area".
This included "turning off things companies didn't need," engaging in best-practice password management and reducing the system access privileges of individuals who did not necessarily need the level of access they had at the moment.
English underlined the critical need for companies to keep their information technology security up to date. "What we've seen over the past year is more virulent and damaging attacks on organisations ... we've also seen the proliferation of tools and resources to enable script kiddies to build viruses and release them into the wild.
"As a result we've seen a lot more people trying to write viruses and release them into the wild.
"There is greater awareness and virus writers are becoming more sophisticated in the way they write them, with multiple attack vectors and an ability to spread extremely rapidly. It's more important than ever for organisations to keep up to date and [their systems secure]".
English was speaking ahead of the launch of Microsoft's second round of security seminars, kicking off in Sydney later this week. The first round of seminars was held in March this year.
The second round of seminars is focussing on more advanced security topics, including overviews of technologies such as Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, Internet Security and Acceleration Server 2004 and patching via Windows Update Services and Systems Management Server 2003.
English revealed that Microsoft's global head of product security, George Stathakopoulos, would be visiting Australia to participate in the first round of seminars, to be held in Sydney, Melbourne and Brisbane. The second round of seminars -- which also includes a management stream -- will see Microsoft executives visit Adelaide, Perth and Canberra.