This Government's Security Brought to you by Microsoft
Who don't you want to get in, today?
The Australian IT section has reported on the imminent announcement by the Australian Attorney General's Department that they have extended a 2003 agreement with Microsoft (the shared source agreement) to cover information security. The extended agreement claims to "help Australia tackle threats to 'national security, economic strength and public safety'",is similar to agreements held by the USA, Canada, Norway and Chile and will allow Microsoft staff to examine attacks against Australian government networks.
It will be interesting to see how the proposed data sharing works out, especially as Government agencies can be quite restrictive about sharing sensitive information with external bodies. The proposed advanced notice by Microsoft of upcoming updates and vulnerabilities being tracked (to allow the Government to plan and implement a response) introduces the dichotomy of all intelligence products - the more you share, the less useful it becomes.
Microsoft have been improving their security response timelines, but have still been hit with two 0-day exploit vectors in the last four months which this service would have done nothing to protect against (not many companies were placed for an immediate response, but some were), and which affected almost all Windows-based systems - the WMF vulnerability affected all the systems from Windows 95 through to Vista - all the systems which could connect to the Internet.
The addition of community security awareness training is a good sign for some of the native Information Security companies, such as Sûnnet Beskerming (regarded by Microsoft as 'Security Experts'), that are likely to play some part in the eventual implementation of such training based on historical involvement with Microsoft Security events.
What about the non Microsoft systems?
There is no indication as to the support or protective services that will be extended to non-Microsoft products. This could be a concern in the future as it is likely that there are still Government departments which have pockets of unsupported systems (i.e. Windows NT) connected to various networks, and other agencies of the Government have recently announced moves to centralise on non-Microsoft software.
In particular, the National Archives announced five days ago that it will standardise on OpenOffice.org 2.0 (OO.o 2.0) as its primary office file preservation format and that the OpenDocument Format will be the primary format used for archiving of electronic data (text, spreadsheets, charts and graphical documents).
Most of the government systems and interfaces that have successful attacks launched against them, and are known about, have been based on Microsoft technologies, which adds value to the extended agreement. The non-Microsoft based systems which have been successfully attacked may be left out in the cold as a result of this agreement.
Major data stores that rely upon Oracle, DB2 or other database platform (not MS SQL) could be overlooked even though they carry significant risk and recent history is suggesting that these are becoming the more valuable targets to attackers. For example, there are a number of serious Oracle issues that are evolving and have evolved recently almost on a par with MS SQL's historical 'sa' account.
It can not be realistically expected of Microsoft to provide security support and advice for these other systems and products. However, the reporting on the agreement makes it appear that they are supplying a 'Whole of Government' solution.
5 April 2006
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.Comments will soon be available for registered users.