
CASE ASSIGNMENT 2: Questions for Microsoft Security Response Center (A) Case Toan ui !

1) What are the main issues surrounding this case?

The main issue surrounding this MSRC (A) case is that CyBER Paladin (CyP), a fairly well known member of the hacker community, is currently in the process of hacking the Microsoft Security Response Center (MSRC). Scott Culp, who is the security program manager, was warned by CyP that visitors would be able to "break out" from the normal views of the web site text and graphics and access the server's operating system. Users would be able to reformat the server's hard drive, change or modify web site content, steal data, install additional software on the machine, and many other things.

2) Who are the main stakeholders that Culp should be concerned with?

The main stakeholders that Culp should be concerned with are CyBER Paladin (CyP) and the internet in general. There are many hackers out there, and the most crucial and severe hacker is the one that has already threatened you with valid power to hack into your operating system. Everybody that had Microsoft's operating system should be highly concerned at this time, as their computer could be hacked.

3) Identify and prioritize the issues that Culp should be concerned with and develop a plan of action and a timeline.

The most important item to be prioritized as of now is that the Microsoft Security Response Center is under a major threat of being hacked by CyBER Paladin. The next most important item on the list is to specifically find which parts of the MSRC infrastructure are under the most potential harm.

Plan of action / timeline:

1. The MSRC should now meet internally and seek out all potential damages in the near future that could put their company at risk.
2. The MSRC should thoroughly list all potential damages and figure out a security vulnerability scheme that could fix any of these potential harms immediately.
3. Since Culp realized that this issue required his immediate attention, his duty now is to drop all current projects and take the new project at hand head on.
4. Have all of the possible security problem information available through the different sources, such as secure@microsoft.com, product support services, internal security tests, external mailing lists, and external Web sites.
5. Take action on each potential damage in order to successfully eliminate the chances of harm in the upcoming near future.
6. Contact any other departments for assistance at the necessary time.

4) Not all hackers are as ethical as CyP. How do you reward him/her and encourage that behavior?

Since CyP wanted to warn system administrators as soon as possible of the risks, he was basically giving in sympathy to MSRC. To reward CyP, as a security program manager I would simply give CyP a compensation reward to show my appreciation for warning us of possible risks. Although I would not be able to solve the problem as a patch could, I know the course of action that I will take.

5) The public blames software companies for developing programs with vulnerabilities and then taking so long to provide solutions for vulnerabilities.

a. Should the companies take more time to develop software (to make sure that it is not vulnerable)?

Yes, companies such as MSRC should most definitely take more time to develop software to ensure that it is not vulnerable. Although I do not believe that companies can do much more and be more secure than MSRC, it does not hurt to have a separate team to do more research as needed. MSRC simply faced a tough opposition in CyP, because they are very knowledgeable in what they do to potentially harm big organizations such as Microsoft.

b. What are the arguments for or against providing source code to the public (e.g. Linux)?

The argument against providing source code to the public, such as Linux did, is that it puts confidential information not only where the public eye can see it but where potential threats could see and access the code. It is perfectly fine to put it out simply for business purposes as needed, but when the code gets into the hands of a potential threat, that's where things could be taken too far and the company could have a tremendous target on their back.

6) Public perception (and confidence) is integral to sales. How can the information be released to the public without provoking the thought "How many other vulnerabilities like this are there in other products?" Does the public have to know about the potential extent of the vulnerability?

Public perception is definitely integral to sales. Perception is definitely the key the majority of the time. Companies such as Linux or MSRC can release their source code and other information to public companies by working internally with those companies, sending the information directly to the department in the other company that requires the source code. They could also consider having a waiver signed by the other company, or a certain deal such that, if the source code or information is used in a harmful way, they could involve compensation in the deal so that they could ensure safety. The public does not have to know about the potential extent of the vulnerability; if word gets out that a highly harmful vulnerability could exist, that could encourage hackers such as CyP to take action and use the publicly shared source code in a negative way.
