Microsoft Shares Its Security Procedures

Microsoft has released a technical case study of its internal security procedures, in which it spells out a three-pronged approach to thwarting malicious hacker attacks and urges enterprise admins to spend more time anticipating and preventing attacks. The case study includes several best practice recommendations for IT admins, including: a) The creation of a risk model for the enterprise to pinpoint potential risk areas and the probability and impact of a compromise to each area. b) Plans to determining what is worth risking and what must be fixed. "Doing nothing is an option if the risk probability or impact is low." c) The development of a library of the risk-rated vulnerabilities to verify if the known vulnerabilities are present in the scanning process and the documentation of technologies and resources (people and devices) that have access to those technologies. d) Management of the vulnerabilities by notifying users and forcing a patch or disconnecting the vulnerable system from the network.