Microsoft was apparently so concerned about Windows Vista passing the test of IT security and being useful in as many applications as possible that they called in probably the most proficient group of professionals they could find: the National Security Agency (NSA). Microsoft wanted Vista to meet Department of Defense (DoD) and federal standards for IT security, so they enlisted the NSA to make sure that Vista would be up to the challenge. Whether or not Vista really is significantly more secure, or secure enough to meet DoD standards, is a different issue entirely, but it's likely as secure as it's going to get, considering the bulk of security-related issues come from lapses in network security, patching, user education, or security policy.
Regardless, it’s rather impressive that Microsoft went to the effort of getting the help of America’s codewriters and codebreakers to help fortify its technology:
“Our intention is to help everyone with security,” Tony W. Sager, the NSA’s chief of vulnerability analysis and operations group, said yesterday.
The NSA’s impact may be felt widely. Windows commands more than 90 percent of the worldwide market share in desktop operating systems, and Vista, which is set to be released to consumers Jan. 30, is expected to be used by more than 600 million computer users by 2010, according to Al Gillen, an analyst at market research firm International Data.
Microsoft has not promoted the NSA’s contributions, mentioning on its Web site the agency’s role only at the end of its “Windows Vista Security Guide,” which states that the “guide is not intended for home users” but for information and security specialists.
The Redmond, Wash., software maker declined to be specific about the contributions the NSA made to secure the Windows operating system.
The NSA also declined to be specific but said it used two groups — a “red team” and a “blue team” — to test Vista’s security. The red team, for instance, posed as “the determined, technically competent adversary” to disrupt, corrupt or steal information. “They pretend to be bad guys,” Sager said. The blue team helped Defense Department system administrators with Vista’s configuration.
Red Teams and Blue Teams are nothing new to anyone who knows much about penetration testing, white-hat hacking, and security auditing and testing. The red team is the “adversary” or the “enemy,” the black-hat hacker or team of crackers looking to intrude on your network and collect information from your systems and networks. The blue team can be the responding team, the team that does the analysis once the red team has done its work, or something as innocuous as the tech support folks who help set up and configure the network for the penetration test. The red team is where the action is.
It’s rather amusing that both parties are eager to discuss the fact that they helped the other, but neither is willing to discuss exactly how. Ah well, secrets will be secrets, I suppose.