Posted by Mike Tarrani
2:55 PM
TOPIC: Security Issues and Resources: This entry might look like Microsoft bashing, but bear with me because it isn't. The topic is security, and my goal is to provide awareness, opinion and resources.Awareness. First, if your organization has heavily invested in Microsoft technology or is leaning that way, take a quick look at the numerous problems you are facing or will be facing. Bleak? Overwhelming? These problems did not happen overnight, but the consequences have finally come to a head. Some of the more glaring problems and consequences can be found in two articles in eWeek and an article from E-Commerce Times.
The first article dated 28 May 2001 dropped a bombshell with the report that Insurer Considers Microsoft NT High-Risk. Another damaging article from this publication, dated 25 September 2001, turned up the heat with a report that Gartner Recommends Against Microsoft IIS. The article in the 4 October 2001 issue of E-Commerce Times Under Pressure, Microsoft Moves to Tighten Security unearthed a litany of problems.
Apparently Microsoft was listening. Here is the short-term response, the now famous Bill Gates' Email on Trustworthy Computing (copied from Paul Boutin's weblog).
Yes, it's a step in the right direction, but is it a sincere effort or a marketing/public relations ploy? The reported action is there will be a 30 day moratorium on coding to fix security problems. 30 days? Let's examine the realities here:
- There are millions of lines of code that make up the Microsoft product line
- Strong circumstantial evidence that Microsoft hasn't given much apparent thought to security until now
- The daunting planning and coordination challenges that need to be overcome before coding efforts of thousands of developers can be redirected towards the task of finding and fixing security vulnerabilities. Not to mention the training that the coders-turned-security auditors will need before they're effective.
Given the realities, consider this: a rollout of Windows XP for a 1000-person organization requires more planning and coordination than the project to which Mr. Gates proposes. Personally, I don't believe it is anything more than spin control.From the foregoing it would appear on the surface that Microsoft can't produce secure software and, therefore, we should look to [pick your favorite vendor, OS or whatever] to save us.
Here's a dose of reality: go to the CERT/CC Vulnerability Notes Database, which is maintained by the CERT Coordination Center (CERT/CC). You may be surprised to notice the vulnerabilities reported for your favorite vendor, OS or whatever. If you're still not convinced, look through the advisories and draw your own conclusions. While you're on the site do a little exploring and you'll find tools and practices to help you shore up your own security posture.
I'll give an example of how we sometimes allow personal opinions and value judgements to cloud our objectivity. I happen to think that Oracle is the only sane solution for mission critical computing. When Oracle began advertising their Unbreakable database I took it as a matter of fact. You can well imagine my surprise and chagrin when I read the 7 February article in The Register that reported How to hack unbreakable Oracle servers. David Litchfield of Next Generation Security Software uncovered a number of vulnerabilities. If you want specifics download Mr. Litchfield's whitepaper titled Hackproofing Oracle Application Server. If your organization uses Oracle or Lotus Domino you would also do well to read the advisories and whitepapers in the site's research section.
Opinions:
- Microsoft bashing has become so fashionable that we tend to not notice that software (including firmware) security vulnerabilities are the norm instead of the exception. This is dangerous because if Microsoft cleaned up every security flaw and vulnerability tomorrow there would still be a plethora of risks using computers for business or personal use.
- Microsoft is positioned to lead. They acknowledged certain facts about their software and have announced that they are going to do something about it. If the announcement is spin control and empty promises they will ultimately suffer. However, if they do make a concerted effort and it starts showing results, then the rest of the industry is going to be followers that play the me too game.
- I do not expect any real progress to be made within the 30-day timeframe that Microsoft announced.
- The root cause of the problem, in my opinion, goes to shoddy-to-nonexistent software engineering and quality practices industry-wide. We're watching a company focus on security when it's really a process and quality problem. We're also watching a particular company, bashing them along the way, when it's the entire US software industry that should be watched.
- If UCITA (see my 8 February entry) was law neither Microsoft nor any other US company would have much incentive to clean up the mess (that's my opinion, of course).
Do not construe my opinions as excuses for Microsoft. They are a monopoly and should be held to the highest standards. This does not exonerate the rest of the industry of their sins of omission and commission with respect to quality and professional standards.The purpose of this weblog is to promote and foster best practices and improvement within the IT profession. To that end here's my advice with respect to shrink-wrapped software and COTS (commercial off-the-shelf software):
Resources. Linda and I have an Information Technology Security page that contains links to a large number of resources, many of which are primary sites for security professionals. We also have documents on this site that will prove helpful. Use this site as your gateway to the primary security sites on the web and you'll be on your way. Since the Information Technology Security page is infrequently updated (we have since discovered weblogs and use this and Notes from the Field to update content and share news and documents), I'm including a few resources that you will not find on our page:
- A nicely designed and useful security page from the National Institutes of Health. This resource is included because it's a model for your own organization, and it has security policies, guidelines and a handbook that you can benchmark against yours. The IS Security Program Handbook in MS Word format is especially valuable.
The Network Risk Assessment page (also from NIH) has a manual in MS Word format and an accompanying Excel risk assessment tool that are invaluable.- Speaker notes and presentations from the Black Hat Briefings '01, which took place in Amsterdam, November 2001. The presentations are a treasure trove for security professionals.
Since it's a Saturday I am going to enjoy the rest of the day.