corner

Who We Are: TEAM Zarate-Tarrani (Mike Tarrani, Linda Zarate, Kate Hartshorn)
Our main weblog: Notes from the Field
Saturday, February 09, 2002

 

TOPIC: Security Issues and Resources: This entry might look like Microsoft bashing, but bear with me because it isn't. The topic is security, and my goal is to provide awareness, opinion and resources.

Awareness. First, if your organization has heavily invested in Microsoft technology or is leaning that way, take a quick look at the numerous problems you are facing or will be facing. Bleak? Overwhelming? These problems did not happen overnight, but the consequences have finally come to a head. Some of the more glaring problems and consequences can be found in two articles in eWeek and an article from E-Commerce Times.

The first article dated 28 May 2001 dropped a bombshell with the report that Insurer Considers Microsoft NT High-Risk. Another damaging article from this publication, dated 25 September 2001, turned up the heat with a report that Gartner Recommends Against Microsoft IIS. The article in the 4 October 2001 issue of E-Commerce Times Under Pressure, Microsoft Moves to Tighten Security unearthed a litany of problems.

Apparently Microsoft was listening. Here is the short-term response, the now famous Bill Gates' Email on Trustworthy Computing (copied from Paul Boutin's weblog).

Yes, it's a step in the right direction, but is it a sincere effort or a marketing/public relations ploy? The reported action is that there will be a 30-day moratorium on new coding so that developers can find and fix security problems. 30 days? Let's examine the realities here:

  • There are millions of lines of code that make up the Microsoft product line
  • There is strong circumstantial evidence that Microsoft hasn't given much thought to security until now
  • The daunting planning and coordination challenges that need to be overcome before the coding efforts of thousands of developers can be redirected towards the task of finding and fixing security vulnerabilities. Not to mention the training that the coders-turned-security auditors will need before they're effective.
Given the realities, consider this: a rollout of Windows XP for a 1,000-person organization requires more planning and coordination than the project Mr. Gates proposes. Personally, I don't believe it is anything more than spin control.

From the foregoing it would appear on the surface that Microsoft can't produce secure software and, therefore, we should look to [pick your favorite vendor, OS or whatever] to save us.

Here's a dose of reality: go to the CERT/CC Vulnerability Notes Database, which is maintained by the CERT Coordination Center (CERT/CC). You may be surprised by the number of vulnerabilities reported for your favorite vendor, OS or whatever. If you're still not convinced, look through the advisories and draw your own conclusions. While you're on the site do a little exploring and you'll find tools and practices to help you shore up your own security posture.

I'll give an example of how we sometimes allow personal opinions and value judgements to cloud our objectivity. I happen to think that Oracle is the only sane solution for mission critical computing. When Oracle began advertising their Unbreakable database I took it as a matter of fact. You can well imagine my surprise and chagrin when I read the 7 February article in The Register that reported How to hack unbreakable Oracle servers. David Litchfield of Next Generation Security Software uncovered a number of vulnerabilities. If you want specifics, download Mr. Litchfield's whitepaper titled Hackproofing Oracle Application Server. If your organization uses Oracle or Lotus Domino you would also do well to read the advisories and whitepapers in the research section of the Next Generation Security Software site.

Opinions:

  1. Microsoft bashing has become so fashionable that we tend not to notice that software (including firmware) security vulnerabilities are the norm instead of the exception. This is dangerous because if Microsoft cleaned up every security flaw and vulnerability tomorrow there would still be a plethora of risks in using computers for business or personal use.
  2. Microsoft is positioned to lead. They acknowledged certain facts about their software and have announced that they are going to do something about it. If the announcement is spin control and empty promises they will ultimately suffer. However, if they do make a concerted effort and it starts showing results, then the rest of the industry is going to be followers that play the me-too game.
  3. I do not expect any real progress to be made within the 30-day timeframe that Microsoft announced.
  4. The root cause of the problem, in my opinion, goes to shoddy-to-nonexistent software engineering and quality practices industry-wide. We're watching a company focus on security when it's really a process and quality problem. We're also watching a particular company, bashing them along the way, when it's the entire US software industry that should be watched.
  5. If UCITA (see my 8 February entry) were law, neither Microsoft nor any other US company would have much incentive to clean up the mess (that's my opinion, of course).
Do not construe my opinions as excuses for Microsoft. They are a monopoly and should be held to the highest standards. This does not exonerate the rest of the industry of their sins of omission and commission with respect to quality and professional standards.

The purpose of this weblog is to promote and foster best practices and improvement within the IT profession. To that end here's my advice with respect to shrink-wrapped software and COTS (commercial off-the-shelf software):

Resources. Linda and I have an Information Technology Security page that contains links to a large number of resources, many of which are primary sites for security professionals. We also have documents on this site that will prove helpful. Use this site as your gateway to the primary security sites on the web and you'll be on your way. Since the Information Technology Security page is infrequently updated (we have since discovered weblogs and use this and Notes from the Field to update content and share news and documents), I'm including a few resources that you will not find on our page:

  • A nicely designed and useful security page from the National Institutes of Health. This resource is included because it's a model for your own organization, and it has security policies, guidelines and a handbook that you can benchmark against yours. The IS Security Program Handbook in MS Word format is especially valuable.
  • The Network Risk Assessment page (also from NIH) has a manual in MS Word format and an accompanying Excel risk assessment tool that are invaluable.
  • Speaker notes and presentations from the Black Hat Briefings '01, which took place in Amsterdam, November 2001. The presentations are a treasure trove for security professionals.
Since it's a Saturday I am going to enjoy the rest of the day.



Friday, February 08, 2002

 

If you're initiating process improvement you'll want to read American Productivity & Quality Center's whitepaper titled Benchmarking: Leveraging Best-Practice Strategies. You'll find that it's a good fit with the material on process improvement that I've posted in the last two entries. If you're interested in knowledge management and how it enables business processes and process improvement you'll also want to download the PowerPoint presentations from APQC's September 2001 conference on Next-Generation Knowledge Management: Enabling Business Processes.

I also recommend e-Newsletter of Practical Process Improvement if you want to read insightful articles about process improvement.

If you are pursuing improvement in project management or program management practices you'll want to check out NNH Enterprise's earned value project management papers and associated earned value definitions.

On 17 January Linda and I each addressed the Uniform Computer Information Transactions Act (UCITA) in Notes from The Field. One of the key issues (and there are many) that we have with UCITA is the restriction against criticizing a product. This extends to reviews, statements of fact concerning shortcomings and the like. If you want to see justice before UCITA check out the short article from The Register dated 7 February 2002 headlined as NY sues NAI so you can say McAfee sucks. If UCITA were in force McAfee would have prevailed. Food for thought. If you're not up-to-speed about UCITA do take the time to read Linda's and my 17 January comments, as well as InfoWorld's UCITA briefing page and Ed Foster's incisive thoughts in his Gripeline article titled The Bride of UCITAstein.

Another legal issue (actually a raft of them) that affects our profession and the businesses that we support concerns intellectual property. I won't go into my thoughts about the Digital Millennium Copyright Act (DMCA) today because I'll wind up writing a tome instead of making a weblog entry. I will recommend that you read Bill Zoellick's excellent book titled CyberRegs: A Business Guide to Web Property, Privacy, and Patents, which succinctly captures the essence of the thorny legal issues and the laws that are being passed to keep pace with our web-enabled, information-driven world. I reviewed this book on 25 September, and my friend Kate Hartshorn also reviewed it on 8 November. Kate's review is interesting because her expertise is competitive intelligence (a fancy word for corporate spy), and her comments place the issues in a different perspective than the rest of the reviews.

One site I frequently visit for news regarding intellectual property issues on the web is Info Anarchy. This site's stated mission is to cover: reviews of file sharing/anonymity tools, announcements of new releases, ideas and concepts, legal proceedings, statements and other relevant news. Along these same lines, Deborah Branscum's weblog is a worthwhile resource. Her views of UCITA, Microsoft follies and related topics are completely in line with mine. The difference between Deborah and me, though, is she does not sugar-coat her opinions.

Closing items are odds and ends that are valuable to IT managers:

TGIF. Tomorrow's entry will address more security issues and provide some documents and resources that you may find especially valuable for refining your security posture.



Thursday, February 07, 2002

 

In yesterday's entry I ended by sharing a process improvement manual that I made available for download. That manual is valuable as a standalone asset, but when combined with Continuous Improvement: A way of life (a 36-page essay by P. R. Balakrishnan), you'll be armed with enough material to place process improvement into the context that is right for your organization.

There is much ado about security these days. I've frequently written about it here and in Notes from the Field, and will continue to do so because it's an important topic from operational and software engineering points of view. One interesting resource is Generally Accepted System Security Principles (GASSP). This page contains the principles in HTML and MS Word format. The approach used is to cast security principles in the same manner as generally accepted accounting principles (GAAP). Given that accounting and auditing on the one hand, and core security practices on the other, are closely related, the GASSP approach makes sense. Bear in mind that this is not a formal standard issued by a standards body (the document is hosted on MIT's site), but it does reflect best practices from which you may want to borrow.

Final notes about security in this entry: Security Focus is a repository of resources, including a fairly complete library of security documents that is worth checking into. If you're working on e-commerce or Internet projects you'll want to read A Parametric Approach for Security Testing of Internet Applications to make sure the test and release phases of your project cover key aspects. That's what due diligence is all about.

If you haven't guessed, I subscribe to the adage that if you can't measure it, it doesn't exist. It's finding what needs measuring that's the challenge. An article from Baseline Magazine titled A Dozen Smart Metrics, To Go provides twelve useful indicators that you should be measuring, including:

Before ending I want to share a new weblog I discovered today: VoidStar, which is Julian Bond's creative outlet for his valuable thoughts and ideas. Mr. Bond has much to say about a wide range of subjects and topics related to IT operations, software engineering and anything that falls on the periphery or in between. I spent a few hours earlier today reading, absorbing and assimilating. I'm impressed.



Wednesday, February 06, 2002

 

On Risks: The theme of this post is risk management. Leading off is a pointer to Resource Management Systems, which sells tools that are reasonably priced and useful. Their FastPlanner for IT is an Excel add-in for IT budgeting and estimating. At $79.00 it's cost-effective because it will surely shorten the time spent doing one of the most painful tasks that goes with the territory if you're an IT manager. What does this have to do with risk? Everything. How many budgets and estimates are accurate? FastPlanner provides a framework that fosters accuracy by ensuring that all cost drivers are taken into account. Budget risk, especially when shareholder value is at stake, is inversely proportional to budget forecast accuracy. However, products aren't the only reason to visit Resource Management Systems' web site - there are online tutorials, budgeting FAQs and briefs that are valuable and freely available.

Risk Matrix from Mitre (compliments of your tax dollars) is a free risk assessment tool. You can obtain it by filling out a registration form, and instructions for downloading it will be promptly sent. The advantage of registering the tool is that you'll receive update notifications. If you can't wait you can download it from my server. I do urge you to go through the registration process at your convenience if you do get the tool from me.

Simtools and Formlist are free Excel add-ins that should be in the toolbox of every risk manager, strategic planner and project manager. Simtools adds statistical functions and procedures for doing Monte Carlo simulation and risk analysis in spreadsheets. Formlist is a simple auditing tool that adds procedures for displaying the formulas of any selected range. There is an additional tool, TORNDIAG.XLS, that adds a Tornado Diagram procedure to the Excel Tools menu. This procedure can then be used to make a tornado-style sensitivity-analysis diagram in any open workbook. (Tornado diagrams show how an output value would change as various input parameters are changed, one at a time, from a given best estimate to a given low estimate and a given high estimate.)
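To make the tornado procedure concrete, here is an added example in Python (not code from the page, and not taken from the Simtools or TORNDIAG.XLS add-ins) that runs the same one-at-a-time sensitivity analysis the paragraph above describes, together with a small seeded Monte Carlo run over the same inputs. The risk model (expected annual loss = threat events per year x probability a control fails x loss per incident) and the low/best/high three-point estimates are constructed assumptions for illustration, not figures from any of the tools mentioned.

```python
"""One-at-a-time (tornado) sensitivity analysis plus a Monte Carlo run over a
small information-security risk model.

Added example, not code from the page or from the Simtools/TORNDIAG add-ins.
The risk model and the low/best/high ranges below are constructed assumptions.
"""
import random
import statistics
from typing import Callable, Dict, List, Tuple

Params = Dict[str, Tuple[float, float, float]]  # name -> (low, best, high)

# Constructed sample inputs: a three-point estimate for each risk driver.
PARAMS: Params = {
    "threat_events_per_year": (2.0, 6.0, 20.0),                 # attempts per year
    "p_control_failure":      (0.02, 0.10, 0.30),               # share of attempts that succeed
    "loss_per_incident":      (20_000.0, 75_000.0, 400_000.0),  # dollars per incident
}


def annual_loss(p: Dict[str, float]) -> float:
    """Assumed model: expected annual loss = events * P(control fails) * loss."""
    return p["threat_events_per_year"] * p["p_control_failure"] * p["loss_per_incident"]


def tornado(model: Callable[[Dict[str, float]], float], params: Params):
    """Hold every driver at its best estimate, then move one driver at a time to
    its low and then its high estimate, recording the output at each end. Rows
    are sorted widest swing first, which is what gives the diagram its shape."""
    best = {name: est[1] for name, est in params.items()}
    base = model(best)
    rows: List[Dict[str, float]] = []
    for name, (low, _best, high) in params.items():
        out_low = model(dict(best, **{name: low}))
        out_high = model(dict(best, **{name: high}))
        rows.append({"param": name, "low_out": out_low, "high_out": out_high,
                     "swing": abs(out_high - out_low)})
    rows.sort(key=lambda r: r["swing"], reverse=True)
    return base, rows


def render_tornado(base: float, rows: List[Dict[str, float]], width: int = 40) -> List[str]:
    """Plain-text tornado bars, scaled so the widest swing fills `width` chars."""
    scale = width / max(r["swing"] for r in rows) if rows else 1.0
    lines = [f"best-estimate output: {base:,.0f}"]
    for r in rows:
        bar = "#" * max(1, round(r["swing"] * scale))
        lines.append(f"{r['param']:<24} {r['low_out']:>12,.0f} .. {r['high_out']:>12,.0f}  {bar}")
    return lines


def monte_carlo(model: Callable[[Dict[str, float]], float], params: Params,
                n: int = 20_000, seed: int = 1) -> Dict[str, float]:
    """Draw every driver from a triangular(low, best, high) distribution, push
    each joint draw through the model and summarise the output distribution.
    The generator is seeded so a run is reproducible."""
    rng = random.Random(seed)
    outputs = sorted(
        model({name: rng.triangular(low, high, mode) for name, (low, mode, high) in params.items()})
        for _ in range(n)
    )

    def pct(q: float) -> float:
        return outputs[min(n - 1, int(q * n))]

    return {"mean": statistics.fmean(outputs), "p10": pct(0.10),
            "p50": pct(0.50), "p90": pct(0.90), "max": outputs[-1]}


if __name__ == "__main__":
    base, rows = tornado(annual_loss, PARAMS)
    print("\n".join(render_tornado(base, rows)))   # loss_per_incident ranks first
    print(monte_carlo(annual_loss, PARAMS))
```

With these inputs the best-estimate loss is 45,000 and the loss-per-incident driver produces the widest swing (12,000 to 240,000), so it is the first bar; that ordering is the whole point of a tornado diagram, since it tells you which estimate deserves the most effort to tighten. The Monte Carlo summary uses the same three-point estimates as triangular distributions, the common spreadsheet shortcut when no better data exist.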

On the topic of business continuity and disaster recovery planning, which are two activities that are steeped in risk management, I have three papers that are worth reading:

  1. BCP and DR in Perspective
  2. High Availability in Perspective
  3. Negotiating Business Continuity Contracts
In addition, Managing Risks in an Increasingly Automated Customer Contact Center by PricewaterhouseCoopers LLP is a summary of call center automation risks that call center professionals will find useful.

If you haven't been following the Microsoft Passport vs. Project Liberty posturing and you're involved in e-commerce you should visit ZDNet's Tech Update page for the Project Liberty Special Report. In my opinion (as well as that of many in the industry) there are many inherent risks in Microsoft's online ID system. For more information see also Meta's report titled Passing Passport. Passport is tied into Microsoft's .NET initiative, which has its own set of risks, foremost among them Internet interoperability. A piece of reassuring news for those of us who espouse open standards is the ZDNet report of a .NET Alternative.

Information security policies are designed to reduce, mitigate or avoid risks. An excellent PowerPoint presentation that addresses this is Measuring Information Security Policy Conformance. I also have material on project risk management at the following pages: PM Overview Page and Tools & Documents. Both of these pages are on my old Infrastructure, Life Cycle and Project Management site. The site is dusty and does not receive much maintenance from me, but remains popular and does have a wealth of useful material.

A parting note: improving processes reduces risk. I'm including a manual in MS Word format titled Managing Process Improvement that may prove useful. If you're also interested in software engineering I'll be updating Notes from the Field with material that addresses software risk management, among other topics.



Monday, February 04, 2002

 

Here's a question: What is your interest level in policies, processes and procedures for the following?
  • change control
  • issue management
  • user profile management
  • data center facilities management

Linda and I have enough material to produce a set of generic documents for each of these. We also have a complete and comprehensive project plan that includes a work breakdown structure, critical path analysis and estimates for tasks and deliverables for a service level management project. This also includes SLA templates, a risk-adjusted estimating worksheet and other artifacts.

One idea is to sell them in Word and Excel format, allowing clients to customize them to their own needs and organization. This will greatly shorten the development and implementation time for these critical processes, which adds to their value. Another idea is to sell them in PDF format as guidelines and idea resources.

An initial strategy was to price the Word/Excel collection at a premium, and the PDF files at a reduced price since they are difficult to customize, but still have value. Another idea is to give away the PDF collection as locked files that can only be viewed (not printed) as a see-before-you-buy option, and sell the Word/Excel versions. That is the direction in which we're leaning.

We are also leaning towards selling them by topic because the entire collection may be overkill, such as in the case of an organization that has existing issue management processes and procedures, but wants a more mature change control process.

The difficult part from our viewpoint is pricing. How much should we charge? Here we're leaning towards a pricing strategy that is in the $49.95 range for each topic area with rights limited to single companies. For consultants we're toying with the idea of a license scheme whereby each topic is priced at $495.00 and can be resold to clients as tailored documents.

We welcome your comments, opinions and recommendations.



Sunday, February 03, 2002

 

How not to launch a commercial service. This weblog is hosted on a free service called Blogger, which has just launched a professional offering that is reasonably priced, but ultimately not worth the price unless you are (pick one or more):
  1. Currently using IE 5 or above
  2. Unconcerned about security
  3. In agreement that item 2 applies and you're willing to use IE 5 or above
  4. Unaware of the ongoing problems documented in the site status log, which indicate bigger problems than requiring a vendor-specific browser
What are my real issues? First, the status log shows that this is one unstable system, even with the professional service. One of the features is Priority Server Access, yet the log shows problems in paradise.

Second, looking at the Tuesday, January 22, 2002 entry in the status log leads me to conclude that changes are made to the production system without any testing and release procedures. Hence, I doubt there exists a test system (unless you consider the production servers to be the test system, which is what I suspect). That accounts, in my opinion, for a good deal of instability that is reported in the status log. A professional option that gives Priority Server Access will not and cannot guarantee that what goes on in the background isn't going to deny access because of some silly change (feature, fix, whatever) that the cowboys and cowgirls running this system feel like making.

Given the manifold security problems associated with VBA, which I suspect is the reason IE 5 or above is required to use the professional option, who in their right mind is going to willingly use VBA on the Internet? Another red flag is the Professional Option FAQ which cannot be read without IE 5 or above!

What's my point? Here is a service designed to bring revenue into a company that disenfranchises Linux and UNIX users, anyone who is security conscious regardless of their browser choice, and forces customers into using a browser they may not otherwise want to use. I had IE completely removed from my machine, which was no small feat. I'm certainly not about to put what I consider a virus back on just to pay someone for the privilege of using many features I don't need in order to get a level of availability that doesn't seem to be possible given the support practices I've extrapolated from the status log. It does serve as an example of what we IT professionals sometimes inflict on our own users, and therefore, should go into the worst practices category. Think about this worst practice if you're designing a B2C system. If you want to read about best practices I recommend a visit to World Wide Web Consortium, especially their Seven Points, which leads off with Universal Access (i.e., browser-independence), and their online validation services that allow you to validate compliance of your pages using their online tools. I also recommend a book titled Web Project Management that shows not only how to manage web projects, but also how to make them customer-friendly.

Notes: Some sources upon which I base my security concerns include:
Postscript added 18:30 PST: The following is an example of a browser-independent web application. This example is a heck of a lot more difficult than a GUI edit window and spell checker, and the designer managed to pull it off without requiring a specific browser brand or version. It shows what can be developed when the developer(s) know what they're doing.