Information Security News mailing list archives

Security: Everyone's concern


From: InfoSec News <isn () C4I ORG>
Date: Mon, 19 Jun 2000 09:19:27 -0500

http://www.zdnet.com/eweek/stories/general/0,11011,2589474,00.html

June 18, 2000 9:00 PM PT

Be careful what you wish for -- you just might get it. During a
roundtable discussion with eWeek editors, IT managers said they asked
for the tight integration and product synergy that Microsoft Corp.
offers. What they didn't ask for were the security vulnerabilities
inherent in this model.

eWeek Corporate Partners Steve Curcuru, resident wizard at
Boston-based Mugar Enterprises Inc.; Sam Inks, director of IS at
Atlantic Research Corp., in Gainesville, Va.; and Dave Thompson, CIO
of the Defense Advanced Research Projects Agency, in Arlington, Va.,
take not only Microsoft but also the IT community to task for not
anticipating and preventing these vulnerabilities. During a conference
call with eWeek Technology Editor Peter Coffee, Executive Managing
Editor/eBiz Strategies Jeff Moad and Executive Editor/eWeek Labs Deb
Donston, the Corporate Partners offered recommendations for turning
things around.

eWeek: Did we get what the market produced because people voted with
their wallets for features and integration?

Curcuru: I get great value out of Microsoft Office and the way the
applications integrate. Security and a way to turn off automated
features should have been included, but I will have to confess that I
didn't stand up and say, "Bill, this is what we need. Why the heck
isn't it in the core of your operating system?"

eWeek: Some would say that Microsoft has waited for demand before
doing what good engineers would do on their own. Does that limit your
interest in adopting a highly integrated platform such as Microsoft's
Next Generation Windows Services?

Curcuru: Yes, absolutely.

eWeek: Is the phrase "Microsoft security" an oxymoron?

Curcuru: Yes, because I just don't think they've taken security
anywhere near as seriously as they should have in the past.

Thompson: Windows 2000 is heading in the right direction. Microsoft
has come damn close to getting it right on this one. They have built
[security] into the OS, and they have built it into the OS in the
right way. It's really going to be a matter of getting people to
actually make use of the features.

eWeek: Are you comfortable with the degree to which Microsoft has
departed from the previously existing standard in areas such as
Kerberos?

Thompson: I certainly understand that people are concerned about
Kerberos interoperability. To me, though, getting Microsoft to stand
up and say they support the concept of Kerberos is a huge win for the
marketplace in the first place.

eWeek: Would it be an important offset if the Kerberos extensions
Microsoft adopts can reduce the administrative workload and make it
more likely that the protections will actually be used?

Thompson: Absolutely. Kerberos is a very good technology that is not
adopted by the marketplace.

eWeek: There are those who would argue that it is not that Microsoft
platforms are inherently insecure, but that they are the dominant
platforms and, thus, the target of choice. Do you agree?

Thompson: I absolutely, 100 percent agree with that statement.

Inks: Me, too.

Thompson: It is simply a matter of market share, a matter of
attention. There is no operating system that is foolproof, and that
includes Windows 2000. You cannot fundamentally rely upon your
technology to protect yourself. It takes active measures and constant
vigilance. That's the only way you can protect yourself. The threat
changes on a daily basis. The concept of risk management is
well-understood within business, but it's not understood and not
implemented within the IT departments.

eWeek: I think I hear you saying that there's an inexplicable blind
spot here.

Thompson: People understand the notion of spending money to contain
risk, but for some reason they simply don't relate that concept to the
domain of their IT budget.

eWeek: Do you believe that Microsoft responded appropriately during
the year it had between the relatively low-impact Melissa virus and
the ILOVEYOU virus and its variants?

Curcuru: Not at all, but is that entirely Microsoft's fault? Or is
that our fault for not screaming and shouting loud enough?

Thompson: That should have been a wake-up call to the user community,
and it wasn't.

eWeek: If you had an opportunity to run Microsoft for the next year,
ignoring little issues like whether you'd be presiding over a breakup
of the company, what would you do?

Thompson: The No. 1 issue would be establishing a culture in which
security matters.

Inks: I think the time is right for that now. Microsoft can make a
good commitment to the IT community and deliver some real value-add to
the product line.

eWeek: Is there anything Microsoft could do almost literally tomorrow
in terms of changing the default configuration of a product or making
administrative utilities available via its Web site?

Thompson: It seems to me, for example, that you could sell [a Windows
NT version] that would install out of the box in a locked-down
configuration.

Inks: The best thing Microsoft could do for me would be to show me
where to lock down some of the systems -- a batch file that I could
execute against a virgin installation that would give me a known
secure configuration that I could work from.

eWeek: If Microsoft opened up source code, would its platform be more
secure or more securable?

Thompson: Yes, but nobody can look at Microsoft's code. I mean, be
reasonable -- how many lines of code does Windows 2000 have?

eWeek: Tens of millions.

Thompson: Do you think any IT department would have the time to go
through that code? Would they even understand what they were looking
at? Nobody has the tools to do code-walking effectively. However, I do
think it would be nice if there were a kind of an Underwriters
Laboratories concept within the industry. I think it would be very
useful to have the major vendors be able to submit their code to some
kind of a bonded entity that existed just to take a look at code.

eWeek: In many organizations, security is still perceived as an IT
problem. What's going to change that?

Thompson: I have heard that venture capitalists are insisting that
dot-coms do things like ethical hacks to make sure they're running OK.

eWeek: You're saying that's become a required part of a business plan?
To talk about your security strategies?

Thompson: Yes. It's a start, but we are not asking the right questions
yet.

eWeek: Microsoft has been ordered to split its business into two
companies. How will that affect product security?

Inks: I think it's going to complicate security issues. It's an
under-one-roof problem -- at least an under-one-Microsoft-roof
problem.

ISN is sponsored by SecurityFocus.com