Information Security News mailing list archives
Security: Everyone's concern
From: InfoSec News <isn () C4I ORG>
Date: Mon, 19 Jun 2000 09:19:27 -0500
http://www.zdnet.com/eweek/stories/general/0,11011,2589474,00.html

June 18, 2000 9:00 PM PT

Be careful what you wish for -- you just might get it. During a roundtable discussion with eWeek editors, IT managers said they asked for the tight integration and product synergy that Microsoft Corp. offers. What they didn't ask for were the security vulnerabilities inherent in this model.

eWeek Corporate Partners Steve Curcuru, resident wizard at Boston-based Mugar Enterprises Inc.; Sam Inks, director of IS at Atlantic Research Corp., in Gainesville, Va.; and Dave Thompson, CIO of the Defense Advanced Research Projects Agency, in Arlington, Va., take not only Microsoft but also the IT community to task for not anticipating and preventing these vulnerabilities. During a conference call with eWeek Technology Editor Peter Coffee, Executive Managing Editor/eBiz Strategies Jeff Moad and Executive Editor/eWeek Labs Deb Donston, the Corporate Partners offered recommendations for turning things around.

eWeek: Did we get what the market produced because people voted with their wallets for features and integration?

Curcuru: I get great value out of Microsoft Office and the way the applications integrate. Security and a way to turn off automated features should have been included, but I will have to confess that I didn't stand up and say, "Bill, this is what we need. Why the heck isn't it in the core of your operating system?"

eWeek: Some would say that Microsoft has waited for demand before doing what good engineers would do on their own. Does that limit your interest in adopting a highly integrated platform such as Microsoft's Next Generation Windows Services?

Curcuru: Yes, absolutely.

eWeek: Is the phrase "Microsoft security" an oxymoron?

Curcuru: Yes, because I just don't think they've taken security anywhere near as seriously as they should have in the past.

Thompson: Windows 2000 is heading in the right direction. Microsoft has come damn close to getting it right on this one. They have built [security] into the OS, and they have built it into the OS in the right way. It's really going to be a matter of getting people to actually make use of the features.

eWeek: Are you comfortable with the degree to which Microsoft has departed from the previously existing standard in areas such as Kerberos?

Thompson: I certainly understand that people are concerned about Kerberos interoperability. To me, though, getting Microsoft to stand up and say they support the concept of Kerberos is a huge win for the marketplace in the first place.

eWeek: Would it be an important offset if the Kerberos extensions Microsoft adopts can reduce the administrative workload and make it more likely that the protections will actually be used?

Thompson: Absolutely. Kerberos is a very good technology that is not adopted by the marketplace.

eWeek: There are those who would argue that it is not that Microsoft platforms are inherently insecure, but that they are the dominant platforms and, thus, the target of choice. Do you agree?

Thompson: I absolutely, 100 percent agree with that statement.

Inks: Me, too.

Thompson: It is simply a matter of market share, a matter of attention. There is no operating system that is foolproof, and that includes Windows 2000. You cannot fundamentally rely upon your technology to protect yourself. It takes active measures and constant vigilance. That's the only way you can protect yourself. The threat changes on a daily basis. The concept of risk management is well-understood within business, but it's not understood and not implemented within the IT departments.

eWeek: I think I hear you saying that there's an inexplicable blind spot here.

Thompson: People understand the notion of spending money to contain risk, but for some reason they simply don't relate that concept to the domain of their IT budget.

eWeek: Do you believe that Microsoft responded appropriately during the year it had between the relatively low-impact Melissa virus and the ILOVEYOU virus and its variants?

Curcuru: Not at all, but is that entirely Microsoft's fault? Or is that our fault for not screaming and shouting loud enough?

Thompson: That should have been a wake-up call to the user community, and it wasn't.

eWeek: If you had an opportunity to run Microsoft for the next year, ignoring little issues like whether you'd be presiding over a breakup of the company, what would you do?

Thompson: The No. 1 issue would be establishing a culture in which security matters.

Inks: I think the time is right for that now. Microsoft can make a good commitment to the IT community and deliver some real value-add to the product line.

eWeek: Is there anything Microsoft could do almost literally tomorrow in terms of changing the default configuration of a product or making administrative utilities available via its Web site?

Thompson: It seems to me, for example, that you could sell [a Windows NT version] that would install out of the box in a locked-down configuration.

Inks: The best thing Microsoft could do for me would be to show me where to lock down some of the systems -- a batch file that I could execute against a virgin installation that would give me a known secure configuration that I could work from.

eWeek: If Microsoft opened up source code, would its platform be more secure or more securable?

Thompson: Yes, but nobody can look at Microsoft's code. I mean, be reasonable -- how many lines of code does Windows 2000 have?

eWeek: Tens of millions.

Thompson: Do you think any IT department would have the time to go through that code? Would they even understand what they were looking at? Nobody has the tools to do code-walking effectively. However, I do think it would be nice if there were a kind of an Underwriters Laboratories concept within the industry. I think it would be very useful to have the major vendors be able to submit their code to some kind of a bonded entity that existed just to take a look at code.

eWeek: In many organizations, security is still perceived as an IT problem. What's going to change that?

Thompson: I have heard that venture capitalists are insisting that dot-coms do things like ethical hacks to make sure they're running OK.

eWeek: You're saying that's become a required part of a business plan? To talk about your security strategies?

Thompson: Yes. It's a start, but we are not asking the right questions yet.

eWeek: Microsoft has been ordered to split its business into two companies. How will that affect product security?

Inks: I think it's going to complicate security issues. It's an under-one-roof problem -- at least an under-one-Microsoft-roof problem.

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".