Information Security News mailing list archives

IT reaches out for security


From: InfoSec News <isn () C4I ORG>
Date: Mon, 26 Jun 2000 18:18:24 -0500

http://www.zdnet.com/eweek/stories/general/0,11011,2593630,00.html

By Scott Berinato, eWEEK
June 25, 2000 9:00 PM PT

IT managers besieged by hackers and viruses are waving the white flag,
and a new wave of managed security providers -- dozens of them -- are
ready to pounce on the opportunity.

Their main target: administrators such as the one at a Boston
financial institution whose network was brought down for several hours
last week by one of the newest virus strains, Life Stages. "This is
proving to be a pain," said the administrator, who requested
anonymity. "You can't keep up. Something has to happen."

Life Stages was just the latest security headache in a week that also
saw Nike Inc.'s Web site brought down by political activist hackers
and America Online Inc. customer service accounts compromised by a
Trojan horse.

Overwhelmed by such security threats and facing an endless IT labor
crunch, companies increasingly are turning to outside vendors to
monitor, manage and respond to security breaches.

"Security's a large problem that oftentimes even large organizations
don't have the resources to deal with," said Roy Thetford, CEO of one
of the newest companies specializing in intrusion detection and
response, a Pittsburgh-based startup called Schwoo.com Inc.

"The reason you do managed security services is because security is
complex, difficult and distasteful," said Bruce Schneier, a
cryptographer and the founder of Counterpane Internet Security Inc., a
security services company in San Jose, Calif. Schneier will chair the
eWeek/DCI Web Security Summit in Boston this week. "It's hard to
build, hard to train and hard to find expertise."

While this new brand of service provider -- the managed security
provider, or MSP -- presents fresh options to besieged IT staffs, the
glut of offerings also poses new issues. Which one to choose? Who's
trustworthy? And what to do with existing security infrastructures?

Many MSPs started in the software business and so offer services that
coexist with their legacy, such as public-key infrastructure vendors
that manage certificate authorities.

Others, such as Schneier's Counterpane, focus on 24-by-7 monitoring of
networks for malicious or careless activity. RSA Security Inc. and
myCIO.com center their service on auditing and assessing networks,
then offer subscription services that employ their software.

Software companies including Cyber Safe Inc. and Symantec Corp.,
meanwhile, are re-engineering their products to work as hosted
applications. This week, Netlock Technologies Inc. will announce
Netlock Version 3.0, and Zone Labs Inc. will announce a partnership
with a major Internet service provider to host and deploy its
ZoneAlarm intrusion detection software.

At the same time, service companies such as Ernst & Young are cobbling
security software together with services. E&Y last week launched a
portal site called eSecurityOnline.com.

Schwoo, a startup comprising self-proclaimed "Carnegie Mellon
University code geeks," is developing software that applies new
techniques for detection and automatic response to security breaches.
But Thetford said his company won't sell the software; instead, it
will offer a managed service, packaging the software with education
and methodology expertise.

"A managed service allows us to protect the algorithms and, on the
fly, modify our detection response," he said. "The software is locked
away in our operations center. You can't buy it or download it and
reverse-engineer it. It takes away some of the hacker's advantage."

Still other vendors are wrapping managed security into bigger managed
services. Aventail Corp., for example, is offering security as part of
its business-to-business commerce offering, while Critical Path Inc.
is doing the same as part of its hosted messaging solution.

Some users, while open to exploring these new security services,
remain wary. No matter how frustrated by security headaches, many IT
managers say outsourced security services raise questions about legal
liability, trust and dealing with legacy security inside the
enterprise.

"There's a future for managed security, but I am dubious," said Jeff
Uslan, manager of security at 20th Century Fox, in Los Angeles. "One
of the reasons is many of these companies have something to sell. If I
ask for help, that's what I want, help. An assessment. I don't want
their software."

Counterpane's Schneier believes that, in the face of increasing
security threats and lack of IT talent, those concerns will erode and
managed security will become part of a basic IT strategy.

"Some will at first say security is core and you have to keep it
in-house, but that's bogus," he said. "You want to move money around,
you give it to the armored car driver, the guy that's done it 2,000
times before. Every bank in the country uses another company to ship
its money around. That's core."


Virus authors exploit human weaknesses

At first, it didn't seem the Life Stages virus would cause much
disruption; Computer Associates International Inc. ranked it a "medium
threat." But two days later, CA upgraded the risk to "medium high" as
the virus ended up disrupting mail servers across the Internet.

The reason: social engineering. Users have grown savvy in fighting
viruses, so the new challenge for those who write them isn't how
creative or damaging their script is, but how well they can hide the
fact that they are launching a virus.

"This was clever," said Mark Sipos, a software developer in Boston,
who was working with companies whose servers went down last week as a
result of the newest e-mail virus. "They get points for style."

The ILoveYou virus was the first to use the social aspects of viruses.
Because of its friendly message, experts said, and the fact that it
"came from" a familiar person (since the recipient's name was in the
previous recipient's Outlook address book), the virus writers
increased the odds a user would open the VBS payload.

The follow-up to ILoveYou, NewLove, went one step further by changing
the subject line of the e-mail each time it proliferated. This
decreased the chance that anti-virus software or mail filters could
catch it before it reached end users and also made it difficult to
warn users, since IT managers could not definitively state what the
offending mail would look like in a user's in-box. That's where Life
Stages picked up. It made its entrance to e-mail as a joke, common
fare in e-mail. It also changed its subject as it proliferated. No
fewer than 12 subjects may have accompanied the virus.

Also, instead of attaching a VBS file, Life Stages attached a Windows
"scrap" file with the SHS extension, called life_stages.txt.shs. In
many e-mail programs, the SHS extension is hidden, so users would only
see life_stages.txt and likely believe it was a harmless text file.
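
A mail gateway can check for the masked-extension trick described above by looking at the real final extension of each attachment. The sketch below is an added example, not part of the eWEEK article; the function names, the extension sets beyond SHS and VBS, and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Illustrative sets, not a complete policy. SHS and VBS come from the article;
# the others are further Windows types that execute when opened.
ACTIVE_EXTS = {".shs", ".shb", ".vbs", ".vbe", ".js", ".scr", ".pif", ".exe", ".bat"}
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".pdf"}

def classify_filename(name):
    """Return 'masked', 'active' or 'ok' for one attachment filename."""
    # Windows ignores trailing dots and spaces, so drop them before parsing.
    cleaned = name.strip().rstrip(". ").lower()
    exts = ["." + p.strip() for p in cleaned.split(".")[1:]]
    if not exts or exts[-1] not in ACTIVE_EXTS:
        return "ok"          # final extension is not an executable type
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        return "masked"      # looks like a document once the last part is hidden
    return "active"          # executable type, but not disguised

def scan_message(raw):
    """Parse a raw RFC 5322 message and list (filename, verdict) for flagged parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdict = classify_filename(name)
        if verdict != "ok":
            findings.append((name, verdict))
    return findings

def build_sample():
    """Constructed sample: one masked attachment and one plain text file."""
    msg = EmailMessage()
    msg["Subject"] = "Fw: constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="life_stages.txt.shs")
    msg.add_attachment("just text", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict}: {name}")
```

Separating "masked" from "active" lets a filter quarantine the disguised names while treating undisguised script attachments under a different, possibly softer, policy.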

These new strains show that there's no easy way to keep up with the
techniques virus writers use to mask the intention of their payloads.
Some see blocking too many files as a problem on a level with the
viruses themselves.

"You want to fight them, but if it looks like a real e-mail, how do
you block it?" asked Fred Barling, an independent software developer
in Redwood Shores, Calif. "If you block files that seem real, you'll
block real files with them. It's already started to happen. I sent my
sister a joke e-mail and my ISP's [Internet service provider's] filter
kicked it back to me with a note that said, 'This looks bad.' If you
can't send your sister an e-mail because your ISP is filtering at that
level, you might as well shut your computer off."

ISN is hosted by SecurityFocus.com