Q&A: Microsoft's Scott Charney on security in a time of war

[InfoSec News <isn () c4i org>]

http://www.computerworld.com/securitytopics/security/story/0,10801,79554,00.html

By CAROL SLIWA 
MARCH 20, 2003
Computerworld 

Scott Charney, chief security strategist at Microsoft Corp., has 
extensive dealings with the government in the area of security on 
behalf of Microsoft, and his background also includes an eight-year 
stint as chief of the Computer Crime and Intellectual Property Section 
in the criminal division at the Department of Justice from 1991 to 
1999. Under his direction, the agency investigated and prosecuted 
national and international hacker cases, economic espionage cases and 
violations of federal criminal copyright and trademark laws. He spoke 
this week spoke with Computerworld about areas of concern for IT 
professionals during a time of war. 


How will the war impact you in your role at Microsoft? 

When you think about actual conflict, there are probably three things
that you can note historically. One is that conflicts between nations
tend to lead to parallel conflicts between hackers. When the U.S. spy
plane was down in China, you saw a large increase of defaced Web sites
between Chinese and U.S. hackers. ... You might see some increase in
that, if history is any guide.

The second issue, of course, people worry about is some sort of
terrorist strike against cyber. Most of us don't believe that a major
cyberterrorist attack is imminent for a host of reasons. Historically,
we haven't seen cyberterrorism attacks, and there's a lot of
speculation on why that's so. One is it's not actually so easy to
bring down the networks. There's a lot of redundancy and a lot of
resiliency. Second, it doesn't create the kind of graphic pictures
that terrorists often want. Third, it doesn't create the kind of fear
that terrorists want.

Most of us who worry about cyberterrorism worry less about a global
attack on the infrastructure as opposed to a specific, coordinated
attack on an infrastructure. Had they attacked Verizon 10 minutes
before the planes hit the tower, the disruption of the communications
networks through cyber would have made it much harder to restore when
you started replacing the physical parts of the network.

The third piece, which is of broad concern for the Defense Department,
is whether there will be a corollary information warfare attack of
some sort meant to disrupt communications and other things. There was
a case called "solar sunrise" in the mid-'90s when we were gearing up
for airstrikes against Iraq last time, where DOD [the Department of
Defense] noticed a very broad-based attack on their networks.

I got called around 2:00, 2:30 in the morning and I said, "Where's it
coming from?" They said, "United Arab Emirates." And I said, "Well,
I'm Justice, not State, but I think they're friendly, right?" And they
said, "Yeah, but we don't know where it's actually coming from. We
just know it's that region of the world. And with what's going on
militarily, this is of concern, of course." And they were right.

So we got court orders and launched an extensive investigation. It was
two juveniles in Cloverdale, Calif., who were looping through the
Middle East and coming back and attacking the Department of Defense
with the help of an Israeli. What you don't know in an Internet attack
is who's attacking or why. So there are some huge challenges here. But
I think in terms of what's going on in Iraq now, the things you would
watch out for are information warfare attacks.


> From the perspective of IT folks who are at home or perhaps have 
international operations, what should they be wary of or thinking 
about top-of-mind over the next couple of weeks? 

When I think about Sept. 11, it had a broad impact on the
cybercommunity. ... The reason it changes their thinking is because it
made them re-evaluate risk -- perceived risk vs. real risk. If on
Sept. 10 I had said to anyone anywhere, "What are the odds of four
planes being hijacked, three of them hitting buildings?" they'd say,
"Slim to none." And then on Sept.  12, it was 100%. So even in the
cyberworld, people started to ask, "OK. We don't think it's likely the
whole Internet could be brought down or terrorists would target us.
But we didn't think they were going to do that either."

Whenever there is some sort of international crisis like this, I think
it's time for people to step back, take a deep breath and say, "In
this changing world model, have we done enough things to make sure
we're reasonably secure?" Because it is all about risk management. In
times of conflict, risk goes up.

So people in companies should be saying, "Are we in an infrastructure
that might be targeted by terrorists? Am I in an infrastructure that's
supporting military operations and therefore may be a target?" If you
are, you should say, "Am I configured correctly? Have I run lockdown
tools? Am I up to date on my patches?"

If I haven't done that now -- and you should have -- this is a wake-up 
call to do it now, especially because your risk is elevated. 


Have you found that most IT folks reacted to that Sept. 11 wake-up
call?

Some people took it as a wake-up call and acted on it. I think 
some people didn't; they say it's not a cyberevent. I also think a 
combination of that and some other things, like Slammer for example, 
make it clear that vendors certainly have to make it easier for 
customers to manage their set-ups. 

As someone who thinks a lot about critical infrastructure protection, 
there are things clearly that Microsoft needs to do better. And we're 
devoting a lot of attention to it. 

Also this synergy didn't exist before, for the most part, between 
markets, public safety and national security. Having been in the 
government for a long time, from a public safety, national security 
perspective, I was screaming about security in the early '90s, but 
markets really weren't demanding it. ... I think what we've seen in 
the last couple of years is this synergy where markets are now 
demanding the same things that public safety and national security 
require. And that synergy is actually a wonderful thing. 


You said there are lots of things Microsoft could do better in the 
area of security. What in your estimation is the highest priority? 

The No. 1 priority for us is patch management. It absolutely has to
be. We have a patch management working group now that spans the
company. We said, "OK, let's define our problems." One, we need a
common nomenclature. We need to be talking about things in the same
terms. We need a common installer so that patches install the same
way. We need patches to register with the [operating system] in the
same way so we can scan for it later and see if you're patched. We
need the ability to uninstall. Some people wrote installers with
uninstallers. Some didn't. Well, it's important to have that because
you can test the patch and deploy it and then [if] it has an
unintended consequence, can you uninstall it and get back out?

And we need to improve the tools that allow you to scan to see if
you're patched, because today, the tools don't run across the suite of
Microsoft products.


What's the timetable for the patch management improvements? 

We've got eight installers today. Within a year, I want to get down to
two: one for applications, one for the [operating system]. ... I'm
always cautious about going public with road maps because you run into
challenges you didn't anticipate.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.