Focus on Identity, Vigilance

By Peter Coffee  |  Posted 2002-09-09

The terrorist attacks of last September permanently changed the terms of debate for subsequent discussions of IT security and the technical response to potential terrorist threats.

Almost no imaginable attack can now be dismissed, and it is no longer a confession of incompetence to acknowledge that at least some attacks will succeed.

Some technologies were unduly demonized in September's aftermath. For example, there was an immediate flurry of ill-conceived proposals to restrict access to encryption. Thankfully, this notion no longer holds sway even among the most ill-informed legislators or the most opportunistic enforcement agencies.

As noted in February's position statement from the IEEE, "Encryption is likely to be used by criminals to protect their communications, but their use of encryption is not necessarily obvious. ... Laws prohibiting the use of unescrowed, strong encryption would be of little use to law enforcement efforts."

Any broad use of Web services will depend on well-integrated encryption; distributed storage and processing solutions must also incorporate encryption to protect data and real-time business intelligence.

Enterprises should, therefore, be developing internal guidelines—and monitoring relevant industry standards and regulatory requirements—to strike a balance between the desired degree and duration of cryptographic protection and the performance overhead and costs of processor-intensive crypto algorithms.

Other technologies enjoyed brief moments in the spotlight of our hopes for a quick technology fix. Face recognition, for example, can be quite effective under controlled conditions, but tests in public airport security checkpoints during the past year have been disappointing. Tests in Palm Beach, Fla., this spring and in Boston this summer failed to limit false alarms to acceptable levels while still consistently recognizing "suspects" (played by airport employees).

More intrusive technologies, such as eye and fingerprint matching, have also failed to live up to their hype. Strategies as simple as breathing on a fingerprint scanner, making the previous user's fingerprint reappear to be re-scanned, are dismayingly effective.

Prices for iris scanners, which are harder to fool and less likely to falsely reject legitimate users, are coming down into the same $100-plus range as fingerprint scanners, but administrative issues still impede adoption: In eWeek Labs' review of the Panasonic Biometric Group's Authenticam, for example, we found the included software far better suited to individual workstation access control than to large-scale network security.

Rather than pushing the envelope of cost, not to mention possible user discomfort with the "Minority Report" aura of pervasive biometrics, enterprises will do better to streamline their identity management systems. This means integrating e-mail, voice mail, workflow and file-sharing systems under well-defined privilege management schemes, rather than devoting resources to elaborate and conspicuous "gee-whiz" hardware.

USA Patriot Act

Hopes remain high, though, for following terrorists' footprints—not the kind left by shoes but the kind left in cyberspace by travel arrangements and other financial transactions.

The USA Patriot Act, signed into law last October, is named with a tortured acronym: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (doubly condensed to USAPA).

The USAPA itself consists largely of revisions to other laws. The burden falls on ISPs, financial institutions and other potential targets of expanded subpoena powers to understand the aggregate effect on their resulting obligations.

Individuals and enterprises should also understand the effect of USAPA on the exposure of their records, electronic communications (including voice mail) and other information assets—especially to the extent that these are handled or stored by third parties.

Enterprises and outsource providers should conduct a complete review of their respective rights and obligations, especially to the degree that their service contracts and confidentiality agreements may be vitiated by subpoenas or court orders.

Focus on Identity

Enterprise IT architects in the year since Sept. 11 have also been hard pressed to cope with a flood of urgent items in more familiar domains, such as network operating systems, firewalls, virtual private networks, intrusion detection systems and anti-virus tools. The following trends are apparent.

Perimeter defense, as a viable strategy, is dead. Wireless and nomadic laptop devices, with external network connections, make it impossible to define even the physical location of the network edge. Web services make the logical location still harder to characterize.

Network protection must, therefore, focus on the identities and privileges of authorized users, using tools such as Zone Labs Inc.'s Integrity. During our review this spring, we found the product (priced at $80 per user with volume discounts) effective in controlling client devices' Internet access on an application-specific basis.

The pervasive network can be its own worst enemy in the ease with which it propagates virus attacks. Enlisting the network in its own defense are products such as Network Associates Inc.'s McAfee Security VirusScan ASaP, which uses peer-to-peer technology.

Meanwhile, key IT vendors have been addressing concerns about out-of-the-box insecurity with a long-overdue shift toward more secure default configurations. In our tests last month of Microsoft Corp.'s Windows .Net Server Release Candidate 1, for example, we found that the installer utility detected our failure to run the Internet Information Services Lockdown Wizard and automatically disabled IIS.

Our pleasure was limited, though, by the discovery that restarting the server did not trigger any further notice of our exposures—notably, the many default extensions retained from our previous Windows 2000 installation. On the plus side, installation of .Net Server on a bare machine gave us ample warning of bad practices, such as leaving an Administrator password blank.
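
The two findings above, script mappings carried over from an earlier installation and a blank Administrator password, are exactly what a post-install audit should catch whether or not the installer notices them. The Python below is an added example, not Microsoft's installer logic or anything from the review: it audits a constructed configuration snapshot whose dictionary layout is an assumption made here, using the set of script-map extensions that the IIS Lockdown Wizard neutralises by pointing them at 404.dll.

```python
"""Audit a constructed Windows/IIS configuration snapshot for two insecure
defaults: ISAPI script mappings that the IIS Lockdown Wizard would have
disabled, and members of Administrators with no password set.
The snapshot layout below is an assumption for this example, not an
export format of Windows or IIS."""

# Extensions the IIS Lockdown Wizard disables by remapping them to 404.dll.
LOCKDOWN_DISABLED = {".htr", ".idc", ".stm", ".shtm", ".shtml",
                     ".printer", ".ida", ".idq"}


def audit_script_maps(script_maps):
    """script_maps: {extension: handler DLL path}.
    Returns extensions still routed to a live ISAPI handler even though
    Lockdown would have pointed them at 404.dll."""
    return sorted(
        ext for ext, handler in script_maps.items()
        if ext.lower() in LOCKDOWN_DISABLED
        and not handler.lower().endswith("404.dll")
    )


def audit_accounts(accounts):
    """accounts: list of {"name", "groups", "password_set"}.
    Returns members of Administrators whose password is blank."""
    return sorted(
        a["name"] for a in accounts
        if "Administrators" in a["groups"] and not a["password_set"]
    )


def audit(snapshot):
    """Run both checks and return readable findings (empty list = clean)."""
    findings = []
    for ext in audit_script_maps(snapshot["script_maps"]):
        findings.append(
            f"script map {ext} still routed to {snapshot['script_maps'][ext]}; "
            f"IIS Lockdown would disable it")
    for name in audit_accounts(snapshot["accounts"]):
        findings.append(f"{name} is in Administrators with a blank password")
    return findings


# Constructed snapshot resembling a server upgraded in place from Windows 2000
# without the Lockdown Wizard ever having been run.
SAMPLE = {
    "script_maps": {
        ".asp": r"C:\WINNT\system32\inetsrv\asp.dll",      # needed, leave alone
        ".htr": r"C:\WINNT\system32\inetsrv\ism.dll",      # legacy, should be gone
        ".ida": r"C:\WINNT\system32\idq.dll",              # Index Server, should be gone
        ".printer": r"C:\WINNT\system32\inetsrv\404.dll",  # already neutralised
    },
    "accounts": [
        {"name": "Administrator", "groups": ["Administrators"], "password_set": False},
        {"name": "svc_backup", "groups": ["Administrators", "Backup Operators"],
         "password_set": True},
        {"name": "Guest", "groups": ["Guests"], "password_set": False},
    ],
}

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print("FINDING:", line)
```

Run against the constructed snapshot, the audit reports the two live legacy mappings (.htr and .ida) and the blank Administrator password, and stays silent about .printer, which is already pointed at 404.dll, and about Guest, which is blank but not an administrator. The useful habit is to run such a check at every boot or configuration change rather than only at install time, which is the gap the review observed.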

Poor administrative practices wouldn't be such an open invitation to attackers if systems didn't grant unrestricted superuser status. We remain strong advocates of the trusted-system architecture in products such as Argus Systems Group Inc.'s PitBull, the only technology that has yet survived one of our international Openhack events unscathed—though a successful attack on the underlying operating system kernel, specifically on a version of Solaris 7 x86, did succeed in a challenge late last year.
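
Two points made in this section, access decided by the identity and privilege of the user on a per-application basis, and no account that stands above the policy, can be shown together in a small default-deny policy engine. The Python below is an added example and not the logic of Zone Labs Integrity or Argus PitBull; the rule schema, the role names, the sample requests and the contrasting `superuser_check` function are all assumptions made for the illustration.

```python
"""Default-deny policy engine keyed on identity, role, requesting application
and resource. Added illustration: the rule schema, role names and sample
requests are assumptions, not the logic of any product named in the article."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    role: str       # role the requesting user must hold
    app: str        # executable allowed to make the request; "*" = any
    action: str     # "connect" or "read" in this example
    resource: str   # "tcp/<port>" for network egress, a share name for files


# Constructed policy: egress is granted per application, data per role.
POLICY = (
    Rule("staff", "outlook.exe", "connect", "tcp/25"),
    Rule("staff", "iexplore.exe", "connect", "tcp/443"),
    Rule("hr", "*", "read", "hr-share"),
    Rule("admin", "*", "read", "audit-log"),
)

# Constructed identity store: user -> roles. "root" holds admin but not hr.
ROLES = {
    "alice": {"staff", "hr"},
    "bob": {"staff"},
    "root": {"staff", "admin"},
}


def decide(user, app, action, resource, policy=POLICY, roles=ROLES):
    """Return the first matching Rule, or None when nothing grants the request."""
    held = roles.get(user, set())
    for rule in policy:
        if (rule.role in held and rule.app in ("*", app)
                and rule.action == action and rule.resource == resource):
            return rule
    return None


def check(user, app, action, resource):
    """Trusted-system style decision: every subject, admin included, is
    bounded by the policy; absence of a matching rule means deny."""
    return decide(user, app, action, resource) is not None


def superuser_check(user, app, action, resource):
    """Conventional model for contrast: a superuser bypasses the policy.
    One stolen admin credential or one privilege-escalation bug then yields
    every resource, which is the exposure the article argues against."""
    if user == "root":
        return True
    return check(user, app, action, resource)


if __name__ == "__main__":
    requests = [
        ("alice", "outlook.exe", "connect", "tcp/25"),
        ("bob", "notepad.exe", "connect", "tcp/443"),   # wrong application
        ("root", "cmd.exe", "read", "hr-share"),         # admin, but no hr role
        ("root", "cmd.exe", "read", "audit-log"),
    ]
    for req in requests:
        print(req, "policy:", check(*req), "superuser model:", superuser_check(*req))
```

The contrast is in the third request: under the policy engine, root can read the audit log (its admin role grants that) but not the HR share, because holding administrative rights is not the same as holding the HR role; under the conventional superuser model the same request is waved through. The second request shows the per-application control: bob may reach port 443, but only from the browser the policy names, so a stray process running under his account gets nothing.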

The message here is that every security technology—regardless of architectural merits—demands continued vigilance. That vigilance is embodied in state-of-the-art intrusion detection in products such as OneSecure Inc.'s Intrusion Detection and Protection appliance. Rather than merely relying on known attack signatures, the $16,495 OneSecure device (which we reviewed last month) uses various heuristics to detect previously uncharacterized attacks. By developing a model of normal traffic and using sophisticated analysis of attack patterns, the Intrusion Detection and Protection appliance can identify new threats while minimizing the time lost to false alarms—the goal, we're sure, of every IT administrator a year after Sept. 11.
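
The approach described for the OneSecure appliance, a model of normal traffic against which live traffic is scored so that attacks with no signature still stand out, can be sketched in a few dozen lines. The Python below is an added example and not the appliance's own heuristics, which the review does not detail; the flow-record format, the two features chosen (flows per active minute and distinct destination ports per source host) and all of the traffic are constructed for the illustration.

```python
"""Anomaly-based detection over constructed flow records: learn a baseline of
normal per-source behaviour, then flag sources whose live behaviour departs
from it, without any attack signature. Added illustration; the record format,
features and traffic are assumptions, not the appliance's internal model."""

from collections import defaultdict
from statistics import mean, pstdev

# Flow record: (minute, source IP, destination port). Constructed data.
# Training window: four hosts browsing (80/443); host .2 also sends mail (25).
TRAINING = [
    (m, f"10.0.0.{h}", port)
    for m in range(5)
    for h in (1, 2, 3, 4)
    for port in ((80, 443, 25) if h == 2 else (80, 443))
]

# Live window: one normal host, a port sweep from a new host, a flood from a known one.
LIVE = (
    [(5, "10.0.0.1", 80), (5, "10.0.0.1", 443),
     (6, "10.0.0.1", 80), (6, "10.0.0.1", 443)]
    + [(5, "10.0.0.9", p) for p in range(1, 41)]
    + [(6, "10.0.0.3", 80) for _ in range(30)]
)


def profile(flows):
    """Per-source features: (flows per active minute, distinct destination ports)."""
    acc = defaultdict(lambda: {"minutes": set(), "count": 0, "ports": set()})
    for minute, src, port in flows:
        acc[src]["minutes"].add(minute)
        acc[src]["count"] += 1
        acc[src]["ports"].add(port)
    return {src: (a["count"] / len(a["minutes"]), len(a["ports"]))
            for src, a in acc.items()}


def baseline(flows):
    """Mean and spread of each feature across sources in a clean training window.
    A zero spread is replaced by 1.0 so a perfectly uniform baseline still
    scores deviations in raw units instead of dividing by zero."""
    prof = profile(flows)
    rates = [r for r, _ in prof.values()]
    ports = [n for _, n in prof.values()]
    return ((mean(rates), pstdev(rates) or 1.0),
            (mean(ports), pstdev(ports) or 1.0))


def detect(flows, base, threshold=3.0):
    """Return {source: [reasons]} for sources more than `threshold` standard
    deviations above the baseline on either feature. Only upward deviations
    alert: an unusually quiet host is not an intrusion indicator here."""
    (rate_mean, rate_sd), (port_mean, port_sd) = base
    alerts = {}
    for src, (rate, nports) in profile(flows).items():
        reasons = []
        if (rate - rate_mean) / rate_sd > threshold:
            reasons.append("rate")
        if (nports - port_mean) / port_sd > threshold:
            reasons.append("port_spread")
        if reasons:
            alerts[src] = reasons
    return alerts


if __name__ == "__main__":
    base = baseline(TRAINING)
    print("baseline (rate, ports):", base)
    for src, why in detect(LIVE, base).items():
        print(f"ALERT {src}: {', '.join(why)}")
```

On the constructed data the sweep from 10.0.0.9 trips both features and the flood from 10.0.0.3 trips the rate feature, while the browsing host and the training traffic itself produce no alerts. Two caveats a practitioner would add: the baseline is only as good as the training window (traffic captured while an attack is under way teaches the detector that the attack is normal), and a legitimate new heavy host would trip the same thresholds, which is the false-alarm cost the review mentions and the reason such products combine anomaly scoring with analysis of attack patterns rather than relying on either alone.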

Technology Editor Peter Coffee can be reached at The reviews cited in this story can be accessed at

Related Stories:

  • Special Report: Rebuilding for Tomorrow
  • Still Much to Learn from Sept. 11
  • Locked Down, Planning for the Worst
