As the U.S. government nears opening day for the Homeland Security Department, IT buyers and users may wonder how the landscape of computer and network security will be changed by the governments actions—as well as by continuing development of attackers methods and security vendors innovations.
The previously separate worlds of public safety and foreign intelligence are converging on the evening news. The result appears in high-profile law enforcement actions, such as the investigation of Ptech Inc., of Quincy, Mass., late last year. It also appears in the invasive (and for IT vendors, potentially lucrative) information processing demands of laws such as the tortuously named USA PATRIOT Act, whose moniker abbreviates “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism.”
Private-sector IT managers are justifiably concerned about the impact of these intrusive new rules, especially when combined with the Beltways business-as-usual faction fighting—which threatens to impede the March 1 startup of the Department of Homeland Security due to struggles over whose people get which top jobs.
In this report, eWeek Labs examines corporate users security perceptions and concerns and explores IT vendors changing perception of the problems to be solved and their planned responses in corresponding products and services.
The international scope of the Internet greatly complicates the challenge of government response. “I write a virus in South America, I use a zombie in Japan, I attack targets in the U.S.,” hypothesized Vincent Weafer, senior director of Symantec Security Response at Symantec Corp., in Santa Monica, Calif. “Its hard enough to write a law thats not obsolete 2 minutes later, without the complication of normalizing laws across the various countries.”
Brian Kelly, CEO at private security intelligence company iDefense Inc., in Chantilly, Va., suggested that governments can enable security by permitting or aiding international efforts but that they cant produce it or even define it in law. “The government should provide some leadership and guidance, not get caught up in a lot of unnecessary legislation,” Kelly said. “That leads to auditors, bureaucracy, that I believe will ultimately be counterproductive.”
Nor is this just a case of security vendors protecting their own competitive arena. Enterprise users with whom eWeek Labs spoke were equally leery of government-directed computer security efforts.
“With the government trying to limit encryption technology exports and so on, they seem to be more of a hindrance than help,” said Ed Benincasa, director of MIS at FN Manufacturing Inc., in Columbia, S.C., and an eWeek Corporate Partner. “Many companies such as ourselves are multinational, and country lines begin to blur. Technology is also being developed in many other countries—limits may put a damper on U.S. competitiveness.”
Michael Schwedhelm, senior vice president and CIO at United Labor Bank, in Oakland, Calif., and also an eWeek Corporate Partner, doesnt see the necessary cultural fit between the dynamic security environment and the responsiveness of legislators and regulators.
“I feel more comfortable and confident about centralized private and semi-private organizations like CERT, SANS and BugTraq,” Schwedhelm said.
Symantecs Weafer downplayed the need for government anti-terrorism agencies to focus on cyber-warfare. “Its not 9/11 but 9/18—that was the key date,” he said about the Nimda outbreak just one week after the World Trade Center and Pentagon terrorist attacks. “Dont waste a lot of time wondering whos going to attack. Most of the attacks use the same techniques.”
But the government does have one credible role, and thats in enforcement.
“It used to be that auditors came in once a quarter, did what they had to do and went away; IT got ready for that visit, entertained them and then got back to work,” said Steve Artick, vice president at Pedestal Software Inc., in Newton, Mass. “Now theres a lot more interaction and a much higher management interest in assuring that operations take place in a secure manner because [the Health Insurance Portability and Accounting Act] hits people with massive penalties if they dont comply with regulations.”
This increased interaction and accountability make the cost justification for security tools more concrete than former speculation about potential threats or failures.
Border Patrol
Border Patrol
Those who use technology, and those who pay its bills, want to know why their identities are at risk, their financial assets exposed, and their day-to-day ability to get on with their jobs under constant threat from both irresponsible pranksters and chillingly professional criminals (not to mention unreliable technologies). Theyre feeling not merely disappointed but genuinely betrayed by the broken promises of what no one could accurately call “secure” computing.
Perhaps the worst sense of broken faith in IT systems security is among those “who think theyre done,” said Symantecs Weafer. “They have anti-virus, they have a firewall, and they think theyve paid the security bill. But you cant afford to just do the same thing.”
Indeed, IT architects are keenly aware of their need to divert scarce resources.
“Perimeter defenses are more important than ever,” said Robert Rosen, CIO at the National Institute of Arthritis and Musculoskeletal and Skin Diseases, in Bethesda, Md., and an eWeek Corporate Partner. “Im seeing statistics across the Department of Health and Human Services. The good news is, we are defending ourselves well. The bad news is, there is a significant cost. And what were spending there, were not spending on medical research to benefit millions.”
Too many IT sites betray themselves by spending money on security technology, then spending administrator time to deal with complications in ways that all too often neutralize the expected (and assumed) security benefits.
“People get a false sense of security after deploying technologies that they dont really understand,” said iDefenses Kelly. “They think as long as the lights are on, its working. Tools are improperly installed, improperly maintained or mis-configured—after all, the administrators job is moving data.”
The experience of eWeek Labs own international OpenHack challenges affirms Kellys contention that mis-configured systems are a principal source of problems that no legislation will ever prevent. Independent agencies such as The SANS Institute and the FBI also rank this problem high on their lists of security threats.
A major cause of dissatisfaction and a driver in the process of continually relaxing security settings just to get through the day is the high rate of false-positive warnings issued by many tools.
“Typically, when someone does a vulnerability scan, they get 200 vulnerabilities,” said Symantecs Weafer. “But if you look at your top attacks, you can actually take care of them by handling just a few of those.”
A tiny fraction of known vulnerabilities, Weafer said, account for the vast majority of common attacks, which is why its necessary to develop a security posture based on actual rather than potential threats.
Whats needed, as much as possible, are tools that continually learn whats normal and involve only administrators in deciding how to deal with the unusual. The whole proposition is “crazy, unless you have automated tools,” said United Labor Banks Schwedhelm. “You must keep human intervention to a minimum.”
The long-sought goal of combining security with administrator productivity is the promise made by Stratum8 Networks Inc., whose Stratum8 APS appliance uses several patented algorithms to develop a site-specific model of acceptable behavior after one or two days in a nonblocking “learning” mode.
“Suppose were in learning mode and we see 40,000 out of 40,000 sessions coming back with 18 bytes appended to the cookie,” said Stratum8 CEO Bob Walters, in Santa Clara, Calif. “We wouldnt call that Gods own denial-of-service attack. Wed nominate a relaxation rule, but we wouldnt activate that rule until a human says, Yea, verily. And so we have zero complaints from the field about false positives.”
By operating at the application level, Walters said, the Stratum8 approach can develop a much more efficient model than those approaches lacking high-level knowledge of whats supposed to be happening.
“Even for complex Web sites, were only generating one or two dozen relaxations, unlike intrusion detection systems at the network domain with hundreds or even thousands of such expressions,” he said. The Stratum8 technology has not yet been tested at eWeek Labs, but independent reports on the companys product are consistent with this claim.
Other vendors are also seeking greater leverage by shifting the fulcrum of protection—seeking a better balance between resources and results at the higher level of the application server, rather than struggling in the chaos of the network edge.
“The concept of firewalls emerged when we opened up e-mail or other specific services and limited the holes,” said Rod Murchison, vice president of product development at Ingrian Networks Inc., in Redwood City, Calif. “Now, what were seeing is that all the threats are coming in over protocols that we have to keep open to stay in business. Web servers are where were seeing the most damaging threats.”
This is likewise consistent with eWeek Labs OpenHack observations, in which attackers have systematically moved up the food chain to attack the application layer when lower-level vulnerabilities were addressed.
A problem that threatens the effectiveness of all perimeter-focused security systems is the growing fraction of traffic that crosses that boundary in some kind of encrypted form.
“The newest threat were seeing is Nimda and Code Red being modified to work over SSL [Secure Sockets Layer],” said Ingrian Networks Murchison. “Theres an encrypted tunnel from client to server; most of the servers deployed today are terminating SSL at a card inside the server itself.”
To protect the server against attacks that pervert defensive systems into protective camouflage, Ingrians appliances reclaim control of incoming traffic. “Were able to break open connections as theyre transmitted to the server,” Murchison said. “We can scan through the data, find a credit card number, for example, and encrypt it before it goes back to the server. Anything with a format or a structure, XML or SOAP [Simple Object Access Protocol] or whatever, we can find and encrypt with a key thats stored in hardware. Were getting very serious about field-level encryption.”
Were sure that computer-chip makers smile at the thought of enterprise buyers encrypting, decrypting and re-encrypting the same data, because networks are assembled piecemeal rather than from a unified design, but its probably the price of enjoying the other economies of an independent Internet rather than a proprietary value-added network.
In the long run, eWeek Labs prefers systems that let enterprise managers see exactly whats flowing where, rather than monolithic systems that may be more efficient but suffer from risks of single-point failure and use technologies not subject to peer review.
On the plus side, enterprises are rapidly adopting encryption-based VPN (virtual private network) solutions, with results that they find pleasantly surprising (a phrase uncommon in security discussions).
“The implementation of a VPN resulted in increased bandwidth, reduced costs and higher reliability than the frame network,” said FN Manufacturings Benincasa. “Users are pleased, and even though they do not necessarily understand VPN technology, they are happy with the change and accept it.”
Benincasas experience suggests that IT administrators may be able to accompany the nuisance of increased security with other improvements so that users perceive, overall, an improvement in utility that encourages greater cooperation with security measures.
The Enemy Within
The Enemy Within
The length of a border grows only in proportion to the size of a figure, but the area grows with the square of the size; in the same way, its tempting to focus on problems at the edge of the network because theyre much easier to identify and address than those that can arise from any point inside the perimeter.
However, studies from groups such as the FBIs Computer Intrusion Squad, in San Francisco, suggest that internal attackers represent at least a third of the problem—or more, if the problem is broadly defined in terms of damage to systems or cost to the enterprise, without regard to motive.
“People are spending a lot of money on firewall and intrusion [detection] technology,” said Dan Jude, president of software vendor Security Software Systems Inc., in Sugar Grove, Ill. “But 70 percent of breaches are internal. Its not just financial information; its intellectual property, its things being sent internally that create liability.”
If “insecure computing” is broadly defined as abuse of IT systems creating serious costs to the enterprise, Jude said, then enterprise IT must concern itself with activities such as the sending of sexually harassing e-mail as well as with attacks on IT infrastructure or sensitive data.
SSSIs Policy Central product directly confronts the issue of enterprise surveillance of employee IT activity. Court decisions to date tend to support the idea that activities on enterprise networks are the property, and are subject to the scrutiny, of the company and its appointed IT or other security staff; appropriate, documented notification to users is the crucial ingredient, and SSSI fills that gap.
“Before users are allowed to access any application or Web site, they must agree to the companys customized policy on acceptable use,” Jude explained. “Their acceptance is logged in a database.” With that acceptance formally recorded, SSSIs technology is then free to scan not just e-mail messages but also document files such as spreadsheets as well as Internet access activity—with immediate results, said Jude, once people realize that their individual activity is now a matter of record.
Like it or not, the precedents have been set and lack only the enabling technology to make this common practice. Once the tools become pervasive, failure to use them could risk civil findings of employer negligence, even without corresponding legislation.
“Users seem to be more tolerant toward blocking and scanning tools than in the past,” said FN Manufacturings Benincasa. “Publicity of events seems to have sensitized users more to the issues and risks. They dont like it, but they understand the need.” (Benincasa may have had a head start on this process, given his companys involvement in the stringently documented arms business.)
Users and business unit managers are still a law unto themselves, though, when a technology becomes an affordable off-the-shelf convenience. “I worry a lot about wireless networks. How easy it would be for a rogue employee to place a dongle into the USB port of one of their PCs and compromise our network,” said Schwedhelm.
Conventional wired connections can also escape the protection of enterprise security architects in the pursuit of short-term convenience.
“People complain about firewalls all the time,” said Taher Elgamal, chief technology officer at Securify Inc., in Mountain View, Calif. “People set up Internet access themselves. They buy a router and install it with no firewall. Thats not a technical problem; thats a problem of management. Theres too much focus on technical vulnerabilities.” (Read the review of Securifys SecureVantage packet sniffer.)
As author of the patent on the SSL protocol, the heart of most Web retail transactions, Elgamal speaks with authority on the limits of technology: “There are way too many technology companies in security these days, when the real solution is to run things like a business: The business owns the data, the business owns the computer, the business has to come down on these things and say, This is how they should be used.”
Said Schwedhelm, “Our board of directors is pretty good about understanding security issues when they are presented with information, and I was very happy that our bank regulators showed a great interest in security during a recent examination. It emphasized to our board of directors how important network security really is.”
Like FN Manufacturings Benincasa, however, Schwedhelm is in a business accustomed to a high degree of regulatory scrutiny and may be ahead of the curve in acclimating managers and users to these necessities. IT departments in other domains may get more initial resistance.
All Together Now
All Together Now
Both internal and external threats must be considered from an international and multidisciplinary point of view. Internally, Symantecs Weafer told eWeek Labs, “you used to see an anti-virus desktop team, an IDS team, a firewall team; the blended threats of Nimda and other modern attacks have changed all that.”
Externally, he continued, “you need to be talking with people at other sites who can notice common patterns, where the same five steps take place at 10 different sites. Thats where someone has passed the stage of trying the doorknob and has a foot in the door.”
There are many reputable online resources for discussion of threats against widely used products, but its worth the effort to also seek out sites serving particular industries.
“I recently met with five banks in Canada,” said iDefenses Kelly. “Theyre curious as to what theyre seeing, compared to what their sister banks are seeing. If someone is probing a port at one bank, and they can find out that the same probe is being seen by the others, thats probably important as an indicator of a possible attack.”
With marketing firms offering directories of tens of thousands of trade associations, eWeek Labs is not able to give industry-specific advice. But association leaders should seek to lead in this area rather than finding themselves in a reactive posture after a high-profile incident.
Like other techniques, this collaboration across multiple sites offers opportunities for automation and therefore more consistent protection at lower cost.
“Taking the knowledge of which PCs are being secured, and spreading that knowledge to other PCs in cooperative enforcement, keeps systems that are potential vulnerabilities from being exposed to other systems,” said Frederick Felman, vice president at San Francisco-based Zone Labs Inc., whose Integrity 2.0 product offers cooperative enforcement measures designed to be feasible for deployment to remote users.
United Labor Banks Schwedhelm is in favor of cooperative approaches but feels that smaller companies such as his are at a disadvantage because top-tier tools come at top-tier prices.
“Were a $125 million bank but have only 30 employees,” Schwedhelm said. “We outsource a good deal of our processing, but we keep network security in-house. Getting our hands on the newest tools at prices that wont break the bank is next to impossible. We need cheaper intrusion detection products and better log analysis tools that can see through all of the clutter and tell me if Im at risk—and where that risk is originating.”
Only with the broad participation made possible by more affordable security products will the community have the number of data points needed to spot threats quickly—and only with that ability to detect and recognize threats will a Department of Homeland Security be able to play any role in securing enterprise IT.
Technology Editor Peter Coffee can be reached at peter_coffee@ziffdavis.com.
A Matter of Trust
A Matter of Trust
There are four distinct promises that must be kept, or at least more nearly honored, if IT administrators are to regain the confidence of enterprise managers and if the private sector is to remain free to innovate.
- Secure borders First is the promise of perimeter defense—the sense that there is some clear boundary between those who have authorized access to information and other assets and those who may well be invited guests but whose privileges are definitely in a subordinate class. This promise has been the goal, express or implied, of the vast majority of IT security effort and investment to date.
- Adult supervision Second is the promise of internal control—the clear allocation of privileges such as information access and modification in proportion to the needs of ones job. Here, there has been less success in defining goals and policies, let alone in reflecting them in actual technologies and IT practices. Enterprise IT builders may find it difficult to communicate the need to spend money and time defending the organization against itself, but the vast majority of serious but subtle threats are internal—whether they arise from accident or malice—in even the best-run organization.
- Neighborhood watch Third is the promise of community collaboration. Enterprise IT spans all 24 time zones; its best tool for responding to new threats, in time to prevent their devastating effect, is the capacity of the community to join in saying, “I dont know what that is, but I see it, too—and its not anything good.”
- In the public interest Fourth–and not to be despised, even if it is the weapon of last resort—is the double-edged sword of government response. Inspired by the shock of Sept. 11, 2001, legislators are prepared to grant broad powers to executive agencies; those agencies are prepared to focus resources, and risk public discomfort with what may seem like breaches of personal liberty, in an atmosphere that says, “The risks are real; the harm is hypothetical.”