    Microsoft's Tipping Point – 2

    Written by

    Kim S. Nash
    Published March 5, 2004

      As hackers continue to take shots at Microsoft business software, you'd think companies would analyze what it would cost to move to other operating systems, such as Unix, Solaris or Linux.

      But calculating the expense of such a move costs money as well. Cendant Hotel Group, which runs about 1,850 Windows servers, understands this. The hospitality-industry firm periodically calculates the cost to switch its 3,700 Linux servers to Windows. Last time around, 18 months ago, the expected tab was $3 million.

      So Cendant didn't change a thing. “Everything starts with price,” says David Chugg, senior director of hotel solutions at Parsippany, N.J.-based Cendant. “Then supportability. Generally we see [Linux servers] are easier to support.”

      One of the reasons the tab for running Windows is so high: the expected cost of dealing with attacks by hackers on the Windows operating system and related software. Those costs are thought to be more onerous than those for the Linux operating system, Chugg says.

      That's the perception, anyway. Chugg and other technology managers may not really know. Chugg, for example, couldn't say exactly how much of the $3 million would have gone to security tasks such as patch management. And that's the rub. Companies have a tough time pinning down what they spend on security. Executives have security budgets for items like firewalls, network monitoring and authentication, but tasks such as Microsoft patch management and recovery from a worm or virus attack are often lumped in with regular maintenance costs—if they are calculated at all.

      Simply put, technology executives can't rely on financial fact to fairly determine whether they should minimize their exposure to Microsoft. The homework hasn't been done to quantify line-item costs of downtime or other effects of hacker attacks such as worms and viruses, says Mark Lobel, a senior manager at PricewaterhouseCoopers.


      This, even though leaked Windows operating-system code lives on the Internet and spawn of the six-week-old Mydoom worm continues to infect computers running Windows-based software. Microsoft products, increasingly used for critical corporate applications, have suffered worldwide digital attacks steadily since the Nimda worm in 2001. Hackers continue to find vulnerabilities in Windows to exploit, even as Microsoft says securing its products is a top priority.

      The greater the perception that Microsoft products are unsafe, however, the closer customers come to their threshold for tolerance of risk.


      CFOs Will Force Accountability

      The lack of financial analysis won't last forever, if chief financial officers have a say. When evaluating the security costs related to Microsoft or any other vendor, technology managers should ask: How much time do systems administrators spend maintaining patches and monitoring intrusion-detection software? What does that time cost? Does patching take longer than installing a new operating system? If a hack attack has occurred, what time and resources did it take to mop up? How often does this happen each year?

      One defense against hacks targeted at Microsoft is to diversify operating systems to balance your exposure. Linux generally is a less-expensive alternative that is often viewed—perhaps erroneously—as more secure, says Lobel.

      The Weather Channel Interactive Inc. runs “a few” Windows servers amid 300 Linux servers and says there's no comparison regarding security, according to Dan Agronow, vice president of technology at the Atlanta company. “The number of vulnerabilities and the time-consuming nature of maintaining patches [in Windows] just doesn't make it,” he says.

      But rather than run from one system to another hoping to find something impenetrable, the better response, security consultants say, is for corporate customers to acknowledge the worm-a-week syndrome and swallow the responsibility to guard against it themselves.

      “Companies need to continue to exert pressure on vendors. But in the same vein, they have to get over the fact that we're working with insecure products,” says Matthew Caston, consulting director for the enterprise security group at American Management Systems.

      Caston's bottom line? You're on your own.

      Caston advocates some basic steps that are often ignored: Install the patches. Buy server operating-system updates. Activate antivirus software. Even those companies with large technology-security departments led by chief security officers don't fully track the security steps they've taken or the costs of those steps. They can't analyze whether what they're doing works or if it makes sense to try something new, Caston says.

      In the meantime, “users need to willfully take responsibility for doing what the vendor tells you to do,” PricewaterhouseCoopers' Lobel says.


      Disconnecting MS Software

      Lobel remembers one client that, after a round of Microsoft-targeted worms, studied whether to ditch Microsoft software or disconnect it from the Internet. The company opted for the latter because ditching the software and starting over with another operating system was, in its calculation, too costly. Instead, the company shielded its Microsoft applications with layers of Unix-based firewalls and authentication tools.

      Companies can quantify their annual security budgets but a lot of security spending typically falls outside of the identified costs, Lobel says. Some of it is labeled basic infrastructure spending, while other portions may be buried in what systems administrators do for part of each day. Accurate cost allocation, he says, “is an art, not a science.”

      As for Microsoft, the company is pledging real security improvements. Two years ago, company chairman Bill Gates decreed that a new Trustworthy Computing initiative would make security first priority in Microsoft product development. Last month, Gates said in a speech that security is the biggest part of his $6 billion research-and-development budget and that Trustworthy Computing amounts to “many years of work, lots to be done, billions of dollars to be invested in it, but a very critical and worthy goal.”

      Certainly, making future Microsoft software bullet-resistant is necessary. But how far in the future is a critical issue to cost-conscious companies. The hacks are coming faster; the time between Microsoft revealing a software vulnerability and a related exploitation by hackers is decreasing.

      Map it out: Microsoft reported vulnerabilities in its Internet Information Server Web folders in October 2000. The Nimda worm messed with those Web folders 357 days later. The Slammer worm appeared just 184 days after the July 2002 bulletin about problems in the SQL Server database. The time between Microsoft's July 2003 revelation of an Internet interface problem in Windows and the Blaster worm? 26 days.

      Meanwhile, clumsy patch management from Microsoft can make matters worse. When Windows XP came out in October 2001, it came bundled with additional separate software to fix problems discovered before launch but too late to address in the core code. Since then, 30 additional megabytes of patches have been issued for XP.


      MS Hole-Fix Can Have Holes

      And even Microsoft's hole-fix software can have holes. On Feb. 10, Microsoft revealed a “critical” vulnerability—its highest threat rating—in a common file-library component in Windows. By exploiting that flaw, intruders can run code on unprotected XP and Windows Server 2003 systems. Companies with Windows NT servers, meanwhile, aren't affected unless—and here's the twist—they have previously installed certain patches for other, older problems.

      Michael Cherry, an analyst at independent research company Directions on Microsoft, says Microsoft is doing an excellent job communicating security problems to customers—but not managing the fixes. “The weak area is still deployment—how patches are installed,” says Cherry, a former manager at Microsoft.

      For instance, consumers are expected to go to Microsoft's Web site to download patches, but not all have broadband connections. “If you go into Fry's or CompUSA, you can pick up a marketing CD to show you how wonderful XP is,” Cherry says. “Why can't they do that with a CD of patches? They have the wherewithal.”

      Microsoft's response to current patch frustrations is a “service pack” due this summer to address several issues. On the disk will be tools to track, for example, which patches are installed and which aren't and whether antivirus software is present and turned on. A more-secure version of the Internet Explorer browser and a new firewall to protect Internet-facing systems will also be included. Gates said in his speech that the service pack demonstrates Microsoft's commitment to security first, new product features second.

      Still, customers are annoyed at Microsoft's tendency merely to fix—rather than prevent—problems, says an executive at a major consulting firm. “They say, ‘Develop secure code. Don't give me an automated solution for patching your code after I've already bought it,’” he says.

      Scott Charney, chief strategist for Microsoft's Trustworthy Computing plan, says the ultimate goal is better initial software. “We have a large installed base with software that was not designed with today's threat model in mind,” he says. “You have to have R&D, coding, testing, getting software into market, adoption—it takes time.”

      Agronow of The Weather Channel Interactive says Microsoft is making the right noises about security.

      He likens it to Microsoft's response to the Internet in the mid-1990s. Microsoft at first dismissed Web software. But when customers flocked to an Internet browser from Netscape Communications, a start-up company built on the ideas of a 24-year-old programmer, Gates noticed. Microsoft created its own browser and wrote support for Internet standards into all products. Gates initiated the turnabout with a companywide missive about the Internet tide and turned around the S.S. Microsoft behemoth to surf it. “If they put as much effort into that as they have into other initiatives, like the browser wars, they could win the security battle,” Agronow says. “But it's not there today.”

      —Additional reporting by Deborah Gage and Larry Dignan

      Kim S. Nash
      Kim has covered the business of technology for 14 years, doing investigative work and writing about legal issues in the industry, including Microsoft Corp.'s antitrust trial. She has won numerous awards and has a B.S. degree in journalism from Boston University.