Time for a New Model of Security

Part 2 of a Special Report on Information Security

In its ‘Technology Trends for 2003’, Red Herring Magazine concludes that software-based information security has been, and will continue to be, a disappointment. It states that “If software, the traditional approach to providing security, had been working, then businesses wouldn't have lost an estimated $1.7 billion to security breaches since the September 11 terrorist attacks. Software, by its very nature, is soft; it's easy to change, damage, or destroy. Chips, on the other hand, are made from hard silicon; a tougher nut to crack”.

The magazine points out that “Intel plans to include security features in its next generation of microprocessors. The company hopes these chips will ensure that computers are secure the moment they are turned on, thwarting a common hacker's trick”.

What Red Herring is referring to is a well-developed plan from the TCPA (the Trusted Computing Platform Alliance) for the incorporation of security features into existing and future processor chips, because “software performing sophisticated encryption eats up precious computer cycles on devices like PDAs and laptops”. The idea is an enhanced hardware- and operating-system-based ‘Trusted Computing’ platform that builds trust into client, server, networking and communications platforms, and by “hardwiring the process onto chips, encryption speeds can increase anywhere from 10 to 10,000 times”.

This new expression, a new ‘Trusted Computing Platform’, suggests that any predecessor was, if not untrustworthy, then rather less than perfect in matters involving security. This problem brings us to where we are today, at the beginning of 2003, looking back at a disastrous record of security incidents and exploits and wondering how long it will be before any new approach to the challenge, ‘Trusted Computing’ included, can inspire real confidence from those most at risk from the technology they rely upon so heavily.

Trustworthy Computing

In January 2002, Microsoft’s founder and Chief Software Architect, Bill Gates, stepped forward to announce a radical shift in the strategic thinking of the company. He argued that Trustworthy Computing must be built on four pillars: reliability, security, privacy, and business integrity.

Bill Gates

All of Microsoft’s software engineers are now being put through security training programmes. In software releases, no sample code is being installed by default, VBScript is turned off by default in Office XP Service Pack 1, and Internet Information Server web server is switched off by default in Visual Studio .NET. To track and measure its progress, Microsoft has created a framework for the security objectives of Trustworthy Computing: Secure by Design, Secure by Default, Secure in Deployment and Communications (SD3+C).

Secure by Design

The objective of secure by design is to eliminate all security vulnerabilities before a product ships and to add features that enhance product security.

Secure by Default

The key idea of secure by default is to turn off services that are not required in many customer scenarios. This reduces the “surface area” available for attack. Making a conscious decision to invoke these services increases the likelihood of their being appropriately managed and monitored.

Secure in Deployment

Microsoft views Secure in Deployment as equally or even more critical, because the operation of computers is an ongoing activity. Secure in Deployment involves managing and coordinating the protection, detection, defence and recovery of critical systems, which means having the right policies and procedures in place to tie these activities together.

The Skoda Principle

It wasn’t so long ago that the thought of a Skoda achieving a favourable comparison with an Audi seemed as improbable an idea as associating the name of Microsoft with any serious suggestion of secure computing.

Microsoft may be a market leader but, like Skoda, it has consistently suffered from an image problem in an area of strategic importance. While Skoda has achieved new respectability for its cars, Microsoft still can’t shift the weary cynicism that surrounds its claims that its software holds security as THE number-one priority and that the evidence of SD3 is already beginning to show. This new commitment to security and trust confronts the company with new problems. As one Microsoft executive commented, “Trust is not something that you can enforce, it’s a process”, and the results are frequently invisible.

In defence of its development record, Microsoft argues:

“While the Internet offers tremendous value by opening up new levels of integration with partners, suppliers and customers, it also exposes business systems to new forms of malicious attacks. Despite heightened concern over security, recent incidents exposed potential weaknesses in Microsoft products, the difficulty in deploying them securely, and the challenges of keeping them secure as threats evolve over time. These product vulnerabilities were exploited during recent incidents for three primary reasons”:

1. Security boundaries have blurred or dissolved. When valuable data was stored in only a handful of large mainframes that could be accessed by relatively few users, it made sense to rely on the LAN to provide a security barrier. This is dramatically different from the situation today, where confidential and valuable data is distributed widely and accessed by users inside and outside of corporate private networks.

2. New threats have appeared. The architects who designed the foundations of today’s systems and networks did not conceive of the innovative threats created by security researchers and hackers. For example, the wide use of Perl and Web-based scripting languages on Web servers has enabled attackers to write exploits in these languages—something that simply wasn’t possible years ago.

3. There are more potential attackers. More computers, more Internet connections and sophisticated automated hacking tools mean more opportunities at less effort for attackers. The attention given to successful attacks also encourages new ones. In addition, the payoff for stealing data or disrupting operations at a target, weighed against the likelihood of not getting caught, makes computer-based attacks much more attractive than conventional attacks.

While all of these arguments in its defence are valid, Microsoft, the company that most represents the idea of computer software in the imagination of the public, has become a victim of its own remarkable success. The rapid emergence of the Internet took the company by surprise, and its open-sided 'commodity' approach to software design left it more vulnerable to security exploits than others.

The Case for the Defence

Having occasionally been accused of being a company in ‘denial’, Microsoft has spent the last seven years reacting to the security flaws in its products through a process of patching, instead of ‘biting the bullet’, establishing leadership and assuming responsibility for the latent state of security in its software, as now reflected in the new SD3 strategy. As a consequence, Microsoft finds itself temporarily trapped between where it was and where it wishes its products to be in future. The company’s success and its unfortunate history as a convicted monopolist have made it the largest ‘soft target’ in the business software industry, and while other platforms, such as Linux, may reportedly be no more secure than Windows, it is Windows that accounts for the bulk of reported security exploits and it is Windows that represents the ‘glue’ connecting much of today’s wired society.

While most people would probably identify Microsoft as having the most vulnerable platform and products on the market, the Aberdeen Group, in a report published in November 2003, suggests otherwise:

"Contrary to popular misperception”, the report says, "Microsoft does not have the worst track record when it comes to security vulnerabilities. Also contrary to popular wisdom, UNIX and Linux-based systems are just as vulnerable to viruses, Trojans and worms. Furthermore, Apple's products are now just as vulnerable, now that it is fielding an operating system with embedded Internet protocols and UNIX utilities. Lastly, the incorporation of open source software in routers, Web server software, firewalls, databases, Internet chat software, and security software is turning most Internet-aware computing devices and applications into possible infectious carriers."

Aberdeen writes that Microsoft products had no new virus or Trojan advisories in the first ten months of 2002, while Unix, Linux and Open Source software went from one advisory in 2001 to two in the first ten months of 2002, and that in the same 2002 period "networking equipment" (operating system unspecified) had six advisories and Mac OS X had four.

What the Aberdeen report suggests is that while reported vulnerabilities on different systems can vary on an annual basis, the overall vulnerability and incident trend continues to increase, as reported by other sources, such as Security Focus, Riptech and Mi2G. However, while Microsoft claims to be doing everything in the company’s power to strengthen the security of all its current and future products and has recently been awarded Common Criteria security certification for Windows 2000, it carries behind it an impressive legacy of Windows 95 and Windows NT sales that remain connected to the Internet with inadequately configured firewalls or weak or non-existent passwords.

No Quick Fixes

When Microsoft’s Craig Mundie delivered his 'annual report' on the company's trustworthy computing initiative, he illustrated the deployed population of different versions of Windows within a total active user base of approximately 400 million. The largest installed base remains Windows 95, while the first results of the SD3 initiative "remain in the earliest stages of deployment”. What Mundie said is important from the customer's perspective, as it clearly details the company’s intentions in relation to trustworthy computing, and it is worth studying the text of his speech.

Craig Mundie

"So we know”, says Mundie, “that in practice it's impossible for us to remediate the threats that we know exist in the world today in systems that were designed in 1991, '2 and '3 and deployed in '95 and which are actively still in use today... Now, we know that these waves just keep rolling through and they will ultimately change, but it shows how long the threat exists of bad things happening and why it's not completely possible to fix every old system”.

"The message here is that there will have to be two tradeoffs that have to be made, and to some extent the events of last September (9.11) have facilitated us in making one of those tradeoffs or changes."

"We have decided”, says Mundie, “that we will begrudgingly forsake certain app compatibility things when, in fact, they don't allow us to have a default configuration that opts for more security. In the past, the biggest thing that happened to us was IT managers would come to the company and say, hey, all those new features, they're great, all that new security stuff, that's great, but whatever you do don't break my app. So just turn it all off and trust me, we'll fix the apps and then we'll turn it all on. And the reality is that never happened”.

"And so we're going to tell people that even if it means we're going to break some of your apps we're going to make these things more secure and you're just going to have to go back and pay the price."

“Naturally, being secure is going to cost money, but if you are insecure because you're unprepared to foot that bill, then your insecurity stems from your own irresponsibility”:

"And the other thing is that the customers, whether they're individuals or corporations, are going to have to make a decision about when and how much they spend to get these machines to be more secure. And to some extent you can do it by insulating them, to some extent you can do it by putting things around them or in front of them that protect them, you know, firewalls in some sense. And then in some cases, you can just replace them when you get new machines or new software or both that have intrinsically better capabilities”.

Mundie also referred to the next version of Windows, Longhorn, which will support the Intel-based hardware (TCPA) architecture named Palladium, a security and digital-rights management technology which is still at least two years away and which will offer a trusted security environment within the hardware framework.

Some Thoughts on Palladium

In an interview on www.kuro5hin.org this month, Adam Barr, a former Microsoft developer, was asked, "What's the story on Palladium? Is this Microsoft's latest attempt to regain control of the industry?"

Barr answered that "Palladium is at its heart a fairly simple idea, which is hardware support for storing keys and performing cryptographic operations on those keys. It's true one of the uses of this could be for Digital Rights Management, but Palladium is just one component that a DRM (Digital Rights Management) system could potentially use to make itself more reliable and hack-proof."

He went on to say, "Actually I really see no particular way in which Palladium will make software more secure. If you look at why software is unsecure, you have bad design (such as Outlook allowing macros to run by default), bad administration (people not properly configuring their system security settings), and genuine bugs (such as buffer overflows). Palladium doesn't really address any of those directly, although I suppose Palladium might help a user notice some of those problems (if a user tries to play a DVD on a system with the wrong security settings, it might refuse to do so)".

What Palladium is doing is going after a security problem that really isn't addressed by current software, and trying to solve it. Microsoft has to fix all the other problems first: make design decisions that favor security over ease of use, make the system easy enough to administer that people actually do so properly, and clean up all the bugs. Then it can attempt to write a Palladium system that is trusted.

Incidentally, said Barr, "I think one of the steps it will have to take is releasing the source code. Not as open source, but as ‘read only’ source".

In summary then, the solutions that will appear from Intel and Microsoft tomorrow offer little immediate comfort to organisations facing an escalation in the digital threat environment today. The harsh reality for most customers may be found between the lines of Mundie's speech. The message clearly moves much of the responsibility back to the customer and argues that if you are not using the most up-to-date versions of Microsoft software, in conjunction with ‘state-of-the-art’ firewalls and supported by a BS7799 information assurance policy, then information security will remain very much a lottery, often determined by accident and by a hacker's personal interest in the victim's domain or business.

In Part 3 of this report, I’ll be asking whether Open Source computing offers a more secure alternative to Microsoft’s Windows.
