March 2002

News and Analysis

Security Conversion

Some see Microsoft's new emphasis on security as a quasi-religious conversion. Others wonder if Gates will practice what he preaches.

BY LAWRENCE M. WALSH

Microsoft's new emphasis on "trustworthy computing" is laced with religious undertones. In the minds of some, Bill Gates's proclamation to produce secure software is akin to Moses coming down from the mount.

"There are many changes Microsoft needs to make as a company to ensure and keep our customers' trust at every level--from the way we develop software, to our support efforts, to our operational and business practices," Gates wrote in his now-famous e-mail to employees in January.

So, is this the greatest philosophical conversion since Constantine adopted Christianity, or just a PR campaign to keep Microsoft's reputation from being fed to the lions? Many believe it's the real thing.

"What's compelling and interesting about the Bill Gates memo is that it's from their top dog, their spiritual leader, who has a track record for inspiring the company," says Joel Scambray, managing principal of Foundstone (www.foundstone.com). "When he speaks, he does so with authority."

This isn't the first time Gates issued new commandments. In 1995, a similar memo focused the company's attention on the Internet. By comparison, experts say it will be a Herculean effort for Microsoft to improve its security.

Already, Microsoft has taken Gates's edict to heart. The OS development division suspended operations, sending its 8,000 developers off to a month-long security boot camp. From there, they'll scour existing OSes for bugs and vulnerabilities, eventually issuing rolled-up patches.

Additionally, Microsoft lured Scott Charney away from PricewaterhouseCoopers to be its new chief security strategist. Charney, better known for his days at the Department of Justice's cybercrime division, will work with the company's security team to develop new security strategies and foster a security-conscious atmosphere.

These developments are clear signs that Microsoft is paying more than lip service to security, but many say Gates and company really don't have a choice.

"If this doesn't happen, then .NET doesn't happen, Passport doesn't happen and Web services doesn't happen," says Chris King, an analyst at the META Group. "The next stage of their business doesn't happen without a trusted computing base."

Security Epiphany?

Many may find it hard to believe, but security has been a priority at Microsoft for some time. Nearly two years ago, the company founded the Secure Windows Initiative (SWI), which drove the security enhancements of Windows 2000 and XP. And security has been one of the strongest pillars of the .NET initiative from its conception.

What Gates's e-mail did was move security from the domain of security specialists to a topic that's discussed company-wide on every level.

"When you walk through the halls, you hear people talking about bugs and vulnerabilities and reading [security books]," says Steve Lipner, Microsoft's director of security assurance. "It's really had a huge impact on what we're doing and will have an impact on our products."

But the question hanging on many lips is why security hasn't taken root with such fervor before? The answer, they say, is Microsoft's underlying business philosophy.

Microsoft built its empire on innovation and entrepreneurship. It brought feature-rich, inexpensive software to the market faster than anyone else. In this environment, security was typically an afterthought.

"Security is a bit like water, because it runs through everything," says Royal Hansen, VP of the Americas at @stake (www.atstake.com). "It will have to be a cultural shift. It's not something that someone will run off and do. Every executive, every developer will have to make security a part of everything they do."

Therein lies the rub. Even as Microsoft retrains its workforce, it will eventually be faced with the tough choice between revenue and security. The turning point observers are waiting for is when an OS developer is praised for holding up a new version release because of security problems.

"They've got smart people and a lot of money, but they have to worry about the market," says Foundstone's Scambray. "If they get under intense scrutiny and market pressure, the Gates memo may be put on the shelf to fight for their life."

Lipner says Microsoft has made tough choices before, citing how the SWI stopped shipment of Windows 2000 and delayed the release of XP because of security vulnerabilities. "This is the mandate in the Windows division for an extended period," he says.

Technical Challenge

The security cognoscenti have long bemoaned Microsoft's emphasis on functionality over security. The difference is that now consumers are waking up to the problems in Microsoft software, and many enterprises are coming right out and telling Microsoft to clean up its act or risk losing business.

"We think that trustworthy computing is the key to the growth of the computing industry," Lipner says. "This is a critical time, just as the Internet was a critical time in the mid-1990s. We have to get it right for the company to continue growing."

Given the complexity of today's applications, experts say it's virtually impossible to generate bug-free applications, particularly in operating systems with millions of lines of code.

"Everybody markets faulty software; every single software package on the market is faulty in some form," says Russ Cooper, editor of NTBugtraq and surgeon general of TruSecure Corp. (www.trusecure.com). (TruSecure publishes Information Security.)

Microsoft's insistence on maintaining a closed-source development model is also seen as a hindrance to improving security. Some *nix-based OSes use an open-source philosophy to root out programming and security flaws. Many have urged Microsoft to embrace the open-source model, but Microsoft has vehemently refused to relax its proprietary posture.

Further complicating Microsoft's task is the underlying philosophy of its applications: interoperability. Much like the Internet, Microsoft's applications were made to share information. And the more applications that are linked together, the greater the potential for security problems.

"There's a good chance that there's no possible way that they can build security into a system that's inherently insecure," says Dana Paxton, an intellectual property consultant and writer. "We've built a sharing world, and Microsoft is leading the change. So, when they say they're going to be secure, they have to build it upon a very shaky infrastructure."

The Perception Battle

When XP was released last fall, Microsoft said the new Windows version was its most secure OS ever. With a built-in firewall and intense quality controls, XP held the promise of reversing Microsoft's security woes. Six weeks later, however, the first security problem was discovered--the Universal Plug and Play (UPnP) vulnerability.

Although difficult to exploit, the UPnP vulnerability continues to generate headlines, further scarring Microsoft's reputation. While other OSes also suffer from security bugs, Windows flaws attract extra media attention because of Microsoft's ubiquitous installation base.

"The media doesn't want to write a story about a buffer overflow in a Unix application, because most of their readers won't know what they're talking about," says Cooper. "But if you talk vulnerabilities in Outlook, about 95 percent will know what you're talking about."

One key battleground in Microsoft's war on perception is the .NET initiative, which makes secure code a requirement. Foundstone reviewed the development framework and found that .NET's quality control mechanisms make vulnerabilities such as buffer overflows virtually impossible.

But in a world where beating up on Microsoft is a sport, even minor security problems will be enough for people to say Microsoft's developers are asleep at the compiler.

"I don't think Microsoft will be able to fix what's nipping at its heels, because there are far too many people who dislike them because of their size," Cooper says.

From this point on, analysts say, Microsoft will be measured by whether it puts security before profits, quality before innovation and practicality before features.

"They will always be more scrutinized than other players," says Mike Silva, VP and research director at Gartner Group. "Microsoft has a history of creating good enough products, but unless they can improve security, then it won't be good enough."

HIPAA Confusion Grows

Ohio attorney Martha Baxter isn't sure what to tell her clients who are struggling to meet the April 2003 security and privacy compliance deadline for the Health Insurance Portability and Accountability Act (HIPAA). "There's nothing that you can advise," she says.

More than a year ago, the U.S. Department of Health and Human Services (HHS) announced the expectations for protecting electronic and paper medical records. But HHS has yet to issue specific security requirements. Only the privacy component--which experts agree is far from final--has been released, and that was 15 months ago.

Even without the regulations, health care providers and insurers who fail to meet the deadline face stiff fines and other penalties, not to mention potential loss of business from bad publicity.

And the delay isn't good news for vendors who market their security goods and services as "HIPAA compliant," because no one knows what "compliant" really means.

"I have a number of clients around the country who have consultants already advising them on security, and I think it's foolish for them to be spending dollars on proposed regulations in such a volatile, changing world," says Baxter, a partner with the law firm Bricker & Eckler, whose clients include hospital and nursing home systems.

The change in presidential administrations accounted for earlier delays, then the Sept. 11 terrorist attacks led to further postponements. Most HIPAA experts agree that the compliance deadline will be rolled back, but no one knows for how long.

Meanwhile, health care providers continue to do cost-benefit analysis of current compliance options, such as adding confidentiality clauses into vendor agreements. Others are putting "placeholders" into business contracts to be filled in once HIPAA rules are final.

"It may not be exactly what the rules want, but hopefully it brings us closer into compliance," says Dean Harvey, a partner in the Dallas law firm Vinson & Elkins, whose clients include large hospitals and pharmacies.

--Anne Saita


Shifting Liabilities

Software security problems rekindle interest in holding OEMs accountable.

Security breaches caused by flawed software are reawakening interest on Capitol Hill, with legislators mulling over new rules that would hold software makers more accountable for their code.

Legislation is pending that could use liability as a way of gaining compliance with a set of national cybersecurity standards. The proposals are supported by a new National Academy of Science study calling for policymakers to consider laws that "would increase the exposure of software and system vendors and system operators to liability for system breaches."

Corporations spend millions each year keeping up with software patches and recovering from security breaches. Proponents say holding software vendors civilly liable for bugs and weaknesses would force them to improve quality or face an endless stream of lawsuits.

Yet, the software industry has made it a priority to remain exempt from liability, saying such legislation would chill the development of any new applications.

"They are people like you and me who have an idea for a software product," says Keith Kupferschmid, intellectual property counsel for the Software and Information Industry Association. "But with the potential risk of them being liable if someone hacks into the software, no one is going to go into it."

The law currently treats software as a service, not a product. The distinction allows software makers to elude liabilities such as those faced by automakers and home electronics manufacturers.

Ronald D. Plesco, a computer law consultant and a Pennsylvania State Police employee, says it's only a matter of time before a high-profile lawsuit makes software vendors realize they can be held liable for faulty products.

"I think what is going to happen is they will still produce software, but it will take longer for them to take it to market," Plesco says. "They are going to beta test it longer. There will be careful testing and review, unlike today where they want to get it right to market."

--Sean Corcoran


Business

A Simpler Secure Connection?

New products try to carve out an alternative to VPNs.

BY CARL WEINSCHENK

A handful of newcomers to the security space are betting that the complexity and expense of deploying VPNs and secure extranets will prompt enterprises to seek simpler solutions. Their solution: "virtual instant extranets."

Although they have different approaches, vendors--including Neoteris (www.neoteris.com), Flatrock (www.flatrock.com), Yo.net (www.yo.net), Netilla (www.netilla.com) and NetSilica (www.netsilica.com)--are trying to create the next generation of secure remote connectivity that eliminates or vastly simplifies the necessary infrastructure.

VPNs provide secure connections, but are notoriously difficult to deploy and manage across complex open-systems architectures. While managing a simple remote access VPN client/gateway is relatively straightforward, virtual enterprises often require more complex topologies involving clustered VPNs, multisite extranets and "cascaded" VPN tunnels. According to Jason Matlof, Neoteris' director of marketing, the desire to "virtualize" the enterprise is great and growing. "At the end of the day, there is such an enormous pain point in deploying remote access," Matlof says.

Neoteris attempts to alleviate this pain by creating remote access through existing Web technology. Neoteris "Webifies" network resources, allowing users to access networks through an SSL-secured browser session. This eliminates the need for installing a client application, and access rights are linked to existing gateway ACLs. The downside to the solution is that it can't handle legacy client/server apps and others that aren't Web-enabled.

Flatrock, by comparison, provides secured access to any IP-based application. The system connects Provider Application Routers (PARs)--which typically sit in the DMZ--to Subscriber Application Routers at the end-user's site via an IPSec-secured tunnel. The PAR has a second interface that faces the LAN and accesses application servers if requests are authenticated.

While these newcomers have a long road ahead if they're to make a dent in the burgeoning VPN market, analysts say these alternatives are worth watching.

"They have to build up a passel of success stories--and not only in making the sale, but in supporting the rollout," says Jim Slaby, a senior analyst for Giga Information System.


On THE MOVE

  • PKI and access control solutions provider Kyberpass named Thomas Nolan president and CEO.
  • MSSP TruSecure appointed Thomas Joseph VP of managed services, Carl Humes VP of operations and managed services and Jim DeBald VP of channels worldwide--all three are former principals at Three Pillars, a managed monitoring company. TruSecure also named Jim O'Connor, formerly of Parabon Computation, VP of engineering.
  • Warwick Ford joined the board of directors at Ponte Communications, a provider of network security management software.
  • Caradas, an application security systems provider, appointed Tom Carty COO and Tom Johnston CTO.
  • Aladdin Knowledge Systems, a provider of user authentication products, named Gregory Gronowski VP of software commerce for North America.
  • VPN provider AppGate appointed Brian Offi CFO, Sam Kumarsamy VP of sales for North America and Willem C. Vander Kaaij VP of sales for Europe, Middle East and Africa.
  • Joyce Brocaglia was appointed president and CEO of Alta Associates, an information security personnel recruiting firm.
  • Internet Security Systems, a provider of security software and managed services, named Pete Privateer VP of protection services.
  • Scott S. Blake was promoted to VP of information security at BindView, a security management solutions provider.
  • Security Automation, a developer of automated forensics tools, named Garry Stenzel senior VP of sales and marketing.
  • Finjan Software, a provider of malicious code security solutions, appointed Nick Felicione president, Rober Yusin VP of sales for the Americas and Lorri LoGrande director of channel sales.
  • Cenzic, a developer of risk management products and services, appointed Alan Henricks president and CEO, Steph Marr VP of engineering and John Blumenthal VP of product marketing.
  • Bob Walters joined Stratum8, a developer of hacking and intrusion prevention solutions, as CEO.
  • MSSP NETSEC appointed Tom McHale senior VP of operations.
  • Venture capital firm Trident Capital named IDS expert Rebecca Bace as a venture consultant.
  • Ted Healey joined DMOD, a provider of encrypted end-to-end data distribution solutions, as VP of engineering.

@work

Hiring Security Admins

Hiring entry-level security administrators isn't exactly an easy task, especially since security typically isn't an entry-level job. Not only do companies have the problem of trying to find qualified candidates, but there's the additional obstacle of trying to coax them into the lower-paying positions.

"Most companies are looking for candidates who can 'hit the ground running' and make an immediate contribution," says Joyce Brocaglia, president and CEO of recruiting firm Alta Associates. "In the current employment market, companies have greater choices in who they hire. In some cases, employers' expectations are unrealistic for staff-level positions and salaries."

Entry-level security job salaries typically average between $50,000 and $70,000, comparable with those of network and systems administration positions. However, the added experience required to perform security often gives job seekers an expectation of higher compensation packages, which some say isn't entirely unrealistic.

"You don't want your company's security in the hands of a novice, so even an entry-level security person has to have a pretty sophisticated level of experience," says Tracy Lenzner, president of the LenznerGroup.

So what does it take to put the people in the entry-level seats? Recruiters say benefits and incentives.

Skills-premium bonuses for security certifications, especially niche skills, are a step in the right direction, as well as an opportunity to rapidly advance, says David Foote, president of Foote Partners. In 2001, certified security personnel received an average bonus of 6.8 percent, according to Foote Partners research.

--Shawna McAlearney

PROFILE/Rob Rosenberger

The Truth Is Out There

BY Anne Saita

Vmyths.com editor Rob Rosenberger uses wit and the Web to root out hoaxes and hype.

What started out as a crusade to debunk the malware hype generated by antivirus vendors and the media has turned into a homegrown project to prove that properly configured networks can be connected to the Internet without AV protection.

Rob Rosenberger, editor of Vmyths.com (www.vmyths.com), built his 2,800-square-foot home in the heart of Iowa Amish country with all the modern amenities of network computing. The house is equipped with a T1 line, a CAT6 network, a CAT5 phone system, a commercial-grade server room and computer lab, and whole-house surge protection.

It has everything you'd find in a typical data center, with one exception. "There's no antivirus protection," Rosenberger says proudly.

Since going live in September 2000, Rosenberger says, the network hasn't suffered an infection. He attributes the success to running properly configured software and using firm but flexible security policies. "The entire project has remained free of both viruses and antivirus software since its inception," he says.

"House 2.0" is a natural evolutionary step in Rosenberger's crusade. Since his treatise on computer virus myths in 1988, his anti-AV rants have attracted a cult-like following that's led to speaking engagements and media commentary on the evils of virus and vulnerability hysteria.

Rosenberger started out by distributing plaintext rants through the BBS community. In 1995, he launched the Computer Virus Myths home page, which helped ease the gnawing in his belly every time the media fueled hysteria over virus outbreaks, such as Michelangelo. In 2000, he changed the name of the site to Vmyths.com.

But the avocation consumed all his spare time. So, when he quit his job as a security manager for a Fortune 1000 company and moved to Iowa with his wife in 1999, she suggested he turn his hobby into a paying crusade.

Now, Rosenberger and his small staff of hoax-busters survive on austerity and advertising. The site's $100,000 budget probably would be bigger if Vmyths didn't have an aversion to AV ads.

As a measure of Vmyths' success, Rosenberger and his business partner Eric Robichaud say e-newsletter subscriptions have climbed to 10,000. But, they're told, readership is much higher. "I know inside the computer security world we're a must read," he says. "They hate our guts, but I know they have to read us."

One admitted reader is Scott Culp, manager of Microsoft's Security Response Center. "Computer security issues often involve overblown claims and sensationalism, and Rob has a unique ability to cut through the fog of hype," Culp says.

A "little guy" with a big mouth, Rosenberger insists he's only interested in aiding the people who need ammunition in the form of honest appraisals to bring about security policy changes at their companies.

Although Vmyths has recently extended its debunking to include industry analysts, security "experts" and the National Infrastructure Protection Center (NIPC), Rosenberger says the core mission remains the same--dispelling virus hysteria.

"The first word in Vmyths' mission is 'truth.' We're not afraid to break friendships to get the word out there," he explains.

HE SAID...

"There is...a growing consensus in government and industry that we can no longer continue praising the emperor's new clothes. There is a willingness to admit that there are vulnerabilities, and it is not inconceivable that they will be used against us in a way that could be very damaging to the economy."
--Richard Clarke, White House cybersecurity advisor, in an interview with The Washington Post on the need for software makers to improve the security of their products.

SHE SAID...

"Why do you have brakes in your car? So you can go faster."
--Rhonda MacLean, senior vice president of information protection at Bank of America, drawing an analogy on why enterprises need security.

This Month in INFOSEC HISTORY

1995

Two crackers, one a mole working at MCI as a technician, were sentenced to federal prison for defrauding MCI and other telephone carriers of more than $28 million in stolen services. The insider installed software that captured 50,000 credit card and phone numbers, which he fed to confederates in Europe.

1996

In one of the first examples of a denial-of-service attack on a high-visibility Internet target, hackers diminished the White House's Web access by flooding its e-mail system with unwanted list subscriptions. The auto-responder at whitehouse.gov sent responses, further reducing availability.

1997

A test by the Defense Information Systems Agency found that 90 percent of 15,000 Pentagon systems were vulnerable to common penetration techniques, even though a previous audit had alerted defense officials to the problem.

1998

The National Infrastructure Protection Center was established under the FBI to investigate cybercrimes and combat sabotage of the country's critical IT infrastructure.

2000

Crackers broke the encryption copyright protection of Stephen King's "Riding the Bullet," allowing the horror writer's fans unlimited access to one of the first for-pay e-book experiments. The novella appeared on six Web sites and several chat groups. The book's publisher, Simon & Schuster, contacted many of the ISPs and had the pirate sites shut down.


By The Numbers

55% Percentage of business-technology managers who said their companies will increase infosecurity spending from 2001 to 2002. Forty-three (43) percent said their spending will stay the same, while 2 percent said it will decrease. (Information Week)

24.5% Compound annual growth rate (CAGR) of the U.S. managed security services market between 2000 and 2005, from $720 million to $2.2 billion. (IDC)

$237,000 Average annual compensation of computer security executives at Fortune 500 companies, representing a base pay of $161,000 and a bonus of $76,000. (The Broadmoor Group)

$581,000 Average corporate spending for physical security products and systems in 2002, up 7 percent from 2001. (Security magazine)

57%, 69%, 55% Percentage of large, medium and small companies, respectively, that plan to invest in IDS software in 2002. (Information Week)






Copyright 2002 TechTarget