OS Security
Dark Reading's Top 10 IT Security Myths Demystified - Part 1
As I mentioned in this morning's TDI, Dark Reading put a stake in the ground by defining the "Top 10 Myths of IT Security." The link to the entire article is here. Having no pride, I figure I may as well jump on their coattails, add my two cents, and initiate some good discussion about some topics that I'm sure will create some passionate discourse. So without further ado, let's jump right in:
Myth #1: Epidemic Data Losses (link here)
"Let's all take a breath together: There is no data loss epidemic."
So the Dark Reading guys start off with a bang, that's for sure. They make this statement and then go on to reference the CSI/FBI survey to validate that security risks are going down. WRONG! Let me say that again: WRONG!
Attacks are more targeted, so we are seeing fewer of the massive outbreaks, but I posit that more attacks are successful. We just don't know about most of them. And let's debunk the debunking of this myth: THERE IS A DATA LOSS ISSUE. The fact that it isn't a major, catastrophic issue is just by pure luck.
Millions of customers have had enough information compromised to be potential victims of Identity Theft. Has it happened yet? I don't know. Lots of folks have an issue, but it's hard to point back to one lost laptop, so to speak. And the idea that we've been losing stuff for years and now it's an issue because the Feds make us report it is just asinine. Because the status quo is to screw up doesn't mean we can/should accept it.
So, I give their first myth-buster a C. They are wrong, but the impact has not been felt or correlated back to these data losses.
Myth #2: Anything but Microsoft (link here)
"Nothing is bulletproof these days."
This one is better. Clearly Microsoft is a much bigger target, but that doesn't mean you should just buy a Mac (or use Linux) and not worry about anything. You still have other devices (servers, etc.) and data that can be compromised. Yes, I use a Mac when traveling. I think it is safer and definitely easier to use. It also gives me street cred with the Gen X crowd. OK, not so much. But what it isn't is bulletproof. Everyone should think layers and ensure that your network security posture is strong.
This one is better. B+
I'll be back next week to address a couple more of the myth-busters.
"Effective" security - within reach?
The thing I didn't see in Roger's column that I think is pretty important is every company's threshold for security is going to be different. Some are willing to accept a bit more risk in order to either improve the user experience or perform an important business function. But the key here is for the end user to MAKE that decision, as opposed to having it thrust upon them.
Some of Roger's ideas will work for your environment, some not so much. But this is the kind of simple stuff (in concept anyway) that can really make a big difference in your security posture.
So let's go through Roger's list of "effective security solutions" (in his order of effectiveness):
- Do not allow end-users to run or install unauthorized software - Bingo. This is why application control software is so effective at stopping malware. If users can't do stupid things, everyone is better off.
- Don't put unnecessary software on the authorized list - This is where the rubber of #1 meets the road of the customers. He specifically mentions Flash, Real Player and iTunes. I'd posit that for many employees, RealPlayer is the only one that is "optional." With iTunes being a prevalent distribution mechanism for podcasts (where folks can get info directly related to their jobs), I'm not sure iTunes is the villain it once seemed. And anyone that surfs the web needs Flash. Do these add risk? Yes! But I'm not sure a strategy preventing these applications is defensible.
- Implement default deny - Amen to this. Otherwise called the positive security model, unless you say it's good, it's not - so you block it. This can be implemented on routers and firewalls and will dramatically increase your perimeter security posture.
- Don't allow end-users to be logged in as Administrator - This is easier said than done, and Roger admits that. But getting new applications isn't a very good answer for most folks. Vista will do a lot to help this problem for Windows users.
- Automate comprehensive patching - This is great advice. A lot of companies have rigorous change control that takes weeks to authorize a patch. That is weeks of exposure. I say patch first, clean up the small percentage of messes later.
- Convert all inbound email to plain text - Hmm. I'm torn about this one. If you have application control implemented, I'm not sure this does anything but piss people off that their email looks like crap.
- Enforce long passwords - I don't buy this one. So it takes a password cracker 3 hours instead of 3 minutes. And the reality is that hackers get passwords via social engineering anyway. If you are worried about it, two-factor (like BioPassword) could be a good alternative.
- Encrypt all confidential data by default - I'm not sure what this means and how you do it. This only solves half the problem. What happens when that data is loaded to a laptop or sent in an email?
- Spend less money on new security software and more money on reviewing the basics - This is the best one of the bunch. A misconfigured firewall is about as good as not having one, so yes - in all of our desire to get that shiny new thing, we tend to forget about the simple stuff that can kill us.
- Hack and audit your own network regularly - Again, this is great advice. Public companies need to do this and private companies should as well. You never know how effective your defenses are until you try to break them.
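One way to picture the positive security model behind items #1 (application control) and #3 (default deny), as an added example that is not from Roger's column or this post: a default-deny check for network flows beside the blocklist it replaces, and a hash-based executable allowlist. The port numbers, file names and file contents are constructed for illustration.

```python
import hashlib

# Constructed sample policy: the only flows and binaries the organization has said are "good".
ALLOWED_FLOWS = {("tcp", 80), ("tcp", 443), ("udp", 53)}
APPROVED_BINARIES = {  # name -> file contents (constructed stand-ins for real executables)
    "word.exe": b"fake contents of the approved word processor",
    "browser.exe": b"fake contents of the approved browser",
}


def allow_flow(proto: str, dport: int, allowed=ALLOWED_FLOWS) -> bool:
    """Default deny (positive model): a flow passes only if an explicit allow rule matches."""
    return (proto.lower(), dport) in allowed


def allow_flow_blocklist(proto: str, dport: int, blocked) -> bool:
    """Default allow (negative model), shown for contrast: anything not listed gets through."""
    return (proto.lower(), dport) not in blocked


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(approved: dict) -> dict:
    """Application control list keyed by content hash, not by file name."""
    return {sha256_hex(blob): name for name, blob in approved.items()}


def may_execute(content: bytes, allowlist: dict) -> bool:
    """A binary runs only if its hash is on the list; unknown or modified files are denied."""
    return sha256_hex(content) in allowlist


if __name__ == "__main__":
    # A new, unapproved service on tcp/8443 shows up: default deny blocks it,
    # while a blocklist that never heard of it lets it through.
    blocked = {("tcp", 23)}
    print("tcp/8443 under default deny:", allow_flow("tcp", 8443))
    print("tcp/8443 under a blocklist:", allow_flow_blocklist("tcp", 8443, blocked))
    # A file carrying an approved name but different contents is not the approved binary.
    allowlist = build_allowlist(APPROVED_BINARIES)
    print("approved browser runs:", may_execute(APPROVED_BINARIES["browser.exe"], allowlist))
    print("unknown file renamed browser.exe runs:", may_execute(b"something else entirely", allowlist))
```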
Vista's impact on security markets - You don't care
We all know that nothing happens overnight in this business. Vista will be out at some point (you don't care about that either) and it will have some embedded security capabilities that will overlap with some commercial products. So what? Are you going to shut off all the ZoneAlarm, Webroot, and Safeboot stuff you've been buying? Of course not, you are at risk TODAY and Vista is not going to be there for another 300-450 tomorrows (depending on your threshold for pain). So you better keep on keeping on. That's the only choice you have.
Let's look at the situation from a historical perspective because we've seen this movie before. Windows XP SP2 was supposed to kill the personal firewall market. I actually thought the timing was interesting that Check Point had acquired Zone Labs about 2 weeks before Microsoft announced they were bundling the XP firewall for free. Did that kill the personal FW market? A resounding NO.
Actually some of the personal firewall vendors got a bit enterprising (like Sygate) and started morphing their "endpoint" security capabilities into a piece of a larger Network Access Control environment. Senforce is moving towards this vision as well, integrating StillSecure's NAC technology in. Microsoft did that too, right? Isn't that what NAP is about? Well, if you get in your time machine and step out in 2008 when Longhorn is there too, then the answer would be yes. But not today.
We'll see similar evolution in spyware and full disk encryption. Microsoft will offer a lowest common denominator and existing vendors better have a very clean, very crisp value proposition on top of that. If they don't, then these 3rd party vendors deserve to get steamrolled by the Vista juggernaut.
I also take issue with some of Yankee's comments about when to deploy Vista. They seem to think that because the user experience is different and the additional security may cause some users to get grumpy, it's OK to wait until 2008 to upgrade. My opinion is that it's OK to wait until 2008, but do it because you aren't refreshing your PCs until then or you've got other priorities, NOT because you don't want to impact the user experience. That's a stupid reason to do nothing.
Windows XP SP2 is not secure enough. We are reminded of this every day. If you are committed to Windows (like 80% of the world), then you'll want to upgrade to Vista when practical. As a security administrator, you have a choice - spend some time training your users about Vista's user account protection or continue cleaning up the mess of Windows XP.
So I applaud the Yankee Group's PR savvy, since I saw a lot of pick-up for this story today, but feel compelled to remind folks that Vista is still practically a year away and you've got a lot of work to do between now and then.
Vista may slip again - so what?
Looks like the G-men are projecting that Microsoft is going to slip Vista another couple of months. Here's the Reuters story.
I want to be very clear on this. I don't care when Vista ships and neither should you. Anyone that is building a security architecture around Vista is nuts. Who knows when it's finally going to arrive? Best case volume shipments won't be in the market until midway through Q1 2007. We all know that you never never never never never deploy a 1.0 release from Microsoft, so you are looking at probably Q3 2007 for Vista SP1, right?
I'm no mathematician folks, but that's over a year away. A lot of bad stuff can and will happen in the next year. So if I were you, I'd be focusing on what needs to be done today. Is your perimeter in good shape? Does some stuff need to be refreshed? Are you looking at NAC? What about identity management? Have you addressed some simple endpoint solutions, like application control? What about your data center? Are your web applications protected? Your databases?
See my point? There are lots of things you need to worry about and Vista isn't one of them. Unless you are a one person shop, you are not going to snap your fingers and be 100% Vista on day 1 and expect that all your problems will be gone. It's just not going to happen.
So do me a favor and think about security pragmatically. Figure out your future state (as I described in this AM's post on security ROI) and work on a plan to get there. It's OK to figure out how and where Vista and Longhorn (the server side of Vista) fit into the mix, but make sure you aren't planning on them for another 12-18 months.
And forget about all the media frenzy this week about whether Vista will be delayed some more. The media loves these kinds of projections - which generate a lot of page views. Let the pundits fight it out. Keep in mind that ultimately for you and me it doesn't matter when Vista ships.