Rundown on risk: Untangling security

Few IT issues generate as many headlines as security. The latest rapid-spread virus/worm attack or cracker intrusion is front-page news, even in the mainstream press. Yet as serious as these threats continue to be, managing enterprise IT security increasingly involves a broader range of evolving challenges.

“Security, as a practice area, is probably the least-mature IT discipline,” said Christian Byrnes, senior VP for security practice at industry analyst firm Meta Group in Stamford, Conn. “We had it knocked back in 1985, but the whole world changed around us, and we’ve had to start over again.”

One of the biggest security challenges for IT managers today, Byrnes said, is one of the most basic: figuring out how much security is appropriate for the organization.

“Security inhibits business, so it is possible to be over-secure,” he said. “If you stop people from doing things that would be appropriate for your enterprise, then you’re over-secure. Think about it this way: The only truly secure computer is one that has been put into a car crusher and taken down to the size of a one-inch cube. That machine will never get hacked, but you can’t do much business with it.”

Many companies that Byrnes would describe as “over-secure” are also overspending on security. Finding that appropriate level is not always about the size of the budget. In fact, organizations can and do spend a bundle and still fail to achieve reasonable security levels, he noted.

To begin to get a handle on this issue, Byrnes recommends designating a security point person within the firm. “You need someone who can maintain contact between the business and IT communities on everything to do with security. That’s a minimum starting point for getting the problem under control.

“Keep in mind that the organization will be addressing fundamental questions,” he added. “Can we restrain the business in some way? If not, how can we manage the risk associated with that lack of restraint? If we can restrain the business, how do we do it with the least impact and the most benefit? These are things that technical staff is not typically qualified to make judgments on, and a technical staffer is not typically the ideal person to communicate with business management about these issues.”

About 4% of Meta’s clients have no security problems at all, Byrnes said. No virus outbreaks. No cracker intrusions. So there are companies out there who manage IT security effectively with existing technologies and practices. Yet managers should keep in mind that security is not a risk elimination issue but a risk management issue, he said.

“When we talk with those organizations,” he said, “we find that they are the ones that have dealt with all of the higher-level issues. They have trained their employees in how to use a computer securely, communicated the importance of the information and explained why the company’s policies are the way they are. They’ve figured out all of the business issues having to do with security and that leads them to spend their dollars appropriately on technology solutions.”

Author and security expert John Viega agrees that designating a security point person within the company is a good basic strategy. “In most organizations there’s someone who has a passion for this, whether it’s in their job description or not,” he said. “If you can leverage that passion, they’ll be effective, even if it’s only a secondary responsibility.”

Viega is founder and CTO of Tyson’s Corner, Va.-based Secure Software Inc., and the author and co-author of several books, including “Building Secure Software” (with Gary McGraw, Addison-Wesley, 2001), “Network Security with OpenSSL” (O’Reilly, 2002), and “Secure Programming Cookbook for C and C++” (O’Reilly, 2003).

While Viega said that most firms will eventually want to reach out to third-party experts for security assessments and to refine their strategies, he believes that virtually every organization should invest in developing some internal expertise. It is one of the best ways to get the security issues in focus in the context of the particular enterprise.

“We’re seeing a lot of organizations starting to build internal awareness campaigns,” he said. “One of the best examples is Microsoft. About a year and a half ago, the company took two months during which their developers weren’t allowed to add any features to their products, but were allowed to improve security only. They’ve done a great job of making security a primary focus for them. Oracle did the same thing with its ‘Unbreakable’ campaign.”

Microsoft’s decision was likely driven by branding concerns; the company did not want to be seen as weak on security. And although Microsoft might wear the biggest hacker/cracker bull’s-eye, the folks in Redmond are not alone on this issue.

“There’s a lot of worry about brand damage,” Viega said. “The more security is talked about in the news, the more public awareness builds and the more customers begin giving firms feedback. I know some large public companies that never worried about spending money on security until their customers started complaining about the number of security incidents with the product.”

Fitting security into the dev process
Although a growing number of development organizations are beginning to institute their own security awareness programs, Viega said, the concept is still new and so there is a lack of deep expertise on integrating security with the development process.

“There really are no business processes for integrating security into product development,” he said. “The consequences are that people continue to take an ad hoc approach. A few start-ups are trying to address this issue with point products, but there’s no unifying message establishing how it all fits into an overarching development process.”

That lack of integration of security in the development process becomes a critical factor when it comes to assessing the security posture of acquired software. This issue is especially important in the public sector, Viega said, where there are growing concerns about the software and systems developed outside of the United States.

“The primary concern is that engineers in another country could insert back doors into software,” he said. “A secondary concern is that those developers are not very good and the software they develop will be vulnerable.”

The way many companies are coping with this issue at present, Viega said, is either through self-assessment or by simply ignoring it. The problem is that third-party assessments are very expensive. Worse, they do not plug every potential security hole.

“The basic idea [behind security assessments] is that you put a couple of smart people in a room with the product and let them bang on it for a couple of days and see what they turn up,” Viega said. That approach, often called “red teaming,” can sort out policy issues, but it may not provide a complete profile.

“They run the program, and they measure what it does while they’re running it,” Viega said. “But if there’s functionality they did not execute, they may end up with surprises down the road. You can imagine a program that has gone through this kind of testing that, once every couple of months, calls home and sends information to someplace outside the country over the Internet. Those kinds of things are a very real concern for the government.”

Quality affects security
Security guru Gary McGraw sees bad software -- wherever it comes from -- as the single most important enterprise security issue.

“Security has been, by and large, about operations -- about infrastructure and the people who keep the network going,” McGraw said. “But the problem is not being caused by the operators. They get this broken software and they have to install it on their pristine networks. They know that the software is broken, but they don’t know how to fix it because they’re not software guys. So they just put something around it, like an app firewall, or maybe they poke it a couple times to see how broken it is with some black-box testing. And if you’re an operations guy, that’s a natural way to approach it. Unfortunately, operations cannot solve this problem. The only people who can solve it are the software builders.”

McGraw is CTO at Cigital Inc., a Dulles, Va.-based provider of software quality management solutions. He co-wrote “Building Secure Software” with John Viega, and “Exploiting Software: How to Break Code” (Addison-Wesley, 2004) with Greg Hoglund.

“This is something that IT managers are beginning to worry about,” he said. “And that’s a good thing. Everybody ought to be worrying about it. They need to focus more on the [software] development life cycle and less on the ‘probe-ee/poke-ee’ reactive solutions to software problems. There are some people who would like to pretend that you can probe software with some dynamic testing tool to figure out how bad it is. That’ll certainly tell how bad it is, but it doesn’t do anything to help you fix it. The fact is, it’s just better to build it right in the first place.”

A prime example of a reactive solution is patch management, said McGraw. Although it is one of the top security activities, he sees it as the wrong approach. “If you’re stuck with crappy software, you better have a good way to deal with patch management,” he said. “But there’s a much better way: Don’t settle for crappy software.”

Patches are issued to secure vulnerabilities, McGraw points out, and so the announcement of the availability of a patch is also the revelation of a security hole. Consequently, he calls patch alerts “attack maps,” and points to tools that allow hackers to hold a patch against a binary to find the hole. “The bad guys have been doing this for years,” he said. “Why find a new hole when the vendors will find them for you?”

Nevertheless, for the foreseeable future at least, effective patch management is bound to be one of the top concerns of IT managers.

“We’ve had a tremendous number of conversations with clients about patch management,” said Mark Nicolett, an analyst at Stamford, Conn.-based Gartner Inc. “They want to know what they can do to patch faster. Companies are on the patch treadmill and the longer this goes on, the more there’s a general realization that we’ll never be able to patch every system that has access to our network. Some laptops are owned by contractors we employ, and we’re not managing those systems. Some employees are using their own PCs through a VPN. And we have mobile workers who spend most of their time disconnected, so we can’t get to them with a patch fast enough.”

Adding to the problem, Nicolett said, is the shorter time period between the announcement of a vulnerability and an attack. “There’s just less and less time to act,” he said.

Organizations need to have the ability to install patches quickly, analyze the environment, discover lapses or vulnerabilities, and automate as many of these processes as possible. But automated patch management will not be enough, Nicolett said.

“You also need to implement various forms of shielding to give yourself some breathing room so that you can patch at a more measured pace,” he explained. “We can’t continue to patch at a more rapid pace. We are disrupting the environment too much, and we’re increasing the risk of an outage caused because we rushed an update.

“The approach that we take to protecting assets needs to change, as well,” Nicolett added. “We need to have more capability in terms of shielding vulnerable systems. We’ve also advised clients to pay attention to how they’ve configured their systems, making sure that services that aren’t required are turned off, and that they have well-defined standards for user administration, configuration settings and so on.”

Patch management certainly makes Somesh Singh’s top five list of enterprise IT security management issues. Singh is VP and general manager of BMC Software’s security business unit. BMC is a Houston-based provider of business service management solutions designed to align IT resources with business goals.

The ability to distribute patches quickly is essential to any large organization, Singh said, but patching carries substantial risks. In fact, he calls the patch management process “a very high-risk problem.”

“Because of automation and distribution of these patches,” he explained, “there is a capability to very quickly send any new code to hundreds, thousands and even tens of thousands of servers immediately. If a process is not in place to look at these patches and make sure that there are no viruses and no security breaches before they are sent out, the fast distribution technologies become the means of very quickly distributing problems across the enterprise.”

Internal threats and regulatory compliance
Although Singh agrees that patch management is a key security issue, he also believes that threats from without are often less dangerous than threats from within an organization.

“In the popular press, and when you talk to people on the street, when they think of IT security, they think of vulnerabilities and most of the discussion is around external threat,” said Singh. “Yet survey after survey shows that the vast majority of all security breaches come from internal sources. Some are malicious; some are just inappropriate access to data. So the question for IT managers becomes: How do you manage your infrastructure so that the right people have the right access?”

Singh pointed to retail as an example: “You are a large retail store. You have 300,000 permanent employees and 50,000 temporary employees that come and go. Your margins are razor-thin. You want to make the temporary employee productive right away. To do that, he has to have access to four or five different apps that he accesses from the cash register. It often takes five to 10 days to get that access. Many times the permanent employees will get frustrated and, after a couple of days, they’ll give their password to these temporary folks and say, ‘Start using my account.’”

Consequently, the challenge becomes one of facilitating the business by enabling proper access to the right person at the right time while keeping the system secure. Throw in the need to prove all of that and you have arrived at one of the biggest enterprise IT security management challenges, and easily one of the market’s most powerful drivers: the increasing need for regulatory compliance. The Public Accountability Reform and Investor Protection Act (better known as Sarbanes-Oxley), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and an expanding menu of regulations from both the U.S. and Europe are forcing companies to focus on things like identity and access management, separation of duties and controls, repeatable processes, resource protection, and the ability to discover and track lapses in policies.

And as organizations strive to comply with regulatory requirements, the paper is piling up, creating another security challenge: security information management.

“We collect a tremendous amount of data on events,” said Singh. “There are tools available that look at behaviors and patterns and do correlations, but the challenge is to eventually connect these events and correlations to answer this question: So what? And then: Now what? That is a challenge. We can tell anything that’s happening in the enterprise that looks suspicious, but we’re not able to connect it to business processes.”

“The time has come when security has to move from a standalone discipline into something that is part of the IT operation,” Singh added. “And every aspect has to be security-conscious.”

Securing Web services
Regulatory compliance and its attendant challenges are at the top of Rick Caccia’s enterprise IT security management list. Caccia is director of product management at Oblix Inc., a Sunnyvale, Calif.-based maker of software for managing user identities on corporate networks. Also topping his list: a brand-new set of enterprise IT security challenges associated with Web services. Oblix moved into the Web services space earlier this year with the acquisition of Confluent Software, a Web services and application management tools vendor.

“Most companies I’ve talked to over the past year or two have had their IT guys fiddling with Web services in the background,” Caccia said. “They seem to have 25 or 30 of these things deployed, and a lot of them are hooked up to the Web already. But the chief security officers and CIOs have no idea what security, if any, is built into these things. If you take an order-management app and expose it to the Web as a service that anyone can talk to, it becomes a security issue.”

Equally disturbing from a security point of view, Caccia said, is the emergence of Web services-enabled apps. The latest version of Microsoft Excel, for example, is Web services-enabled.

“You can have an Excel spreadsheet making calls to another company’s inventory system,” Caccia said. “If no one ever thought about that happening and they didn’t put any security policies in place, they’ve got a hole.”

Because of the ongoing growth of the public Internet and the likely widespread proliferation of Web services on that network, patching this particular hole may be a real challenge.

“The bottom line is that there’s going to be more stuff talking to more stuff, so the holes get magnified,” Caccia said. “More things are linked together, so there’s just more opportunity for a blow-up somewhere to affect everybody else. Just wait until Microsoft Office 12 comes out and it’s completely Web service-enabled, and you have a million spreadsheets making calls to someone’s financial Web service. That changes the whole game. If you don’t have policy-driven tools, that never gets fixed.”

All of which continues to provide new opportunities for the bad guys. External threats do exist, of course, but they are changing, too.

“The threats are no longer one-trick ponies, one cool little rifle shot,” said Peder Jungck, founder and CTO at CloudShield Technologies, Sunnyvale, Calif. “We’re throwing so much one-off technology at the problem that we’re killing off the ankle biters. So now we’re left with almost nation-state-level professionals building extremely complex stuff, and it’s getting to be a war we can’t handle.”

CloudShield develops programmable packet processing app servers, or Open Network Services Platforms (ONSPs), for high-speed network applications and services. The company’s products are used by solution developer partners to build, among other things, security policy enforcement solutions.

“We have an entire industry based on antivirus, anti-addware and intrusion protection,” Jungck said. “But they’re facing blended threats and polymorphic worms. Security is now about making sure that you have a breadth of technology and processes and the ability to continuously move up the protection level.”

A new breed of hacker
Perhaps more disturbing than the evolution of malicious code is the emergence of a new generation of profit-driven intruders. William Malik, director of security marketing at Sun Microsystems, believes that today’s hacker/cracker is a new breed.

“Hackers are linking up with bad people,” Malik said of sightings at recent security conferences of “informal contacts between known figures of international organized crime and hackers.

“Some of these people may be recruited overtly,” he added, “but most are probably unwittingly supporting [criminal activity]. For instance, one of the best ways to pull off a crime would be to get every bell in the enterprise ringing so they don’t know which alarm is real. If I can get a couple of hackers to pull a stunt when I know that company is going to be flooded with a bunch of alerts, I can plan my heist to coincide with the coming storm.”

The solution here, Malik said, is to get to know your friendly neighborhood FBI and Secret Service agents. “Do it before you have to,” he said. “Show up at an Inforguard meeting. Show up at an Electronic Crime Taskforce meeting. There are 60 or 70 Inforguard chapters nationally; there are a dozen Secret Service offices that have Electronic Crime Taskforces. They are designed specifically to facilitate communication and information sharing among business and law enforcement at various levels and the attorneys general offices.”

But Malik also agrees with Secure Software’s Viega, Cigital’s McGraw and Meta’s Byrnes on the issue of code quality. He said, “a security problem is nothing more than an exploitation of a defect. If you write high-quality code, there aren’t that many defects to exploit.

“One of the things that we all learned going way back is that the quality of the fix is going to be an order of magnitude worse than the quality of original code,” he added. “If you ship a 40 million line-of-code environment that has one defect for every 10,000 lines -- which is pretty good for your average bear -- that means that environment will contain 4,000 defects. If you have to ship a 1 million line-of-code fix, it’ll mend some of those defects, but it’s going to introduce another thousand because its defect rate is one per thousand. That’s just the characteristic of fixes. So you’re much better off shipping high-quality code from the beginning than trying to fix it in the field. You can get to the point where you put in more defects than you take out.”

Please see the following related story: “A look at static binary analysis and better security ” by Jack Vaughan