Scott Charney, chief security strategist at Microsoft,
tells us about the IT security challenges that his company is
trying to address with its Trustworthy Computing
initiative.
Scott Charney believes strong IT security is still many years
away. A former US government security specialist, he is responsible
for Microsoft’s Trustworthy Computing initiative.
Charney believes that no matter what Microsoft and the rest of
the industry do, it will be up to businesses and end-users to
upgrade to a more secure platform. However, this is easier said
than done, as Microsoft produced a lot of legacy code before
Trustworthy Computing.
Although users need to adopt more secure platforms faster,
forcing change is not the answer. "Suppliers have to make it easier
for users to adopt this technology," he said. "Windows 2003 may be
secure, but the level of security it provides could break backwards
compatibility."
Charney believes a big barrier to more secure IT is that users
cannot justify the costs. "It is difficult to see a return on
investment on security," he said. For instance, it is hard to put
forward a business case for purchasing an intrusion detection
system. Winning over the business will require a change in
tack.
"Good security is about risk management. There is little point
in breaking the bank," he said. The big question for businesses is
how much they should spend and what a security breach would
cost.
Charney said users have been reluctant to buy or use secure
technology, even when such technology has been built into the
computers they purchase. For example, IBM has provided a trusted
computer module for its ThinkPad laptops, while smartcard and
fingerprint scanners are options for desktop and laptop PCs. But
manufacturers cannot justify the additional cost of developing this
security technology if no one uses it.
How long will it take?
Charney said Microsoft is about one third of the way towards
Trustworthy Computing. He wants to see improvements in the way
Microsoft handles patch management.
"We need better installation and distribution processes for
patches," Charney said. He wants better tools to check whether
users need to apply a patch. This is an important area for
Microsoft, as users need to know whether their IT configurations
require a security patch when Microsoft issues a new one.
One of Charney’s biggest concerns is the time it takes for
patches to be made available to users. Once a security issue has
been identified, there is a window of opportunity for hackers
before the patch is released and users install it.
"We need to be in a position to make patches available within 24
hours of a security alert," said Charney. Ideally, PCs should be
updated with new patches automatically without any intervention, he
added.
Charney’s other main worry is that a new, destructive worm could
hit users at any time and no one will be prepared. "This year’s SQL
Slammer and MSBlaster attacks did not have destructive payloads.
But that day will come," he said.
So far, users have escaped any real damage. Worms such as SQL
Slammer and MSBlaster have simply caused networks to run slowly or
crash through a denial-of-service attack. Charney warned that it
was only a matter of time before smart worms such as Slammer
evolved in a way that could make them more destructive. Such worms
could easily be modified to delete or steal data and computer
system files.
In terms of security technology, Charney said the focus of
network security is moving inside company networks. "Perimeter
security is no longer sufficient," he said.
Windows XP offers firewall protection for every PC connected to
the corporate network. If configured, such technology can stop the
spread of worms and viruses.
But locking down the corporate IT environment is only the first
step. With the increase in broadband use among home users and the
availability of wireless networks, there are plenty of
opportunities for hackers to cause disruption. Charney is confident
the IT industry will improve security, but said progress will bring
more virulent threats, such as the prospect of morphing viruses
that would be almost impossible to target with traditional
anti-virus software.
What is the next step?
Charney said public key infrastructure technology has limited
use. A PKI is designed to minimise fraud on the internet by
providing a way for people to guarantee the organisations they deal
with are genuine. But PKI is difficult to manage, and is not
suitable for the general public, he said. For example, many people
send and receive e-mail messages but how many understand what to do
when they receive a PKI certificate?
Ideally, authenticating the PKI certificate should be
transparent to the end user, but as it is not, its effectiveness is
reduced, said Charney. Many people would simply click to accept the
PKI certificate without really acknowledging its relevance.
Smartcards may work in the corporate environment, but any form
of security requires users to agree to use it. And, in spite of
all the education on sound security and back-up strategies, Charney
questioned whether users bothered to back up their PCs.
He said the industry needs to work collectively to tackle
security. For example, when the SQL Slammer worm infected
corporate systems, users did not have a central source of
information. A SAP user would have gone to SAP for help, while
others turned to their hardware provider, and some called
Microsoft.
"What is needed is a federated approach to security to define
the roles and responsibilities of IT suppliers when a security
breach occurs," said Charney.