Scott Charney, chief security strategist at Microsoft, tells us about the IT security challenges that his company is trying to address with its Trustworthy Computing initiative.
Scott Charney believes strong IT security is still many years away. A former US government security specialist, he is responsible for Microsoft’s Trustworthy Computing initiative.
Charney believes that no matter what Microsoft and the rest of the industry do, it will be up to businesses and end-users to upgrade to a more secure platform. However, this is easier said than done, as Microsoft produced a lot of legacy code before Trustworthy Computing.
Although users need to adopt more secure platforms faster, forcing change is not the answer. "Suppliers have to make it easier for users to adopt this technology," he said. "Windows 2003 may be secure, but the level of security it provides could break backwards compatibility."
Charney believes a big barrier to more secure IT is that users cannot justify the costs. "It is difficult to see a return on investment on security," he said. For instance, it is hard to put forward a business case for purchasing an intrusion detection system. Winning over the business will require a change in tack.
"Good security is about risk management. There is little point in breaking the bank," he said. The big question for businesses is how much they should spend and what a security breach would cost.
Charney said users have been reluctant to buy or use secure technology, even when such technology has been built into the computers they purchase. For example, IBM has provided a trusted computer module for its ThinkPad laptops, while smartcard and fingerprint scanners are options for desktop and laptop PCs. But manufacturers cannot justify the additional cost of developing this security technology if no one uses it.
How long will it take?
Charney said Microsoft is about one third of the way towards Trustworthy Computing. He wants to see improvements in the way Microsoft handles patch management.
"We need better installation and distribution processes for patches," Charney said. He wants better tools to check whether users need to apply a patch. This is an important area for Microsoft, as users need to know whether their IT configurations require a security patch when Microsoft issues a new one.
One of Charney’s biggest concerns is the time it takes for patches to be made available to users. Once a security issue has been identified, there is a window of opportunity for hackers before the patch is released and users install it.
"We need to be in a position to make patches available within 24 hours of a security alert," said Charney. Ideally, PCs should be updated with new patches automatically without any intervention, he added.
Charney’s other main worry is that a new, destructive worm could hit users at any time and no one will be prepared. "This year’s SQL Slammer and MSBlaster attacks did not have destructive payloads. But that day will come," he said.
So far, users have escaped any real damage. Worms such as SQL Slammer and MSBlaster have simply caused networks to run slowly or crash through a denial-of-service attack. Charney warned that it was only a matter of time before smart worms such as Slammer evolved in a way that could make them more destructive. Such worms could easily be modified to delete or steal data and computer system files.
In terms of security technology, Charney said the focus of network security is moving inside company networks. "Perimeter security is no longer sufficient," he said.
Windows XP offers firewall protection for every PC connected to the corporate network. If configured, such technology can stop the spread of worms and viruses.
But locking down the corporate IT environment is only the first step. With the increase in broadband use among home users and the availability of wireless networks, there are plenty of opportunities for hackers to cause disruption. Charney is confident the IT industry will improve security, but said progress will bring more virulent threats, such as the prospect of morphing viruses that would be almost impossible to target with traditional anti-virus software.
What is the next step?
Charney said public key infrastructure technology has limited use. A PKI is designed to minimise fraud on the internet by providing a way for people to guarantee the organisations they deal with are genuine. But PKI is difficult to manage, and is not suitable for the general public, he said. For example, many people send and receive e-mail messages but how many understand what to do when they receive a PKI certificate?
Ideally, authenticating the PKI certificate should be transparent to the end user, but as it is not, its effectiveness is reduced, said Charney. Many people would simply click to accept the PKI certificate without really acknowledging its relevance.
Smartcards may work in the corporate environment, but any form of security requires users to agree to use it. And, in spite of all the education on sound security and back-up strategies, Charney questioned whether users bothered to back up their PCs.
He said the industry needs to work collectively to tackle security. For example, when the SQL Slammer worm infected corporate systems, users did not have a central source of information. A SAP user would have gone to SAP for help, while others turned to their hardware provider, and some called Microsoft.
"What is needed is a federated approach to security to define the roles and responsibilities of IT suppliers when a security breach occurs," said Charney.
This was first published in October 2003