By Tom Field, Editorial Director, Information Security Media Group

The three pillars on how organizations can be secure today and to participate better in the changing economy:

• Reduce Risk
• Cut Cost
• Enable New Business Opportunities (i.e. Cloud Computing and Mobility)

I’ve spent the week at the RSA Conference. It is a great place to meet colleagues, customers and friends. I had been a Conference Chair for the last 5 years, helping pick speakers and build panels. That was lots of fun, but this year I chose to sit out and let some other lucky soul have a chance. I did participate in the program, however. My friend Caroline Wong put on a panel on security metrics, and asked me to be one of the four panelist. The panel was a blast, and is worth a blog post in its own right.

But the subject of today’s post isn’t my panel, or metrics, but about a key part of the show. It’s about a time-honored ritual at RSA: the industry keynote delivered by Microsoft’s Corporate Vice President of Trustworthy Computing, Scott Charney. In a speech that was covered by multiple media outlets, including IDG News Service, CIO, and Computer Reseller News, Charney made three significant announcements. He:

• Admitted that last year’s suggestion, to require ISPs to cut off serially infected machines, was not realistic because it imposed undue costs on ISPs. Charney argued instead that end-users must take more responsibility for the safety and security of their own machines. To that end, he…
• Proposed a system of “public health certificates” that customer client machines would present to relying parties like banks and on-line websites that needed extra assurance that their customers’ machines were clean. Charney calls this “Collective Defense.” In addition, Charney…
• Argued that the Internet must attribute activities to people wherever we can. Charney argues that with threats, there is always a Who, a What and a Why. Figuring out who the Who is would go a long way to helping national governments fight the various cyber-wars, cyber-skirmishes and cyber-hair-pulling matches that have been documented so well in the press over the last few years.

It seems to me that Scott, as the designated security spokesman for Microsoft, clearly understands his responsibility to set forth a vision for the industry. Microsoft’s preeminent position as the world’s leading software and systems vendor demands that he think big, think fast and think provocatively about The Future of Security. Moreover, the RSA Conference, as the preeminent industry conference devoted to information security, gives Microsoft (and Charney) the perfect platform for presenting their big, fast and provocative thinking. But let’s be honest, there’s a fine line between provocative and pollyanna. This year, Charney donned blue-tinged gossamer winds and fluttered off into the magical land of wishful thinking.

Let’s start with Microsoft’s ideas about Collective Defense and “public health certificates.” If I understand the idea correctly, relying parties (such as banks) would elect to trust — or selectively trust, or not trust — devices that presented digitally-signed attestations about their health. Rather than call this Collective Defense, let’s call it NAC’s Nephew. Practically, here is what that would mean: if McAfee or Symantec AV tells your bank that you have a clean bill of health, then your bank ought to let you transfer your money to Liberia. But if you don’t, they might think twice or ask for secondary authentication.

If you are technologist, especially one who drinks the Better Living Through Cryptography Kool-Aid or believes that “non-repudiation” actually refers to a real legal concept, digitally-signed health certificates sure sounds like a great idea. But upon closer scrutiny, nagging questions about practicality, implementation complexity and the so-what factor make it less attractive. Dan Geer has noted that technologists need to beware whenever they catch themselves saying “…and then a miracle happened.” That’s what we have here. I could raise a dozen objections, including (1) the decreasing efficacy of endpoint anti-malware software, (2) the high likelihood of certificate forgery, (3) the lack of likely implementations for platforms that aren’t Windows, and (4) the serious doubt that banks are asking for this stuff anyway (Trusteer isn’t exactly setting the world on fire, is it?).

But these are just the obvious objections. Slightly more worrying is Charney’s admission that ISPs aren’t part of the solution for keeping PCs safe. By that I assume he meant: Comcast, Time Warner, Charter, Cox had a few objections to cutting off infected customers. I can imagine a conversation between the two Steve Bs (Ballmer and Burke) that went something like this:

Burke (Comcast): So, Steve, I understand that you’d like to have me start cutting off Internet subscribers when we figure out that that their machines are infected.

Ballmer (Microsoft): You better believe it. We’re all-in on making our customers safer. ALL-IN!

Burke: I’ve got 80 million high-speed customers. My customer support team tells me I’ll lose 5m of them within the first year of running this program. That’s 7 billion dollars of lost revenue in the first year.

(pause)

Burke: Are you trying to get me to throw a chair at you?

(pause)

Burke: Excuse me Steve, but you’ll understand if I pass. I’ve got to run anyway. It’s time for me to start working on my 2011 Christmas cards.

That conversation never happened, and the numbers I presented are fictitious. But you can understand why putting the onus on ISPs to “keep their pipes clean” isn’t good for business. That Microsoft realizes this now is merely an admission of reality, and most welcome.

But while Microsoft’s new position reflects a more realistic appreciation of the limits of securing customer computers, Charney doesn’t push his thinking as far as he could. For example, consider his analogy comparing infected PCs to infected people. These are both health risks, and in both cases it behooves authorities to be aware of infections as early as possible. To the extent you can compare people to PCs, It also makes sense to educate customers about basic practices they can take to reduce the risk of infection (although I suspect Symantec might object to the implied comparison of installing their software to hand-washing.)

That said, computers aren’t like people at all. Computing can be improved in ways that the most audacious recombinant DNA theorist can only dream of. Because unlike humans, machines’ “DNA” — the operating systems and software that they are made of — can be replaced wholesale. From the security perspective, operating systems like SELinux, Qubes OS, BlackBerry OS, Apple’s iOS, Google’s Android or even Microsoft’s own Singularity or Windows Phone 7 OSes are fundamentally superior to Windows, because they have built-in protections like code-signing, verified roots-of-trust — often burned into hardware — and mandatory access control. From the security perspective, replacing Windows PCs with trusted Post-PC OSes such as Singularity or iOS isn’t merely a minor improvement like washing your hands. It’s more like replacing humans with a carbon-based life-form that’s immune to influenza.

Now, these other Post-PC OSes and their associated App Stores have other problems that I will be writing about in future posts, such as chatty, privacy-invading apps. But infections that compromise machine integrity isn’t one of their most pressing problems. And yes, I know I’m going to catch a lot of flak from the app security absolutists for saying this (“NOTHING is 100% secure…”). Please. Captain Obvious already paid me a visit today. Given enough time and money, anything is breakable. But acting as if mandatory code-signing, sandboxing and hardware-based trust anchors don’t decrease risk significantly is tantamount to dismissing 30 years of research by people much smarter than you and I. And that, in turn, means that we are ignoring lessons about how software should be built. In other words: we should not let loose talk about “ecosystems” distract from the critical need to re-examine the core software we run on the systems we use in our daily work.

Charney gets close — so very close — to this key point. When he calls for public health certificates that rely on hardware roots-of-trust to vouch for the integrity of devices, he should, instead, ask himself why they are needed in the first place. When he admits that ISPs can’t filter out infected PCs because of the expense, he should be asking whether he ought to, instead, design an operating system that fundamentally resists infection.

And finally, when he suggests that customers should share responsibility for educating themselves about keeping their PCs clean, he should ask himself why they should care, and whether the hassle of “education” and “taking responsibility” is worth it from the customer’s standpoint.

Now that’s a visionary speech I wish he’d made.

By Venture Capital Dispatch

The following dispatch comes from Robert Armstrong, a senior columnist with Dow Jones Investment Banker:

Big IT companies buy their smaller peers to ward off competition. Paradoxically, the strategy can give innovative young companies a foothold in the market.

For entrepreneurs in enterprise IT and their venture capital backers, this phenomenon should provide inspiration. For M&A strategists at the market leaders, it’s a warning.

Dow Jones Investment Banker recently spoke with several profitable and fast-growing venture-backed enterprise technology companies. Many executives emphasized how the acquisition-minded giants — as difficult as they are to compete against — have created opportunities for upstarts like themselves.

Big vendors such as International Business Machines, Hewlett-Packard and Oracle Corp., have an iron grip on the enterprise market, due to conservative corporate IT buyers and high switching costs. Adding new products though acquisition is a strategy designed to tighten this grip further. The thinking is that buyers will be happy to one-stop shop with a trusted name and will be enticed by all-in pricing packages.

Oracle, for instance, has bought 31 companies in the last three years, including Sun Microsystems and BEA Systems Inc. Rival H-P has bought 23 companies, including Electronic Data Systems, 3Com Corp, 3PAR Inc. and ArcSight Inc, over the same period.
Some smaller companies are turning the acquisition strategy against its practitioners.

SevOne Inc., backed by Osage Ventures, sells software and hardware for IT infrastructure performance management, and competes against a murderers’ row of IT giants including H-P, IBM, CA Inc. and BMC Software. The Delaware-based company has managed to grow well all the same, swelling from 15 employees three years ago to 50 today. Thomson Reuters Corp., Comcast and Computer Sciences Corp. are on its customer list.

SevOne’s products identify, analyze, document and report on problems in customers’ networks. Chief Executive Mike Phelan says his competitors’ offerings “are often actually a different product for each step in the process.” In many cases, the parts were picked up in separate acquisitions.

The messy genealogy of the big vendors’ products, along with the very fact that they are often part of a much larger product suite, leads to two problems for buyers: cumbersome upgrade paths and difficulty scaling up. “We deliver new capabilities a little at a time, but very frequently,” says Phelan, and when customers are looking to grow, scaling up to manage a bigger network is simple.

The idea that the big guys are at a disadvantage when it comes to upgrades and scaling up is echoed by Samir Gulati of Appian Corp., a Virginia-based maker of business process software. He has found that the competitive products from the large IT houses are often four different products — a database, a reporting engine, a process server, a portal product — parts of which will have been developed at different companies. The key issue, again, is that the focused, organically grown product is easier to update: “we upgrade every month or quarter — the big vendors can’t match the innovation.”

Appian, backed by Novak Biddle Venture Partners, generated 60% growth in license revenue in 2009 and has secured customers such as Amazon.com Inc. and the Office of the Comptroller of The Currency.

The increasing complexity of companies’ IT infrastructure is another key factor. It has become more important than ever that when a new product is added, it is interoperable with all those that went before, which often come from a variety of suppliers.

Augie Gonzalez, director of product marketing for the storage virtualization firm DataCore Software Corp., says “our pitch to buyers is, whoever they buy their storage infrastructure from, we can help them maximize the value of that infrastructure.”

Florida-based DataCore competes against many companies, such as IBM, that offer a hardware/software solution — which precludes this kind of vendor agnosticism. Its investors include Flagship Ventures, Insight Venture Partners, New Enterprise Associates, and Updata Partners.

The same message is shared by Tim Harvey, CEO of Connecticut-based Perimeter E-Security, which offers security monitoring and reporting services to customers, and last summer raised $104 million from Bessemer Venture Partners, Goldman Sachs and Stripes Group. Its product is designed to work with — indeed to maximize the value of — products offered by security giants McAfee Inc. and Symantec, and Harvey sees this as a key selling point.

There is an irony here. The fact that companies like these have profitably exploited the intrinsic weaknesses of the big acquisitive conglomerates increases the chance that they will, in their turn, be acquired by those very conglomerates.

If history follows its usual course, some of these acquisitions will work well — but others will do little more than open the door to new entrants.

Original post:
http://blogs.wsj.com/venturecapital/2010/09/29/when-consolidation-fosters-innovation-among-start-ups/

Microsoft said “Given the public disclosure of the details of the vulnerability, and how to exploit it, customers should be aware that broad attacks are likely,” this includes worms and a host of other malware that can automatically exploit this code through a variety of methods.

This is worse than most vulnerabilities we see.  Most vulnerabilities allow the system to be compromised in a specific way that may allow limited access or flexibility to the hacker.  This vulnerability makes it very easy for the cyber criminal to install any software they want as if they are the system administrator.

The solution?

• There is no automated fix from Microsoft at this time. However, there is a manual ”work around.”

The manual “work around” involves editing the Registry.  Note – only experienced system administrators should manually edit the registry.  One wrong move can cause major stability and bootup problems.  The details for the registry edit can be found in the Microsoft Security Advisory (2219475).
Beware that Microsoft says that this may break links that you are trying to use in the Help and Support Center.  Microsoft has also posted a knowledge base article with a “fixit” here.

• Stay tuned for more details from Microsoft

Microsoft is working on a patch. The Google researcher who discovered the flaw has released a fix; however, Microsoft says that this fix is easily bypassed and that users should not rely on the Google fix to resolve the problem.

While Microsoft is working on a patch, Perimeter E-Security continues to encourage users (especially those using XP) to create a limited user account for everyday computing.  Read more on this here. This will go a long way to protect systems from this exploit as well as many others we have seen in the past and will likely see in the future.

Contact us today at 800.234.2175 to talk with a security expert if you have further questions.

Tags: Windows XP exploit, Server 2003 exploit, vulnerability assessment tools, IT security, application penetration testing, managed service providers, intrusion detection system, security penetration testing

Good security professionals are expensive and difficult to find. When they are found, they are usually snatched up by large organizations leaving a security expertise shortfall for small and medium sized businesses. Even some enterprises find these individuals, get them certified and trained, and then they leave for greener pastures leaving the company holding the bill and no security resource. This is one of the key reasons we have seen a massive migration towards the use of managed security service providers. Even some large organizations that have security staff have decided to outsource some of the more mundane elements of their security to save money and keep their resources dedicated to specific “high value” projects. The good thing for companies is that it is very reasonable (from a cost perspective) to outsource elements or all of their security.

Symantec reports that 61 percent of enterprises are now using third-party security services or are planning to employ them in the next 12 months.

The amount of unique malware out on the Web has grown 571 percent since 2006.

About half of the companies say they’re understaffed in security.

26 percent say they don’t have the funds they need to hire appropriately.

19 percent said they’ve been affected by layoffs [in IT].

Forrester found that third-party security services was one of only a few line items where spending was expected to increase among enterprises this year.

The majority of businesses said they use third-party services for email security and content filtering, and almost half outsource their firewall monitoring.

The two top drivers among firms for using a managed security service provider are the demand for a specialized skill set (29 percent) and the need to reduce costs (28 percent), Forrester says in its report.

Symantec’s study found similar results. In that study, the need to offer 24/7 security coverage was the top reason for using third-party services (55 percent), followed by the need for access to skilled expertise (48 percent), and the need to lower overall costs (45 percent).

While compliance is still a driver, other factors have trumped this as the number one reason for security outsourcing.

Email security — including encryption, archiving, and/or content inspection — is the most popular form of security outsourcing in the enterprise, experts agree. Web security, including firewall management and filtering for malicious or inappropriate content, is generally considered to be the second-most popular service.

They summarize the situation in this way….”The threat is growing exponentially at a time when budgets are being reduced and skills are harder to find.”