[ISN] COMDEX: Panel: Accept the Net is vulnerable to attack

From: InfoSec News (isnat_private)
Date: Tue Nov 19 2002 - 23:55:19 PST

  • Next message: InfoSec News: "[ISN] Security holes aren't being filled"

    Forwarded from: William Knowles <wkat_private>
    By Nancy Weil
    IDG News Service, 11/19/02
    Companies and home Internet users need to accept that the global
    computer network is inherently vulnerable to attacks, worms, trojans
    and anything else miscreants want to unleash on it, and then accept
    that securing the system is everyone's responsibility, a panel of
    security experts said Monday at the Comdex trade show.
    Security can't be accomplished through applying patches to vulnerable
    software, panelists agreed, though they varied in how best to make the
    Internet more secure and disagreed sharply in some areas, with Bruce
    Schneier, founder and CTO of Counterpane Internet Security, serving as
    the naysayer - a role he seemed to relish.
    "As a scientist, I can tell you that we have no clue how to write
    secure code," Schneier said, prompting agreement from John Weinschenk,
    vice president of the Enterprise Services Group at VeriSign, who said
    the best that can be done is to protect corporate computer systems and
    Web sites so that if there is an attack they aren't taken out for a
    long, costly period.
    "I think every software vendor here can do a better job of providing
    more secure software," Gene Hodges, president of Network Associates,
    chimed in. As the discussion went on, though, it was that idea that
    led Schneier into one of his favorite topics - liability.
    The panelists were led by moderator Andrew Briney, editor-in-chief of
    Information Security Magazine, into chatting broadly about their views
    on whether there should be more government regulation related to
    securing cyberspace, and as the other panelists talked, Schneier went
    from grinning to smirking to shaking his head. Briney commented that
    Schneier seemed to be disagreeing and asked him which comments he
    found fault with to which Schneier replied: "Which part should I
    respond to - I don't even know."
    Then things got lively.
    "The reason the software you buy isn't secure is that companies don't
    care," Schneier said. Software vendors care about profits and without
    a sufficient push from concerned users willing to pay more for
    security features, companies just are not going to slow the production
    cycle to add those features. Security is not a priority.
    Microsoft with its ballyhooed Trustworthy Computing initiative drew
    particular invective. "Microsoft is producing software that is
    completely insecure," Schneier said, prompting scattered applause from
    the audience. "The reason is there is no liability for producing a
    shoddy product." If car makers produced vehicles that did not operate
    properly, they would be held liable and sued, but the same doesn't
    happen with software makers, Schneier said.
    "Microsoft produces software that has three systemic flaws a week and
    nothing happens to them," he said, adding that the company simply
    releases patches and that's that. The Boeing Co., which makes
    airplanes, "won't use Windows at all," he said, because the company is
    "playing in the real world" where problematic software matters.
    When Schneier was called to task for singling out Microsoft, he was
    quick to note that Microsoft isn't the only offender, just an easy one
    to cite.
    The security vendors represented on the panel, in fact, could all be
    doing a better job of making more secure software, Hodges had said
    before Schneier ranted on Microsoft. Part of the problem is that the
    security software industry is reactive. First, criminals exploited
    vulnerabilities in floppy disks and so antivirus software was created
    that prevented disks from spreading viruses. Then, the Internet
    flourished and criminals figured out ways to exploit holes in that
    system and the companies responded, creating products and patches
    dealing with specific malicious code. Then, criminals started sending
    nasty code by e-mail and the companies responded by creating products
    and patches for that.
    Wireless networks present the next major challenge. Companies need to
    set up VPNs and other technology and products including firewalls and
    also establish policies that forbid employees from bringing their own
    wireless equipment into offices and using it on corporate LANs,
    several panelists said. There was some back and forth on that point,
    though, because one sentiment is that employees won't heed those
    policies, so companies are better off to assume employees will violate
    the rules and to figure out ways to keep networks safe in any event.
    One things corporate users can't do is to rely on wireless security
    standards. "The people who designed wireless protocols did a horrible
    job with security," Schneier said, referring to Wired Equivalent
    Privacy and IEEE 802.11, which has been notoriously problematic from a
    security standpoint.
    "It's something that's not just insecurity, it's robustly insecure,"  
    he said.
    Securing wireless LANs requires putting "enforcement technologies on
    your network so you can tell when those (rogue devices not approved by
    the IS department) are plugged in," said Dan McDonald, vice president
    of Nokia.
    In the view of some panelists, steps are already under way to focus on
    security nationally with the initiative of President George W. Bush,
    whose administration released a series of recommendations aimed at
    educating Internet users and leading to cooperation between private
    industry and the public sector.
    Some have criticized the effort as lame because it doesn't go far
    enough, but Tom Noonan, president and chief executive officer of
    Internet Security Systems, who is a member of the National
    Infrastructure Protection Board, which is spearheading the initiative,
    defended it as focusing on prevention through education, creating a
    mechanism to respond to attacks and cluing the public in to how the
    computer infrastructure works and how to protect it.
    "The problem is pretty vast, it's pervasive and the problem is
    significant as far as how we're going to approach it," he said.
    Businesses want to deal with system security without government
    interference because "the last thing you want to do is to fully expose
    everything you're doing to protect yourself because this is a
    cat-and-mouse game," he said. Some have called for government to force
    businesses to reveal what they are doing to keep their networks
    Further complicating the issue of creating new laws and regulations is
    that system administrators are already burdened and "can't get to
    patches from last year," let alone figuring out how to comply with
    additional federal requirements, Noonan said.
    Asked by Briney to comment on the one thing that they either believe
    is a myth about security or that they would like to see change, most
    panelists said they want everyone to take responsibility for security
    - which is part of the administration push - including home users who
    need to insist that the software they buy have security features.
    Schneier had a different take, saying he wishes government and
    companies would focus on "actual criminals and not hackers ... I think
    we focus too much on the kids, on the spraypainting and not on the
    actual crime," including those who break into systems and steal
    information or otherwise cause havoc.
    "Communications without intelligence is noise;  Intelligence 
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Nov 20 2002 - 02:12:52 PST