[ISN] Q&A: Microsoft's Scott Charney on security in a time of war

From: InfoSec News (isnat_private)
Date: Thu Mar 20 2003 - 23:06:15 PST


    http://www.computerworld.com/securitytopics/security/story/0,10801,79554,00.html
    
    By CAROL SLIWA 
    MARCH 20, 2003
    Computerworld 
    
    Scott Charney, chief security strategist at Microsoft Corp., has 
    extensive dealings with the government in the area of security on 
    behalf of Microsoft, and his background also includes an eight-year 
    stint as chief of the Computer Crime and Intellectual Property Section 
    in the criminal division at the Department of Justice from 1991 to 
    1999. Under his direction, the agency investigated and prosecuted 
    national and international hacker cases, economic espionage cases and 
    violations of federal criminal copyright and trademark laws. He spoke 
    this week with Computerworld about areas of concern for IT 
    professionals during a time of war. 
    
    
    How will the war impact you in your role at Microsoft? 
    
    When you think about actual conflict, there are probably three things
    that you can note historically. One is that conflicts between nations
    tend to lead to parallel conflicts between hackers. When the U.S. spy
    plane was down in China, you saw a large increase of defaced Web sites
    between Chinese and U.S. hackers. ... You might see some increase in
    that, if history is any guide.
    
    The second issue, of course, people worry about is some sort of
    terrorist strike against cyber. Most of us don't believe that a major
    cyberterrorist attack is imminent for a host of reasons. Historically,
    we haven't seen cyberterrorism attacks, and there's a lot of
    speculation on why that's so. One is it's not actually so easy to
    bring down the networks. There's a lot of redundancy and a lot of
    resiliency. Second, it doesn't create the kind of graphic pictures
    that terrorists often want. Third, it doesn't create the kind of fear
    that terrorists want.
    
    Most of us who worry about cyberterrorism worry less about a global
    attack on the infrastructure as opposed to a specific, coordinated
    attack on an infrastructure. Had they attacked Verizon 10 minutes
    before the planes hit the tower, the disruption of the communications
    networks through cyber would have made it much harder to restore when
    you started replacing the physical parts of the network.
    
    The third piece, which is of broad concern for the Defense Department,
    is whether there will be a corollary information warfare attack of
    some sort meant to disrupt communications and other things. There was
    a case called "solar sunrise" in the mid-'90s when we were gearing up
    for airstrikes against Iraq last time, where DOD [the Department of
    Defense] noticed a very broad-based attack on their networks.
    
    I got called around 2:00, 2:30 in the morning and I said, "Where's it
    coming from?" They said, "United Arab Emirates." And I said, "Well,
    I'm Justice, not State, but I think they're friendly, right?" And they
    said, "Yeah, but we don't know where it's actually coming from. We
    just know it's that region of the world. And with what's going on
    militarily, this is of concern, of course." And they were right.
    
    So we got court orders and launched an extensive investigation. It was
    two juveniles in Cloverdale, Calif., who were looping through the
    Middle East and coming back and attacking the Department of Defense
    with the help of an Israeli. What you don't know in an Internet attack
    is who's attacking or why. So there are some huge challenges here. But
    I think in terms of what's going on in Iraq now, the things you would
    watch out for are information warfare attacks.
    
    
    From the perspective of IT folks who are at home or perhaps have 
    international operations, what should they be wary of or thinking 
    about top-of-mind over the next couple of weeks? 
    
    When I think about Sept. 11, it had a broad impact on the
    cybercommunity. ... The reason it changes their thinking is because it
    made them re-evaluate risk -- perceived risk vs. real risk. If on
    Sept. 10 I had said to anyone anywhere, "What are the odds of four
    planes being hijacked, three of them hitting buildings?" they'd say,
    "Slim to none." And then on Sept. 12, it was 100%. So even in the
    cyberworld, people started to ask, "OK. We don't think it's likely the
    whole Internet could be brought down or terrorists would target us.
    But we didn't think they were going to do that either."
    
    Whenever there is some sort of international crisis like this, I think
    it's time for people to step back, take a deep breath and say, "In
    this changing world model, have we done enough things to make sure
    we're reasonably secure?" Because it is all about risk management. In
    times of conflict, risk goes up.
    
    So people in companies should be saying, "Are we in an infrastructure
    that might be targeted by terrorists? Am I in an infrastructure that's
    supporting military operations and therefore may be a target?" If you
    are, you should say, "Am I configured correctly? Have I run lockdown
    tools? Am I up to date on my patches?"
    
    If I haven't done that now -- and you should have -- this is a wake-up 
    call to do it now, especially because your risk is elevated. 
    
    
    Have you found that most IT folks reacted to that Sept. 11 wake-up
    call?
    
    Some people took it as a wake-up call and acted on it. I think 
    some people didn't; they say it's not a cyberevent. I also think a 
    combination of that and some other things, like Slammer for example, 
    make it clear that vendors certainly have to make it easier for 
    customers to manage their set-ups. 
    
    As someone who thinks a lot about critical infrastructure protection, 
    there are things clearly that Microsoft needs to do better. And we're 
    devoting a lot of attention to it. 
    
    Also this synergy didn't exist before, for the most part, between 
    markets, public safety and national security. Having been in the 
    government for a long time, from a public safety, national security 
    perspective, I was screaming about security in the early '90s, but 
    markets really weren't demanding it. ... I think what we've seen in 
    the last couple of years is this synergy where markets are now 
    demanding the same things that public safety and national security 
    require. And that synergy is actually a wonderful thing. 
    
    
    You said there are lots of things Microsoft could do better in the 
    area of security. What in your estimation is the highest priority? 
    
    The No. 1 priority for us is patch management. It absolutely has to
    be. We have a patch management working group now that spans the
    company. We said, "OK, let's define our problems." One, we need a
    common nomenclature. We need to be talking about things in the same
    terms. We need a common installer so that patches install the same
    way. We need patches to register with the [operating system] in the
    same way so we can scan for it later and see if you're patched. We
    need the ability to uninstall. Some people wrote installers with
    uninstallers. Some didn't. Well, it's important to have that because
    you can test the patch and deploy it and then [if] it has an
    unintended consequence, can you uninstall it and get back out?
    
    And we need to improve the tools that allow you to scan to see if
    you're patched, because today, the tools don't run across the suite of
    Microsoft products.
    
    
    What's the timetable for the patch management improvements? 
    
    We've got eight installers today. Within a year, I want to get down to
    two: one for applications, one for the [operating system]. ... I'm
    always cautious about going public with road maps because you run into
    challenges you didn't anticipate.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    



    This archive was generated by hypermail 2b30 : Fri Mar 21 2003 - 02:16:05 PST