[ISN] Applying Pressure

From: InfoSec News (isn@private)
Date: Wed Jul 07 2004 - 03:42:25 PDT


By John Foley,
George V. Hulme,
Steven Marlin
July 5, 2004 

What began as an uncoordinated din of IT professionals complaining
about computer security has turned into a collective movement that's
spanning entire industries. For evidence, consider the actions taken
by BITS, a powerful financial-industry organization that recently
crafted a detailed security policy on how it expects technology
companies to respond to the needs of its member firms. Two weeks ago,
the nonprofit consortium squeezed concessions from Microsoft. Now,
other big-name vendors are in its sights.

BITS acted because the costs and risks associated with rising software
vulnerabilities have become "untenable," senior director John Carlson
says. Coping with software vulnerabilities has become a $1
billion-a-year problem for the financial industry, according to BITS,
whose heavyweight roster includes Bank of America, Citigroup, Fidelity
Investments, and Wells Fargo. "We clearly anticipated that the costs
are going to increase over time unless something is done," Carlson

Dissatisfied with the pace at which IT vendors were moving to address
security problems, BITS decided to engage them on its own terms.  
"There's almost no one who's immune," says Larry Seibel, information
security director at Huntington National Bank, whose chairman and CEO,
Thomas Hoaglin, is on BITS's board of directors. "I don't think anyone
believes we're going to have a quick fix." Just last week, the SANS
Institute's Internet Storm Center reported an attack in which hackers
attempted to capture, via Internet Explorer, user-login information
from customers of dozens of financial institutions.

BITS held an invitation-only meeting in February for its members and
some undisclosed software companies, and, in late April, it unveiled a
sweeping plan to encourage IT vendors to show a "higher duty of care"  
in delivering foolproof products. A detailed policy statement, issued
jointly with the affiliated Financial Services Roundtable, calls on
vendors to make security a fundamental part of software design,
support older versions of products, make upgrades easier, improve the
patch-management process, and give companies with "critical
infrastructure" advance notice of new vulnerabilities.

The group hopes to influence product development and support across
the technology industry. Prominent names are at the top of its list:  
Cisco Systems, Computer Associates, Hewlett-Packard, IBM, Microsoft,
Oracle, and PeopleSoft. "There are lots of potential weak links,"  
Carlson says. "Our members said, 'These are important companies to

InformationWeek surveyed some of those leading technology companies to
assess their readiness to meet BITS's specific proposals. To see their
answers, go to informationweek.com/996/ responses.htm.

BITS supports incentives, including tax breaks, to encourage vendors
to put more research and development into security, and it promises to
help protect industry groups from antitrust laws as they collaborate
on security measures. It's also wielding a stick by encouraging
regulators to share some of the information they already gather on the
security practices of software companies.

Security professionals believe there's something to be gained by
bringing the collective weight of an industry to bear on the issues
they face every day. "These efforts present a united front and focused
pressure, rather than each of us working on our own to improve
software and to get change," says Gene Fredriksen, VP of information
security with Raymond James & Associates, co-chair of BITS's
software-security working group, and a member of its security and
risk-assessment executive committee.

It doesn't hurt that BITS has the backing of some big guns. Thomas
Renyi, chairman and CEO of the Bank of New York, is chairman of BITS's
board of directors. According to Cisco, its CEO, John Chambers, has
met directly with the industry group.

BITS is rallying companies from other industries around the same set
of issues. Technology executives from the telecommunications,
chemical, and electric-utility industries were invited to its
closed-door February meeting, and the group coordinated with the
influential Business Roundtable on the details of its
software-security policy and the timing of its release.

"Everyone's looking at everyone else's work, saying, 'What can we do
working in collaboration with each other to solve this problem?'"  
Carlson says from his Washington office, where he had just returned
from a meeting last week of the House Subcommittee on Technology,
Information Policy, Intergovernmental Relations, and the Census. Last
month, the chairman of that subcommittee, Rep. Adam Putnam, R-Fla.,
co-authored an amendment to the 1996 Clinger-Cohen Act that would make
information security a required consideration when government agencies
buy computer systems. Putnam is monitoring self-regulation efforts by
groups such as BITS in the private sector.

Microsoft's arrangement with BITS was the first of its kind, but it
won't be the last, says Gytis Barzdukas, director of product
management with the vendor's security business and technology unit.  
After six months of discussions, BITS talked Microsoft into providing
more-favorable terms for Windows NT 4.0 custom support and making
Windows support personnel available to BITS's members in their local
offices. Both sides say further cooperation is planned.

With new security threats popping up weekly, banks have kept one eye
on the perpetrators and the other on regulators. Marguerite Gear, VP
and sourcing manager at Bank of America, says the risks to a bank's
reputation can equal or surpass losses from lawsuits or penalties. "In
financial services, trust is paramount," she says. "Identity thefts,
firewall attacks, viruses, or intrusions can devastate a bank."

Under Basel II, an accord reached last month by international banking
authorities, large banks must be able to measure by the end of 2007
their exposure to operational risk, including software flaws, in
addition to credit and market risk. Large financial institutions have
had Basel II preparations under way for at least a year, beginning
with compiling data about previous cyberattacks and formulating
scenarios about potential new ones.

Conscious of the need to proceed without disrupting ongoing business
activities, teams of IT, compliance, legal, and audit specialists are
working to formulate plans combining all these elements. The hope is
that by working collaboratively, they can present business heads with
a single plan of action. "We don't want to go to them with one set of
compliance questions and another set of security questions," says an
information security executive at a large multinational bank.

When reviewing software products, this executive says, "we ask
[vendors] to show us their model for providing software updates and
patch distribution, both during the ordinary course of business and
during emergencies." Vendors are grilled on their response procedures
in the event of a crisis. Bank of America's Gear says banks routinely
write into contracts clauses that specify software products are
warranted as being free of malicious code. "It's a huge, huge issue,"  
she says.

BITS has set the security bar high with its own stringent set of
criteria for product certification, introduced in 1999 and
reintroduced two years ago after being aligned more closely with the
international security evaluation standard known as the Common
Criteria. So far, only two products--HP's VirtualVault and Archer
Technologies' SmartSuite Framework--have passed muster. "It tells us
software companies have a lot of work to do in terms of meeting the
targeted needs of our profiles," Carlson says.

Carlson and many security professionals agree that vendors have shown
an increased willingness to address their concerns and acknowledge
that IT departments bear much of the responsibility for securing their
systems and networks. But they say vendor efforts haven't yet passed
the most important test: There's been no decline in the number of
security threats or attacks, or in costs associated with them (see
story, Under Attack).

What comes next? BITS is working to define best practices for
patch-management and on security issues associated with spyware,
wireless technologies, and remote access. Users would also like to see
increased collaboration among technology suppliers themselves.  
"Ultimately, I would like to see the industry get to the point where
we have common security baselines among vendors," says Raymond James'

Oracle is thinking along the same lines. "The next frontier is for
vendors to drop their competitiveness," says Mary Ann Davidson,
Oracle's chief security officer. "Developing secure code is not a
trade secret. Vendors need to start calling each other up and sharing
development techniques. The hackers certainly share attack and
vulnerability information."

If the vendors can ever outpace the hackers, their customers will
deserve part of the credit.

Help InfoSec News with a donation: http://www.c4i.org/donation.html

This archive was generated by hypermail 2.1.3 : Wed Jul 07 2004 - 06:15:37 PDT