[ISN] Is Vista security a selling point?

From: InfoSec News (alerts@private)
Date: Mon Nov 20 2006 - 22:48:38 PST


http://news.com.com/Is+Vista+security+a+selling+point/2100-1029_3-6137223.html

By Will Sturgeon
Special to CNET News.com
November 20, 2006

An assortment of new security features in Windows Vista will help many 
consumers become "secure enough," but businesses are unlikely to abandon 
their current levels of additional, backup security if they adopt the 
new operating system, some experts say.

Among more than a dozen security features within Vista are improvements 
such as the malicious software removal tool, smart card and log-on 
authentication changes, user access controls, USB device controls, 
Windows defender and Windows firewall.

But none of these, even in combination, should be seen as a panacea, 
security professionals say, and the need for a layered approach to 
security remains as critical as ever.

Stuart Okin, security partner at Accenture and former U.K. head of 
security at Microsoft, told Silicon.com: "As I see it, there are 15 
security features in Vista and none of them are this great panacea where 
if you install them the world will be OK.

"Security is about layers and you need to take a layered approach to 
security."

While Okin's admonition is not new--or unexpected--it is worth 
repeating, especially to protect consumers from an overreliance on 
Vista's security features.

The net effect for consumers, however, will undoubtedly be improvement, 
Okin said. "From a consumer point of view, I think the biggest 
improvements are going to be around user access controls and Internet 
Explorer.

"The downside is they are going to be prompted a lot more. But if people 
and the wider industry get a sense that this is a more secure 
environment, then I think that will have the biggest impact from a 
positive point of view."

It's those prompts that raise some questions among security experts 
about a perennial trade-off between security and usability. To what 
degree would Microsoft ever risk making an operating system less 
user-friendly to make it more secure?

Peter Wood, a penetration tester--or "ethical hacker"--from First Base 
Technologies, suggests the Redmond, Wash., giant has made promising 
strides in answering this question.

"If Microsoft wants to make a more secure (operating system) then they 
need to weight the balance between usability and security more in favor 
of security," Wood said. "I believe they have done that by making more 
things turned on as default than turned off."

And the early impressions of Vista is that consumers will indeed be 
safer if they're willing to leave features disabled and work with 
increased prompts and pop-up warnings.

"For the end user, Vista is definitely a net benefit," said Jay Heiser, 
research vice president at Gartner. "Although Vista apparently exceeds 
expectations for robustness, which is a welcome surprise for everyone, 
my personal feeling is that Vista represents a much higher relative 
improvement for end users and small business than it does for the 
enterprise.

"Vista should be a much more robust environment for safe use by 
inexperienced, unsupported people on the Internet."

But while Vista was always expected to sell well to consumers, there's 
no doubt Microsoft hopes that its greater emphasis on security will also 
help boost enterprise sales.

Gartner's Heiser isn't convinced that will be the case. "Many 
enterprises are experiencing a very acceptable level of security failure 
today, without Vista," he said of the fact businesses have been raised 
on an expectation to need to secure past Microsoft operating systems and 
are seeing a growing trend toward risk-based security.


Identity and access management

However, Accenture's Okin said being able to simplify those very 
expensive security architectures--while maintaining strong layers of 
protection--will appeal to many enterprises. And he adds there are a 
number of features in Vista that businesses likely will add to their 
regular inventory of security tools.

"From a business perspective, I think the one feature which will have 
the biggest social change will be the new architecture around log-ons 
and smart-card authentication," Okin said. "For the first time ever it 
will be really very simple for applications to call upon smart-card or 
biometric authentication."

Currently half of Accenture's security business is done around identity 
and access management--a fact that makes Okin confident his former 
bosses have hit something of a sweet spot with the user-identity and 
authentication features.

"Over the next few years, you're going to be seeing the first apps which 
will find it very easy to say, 'OK, you need your biometric 
authentication now or your smart card,' whether it's online banking or 
e-commerce or anything else, he said.

"Up until now it has been expensive and difficult to do, and as long as 
it is expensive and difficult people will find a reason why they don't 
want to do it."

And it's not just Vista's identity and access management features that 
Okin thinks will have chief technology officers thumbing their 
checkbooks.

The operating system includes USB-device controls that help stop data 
leakage via devices such as digital cameras, iPods and memory keys, and 
also help prevent the introduction of unlicensed applications, 
copyrighted media and potentially infected files.

"I've got clients at the moment who are getting very excited about 
BitLocker," Vista's hard-drive encryption technology, Okin added.

This encryption feature is a long-awaited improvement to a Windows 
operating system that ethical hacker Peter Wood says is a definite move 
in the right direction.

"The BitLocker technology is quite an interesting approach. We've been 
pushing a long time for (corporations) to take whole-disk encryption 
seriously, particularly on laptops and other devices outside the 
physical perimeter, and the majority of people we've spoken to still 
don't have a strategy in place," Wood said.

However, Wood also suggested that BitLocker, like other Windows 
features, could yet be undermined.

"We use PGP (the Pretty Good Privacy encryption program) for our 
whole-disk encryption because it is independent of the operating 
system," Wood said. "My experience to date with Microsoft's controls of 
these systems is that there is usually a way around it because it is so 
part of the Windows environment."


Security as a selling point

Wood said that determined hackers may discover that searching for holes 
in the operating system will offer the path of least resistance. But he 
admits he has yet to get his hands on Vista and is basing his criticism 
on the ease with which he has cracked past Microsoft code.

And he remains to be convinced Microsoft can learn from all its past 
mistakes.

Probability plays a part, said Wood: "It's an enormous chunk of code and 
it is going to be full of holes because anybody's code would be."

BitLocker, though, will most definitely be an improvement, because 
encryption that could potentially be cracked is still better than 
nothing. But as with any new technology, Wood's major concerns with 
Vista relate to the biggest potential security weakness: the end user.

And because encryption will be tied to individuals' Windows user 
accounts, Wood fears this, too, will make BitLocker inherently insecure.

He doesn't share Okin's confidence that two-factor authentication--and 
Vista's greater receptiveness to stronger authentication--will make much 
difference, or even be used.

Wood fears that for all Vista's improvements, passwords--a "perpetual, 
primitive and stupid problem"--will still be the Achilles' heel for many 
businesses rolling out the operating system.

And while biometrics and smart cards are an improvement on passwords, he 
says, they are still only a superficial improvement. He instead favors 
pass phrases, which he says could dramatically increase the security of 
any Vista environment and make its other features work more effectively.

But the bottom line is it seems Microsoft is going to need more than one 
generation of secure code under its belt before people start to believe 
the prerelease Vista hype. All in all, Accenture's Okin isn't convinced 
security will have much to do with how well Vista sells.

"The clients I work with today are probably looking at migration because 
they are using Windows 2000 and they aren't about to switch to XP," Okin 
noted. "I've seen economics around power usage and around lost laptops 
and savings that could be made from BitLocker and everything else, but 
even jointly they are not compelling."

It's more likely businesses will be swayed by other factors, such as the 
timing of their equipment-replacement cycle or by a wish to not be out 
of step with employees using Vista's home edition outside of work.

Okin says chief technology officers are telling him: "I don't want my 
guys to go home and have a better experience."

"If you are on Windows 2000, then of course it's compelling and you may 
as well go. Those on XP will be trialing and can pick their time to go.

"But are they doing it because of the security features? No. Have I seen 
security features as part of a business justification? Part of them, 
yes, but really the business justification (based on Vista's security 
features) is weak as a whole."

Will Sturgeon of Silicon.com reported from London.


_________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
 



This archive was generated by hypermail 2.1.3 : Mon Nov 20 2006 - 22:56:33 PST