Wednesday, January 11, 2006

What is "security"??

Good question. We each approach topics like this differently, based on our background, experiences, etc. This thread on Slashdot caught my eye this morning, as did Brian Kreb's latest blog entry on SecurityFix (careful folks, it's a long blog entry, but an excellent read nonetheless).

My background in security started with pen-tests, war-dialing, and vulnerability assessments. I've also done policy development, etc. I've had a hand in incident response and forensics, as well. This is very different from Bill Gate's we view security differently. The Microsoft stance has been to support better security practices and there have been intiatives with regards to in light of things like SoBig, CodeRed, Nimda, and the more recent WMF issues, can we say that Micrsofot has failed?

Before giving you my thoughts, let me tell you about something that happened to me back on '00. I was working at a now-defunct telecomm company, as part of the corporate security staff. There was a rogue group of guys who claimed that they had security responsibilities, but you could never really tie them down...they were like kids who were told to not to do something, but they did it anyway. So, at one point, one of the guys from the team comes over and tells me how his group had identified an issue and confiscated a system. When they confronted the employee (without the presence of or even notifying HR, BTW...), the employee denied any knowledge of the issue. So these guys hired an outside consulting firm to come in and do forensic analysis of the hard drive...and the tasking they gave was to locate any files specific to the SubSeven Trojan/backdoor. That's it.

So this guy tells me that he looked at the hard drive and found a hidden DOS partition. He told me that we shouldn't deal with this company b/c in his mind, they didn't know what they were doing.

We (my boss and I) sat down and talked to the forensic analyst from the company. He showed us the tasking, and their final report. The documents clearly stated that the sole tasking was to locate files associated with SubSeven, which the company did (and to be honest, pretty much anyone could have done at the time).

So the question is, did the company "fail" or perform poorly? The analyst said that he'd identified the hidden DOS partition, but that partition did not contain the files in question. Since it wasn't part of the tasking, and the company was never given any information regarding the overall case or issue, they provided what they were asked for.

Now, back to the issue with Microsoft. I think what this all boils down to is a matter of expectations. When someone high up the food chain within Microsoft gets up on stage, most of the security guys in the audience hear "blahblahblahsecurityblahblah". They then fill in the gaps surrounding "security" with their own expectations, and feel justified pointing out failures. But wait a second...had they listened to the speaker, they might have heard him (or her) set those expectations and define "success" in their own context.

So, on the one hand, you can look at what Microsoft has done to improve security with things like a firewall for XP, and IIS 6.x functionality that's "off" by default as successful steps toward better "security". But does the recent WMF exploit issue really show that Microsoft has failed overall? Perhaps not. Microsoft's stance seems to be, "yeah, we know that this issue has been around since Windows 3.0, but there haven't been any publicly available exploits until now, and we had higher priority things to work on." Can you get mad at them for that? Really? I mean, don't we do the exact some thing everyday? Don't we have limited resources (time, money, etc.) and make decisions about what's important to us? How do we then feel when someone comes back to us and says that we "failed", but their determination of success is different from our own?

Maybe the approach that needs to be taken is different. Maybe what needs to happen is that more of Microsoft's customers need to get together and say, "hey, this stuff you've done is all well and good, but you know, malware, worms and rootkits are really kicking our butts...can you help us out?" Maybe if enough customers said this, Horton would hear the Who (NOT Roger Daltry). After all, haven't customers gotten Microsoft to redefine "success" before? Didn't someone from Microsoft say back in the early '90s that the Internet would never become what it has, in fact, become today?

No comments: