IT Security — State of the Nation

Piers Wilson, Senior Consultant, Insight Consulting Ltd.

Rather than tackle one particular topic in detail, this article will consider where IT security has got to across several fronts — in some areas considerable progress has been made, systems are “more” secure now than a few years ago. In other areas however, little has changed; the problem has just been moved around or hasn’t really been effectively solved. Certainly the threat landscape has changed, modern attacks are often intriguingly clever and powerful (witness the breadth of distribution mechanisms that the NIMDA virus used, the use of SQL injection against websites etc…). Technology has also presented further opportunity — just look at the flurry of threats that have surrounded wireless networks since their inception.



So how much, on balance, has the state of security changed? Let us consider several key areas to try and answer this.

Firewalls

Firewall technology has not changed much, but it has evolved. Modern firewall systems have undoubtedly responded to many of the network level threats of recent years and have also grown to provide some (often rudimentary) intrusion detection facilities. The trend towards appliance-type devices has made successful firewall deployment easier. The pre-hardened boxes act as a starting point for a modern firewall and give a significantly better baseline for security than a vanilla NT or Solaris platform, which requires manual hardening. Firewall software itself has also improved — firewalls today have much greater functionality to analyse and filter network and application level traffic and to provide additional services such as strong VPN encryption, more detailed logging, better management etc. Appliances still require some configuration though, and it is important to ensure that the default settings are turned on or off as appropriate.

Firewalls have also become cheaper for the most part; appliances mean that implementation costs are lower, but also that the platforms themselves are more cost effective. Certainly some of the appliance firewalls around today give exceptional value for money for the level of security and functionality they provide.

All this progress is best demonstrated by the move towards application-level attacks by the hacker community: most of the ways websites now get compromised are through attacks within the Web server itself or within the Web or database code that provides the site functionality. It is certainly rarer to find a system that suffers greatly from the network-based attacks of the past.

Having said all this, vigilance is still required. The network level attacks are still present and must still be guarded against, and the greater functionality of firewalls and ease of configuration means that common failings are still around. Obvious hazards include standard default passwords, activation of features that are not actually required, failure to set anti-spoofing on interfaces and ill-conceived rule bases with use of the “any” word and whole subnets in place of specific networks or systems.

Verdict: Significant improvement, but continued attention and improvement is still required.
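The hazards listed in the firewall section (default passwords, features left enabled that are not needed, interfaces without anti-spoofing, rule bases built on “any” and whole subnets) are exactly the kind of thing a rule-base review can check mechanically. The script below is an added example written for this page, not code from the article or from any firewall vendor: the configuration layout, the SAMPLE_CONFIG rule set, the DEFAULT_PASSWORDS and RISKY_FEATURES lists and the /16 threshold are all constructed for the example and would have to be mapped onto a real product's export format before use.

```python
"""Added example, not from the article or any vendor: a mechanical review
of a constructed firewall configuration for the common failings the text
lists. The config layout, SAMPLE_CONFIG, DEFAULT_PASSWORDS, RISKY_FEATURES
and the /16 threshold are all invented for the example."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed configuration, shaped loosely like an appliance export.
SAMPLE_CONFIG = {
    "admin_password": "admin",                       # vendor default, never changed
    "enabled_features": ["ssh", "snmp", "telnet", "http_admin"],
    "interfaces": {
        "outside": {"antispoof": False},
        "inside": {"antispoof": True},
        "dmz": {"antispoof": False},
    },
    "rules": [  # evaluated top down; the last rule is the catch-all drop
        {"id": 1, "src": "any", "dst": "203.0.113.10/32", "svc": "tcp/443", "action": "accept"},
        {"id": 2, "src": "10.0.0.0/8", "dst": "any", "svc": "any", "action": "accept"},
        {"id": 3, "src": "10.1.2.5/32", "dst": "10.9.9.9/32", "svc": "tcp/22", "action": "accept"},
        {"id": 4, "src": "any", "dst": "any", "svc": "any", "action": "drop"},
    ],
}

DEFAULT_PASSWORDS = {"", "admin", "password", "firewall"}   # constructed list
RISKY_FEATURES = {"telnet", "snmp", "http_admin"}            # cleartext or rarely needed
MIN_PREFIX_LEN = 16   # anything wider than a /16 counts as "a whole subnet"


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    where: str      # the object the finding is about
    message: str


def is_broad(address: str) -> bool:
    """True for 'any' or for a network wider than MIN_PREFIX_LEN."""
    if address == "any":
        return True
    return ipaddress.ip_network(address, strict=False).prefixlen < MIN_PREFIX_LEN


def audit(config: dict) -> list:
    """Return one Finding per hazard found in the configuration."""
    findings = []
    if config.get("admin_password", "") in DEFAULT_PASSWORDS:
        findings.append(Finding("high", "admin", "default or empty administrator password"))
    for feature in config.get("enabled_features", []):
        if feature in RISKY_FEATURES:
            findings.append(Finding("medium", f"feature:{feature}",
                                    "enabled; switch off unless actually required"))
    for name, iface in config.get("interfaces", {}).items():
        if not iface.get("antispoof", False):
            findings.append(Finding("high", f"interface:{name}", "anti-spoofing not set"))
    for rule in config.get("rules", []):
        if rule["action"] != "accept":
            continue   # only permits widen exposure; the catch-all drop is fine
        loose = [side for side in ("src", "dst") if is_broad(rule[side])]
        if rule["svc"] == "any":
            loose.append("svc")
        # One open field can be deliberate (any source to one web server on
        # 443); two or more means the rule lets most traffic through.
        if len(loose) >= 2:
            findings.append(Finding("medium", f"rule:{rule['id']}",
                                    "over-broad permit: " + ", ".join(loose) + " unrestricted"))
    return findings


def summarise(findings) -> dict:
    """Count findings by severity, e.g. {'high': 3, 'medium': 4}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    for f in results:
        print(f"[{f.severity:6}] {f.where:18} {f.message}")
    print(summarise(results))
```

A permit with a single unrestricted field (any source to one host on one port) is often legitimate inbound exposure, so the script only raises a rule when two or more of source, destination and service are open; the catch-all drop is skipped because only permits widen what gets through. On the constructed configuration it reports three high findings (the default password and the two interfaces without anti-spoofing) and four medium ones (three risky features and rule 2).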

Operating systems

In general the picture with operating systems is no rosier than some time ago. Modern operating systems have just as much wrong with them as ever. All the main OSs have an ever growing library of faults, vulnerabilities and weaknesses. If you broaden this out to the Web, database and application servers that external facing systems are so reliant on, then the picture is even worse.

Microsoft’s much vaunted security improvement programme has yet to make a real impact, and the future initiatives for “trusted” computer systems will probably continue to be plagued by the same kinds of problems.

What has changed is that modern operating systems now contain as standard many of the security functions that used to require installation of third party tools. Take Windows 2000 — directory services, smartcard support, PKI (of sorts), group security policies, delegated administration, VPN, (limited) file encryption via EFS etc.

These features are all welcome, but many were truly version 1.0 features in Windows 2000 and as such are still some way off providing a fully effective solution. They are a good start and, with thought and careful development, will give businesses real tools to implement security in a fully integrated way.

There is still a tendency in many environments to ignore many of these features and stick with the out-of-the-box build with all its insecure defaults.

Verdict: Slight improvements, but much more work required by both vendors and administrators.

Intrusion detection

Intrusion detection has improved significantly in recent years; the solutions on the market today are much more manageable and capable than those that were around a few years back when the technology was less mature.

They often now support a hierarchical arrangement to better control data flows, and many provide pretty good diagnostic/forensic capabilities to try to piece together what has happened after an attack. The sophistication has also been extended so it is now easier to monitor multiple high speed network segments and combine host and network-based detection. This, coupled with integration of IDS features in firewalls and other network appliances, has made IDS easier than ever to deploy.

NESE DECEMBER.qxd 10/12/2002 14:06 Page 15

What still fails within an IDS system though is the people element. When an alarm triggers, what will you do? How will you investigate, escalate and resolve it? Clearly, the problem of false positives aside, if you have inadequate procedures, knowledge or resources to resolve and learn from an incident it is still difficult to see the actual benefit of IDS.

Clearly, the growth of managed services aims to address this, and in the opinion of most this type of service lends itself very well to the use of IDS.

Verdict: Much greater technical maturity in the market place, but problems with false positives and how to actually manage the tools remain.

Applications security

Applications fall into several categories: there are desktop or client applications, or the platform type such as Web or database systems (which have client applications loaded on top of them). Many of the failings that affect operating systems, such as insecure defaults and the large numbers of vulnerabilities (that leave unpatched systems open to exploit), also affect applications themselves — especially the Web and database systems that are now so common.

Where attention has been focussed recently is on the Web applications themselves that so many companies now rely on to trade over the Internet. A much greater importance should be attributed to the security of the Web application and code. The threat level has increased significantly — attacks on the site code via the URL or the form elements are potentially much more damaging. The likes of cross site scripting, hidden fields, cookie poisoning, HTTP state attacks, weak authentication schemes and SQL injection (which can allow arbitrary database queries or system commands to execute on the back end systems — yes, that’s right, the back end systems) all combine to mean that the world is a much more dangerous place if you are in Web application development. Many of these don’t require any special tools, as often they can be exploited through the URL in the browser or the text boxes on a Web form.

Verdict: Danger — many problems found today have their roots within the applications and site design.
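To make the application-level risks above concrete from the developer's side, here is an added example that is not from the article: the same login query written by string concatenation and with bound parameters (the difference that decides whether a text box can change the query), an HMAC check that stops server state carried in a hidden field or cookie from being altered in the browser, and output escaping against cross site scripting. The sqlite3 table, its user rows, the SECRET value and all function names are constructed for the example.

```python
"""Added example, not from the article: SQL injection (string-built query
versus bound parameters), tamper-proofing state sent to the browser, and
output escaping. All data and the SECRET are constructed."""
import hashlib
import hmac
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed user table. Passwords are stored in clear only to keep
    the example short; a real system stores a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """The form fields are pasted into the SQL text, so a quote in either
    field changes the query's logic instead of being compared as data."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterised(conn, username: str, password: str):
    """Bound parameters: the driver passes the values separately from the
    SQL text, so they can only ever be compared, never interpreted."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


SECRET = b"constructed-server-side-secret"   # constructed; real keys live outside code


def sign_state(payload: str) -> str:
    """State that must round-trip through a hidden field or cookie gets an
    HMAC; the browser can read it but cannot change it undetected."""
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_state(token: str):
    """Return the payload if its HMAC is intact, otherwise None."""
    payload, sep, mac = token.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload if hmac.compare_digest(mac, expected) else None


def render_greeting(name: str) -> str:
    """Escape before placing user text in HTML so it is shown, not run."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    print(login_parameterised(db, "alice", "correct horse"))   # alice
    print(login_parameterised(db, "alice", "' OR '1'='1"))     # None
    print(login_vulnerable(db, "alice", "' OR '1'='1"))        # alice: the WHERE clause was rewritten
    tok = sign_state("user=alice;basket_total=100")
    print(verify_state(tok))                                   # the payload, intact
    print(verify_state(tok.replace("100", "1")))               # None: tampered
    print(render_greeting("<script>alert(1)</script>"))
```

The parameterised version treats the whole password field as one value to compare, so the classic quote-and-OR input simply fails to match; the concatenated version lets the same input rewrite the WHERE clause. The signed-state helper is the server-side answer to hidden-field and cookie tampering: the value still travels through the browser, but any edit invalidates the MAC.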

Secure messaging/file encryption

Theoretically at least, encryption should be a cornerstone of computer security, and in some areas it is just that — look at SSL, used by virtually every transactional website in the world, or the IPSec protocol suite that the majority of the world’s VPNs use. Why then do the equally useful concepts of email encryption and disk/file encryption seem to be lagging so far behind? Mainly the reason is down to the difficulties of key management: either generation, distribution or in some cases recovery. Certainly the hesitant take up of PKI has not helped organizations to adopt secure email solutions, but the problems of virus checking encrypted messages and trying to store encrypted information safely (so that it can be recovered) still seem to be largely unsolved. Turning to digital signatures, despite legislation, the trust one can place in a digital signature is sometimes difficult to establish if it has been generated outside your own environment.

File encryption or disk encryption has had a better time; certainly single user systems that aim to protect laptops are available and are manageable and useable. However, setting up a community of users who can access a certain encrypted resource is tricky, and where data is stored in encrypted format the ability to keep key histories (when keys change), re-encrypt data or provide key recovery are still the biggest problems.

Verdict: Now capable of supporting secure network transmission or single user environments, but still difficult for any kind of multi-user environment such as email or shared file access.

Logging/monitoring/systems management

System logs are not, in my experience, effectively collected, archived and monitored. This was the case a few years ago and is still the case now. There are emerging tools that can provide some of what is required, certainly to a reasonable extent in terms of log collection, storage and analysis/reporting.

But take up of these is rare, and equally so is the use of synchronised time sources and the definition of an appropriate configuration to define exactly what information is required to be collected.

Regrettably it seems unlikely that this will improve much, although certainly IDS can fill some blanks. However, logging and monitoring is still high in the list of audit/review findings, but there are real issues in actually achieving it in an effective way.

If we had three wishes, we would ask first that there was a central time source using NTP to provide at least consistency; second we would specify a policy to actually control the log information that was collected to ensure that it is appropriate (not too much, not too little); and third that there was at least some mechanism to centrally or locally collect and rotate/archive log data over a period of time (e.g. rotate daily and archive weekly, say). At least you would then have the information available in a useful form (for diagnostic, investigative or troubleshooting purposes), even if there was no automatic mechanism to actually analyse it proactively.

Verdict: Effective logging is alarmingly rare.
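The three wishes above (a consistent time source, a policy that controls what is collected, and daily rotation with weekly archiving) are simple enough to express in code. The block below is an added example and not part of the article: it applies a collection policy to a handful of constructed syslog-style records, flags hosts whose own timestamps disagree with the collector's clock by more than five minutes (which is what a host that is not on the central NTP source looks like from the collector's side), and works out which daily log files are due to be bundled into weekly archives. SAMPLE_RECORDS, the COLLECT/DROP_IF_CONTAINS policy, the file naming scheme, the thresholds and REVIEW_DATE are all invented for the example.

```python
"""Added example (not from the article): collection policy, clock-skew
check and rotate-daily/archive-weekly planning over constructed data."""
import re
from datetime import date, datetime, timedelta

# Constructed records: (time the collector received the line, raw line).
# Raw line layout, also constructed: "<ISO timestamp> <host> <facility:> <message>"
SAMPLE_RECORDS = [
    ("2002-12-10T14:06:00Z", "2002-12-10T14:05:58Z fw1 auth: login failed for admin from 10.0.0.5"),
    ("2002-12-10T14:06:01Z", "2002-12-10T13:21:07Z web2 sshd: session opened for alice"),
    ("2002-12-10T14:06:02Z", "2002-12-10T14:06:01Z fw1 kernel: debug interface counters dumped"),
    ("2002-12-10T14:06:03Z", "2002-12-10T14:06:03Z db1 audit: rule base changed by bob"),
]

# Collection policy, "not too much, not too little": keep the facilities that
# matter for accountability and drop chatter. Both lists are constructed.
COLLECT = {"auth:", "sshd:", "audit:"}
DROP_IF_CONTAINS = ("debug",)
MAX_SKEW = timedelta(minutes=5)   # tolerance before a host's clock is reported

LINE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse_ts(text: str) -> datetime:
    """ISO 8601 with a trailing Z, as used in the constructed records."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_line(line: str) -> dict:
    """Split one raw line into timestamp, host, facility and message."""
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    ts, host, facility, msg = m.groups()
    return {"ts": parse_ts(ts), "host": host, "facility": facility, "msg": msg}


def wanted(rec: dict) -> bool:
    """Apply the collection policy to one parsed record."""
    if rec["facility"] not in COLLECT:
        return False
    return not any(word in rec["msg"] for word in DROP_IF_CONTAINS)


def collect(records):
    """Return (records kept under the policy, hosts whose clock is off)."""
    kept, skewed = [], set()
    for received_text, line in records:
        received = parse_ts(received_text)
        rec = parse_line(line)
        # A host timestamp far from the collector's clock means the host is
        # not on the central time source; its events will not correlate.
        if abs(received - rec["ts"]) > MAX_SKEW:
            skewed.add(rec["host"])
        if wanted(rec):
            kept.append(rec)
    return kept, sorted(skewed)


DAILY_NAME = re.compile(r"^(.+)-(\d{4}-\d{2}-\d{2})\.log$")   # e.g. fw1-2002-12-02.log
SAMPLE_DAILY_FILES = ["fw1-2002-12-09.log", "fw1-2002-12-02.log", "fw1-2002-11-28.log"]
REVIEW_DATE = date(2002, 12, 10)   # constructed "today" for the plan


def rotation_plan(daily_files, today: date) -> dict:
    """Rotate daily, archive weekly: daily files at least a week old are
    grouped into one archive per host per ISO week."""
    plan = {}
    for name in daily_files:
        m = DAILY_NAME.match(name)
        if not m:
            continue   # not one of ours; leave it alone
        host, day = m.group(1), date.fromisoformat(m.group(2))
        if today - day < timedelta(days=7):
            continue   # still inside the daily rotation window
        year, week, _ = day.isocalendar()
        plan.setdefault(f"{host}-{year}-W{week:02d}.tar.gz", []).append(name)
    return plan


if __name__ == "__main__":
    kept, skewed = collect(SAMPLE_RECORDS)
    for rec in kept:
        print(rec["ts"].isoformat(), rec["host"], rec["facility"], rec["msg"])
    print("hosts with clock skew:", skewed)
    print(rotation_plan(SAMPLE_DAILY_FILES, REVIEW_DATE))
```

On the constructed records the policy keeps the auth, sshd and audit lines and drops the kernel debug line, and web2 is reported for clock skew because its timestamp is some 45 minutes behind the collector. The rotation plan leaves the file from the previous day alone and groups the older two into per-week archives, which is the "rotate daily and archive weekly" scheme the text suggests.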

Authentication

Authentication is important; it forms the foundation stone for so many other controls such as access control, accountability and logging that getting it wrong often means a system or organization faces very real problems.

Luckily things are improving in this area. Notably, the password controls in the most common desktop operating systems are now improved and support for smartcards has been made easier; the number and quality of third party authentication products is also now good, and the availability of USB ports within laptops means that the same functionality as smartcards can be provided in a compact token that doesn’t force you to carry around a bulky reader. These mean that strong authentication (i.e. two factor) is easier than ever and can start to be adopted for uses outside purely remote access, which it has tended to be limited to in the past. Smartcards and USB tokens also provide a good and secure way to hold user keys, making the use of encryption more effective.

Also, biometric technologies have progressed to the point where they are now starting to gain increasing market acceptance. The advent of combined mice/keyboards and fingerprint readers means that the barriers to deployment are dropping away. Although there are still issues with the technology, these are increasingly becoming offset by the benefits.

If organizations make maximum use of the controls in their operating systems and investigate the adoption of stronger schemes beyond remote access users, for example fingerprint biometrics or smartcard logon, they will be making real inroads into providing a very high level of assurance in the authenticity of users and avoiding the problems inherent in password-based schemes.

Verdict: The technology is there, it just needs to be adopted.

State of the nation

We’ve only covered a few issues here; there are undoubtedly others that you may feel are equally, or more, important — but where has all this brought us?

What should be clear is that progress is being made to make systems more secure, but in some areas the pace of change has been slow. What should also be evident is that in many areas we have addressed one family of threats to see another rise up to take its place.

Certainly there is more work to do; look at the issues above and assess your own progress against them (it will at least give a starting point). If you’ve deployed appliance firewalls, invested in Windows 2000 (and used the security features it provides) and strategically placed IDS sensors on critical or external network segments you are moving forward at least, but have you improved your handling of logs, is your patching process any slicker than in previous years and have you looked seriously at replacing passwords with something more secure and manageable?

If you have Web applications deployed on your public site, have you had a proper review of their design and implementation done? I’m not just referring to a token vulnerability scan but a proper assessment of the weaknesses in the systems as a whole.

There is still much room for improvement. We often find many problems, such as lack of patching, poor rule bases/security policies and ineffective logging, still haunt many online systems, and often the welcome improvements in some areas are tempered by a continued failing to get the basics right.

We have seen that the desire to change and improve security is increasing; people are becoming more and more aware of the problems and getting better in-house skills to ensure that these risks can be met.

Managing Network Security

Back Up a Minute

Fred Cohen

Series introduction

Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection programme success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.

The problem with backups

I cannot express to you how painful it has become to do proper backups lately. Last month I bought four new 120 Gig hard disks. The purpose of two of the disks was to provide backup for the other two.

This month's article is about the decreasing options for doing backups and the implications of the lack of backup on protection.