July 29, 2003

Security is not a Product or OS, it's a Process

Sorry I haven't posted lately, but I have been in the dark chasms of the kernel debugger, working on a new mandatory access control system for Windows. Which gets me to my post today. It seems lately I have been getting a lot of flak from friends and colleagues about my choice to develop security components on the latest Windows platforms, especially since Scoble commented on my visit to the Microsoft campus. I was simply ignoring the comments, as everyone is entitled to their opinions, and I have been trying to stay under the radar for some time now. Besides that, as Scoble has pointed out recently, secrets are a good thing(tm). Although I won't comment directly on what I am working on, I decided after a barrage of emails from a few hardcore Linux zealots that I respect (who wish to remain anonymous [cowards :) ]) that I should explain WHY I made this decision.

If you know me at all, you know I myself was a Linux zealot moons ago. Now I realize you need to use the right tool for the right job. (And Linux is still right for me as a server environment for small businesses.) But for over 6 years I did nothing but live, breathe and DIE by the Linux sword. I wrote components to build firewalls, IPSec VPN devices, IDS sensors, automated vulnerability assessment tools and a plethora of supporting code to wrap them all nicely together. I invented the FireCard (now called the GG-Blade) and led the team that created the first secure embedded OS based on Linux, way before the embedded movement even got started. (An entire security platform designed in under 8 megs of RAM.) It won many awards and received great praise from the security industry. That's where the ego-stroking fun ends of what I did, and reality begins. The reality is that security is a process, not a product. Yes, I continue to quote Bruce Schneier's mantra to this day… but I didn't really live by it.
What good was making great technology that was not used by very many people? More to the point, how arrogant could I be to assume that the world would change their beliefs in security and flock to an embedded device that truly could HELP them mitigate their online risks? Well, as I stand here now, I tell you that security is a business problem, and not a technology one. And that is why I left and founded a new security company. Which gets me to the core of why I decided to build security components on Windows.

For years I criticized Microsoft for its lax position on security, especially as it relates to the attack surface of its default installation, its continuous bad behavior in patch management and its release management cycles for security fixes. It was a sore spot, but something I could always attack because Linux was better. And it was. And in many cases it still is. But as I say this, I remember why I dislike where many Linux vendors like RedHat have been going. They have fallen into the same trap as Microsoft and sacrifice security for ease of use. For some silly reason people believe they can't have both a secure environment and ease of use. Here is a reality check for everyone. Operating systems MUST start shipping in a secure state before we can even begin to properly secure the network topology. With Windows 2003, Microsoft is starting to get that. It's ridiculous to assume that Microsoft doesn't have some of the brightest security minds on campus. I know some of them, like Michael Howard, KNOW what to do, and work hard in the Secure Windows Initiative division to distill this mindset to the rest of the campus. You can't change a developer's thinking overnight, but I am starting to see Microsoft slowly turn around. And this is where I come in. Instead of bitching about the insecurities of Windows, I have decided to do something about it. I think Kevin Day summed it up best in his book Inside the Security Mind:
Amen. So that is where I am. I am addressing what I believe are weaknesses in platforms used by a majority of the Internet, in an attempt to make the best protective measures become normal operations within an organization. So that HAS to include Microsoft platforms. Most commercial operations have Internet- or network-facing devices running Microsoft products that are not properly maintained. This is a key realization. Each of these poorly secured systems has been administered by someone who did not treat security as a normal operation, and now it's becoming our problem because their systems are attacking us. If security practices are a burden, something is wrong. This is where most vendors (including Microsoft) have failed. And that is the trick. Our role should be to keep ourselves safe so others will be safe from us. And this has to be accomplished by easing the complexities of the platforms and providing mechanisms to regain trust in these environments. Personally, I see this as something lacking in Microsoft platforms. It is simply too hard for many system administrators to regain that trust, which makes it too hard to trust them. We need to be able to trust… but verify… that the appropriate actions to properly secure the environment are being taken.

Don't believe me? Consider this scenario. Someone has just defaced your main webpage on W2K. In a single command, right now, show me the last 10 people who logged onto your W2K environment, and tell me how long they were on. Now tell me which files they touched, and what changed. Restrict and jail IIS so it can load files only from the web's root directory, and prevent any write operations on those files. If you are based off a default W2K install… you can't. And if you are not a guru of the platform, you probably won't be able to figure out how to do this anyway. And by now… it's already too late.
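The three questions in that scenario, as an added example that is not part of the original post: on a current Windows host with PowerShell, the logon history, the session lengths and the list of changed files come out of a few commands, and IIS can be denied write access to its own content with one ACL. Every one of these depends on something having been set up beforehand, which is the point of the post: the logon/logoff events only exist if "Audit Logon" and "Audit Logoff" were enabled before the incident, attributing a file change to a particular session needs object-access auditing on the web root, and the session must be elevated to read the Security log. The web root path and the application pool name below are assumptions for illustration.

```powershell
# Added example, not from the original post. Assumes a current Windows host,
# an elevated PowerShell session (the Security log needs it) and that
# "Audit Logon" / "Audit Logoff" were enabled before the incident; nothing
# below can recover events that were never written. $WebRoot and $AppPool
# are assumptions for illustration.
$WebRoot = 'C:\inetpub\wwwroot'
$AppPool = 'IIS AppPool\DefaultAppPool'

# Pull a named EventData field out of a Security event by parsing its XML
# rather than relying on positional Properties[] indexes, which differ by event.
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. The last 10 logons and how long each session lasted.
#    4624 = successful logon, 4634 = logoff, 4647 = user-initiated logoff.
#    A logon and its logoff share the same TargetLogonId, so pair on that.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634, 4647 } -MaxEvents 20000

$sessions = @{}
foreach ($e in ($events | Sort-Object TimeCreated)) {
    $logonId = Get-EventField $e 'TargetLogonId'
    if ($e.Id -eq 4624) {
        $type = [int](Get-EventField $e 'LogonType')
        # Keep human sessions: 2 interactive, 3 network, 7 unlock, 10 RDP.
        # Type 4 (batch) and 5 (service) logons would swamp the list.
        if ($type -in 2, 3, 7, 10) {
            $sessions[$logonId] = [pscustomobject]@{
                User      = (Get-EventField $e 'TargetDomainName') + '\' + (Get-EventField $e 'TargetUserName')
                Source    = Get-EventField $e 'IpAddress'
                LogonType = $type
                Start     = $e.TimeCreated
                End       = $null
            }
        }
    }
    elseif ($sessions.ContainsKey($logonId) -and -not $sessions[$logonId].End) {
        # First logoff seen for this logon id closes the session.
        $sessions[$logonId].End = $e.TimeCreated
    }
}

$sessions.Values |
    Sort-Object Start -Descending |
    Select-Object -First 10 User, Source, LogonType, Start, End,
        @{ Name = 'Duration'; Expression = { if ($_.End) { $_.End - $_.Start } else { 'still logged on' } } } |
    Format-Table -AutoSize

# 2. Which files under the web root changed in the last day. This is file
#    metadata only; tying a change to a specific session needs object-access
#    auditing (event 4663) on the web root, again configured before the incident.
Get-ChildItem -Path $WebRoot -Recurse -File |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) } |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, LastWriteTime, Length |
    Format-Table -AutoSize

# 3. Stop IIS from writing to its own content. A Deny Write ACE for the pool
#    identity means a compromised site cannot overwrite its own pages; (OI)(CI)
#    makes the deny inherit to existing and future files and folders.
#    Content deployment then has to run as a different account, which is the intent.
icacls $WebRoot /deny "${AppPool}:(OI)(CI)W"
```

The Deny ACE answers only the "no writes" half of the challenge; confining what IIS can read outside the web root is a matter of the pool identity's rights across the rest of the filesystem, not a single command, and is better done by auditing what that identity can reach before the site goes live.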
You are in the process of doing a forensic analysis… and this wasn't configured and set up before the incident occurred. This has to change. And instead of bitching and moaning, I am doing something about it. And I stand by that decision. So continue to fire off more flak if you care to; I am thick-skinned. While you barrage and berate me for making such a decision, remember that my efforts will result in helping YOU, as fewer Windows machines will have such a huge attack surface to be used as a hacker's piñata… and thus end up being a launching point to nail your Unix servers and Windows workstations.

Posted by SilverStr at July 29, 2003 09:36 AM

Comments
As usual Dana, very well said. As far as listing the last people that logged in in a single command, wouldn't that be last(1)? :)

Posted by: Arcterex at July 29, 2003 08:07 PM

Arc, on Unix environments it would be… but figure out how to do that on Windows. See my point?

Posted by: SilverStr at July 29, 2003 08:09 PM

Hmmm… where to start :) I view your defection as a person who wrote an amazing Linux-based tool and, due to amazingly poor marketing, never got to where it should have. Now, due to concerns of feeding your family, you are working on a platform that will not scare Joe Average like Linux does. Doing this is just plain smart. I don't agree that we should make Windows more secure; I'd rather we show more people why they shouldn't be running Windows. I'm probably in the group that has slammed you (and if not, consider yourself slammed), but that's merely because I want Windows to fail because it's a monopoly that's trying to make Linux fail via not-nice means. In the end, you are a programmer and need to make money and will do what's necessary. As for the whole security theme, I saw a cool sig: Security is like ogres and onions, they have layers. Last thought: I hope you aren't taking the "slams" as a personal attack against you. I'm sure they aren't. Most of them, I'd suspect, are a hope that you'd find a way to make money in Linux again, and not feed the Dark Overlord. It's like when people call me a lazy ass for not working; they just don't understand the whole picture. (Was THAT long-winded enuf?)

Posted by: raskal at July 29, 2003 11:00 PM

You're right. My belief is that this idiom can really be extended not just to security, but to any product. The value is in the process behind creating a product (software, widgets, tires, shoes, thread, pens, etc.) and not so much the ingredients. It boils down to having a good process that properly utilizes the resources available.

Two companies can have the same resources, talent, cash, etc. available but yet end up with a different result… depending on how well their processes are designed, documented, measured, and so forth. The only thing consistent in a process is change. Definition of "Process" from dictionary.com: "A series of actions, changes, or functions bringing about a result".

Posted by: Cuvarack at July 30, 2003 07:26 PM
My 5 Favorite Books

Writing Secure Code
Secure Programming Cookbook
Security Engineering
Secure Coding Principles & Practice
Inside the Security Mind
My 5 Favorite Papers

Smashing the Stack
Penetration Studies
Covert Channel Analysis of Trusted Systems
DoD Trusted Computer System Evaluation Criteria
NSA Security Recommendation Guides