Cybersecurity report card


IT security is under siege. At this juncture, the intruders have the upper hand, and they are taking advantage of increasingly sophisticated tools and unsophisticated IT organizations and users. A Computer Security Institute and Federal Bureau of Investigation survey of 500 U.S. companies shows an increase in reported financial losses of 21 percent, or $455.8 million, for 2002. In addition, those losses are increasingly the result of organized, planned cyberattacks. Gartner predicts that by 2005, 60 percent of security breach incident costs incurred by businesses will be financially or politically motivated.

In light of the state of cybersecurity, I devised a report card for the various players involved in the security ecosystem. The key players include hackers, software developers, the security industry, Microsoft, government, IT organizations, and end users. What follows is the report card for each player involved in either perpetrating or preventing cyberattacks. The criteria for the grades are based on an assessment of each player's progress over the last year in improving its security profile or, in the case of hackers, an ability to perpetrate security breaches.

Hackers: A-

Security incidents continue to escalate, and are on track to double from the previous year. Malicious hackers are more prepared, organized, skilled and subversive. They are capable of erasing their tracks, making detection and prosecution difficult, as well as exploiting a host of vulnerabilities and software design flaws. Hacking tools, especially the freely downloadable flavor, are growing in sophistication, which lowers the threshold for attacker knowledge. IT organizations are more aware of potential vulnerabilities, but can't keep up with the flurry of patches and managing across complex enterprises. Some patches do more harm than good, introducing incompatibilities that can bring systems down. In addition, corporations haven't done a good job of educating employees about the dangers of social engineering, which is a common method by which hackers extract passwords and other essential data that make access to protected systems easy.

Unfortunately, the hacker community earned an A- for its collective efforts. The minus was given because no one or group is perfect, and the hackers, those with malicious intent, will continue to have the upper hand for the foreseeable future.

Software developers: D+

While we haven't reached the level of "The Matrix" in terms of a digital universe pulsating with trillions of lines of code, there are billions of lines of code in use that were not crafted with security in mind. Common vulnerabilities, such as buffer overflows, continue to plague commercial and in-house software. Software developers are placing more emphasis on improving quality assurance and coding practices, but relief from insecure software is hampered by the amount of legacy code in place, as well as the challenges of hack-proofing code before it becomes commercially available. Gartner estimates that less than 20 percent of larger enterprises have the staff and expertise necessary to develop secure software for their enterprises.

The software developer community receives a D+ grade, indicating that they are making efforts to improve software security but have a long way to go before customers have confidence in the trustworthiness of the code. The number of vulnerabilities and resulting patches has been declining for some products, but we are only at the beginning of securing existing code bases and developing more effective coding and quality assurance practices.

Security industry: C-

The security industry has a significant burden on its shoulders, as well as opportunity. Hundreds of companies, ranging from the established giants to startups, are trying to get in on the action. IT spending on security products is outpacing spending on technology in general, but many IT organizations are falling short in acquiring and deploying solutions due to budgetary constraints.

The various products, such as virus protection, intrusion detection, VPNs, identity management, spam eradication and firewalls, continue to evolve and improve. Intrusion detection systems are still too easily fooled, but several companies are developing comprehensive security suites that combine real-time monitoring and sophisticated data correlation across an extended enterprise. While attackers will find ways to subvert detection systems, the number of false positives and concomitant fire drills will decline significantly.

Standards are getting sorted out for Web services and wireless security, which should ease the transition toward service-oriented architectures and the mobile enterprise. In addition, standards and trade organizations are focusing on ways to improve the process of vulnerability discovery and remediation. OASIS (Organization for the Advancement of Structured Information Standards) formed a Web Application Security (WAS) technical committee, which will develop a model and a data format for describing security problems, as well as a rating system to express the severity of vulnerabilities. The Trusted Computing Group--with founding members Advanced Micro Devices, Hewlett-Packard, IBM, Intel and Microsoft--hopes to license and market security hardware and software technology that they intend to integrate into every computing platform, from PCs and PDAs to mobile phones.

The security industry received a C- for its efforts, often self-serving, to develop better security products and services. The fact that many companies cannot afford to invest in the products and services, and that too often the products are difficult to implement, detracts from the overall ability of the industry to benefit more rapidly. With more spending from IT organizations will come more competition and product improvements. The minus goes to the somewhat sluggish efforts by the various standards bodies to establish the protocols and guidelines that simplify and lower the cost of security management.

Microsoft: D

Microsoft is singled out among all vendors to receive a report card because of its dominant market share across several software categories. The company certainly deserved a failing grade prior to 2001, but is making a serious effort to improve its security profile. The company's Trusted Computing Initiative launched in 2001 has yielded some improvements, but it will take several years to render significant impact.

The SQL Slammer worm earlier this year showed the impact that Microsoft vulnerabilities have worldwide. Despite the fact that a patch was available six months earlier, the Slammer worm had a devastating impact, temporarily disabling some ATMs and disrupting many corporate networks, including Microsoft's. In recent days, new patches were issued for vulnerabilities in the IIS server, Windows Media Services and NT 4.0. In early May, a major security flaw surfaced in Microsoft's Passport user-authentication service. The flaw potentially could have exposed 200 million Passport accounts to unauthorized use.

Microsoft received a D grade, acknowledging that some progress has been made in addressing the way the company develops and updates its software. The interdependencies among the cybersecurity players, especially software developers and IT organizations, will require more of a collaborative effort to make the patching and upgrade process less painful and costly.

Microsoft's Next-Generation Secure Computing Base (NGSCB), formerly known as Palladium, could help to create more secure applications, but it's too early to tell if this technology will solve more problems than it will create. Windows Server 2003 and the next Microsoft operating system ("Longhorn"), due in 2005, should provide a good benchmark on whether Microsoft's Trusted Computing Initiative will earn a better than 'D' in the coming years.

Government: D

The U.S. government has taken a more prominent role in cybersecurity since 9/11, but most of the onus is on the private sector, which controls 70 percent of the critical infrastructure. The government, a major source of revenue for the security industry, has budgeted to spend around $4.2 billion for security products and services this year.

As a cybercrime fighting force, the government is understaffed and underbudgeted to deal with the scale and complexity of issues and incidents. As a result, the various agencies dealing with cybercrime, such as the FBI and the Secret Service, are often reactive rather than proactive in dealing with security incidents.

The Department of Homeland Security (DHS) is expected to establish a national cybersecurity center to improve information sharing and incident response. The government will likely look to work with the private sector to develop programs for educating the public, professional certification programs, and benchmarks for assessing levels of IT security. For the public sector, the National Institute of Standards and Technology is defining security measures for agencies as mandated by the Federal Information Security Management Act of 2002.

A major problem for the government cybercrime agencies is the reluctance of corporations, fearing adverse publicity, to share information about security breaches. According to a recent report from the Computer Security Institute and the FBI, 30 percent of respondents surveyed said they had contacted law enforcement agencies after an intrusion. It will be difficult to compel corporations to involve law enforcement in cybercrime cases without more assurances that government will protect the identity of victims.

The U.S. government received a D for its current efforts to deal with cybercrime and securing its own IT infrastructure. The grade is a reflection of the bureaucratic and cultural challenges ahead in securing cyberspace in collaboration with the private sector, and in finding a balance between privacy and security.

IT organizations: D+

IT organizations have had a tough time in dealing with cybersecurity. Companies are increasingly reliant on the Internet, which is a fertile ground for attackers exploiting HTTP, open ports, and back door connections. Most enterprises lack sufficient resources, and budgets, to sufficiently limit damage from cyberattacks. System and network administrators often have skills and training to deal with the aftermath of an attack, but not for prevention. Most enterprises lack robust monitoring and logging capabilities to detect or prevent attacks. In addition, the complexity of network infrastructure and the sophistication of hackers make prevention a task requiring specialized skills and an array of products.

IT organizations received a D+ for their efforts to date. On one hand, IT organizations have an almost impossible task in defending their networks. In 2002, more than 5,000 vulnerabilities were reported. Most IT organizations fall down in trying to keep up with the overload of alerts, patches and upgrades. However, the majority of attacks come from known vulnerabilities with available patches, such as the SQL Slammer worm. Enterprises need more automated systems for maintaining up-to-date software and hardware configuration.

Over time, IT organizations will play the most critical role in improving the grade of all groups involved in securing networks. For example, if IT organizations were more inclined to use their buying power as leverage against their solutions providers to clean up their acts, we might be seeing swifter and more resolute action on behalf of all solutions providers. Perhaps the D+ could be attributed to the economy, which has frozen IT budgets, and to executive management that hasn't properly prioritized cybersecurity. An IT organization adequately funded, with resident expertise and a proactive attitude, can go a long way toward keeping up with the hackers.

End users: C

It's difficult to place blame on the end user population for the sorry state of cybersecurity. They are caught up in the maelstrom. The major problem is a lack of education and awareness among end users. Corporations, as well as communities, need to sponsor campaigns to educate employees about the dangers of social engineering, insider attacks, and unprotected systems. This is not a costly endeavor in terms of time or money.

The end user community received a C, or average, grade for its more passive role in the security ecosystem. A more proactive end user community demanding more secure systems and high availability would help in a grassroots way, and raise the grade. More broad adoption of identity management systems would make life easier and more secure for end users. Finally, security standards for quality of service need to be set up to give end users more confidence in the products they use.
