NEWS AT SEI
This article was originally published in News at SEI on: September 1, 1998
Security Matters will focus on the topic of network security and its relationship with and impacts on the network environment on which we all rely so heavily. Security is an underlying but often overlooked factor that touches so many aspects of day-to-day activities on intranets and the Internet that the list of possible topics is virtually endless.
I'll be joined by other members of the SEI Networked Systems Survivability Program wishing to contribute to this column, to discuss and debate network security topics of interest to them. We'd love to hear what topics you'd like us to discuss and debate. So if you're interested in topics such as forming a computer security incident response team, responding to security incidents, secure programming practices, security improvement, the security impacts of emerging technology, or another network security topic, then send me your suggestions in email!
Striking up conversations with new people is always interesting; you never know where the discussion will lead. Invariably though, the question of "What line of business are you in?" will come up. When faced with the reply "Internet security," the next response often takes the form, "That's interesting, but security isn’t really something that matters in our organization." It is hard to imagine an organization for which this statement is true. The truth is that many organizations don’t think about security until after they have suffered a computer security incident. Then their eyes open to reality – security is a fundamental foundation that supports business operations.
Our daily reliance on technology has changed a great deal in the past decade with the advent and proliferation of the Internet. Just think about your home or office environment 10 years ago and how it differs today. Home computers were out of the price range of most people’s pockets, and few of us had dedicated desktop systems. Today, the Internet has become one of the most powerful and widely available communications mediums in the world. Governments, corporations, banks, and schools conduct their day-to-day business over the Internet.
The Internet is easy and cheap to access, but the systems attached to it lack a corresponding ease of administration. As a result, many Internet systems are not securely configured. We know of a case where someone setting up a workstation took a lunch break and by the time he returned, the system had already been compromised! Additionally the underlying network protocols that support Internet communication are insecure, and too few applications make use of the limited security protections that are currently available. The combination of the data available on the network and the difficulties involved in protecting the data securely make Internet systems vulnerable attack targets. As a result, it is not uncommon to see articles in the media referring to Internet intruder activities that result in financial loss, data corruption, loss of public confidence, and potential loss of life.
With such widespread use of the Internet and its inherent insecurity, the information that resides on and flows across the network is increasingly sensitive and at risk. Clearly, security does matter to you as your banking and securities transactions, your medical records, your company’s proprietary data, and your personal correspondence are at risk.
Catch-22: keeping pace with security needs
What is more worrying is that Internet security improvements haven’t kept pace with the dramatic increase in the use of the network and the need to protect the integrity, authenticity, and privacy of the data that traverses it. How did this imbalance came about in the first place? It boils down to a lack of demand: vendors providing only the level of security that their customers have been willing to pay for. The price was high; vendors didn’t just have to address the issue of protecting their own systems and applications, they also had to overcome the inherent insecurity of the underlying Internet protocols by building a secure communications channel on top of the existing infrastructure. So when asked, the vendor community responded that it would include security if enough customers required it in purchases. But most customers didn’t know what to ask for and some didn’t see the point in asking for security that wasn’t available.
Over the years this Catch-22 scenario has perpetuated. The good news is that at last, there are signs that this cycle is now being broken, and there is hope that slowly this will start to redress the imbalance of Internet use and security.
Signs of progress
What happened to break the deadlock? Progress is partly a result of vendors responding to the negative publicity that they received as a result of security vulnerabilities in their products. The advent of electronic commerce on the Web has also played a part. But the biggest factor is the strong push for improved security standards spearheaded by business-to-business communications and commerce needs. Fortune 500 companies are finding that they can save large amounts of money by moving to network-based data communications and storage--indeed they will stop being competitive if they fail to move. The demand for security standards to be established and incorporated into vendor products was a result of their clear understanding of the need for their communications to be secure and protected.
Today the effect is being felt most strongly in the area of data encryption and public-key infrastructures (PKI). These are the areas that will most directly affect business-to-business communications, contracts, and commerce. Over the next couple of years we expect to see encryption and PKI technologies much more widely available and used--for everything from digital signatures on contracts to private email. We hope that this will also focus more attention on other areas of security technology that need similar improvement.
What you can do
How does this affect your ability to secure and protect your data? There are basically two things you can do. First, you can use security as a discriminating factor in system and software procurement. It is now economically feasible to include security considerations during purchase negotiations. You don’t need to be a security expert to do this. It is as simple as asking vendors what security they offer. They’ll respond with details on the standards they conform to and the integrated security functionality they provide and explain at length the differences between their products and their competition’s. Secondly, you can encourage your organization to participate in security standards efforts to be sure they address your business needs.
So the future is looking much healthier for Internet security. We’ll soon have the integrated security tools and secure architectures so desperately needed, and doing a good job of securing a system won't require a masters degree or 10 years of on-the-job training! The hope is that one day, systems will be sufficiently secure out of the box that system administrators will be able to take lunch breaks without fear of an intrusion!
But the future hasn’t arrived yet! We can’t become complacent as we still have to cope with today’s problems. This means that we must all be vigilant and do our best with the limited tools and insecure architectures that are available to us. You can take steps to secure your data, but it is neither easy nor cheap. It requires spending time and resources on securing individual systems, communications equipment, and your overall network infrastructure.
In future issues of this column, we will discuss efforts underway in the security community to improve security, the things you need to consider, and what you'll have to do and be aware of to protect your data. A security nirvana may never be attainable; even with the improvements available today and others on the horizon, we have to continue to work at maintaining security.
About the authors
Moira J. West-Brown is a senior member of the technical staff within the CERT® Coordination Center, based at the SEI, where she leads a group responsible for facilitating and assisting the formation of new computer security incident response teams (CSIRTs) around the globe.
Before coming to the CERT/CC in 1991, West-Brown had extensive experience in system administration, software development and user support/liaison, gained at a variety of companies ranging from academic institutions and industrial software consultancies to government-funded research programs. She is an active figure in the international CSIRT community and has developed a variety of tutorial and workshop materials focusing mainly on operational and collaborative CSIRT issues. She was elected to the Forum of Incident Response and Security Teams Steering Committee in 1995 and is currently the Steering Committee Chair. She holds a first-class bachelor's degree in computational science from the University of Hull, UK.
James T. Ellis is a vulnerability analyst at the CERT® Coordination Center located at the SEI. His primary focus is on understanding the root causes of security vulnerabilities, determining how they can be avoided in systems, and transitioning that information to software developers. He is a past general chair for the Symposium on Network and Distributed System Security sponsored by the Internet Society.
Before joining the SEI, Ellis worked at the Pittsburgh Supercomputing Center, also located at Carnegie Mellon, where he was responsible for system performance and security for the Unicos operating system on a Cray Y-MP/832 supercomputer. Before coming to Carnegie Mellon, Ellis was the manager of computing facilities at the Microelectronics Center of North Carolina (MCNC).