TISC Insight, Volume 2, Issue 10

Welcome to Volume 2, Issue 10 of The Internet Security Conference Newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community. Many of our columnists teach and speak at The Internet Security Conference. The editorial calendar at this time includes:


TISC is about sharing clue. So is the newsletter. We promise to provide something useful each issue. If we don't, flame me at mailto:dave@corecom.com.

Enjoy, and be safe,

Dave

In this issue, Chris Klaus, ISS, presents an invited commentary on risk management and E-Commerce, where he suggests an integrated approach, based on the resources of both security vendors and insurance providers. Our feature columnist, Mike Rothman, Shym Technologies, offers his opinions on why PKI hasn't achieved the ubiquity and universal utility industry analysts predicted nearly five years ago, and speculates when the "Year of PKI" might finally arrive. Lastly, TISC faculty members Fred Avolio, Lisa Phifer, and Ed Tittel discuss the Outlook security upgrade made available by Microsoft following the recent spate of email-borne worms.


Guest Commentary
Securing E-Commerce: The Risk Management Solution


Chris Klaus, ISS

Until recently, information security management and e-commerce insurance have existed as discrete and separate entities. Information security vendors concentrated on preventing intrusion and misuse, with little attention to what happens after the unthinkable comes to pass. Insurance companies limited their attention to media liability and transaction warranty coverage plans. Policies protecting against financial loss or theft of intellectual property were either difficult to obtain or prohibitively expensive, as underwriters had no actuarial basis from which to measure levels of risk.

E-commerce, however, needs a comprehensive risk management solution. Internet-driven businesses by definition can't be 100% protected against all possible attacks and misuse. The closer the security management system comes to that 100% ideal, the more expensive that system becomes, eventually delivering only incremental gains for prohibitively astronomic increases in cost.

These businesses must protect themselves against lost consumer confidence, shareholder equity exposure and a host of legal issues if their systems are compromised. E-commerce insurance works in concert with managed information security services to provide this critical link, allowing for cost-effective risk management, whether at the information security or e-commerce insurance level.

The best approach to e-commerce risk management utilizes an integrated program drawing from the resources of both security vendor and insurance provider. This process usually starts with a managed security services vendor performing a standards-based assessment to determine current levels of risk exposure, establish the state of security policy and enforcement procedures and evaluate long-range plans for responding to a security incident.

Once the client's security state is known, the insurance company issues a policy tailored to the client's current needs. As recommended security improvements come on line, the client receives additional reductions in the cost of the policy. Regular assessments keep the insurance policy aligned with the client's needs as the organization grows.

This comprehensive risk management program provides high-level information security at very reasonable cost. Use of a managed security services vendor defrays the cost of information security across the vendor's entire customer base. By outsourcing security, the client realizes a significant reduction in security expense without compromising effectiveness. The second area of savings comes from the insurance provider being able to accurately match coverage needs to the client's security state. Underwriters and brokers can be assured that the client is well-protected by the managed security services vendor, and pass this confidence along in the form of lower premiums.


Feature Column
The Year of PKI - Are We There Yet?


Mike Rothman

There are certainly great expectations for digital certificates and PKI to provide the security infrastructure for e-Business. But it does seem like deja vu when, for the third straight year, annual "Year of PKI" panels convene at conferences like RSA and Networld+Interop to talk about how this year is the year that PKI finally breaks out. Yet, as we look back, little progress has been made.

I should explain that when I say PKI, I mean deployment and usage of client side certificates to provide mutual authentication and non-repudiable digital signatures. The use of server side certificates and SSL for Web encryption is certainly in mass deployment, with hundreds of thousands of server certificates in production use today.

The use of PKI in global enterprise organizations follows a fairly conservative and predictable process, starting with a pilot project. The pilot would then be followed by limited-use production deployments (hundreds of users) before a significant commitment is made to the technology. The leading PKI vendors have been doing an effective job of placing pilot projects; based on reported numbers, there are over 1000 PKI pilots in operation today.

I figure only about 15% of those pilots have evolved to "production" deployments. So there are lots of people kicking tires, but not too many buying cars. After three years, this is certainly below expectations, as other technology markets have entered Geoffrey Moore's "Tornado" much faster. Those of us in the PKI business need to start looking for reasons why the PKI market has not taken off and what can be done to accelerate the market.

The most commonly cited reason for the lack of PKI deployment is complexity, an umbrella term that means, "it's pretty hard to figure out and there isn't a compelling enough reason to do so". Are Web applications complex? You bet, but people make the effort because of the compelling reason: their perceived e-Business survival.

Alongside complexity, consistently raised objections include cost, ease of use, and application integration. Clearly PKI is not for the faint of heart, given its hefty price tag (usually north of $100,000), the amount of user training required, and the ongoing operational overhead. But, I always revert to the compelling need factor: if there were a "killer application" for PKI, organizations would be deploying the technology.

In search of... Killer Applications

In a perfectly secure world, all applications would integrate digital certificate-based security, so a high level of authentication, privacy, integrity, and non-repudiation would be available as base services. Unfortunately, the world is not even close to perfectly secure, nor is it feasible to PKI-enable all applications at one time. So, we are looking for the critical application(s) that will get the ball moving in the right direction.

VPN: Providing strong authentication for virtual private networks tends to be the path of least resistance: it can be cost justified (as opposed to using private dial networks) and many leading VPN equipment makers have integrated digital certificates for authentication. Unfortunately there is an existing, entrenched competitor - token-based authentication, which provides the same functionality in a less complicated manner. So, while VPNs are a legitimate killer app in new deployments (those not using token cards), they are unlikely to displace existing token implementations unless other application(s) can be identified.

Web Applications: Clearly a significant amount of the Y2K investment has now been diverted to Web-based e-Business applications. Considering the leverage and efficiencies gained by integrating supply chains, and the sheer value of B2B transactions, providing strong authentication and digitally signed transactions would seem to be a no-brainer. Of course, the complexities and cost of issuing client-side certificates has constrained this market thus far. That being said, SSL (using server side certificates) is critical for any e-commerce site.

E-Mail: Since e-mail is the first ubiquitous network-based application, it would seem like common sense that organizations would want to secure the valuable cargo sent via e-mail with digital signatures and encryption (via S/MIME). In fact, all of the prevalent e-mailers already support certificates, but unfortunately the client side security services are still far too difficult to use. End users must set up security profiles and ensure that security is turned on, and even worse, centralized administrators have no way to enforce security policy at the client level. Another complicating factor is the widespread interoperability problems inherent to S/MIME (though progress is being made), and the lack of a ubiquitous public key directory so ad hoc message encryption (without an out of band certificate exchange) is feasible.

ERP: Since ERP (enterprise resource planning) applications drive many businesses, and therefore their e-Business strategies, there is a critical need to open up ERP data stores to external constituencies in a B2B trading context. This leads one to believe that it's only a matter of time before high levels of security are demanded, considering the high value of information stored in ERP systems. This is compounded by the rapid evolution from client/server to Web-based ERP environments, which are better suited to serving B2B partners. The constraint to using PKI with ERP applications is one of integration, deploying and managing certificates to huge external communities, and cross-certification (in a B2B context). It is very difficult to integrate certificates with the ERP applications, requiring a significant investment in custom integration and development. Application security integration products do ease the pain here, but are not in widespread deployment yet.

Wireless: No one even marginally interested in wireless communications can escape the escalating hype surrounding wireless security using PKI. Each of the leading PKI vendors made a strategy announcement and partnered with the prevalent handheld vendors. This is great news and a needed requirement for mobile e-commerce to gain traction. Of course, these new technologies require a generational upgrade of the wireless devices and that takes money and time (especially when dealing with hundreds of millions of units). I'm very hopeful that wireless commerce will be a great market for PKI, but the question is when. My gut says not very soon.

There are lots of options for the killer application to drive PKI to the masses, yet it's hard to tell which will hit first. I personally hope that all of them work out, since that's good for the industry.

The Importance of Ubiquity

Absent an easily identifiable killer application, it is worth remembering that other technologies went into widespread deployment once they were made part of the base operating-system platform. This is the "build it and they will come" approach. If a technology or tool is something that is just available, organizations will find a way to use it.

IP stack developers back in the early 90's are a good historical example of this approach. Shops experimenting with UNIX-based client/server applications were forced to spend a lot of money to outfit desktops with IP software to connect to the back-end. There was a similar search at that time for applications (FTP, Telnet, email, etc.) that would drive desktop IP much deeper into an organization.

Yet, when Microsoft included a very functional IP stack in Windows 95, it changed everything. Organizations didn't need to go out of their way and justify huge software investments to deploy IP because it was already there. So as the migration to Windows 95 proceeded, the ability to connect to client/server applications was built in, and it accelerated client/server application deployments.

The presence of the IP stack on every desktop was a key factor in the unprecedented adoption of Internet and browser technology. If customers first had to start deploying IP stacks before their browsers could be operational, requiring specialized technical expertise and a significant investment, it would have taken much longer for Internet technologies to reach critical mass.

The advent of digital certificate services within the Windows 2000 Advanced Server has the potential to make PKI ubiquitous. Windows 2000 has made issuing a certificate a core part of setting up a user. The Active Directory has integrated certificate lookup with user and network resource location, and provided another piece of the core services needed for PKI deployment and usage - an integrated directory. As many organizations migrate to Windows 2000, they will have the ready-to-use ability to issue and manage certificates. If history is a guide, this will spur a massive adoption of PKI for both internal and external security functions.

Conclusions

Within a three-year planning horizon, a nearly ubiquitous operating system-based PKI utility will be in place within most global corporations. How does that bode for the current generation of leading PKI vendors? For better or worse, the process of issuing a certificate is a commodity, a fact I doubt any of the PKI vendors would argue. The question of their future prosperity is in adding value on top of the base certificate issuance process. Whether it's in the form of key management/rollover/validation, public trust services, or application security integration, existing PKI vendors must find a way to differentiate in a world that will get their certificates through Windows 2000 (and successors).

PKI vendors can dismiss Microsoft's PKI platform at their own peril. I remember the days when FTP Software and NetManage told me that the IP stack in Windows 95 wasn't functional enough, and their business would be fine since they added value. That story did not have a happy ending. My former colleagues at META Group agree, having written in a Feb 1999 research report, "To stay alive, existing PKI vendors will tie management functionality to Microsoft's PKI as a value-added service."

So, I head into the second half of 2000 with high hopes that 2001 will finally be the "Year of PKI." The increasing ubiquity of a Windows 2000 digital certificate platform will remove the complexity and cost obstacles and really allow enterprises to start solving application security problems with PKI-based solutions. Which is really the point, after all.

About the Author:

Mike Rothman is co-founder and executive vice president of SHYM Technology, an application security company with snap-in software that makes securing e-Business applications (including e-mail) faster, easier and less costly. Prior to founding SHYM, Mike was VP of META Group's Global Networking Strategies Service and a consultant with Ernst & Young and American Management Systems.



Editor's Corner: Outlook Security Update


On May 15, Microsoft announced availability of the Outlook Email Security Update, a "significant security enhancement to the Microsoft Outlook messaging and collaboration client designed to thwart the spread and impact of many computer viruses - including those similar to the recent 'I Love You' and 'Melissa' viruses." Both the press release and the Office Update page posted the week of May 22 indicate this update protects against viruses, but limits certain functionality within Outlook to provide a significantly improved level of security for Outlook users (see http://officeupdate.microsoft.com/).

I don't use Outlook -- mostly because I've used Eudora *forever* and never broke the habit -- but increasingly, because I can't afford the headache nor the embarrassment of having my mail client hacked, as some colleagues and friends have, with Outlook. I'm not claiming that I'm 100% safe with Eudora, but I have convinced myself that the ice under my feet is thicker with Eudora than Outlook.

When the Outlook Email Security Update was announced, I visited the site, to see if there was any reason to consider Outlook anew. I wasn't real enthused about some of the constraints the upgrade appeared to carry with it (not uninstallable?) so I asked folks more familiar with Outlook than I for an opinion. Here's what they replied:

Lisa Phifer, Core Competence:

"Outlook's automation allowed it to be exploited by worms, and Microsoft appears to be taking a two-prong approach to fix this: prompt the user to avoid surreptitious use of automation, and block everyone from mailing content types that can sometimes carry viruses. The problem I see with this update is that it applies a quick-fix to flag and block existing virus vectors in a relatively brute-force, disruptive fashion.

"Stripping .exe and .vbs attachments may help prevent damage by known viruses, but unless content is actually scanned by a virus detection engine, it would seem that users can still send and receive harmful content by naming it something else? Will hackers simply shift to a new vector that avoids the protection provided by this update? This kind of "blind" stripping may hamper the exchange of legitimate email while providing a false sense of security.

"The hurried nature of this update -- not uninstallable, install known to fail in some cases, Word MailMerge breaks, PDAs cannot sync, PowerPoint files inadvertently blocked -- should ring alarm bells with IT sysadmins who need robust, enterprise-class anti-virus protection. Residential users will probably benefit the most from this Outlook band-aid -- and be troubled the least by its limitations."
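A small illustration of the renaming concern raised above, added here as an example (it is not code from the newsletter, from Lisa, or from Microsoft's update): one filter deny-lists by filename extension, the other inspects the attachment bytes. The extension list and the sample attachments are constructed for the demonstration.

```python
# Added example: extension-based stripping versus content inspection.
# All sample attachments are constructed inline; the "PE" sample is a
# header-only byte string with no code in it.
import struct

# Constructed deny list in the spirit of the update (not Microsoft's actual list)
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".js", ".scr", ".bat", ".com"}


def blocked_by_extension(filename):
    """Naive filter: decide purely on the filename's final extension."""
    name = filename.lower()
    return any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def is_pe_executable(data):
    """Windows PE image check: 'MZ' DOS stub, then a 'PE\\0\\0' signature at
    the offset stored in e_lfanew (little-endian DWORD at byte 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


# Crude script heuristics (constructed); a real scanner would do far more
SCRIPT_MARKERS = (b"wscript.", b"<script")


def looks_like_script(data):
    return any(m in data[:1024].lower() for m in SCRIPT_MARKERS)


def blocked_by_content(filename, data):
    """Content-aware filter: the name is ignored, only the bytes count."""
    return is_pe_executable(data) or looks_like_script(data)


def make_fake_pe():
    """Build a minimal PE-shaped header (DOS stub + 'PE\\0\\0'), nothing runnable."""
    dos = bytearray(b"MZ" + b"\x00" * 62)          # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew -> PE header at 0x40
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


SAMPLE_ATTACHMENTS = [
    ("setup.exe", make_fake_pe()),                 # caught by both filters
    ("report.txt", make_fake_pe()),                # renamed: extension filter misses it
    ("notes.txt", b"Meeting moved to 3pm."),       # benign text
    ("hello.txt", b'WScript.Echo "hello"'),        # script content under a .txt name
]


def compare_filters(attachments=SAMPLE_ATTACHMENTS):
    """Return {filename: (blocked_by_extension, blocked_by_content)}."""
    return {name: (blocked_by_extension(name), blocked_by_content(name, data))
            for name, data in attachments}


if __name__ == "__main__":
    for name, (by_ext, by_content) in compare_filters().items():
        print(f"{name:12} extension-filter={by_ext!s:5} content-filter={by_content}")
```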

Fred Avolio, Avolio Consulting:

"What a surprise...

"Usability and features often directly and negatively affect security. The Melissa Virus, et al., weren't possible 8 years ago. Not technically possible? No, just not feasible. People could not easily (point/drag/drop) forward executables and word processing documents. Now they can. In the name of usability and features, word processors execute programs, e-mail programs execute content, and we've got these problems. What surprise.

"So, Microsoft is forced, in the interest of security, to remove some of this functionality that was unsafe to add in the first place. They are forced to undo what they've already done. Word processors should never execute programs. E-mail programs should never interpret content beyond formatting (and no arguments about what that could mean... it is fairly well understood). They will probably do it in such a way as to allow users to get around it (click here if you don't want to see this warning again), so we're not done with these kinds of things yet.

"So, really no surprise. Microsoft is putting in features to undo other features which should not have been added in the first place."

Ed Tittel, LANwrights:

"Fred Avolio is dead on when he talks about removing dangerous functionality from Office in general, and Word and Outlook in particular. Some aspects of Microsoft's approach have the benefits of some elegance, by guarding the Outlook address book, and by increasing Outlook security settings.

"Nevertheless, Microsoft's solution has it in common with other, earlier solutions posted to various security mailing lists (see a choice list of such resources below) that rely on disabling file extensions (e.g. .vbs), removing associations between extensions and particular programs (e.g. the Windows Scripting Shell, or WSH), and similar techniques to halt the automatic execution of potential rogue programs.

"It will be interesting to observe if there are other methods whereby executable images can be invoked from inside Microsoft Office components, beyond extension-application associations and built-in macro language support. I personally wouldn't be surprised to see other patches of this type in the future. On the other hand, improving the security awareness of Outlook is a good approach, even if I'm not completely in love with Microsoft's notions of "security zones."

Do you have an opinion on the upgrade? War stories to share? Let us know.



© 1999 - 2006 Core Competence & Mactivity, Inc.