
Changing of the WatchGuard

The events of September 11th, 2001, touched off a torrent of change in the way we safeguard our national and global infrastructure. No industry or business sector is immune. Indeed, in the aftermath of the terrorist attacks, the provisions of the federal government’s proposed Anti-Terrorism Act now incorporate key components of the Computer Fraud and Abuse Act that make it illegal to crack a computer for the purpose of misappropriating assets, or to deliberately cause damage. Likewise, launching a malicious program that harms a system, like the Code Red Virus or the Nimda worm, or making an extortionate threat to damage a computer, may also find itself included under the definition of terrorism.

To better understand the risks and defensive measures along the gauntlet of this new, high-tech battlefield, we caught up with Jack Danahy, Senior Vice President, Server Security, for Seattle’s WatchGuard Technologies. Danahy is an authority on advances in security trends and technologies, driving international awareness of the need to eliminate sources of widespread compromise in critical infrastructure. In addition to holding several patents in the field, he has been involved in a variety of national security and private sector security initiatives, including the US Army War College, the Center on Law, Ethics, and National Security, the President’s 1997 Commission on Critical Infrastructure Protection and the House Subcommittee on Information Technology.

Seattle24x7: Jack, if we were to take the subject of computer security and make an analogy to recent acts of terrorism, equating a terrorist with a virus, and, given recent events, looking at an airplane as the computer server, then WatchGuard’s security role could best be described, not in terms of identifying the face or the fingerprints of the terrorist nor functioning as a metal detector, so to speak, but as creating a kind of impenetrable shield around the plane…?
Danahy: Using that analogy, we are like the cockpits in El-Al [the Israeli Airline], where you’re simply not allowed to affect the underpinnings of the way the system is operating. So, as opposed to preventing the individual from getting on a plane for a heinous deed, or as opposed to putting a Sky Marshal on board who’s going to shoot at them when they attempt to do something, instead, you simply have a separate entrance for those pieces of the system which are necessary for smooth operation. That could be the operating system itself or your own data, and anything that shouldn’t be changed can’t be changed, no matter who is walking around at the back of the plane.

Seattle24x7: In this analogy, would Microsoft serve as a kind of airport security and screening force?
Danahy: If you look at the recent announcements put out by Microsoft — the Microsoft Security Initiative — it is really all about walking around the plane and checking people to make sure they’re not carrying weapons. It’s a great way to get people more educated about the risk, and to take some proactive measures to try and prevent the bad stuff from getting on the plane in the first place.

If you look at technologies like Intrusion Detection, with which we’re all familiar, those are actually the video cameras running in the plane so that at least the people on the ground, or perhaps the pilot, can see that they’re about to be hijacked, and after the fact, like a flight data recorder, you can go back through and find out what exactly happened. WatchGuard exists in the position to prevent the damage that would have been done as opposed to trying to do all those other things which I think are important but which are at the front end of the problem. Depending on which way you come at it, we are either the last line of defense when everything else has failed, or we’re the first line of defense when you’re trying to build your system.

Seattle24x7: Do you see Microsoft’s initiative as a very timely reaction to the glare of public scrutiny? And is there something about the Windows OS that makes it particularly vulnerable to attack?
Danahy: It is very much guided in its timeliness by the onset of the Code Red and Nimda worms that have deeply affected the Microsoft community. Is Microsoft’s platform fundamentally more vulnerable? My answer there is, technically no, it’s not. But in practice? Yes, it is. And the difference there, in my opinion, is that the largest risk to Microsoft’s customers, and the security risk of the platform, are engendered by those selfsame customers.

Seattle24x7: You’re talking about the relative sophistication of the administrators?
Danahy: Typically, UNIX-based servers like Apache require a fairly well-educated and experienced administrator in order to get configured. Microsoft provided a rich feature set, and didn’t necessarily focus on the security portion (i.e. keeping things turned off), because it’s contrary to getting these people up and running. Microsoft let the user do whatever they wanted to — and users did. There’s a risk there. It isn’t that there’s a new stack buffer overflow in the IIS indexing server. The risk there is that the users who take full advantage of the Microsoft feature set tend to be people with less experience in general. As a result, they don’t have the wherewithal to close down the services that they don’t need or to pay rigid attention to the patches that are available for the system which a more experienced administrator would. Microsoft’s announcement of reeducating and taking responsibility for helping these people along is important.

Seattle24x7: In the Internet era of connectivity, why can’t we have a method of regularly polling a server to download the latest patch?
Danahy: In a theoretical world, that works perfectly. In a practical world, Microsoft can’t do that from a business sense and I’ll tell you why. Let’s say that I’m a financial services company running transactions on my Microsoft IIS Web server. And Microsoft releases a patch as soon as they find a problem, and that patch happens to come out at 3:45 in the afternoon. If the regular polling interface is going to go forth and get that and rework my system for me, then I could be in some pretty deep trouble since it could be a busy time of day where millions of transactions could be in progress. You really have to rely on the business sense of the organizations implementing the platform. Because this really isn’t a question of making sure you’re absolutely secure all the time. Appropriate security is a question of “risk management” like everything else in our lives. People will have a different sense of urgency in the way in which they apply these patches. You can’t really do it automatically because you take away from the customer their ability to be able to manage this.

Seattle24x7: In the case of Code Red, the Internet remained vulnerable even while most of the world was patching their IIS servers, so long as one Sys Admin was unaware and left the door open for the worm to enter.
Danahy: Recognize it’s just one more ingredient in your risk management. Take the example of an automobile with the keys left in it. If it’s stolen and it causes harm, the individual who left the keys in it can be held civilly responsible. If that same sort of penalty were to apply to a system administrator, clearly the risk factor associated with not patching a system widens. It’s not just your system going down. It’s the potential civil liability associated with you hurting others. That portion remains pretty much sub rosa; they don’t think about it so much.

Seattle24x7: Your literature mentions that WatchGuard’s AppLock Web product auto-discovers more than 200 known file extensions for protection. What does that apply to?
Danahy: The protection that we implement is built into the kernel of the operating systems that we protect. What we’re doing is that we’re going to deny, even the Systems Administrator, the capability of changing file types that shouldn’t be changed. A good example of that is anything from .WAV files and graphic files which, because of their format, shouldn’t be goofed with by individuals, to things like system executables. On the far side, you’ve got other things like content. My marketing brochure shouldn’t be getting changed on-the-fly. My .PDF files typically shouldn’t be editable on my Website. Nor should the pointers to any of this kind of information. These are all things that should not be changing on a day-to-day basis. By providing this level of protection, we deny the type of corrupting that happens through attacks that are based on the server.

Seattle24x7: What about abuses that can occur by spoofing, say on a Unix system, that someone is the Superuser?
Danahy: The SuperUser, who is the most potent of all users, can at any time change anything he or she wants to on the system, thereby making impractical the idea that Read, Write or Execute Permissions really mean anything. You can think of traditional mechanisms (Read, Write, Execute) as being access-control which are user-based. We’ve made the machine state-based. And so if the machine is in an operational state, no one, regardless of their UserID, is allowed to change these things. For example, think of a bank vault. The president of the bank, even though he has permission to open the vault, can’t open the vault but eight hours a day. We are that time lock. It’s not based on time of course, but we have that same sort of function. Even the president of the bank, if he’s got a gun to his head, can’t open that vault after hours. We are the mechanism that allows you to create that same level of security. Because you know that, with any number of mechanisms, from stack buffer overflow to a number of drinks at a local watering hole, one can get Superuser privilege on a Unix system, or Systems Administrator privilege on an NT system.

Seattle24x7: Your ServerLock system has been designed to augment a Firewall, since a Firewall, by itself, can provide only limited protection?
Danahy: If you look at the reasons why we had to build a product like ServerLock, the fact is that a Firewall is just that, it’s not meant to be a complete wall, it allows traffic types through. If you look at both Code Red and Nimda as current examples, both of them use trusted traffic to get through. As a result, you need something that protects that end point inside, protection at the core. Secondarily, a firewall can’t protect you from people who are already on the inside, whether that’s a bad person, or more commonly, a laptop that’s been corrupted, through someone’s home account or a virus that arises through a misconfigured mail server.

Seattle24x7: With terrorism having raised the specter of all kinds of sabotage, what do you recognize as the greatest challenges to Internet security that you see at a corporate and governmental level?
Danahy: Well, I think that one of the issues that is being undertaken quite seriously is the whole national infrastructure issue. If you look at things like the power grid, telephone service, 911 service, particularly the way in which trains get scheduled, how the loads get carried, the way in which GPS is managed, there exists within the national infrastructure, a great many places where it is not as problematic as one would hope to go in and cause some harm. This is a result of a contention for personnel between private industry and public industry, and the deal there is that if you look at really smart people who go into the federal government in order to perform things like IT functions, as soon as they get really smart they tend to leave. This leads to an environment where really important systems aren’t getting all the focus and scrutiny that they should in terms of the way they’re protected.

If you were to talk to a lot of security analysts there’s going to be a lot of concern over privacy issues and ways in which we can maintain the openness of the network vs. a need to gather information but again, I view that the biggest threat to our infrastructure is not that people are allowed to send encrypted information back and forth to set up bad things that happen. More importantly, I think is the fact that the network itself actually gives access and venue to those types of attack on the critical PC infrastructure.

Larry Sivitz is the Managing Editor of Seattle24x7.
