IT wanted integration; Microsoft delivered. Now both must fix lax security. by Peter Coffee, eWeek
More than a decade ago, Bill Gates began pursuing his vision of tightly integrated productivity software, providing
what he has called "object models that enable developers to control all the elements of an application."
Most enterprises ate it up. The object-based, drag-and-drop interaction of Microsoft Corp.'s Office made users
more productive and relieved IT of the burden of integration.
Now, however, enterprise IT pros worry that the grand integration vision implemented by Microsoft has brought with
it unintended consequences. Last year's Melissa virus and last month's worldwide barrage of mail-bomb attacks have
spread concerns about insecure interactions among Microsoft applications.
Following the recent Love Letter attack, similar to Melissa but with far more pervasive and damaging effects, enterprise
IT buyers have risen to demand that Microsoft give more attention to the safety of large networks. The connectivity
of the Internet is different in kind, not just in degree, from the connectivity of the LAN, and Microsoft's architecture
has not reflected this difference, they say. Microsoft has not acknowledged its responsibility as enterprises migrate
to public networks with worldwide reach.
Indeed, the Redmond, Wash., company provoked the ire of IT managers when it offered a post-Love Letter patch that
addressed Outlook's loopholes while denying its vulnerability. The update's startup screen warns that "lowering
any of the default security settings may increase your risk," sounding much like the company's previous warning
not to view a Web page if you don't know what's on it.
Beyond what's in the box
By failing to address the vulnerability of its Outlook mail client after the wake-up call of last year's Melissa
incident, Microsoft neglected a crucial aspect of its duty to its customers. The greater attention to security
in Windows 2000 does not address Microsoft's application-level issues: During conversations between Microsoft officials
and eWeek Corporate Partner advisory board members, it appeared that the security posture of Microsoft's products
is being evangelized by the Windows 2000 team across the company, rather than being guided effectively from the
top down as a unified corporate goal.
IT managers must also live up to their duty to understand the security features available from Microsoft (in configuration
options) and from other vendors (in software that's readily integrated with Windows and its applications). Mail
screening tools and other add-ons are part of the security posture at eWeek Corporate Partner sites such as the
Defense Advanced Research Projects Agency, for example, and should be examined and adopted even by sites that aren't
protecting national secrets.
Reliance on default settings of installed software or on preloaded configurations of operating systems is a practice
that some eWeek Corporate Partners condemn as ducking IT managers' responsibility to control their own sites --
although others in eWeek's advisory group reluctantly rely on preload set ups to keep their deployment costs under
During discussions with eWeek's advisory board, members unanimously agreed that multiple configuration options
are too widely scattered and that their security interactions are too difficult to discern. They called for Micro
soft to automate product configuration for varying trade-offs between security and convenience. Melissa also demonstrated
the need to prevent invisible modification of security settings by application automation.
Enlisting the troops
IT managers must strengthen their positions as internal champions of secure processes. It's also vital for them
to prevent the common perception that IT security is solely IT's job. Just as all corporate personnel are expected
to take due care with a company's physical assets, an Information Age corporate culture must promote a general
awareness of information risks.
Melissa and Love Letter, with their executable e-mail attachments, both relied on naïve users to act without
consideration of systems' security loopholes. Computer system attackers have always relied on untrained users to
underestimate risk and to value their own convenience more than the security of their systems. The vast majority
of user- chosen passwords are easily guessed by brute-force methods, and users often fall prey to "social
engineering" attacks that fool them into compromising defenses while thinking that they're assisting a co-worker.
Any system is vulnerable in any environment that does not educate users and that does not emphasize integration
of security measures into normal operations.
IT managers must take a stand with vendors such as Microsoft, demanding prompt disclosure of security issues and
demonstrating their interest in ready access to information on risk reduction practices and products.
Target of opportunity?
The history of attacks against Windows is to some degree a testament to its popularity, as well as an indictment
of its vulnerability. Any computing environment, in the opinion of security professionals such as eWeek Corporate
Partner David Thompson, CIO of DARPA, of Arlington, Va., will fall victim to hacker ingenuity if the ego reward
of widespread impact is likely.
History bears Thompson out: E-mail-based attacks were a tried-and-true hack long before Windows and Visual Basic
for Applications emerged. A Melissa-style e-Christmas-card attack saturated IBM's internal network for days in
1987; the Morris worm, far stealthier than Melissa or Love Letter, made headlines with its Unix-based attack in
Thompson suggests that Lotus Development Corp.'s Notes, for example, would become a fruitful target for attacks
if it were more widely used and offered attackers a greater chance of notoriety. He believes that Linux would prove
equally susceptible if more widespread use increased its attack appeal.
However, Windows and its high degree of integration make attacks unnecessarily inviting, and IT pros say they believe
that any competent developer could make security features more controllable and make security information easier
to acquire and understand.
Advocates of open-source software, such as the Linux operating system or the Apache Web server, often argue that
their approach is inherently safer than reliance on proprietary code such as Windows. Paul Vixie, president of
the Internet Software Consortium, of Redwood City, Calif., and head architect of the Berkeley Internet Name Domain
program that associates Internet addresses with human-readable URLs, asserts that "open-source software enjoys
the best system-level testing in the industry," that "uncounted strangers reading the source code ...
keep an open-source developer on his or her toes in a way that no manager could."
Those who champion the open-source process point to projects such as the OpenBSD operating system, with its tremendous
security record, as proof of concept. But there are other examples, such as loopholes in Kerberos code that went
unnoticed for years, that show the limits of volunteer effort.
Overall, open source represents a greater opportunity for enterprise IT to get as much security as it's willing
to pay for, by enabling the creation of third-party companies that audit and maintain systems. The opportunity
to scrutinize source code should not distract managers from giving at least as much attention to the issues of
managing configurations and educating users.
Whether a site's applications come from Microsoft or elsewhere, it's the enterprise IT culture that must make security