IT wanted integration; Microsoft delivered. Now both must fix lax security.
by Peter Coffee, eWeek
More than a decade ago, Bill Gates began pursuing his vision of tightly integrated productivity software, providing
what he has called "object models that enable developers to control all the elements of an application."
Most enterprises ate it up. The object-based, drag-and-drop interaction of Microsoft Corp.'s Office made users
more productive and relieved IT of the burden of integration.
Now, however, enterprise IT pros worry that the grand integration vision implemented by Microsoft has brought with
it unintended consequences. Last year's Melissa virus and last month's worldwide barrage of mail-bomb attacks have
spread concerns about insecure interactions among Microsoft applications.
Following the recent Love Letter attack, similar to Melissa but with far more pervasive and damaging effects, enterprise
IT buyers have risen to demand that Microsoft give more attention to the safety of large networks. The connectivity
of the Internet is different in kind, not just in degree, from the connectivity of the LAN, and Microsoft's architecture
has not reflected this difference, they say. Microsoft has not acknowledged its responsibility as enterprises migrate
to public networks with worldwide reach.
Indeed, the Redmond, Wash., company provoked the ire of IT managers when it offered a post-Love Letter patch that
addressed Outlook's loopholes while denying its vulnerability. The update's startup screen warns that "lowering
any of the default security settings may increase your risk," sounding much like the company's previous warning
not to view a Web page if you don't know what's on it.
Beyond what's in the box
By failing to address the vulnerability of its Outlook mail client after the wake-up call of last year's Melissa
incident, Microsoft neglected a crucial aspect of its duty to its customers. The greater attention to security
in Windows 2000 does not address Microsoft's application-level issues: During conversations between Microsoft officials
and eWeek Corporate Partner advisory board members, it appeared that the security posture of Microsoft's products
is being evangelized by the Windows 2000 team across the company, rather than being guided effectively from the
top down as a unified corporate goal.
IT managers must also live up to their duty to understand the security features available from Microsoft (in configuration
options) and from other vendors (in software that's readily integrated with Windows and its applications). Mail
screening tools and other add-ons are part of the security posture at eWeek Corporate Partner sites such as the
Defense Advanced Research Projects Agency, for example, and should be examined and adopted even by sites that aren't
protecting national secrets.
Reliance on default settings of installed software or on preloaded configurations of operating systems is a practice
that some eWeek Corporate Partners condemn as ducking IT managers' responsibility to control their own sites --
although others in eWeek's advisory group reluctantly rely on preload setups to keep their deployment costs under
control.
During discussions with eWeek's advisory board, members unanimously agreed that multiple configuration options
are too widely scattered and that their security interactions are too difficult to discern. They called for
Microsoft to automate product configuration for varying trade-offs between security and convenience. Melissa also demonstrated
the need to prevent invisible modification of security settings by application automation.
Enlisting the troops
IT managers must strengthen their positions as internal champions of secure processes. It's also vital for them
to prevent the common perception that IT security is solely IT's job. Just as all corporate personnel are expected
to take due care with a company's physical assets, an Information Age corporate culture must promote a general
awareness of information risks.
Melissa and Love Letter, with their executable e-mail attachments, both relied on naïve users to act without
consideration of systems' security loopholes. Computer system attackers have always relied on untrained users to
underestimate risk and to value their own convenience more than the security of their systems. The vast majority
of user-chosen passwords are easily guessed by brute-force methods, and users often fall prey to "social
engineering" attacks that fool them into compromising defenses while thinking that they're assisting a co-worker.
Any system is vulnerable in any environment that does not educate users and that does not emphasize integration
of security measures into normal operations.
IT managers must take a stand with vendors such as Microsoft, demanding prompt disclosure of security issues and
demonstrating their interest in ready access to information on risk reduction practices and products.
Target of opportunity?
The history of attacks against Windows is to some degree a testament to its popularity, as well as an indictment
of its vulnerability. Any computing environment, in the opinion of security professionals such as eWeek Corporate
Partner David Thompson, CIO of DARPA, of Arlington, Va., will fall victim to hacker ingenuity if the ego reward
of widespread impact is likely.
History bears Thompson out: E-mail-based attacks were a tried-and-true hack long before Windows and Visual Basic
for Applications emerged. A Melissa-style e-Christmas-card attack saturated IBM's internal network for days in
1987; the Morris worm, far stealthier than Melissa or Love Letter, made headlines with its Unix-based attack in
1988.
Thompson suggests that Lotus Development Corp.'s Notes, for example, would become a fruitful target for attacks
if it were more widely used and offered attackers a greater chance of notoriety. He believes that Linux would prove
equally susceptible if more widespread use increased its attack appeal.
However, Windows and its high degree of integration make attacks unnecessarily inviting, and IT pros say they believe
that any competent developer could make security features more controllable and make security information easier
to acquire and understand.
Advocates of open-source software, such as the Linux operating system or the Apache Web server, often argue that
their approach is inherently safer than reliance on proprietary code such as Windows. Paul Vixie, president of
the Internet Software Consortium, of Redwood City, Calif., and head architect of the Berkeley Internet Name Domain
program that associates Internet addresses with human-readable URLs, asserts that "open-source software enjoys
the best system-level testing in the industry," that "uncounted strangers reading the source code ...
keep an open-source developer on his or her toes in a way that no manager could."
Those who champion the open-source process point to projects such as the OpenBSD operating system, with its tremendous
security record, as proof of concept. But there are other examples, such as loopholes in Kerberos code that went
unnoticed for years, that show the limits of volunteer effort.
Overall, open source represents a greater opportunity for enterprise IT to get as much security as it's willing
to pay for, by enabling the creation of third-party companies that audit and maintain systems. The opportunity
to scrutinize source code should not distract managers from giving at least as much attention to the issues of
managing configurations and educating users.
Whether a site's applications come from Microsoft or elsewhere, it's the enterprise IT culture that must make security
a priority.