Gartner's Pescatore: We are the enemy

Citing a range of transgressions, from improperly configured servers to ignorance of well-known security practices, Pescatore said he has seen the enemy and "the enemy is us."

Claiming that the events of Sept. 11 are irrelevant to an IT strategy, Gartner security analyst John Pescatore, who recently grabbed the spotlight by blacklisting Microsoft's Internet Information Server, said that the outcome of that tragic day was "simply a validation of what we already know."

Hinting that many companies have long overlooked the importance of security as a part of their strategies, Pescatore suggested that corporate security specialists should seize the opportunity that the heightened sensitivity presents to gain more leverage in their organizations in their efforts to protect digital assets.

Noting that security is often an afterthought in many projects, Pescatore said, "Security must come first" and lead the way, ahead of processes like development. Companies that heed Pescatore's recommendation will need to undergo a cultural shift before the discipline is universally accepted and deployed.

It was the second such cultural shift in the development cycle that Gartner has recommended at this year's Symposium. The first was presented earlier in the day by Gartner analyst David Smith, who said that for companies to successfully deploy Web services, their developers will need to shift toward a component re-use culture that includes developing software as a service. Smith called the concept SODA, or Service Oriented Development of Applications.

During the conference, Pescatore has been defending his widely covered recommendation that companies dump Microsoft's Internet Information Server. According to Pescatore, the recommendation was not necessarily based on IIS deficiencies. Pointing a finger at Internet server managers, he was quick to note that 75 percent of exploited server vulnerabilities came at the expense of servers that were either misconfigured or not patched on a timely basis. While crediting Microsoft for making patches available before strikes such as Code Red and Nimda occurred, Pescatore said intruders wait for patches like that so that they know what exploit to try next.

Attendees had mixed feelings about Pescatore's remarks. Some referred to IIS customizations they had in place, such as Active Server Pages (ASPs), that could not easily be ported to an alternative. The more security-savvy attendees boasted of airtight security procedures that resulted in immediately patched servers and repelled attacks. Still others were waiting to see if Microsoft CEO Steve Ballmer, scheduled to speak later during the conference, would respond to Pescatore's blacklisting.

Pescatore went on to define five priorities for any company interested in building a security foundation that can enable business. "The first priority is availability," said Pescatore. "Availability means: Can you do what you need to, when you want to?" The second and third priorities, ranked equally in importance, are authentication and authorization. "Authentication," said Pescatore, "is the 'who are you' question, while authorization answers the question of 'what you're allowed to do.'"

Pescatore's equally ranked fourth and fifth priorities are privacy and non-repudiation. "Can we protect your data, and can you prove it?" as Pescatore put it.

In addition to the many current challenges confronting security specialists, Pescatore expects the environment to get worse before it gets better. "For example," he said, "Web services are just the application guys poking another hole in your firewall." Although relatively new, the Web services sector is expected to explode with activity in the coming years.

All these challenges have security managers wishing for the ever elusive--and mythic--"security dashboard," said Pescatore. "Today, there are monitoring solutions that allow us to retrieve data from various devices, but we still can't manage them." Pescatore expects that to change, but not in the immediate future.

In the meantime, Pescatore is recommending new security measures. For companies with employees on laptops, he is strongly recommending personal firewalls. He also suggested encrypting data that resides in servers. "We're really good at encrypting data on the move, such as email, but now we need to start thinking about encrypting data at rest to prevent tampering."