Reducing Software Flaws Key to Security, Users Say

Focus on vulnerabilities seen as most important part of national strategy

Of the five main priorities set forth in the National Strategy to Secure Cyberspace, users and security experts pointed to the goal of working to reduce software and Internet vulnerabilities as the one that could actually make a difference in the near term.

Released Feb. 14 as part of the Bush administration's multipronged effort to develop a program for reducing cyberspace security threats and vulnerabilities, the national strategy calls for a concerted effort across four major components of cyberspace: the key Internet protocols; digital control systems, such as those that manage the flow of electricity; software and hardware components; and physical infrastructure interdependencies.

Many users and security experts acknowledged the need to improve critical protocols, such as the Domain Name System (DNS); the Border Gateway Protocol (BGP), which enables routing information to be exchanged between networks; and the current version of the Internet Protocol, which is now being migrated from IPv4 to IPv6 for improved security. But the majority of users who spoke with Computerworld last week remain convinced that the most pressing challenge is improving software security.

Software Comes First

"It doesn't matter how well we secure DNS, IPv6 [and BGP]," said a security administrator at the Virginia Polytechnic Institute and State University in Blacksburg who requested anonymity. "If we fail to address the vendor-induced vulnerabilities of client machines, then everything else will be compromised."

Last July, the university started requiring software vendors to prove that their products aren't susceptible to the top 20 vulnerabilities listed by the FBI and the SANS Institute.

"Every major attack on the Internet since 1986 has involved at least one of two factors: weak configurations or software flaws," said Jeff Shawgo, a former security administrator at a major health care company who is now an independent consultant.

"Our software economy pushes time to market above all else," he said, adding that software vendors must be held to a specific time requirement for sending fixes to users.

But getting software patches quickly isn't the only issue, said Susan Bradley, a security manager at Tamiyasu, Smith, Horn and Braun Accountancy Corp., an accounting firm in Fresno, Calif. Security patches designed to fix vulnerabilities often end up "breaking" other applications, she said.

"We must [then] determine whether the vulnerability exposed by not patching is worth the risk of patching," she explained. This process has left Bradley and her staff "shellshocked" from having to decide if a vulnerability warrants a patch that will almost certainly impact the firm's productivity, she said.

Vendor Action Required

Clint Kreitner, president and CEO of the Center for Internet Security in Hershey, Pa., said operating system vendors need to start shipping products with at least a baseline level of security settings in place as the factory default.

Application vendors also need to stop practices such as requiring root-level access for software installs, since that activates certain services that, if left on, could send user names and passwords in clear text; using random port numbers that can't be filtered properly; and allowing ephemeral network connections from outside the user organization's network, Kreitner said.
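The "secure as shipped" idea that Kreitner describes is, in practice, a comparison between what a vendor's default configuration actually does and a published baseline. The following script is an added example, not code from the article, from Computerworld or from the Center for Internet Security: it audits a constructed daemon configuration against a small hypothetical baseline covering the three practices above (root-level installs, unfilterable random ports, unrestricted external connections) plus clear-text credentials. The configuration format, the setting names, the assumed built-in defaults and the sample files are all invented for illustration and are not any real product's settings.

```python
"""Audit a shipped configuration file against a secure baseline.

Added example for this article; not from the article, Computerworld or CIS.
The config format ("key value" or "key = value", '#' comments), the setting
names, the daemon defaults and the sample files are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass(frozen=True)
class Rule:
    key: str                       # setting name, matched case-insensitively
    ok: Callable[[str], bool]      # predicate: is this value acceptable?
    default: str                   # value the daemon assumes when the key is absent (assumed)
    reason: str                    # why an unacceptable value matters

def fixed_port(value: str) -> bool:
    """A port is filterable only if it is a single fixed, non-zero number."""
    return value.isdigit() and 0 < int(value) < 65536

# Hypothetical baseline, modelled on the practices the article lists.
BASELINE: List[Rule] = [
    Rule("permit_root_login", lambda v: v == "no", "yes",
         "remote root login enabled"),
    Rule("cleartext_auth", lambda v: v == "no", "yes",
         "user names and passwords sent in clear text"),
    Rule("listen_port", fixed_port, "0",
         "random/zero port cannot be filtered at the perimeter"),
    Rule("allow_external_connections", lambda v: v == "no", "yes",
         "connections accepted from outside the organization's network"),
]

@dataclass(frozen=True)
class Finding:
    key: str
    value: str      # the effective value that failed the rule
    source: str     # "explicit" (set in the file) or "default" (key absent)
    reason: str

_LINE = re.compile(r"^([A-Za-z_][\w-]*)\s*(?:=|\s)\s*(\S.*?)\s*$")

def parse_config(text: str) -> Dict[str, str]:
    """Return settings as lower-cased key -> lower-cased value.

    Assumption: like several real daemons, the FIRST occurrence of a key wins,
    so a later, stricter line cannot silently override a permissive one.
    Comments and blank lines are skipped; malformed lines are ignored.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).lower()
        settings.setdefault(key, value)
    return settings

def audit(text: str, baseline: List[Rule] = BASELINE) -> List[Finding]:
    """Compare effective settings (explicit or assumed default) to the baseline."""
    settings = parse_config(text)
    findings: List[Finding] = []
    for rule in baseline:
        present = rule.key in settings
        effective = settings[rule.key] if present else rule.default
        if not rule.ok(effective):
            findings.append(Finding(rule.key, effective,
                                    "explicit" if present else "default",
                                    rule.reason))
    return findings

# Constructed sample: a permissive "factory default" file. Note the key that
# is simply missing, so the daemon's assumed default applies.
SHIPPED_CONFIG = """
# vendor defaults (constructed example)
permit_root_login yes
cleartext_auth = no
listen_port 0            # 0 = pick a random port at start-up
"""

# Constructed sample: the same file after hardening to the baseline.
HARDENED_CONFIG = """
permit_root_login no
cleartext_auth no
listen_port 2222
allow_external_connections no
"""

if __name__ == "__main__":
    for f in audit(SHIPPED_CONFIG):
        print(f"{f.key}={f.value} ({f.source}): {f.reason}")
    print("hardened findings:", audit(HARDENED_CONFIG))
```

The point the example makes beyond the paragraph is the `source` field: a setting that is never written in the file is still a finding when the daemon's built-in default is unsafe, which is exactly the gap between "the vendor didn't turn it on" and "secure out of the box".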

Other users said all of this will require more than good intentions on the part of the government. To be effective, the national strategy will require incentives and negative repercussions and possibly regulation—something that remains on the table, according to Bob Stephan, special assistant to Secretary of Homeland Security Tom Ridge for information analysis.

"If the DHS [U.S. Department of Homeland Security] is serious about creating real security real fast, it should do what government does best: create incentives that make what is best for homeland security best for the organizations that provide and use networked computing devices," said Gerald L. Jenkins, head of the IT group at Goldberg, Kohn, Bell, Black, Rosenbloom & Moritz Ltd. in Chicago.

But in the end, "the federal government may be forced to confront the hated 'R word'—regulation," said Jenkins. And a package of incentives that contains both "carrots and sticks" need not be heavy-handed or burdensome; it can be "precisely tailored," he said.

Plan of Attack

The National Strategy to Secure Cyberspace calls for:

IMPROVING key Internet protocols, such as DNS, BGP and IP; promoting improved routing through address verification and out-of-band management, that is, separate control networks used to counter distributed denial-of-service attacks.

FOSTERING development of trusted digital control systems for critical industries, such as energy and telecommunications.

REDUCING software vulnerabilities by improving patch distribution and encouraging software developers to promote out-of-the-box secure installation.

UNDERSTANDING infrastructure interdependencies and improving physical security for cyberinfrastructures.

WORKING with service providers to develop a code of conduct for network management.

Copyright © 2003 IDG Communications, Inc.
