Regaining control
Kelly Martin, 2005-11-29

Securing endpoint systems by locking them down using complex software brings back memories of another era, where business computers were once used for business applications only - and businesses retained control over their assets and data.

I remember when the dot.com bubble burst and Netscape was annihilated by Microsoft - I was traveling across India at the time, greatly amused at the fact that the world's second most populous country still uses ancient 286 computers and green screen Wang terminals everywhere. I found this very entertaining until I realized that these systems were 100% application-driven business systems used to fulfill a need, and nothing else. They functioned well as business equipment. Security issues were minimal. Lost productivity from web surfing, Instant Messaging and email was non-existent - because these “computers” had very little else that they could do except business.

Fast-forward to 2005. Most of the world's green screens are long gone, replaced with personal computers that can do so much more. Security now weighs heavily on the desktop, though, and it's starting to bring functionality and productivity full-circle again. More on this in a moment.

We should all agree that security of our endpoint systems (largely our "business desktops") is a complex nightmare now, a mess that no one can solve. Business applications have moved to the web, following a vision. Great. But having a browser and an email client today is still a massive security risk. Almost all businesses still rely on a single, compatible desktop for accessing business applications that have (almost all) moved to the web. I find this ironic in light of the universality of the Web and the availability of less expensive, more feature-rich alternatives that are easier to manage and secure. However, today's business environment means that our focus on security of the endpoint still starts with Internet Explorer, an integral part of today’s business operating system.

Browser security

The vision of using a browser as the future window into business applications has been blurred. We have been tricked into believing that a heavy desktop with heavy security add-ons is the only safe way to access the Internet and do business in 2005. Just to browse the web on my business computer I need a firewall, modern anti-virus with updates, three different anti-spyware applications with updates, frequent updates to the operating system and browser components, and of course I still need the browser itself - Internet Explorer. Simple, right?

Even with all these, I still do not feel safe doing any Internet banking on my business computer (during my lunch hour) because I might still have a rootkit - virtually undetectable - or an undetected virus or Trojan that was targeted to me or my company specifically and installed through some 0day exploit in my browser. Fantasy? Paranoia? No, this is happening all the time and it’s getting worse.

There are browser alternatives, sure. Version 1.5 of Firefox is expected this week, and most existing Firefox users will upgrade. Despite all the new features, however, I can barely stifle a yawn about this major release because of the limited market share that this (otherwise excellent) browser commands. And as far as security, with the latest run of security issues that have plagued Firefox, I’m no longer convinced that it’s any more secure than Internet Explorer when used with those three different anti-spyware applications I have been forced to run. I still use it for its features, but not for its security.

The reason that technologically superior, feature-rich browsers like Firefox have no more than a 10% market share after years of work is that they do not solve many of the security problems on the desktop. They also don’t offer any advantages for accessing business applications over today’s industry standard, Internet Explorer. They offer only features. And they don’t command enough market share to begin to offer any new web-specific features like Netscape did back in the day. It’s amazing to me that we still use old technologies Netscape invented - like cookies, JavaScript and SSL/TLS - and that new technologies aren’t replacing these because there’s no longer any real browser war to facilitate innovation.

Time and again, the best technology does not win the battle, it only gets copied like a cheap watch that’s made in China and then gets assimilated into a monopoly - one that calls these copies "innovation" and sells them to the mass market. When the springs in that watch keep falling out, as is happening now, the only ones to blame are those who bought the cheap watch in the first place - which is most of us. However, these watches still have many advantages: the springs are interchangeable and have less expensive parts, plus they are all compatible with each other. Never mind how much time, effort and money is spent to fix these problems. Never mind all the added software required to keep them running, either. The system you use at work has effectively the same springs, wheels and pulleys as the system you use at home - which is ideal for those of us who enjoy working evenings and weekends on top of every business day.

Securing a business computer

I believe we have almost come full-circle, to the point where our endpoint systems need to become 100% business oriented again just to keep them secure. Lock down those corporate computer systems so tight that they cannot be used for anything except business activities again - like those green screen terminals I saw in India, albeit with much more functionality thanks to today’s modern computing world. Take out the "personal" part of the personal computer, and make it a part of your business. Allow me some latitude to explain.

It is possible to have a very secure business computer on a network - quite different from a personal computer that one might find in his home. Business computers are equipment used to perform business tasks and are the property of the business that purchased them. Therefore, personal information on this equipment should be kept to an absolute minimum. No games are allowed. No illegal MP3s. No administrative access should be allowed - reduced user rights are an absolute necessity. No personal software is allowed either, due to support and security issues. No music CDs either, because they might be a major security hole. No privacy is guaranteed - the company’s policy almost assuredly permits the monitoring of all web surfing activity, email and instant messaging activity. No peer-to-peer software is permitted and definitely no personal VoIP software. Manage and administer all installed applications from within the IT department and consider this software as inventory. Not even personal screensavers or desktop backgrounds are allowed - the company’s logo must typically be seen at all times. Corporate policy must be enforced on these business systems - not only because they are property of the business and represent the business, but because it is also the only way to enforce security.

The latest craze, heavily managed endpoint systems in a business environment, is not too far from this mark.

However, none of these approaches go far enough. Viruses are still rampant, and anti-virus software just does not properly address today's corporate threats (disclaimer: SecurityFocus is owned by Symantec Corporation). Trojans and worms can, will, and do penetrate all major corporations. Targeted Trojans are siphoning away corporate profits. Users will click on just about anything.

A business computer should be secured according to its function. For many users, the business computer is little more than a glorified stapler, calculator or typewriter, a tool used to perform a task to conduct business. Companies should treat it as a piece of equipment. Email attachments need to be stripped away. USB ports need to be closely monitored or even filled with glue. Business cases need to be made why Sally in Accounting needs to surf the web over her lunch break or listen to music through her equipment, because either of these actions can now threaten the entire corporate accounting system through a rootkit or a backdoor that accesses private data from the inside. CIOs need to put their foot down, and make a stand on corporate policy in the name of security. Those nuts on the corporate computer systems need to be locked down so tight that they can do little else except permit the business to run.

Good luck doing this at any level lower than the CIO.

Securing information

Once the desktop systems are secure, we can try to tackle the larger job of securing, indexing, and accessing the wealth of our business information and associated profits - what actually drives our businesses and business transactions. Companies like Oracle have a major stronghold on most data systems today. Microsoft is in there as well, and surprisingly has a better track record of keeping its database secure.

I believe we’re in good hands, too - the juggernaut known as Google seems to believe the web and the Internet are still the key to the future of the world's information. I wonder if they’re onto something? They really don’t care which browser or operating system we use, either, or how many holes are found in it each month. It’s a fundamentally different business model than selling software and game consoles.

Now if we could only get those endpoints secure.


Kelly Martin has been working with networks and security since 1986, and he's editor for SecurityFocus, Symantec's online magazine.
Copyright 2010, SecurityFocus