By Edward P. Yakabovicz
Regarding the recent FBI/NIPC vulnerability alerts and warnings about general security issues with Microsoft products: Was anyone really surprised? I would venture to say that a vast majority of the information security professionals in the financial world agree that the warnings should have been issued months or even years ago. These warnings are not new, nor are they the outcome from any one recent incident. Instead, the black eye Microsoft has endured from the FBI is really the result of inexperienced systems managers and poorly informed company executives who have fallen into the belief that systems maintenance, both Microsoft and others, is a once-a-year effort, thus budgeted so.
Don't get me wrong, the Microsoft server software product line is excellent and has been the catalyst for many of the Internet and technology advancements that exist today. I believe the shortcomings of Microsoft are not based on the product, but on perceptions, human nature and simply poor information security management practices. Many solutions exist today to resolve these issues, but companies must be willing to invest time and effort -- weekly, monthly and yearly, not simply a one-time practice.
Although the Microsoft Server product line is exceptional and has provided the means for the overall industry to advance many technology years in a short
Experts and novices alike seem to agree, Microsoft makes systems management appear easy -- sometimes too easy. Simply put, Microsoft is "pretty" when presented with all the graphical administrative tools and features. Presentations from Microsoft show these excellent interfaces and how systems are maintained, yet they don't always mention the technically advanced command line and registry entries that are not easy or graphical based.
Did Microsoft miss something by accident, on purpose, or did the industry create the issue now at hand? That issue is not the reason systems are being hacked. This is commonplace in the industry today. There are many vulnerabilities for every product on the market. Not one is completely secure from attack or hacking simply because most must function and communicate with the Internet, which is TCP/IP based. Since the TCP/IP suite has inherent flaws, any system proposing its use must also accept these weaknesses.
The Microsoft alert issue is not the pretty GUI interfaces or features. Instead, the issues now at hand have been caused by the inherent weakness involved with using the TCP/IP suite on the Internet, technology increasing faster than humans can be educated and lack of clear-cut general information security management of networks. Additionally, Microsoft is one of the leaders in computer software manufacturing, thus making it a primary target for hackers worldwide.
Additional consideration must also be given to the social impact caused when technology increases faster than education of the people required to maintain these systems. Microsoft has done an excellent job certifying people through the many certification programs available.
The MCSE program alone has certified over 300,000 people. Of these 300,000, how many actually have the years of technical experience normally required to maintain systems securely? I'm not sure, and I doubt Microsoft knows either. What I do know is that the Microsoft products, as well as all other systems, require maintenance and care, such as applying software patches, maintaining the registry and upgrading when necessary. Although Microsoft provides TechNet and other avenues of assistance, they cannot provide years of experience gained by working in the industry.
My personal experience with Microsoft products has proven that systems administrators with certifications but no experience typically miss many of the common management practices that other experienced administrators take for granted. Thus, we have added the human and social impact to the overall problem. Included in this equation for failure are the many software patches and other relevant information from Microsoft released monthly. These patches have proven difficult to track, and even the most experienced person can make a mistake and miss one, as recently discovered when a Microsoft employee forgot to apply a patch to one server, making the whole Microsoft Internet presence vulnerable.
Microsoft has helped the last 10 years of computer server technology advancements by providing an excellent product, certifications programs and continued support for both. Human nature and social impact have provided the people to maintain these products by offering advancements and financial gains. The failure, as in the latest FBI/NIPC alerts, typically viewed by the public as a Microsoft issue, needs further evaluation. This issue is not caused by software patches, but instead by lack of experience or time to follow up as necessary when new patches are released. As in the Information Security world, experience is the key to ensuring proper systems management of all products used within a company.
The computer industry as a whole needs to stop pointing fingers and instead inspire proper information security methodologies and tools to ensure all products are properly maintained and updated. Experience, or the lack thereof, should never be a security issue if the proper security procedures are in place and company executives informed in real-time, not only when incidents occur. Use of information security professionals and technologies can greatly decrease the risks now present in newspaper headlines today. Experienced information security engineers are an excellent resource to counter the impact of inexperienced or uninformed managers at the systems and executive levels today.
About the author:
Edward P. Yakabovicz currently works for Fortrex Tech in Md. He has 19 years of experience in computers with a focus in security and engineering. He holds certifications in CISSP, MCSE, CCNA and CNA.
This was first published in April 2001