Safety Net: Outsourcing to Enhance Security

Dave Krueger and Ellen Tsotis make up the entire IT department of a 300-person independent insurance company in metropolitan Chicago. One afternoon, while celebrating the successful deployment of a new Web-based system management tool, they noticed unusual activity on one of their key servers. A casual glance showed five users on the system. Krueger recognized four of the usernames. The fifth was a mystery to both of them.

With the machine running at 100 percent of capacity, Tsotis had trouble logging in; the server was as sluggish as it would be under Monday-morning load, not on a quiet weekend. By the time she got in, she found that the mysterious fifth user was consuming more than 99 percent of the server's resources, leaving only a tiny timeslice for her and the other four users. She used her administrative privileges to try to stop the apparently runaway process. When she did, her own session was terminated. Very concerned, she weighed her options and then abruptly powered the server down.

The pair decided to remove the machine from the network and restart -- only to receive the dreaded "Operating System Not Found" message when they tried to revive the machine.

A later investigation revealed that a relatively well-known vulnerability in Microsoft Corp.'s Windows NT had been used to gain access and to set privileges for a spurious account. Three months later, the two still tell the story with voices full of anger. With just two people in the IT shop, how were they supposed to keep up with all the product patches and fixes that Microsoft comes up with?
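The attacker in this story got in through an unpatched hole and then created an account and gave it privileges. Patching closes the first door; the second step is cheap to detect if you keep a baseline of who is supposed to hold administrative rights and diff the live group membership against it. The following script is an added example written for this page, not code from the company or any vendor quoted in the article. It parses the output format of `net localgroup Administrators` (available on Windows NT 4 and every Windows since), and the sample listing, the baseline account names and the rogue account `svc_backup2` are all constructed for illustration.

```python
"""
Baseline check for unexpected members of a privileged local group.

Compares the current membership of the local Administrators group, as
printed by `net localgroup Administrators`, against a baseline recorded
when the host was known-good. A newly added administrative account then
shows up as a diff instead of as a mystery user on a console listing.

The sample text and account names below are constructed for this example.
On a real host you would feed the parser the stdout of
subprocess.run(["net", "localgroup", "Administrators"],
               capture_output=True, text=True).
"""

# Hypothetical baseline: the accounts that are supposed to be local admins.
BASELINE_ADMINS = {"Administrator", "CORP\\Domain Admins", "dkrueger", "etsotis"}

# Constructed sample of `net localgroup Administrators` output on a host
# where an extra account ("svc_backup2") has been added to the group.
SAMPLE_NET_LOCALGROUP = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
dkrueger
etsotis
svc_backup2
The command completed successfully.
"""


def parse_net_localgroup(text: str) -> set[str]:
    """Return the member names listed in `net localgroup <group>` output.

    Members appear one per line between the dashed separator and the
    trailing 'The command completed successfully.' footer. Names may contain
    spaces and a DOMAIN\\ prefix, so each stripped line is taken whole.
    """
    members: set[str] = set()
    in_members = False
    for line in text.splitlines():
        stripped = line.strip()
        if not in_members:
            if stripped.startswith("----"):
                in_members = True
            continue
        if not stripped or stripped.startswith("The command completed"):
            break  # end of the member listing
        members.add(stripped)
    return members


def diff_against_baseline(current: set[str], baseline: set[str]) -> dict[str, set[str]]:
    """Split the difference into accounts added and accounts that vanished.

    Additions are the intrusion signal. Removals usually mean a legitimate
    admin was dropped, or that the baseline is stale and needs re-recording.
    """
    return {"added": current - baseline, "removed": baseline - current}


def check_admin_group(text: str, baseline: set[str] = BASELINE_ADMINS) -> dict[str, set[str]]:
    """Parse a group listing and diff it; an empty 'added' set means nothing new got in."""
    return diff_against_baseline(parse_net_localgroup(text), baseline)


if __name__ == "__main__":
    result = check_admin_group(SAMPLE_NET_LOCALGROUP)
    for acct in sorted(result["added"]):
        print(f"ALERT: unexpected member of Administrators: {acct}")
    for acct in sorted(result["removed"]):
        print(f"WARN: baseline member no longer present: {acct}")
    if not result["added"] and not result["removed"]:
        print("Administrators group matches baseline.")
```

Run this from a scheduled task and mail the output, and the "fifth user" is an alert instead of a surprise. The baseline itself should live somewhere the server's own administrator account cannot rewrite, otherwise an intruder who already has the privileges you are checking for can simply add himself to it.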

A Critical Problem

Limited resources are the critical problem: good security practice demands a commitment and level of staffing that many companies cannot afford. In large companies, people can be dedicated to applying the most recent patches, reviewing alerts and reports, and making sure business procedures don't subvert the secure infrastructure. In a smaller company, with the combined pressures of the bottom line and a thin staff, it is hard to dedicate anyone to the essential tasks of keeping the enterprise secure.

A dearth of talent isn't a headache reserved only for small and medium-sized businesses. Chris Klaus, CTO of Internet Security Systems Inc. (www.iss.net), says, "There’s a huge lack of security talent and resources. With customers getting more and more paranoid, even large companies are security deficient." Some estimates show that only 20 percent of Fortune 500 companies have an appropriately sized security staff.

Even a glance at Microsoft’s security resource center (www.microsoft.com/security) leads one to believe that addressing security in a networked Windows environment is a full time job. Considering that there are many sources for Windows NT security information -- NT Security News (www.ntsecurity.net), for instance -- how can a small or medium-sized IT staff remain vigilant over numerous patches and fixes?

"I think that from our site and mailing lists, users get a ton of good information that really helps cut down their own research time," says Justin Hill, editor at large for Windows Security Digest. But he admits that subscribing to his digest isn’t enough: "Does our information replace diligent research practices? Not really, but it offsets that work tremendously."

Hill notes that there is a real security conundrum for many organizations. "If you don’t have time to research, then you probably don’t have time to fix things either. The bottom line is that companies have to decide if security is important enough to invest additional money in handling it," he says. It’s possible to reduce the amount of time needed to scour newsgroups and Web sites by subscribing to a service, but Hill admits, "A company still needs to have somebody on staff to read that information and act on it."

Window of Opportunity

It’s easy to be lulled into thinking that Windows NT environments face more vulnerabilities than other platforms. After all, most press reports on security problems seem to focus on Windows NT or BackOffice. Some would argue that even if Unix and Windows NT had the same number of problems, NT’s would be more severe because the platform is so much younger.

"That’s an interesting argument, but from the wrong premise," says Jeff Johnson, president of Meta Security Group (www.metasecuritygroup.com). "Suppose there are between 500 and 700 known vulnerabilities in the Unix environment and about an equal number in the Windows NT environment. The quick discovery and eradication of problems in the Windows NT environment is basically a reflection of the fact that more people are interested in NT right now."

Some believe there is something fundamentally different that makes Windows systems more vulnerable to attack. "I don’t think so," Internet Security Systems’ Klaus says. "All technologies eventually seem like Swiss cheese, not just Microsoft’s. New applications, like electronic commerce, put great pressure on the tools we count on every day. No matter what the foundation of your system is, high-volume applications like e-commerce have a tendency to highlight how vulnerable the underlying infrastructure really is."

It’s not just the infrastructure. "Applications on top of Windows NT represent an enormous opportunity for wrongdoing," Klaus says. "The big risk is a database with easy-to-guess passwords, which defeats all the well-intentioned efforts of a properly secured operating system."

Kevin Lynch, a Lotus Domino product manager specializing in security at IBM Corp., agrees: "For those of us building enterprise-class applications, all of the major platforms provide nearly the same security set. We don’t see any serious distinction between the relative features of Windows NT and Unix, for example." Instead, Lynch points to a more serious problem: "No matter what platform you deploy on, the weakest link is the administrative toolset."

It’s more likely that a business will use its security tools if they are integrated and in one place, Lynch says. When they aren’t, administrators have to "look all over their system for their tools, and that leads to the most common security problem of all -- a problem common to all platforms -- holes that can be exploited because of administrative neglect."

Special Delivery

Intruders often focus their attacks on systems that are understaffed or run by network specialists who don’t have time to research vulnerabilities and update their systems. Many attacks on such systems succeed simply because the defenses aren’t current. Others succeed when a routine configuration change, made without a second thought, has consequences nobody anticipated.

A traditional option has been to look outside the enterprise for help. But the cost of arranging security consulting from a qualified networking company can be a daunting prospect. Daily consulting fees, travel expenses and per diems are often a barrier to using outside help. Even when finances for outside help are found, the contractor will eventually leave. In the end the organization is often in the same quandary it faced prior to the arrival of the consultant.

New alternatives to the standard model of outsourcing crucial security tasks are emerging. Meta Security Group’s Johnson says, "What’s needed is a refinement of the delivery mechanisms for security management. Rather than bring expensive staff into the organization, what about doing the security analysis remotely?"

Meta Security Group’s strategy is to conduct most of the security and business analysis remotely. "Once the analysis is complete, we can provide a plan for addressing vulnerabilities and incident response requirements. Making that plan operational means transferring enough knowledge so that the company can do the needed monitoring and use us to keep the operational part of the security up-to-date," Johnson says.

Looking Out for Outsiders

Can outsourcing critical security tasks work? Some companies couldn’t make their site secure any other way. Consider Blueline Online Inc. (www.bluelineonline.com), a company that manages engineering and construction projects through Internet-based services. According to Ashok Segu, vice president of engineering at Blueline Online, "It is practically impossible for us to keep up with developments in security in our mixed Windows NT and Unix environment. Because we’re a small online company, we need security support seven days a week, 24 hours a day. Even if we could have found the people, the cost would have been prohibitive."

Blueline contracted with Pilot Network Services Inc. (www.pilot.net) to outsource around-the-clock security services. "For us, it’s almost like they are our own internal security group," Segu says. In a business that includes sharing engineering drawings for casinos in Las Vegas, security is crucial. "In our case, the economics were crucial: We factored in the cost of designing and implementing the security for our network, the ongoing body of knowledge and experience to keep the security current and the cost of having independent evaluations of Pilot’s services. The combined cost was still cheaper than trying to do it ourselves."

Segu is happy with the outsourced security service, but he warns companies that think signing a contract with an outside vendor is the end of their work. "People really need to have a clear understanding that you can’t just throw all your security over-the-fence and say that’s it. It’s your network and ultimately your responsibility. When you bring in someone from the outside you need to put in a continuous effort until you’ve reached a steady state."

Counterintuitive Security

The evolution of security to outsourced -- often remote -- services generates a dilemma for the small or medium-sized business: Isn’t putting security in the hands of an outsider a huge risk?

To be successful, security vendors have to develop a trust relationship with their clients. That process, not the technical tasks, is often the most difficult part of using an external vendor for supplying secure network services. "You have to build that trust over time," Blueline Online’s Segu says. "You don’t have that on day one. We found that we had to ensure that the lines of communication between the vendor and ourselves were as open as possible. The better we communicated, the fewer surprises there were. Still, that was a lesson that took us some time to learn."

Even though outsourced security services represent a way to accomplish something that wasn’t economically possible in the past, many businesses are reluctant to explore that option.

After her experience with a break-in and the subsequent cleanup effort, Ellen Tsotis briefly considered using an outside security service to help manage her network vulnerabilities. So far she continues trying to make her network secure on her own, not yet trusting those attractive outside services. When asked why, she quoted an old American proverb: "You know, the only way to be safe is to never feel secure."
