Safety alert: data security is everyone's problem

DCX-Chol Enterprises and others question whether Windows-based systems are susceptible to attack

By Karen Abramic Dilger, contributing editor -- MSI, 3/1/2004

When it comes to the systems management tools that safeguard enterprise data, Jack Cate wants more elegance and control. As director of IT for DCX-Chol Enterprises, he is responsible for running 40 servers throughout the company's five locations, including its Los Angeles headquarters. It's a big job and one that requires 10 hours a week of maintenance, including distribution of patches and updates to nearly 300 desktops.

Since the aerospace & defense industry supplier's IT systems are Windows-based, Cate uses a server-side software product from Microsoft called Systems Management Server (SMS) to distribute software patches and updates to PCs. In the ongoing battle to shield corporate data from viruses and other threats, a range of technologies—including firewalls, intrusion-detection solutions, and systems management software—are being called upon to do more.

Given the fact that Microsoft's Windows operating system is the most dominant PC platform in the world, Microsoft has been a target of viruses and worms. In other words, malicious developers don't target obscure systems.

Yet experts and end users alike question whether Microsoft or any other single software company can make computing risk-free. For instance, Cate says even though Microsoft has made security a top priority, the adoption rate in the field typically lags new enhancements. "Sure, companies might be moving to the latest platform, but that can take years," Cate says. "In the meantime, what's Microsoft going to do—individually call all the millions of people using their software, and explain each step they have to take to make their systems safe?"

Microsoft has acknowledged some data security issues and is working to address them through enhanced capabilities in products including SMS, as well as educational efforts, but some experts point out the computing giant has a legitimate problem on its hands. "Certainly, in the past, Microsoft's basic coding practices and techniques were not focused on security," says Lance Travis, VP of core research for Boston-based analyst firm AMR Research. "But data security is not a problem unique to Microsoft—there are security risks in every other system. It's just that Microsoft's problems have been more visible."

Security gaps

At DCX-Chol, which uses SyteLine, a Windows-based ERP system from MAPICS, Cate says the use of SMS alone has helped the company "stay ahead of the curve" on security risks, but he also believes SMS could use some improvements. In particular, Cate says, he hasn't found a controlled or reliable method of centrally checking patch installations, so as an extra measure, the installations are manually verified.

"Microsoft is not doing a good job of controlling the patching process," Cate says. "The company hasn't listened to customers very well, and its methodology in managing and distributing patches is lacking—there isn't a solid way to centrally manage the process."

One concern, says Cate, is that SMS assumes updates should be delivered to all systems. "We don't always need or want every single update that Microsoft sends out, but we are forced to distribute them to all our systems," he says. "Then we go to each PC to double-check that the patch was installed correctly, and then reboot the machines. It's a major task because systems must be shut down to perform the Windows updates."

Cate says some other platforms have more elegant patch management capabilities than what he has seen from Microsoft. "Other platforms such as Linux and Solaris [a Sun Microsystems platform] have automatic reporting and patch management that highlight the most vulnerable systems, so users know which ones need a patch and which don't," he says.

But according to Bill Anderson, Microsoft's lead product manager, Enterprise Management Division, SMS allows a "collection" of computers to be created by an administrator based on a set of rules, which facilitates targeted updates. Microsoft also touts new enhancements to SMS, including the ability to deploy patches during planned downtimes.

In practice, say experts, while systems-level software can shield against risks, it can't eliminate them at the source. Certain features of office productivity applications, for instance, carry risks. Travis notes that feature-rich applications such as Microsoft Word are vulnerable to virus attacks simply due to their dynamic nature. "Each macro that is added to Word or other programs increases the security risk. Very static, basic applications are very secure, but they are not something anyone wants to use."

David Cahn, CEO of Y2G Associates, an Atlanta-based IT advisory firm, believes it is virtually impossible to totally secure any operating system or application due to the pervasive nature of viruses. "Even if Microsoft ensured the security of every system, a user could be running an older version of Windows Office and open an e-mail with an executable attachment, or someone could load malicious code as part of the software distribution process to infiltrate a system. The onus really falls more on users and network managers to know which version people are using, keep the antivirus software up-to-date, and distribute patches in a timely manner."

Heightened efforts

Data security solutions function at different levels of the organization and perform various functions. Systems management servers, such as Microsoft's SMS, distribute software and manage patches and updates. Besides Microsoft, other computing vendors offer systems management tools, including Hewlett-Packard's OpenView, and Unicenter from Computer Associates.

Solutions such as antivirus, intrusion detection, and vulnerability tools all perform a defensive role in attempting to block unwanted network traffic (see table). Other products such as virtual private networks (VPNs) focus on securely allowing in network traffic, and on controlling the traffic.

Microsoft Chairman Bill Gates has called SMS and another product—Microsoft's Internet Security and Acceleration (ISA) Server 2004—two key products in Microsoft's effort to ensure secure computing (see sidebar below). Microsoft describes ISA Server 2004 as an advanced application layer firewall, VPN, and Web cache solution.

Microsoft stepped up the level of commitment around security with the kickoff of the Trustworthy Computing Initiative in 2002, and again last October when the software maker redoubled its efforts after watching the sharp increase in criminal attacks on computer systems. "The popularity of broadband means viruses and worms can spread incredibly fast, and no software is immune from these attacks," says Jeffery Jones, senior director of the Microsoft Security Business and Technology Unit. "We continue to learn from security experiences and use them to improve our efforts. We've made great progress in understanding the multiple factors that allow malicious attackers to impact users and we're working to improve users' ability to protect themselves."

Jones advises all users to follow the steps outlined in the Protect Your PC campaign to ensure they have the highest level of security possible for their machines. He also recommends verifying firewall configuration, requiring employees to take steps outlined on the Microsoft Web site with home PCs or laptops, and subscribing to the company's free security notification service.

According to Microsoft's Anderson, Microsoft's lead product manager, Enterprise Management Division, Microsoft also has addressed some of the past problems with SMS Server and with patch development. "In the past, some updates caused errors within the system being maintained, which was traced to a patch quality problem. Over the past year, we have reduced the size of patches by 75 percent, had a 10-percent reduction in reboots, and extended out test processes prior to release."

Keep it simple

Not every enterprise, however, has the IT resources to run the latest systems management, firewall, or VPN applications. Microsoft's free Software Update Service (SUS), downloaded from its corporate Web site, allows users to search for Windows updates and apply patches directly to their operating systems. At least for some manufacturers, SUS helps them take security measures without upping IT costs.

Brittain Machines, a Wichita, Kan.-based machining and stamping manufacturer for the aerospace industry, uses Microsoft's SUS for critical security updates for its Windows NT and 2000 servers. The company uses Vista, a Windows-based ERP system from Epicor.

"SUS is much simpler and easier to implement than SMS, and for our purpose and our size company, it's the best solution," says James Kellogg, information systems manager. "The SMS is more feature-rich and does have added management benefits, but we wanted an affordable, easy way to perform updates. With SUS, I have control over critical updates without visiting every machine, and we can test patches before deploying them everywhere."

Kellogg has heard about SUS and SMS causing new problems during the patch management process, but has not run into those himself. One word of caution from Kellogg is to "ensure NT patches are installed in the right sequence because it can bring the server down if they are not installed in the right order. If you have newer software, you don't have to worry about it."

Although most viruses are aimed at Microsoft's technology, other vendors know their systems are not immune to attack. "We haven't had a rash of security flaws, but with more than 1,000 products, we cannot afford to rest on our laurels," says Ian Hameroff, senior security strategist for Computer Associates. "Security can't be viewed as a bolt-on, after-the-fact remedy, and it's not dictated by a specific system, platform, or application. But it should involve proactive measures, such as prioritizing the risks and vulnerabilities of your infrastructure, and trying to determine the impact an attack would have on your network."

Computer Associates' line of security management tools is called eTrust, and includes nearly 30 products, from antivirus and access control to intrusion detection and vulnerability. All systems are managed via the Security Command Center, which acts as the central nervous system to manage disparate systems and networks. Although the company does not bundle eTrust components with Unicenter, the products can work in tandem to protect and manage networks, concludes Hameroff.

Security tools: two basic flavors

Defensive strategies

Intrusion detection and prevention systems augment a firewall in securing a network by identifying and stopping attacks. They use multimethod detection to identify malicious network traffic and are controlled via a rules-based, centralized management system.

Antivirus programs detect and can eliminate viruses. Some antivirus programs have the ability to fix files and computers that have been infected by viruses. Others can prevent the damage of a virus by alerting the user to its presence and then stopping the virus from loading.

Firewalls restrict access into a private network. All traffic must pass through the firewall, which decides, based on rules, what traffic is allowed into the network.

Collaborative security

Access/identity management tools govern the process of authorizing users, groups, and computers to interact with data and objects on the network. Smart cards offer a two-factor authentication security solution for remote access.

Public Key Infrastructure is a system of digital certificates and certificate registration organizations that verify and authenticate the identity of users involved in an electronic communication or transaction.

A virtual private network is a private network that uses public wires to connect nodes. The private network is established to protect the transmission of sensitive information through public networks, using authentication and encryption methods.

 

Is your company an easy target?

"Vulnerability" solutions monitor systems to spot risks

As the number of internal attacks on corporate networks continues to rise, IT managers are learning they cannot afford to be complacent when it comes to security. "Many enterprises don't know the state of the applications on their networks," says Mark Winn, CEO of Intrusec, a supplier of vulnerability and detection systems. "They are not aware of the systems on the networks, how they are protected, and which systems are most vulnerable to attack."

Web servers are notorious targets for hackers since they typically are the most accessible. Data warehouses also can be susceptible since they often contain a wealth of corporate data, which often is passed at a frequent rate, says Winn.

"Another big source of risk is remote and mobile computing," Winn says. "Palm pilots and Java-enabled cell phones are very popular, and therefore considered vulnerable devices. Plus, any company can have a disgruntled employee or ex-employee that knows how to get into the network. And, if the company has multiple versions of one ERP system running, hybrids of other systems, and various versions deployed at each site, it is very difficult to manually police what is most vulnerable."

Intrusec's vulnerability assessment system finds potential security gaps in networks and launches a targeted investigation to verify vulnerabilities. The system's repair process includes suggestions on how to fix problems, such as applying a patch or update. "Due to the frequency of change in an organization, the system can be set to periodically launch investigations to check for new vulnerabilities," says Winn. "Patch management and Internet scanners are valuable tools, but the number of vulnerabilities has grown to the point where it takes a great deal of time to run tests across an entire network. Plus, most security scanners must shut down networks while running tests, where vulnerability tools do not."

Once the vulnerability system runs a scan that tells users where changes have been made in their networks, the system then targets only those points of change, which streamlines the entire process. Winn offers this example: "An employee brings home a laptop and installs a new program on it. When it is brought back to the office and plugged into the network, the IT staff wouldn't know about the vulnerable program that was added. However, the vulnerability system would find it, send up a red flag, and fix the problem."

Gates on security

Comdex address positions security as job 1

Ever since Microsoft launched its Trustworthy Computing Initiative a couple of years ago, the world's largest software company has let it be known it is elevating data security to a higher level. In his speech at the Comdex show last fall, Microsoft Chairman Bill Gates reiterated the importance of security, and pointed to specific products Microsoft offers to address the problem.

Gates called security the most "acute" software challenge in the industry, "and certainly the largest thing that we're doing." He singled out two key capabilities for better security: managing software and patches centrally, and shielding networks from outside threats.

"We have two very key products that play a role here," Gates said. "One is our System Management Server, SMS 2003. This is a product that's about making sure you know exactly what software you have in your environment. Today more than 90 percent of our enterprise customers have this licensed, and for managing their Windows environment, this is the solution.

"Another key product that has to do with being able to create boundaries and firewalls so that you never run into problems is called ISA Server 2004," Gates continued. "This is a firewall-type product that goes further than the classic firewall. In fact, we talk about it as an application layer of security. It can be used by itself, where it will provide the traditional firewall capability in the application layer. Or [it can be used] with a traditional firewall and it simply takes and does the parsing of the software commands to understand exactly what's going on and what can be done."

©2008 Reed Business Information, a division of Reed Elsevier Inc. All rights reserved.