Who protects the Internet? - THE OFFICIAL BLOG OF THE SBS "DIVA"
Sun, Jan 2 2005 23:02 bradley

Who protects the Internet?

Back from our New Year's trip to Disneyland.

We survived the Tower of Terror ride [well the adults barely survived, the 10 year old we were with wanted to go again].

While in the park we noticed two cool technology items.  One was at the Test Pilots grill where we were able to order our food from a touch screen menu order taking system.  We also checked into the hotel using a similar technology.

At dinner in Downtown Disney, the 10 year old asked “Who is in charge of the Internet?” and we had to explain to him that there are many organizations that provide the backbone of the Internet, from phone companies and whatnot, and we explained how the Internet came into being.

Then the 10 year old asked “Who protects the Internet?”

Hmmm... good question from a 10 year old.

I would argue that we all do.

We do when we patch, when we make sure our antivirus is up to date, when we don't open up emails automatically.  We also all protect the Internet when folks like those at www.incidents.org keep an eye on things and notify the necessary parties.

You know they are volunteers, don't you?

You know you can help out, don't you?

It takes all of us, yes even little SBS networks to do their part to make the Internet safe.  We're all on this highway together.

So keep an eye out, will you? 

And remember, WE ALL help to protect the Internet.


# Who REALLY protects the Internet?

Monday, January 03, 2005 10:36 AM by TrackBack

This morning I read an interesting post in which Susan says that in response to a 10 year old's question of "Who protects the Internet?", her response is "I would argue that we all do." Susan always looks on the bright side of things. I, on the other hand, look at the dark side of infosec and have to disagree. In a perfect world, we all SHOULD be part of the solution, but we rarely are.

Every workstation attached to a network has a great influence over the security of everything else in the entire organization. Once connected to the Internet this is compounded 10 fold. Thus the security of information is literally in the hands of those using the workstation, the end-users who rarely care about security. The zombies out there used by botnets are a LIABILITY, not an ASSET. And that liability impacts me. It impacts you. It impacts us all.

You see now I not only have to make infosec decisions to protect my organization from traditional risks, I have to make decisions to protect against the incompetency of lazy administrators or end-users who have no clue how to manage security. In other words, I typically have to include risk management decisions against the very same people Susan believes are the protectors.

Everyone needs to be responsible for their own house. Good security practices require the effort of the community wherein everyone does their part to protect their own systems. Unfortunately reality sets in, and that rarely is the case.

Don't believe me? Look back in the last few years. How many vulnerabilities were exploited due to people who DON'T have the latest patches? In many cases, the patch was rolled out MONTHS before the attack vector was utilized. Why aren't we using better patch management? And adding technology like intrusion prevention systems to aid in limiting the risks during the Exposure Window of a new vulnerability? Probably because such software is not a panacea.

Recently I had my own issue in which Shavlik's HFNetChkPro Security Patch Management software failed (due to my human error) to effectively protect me. I upgraded to ISA 2004 on my SBS 2003 box, and then downgraded back to ISA 2000. In the midst of this I requested HFNetChkPro to reinstall SP2 for ISA2000. It told me it was scheduled and it even forced a reboot. I (erroneously) assumed the patch was in place. It wasn't. Luckily for me it was found out within a couple of days, before an exploit was found for the firewall. However, even with my vigilant security practices I failed to manage the patches effectively. Patch management software needs to get easier and more reliable for us to take advantage of that. ESPECIALLY for the end-user. You know... those zombies part of that hacker botnet that is spewing forth DDOS against targets like you and me.

I would like to believe we are all doing our part to protect our little corner of the Internet. Unfortunately I am a realist and know this isn't the case. If it was... the massive destructive force of malicious code wouldn't be taking down the critical infrastructure in our society.

Has your head been in the sand to not know what I am talking about? Hostile code and poorly designed software have shown us the vulnerable nature of the Internet:

- It has taken down complete power systems
- It has taken down banking systems
- It can put our air traffic control at risk
- It caused 911 systems to fail

These are just a few examples. Here is a quote from an MSNBC article I recently read on the subject:

> Although corporations, governments and other institutions have gotten more savvy at protecting their computers with firewalls and security software, millions of PCs in people's homes are sitting ducks for invasive software. That's why the Slammer virus was able to infect 75,000 computers in just 10 minutes. In South Korea, which has the highest proportion of broadband-connected homes - 70 percent - in the world, the top three Internet service providers were shut down, bringing virtually all of the country's e-mail and Web browsing to a halt. Slammer also disrupted the Davis-Besse nuclear power plant in Ohio, froze a 911 emergency-call-dispatching system in suburban Seattle and took down Continental Airlines' ticketing and reservation systems. The Blaster worm brought down CSX's train-signaling system in 23 states and Air Canada's computer check-in service - and some experts speculate that it might have been a factor in the power outage that threw much of the Eastern United States into darkness.

We know about these problems, but we are having a hard time dealing with it. Worse yet is that we are exposing ourselves to more risk by connecting these things to the public Internet without the proper safeguards. WHAT THE HECK ARE SYSTEMS LIKE NUCLEAR POWER PLANTS, TRAIN SIGNALLING SYSTEMS and 911 DISPATCH SYSTEMS DOING ON THE INTERNET IN THE FIRST PLACE?

Many people in charge of these systems are just not getting it. Why? Because security is a process and not a product. (Sorry Schneier) In other words, you can't simply buy a product and be protected. The latest OS isn't going to do it alone. Nor will the latest antivirus. Or firewall. Or IDS. Or IPS. It takes a "higher level of thinking" in which we apply technical safeguards to layer security to defend against multiple attack points. We need to educate the end-user while at the same time simplifying security so that they can get it. If security is thought upon as being too complex, we have FAILED... something is wrong in the designed process.

As security software engineers, we have to bridge that gap between the user and security... in a way that is seen to be CONVENIENT for the user. How do we do that? By applying infosec principles and practices in the DESIGN of secure systems while remembering who is using it... the user. We can't bolt it on later and assume end-users will welcome it. Want an example? Read my Longhorn rant from last year on adopting a least privilege stance for users. Now I know this next point is...

# re: Who protects the Internet?

Monday, January 03, 2005 2:16 PM by bradley

An interesting question "Who Protects the Internet?"
You could answer this question a number of different ways, and because most people who read this column are computer geeks, you'll probably get a computer geek answer.

But to the rest of the world which would probably include most 10 year olds, I think you could also come up with many other answers, and I assume that when this question is posed it has to do with ensuring our individual Use of the Internet and not usually asking who might protect the integrity of the Internet's infrastructure which is a different issue.

The Internet is apolitical - The Internet does not recognize normal political boundaries. Kingdom-states can claim jurisdiction, create laws which reflect community mores and enforce those laws. So, no one can police (Protect the Interests) the Internet unless the perpetrator is located in and the foul deed is within a very narrow set of parameters.

The roots of the Internet Philosophy - Individual Freedoms. Newcomers to the Internet community do not understand the concept of true unrestricted free speech. The world still wonders at the simple power of the Blog and how it has transformed how news travels the world, for instance after catastrophes like the recent Tsunami in South Asia. What society grants these kinds of freedoms? Even in the USA, as proud as we are of the origins of our country and the principles we espouse, we cannot touch the level of unfettered freedom on the Internet. And, with that vast freedom come the concepts of individual responsibility, describing the scope (limits) of that freedom, i.e. actions which do obvious harm to others, and reconciling how people might behave on the Internet when it conflicts with what is acceptable in the local community.

Economic - The Internet is like a concrete superhighway. It's like power and gas. It's a power enabler for commerce. And where money can be made, everyone will want to stick their fingers into it. Traditional kingdom-states who don't want to lose traditional sources of tax revenue and greedily eye new. Big, traditional companies. Small startups. And, criminals.

Now, the reason why I mentioned these different perspectives and possible responses in response to "Who Protects the Internet?" is because before anything else you have to establish whose interest(s) you're protecting and whose interest(s) you wish to restrict before determining if and who a someone can exert some kind of control over some behavior.

So, for instance there is a problem in prosecuting identified authors of viruses if that person is in a country with laws inadequate to describe behavior on the Internet. Countries must create quid pro quo or other cross-border agreements to find, arrest and convict child porn.

Then, even as you start to say that we need those types of social community conventions applied to the Internet we should all take a moment to pause and ask ourselves... do we really want to replicate the same types of social laws in each of our communities to the Internet? Does that really serve the common good? Do YOU really want to live according to someone else's dictates?

It's a question every individual has to answer. Of course, you'll always get a "More Policing is Better" from

- Governments
- Communities and individuals who somehow believe that they personally live their lives better than everyone else in the world and "poor, poor everyone else."
- Closed societies who do not believe in free speech

But, the rest of us should hopefully have faith that the Internet will survive as a facilitator for Human Endeavor without a need for "Protection" and as your 10 year old probably really meant, hopefully there will never be a need for some centralized "Internet Police."

Tony Su




# re: Who protects the Internet?

Monday, January 03, 2005 2:38 PM by bradley

And WHO knows when the internet is down, where it is down and why it was down? Renesys! Check it out at www.renesys.com who not only tracks where it is down, but also has a large historical database of the problems. The CEO of Renesys was formerly with Bell Labs and has his Ph.D. in technology.