CyberSecurity Institute

A plan is under way in the ever-evolving National Cyber Security Division of the DHS to extend the tenure of Andy Purdy, the group’s interim chief, and augment the position with a part-time outside consultant with direct ties to the private sector. The move, observers say, would enable the division to tackle head-on such prevalent issues as security vulnerability.

The effort is the result of a power vacuum created when Amit Yoran resigned last month as NCSD director. Subsequently, Purdy, one of Yoran’s deputies, was appointed interim director of the NCSD. It now appears that top DHS officials are content to leave him in that position for now and, contrary to early reports, are in no hurry to find a permanent replacement for Yoran.

Purdy, a longtime veteran of federal government service, is known for his ability to work inside the Beltway and get things done—a skill vital to moving the National Strategy to Secure Cyberspace forward, insiders say.

“That is a solid move,” said Alan Paller, director of research at The SANS Institute, based in Bethesda, Md. “They wouldn’t have done that if they were going to bring in someone else right away.”

But Purdy will not be going it alone. Howard Schmidt, former chairman of the now-defunct President’s Critical Infrastructure Protection Board and now chief security officer at eBay Inc., is working with US-CERT as a consultant to the DHS and will be advising Purdy and others.

Schmidt, who also served as Microsoft Corp.’s chief security officer and is a former federal agent, is among the more respected members of the security community, both inside Washington and in the private sector. His involvement with the DHS will be indirect and on a part-time basis, but his presence gives the department a trusted conduit into the private sector, a necessity to implement its strategy.

One area where cooperation with the private sector is key is in the effort to reduce vulnerabilities.

http://www.eweek.com/article2/0,1759,1677370,00.asp?kc=EWRSS03119TX1K0000594

“Enterprises are more exposed than a year ago.The hackers have won!” said Eli Barkat, managing director of venture capital firm BRM Capital, who has been involved in investing in security firms. Barkat cited a lack of innovation in the security industry as why the situation has not improved.

Mike Dalton, president of McAfee in Europe, the Middle East, and Africa, agreed that the security situation is dire, but said that innovation was not necessarily the roadblock. A major problem is a lack of integration in security products, he said.

And while all the experts predicted further consolidations among security companies, that will not necessarily lead to more comprehensive, integrated products, they said. “Today the security business is very diverse and very complex,” said Phillip Dunkelberger, president and CEO of encryption company PGP. “You have four or five different point solutions and they don’t all work together.”

Yanki Margalit, president and CEO of digital rights management provider Aladdin Knowledge Systems, agreed that enterprises are more exposed than ever, but did not put the blame squarely on security companies’ shoulders. There are so many threats,” Margalit said. Part of the remedy would be widely available tools that help developers check the security of the applications they are building, commented Barkat, adding that he hopes Microsoft takes a leading role.

On the subject of the software giant, the experts were divided on the work the company is presently doing on the security front. “Microsoft is clearly not doing a good job at security. Most people in this room who work in security have their jobs because of Microsoft,” Dalton said. They did a horrible, terrible job (in the past) but now they are serious. I believe that they will be a very strong security player and force the rest of the industry to be niche players,” Margalit said.

While the speakers gave no clear direction on the path the industry needs to take to truly alleviate companies’ security woes, they did have some words of advice.

Invest in integrated security products and avoid security appliances whose architecture changes after a few years, Barkat said.

Forget about white lists, which normally refers to a list of e-mail address from which you agree to get mail, thinking they are safe.

You will fail if you try to define everything you can do, Margalit said.

“We need to get out of the defense mode and allow companies to go on the offensive,” Dunkelberger said.

Despite the various opinions, on one point at least everyone seemed to agree. “The existing security situation sucks,” Barkat said, to resounding nods from attendees.

http://www.nwfusion.com/news/2004/1012etreent.html

Among the more than 20 patches that Microsoft released Tuesday, none were for the aged operating system, which saw its security fix support end June 30, 2004.

Microsoft will only release free fixes for OSes like NTW4 when a vulnerability is actively exploited on the Internet.

“Microsoft is being shortsighted in not publicly releasing fixes for critical holes in NTW4,” wrote Gartner analysts Michael Silver and Neil MacDonald in an advisory published. “[It] risks a public-relations nightmare if an attack based on the unpatched vulnerability shuts down a major corporation or government agency.”

The pair urged that Microsoft “set a higher standard for the security support of older products” by extending fixes to NTW4. That’s doable, they added, since such fixes are already available.

Companies that have signed $200,000 custom support contracts with Microsoft receive security patches on older, non-supported operating systems. “Microsoft has already developed NTW4 patches for customers that have paid for custom support,” Silver and MacDonald wrote.

“But [it] says it does not want to give users a false sense of security by breaking its policy and releasing these fixes publicly.”

Microsoft should rethink that policy, the pair concluded.

http://www.techweb.com/wire/security/50500146

The bulletins aim to patch a total of 22 newly discovered vulnerabilities — a new record for the software maker’s monthly Patch Tuesday program, according to a Microsoft spokesperson.

Experts said IT managers should act fairly rapidly in getting the patches tested and deployed, because any number of the vulnerabilities — especially those that affect Internet-facing systems — could be quickly exploited by newly created or updated network intruders.

Mark Loveless, lead security researcher at the BindView Corp., a Houston-based security and patch management vendor, said he’s not trying to be an alarmist when he suggests that admins act fast in deploying the patches. It’s just that the time it takes from the discovery of a bug to the introduction of a virus or worm that exploits that bug has narrowed considerably in recent years.

Patch Tuesday — or Black Tuesday, as many administrators have taken to calling it — is the second Tuesday of each month, when Microsoft releases the newest fixes for its Windows operating system and related software.

The bulletins released on the most recent patch cycle affect Windows NT, XP and Server 2003, as well as the Excel and Internet Explorer applications. Microsoft on Tuesday also re-issued patch MS04-028 from last month, outlining critical vulnerabilities in the way some applications read and display .jpg picture files.

Loveless explained that the vulnerabilities most likely to be exploited are those that affect public or Internet-facing systems. These include, but are not limited to, the newly discovered vulnerability within the Network News Transfer Protocol (NNTP), a potential exploit within the Windows Server 2003 SMTP (Simple Mail Transfer Protocol) component, and a flaw in NetDDE, which allows different applications to share documents across computers.

They suggest that IT managers take the commonly recommended steps of prioritizing, conducting a risk assessment and testing out all of their non-Microsoft applications for compatibility with the new patches prior to mass deployment.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1015690,00.html