Musings About Computer and Network Security

Gary C. Kessler
October 2002


A version of this paper with the title "Computers, Networks and Security" originally appeared in the November 2002 issue of the Champlain Business Journal. Similar sentiments also appeared in Mich Kabay's Network World Security Newsletter.


I have been asked to share my thoughts about information security. The challenge of discussing such a broad topic in such a short space is in choosing just what thoughts to convey — and how to make that information immediately practical and useful for the reader. As I put my fingers to the keyboard, I realize that my current rant is that everyone, post-9/11, seems to now say that they recognize how important security is... yet few are willing to put their money where their mouth is. And for this reason, we continue to have — and will continue to have — security incidents and information at risk.

As it happens, nothing we do with respect to information security will eliminate all of the risks inherent with using computers and networks. At best, we can mitigate the risks and bring them down to an acceptable level.

But what is an acceptable level? Every network manager has to decide that for themselves and it will vary by industry, organization, perceived and real threats, the software in use, and many more factors. The point is that security is a balancing act.

Often the balancing act is between security needs and the culture of the organization. Some companies pride themselves on allowing the employees a great deal of freedom within the work place and that "freedom" is often extended to the network — even though most companies have a stated policy that the network is for business use only and that there should be no expectation of privacy for any network activity, including e-mail. Applications such as instant messaging (IM) and peer-to-peer services (e.g., KaZaA music downloads) are known to have security implications yet their use is allowed even though there is generally no good business reason for them.

This has been the subject of a recent debate amongst some information security managers on the InfraGard e-mail list here in Vermont. When IM software is blocked by a firewall, users often scream that they "can't do their job without it." But IM is used more for chatting than it is for bona fide work. And if there really is a business purpose for an IM-type tool — e.g., real-time communication with a customer while examining information in a database — why would you want to use software that exposes your business data to a possible security breach? Perhaps, instead, you should consider purchasing a secure version of the proper application rather than using non-secure (albeit free) software that only approximates the right functionality — and provides a significant exposure.

And that points to another balancing act, namely the specious argument about "productivity" versus security. Many companies use software products that they know are security nightmares — but they use them anyway, ostensibly for "user productivity." Consider the use of Outlook as an e-mail client. For what reason do so many sites use Outlook when it is known to be hard to secure, is rarely used in a secure fashion anyway, and is a major target of attacks? When one considers the features and functionality needed by most users, Outlook is not necessarily the best client nor is it the only software that provides a shared calendar function.

The same can be said about Microsoft's Internet Information Services (IIS) Web server software. IIS is neither the best nor the most feature-rich Web server — nor is it the only free one. It is, however, susceptible to the most HTTP attacks. So why are you using it?

There are a number of good reasons why Outlook and/or IIS might be the software-of-choice, but all too often I find that these applications are used for no other reason than that it is easy to do so. Or because they come recommended by a networking consultant — who also sells and/or supports this software.

Before anyone accuses me of using this space to bash Microsoft, let me say two things. First, I am not bashing them, I am merely reporting the headlines.

Second, and even more important, are the concepts of defense-in-depth and biodiversity. Microsoft has long claimed that the computer world and cyberspace would be safer with monolithic software — i.e., operating system, browser, and application suites all from the same source. But this flies in the face of best practices amongst security professionals.

Let me elaborate by way of example. Nearly everyone knows that they should use anti-virus software to defend against viruses and worms. Many sites employ anti-virus software at the mail server as well as on client systems. This is an excellent approach, yet viruses still sometimes make it through, particularly if the virus is newer than the anti-virus signature files.

I take a three-tiered approach to protecting myself from viruses. First, I use anti-virus software and update the signatures as often as possible. Second, I use an e-mail client that does not employ the main mechanisms of virus/worm transmission today — namely, the Microsoft Messaging Application Programming Interface (MAPI), the Microsoft viewer, and auto-execution of attachments or embedded code. Finally, I use personal firewall software that informs me when a new program is executing on my computer or trying to access the network. Using multiple approaches to defend against viruses is defense-in-depth.

As it happens, the three programs that I use are Norton Anti-Virus (with Automatic Live Update), Eudora, and BlackICE PC Protection, respectively. I mention these products not to endorse them but to demonstrate that the operating system and these three defensive software products are designed and coded by different vendors. This is biodiversity. And just as biodiversity protects forests and farm crops from the devastating effects of a species-specific disease, using multiple vendors for security products can protect computer systems and networks from a single vendor's weakness.

There are still many things to say but space is limited so I will end with these observations. First, information security is not an add-on to a network, project, or application — it is something that should be considered throughout the design and implementation phases. Second, security takes time and some money — but not as much as some would make you think!

Finally, a widely-stated mantra in the security field is that "security is a process not a product." Even if you have the best, most comprehensive security hardware and software available, it is soon useless unless it is maintained, updated, and integrated into the larger system.

Or, put another way, there are no secure sites on the Internet, only vigilant ones.


Gary C. Kessler is the Program Director of the Computer Networking major at Champlain College (http://neworking.champlain.edu/), Security Projects Director for the Vermont Information Technology Center (VITC, http://www.champlain.edu/corporate/vitc/), and chair of the Vermont InfraGard chapter (http://www.vtinfragard.org). He can be reached via e-mail at kumquat@sover.net. More information can be found at his Web site at http://www.garykessler.net.