Security Q&A: Are Companies Doing All They Can?
information invited a few key technology suppliers to the financial industry to respond to some of the questions on the BITS/Financial Services Roundtable wish list.
Two financial-industry consortia, BITS and the Financial Services Roundtable, in April issued a software-security policy (http://www.bitsinfo.org/bitssoftsecuritypolicyapr04.pdf) that lays out specific steps their members would like IT vendors to take to improve the security of the products they sell. The recommended actions deal with software design and testing, the upgrade and patch process, support for older products, communication of software vulnerabilities, and specific requests for features such as automatic patch management and the ability to roll back, or uninstall, a patch that's been deployed. information invited a few key technology suppliers to the financial industry to respond to some of the items on the BITS/Financial Services Roundtable wish list.
The Questions:
Question 1: Has your company made available patch guidelines that include instructions on what to do in the event of a business or security crisis?
Computer Associates: Yes.
Cisco Systems: Yes.
Microsoft: Yes. See Microsoft's patch management guidance at http://www.microsoft.com/technet/security/guidance/secmod193.mspx. Additional information, guidance, and training are available at http://www.microsoft.com/security/guidance/default.mspx and via the Microsoft Security Guidance Kit CD orderable from the same site.
Oracle: Instructions for specific security incidents are included with security alerts issued by Oracle. Oracle's patch guidelines also include workarounds, when available, that can be used to mitigate known threats before or in lieu of patch application.
nLayers: No. nLayers InSight is a passive appliance, which in no event can cause a business or security crisis.
Hewlett-Packard: No. We give security bulletins that are broadly distributed, with security impact information, but do not address business-continuity issues in those documents.
Entrust: Yes. Our Security Bulletins are created in response to business/security crises and include full instructions on patch application. As a proactive measure, Entrust provides 24 by 7 by 365 support, which allows customers to raise critical (high-severity) reports to Entrust. These reports are acted upon immediately.
Question 2: Do your patches include an automated back-out capability?
Computer Associates: Yes. Some patches generate changes in configuration that cannot be changed through a "back-out." In these situations, we provide routines to return systems to their previous state.
Microsoft: Microsoft installers allow patches to be uninstalled. Whether a specific patch can be uninstalled depends on the specifics of that particular patch.
Oracle: Question is unclear.
nLayers: No.
Hewlett-Packard: In general, yes.
Entrust: Yes.
Question 3: Will your patches work without rebooting the system?
Computer Associates: Whenever it is possible to apply a patch without a reboot, we provide that capability. Depending on the operating system, there are changes that can only be completed by performing a reboot.
Cisco Systems: It depends on the specific product and on the specific vulnerability as to whether it requires a reboot.
Microsoft: Many patches do not require a reboot on patch install. Microsoft has made progress on reducing the number of patches that require reboots and is working on technology to do in-memory patching of the operating system and smarter installer technologies to minimize the percentage of patches that require reboots. For more information see http://www.microsoft.com/technet/security/topics/patch/patchmanagement.mspx.
Oracle: Some patches can be applied "hot," while other patches may require system downtime, depending on which components are affected.
nLayers: Most of them.
Hewlett-Packard: This may not be a yes/no type of answer, because many flaws that are deep in the system or affect system files will require a reboot, and that may not be avoidable.
Entrust: Yes.
Question 4: Do you notify key customers of security vulnerabilities prior to the general public?
Computer Associates: Yes. We provide priority notifications to key customers immediately prior to sending the release.
Cisco Systems: Yes; we provide scripts in many cases, not all. It depends on the vulnerability.
Microsoft: Microsoft does not make information about security vulnerabilities available before the release of security bulletins.
Oracle: Oracle notifies all customers of security vulnerabilities at the same time, via a security alert that includes a description of the issue, severity, products affected, workarounds if available, and patch availability. We believe that all customers' systems are worthy of the same level of protection, and thus all customers should be notified at the same time.
nLayers: Yes.
Hewlett-Packard: No. All customers are informed at the same time.
Entrust: Yes.
Question 5: Do you provide an automatic, user-controlled patch installer?
Computer Associates: Yes.
Cisco Systems: Yes; we provide scripts in many cases, not all. It depends on the vulnerability.
Microsoft: Microsoft provides the MSI (Windows Installer) for applications and the Update.exe installer for operating system components. Both have command line access and can be invoked by a user.
Oracle: Yes. Patch application is usually fully automatic (no additional manual steps beyond running the patch tool itself).
nLayers: Yes.
Entrust: Yes. Each patch uses a "wizard" style installer.
Question 6: Do you conduct independent security audits of your patch-development and patch-deployment processes?
Computer Associates: Yes.
Cisco Systems: Yes. We have an independent group, separate from the engineering team, that goes and checks patches. It's an independent security assurance group.
Oracle: Oracle has a formal policy for security bug handling that includes the requirement for producing and testing security patches.
nLayers: Yes.
Entrust: Yes. Internally, Entrust has an independent Security Assurance Team, which audits product life-cycle development and deployment processes, including verification of the products and patches themselves. Externally, Entrust's Security Assurance Process allows for third-party security evaluations, specifically Common Criteria EAL 3+ and 4 evaluations (Common Criteria being more process-oriented than FIPS 140-2 validation or the UK CESG program). In addition, Entrust allows customers to audit products and deployment processes upon request.
Question 7: What other steps is your company taking to address security concerns raised by your business customers?
Computer Associates: We perform application security reviews as a part of our development life cycle and build security into the product from design through quality-assurance testing. Reviews include tests of database access calls, network access controls, and application design and code.
Cisco Systems: Cisco has been working hard with standardization, such as with its Network Access Control technology (which checks on the security state of end points), and will also expand to check additional authentication credentials. Cisco would like a standard way to do this and is targeting the IETF standards body as one of the standards bodies to make the proposal. Cisco SAFE Blueprint is an ongoing effort to help educate the consumer community about best security practices and how to configure a network to increase its security posture. And we also offer services to go out and audit networks, and we train partners to do this as well.
Microsoft: Microsoft remains committed to building software and services that will help better protect our customers and the industry. Security is an industrywide issue and although there is no one solution, our approach to security spans across both technology and social aspects. In technology, we're focused on: building greater isolation and resiliency into the computing platform; providing customers with effective, advanced updating; enabling new business scenarios through integrated authentication, authorization and access control options; improving quality by enabling engineering excellence. Spanning across the efforts in these four technological categories is our underlying commitment to delivering prescriptive security guidance, supportive tools and responsiveness. This involves helping both business customers and consumers to be both aware and empowered to help make their IT environments, their PCs--and by extension the Internet at large--more secure.
Oracle: Oracle has a formal development process that addresses security during requirements, design, and test phases. We have formal coding standards for security that address application security vulnerabilities, we have an ethical hacking team that conducts penetration tests and product assessments on selected modules, and we conduct extensive training on secure coding practice across development organizations. We believe that security must be part of the development culture to be effective, and we continue to enhance our development processes to embed security through every phase.
nLayers: Other than using third-party security audits, nLayers took the following steps: We run a firewall service and hardened Linux on the appliance. We made sure that no specific transaction is stored on hard disk. The detailed data is processed in live memory, and only aggregated information that does not include Social Security numbers or login information is stored in the database. This way, even if the appliance was penetrated or stolen, there's no valuable information on it.
Hewlett-Packard: Each issue raised is given careful consideration, and represented to the product team by HP's Software Security Response Team. That group works closely with our customers to ensure that any issues they raise are given careful consideration. In addition, as a company, HP is taking a proactive stance in security management by delivering best practices and creating new technologies and processes that detect vulnerabilities, assess risks, and have the ability to adapt and respond to new threats.
Entrust: Entrust has been working with its customers to highlight that information security is no longer a set of technical issues to be addressed by the company CIO, but a corporate-governance and management responsibility held by the CEO and board of directors. As such, investment and risk assessment must be addressed through a management lens versus solely a technical lens. Today's security implications, while too often vague, are inevitable and potentially catastrophic to operations, shareholders, customers, and, ultimately, your brand.
Increasingly, corporate and government executives are facing the challenge of how to continue to leverage the Internet for productivity gains and cost efficiencies, while at the same time protecting the critical information assets, brands, and public trust that the online applications can be vulnerable to. Through a series of town-hall meetings and engagement on the public-policy front, Entrust has been working to make the business case for information security audits, risk assessment, and reporting, and having these processes incorporated into companies' overall corporate-governance programs. Additionally, Entrust has established a service for our customers to engage this process immediately.
The needed security technologies exist. Industry does not need to orchestrate the information age equivalent of the Manhattan Project, but senior management and boards of directors must be engaged or they risk becoming vulnerable to a host of uncertainties in terms of liability, increased regulation, and brand erosion.