Another View: Good good guys or bad good guys?
- By William H. Kirkendale
- Mar 17, 2004
William H. Kirkendale
On the information security battlefield, the conventional wisdom is that the bad guys'criminal hackers'will always be a step ahead.
A new dynamic has emerged, however, driven by money and old-fashioned capitalism. Security vendors'the good guys'are in hot pursuit of exploitable vulnerabilities. The question is, is their white-hat activity doing us any good? Not necessarily.
On Feb. 10, Microsoft Corp. released a patch for a gaping hole in Windows NT, 2000, XP and Server 2003. An attacker who successfully exploited the vulnerability could remotely install programs, change or delete data, or create new accounts with full privileges.
In its security bulletin announcing the vulnerability and safeguard measures, Microsoft expressed thanks to eEye Digital Security of Aliso Viejo, Calif., for discovering the hole. EEye, one of many security companies that have set up R&D departments to expose vulnerabilities, kept quiet long enough for Microsoft to develop the patch.
In the eyes of management, being able to offer exploit identification 'separates the men from the boys,' said Thomas Brennan, president of Data Safe Services, an eEye partner in Whippany, N.J. 'But people should understand that after a vulnerability like this is discovered, there is always a rise in malicious activity.'
Other security product and service vendors are working around the clock to be the next to announce a security flaw with wide impact'whether the flaw is in software from Microsoft, Cisco Systems Inc., IBM Corp. or Sun Microsystems Inc. The security vendors hope to maximize their stature with CIOs, security officers and senior decision-makers.
A discovery by one of these so-called white-hat hackers works well for the big software vendors because they are not caught with their pants down. And it's a huge PR win for the white hat.
But it's causing government agencies a monster security patching problem.
Only four days after the Microsoft announcement, a denial-of-service exploit began circulating, according to the SANS Institute's Internet Storm Center, at www.sans.org. Attacks are certain to follow. The Homeland Security Department's www.us-cert.gov site issued an advisory along with the solution: Apply the patch.
Sounds simple, but it keeps IT staff working endlessly, often having to visit each individual machine. Microsoft offers a free push service for patching, but that applies only to Microsoft products. And some patches cause side effects on other software, which means the patches must be tested before installation.
Although DHS and agency IT departments are evaluating commercial products to streamline patch management, it remains daunting.
The latest Microsoft vulnerability was there all along and could have been found by criminal hackers. On the other hand, those with criminal intent now need look no further than the latest announcement to prey on computers that haven't been updated.
For all intents and purposes, the good guys have shown the bad guys how to compromise our data. It appears that what the good guys did was good ... and bad. William H. Kirkendale, a certified information systems security professional, is principal security consultant for Choice Information Security of Pittsburgh.