COE Feature
JOIN US IN THE MAKING IT TOGETHER ALLIANCE.
The strength of the global economy is contingent upon the vitality of the American manufacturer. Manufacturers of all shapes and sizes need to reinvent themselves and evaluate their markets. To help aid this process, Start magazine, in cooperation with other industry leaders and government figures will host their second Manufacturing and Economic Recovery Conference (MERC) this September in Chicago.
This event will develop a roadmap to survival in this tough economic climate and address how to overcome competitive hurdles, which will help manufacturers become more viable and profitable. The 3-day conference will consist of keynotes from industry experts, an awards ceremony, and plant tours around the Chicagoland area, among other things.
As part of our efforts to help you network and meet other manufacturers, Start magazine, with the help of others, has created the Making It Together Alliance. This Alliance is designed to help hard working individuals discover new ways of networking in the hope of exchanging new and creative ideas that will spark change. With your participation, together we can dramatically alter the manufacturing landscape, creating a stronger and safer tomorrow.
Now is the perfect time to join forces to forge even greater pathways to competitiveness and demonstrate THE POWER OF PARTNERSHIPS! Click here to discover how you can become part of one of the largest initiatives ever created to unite the manufacturing community. So, take the time now to join the Making It Together Alliance.
Business Processes and Best Practices for Maintaining System Security
Karl Schulmeisters, Technical Strategist, Microsoft
The earliest Computer Aided Design (CAD) systems ran in physically secure "glass house" machine rooms with limited access and dedicated operating technicians responsible for actively monitoring the reliability of the system. Data interchange between systems was done either by exchanging paper blueprints and drawings or by the exchange of tape reels between partners that trusted each other's environments.
As the focus of computing moved from mainframes to mini-computers, the paradigm of a limited access, physically isolated and centrally managed environment did not change very much. It was the advent of DARPANet (Defense Advanced Research Projects Agency Net), and FTP (File Transfer Protocol) that made the first changes to this model. However, to exchange data using FTP, you needed to know the machine address of the destination and you had to arrange with the administrators of that machine for an account. Individual users could not easily enable FTP services, nor could they set up accounts. So data sharing was still fairly secure, although with the advent of DARPANet, TCP/IP and FTP, the first malicious or intentional security violations began to occur.
Today, the software industry faces a very different world. The tools needed to program computers are more pervasive, radically easier to use, and the majority of computers today are not run from physically secure, centrally administered, limited access environments.
Furthermore, the business imperative for collaboration between partners often requires dynamic data sharing and interchange. We still use FTP, overnight paper documents and DVDs (the modern equivalent of tapes). But it is users, not administrators, who run these services and load the data onto their own machines. Users also use e-mail attachments, Internet portals, application sharing, instant messaging and data replication services. And, their personal workstations are highly connected to all the other servers and workstations in an organization.
These powerful tools of communication often are difficult to configure, precisely because the flexibility of these tools leads to complex interactions and often unclear security implications. The result is an industry-wide problem. No longer are "glass houses" with limited access and central monitoring sufficient to ward off security problems. In the last year we have seen news of security problems from all corners of the software industry, from Trojan horse viruses in source trees to Internet worms and viruses.
Part of the problem stems from the coding practices the industry's history fostered. These issues are being addressed to one extent or another by the industry directly. Texts such as Michael Howard's "Writing Secure Code" provide a roadmap which companies have used to retrain their developers. Some companies have even taken a very active approach -- such as Microsoft halting all new development in February of 2001 to retrain its developers in these techniques.
Secure coding practices are not sufficient. As long as software is developed by human beings, errors will be made. Similarly, as long as human beings maintain their diverse motivations, there will be some who try to exploit these mistakes.
This creates a race between the software developers and the hackers and requires that software developers release patches as vulnerabilities are discovered. In turn this leads to the challenge that by releasing patches, the developer provides the hackers with insight into the vulnerabilities of systems. In 2000, the time between the release of a patch for a previously unknown vulnerability and the existence of an "exploit" of this vulnerability was 47 weeks. Today that average is under 25 days.
The popular argument is that Windows is the problem, and that UNIX, Linux and other operating systems (OSs) are less vulnerable. In the recent Forrester study, "Is Linux More Secure than Windows?" the data suggests that this is an industry problem rather than a problem faced by any one particular vendor. While the mechanisms of vulnerabilities experienced are somewhat different, the ability to corrupt data, to escalate access, or to steal private data is a problem for all systems connected to other systems.
If the problems are industry wide, what are the solutions, short of unplugging the network wire and foregoing the very tangible benefits that our collaborative tools provide us with?
First and foremost is to recognize that security is not a goal or an end state. Security is a process that requires continual monitoring and maintenance. If you notice that a window in your house no longer latches properly, you repair it as soon as possible to prevent it from being a source of unwelcome entry. So too, users of systems need to apply the patches their vendors send them when they become available. It is not widely acknowledged that Microsoft released patches that countered all of the worms and viruses that have targeted Microsoft systems since the release of Microsoft Windows™ 2000.
The software industry has been diligently working on technologies that help to limit the exposure and impact of attackers. Some of the technologies available today are:
Firewalls - any machine connecting to the Internet should be protected by a firewall. Microsoft Windows clients offer a built in firewall for laptops and other personal machines that need to connect directly to the Internet. Future releases will enable the firewall by default, requiring the user to explicitly disable it.
Virus Scanners - a variety of companies provide active virus scanning solutions. These can be enabled to both periodically scan systems top to bottom, as well as to scan any new files, emails and attachments.
Password Policies - "Human Engineering" was one of the main methods the infamous hacker Kevin Mitnick used to gain access to systems. Password policies should include a minimum complexity requirement, periodic renewal (that prevents recycling of old passwords) and a secure business process for resetting the password (such as sending it via voicemail to the office telephone).
Public Key Infrastructure (PKI) - this is an encryption technology used by modern access management systems such as Microsoft Active Directory's Kerberos system. It is also at the core of security certificates issued by VeriSign, Microsoft and other certificate authorities. It is an extremely difficult to crack encryption mechanism that can be used as a building block for broader security.
IP-Secure (IP-Sec) - this is a method of encrypting TCP/IP network traffic using PKI to initiate a dynamic session encrypted using a less secure "symmetric" or "shared" key encryption. Symmetric key encryption takes less processing time than full PKI encryption, and allows for network traffic to be very secure with only a small performance overhead.
Directory based authentication - Directory services such as Microsoft's Active Directory provide a mechanism for authenticating users and systems securely and uniquely. They also provide a mechanism through which to apply and enforce the other security policies mentioned above. This circumvents the problems caused by users who feel they should be exempt from the hassle of security policies.
Patch Management Systems - Applying security patches can rapidly become both confusing and operationally distracting. To that end, various software vendors are beginning to leverage more formalized patch management and distribution systems. For Windows environments, most users are probably familiar with Windows Update, which notifies users that patches are available for installation. This still relies on users installing the patches.
Two other options that can be deployed in environments that need better control of their patch implementation policies are Microsoft Systems Management Server (SMS), which can push and remotely install patches on target systems and Software Update Services (SUS), which provides an easier to manage mechanism for providing a central repository within an organization for distribution of system updates. This latter tool is especially useful in a smaller environment where deployment of SMS is not cost effective.
As discussed earlier, computer system security is a process, not a single goal that can be achieved permanently. There are a number of best practices, that when taken in conjunction with some of the technologies discussed, will help keep your company's systems secure. Best practices include:
Exposure Limitation - Apply the STRIDE analysis criteria for evaluating risk exposure. Microsoft uses this as part of its internal analysis process:
- Spoofing Identity - An example of identity spoofing is when someone illegally accesses and then uses a user's authentication information, such as the user's username and password.
- Tampering with Data - Data tampering is the malicious modification of data. Examples include making unauthorized changes to persistent data, such as that held in a database, or altering data as it flows between two computers over an open network, such as the Internet.
- Repudiation - Repudiation threats are associated with users who deny performing an action when other parties have no way of proving otherwise. An example is a user performing an illegal operation in a system that can't trace the prohibited operations.
- Information Disclosure - Information disclosure is exposing information to individuals who are not supposed to see it. A user's ability to read a file to which he or she was not granted access and an intruder's ability to read data in transit between two computers are both disclosure threats.
- Denial of Service (DoS) - DoS attacks deny service to valid users, by making a Web server temporarily unavailable or unusable, for example. You must protect against certain types of DoS threats simply to improve system availability and reliability.
- Elevation of Privilege - In this type of threat, an unprivileged user gains privileged access and thereby has the ability to compromise or destroy an entire system. Elevation of privilege threats include those situations in which an attacker has effectively penetrated all system defenses and become part of the trusted system itself, a dangerous situation indeed.
Minimize Deployment Footprint - Software vendors such as Microsoft are now shipping systems with only the minimal services enabled. This reduces the "exposure footprint" that attackers can see. When deploying new services, users should only enable those services they need to facilitate their immediate needs.
Password Policies - Enforce the password policies you set. Do not allow users to keep their passwords written down in their office. Use the tools in your Directory Server to apply machine administrator policy to user workstations.
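The two password-policy items above (minimum complexity, periodic renewal and no recycling of old passwords) can be enforced in code; the following is an added example, not from the article or from any Microsoft product, and the policy values (12 characters, 90-day age, 10-entry history) are assumptions chosen for illustration:

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

# Assumed policy values for the example; a real directory policy sets its own.
MIN_LENGTH = 12
MIN_CHAR_CLASSES = 3      # of lower, upper, digit, symbol
MAX_AGE_DAYS = 90         # periodic renewal
HISTORY_DEPTH = 10        # previous passwords that may not be reused

def _complexity_errors(password):
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < MIN_CHAR_CLASSES:
        errors.append(f"uses fewer than {MIN_CHAR_CLASSES} character classes")
    return errors

def _digest(password, salt):
    # Old passwords are kept only as salted PBKDF2 digests, never in clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PasswordRecord:
    def __init__(self):
        self.history = []   # (salt, digest) pairs, oldest first
        self.set_on = None  # date the current password was set

def set_password(record, new_password, today):
    """Return a list of policy violations; empty list means the change was accepted."""
    errors = _complexity_errors(new_password)
    for salt, digest in record.history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_digest(new_password, salt), digest):
            errors.append("matches one of the previous passwords")
            break
    if errors:
        return errors
    salt = os.urandom(16)
    record.history.append((salt, _digest(new_password, salt)))
    record.set_on = today
    return []

def renewal_due(record, today):
    # Renewal is due when no password is set or the current one has reached MAX_AGE_DAYS.
    return record.set_on is None or today - record.set_on >= timedelta(days=MAX_AGE_DAYS)
```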
Digital Signing, Digital Rights Management (DRM) - Microsoft Outlook and other email products allow for Digital Signatures using PKI based certificates. The use of Digital Signing provides the recipients of emails a guarantee of the sender's identity. Rights management systems, such as Microsoft's Rights Management Services (RMS), provide an additional level of security by leveraging the XRML standard (http://www.xrml.org/) and the user's authenticated identity to determine the types of access a user may have to the contents of a document. DRM can be used to limit the lifespan of a document or email, its "reprintability" and even the ability to forward the document.
Enhance RAS Authentication using PKI Certificates - Public key certificates can be combined with devices such as SmartCards™ to provide extremely secure remote access sessions for those users and partners that need to connect from outside the network firewall.
Since security is an ongoing process, and one that Microsoft is committed to, customers and users will continue to see advances in system security. Some of the technologies that are being developed are:
Improved Patch Management - Microsoft and other vendors are committed to reducing the impact that implementation of patches has on running systems. Microsoft has set itself a target for reducing the number of patches that require reboots by 30%, in part by re-architecting how OEM device drivers will function in the Longhorn version of the Windows operating system.
Reduced Attack Surface - All vendors are working to reduce the "attack surface" (the number of interfaces that can be attacked on a system). With Windows Server 2003 Microsoft reduced the "Attack Surface" by 50% from Windows Server 2000 (according to an independent study by Ernst and Young), and with the release of Service Pack 1 for Windows Server 2003 and Service Pack 2 for Windows XP, Microsoft is committed to reducing the attack surface even further.
Machine Inspection and Quarantine - A common source of infection of machines behind the firewall is from machines infected outside of the intranet. These can be laptops, RAS machines or demo machines. Machine inspection tests the security settings on the machine when it connects and "quarantine" refers to keeping the machine logically isolated from the corporate network until all security and health tests have been passed successfully. Microsoft provides the basics of this functionality today in Windows Server 2003 and is committed to expanding this functionality further.
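The inspect-then-quarantine decision described above, as an added example that is not the article's or Microsoft's code: a connecting machine submits a health report, the report is checked against an admission policy, and the machine is held in quarantine until every check passes. The report fields, the policy thresholds and the sample machines are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class HealthReport:
    """What the connecting machine reports about itself (constructed fields)."""
    hostname: str
    firewall_enabled: bool
    av_signature_date: date
    missing_critical_patches: list = field(default_factory=list)
    domain_joined: bool = True

@dataclass
class AdmissionPolicy:
    """Thresholds a network enforces before admitting a machine (assumed values)."""
    max_signature_age_days: int = 7
    require_firewall: bool = True
    require_domain_join: bool = True

def evaluate(report, policy, today):
    """Return ("admit", []) or ("quarantine", [reasons...]) for one health report."""
    reasons = []
    if policy.require_firewall and not report.firewall_enabled:
        reasons.append("host firewall disabled")
    signature_age = (today - report.av_signature_date).days
    if signature_age > policy.max_signature_age_days:
        reasons.append(f"virus signatures {signature_age} days old")
    if report.missing_critical_patches:
        reasons.append("missing patches: " + ", ".join(report.missing_critical_patches))
    if policy.require_domain_join and not report.domain_joined:
        reasons.append("not joined to the directory domain")
    return ("admit" if not reasons else "quarantine", reasons)

# Constructed sample reports: a managed desktop and a laptop returning from a trip.
DESKTOP = HealthReport("desk-01", True, date(2004, 9, 13))
LAPTOP = HealthReport("lap-07", False, date(2004, 8, 20),
                      missing_critical_patches=["KB-PLACEHOLDER-1"], domain_joined=True)

def triage(reports, policy, today):
    """Map each hostname to its admission decision so a gateway can act on the result."""
    return {r.hostname: evaluate(r, policy, today) for r in reports}
```

A quarantined machine stays on an isolated segment that can only reach update and signature servers; once a fresh report passes, the same evaluation admits it.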
In summary, security is an ongoing business process, not an end state. No one system will provide better security than another unless appropriate technologies and practices are employed. The good news is that there are some practical ways to keep your data and systems secure and reliable and Microsoft and the rest of the software industry are committed to security as a priority.