
“The wave of the future is not the conquest of the world by a single dogmatic creed but the liberation of the diverse energies of free nations and free men.” — John Fitzgerald Kennedy

Sorry for not posting for a while. I was working on a post involving the Request Tracker (RT) software installation. I ran into a problem under Mac OS X, and had to backtrack in that section. The problem does not exist under FreeBSD, so I wanted to include both operating systems. That posting is still a work in progress until I have some time and can get back to it. Today’s post does tie in, for it was inspired by a recent article involving Mac OS X on an Apple Xserve.

It warms my heart this holiday season to see the Mac and PC guy exchanging a hug in the spirit of cooperation. That is what this post is about: bringing Macs and PCs together. Andy Greenberg, Senior Reporter at Forbes.com, reports in an article, “Apples For The Army,” that the US Army is shifting more of its IT infrastructure towards the Mac to thwart hacking attempts. The article quotes Lieutenant Colonel C.J. Wallington, a division chief in the Army’s office of enterprise information systems, as saying that the military is quietly working to integrate Macintosh computers into its systems to make them harder to hack. That’s because fewer attacks have been designed to infiltrate Mac computers, and adding more Macs to the military’s computer mix makes it tougher to destabilize a group of military computers with a single attack, Wallington says. To quote the article:

The Army’s push to use Macs to help protect its computing corps got its start in August 2005, when General Steve Boutelle, the Army’s chief information officer, gave a speech calling for more diversity in the Army’s computer vendors. He argued the approach would both increase competition among military contractors and strengthen its IT defenses.

Apple Mac OS X is not new to the Army. Apple’s Xserves have been running army.mil for a couple of years now. This story is getting press because of an upcoming release of software that will allow Mac OS X machines to work with the Army’s Common Access Card (CAC) smart card system. Wallington reports, “[The Army's Xserves] are some of the most attacked computers there are. But the attacks used against them are designed for Windows-based machines, so they shrug them off.”

This is not to give the false impression that there is an Apple on every desk in the Army. In fact, Wallington estimates around 20,000 of the Army’s 700,000 or so desktops and servers are Apple-made. He estimates that about a thousand Macs enter the Army’s ranks during each of its bi-annual hardware buying periods. The development of the software should help clear one barrier to Apple desktop deployment.

Jonathan Broskey, a former Apple employee who now heads the Army’s Apple program, argues that the Unix core at the center of the Mac OS makes it easier to lock down a Mac than a Windows platform. Whether you accept Broskey’s statement or not, it is certain that the Mac OS will face growing targeted attacks. An end-of-year data security wrap-up by F-Secure highlights the growing number of attacks targeting Apple systems with malicious software. To quote from the report, “at the start of 2007 — our number of malware detections equaled a quarter-million. At the end of 2007, the estimates are to be equal to half-a-million.” This graph demonstrates the rise:

[Figure: Malware detections]

The report goes on to state:

Windows Vista was on the horizon at the end of 2006 and the question was — would Vista be the end to malware threats? Not this year at least — The year 2007 ends with Windows XP still dominating the world’s installed base leaving Vista little opportunity to make an impact. The potential strength of Vista has not yet been tested in full force. And much of the malware in the wild running on XP machines is stronger than ever. We predict that the situation will not change very soon looking at Vista’s current sales.

The article does go on to state, “In the past two years, until this October, F-Secure found only a small handful of malicious programs targeting Macs. In the past two months, the company has found more than a hundred specimens of Mac-targeted malicious code.”

The article quotes Charlie Miller, a software researcher with Independent Security Evaluators, as stating that the Army’s diversification plan isn’t enough to thwart the bad guys. He sees a two-platform system as a “weakest link” scenario, in which a determined cyber-intruder will seek out the more vulnerable of the two targets. “In the story of the three little pigs, did diversifying their defenses help? Not for the pig in the straw house,” he says.

Now, neither Windows nor Apple could be considered a straw house. Both operating systems have their strengths and weaknesses. In the end, the question comes down to whether you believe diversification is a valid security tactic. This is a debate that has existed for a long time in security. Two often-quoted papers argue this point: “CyberInsecurity: The Cost of Monopoly” (PDF) and its counterpoint “The Flaw of Security Through Diversification.”

Generally, the arguments against diversification center on the difficulty and complexity involved in mitigating risks. Could not this same argument be applied to many approaches in security? Practicing defense in depth adds layers of complexity, which in turn adds to the level of security. With Christmas just past, maybe we all want to believe in Santa and an operating system that will never have any security flaws. Kids, read no further. In the world I live in there will be flaws. We can sit around hoping that some company will secure our operating systems and our networks so we can go back to the days when we could telnet in as root to our systems thinking we had no security concerns. Or we can face reality. Apple and Microsoft can help, but they can only be part of the solution. As we wage the war to secure our systems against very clever adversaries (not script kiddies!), our solutions become ever more complex. The only way to avoid it is not to play, and that is not really an option. We can say “No!” to the latest IT technological advancements. In so doing, we fail to capitalize on technology that can help our company/government be more productive. In a competitive world, that is not an acceptable solution. Life is complex and my prediction for 2008 is that it is only going to get worse.

I wish all good security professionals the best in 2008. May your future consist of understanding managers that realize mitigating risk is tied to complexity. For it will be the top managers that will determine what level of risk is acceptable. These wise men will know the true meaning of risk; namely that risk is “the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization”. With that determination of acceptable risk will come responsibility. My only other prediction for 2008 is that it’s going to be an interesting year. Happy New Year to all.
