Security is not an "optional extra". That is obvious, so why am I bothering to mention it? Because there are so many cases where security is left out for various reasons.
"Let's get it running first, then make it secure"
This is the pioneering attitude that has produced a lot of the Internet as we know it. It is a great way of moving forwards when trying to develop TCP/IP on isolated networks, or inventing the World Wide Web in a European nuclear physics research institute; it doesn't matter when experimental systems are unreliable. However, production systems should be better. Too often, the move to a more secure version is delayed, and, as it is delayed, it becomes a more difficult and complex problem. We face a slow move towards IPSec and IPv6, and SSL is still not used everywhere it should be.
It is more difficult to understand why the same attitude is accepted for systems that were always intended to be production systems. Open email relays and web servers exhibiting old vulnerabilities fall into this category; the installer or administrator seems to assume that, because it works, their job is done. There would be far fewer high-profile webpage defacements, and much less spam, if lockdown were a standard part of installation.
Unfortunately, application developers may require operating systems to be configured less securely. For example, Windows 2000 has many restrictions on members of the Users group (intended for ordinary users), preventing them from changing registry settings or deleting important system files. However, many "legacy applications", including ones from Microsoft, require additional "Power User" rights that give them (or the viruses they may, inadvertently, be running) more freedom to damage the system. You can lock down Windows 2000 very securely, but you will get a lot of user complaints.
"The users cannot do that, so it is not a problem"
This attitude is usually a misstatement of a fact, "the users have not been given a way to do this", and the difference between them leaves an opportunity for an innovative ab-user. This gives us flaws like web "Shopping Baskets" that allow a user who understands cookies and HTTP to modify the prices charged to their credit card. The webpage forms that allow malformed input to result in arbitrary requests to a back-end database can be counted in this category too. Yes, the CGI application should have validated the input and handled potentially dangerous characters, like ', " or ;, but there should be defence in depth. Why should a CGI script have user rights in the database to do anything it likes, including listing all credit card numbers? It does not need the rights, but often it will have them, because it is easy, and the script does not give the users a way to do it.
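The defence in depth argued for above, as an added example that is not part of the original article: the basket total is computed from server-side prices with a parameterised query, and the connection the script uses is not allowed to read the card table at all. SQLite's authorizer callback stands in here for the account rights a database server would grant; the table names, SKUs and card number are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: a catalogue the shop needs and a cards table it does not."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (sku TEXT PRIMARY KEY, price_pence INTEGER);
        CREATE TABLE cards (holder TEXT, pan TEXT);
        INSERT INTO products VALUES ('BOOK-1', 1999), ('MUG-7', 650);
        INSERT INTO cards VALUES ('A. Customer', '0000-0000-0000-0000');
    """)
    return db

def restrict_to_catalogue(db):
    """Least privilege: after this call the connection may only SELECT from products."""
    def authorizer(action, table, column, dbname, source):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and table == "products":
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY  # every other table and every write is refused
    db.set_authorizer(authorizer)

def basket_total(db, basket):
    """basket is client-supplied (cookie or form); any price it carries is ignored."""
    total = 0
    for item in basket:
        qty = int(item["qty"])
        if not 1 <= qty <= 100:
            raise ValueError("quantity out of range")
        # The SKU is bound as a parameter, so quote characters are only data.
        row = db.execute(
            "SELECT price_pence FROM products WHERE sku = ?", (item["sku"],)
        ).fetchone()
        if row is None:
            raise ValueError("unknown product")
        total += row[0] * qty
    return total

def can_read_cards(db):
    """True if this connection is able to list card numbers."""
    try:
        db.execute("SELECT pan FROM cards").fetchall()
        return True
    except sqlite3.DatabaseError:  # raised as "not authorized" when denied
        return False
```

Even if the input handling in `basket_total` were wrong, a connection passed through `restrict_to_catalogue` still could not list the `cards` table, which is the second layer the paragraph asks for.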
"User education is a waste of time"
This attitude points at the many mistakes that users make, and claims that, because users continue to make mistakes, they are incapable of learning and therefore cannot be trusted with any aspect of security. An alternative attitude that is functionally equivalent claims that we are responsible for security, and if we ask the users to learn something to protect themselves, we have failed: users should not be required to learn about security. User education, however, is an essential part of information security management. Without it, users will be very inventive at circumventing protective measures; they will be your worst enemy. Education can change them into your best ally.
Security, then, is not optional. It should be considered and built in from the earliest stages; unlikely attacks should be considered and defence in depth implemented; and the users should understand their part in security and be taught to fulfil their responsibilities.
EICAR Conference
This year, the European Institute of Computer Anti-Virus Research conference was held in Berlin at the Forum Hotel. This was the eleventh EICAR conference, and also the first time they held a Doctoral Consortium. This idea of Tugkan Tuglular was an innovation aimed at helping M.S. and Ph.D. students produce Anti-Virus or e-Commerce related theses, and to enter the job market. The seminars in the Consortium included the hot issues in computer security research, general advice on Ph.D.s, and the opportunity for the students to discuss their projects.
Interesting aspects of the EICAR conference are its academic leaning, now strengthened by the Doctoral Consortium, and its involvement with European Community initiatives, including the EC Convention on Cyber Crime.
AVAR Conference
The fifth Anti-Virus Asia Researchers (AVAR) Conference will take place in Seoul, Korea on 21 and 22 November 2002. This year, the papers include reports from China and Japan, an outsider's look at the state of protection in Asia, a new virus naming convention, and others ranging from the highly technical to management concerns.