A few ramblings about NT, C2, & O/S Security:
NT's C2 Security
Before people get too caught up in praising Microsoft for taking the right
step in providing a <chuckle> "secure" O/S, it is worth pointing out that
most professional O/S's are C2 compliant. (Even VMS version 4.4 was C2
compliant if I'm not mistaken - and that was about a decade ago). Microsoft
is *not* setting the pace - they are trying to catch up to the point where
most serious O/S vendors were a *long* time ago.
C2
A little clarification about "C2" ratings. C2 only means that the system
has some nifty features added to it which make it capable of being
(relatively) secure. It does NOT mean that the system is secure (by a
long shot).
General O/S Security
It is *very* important that you are aware that vendors of COTS (Commercial
Off-The Shelf) Operating Systems do *NOT* ship their systems secure OOTB
(Out Of The Box). (Before Harris & Secure Computing get their fur ruffled,
I am referring to systems which have user accounts on them and not
firewalls). 8^)
It is also important to note that unless the system mangler/admin spends
time securing the system, it is very likely that the system will be easy
to crack. NB, I have often recommended to major computer manufacturers
that they deliver their systems secure OOTB. Sadly, these recommendations
have fallen on deaf ears and we are stuck with the security nightmare that
is prevalent in most MIS departments today. 8^(
OTOH, the lack of attention to security issues by s/w vendors is a boon
for security consultants like myself, so I probably shouldn't complain
too much. <grin>
[wishful thinking mode on]
One thing that would be nice would be tougher product liability laws
regarding software (and the security aspects thereof). It would only
take one or two successful cases to shake up the industry enough to
have them finally do the ethically right thing - deliver secure systems
(which work and are usable OOTB).
[wishful thinking mode off]
Perhaps one day, the vendors' marketing departments will seize the
opportunity and recognize that security can be made an additional
selling advantage. When this happens, perhaps systems will be
shipped secure OOTB. Until then, hackers will continue to have a
field day. <sigh>
BTW, I did a cost-analysis study for one company which indicated that
having the vendor deliver secure systems OOTB (instead of insecure ones)
would have resulted in a cost savings of @40,000+ man-days/year - minimum
(it was a very large organization). Most companies could use that kind of
savings.
Best Regards,
Frank
Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec
<standard disclaimer>
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.
Fortified Networks Inc. - Information Security Consulting Phone: (317) 573-0800
http://www.fortified.com - Home of the Free Internet Firewall Evaluation Checklist