Microsoft's Tipping PointBy Kim S. Nash | Posted 2004-03-05 Email Print
When do Windows security risks become too much to tolerate? Companies aren't surebecause they haven't been quantifying their security costs.As hackers continue to take shots at Microsoft business software, you'd think companies would analyze what it would cost to move other operating systems, such as Unix, Solaris or Linux.
But calculating the expense of such a move costs money as well. Cendant Hotel Group, which runs about 1,850 Windows servers, understands this. The hospitality-industry firm periodically calculates the cost to switch its 3,700 Linux servers to Windows. Last time around, 18 months ago, the expected tab was $3 million.
So Cendant didn't change a thing. "Everything starts with price," says David Chugg, senior director of hotel solutions at Parsippany, N.J.-based Cendant. "Then supportability. Generally we see [Linux servers] are easier to support."
One of the reasons the tab for running Windows is so high: the expected cost of dealing with attacks by hackers on the Windows operating system and related software. Those costs are thought to be more onerous than those for the Linux operating system, Chugg says.
That's the perception, anyway. Chugg and other technology managers may not really know. Chugg, for example, couldn't say exactly how much of the $3 million would have gone to security tasks such as patch management. And that's the rub. Companies have a tough time pinning down what they spend on security. Executives have security budgets for items like firewalls, network monitoring and authentication, but tasks such as Microsoft patch management and recovery from a worm or virus attack are often lumped in with regular maintenance costsif they are calculated at all.
Simply put, technology executives can't rely on financial fact to fairly determine whether they should minimize their exposure to Microsoft. The homework hasn't been done to quantify line-item costs of downtime or other effects of hacker attacks such as worms and viruses, says Mark Lobel, a senior manager at PricewaterhouseCoopers.
This, even though leaked Windows operating-system code lives on the Internet and spawn of the six-week-old Mydoom worm continue to infect computers running Windows-based software. Microsoft products, increasingly used for critical corporate applications, have suffered worldwide digital attacks steadily since the Nimda worm in 2001. Hackers continue to find vulnerabilities in Windows to exploit, even as Microsoft says securing its products is a top priority.
The greater the perception that Microsoft products are unsafe, however, the closer customers come to their threshold for tolerance of risk.
The lack of financial analysis won't last forever, if chief financial officers have a say. When evaluating the security costs related to Microsoft or any other vendor, technology managers should ask: How much time do systems administrators spend maintaining patches and monitoring intrusion-detection software? What does that time cost? Does patching take longer than installing a new operating system? If a hack attack has occurred, what time and resources did it take to mop up? How often does this happen each year? (See "What Security Can Do for You," June 2003, p. 82.)
One defense against hacks targeted at Microsoft is to diversify operating systems to balance your exposure. Linux generally is a less-expensive alternative that is often viewed perhaps erroneouslyas more secure, says Lobel.
The Weather Channel Interactive Inc. runs "a few" Windows servers amid 300 Linux servers and says there's no comparison regarding security, according to Dan Agronow, vice president of technology at the Atlanta company. "The number of vulnerabilities and the time-consuming nature of maintaining patches [in Windows] just doesn't make it," he says.
But rather than run from one system to another hoping to find something impenetrable, the better response, security consultants say, is for corporate customers to acknowledge the worm-a-week syndrome and swallow the responsibility to guard against it themselves.
"Companies need to continue to exert pressure on vendors. But in the same vein, they have to get over the fact that we're working with insecure products," says Matthew Caston, consulting director for the enterprise security group at American Management Systems.
Caston's bottom line? You're on your own.
Caston advocates some basic steps that are often ignored: Install the patches. Buy server operating-system updates. Activate antivirus software. Even those companies with large technology-security departments led by chief security officers don't fully track the security steps they've taken or the costs of those steps. They can't analyze whether what they're doing works or if it makes sense to try something new, Caston says.
In the meantime, "users need to willfully take responsibility for doing what the vendor tells you to do," PricewaterhouseCoopers' Lobel says.
Lobel remembers one client, after a round of Microsoft-targeted worms, studied whether to ditch Microsoft software or disconnect it from the Internet. The company opted for the latter because ditching the software and starting over with another operating system was, in its calculation, too costly. Instead, the company shielded its Microsoft applications with layers of Unix-based firewalls and authentication tools.
Companies can quantify their annual security budgets but a lot of security spending typically falls outside of the identified costs, Lobel says. Some of it is labeled basic infrastructure spending, while other portions may be buried in what systems administrators do for part of each day. Accurate cost allocation, he says, "is an art, not a science."
As for Microsoft, the company is pledging real security improvements. Two years ago, company chairman Bill Gates decreed that a new Trustworthy Computing initiative would make security first priority in Microsoft product development. Last month, Gates said in a speech that security is the biggest part of his $6 billion research-and-development budget and that Trustworthy Computing amounts to "many years of work, lots to be done, billions of dollars to be invested in it, but a very critical and worthy goal."
Certainly, making future Microsoft software bullet-resistant is necessary. But how far in the future is a critical issue to cost-conscious companies. The hacks are coming faster; the time between Microsoft revealing a software vulnerability and a related exploitation by hackers is decreasing (By the Numbers, March 2003, p. 96).
Map it out: Microsoft reported vulnerabilities in its Internet Information Server Web folders in October 2000.8 8The Nimda worm messed with those Web folders 357 days later. The Slammer worm appeared just 184 days after the July 2002 bulletin about problems in the SQL Server database. The time between Microsoft's July 2003 revelation of an Internet interface problem in Windows and the Blaster worm? 26 days.
Meanwhile, clumsy patch management from Microsoft can make matters worse. When Windows XP came out in October 2001, it came bundled with additional separate software to fix problems discovered before launch but too late to address in the core code. Since then, 30 additional megabytes of patches have been issued for XP.
And even Microsoft's hole-fix software can have holes. On Feb. 10, Microsoft revealed a "critical" vulnerabilityits highest threat ratingin a common file-library component in Windows. By exploiting that flaw, intruders can run code on unprotected XP and Windows Server 2003 systems. Companies with Windows NT servers, meanwhile, aren't affected unlessand here's the twistthey have previously installed certain patches for other, older problems.
Michael Cherry, an analyst at independent research company Directions on Microsoft, says Microsoft is doing an excellent job communicating security problems to customersbut not managing the fixes. "The weak area is still deploymenthow patches are installed," says Cherry, a former manager at Microsoft.
For instance, consumers are expected to go to Microsoft's Web site to download patches, but not all have broadband connections. "If you go into Fry's or CompUSA, you can pick up a marketing CD to show you how wonderful XP is," Cherry says. "Why can't they do that with a CD of patches? They have the wherewithal."
Microsoft's response to current patch frustrations is a "service pack" due this summer to address several issues. On the disk will be tools to track, for example, which patches are installed and which aren't and whether antivirus software is present and turned on. A more-secure version of the Internet Explorer browser and a new firewall to protect Internet-facing systems will also be included. Gates said in his speech that the service pack demonstrates Microsoft's commitment to security first, new product features second.
Still, customers are annoyed at Microsoft's tendency merely to fixrather than preventproblems, says an executive at a major consulting firm. "They say, 'Develop secure code. Don't give me an automated solution for patching your code after I've already bought it,'" he says.
Scott Charney, chief strategist for Microsoft's Trustworthy Computing plan, says the ultimate goal is better initial software. "We have a large installed base with software that was not designed with today's threat model in mind," he says. "You have to have R&D, coding, testing, getting software into market, adoptionit takes time."
Agronow of The Weather Channel Interactive says Microsoft is making the right noises about security.
He likens it to Microsoft's response to the Internet in the mid-1990s. Microsoft at first dismissed Web software. But when customers flocked to an Internet browser from Netscape Communications, a start-up company built on the ideas of a 24-year-old programmer, Gates noticed. Microsoft created its own browser and wrote support for Internet standards into all products. Gates initiated the turnabout with a companywide missive about the Internet tide and turned around the S.S. Microsoft behemoth to surf it. "If they put as much effort into that as they have into other initiatives, like the browser wars, they could win the security battle," Agronow says. "But it's not there today."
additional reporting By Deborah Gage and Larry Dignan