Security UPDATE--Another Perspective on OS Haste--July 26, 2006

A reader opines that more frequent OS releases give developers a better opportunity to respond to a rapidly changing threat landscape. Plus, get links to security news and other resources.

ITPro Today

July 25, 2006


PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

Surf Control http://www.windowsitpro.com/go/whitepapers/surfcontrol/securitystandard/?code=SECTop0726

SPI Dynamics https://download.spidynamics.com/1/ad/LD.asp?Campaign_ID=70160000000CYh4

CrossTec http://www.crossteccorp.com/TryASC/?utm_source=WinITPro&utm_medium=newsletter&utm_campaign=asc072606

CONTENTS

===========================================

=== SPONSOR: Surf Control

============================

Achieve compliance in today's complex regulatory environment, while managing threats to the inward- and outward-bound communications vital to your business. Adopt a best-practices approach, such as the one outlined in the international information security standard ISO/IEC 17799:2005. Download the whitepaper today to secure the confidentiality, availability and integrity of your corporate information!
http://www.windowsitpro.com/go/whitepapers/surfcontrol/securitystandard/?code=SECTop0726

=== IN FOCUS: Another Perspective on OS Haste

========

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I wrote about Microsoft CEO Steve Ballmer's comment, "Rest assured we will never have a gap between Windows releases as long as the one between XP and Windows Vista." My perspective was that longer release cycles often help with the security aspects of OS development, primarily because they provide more time to work on features and functions. I received a response from a reader who has a different perspective on release cycles.

The reader wrote that we might "be better off from a security [point of view] shipping [OS releases] more rapidly." The reader argues that "threats evolve quickly, and so must our responses. [Not to imply] that it is OK to turn out bad quality, but quick [OS upgrade turnaround times] give [developers] more flexibility to respond to changing conditions. [On the other hand,] it's hard to [create] really innovative stuff in short stages, so there also need to be some long cycles to accommodate [the truly creative aspects of OS evolution]."

He continues, "Here's another wrinkle to consider: If you go a long time between releases, upgrading becomes harder, and the [end users] stay on the old version longer. [It seemed like] it was going to take forever for people to migrate [away from Windows NT 4.0.] A lot of [the migration delay was] because it was a fairly long haul between NT 4.0 and Win2K, and there were a lot of changes [including] a whole new [user interface], a whole new administration model, etc. [Because of such dramatic differences, end users kept using] the old [OS] longer, which isn't good for security. [So it appears that] if we want to optimize for security, we need to shorten the upgrade cycle, not lengthen it."

The reader also offered some observations about Microsoft Office: First, Microsoft did a good job of upgrading the Office suite, including auditing the code to find faults that could have led to security problems. Because of the security focus placed on the Office suite, there weren't many vulnerabilities for roughly two years. However, the reader pointed out that a few significant changes took place in the security community in the meantime: "The attackers have a business model--vulns do sell for about $25K--and they're using some reasonably sophisticated fuzzers." (Fuzzers inject all sorts of data into applications to look for weaknesses.)

The reader's opinion is that effectively all the work Microsoft did on Office bought the company about two years of time. But, because of unforeseen developments in the realms of intrusion, Microsoft could have actually used three years of time without vulnerabilities because that's how long it's taking to ready the next release of Office. Therefore, "if the release cycle of Office were shorter, they'd be in a better defensive position, but then again, [Microsoft] can't [develop the really creative stuff, as seen in the new version of Office] on a short cycle."

So there you have it: A very different perspective from the one I presented last week. My thanks to the reader (who wished to remain unnamed) for providing an argument that makes a lot of sense.

=== SPONSOR: SPI Dynamics

============================

ALERT: "How A Hacker Launches A LDAP Injection Attack!" White Paper

It's as simple as placing additional LDAP query commands into a Web form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because LDAP Injections are seen as valid data. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!
https://download.spidynamics.com/1/ad/LD.asp?Campaign_ID=70160000000CYh4

=== SECURITY NEWS AND FEATURES

=======================

=== SPONSOR: CrossTec

================================

Are you spending too much time monitoring security logs? Activeworx collects event logs from all your security devices and vendors to provide a single Dashboard view along with correlated alerts; hundreds of compliance reports; and deep forensics tools. Easy to install and use. Free White Paper or Try Activeworx yourself - 30 minute Install & Free Tech Support.
http://www.crossteccorp.com/TryASC/?utm_source=WinITPro&utm_medium=newsletter&utm_campaign=asc072606

=== GIVE AND TAKE

====================================

SECURITY MATTERS BLOG: Who Is Connected to Your Systems?
by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters
WhoIsConnected is a nifty tool that lets you see what connections are open on your systems. The tool goes beyond the functionality found in Microsoft's staple Netstat command-line tool.
http://www.windowsitpro.com/Article/ArticleID/92722

FAQ: Security Assessment
by John Savill, http://www.windowsitpro.com/windowsnt20002003faq
Q: How can I perform a high-level security assessment of my company's computing environment?
Find the answer at http://www.windowsitpro.com/WindowsSecurity/Article/ArticleID/92696/92696.html

FROM THE FORUM: Network Drive Folders
A forum participant would like to hear the pros and cons of putting passwords on individual files that are shared among users in multiple locations around the country.
http://forums.windowsitpro.com/web/forum/messageview.aspx?catid=42&threadid=48424&enterthread=y

CALLING ALL WINDOWS IT PRO INNOVATORS
Have you developed a solution that uses Windows technology to solve a business problem in an innovative way? Enter your solution in the 2006 Windows IT Pro Innovators Contest! Grand-prize winners will receive airfare and a conference pass to Windows and Exchange Connections in Las Vegas, November 6-9, 2006, plus more great prizes and a feature article about the winning solutions in the November 2006 issue of Windows IT Pro. Contest runs through August 1, 2006. To enter, go to
http://www.windowsitpro.com/AWARDS/innovators_2006.cfm

TAKE THE WINDOWS IT PRO SALARY SURVEY
We need your help! Windows IT Pro is launching its third Windows IT Pro Industry Salary Survey, and we want to find out all about you and what makes you a satisfied IT pro. When you complete the survey (about 10 minutes of your time), you'll be entered in a drawing for one of five $100 American Express gift certificates. Look for the survey results--and how you stack up against your peers--in our December issue. To take the survey, go to
https://websurveyor.net/wsb.dll/12237/WITPSalarySurvey06.htm

SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS

=========================================

by Renee Munshi, [email protected]

More Security Events Managed Faster
eIQnetworks announced the general availability of Enterprise Security Analyzer (ESA) 2.5. eIQ says the performance of this latest version of its event management application has improved 100 percent: ESA 2.5 can process 15,000 events per second on one server and tens of thousands of events per second across multiple servers. ESA 2.5 also adds Oracle and Microsoft SQL Server event management, support for Payment Card Industry (PCI) guidelines, and compliance modules for major federal and industry mandates including Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), the Federal Information Security Management Act (FISMA), and the Health Information Portability and Accountability Act (HIPAA). The entry price of $7995 includes licensing for five devices and five hosts. For more information, go to
http://www.eiqnetworks.com

Tell Us About a Hot Product and Get a Best Buy Gift Card!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Best Buy Gift Card if we write about the product in a Windows IT Pro What's Hot column. Send your product suggestion with information about how the product has helped you to [email protected].

=== RESOURCES AND EVENTS

=============================

On average, enterprises spend $10 million annually on IT compliance. How much is your company spending? Learn to streamline and automate the compliance life cycle and reduce your costs today!
http://www.windowsitpro.com/go/whitepapers/scalable/compliance?code=0726featwp

=== ANNOUNCEMENTS

====================================

Invitation for VIP Access
Become a VIP subscriber and get continuous, inside access to ALL content published in Windows IT Pro, SQL Server Magazine, and the Exchange & Outlook Administrator, Windows Scripting Solutions, and Windows IT Security newsletters--that's more than 26,000 articles at your fingertips. You'll also get a valuable one-year print subscription to Windows IT Pro and two VIP CDs that include the entire article database and are delivered twice per year. Order now:
https://store.pentontech.com/index.cfm?s=1&promocode=eu2767uv

Save $40 off Windows IT Pro Magazine
Subscribe to Windows IT Pro magazine today and SAVE up to $40! Along with your 12 issues, you'll also get FREE access to the entire Windows IT Pro online article archive, which houses more than 9,000 helpful IT articles. This is a limited-time offer, so order now:
https://store.pentontech.com/index.cfm?s=1&promocode=eu2068uw

===========================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and the Windows IT Security newsletter (subscribe at the second URL below).

http://www.windowsitpro.com/windowssecurity

https://store.pentontech.com/index.cfm?s=1&promocode=eu255xsb

Subscribe to Security UPDATE at

http://www.windowsitpro.com/Email/Index.cfm?action=archive

Unsubscribe by clicking

http://list.windowsitpro.com/u?id=%%SUBSCRIBER_ID_TAG%%

Be sure to add [email protected]

to your antispam software's list of allowed senders.

To contact us:

About Security UPDATE content -- [email protected]

About technical questions -- http://www.windowsitpro.com/forums

About your product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

View the Windows IT Pro privacy policy at

http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
