Sunday, May 16, 2021

Bashing IIS: Bad For Security, Bad For Business

One of the debates to spring up in the wake of September
11’s terrorist attack on the World Trade Center is how, and indeed whether,
to rebuild the destroyed symbols. Should they be replaced on the same massive
scale as the originals or with a renewed design? Should the center of world
capitalism be reconstituted at all, or should lower Manhattan be transformed
into a memorial park, human-scale and without commercial purpose?

For the most
part these questions are healthy, but if there is a paranoia to guard against,
it’s an echo of “the bigger they are, the harder they fall” heard in some pundits’
musings about whether the towers’ collapse heralds the end of the Age of Skyscrapers.
Implicit in this argument is the sense that ostentatious success deserves to
be punished, so the successful had better keep a low profile.

This is called blaming the victim, and it’s a dangerous capitulation to the
real bad guys, who after all are the people who knock down buildings and not
those who build them. It doesn’t matter that in the case of the twin towers
the victim happens to be rich beyond the dreams of Croesus. Leveling the playing
field is one thing, and vigorous debate about urban architecture and economics
is a perquisite of freedom. But laying low to appease terror is something else
again.

Asking for it?

Which brings us to Microsoft-bashing in the wake of recent cyber-terrorist
attacks on the Internet. After two self-propagating worms – Code Red in August
and Nimda in September – afflicted thousands of Microsoft Web servers, a
well-connected IT analyst issued an advisory criticizing Internet Information
Server (IIS) and recommending that companies running it switch to alternatives,
notably Sun Microsystems’ iPlanet Web server. Shortly afterward, Sun began citing
this recommendation on its iPlanet Web site and discounting its Web server to
take advantage of anti-Microsoft sentiment.

What’s wrong with an analyst asserting his opinion and a vendor leveraging
it to gain competitive advantage? Two things, in this case. First, the analyst’s
opinion is unfounded and, as it happens, flat-out wrong. We’ll get to that in
a moment. But even if it had a modicum of merit, steering the market away from
Microsoft in the wake of cyber-terrorist actions would be grossly wrong-headed,
as the following sequence should make clear:

“You got hit by Code Red? Guess you shouldn’t have been running IIS.”

“You got mugged? Guess you shouldn’t have been walking through Central Park.”

“You got raped? Guess you shouldn’t have been wearing that dress.”

The appropriate response when a crime has been committed is to support the
victim and punish the perpetrator. In the case of cyber-attacks, the crime is
against the Internet and free communications generally, with the potential to
erode confidence in e-Business and depress the economy long-term. Scapegoating
and opportunism are outrageous responses to such a threat. The right response
to Code Red, Nimda and other computer crimes is for the community of good-willed
professionals to close ranks and work together to ensure network integrity.
And integrity begins at home.

Lies, damned lies and statistics

As it turns out, besides being mean-spirited, the charge that Microsoft products
are somehow to blame for the Internet’s security problems is demonstrably false.
Consider that the top 10 Internet security threats identified by the scrupulously
vendor-neutral SANS Security Institute have for years been distributed between
Unix and Windows systems.
In fact, if there is any lean in the stats it’s this: “Nine of the ten threats
apply to a UNIX environment.”

That’s right. According to SANS, the lion’s share of risk on the ‘Net is due
not to IIS but to Unix systems and the software layered on top of them. Not
that Microsoft is anywhere near clean; SANS hosts plenty of articles detailing
flaws in Windows software. But when they take the long view, Microsoft is not
the bad guy.

Not familiar with SANS? Try another vendor-neutral source: the FBI. In December
1999, the FBI’s National Infrastructure Protection Center (NIPC) issued
an alert concerning massed attacks on networks by machines infected with
a new class of Distributed Denial of Service (DDoS) software. The alerts cite
“known Sun RPC vulnerabilities” as the primary source of DDoS attacks. In May
2000 the NIPC identified additional DDoS exploits attributable to “Linux and
Unix computers” generally.
Yet any suggestion that users should abandon those operating systems and switch
to Windows would rightly be met with derision.

How about worms such as Code Red and Nimda – are they uniquely at home in the
digestive tracts of Microsoft systems? Far from it. According to a definitive
report by Carnegie-Mellon’s security clearinghouse, CERT, “Automated
attacks have historically targeted and leveraged vulnerabilities in UNIX-based
operating systems.” Thus this August, while Code Red was munching on Windows
PCs, a worm called “x.c” was exploiting a buffer overflow vulnerability in the
telnet daemon of FreeBSD-derived Unix systems, including Sun Solaris, IBM AIX,
and several versions of Linux.

Such tit-for-tat listings of the bugs in various software systems can go on
forever, but ultimately it’s a fruitless exercise. Every non-trivial program
has bugs. Given the complexity of e-Business systems and the demonstrated presence
of hostile forces hell-bent on damaging them, we can expect the number and sophistication
of attempted cyber-attacks to continue growing.

As with the WTC disaster, fear and the urge to scapegoat are understandable
reflex reactions. But we must not act on them. The necessary response, in the
case of cyber-attacks, is to support the victims and to raise the level of security
awareness and dialogue throughout the professional community. We all have a
stake in curing this problem, analysts by telling the truth and offering constructive
criticism, customers by diligently applying patches, and suppliers by resisting
the exploitative impulse and recognizing that in some areas a rising tide raises
all boats.

Scapegoating by self-interested parties who know better is especially ugly.
Don’t buy into the shameful opportunism of hucksters who stand to profit by
telling you Microsoft products are to blame for the Internet’s security problems.

Gordon Benett is a technology strategist with more than 16 years’ experience analyzing, architecting and developing information systems. He is currently with Aberdeen Group in Boston, where as a senior research analyst he follows the Enterprise Java and middleware markets. Gordon founded Intranet Journal in 1996 and remains a reader and contributing author. He welcomes your comments at [email protected].
