eBay, Inc.

Headquarters: San Jose, California
Founded: 1995
Employees: 4200
Revenue: US$2.17 billion (2003)
Nasdaq: EBAY


Birthdate: 1949
Birthplace: Philadelphia, PA
Education: Univ. of Phoenix BSBA, MAOM
Married: Raemarie, forensic scientist, National White Collar Crime Center
Children: Two grown sons





Recognized worldwide as a leading expert on cyber-security, Howard Schmidt is vice president and chief information security officer for the global e-commerce provider eBay, Inc. In a career divided between public service and private industry, Schmidt has made tremendous contributions to improving security policies and procedures.

Schmidt joined eBay in 2003, after retiring from his White House position as special adviser to the president for cyberspace security. Before that, Schmidt was chief security officer at Microsoft. A recognized pioneer in the field of computer forensics, he has frequently testified as an expert witness in federal and military courts on computer crime and Internet activity. Gartner Fellow and vice president John Pescatore talked with Mr. Schmidt about the difficulties and progress of maintaining online security in an imperfect world.


Interview conducted July 2003


John Pescatore:

I want to start by focusing on the private industry side. You were at Microsoft, what — almost four years, five years?

Howard Schmidt:

Five years.

Pescatore:

And that was one of the most attacked domain names on earth. It was stocked with developers — the inmates wanting to be in charge of the asylum. Now at eBay, you've got this really important community kind of thing, and fraud amongst the community is probably one of the most important security issues. You've been there about three months now. How are the security challenges different at eBay than at Microsoft?



Schmidt:

As you might imagine, this is an industry issue, not any one particular company. So, I was not surprised when I got here to see the same things that I've seen happening at other places. At any online company that does financial transactions via credit card or user ID login, we see attempted fraud and identity theft. So, it's consistent at eBay.

Pescatore:

What seems to me to be different at eBay is the community model of rating people, so that you need enough formal security to help but not hinder. Isn't that a different kind of challenge at eBay?

Schmidt:

Well, it's different only in the respect that it is done in the online world. Think about going to a real-world shopping mall, for example. You wind up in some cases doing business with strangers initially, but eventually you develop a relationship.

There is some consistency between what we see in the online and the physical worlds, except that the first step is a little bit different. And that's the challenge, because online, that first step of engaging with someone is not in the physical world, where the customer has some real place to go back to.

Pescatore:

Right. And there is an additional piece to the transactions at eBay where the buyers and sellers can rate each other. When someone at Gartner talked with eBay a couple of years ago, there was a discussion about ways to create better authentication or identity kind of control. That seems to be where online communities need to be heading, right? Where there is some vouching for identities versus the current kind of anonymous rating model? Or is that anonymous rating model working?

Schmidt:

It seems to be working very well, as a matter of fact, and I think it's the new paradigm. You know the old adage: if you do something and somebody likes it, they'll tell one person, but if you do something and someone doesn't like it, they will tell ten people. That same principle applies in the online world.

Pescatore:

There has been some press on this and some large Gartner clients have asked us about brand spoofing or site hijacking. BestBuy and Sony are among sites that have been attacked this way. It seems that would be a big concern for eBay.

Schmidt:

That indeed is a very big deal. As a matter of fact, once again, this is an industry issue that we've been watching increase over the past few years when I was at Microsoft and earlier, when I was at the White House. There are two pieces to fighting this problem.

One is that you want to get the spoof site shut down as quickly as possible. But shutting it down can kill the ability to track down who the perpetrators were. So, it is just like any traditional investigation. You have to make some business decisions as well as some investigative decisions on how to handle the problem. But we've seen a tremendous increase all across the online world of this sort of fraud, as you cited, with BestBuy and Sony having problems as well now.

Pescatore:

One thing we keep running into — and have talked about with Microsoft for years — is the issue of strong authentication. Will we ever get beyond passwords? Microsoft was trying to move toward smart cards, a common access card first from the employees' side, and second from the customers' side. Does eBay see that in their future?

Schmidt:

Well, it's one of the things, obviously, we always talk about. With employees, you can mandate that and get acceptance because they understand. But when you're talking about the broader community, it's not an easy task. And, I look to my brother-in-law as a perfect example.

When we upgraded him from Windows 98 to Millennium to Windows XP, that was pretty stressful for him because he was not accustomed to two-factor authentication. You have to understand that not everybody understands this as well as some of us do. It needs to change in small steps, and absolutely, these are steps that do need to be moved forward.

Pescatore:

You spent time on the government side, and it seems to me there are three root authorities who could issue some form of digital identities that might end up on two-factor authentication or a smart card sort of identification: there is the government; there is the credit card world; and then there's, probably outside the U.S., the cell phone world.

Outside the U.S., everybody has a cell phone and their identity is tied up with their mobile phone number. But I think in the U.S., it is a political third-rail in the government to talk about a digital identity card.

Schmidt:

That's clearly one piece of it, but the whole issue technology-wise has been the scalability of it. As I was rolling out the smart card project at Microsoft, which I took to the government, the issue was that we may not be able to issue identities to everybody, but we have to have the ability to trust identities that are being issued by other sources.

So if you have, for example, major companies issuing smart cards or digital identities to employees, and there are policy statements and practices that guard against fraud, then we trust those cross-authentications. That will be much better than trying to have one certificate authority issue to everybody in the world and handle expirations and revocations and stuff.

Pescatore:

Right. We don't seem to have made a lot of progress towards that, have we, in the last ten years?

Schmidt:

It is surprising. A lot of the European countries have become more confident and at ease with using smart cards. As a matter of fact, when I was over in Europe last week at a NATO meeting, the question they asked me is when will the U.S. start doing that?

Pescatore:

Right. Tell me, from your perch now at eBay and what you saw previously on the government side, what do you think is the one thing the government could do to help industry become more secure or continue to improve security? If you could wave a wand, what one thing would you want the government to do?

Schmidt:

To help — primarily in the research and development area. There are a lot of pieces out there that can help with authentication, and I think there is some R&D the government can do. It could help create a strategy for research and development of what we need to do to make things more secure.

Pescatore:

Now, if you would put your government hat back on — when you were on the cyber security office side — if there was one thing you could have gotten private industry to do to help the national defense and the government mission in trying to improve cyber security, what would that have been?

Schmidt:

I think clearly it would be the response center concept, particularly larger companies in the IT space as well as large enterprises not in the IT space, such as trucking companies. They have tremendous tools and tremendous insight as to what goes on not only on their networks but the networks that support them. That information, in aggregate, could be tantamount to the hurricane warning center in Florida that looks at the things that go out there in a very consolidated manner.

Pescatore:

Yes. When you look at some of the larger managed security service providers — a Guardent or a Symantec, now it's Riptech — the one mega-valuable piece of information I've seen them be able to provide is to tell somebody, "This was an attack only against you," versus just some broad attack.

Schmidt:

That's correct. That's extremely valuable, and you could start doing some of the event correlation which may be a prelude to attack. There are a lot of things that that sort of visibility can give you. The example I used in my White House days was that it's the difference between looking through the end of a straw and seeing just what goes through there, as opposed to getting a holistic view.

Pescatore:

Now, one thing eBay, as a global company, must run smack into is the number of different laws and privacy regulations. How does eBay deal with that?

Schmidt:

Well, I think once again it's an industry issue: making sure that what we're doing as a company is consistent with not only the laws but just doing the right thing in all these different countries. So, it just takes a lot of legal work.

Pescatore:

Yes. If somebody exposed my buying and selling history, that would be a considerable breach of my privacy. So that must be pretty important information to protect from eBay's side.

Schmidt:

Yep.

Pescatore:

Now, here's a question I love to ask Gartner clients: If eBay president and CEO, Meg Whitman, came to you and said, "Hey Howard, here's a hundred dollars per eBay employee to spend on security," and if you had to spend it in one, or at most, two places to get the biggest bang for your buck to make eBay more secure, where would you put it?

Schmidt:

I think two places. The first one would be authentication, and the second would be IT, on that whole issue of patch management and configuration management.

Pescatore:

It's funny. We had this debate internally at Gartner, and all of us who spent time in operational security said "authentication," and we'd pay extra for software that didn't need the patches. All the people who never spent the operational time said, "We'd spend it educating the users."

Schmidt:

Well, if you had given me a third bucket, that would have been education. You've probably seen some of the stuff that I've either written or talked about — the four buckets: authentication, configuration management, training and education, and the fourth — which I generally break out separately from configuration management — is patch management, because that is so crucial. Some of the statistics the Department of Defense has come out with show that 98-point-something percent of intrusions into the network were as a result of nothing other than a patch not being applied in a timely manner.

I recently did an install for a friend of mine, a brand new install of a desktop, bought off the shelf, and went live on the network to the Internet. I hooked it up and everything worked beautifully, and I immediately went to the update site where, I think at that point, there were something like 38 security updates that needed to be done. It took a few hours to do this. And that was a brand new box, with someone doing it — me — who understands security.

Can you imagine how many times people go out, buy something, connect to the network, and don't know about the need for updates right away? So, it's critical to automate these processes — as we used to call it, the self-healing, self-repairing systems.

Pescatore:

If I remember correctly from dealing with eBay, don't you have tens of thousands of servers — some phenomenal number?

Schmidt:

Yes. I don't remember the numbers, but there are a lot of servers to deal with. The thing that I've seen evolve over the years — and I go back to Code Red — after Code Red occurred, we had some discussions with CIOs around the world. The number one reason they said they were affected was because they didn't know they had that particular service running. Obviously, it was installed by default, turned on by default, which has changed now.

The second reason was they knew they had it running, but they didn't think anyone would come after them because they were not a notable target. The third reason was the fact that they knew it, they knew they were vulnerable, but they scheduled maintenance every third Saturday of the month or something like that.

Pescatore:

One last question: Two years from now, what one thing do you hope has happened, or do you think will have happened, to make security directors' jobs easier?

Schmidt:

I think that whole issue around automation of not only configuration, but patch management will be the thing that will really make it easier.

Pescatore:

In that process, it seems to me, there are three key pieces and we've seen progress in shortening only two of them: first, discovery of a patch and the last piece — pushing out the patch. The middle piece, making sure the patch doesn't blow away your legitimate applications, hasn't been shrunk much at all.

Schmidt:

If you look back to the strategy we put out at the White House, one of the R&D agendas was a sort of UL — an Underwriters Laboratories, if you will — of software patches. And we thought, once again, that would be a crucial role in which the government has experience and could be helpful in setting standards and setting up an environment where some real-time testing could be done. There is only a limited amount you can do as the vendor, because your environment doesn't mirror what everybody else is doing. You don't have their key line-of-business applications.

But, even without those, the benefit would be an understanding of what happens when you install this patch. What sort of memory space it's allocating would really be helpful to give someone a greater level of confidence as to whether this will blow something up or work okay.

Pescatore:

Thank you, Howard.