When Should You Deploy Vista?

The recent announcement from Microsoft of the long-anticipated ship to manufacturers of the Vista operating system brings visions of patches and problems to the dreams of veteran infosec practitioners. Those companies large enough to hold corporate licenses will have it made available by November 30 for bulk download or via CD.

The question for us in the financial industry is – when to upgrade to Vista?

A wise CEO once noted when his IT department was clamoring to upgrade to a new OS, “Let’s let the dust settle, let others shake the bugs out, then we’ll wait until it’s a robust product before we move over.” That was back in the day of Windows 95 when customers came to your bank to transact business, or they picked up their land line telephone to call in.

In the case of Vista, many banks won’t have that luxury; as soon as consumers upgrade to Vista, any problems they have with it will become our problems, especially where online banking transactions occur. Earlier beta versions of Vista examined by security experts showed that the XP code written for security products by Symantec and other companies may not jibe completely with the initial versions of Vista. While these bugs have been mostly resolved, it makes one think -- if the big players in security products are scrambling to find solutions to make their products work with Vista, what will be my first move?

It took Microsoft a little over five years to come up with this “new” Vista. Once consumers and your customers have it made available to them (retailers get to unleash it on the public January 30) it will be time to reach for that bottle of antacids and pick up the bottle of pain relievers. Office 2007 will be released in the US and Canada on December 1.

BankInfoSecurity.com talked with Aaron Turner, CISSP, CISM, who is the Cybersecurity Strategist for National & Homeland Security at the Idaho Defense Laboratory in Idaho Falls, ID. Earlier this year, Turner joined IDL from Microsoft. For the last seven years Turner was closely involved with security teams at Microsoft working on Vista’s development and its improved security. We spoke with him about how bank CISOs can take advantage of Vista’s improved security and the approach he would take when rolling out Vista across a company.

BIS: When should banks and other financial institutions look to upgrade to Vista? Can the average bank wait, or should they migrate quickly?

Turner: From a security perspective, Vista represents a significant improvement over any of Microsoft's past operating systems. But, as with any security technology, each organization will need to do a cost/benefit analysis of how Vista's improvements can best fit their needs.

If I were a CISO of the average bank, I would look to do a staged deployment of Vista, beginning immediately with my organization's laptops. Mobile workers are at the highest risk of attack, and the improvements in Vista's security architecture were implemented specifically to reduce the risk of system compromise in a non-trusted network environment.

Once my organization's mobile workers are better protected, then I would begin focusing on desktops. The main impediment to deployment in that case will be application compatibility. Vista's security improvements will likely cause problems for legacy applications. I would use an application test exercise to identify all of the applications that are not Vista-compatible. The results of that testing will be a valuable indicator for which of my internal applications have potential security problems - if an application will not run in Vista's new security architecture, it is probably a good indication that there are significant security problems with that application.

My prioritized action items would be:
- Evaluate Vista Deployment on Laptops (app testing, etc.)
- Internal LOB application testing (followed by app remediation)
- Staged Vista Deployment to remainder of workstations

BIS: What are some of the shortcomings of Vista (security, architecture, speed) and will they be overcome within the first few rounds of patches?

Turner: Any new operating system will suffer from some problems - and Vista probably won't be exempt from that rule. I would not say that Vista suffers from any specific security shortcomings generally, but it is important for organizations to recognize the security shortcomings of the x86 platform. Running on 32-bit hardware, Vista is saddled with the legacy of an architecture that was not designed to be secure. For example, the lack of a driver signing model for 32-bit systems results in the kernel-mode exploits that are popular today with the Spyware community. If given the choice, I would always prefer to install Vista on 64-bit hardware - which has significant improvements in the area of security and device driver accountability.

As for Vista updates - there will always be the need for organizations to keep their systems up-to-date. Organizations should expect that they will need to keep a robust configuration management infrastructure in place to test and deploy software updates. If history holds true, Vista will probably also have a spike in the volume of updates within the first few months of release, followed by a gradual downward trend with additional spikes as the attacker community focuses on different aspects of Vista.

BIS: Does this merit waiting to deploy Vista in the typically post-SP1-timeframe?

Turner: I would not agree with that approach. The security benefits are of such importance that I would rather bear the burden of some initial deployment problems earlier and be protected, than to continue to be at higher risk of system compromise on Windows 2000 or XP.

Definitions:

x86
The 32-bit instruction set used by most PCs. It originated with the Intel spec of the 8088, which then went to the 8086. Since then increments have come by changing the first number to 80286, 80386, "486", and then Pentium and beyond. The reason that the newer chips are actually named is because the numbers can't be copyrighted, and Intel needed to distinguish its chips from competitors' products.

32-bit
32-bit Operating Systems - Windows NT, OS/2, and some flavors of UNIX are 32-bit operating systems. Windows 95 is a 32-bit operating system running on top of a 16-bit operating system (DOS).

64-bit
64-bit Operating Systems - An operating system that is programmed to run on 64-bit processors. Some flavors of UNIX--and now Linux--are 64-bit operating systems designed to run on 64-bit chips. There are also preliminary versions of Microsoft Windows that are 64 bits so that they can run on 64-bit processors.

Kernel Mode Exploits
In computer terms, supervisor mode (sometimes called kernel mode) is a hardware-mediated flag which can be changed by code running in system-level software. System-level tasks or threads will have this flag set while they are running, whereas user-space applications will not. This flag determines whether it would be possible to execute machine code operations such as modifying registers for various descriptor tables, or performing operations such as disabling interrupts. The idea of having two different modes to operate in comes from "with more control comes more responsibility" - a program in supervisor mode is trusted to never fail, because if it does, the whole computer system may crash.

SP1
Service Pack 1 is the initial software delivered with a new Windows operating system.


About the Author

Linda McGlasson


Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.



