Slashdot Mirror


Antivirus Inventor Says Security Pros Are Wasting Time

talkinsecurity writes "Earlier this week Peter Tippett, chief scientist at the ICSA and the inventor of the program that became Norton Antivirus, had some interesting things to say about the state of the security industry. In a nutshell, Tippett warned that about a third of the work that security departments do today is a waste of time. Tippett goes on to systematically blow holes in a lot of security's current best practices, including vulnerability research/patching, strong passwords, and the product evaluation process. 'If a hacker breaks into the password files of a corporation with 10,000 machines, he only needs to guess one password to penetrate the network, Tippett notes. "In that case, the long passwords might mean that he can only crack 2,000 of the passwords instead of 5,000," he said. "But what did you really gain by implementing them? He only needed one."' Some of his arguments are definitely debatable, but there is a lot of truth to what he's saying as well."

3 of 282 comments

  1. Valid points from article by whitehatlurker · Score: 4, Informative
    1) Not all "vulnerabilities" are dangerous. Yes, there are a lot of junk security warnings out there. Part of the security officers' duty is to separate the chaff from the kernels.

    2) You're only as secure as your weakest password. We knew that.

    3) This guy shouldn't talk about seatbelts.

    --
    .. paranoid crackpot leftover from the days of Amiga.
  2. "Attack trees" by Bruce Schneier by khasim · Score: 5, Informative

    http://www.schneier.com/paper-attacktrees-ddj-ft.html

    Bruce also wrote about "attack trees". Having long passwords ONLY helps if the attacker has unlimited access to crack them. A simple WordNumberWord combination can give you enough security as long as each login attempt is noted and tracked.

    If there is a 15 minute delay between every 3 attempts to login, and a HUMAN reviews the logs every work day, your online security should be sufficient.

    You only need the 1024bit security when the attacker can download the file and crack it at his leisure. But then, the failure is that you did not prevent the attacker from downloading that file.

    There will ALWAYS be some risk. What's to stop the attacker from kidnapping your CEO's daughter and demanding that he let the attackers use his laptop to access your databases? The key is REDUCING the threat. If 99.99% of the attackers out there are not skilled enough or motivated enough to get through your security, are you "secure"?

  3. Re:What did I gain? by c_woolley · Score: 3, Informative

    I think people are missing the point of a very single and important statement the OP made. He said that all he needs is to get 1 password to compromise thousands. Much of security depends on a weak product... people. How many times in a movie have you seen those security guards watching a perimeter with those eagle eyes of theirs, and spotting someone immediately? Well, usually in real life, after a few weeks on the job, those eagle-eyed guards turn into the other type of guards you see in movies... the ones with donuts who are asleep. The point is that people become lazy and do things like leave a password out in view, or easily found (i.e. ANYTHING not memorized). People talk on the phone when troubleshooting and give out passwords to "help" get back into systems, and then are slow to change them afterwards, or don't change them at all. People are... human. They make mistakes. The point he is making is that he only needs to exploit a single user who fails to be vigilant from day one. After that, the network becomes his playground.

    Also, although I agree that security is a mindset, it is a product as well. There is a dollar figure attached directly to it. If you did not purchase it, you don't have it. That's why I get paid.

    Also, don't think I am picking on you for it, but SSH timeout is almost worthless. All it does is slow you down a small bit. Yes, if I fail login three times, it will boot that session, but unless you have other things set up for reporting/detection and response (again something that you most likely have to pay for), all that needs to happen is that a script run continuously, establishing a new session each time, until it sees a prompt appear.

    Do not stop using VPNs. VPNs can greatly enhance your network security from site to site. What you should enforce is visibility before reaching your LAN. In other words, terminate your VPN above a firewall, IDS/IPS, etc. Have a security plan that includes public-facing IPs that are protected by another router or firewall as well. Yeah, it can be costly, but the security provided is greatly increased as well, and you can effectively communicate and control traffic both inside and outside of your LAN. It isn't without flaw, but as the article is pointing out, there really isn't anything out there that is without flaw.
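
Added example, not code from any poster on this page: the "delay after three attempts, then a human reads the logs" scheme from comment 2, written out in Python. It assumes the policy numbers the comment proposes (3 failures, 15 minutes) and tracks failures per account rather than per session, which is what makes the reconnecting script objected to in comment 3 ineffective; dropping the session is not the control, the account-side counter is. It also includes the daily review the comment calls for, and that review pivots on source address as well as on account, because a run that tries one common password against every one of 10,000 accounts (the attack in the summary, which only needs one hit) never trips a per-account lockout and is only visible on the source side. Account names, passwords, addresses and timestamps are constructed; PBKDF2 stands in for whatever password store is really in use.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MAX_FAILURES = 3                 # policy from the comment: three tries...
LOCKOUT = timedelta(minutes=15)  # ...then a fifteen minute wait


def _hash(password, salt):
    # PBKDF2 stands in for whatever your real password store does.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class LoginThrottle:
    """Tracks failures per ACCOUNT, so opening a fresh session buys nothing."""

    def __init__(self, users):
        # users: {name: plaintext}, constructed for the demo; hashed at startup.
        self._creds = {}
        for name, pw in users.items():
            salt = secrets.token_bytes(16)
            self._creds[name] = (salt, _hash(pw, salt))
        # Dummy record so unknown names cost the same time as real ones.
        dummy_salt = secrets.token_bytes(16)
        self._dummy = (dummy_salt, _hash(secrets.token_hex(8), dummy_salt))
        self._failures = defaultdict(int)  # consecutive failures per account
        self._locked_until = {}            # account -> datetime the lock expires
        self.audit_log = []                # one entry per attempt, for the reviewer

    def _log(self, now, user, source, result):
        self.audit_log.append(
            {"time": now.isoformat(), "user": user, "source": source, "result": result}
        )

    def attempt(self, user, password, source, now):
        """Returns True on success. Every outcome, refused ones included, is logged."""
        until = self._locked_until.get(user)
        if until is not None and now < until:
            self._log(now, user, source, "REFUSED_LOCKED")
            return False
        salt, stored = self._creds.get(user, self._dummy)
        ok = hmac.compare_digest(_hash(password, salt), stored) and user in self._creds
        if ok:
            self._failures[user] = 0
            self._log(now, user, source, "SUCCESS")
            return True
        self._failures[user] += 1
        if self._failures[user] >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT
            self._failures[user] = 0
            self._log(now, user, source, "FAIL_LOCKED")
        else:
            self._log(now, user, source, "FAIL")
        return False


def daily_review(audit_log, min_accounts=5):
    """What the human reviewer should look at each morning.

    Returns (failures per account, sources that failed against at least
    `min_accounts` distinct accounts). A per-account lockout never fires on
    a run that tries one password against every account, so the source-side
    pivot is the only place that attack shows up."""
    per_account = defaultdict(int)
    accounts_per_source = defaultdict(set)
    for e in audit_log:
        if e["result"] != "SUCCESS":
            per_account[e["user"]] += 1
            accounts_per_source[e["source"]].add(e["user"])
    spraying = sorted(
        src for src, accts in accounts_per_source.items() if len(accts) >= min_accounts
    )
    return dict(per_account), spraying


def demo():
    """Constructed scenario: one account hammered, then one guess per account."""
    t0 = datetime(2007, 11, 1, 9, 0, tzinfo=timezone.utc)
    users = {"user%02d" % i: "Secret-%02d" % i for i in range(8)}
    users["alice"] = "correct horse"
    th = LoginThrottle(users)
    # Three wrong guesses lock alice; the fourth, from a new session, is refused.
    hammer = [th.attempt("alice", "guess%d" % i, "203.0.113.9", t0 + timedelta(seconds=i))
              for i in range(4)]
    # Sixteen minutes later the lock has expired and the real password works.
    later = t0 + timedelta(minutes=16)
    real = th.attempt("alice", "correct horse", "198.51.100.7", later)
    # A second source tries one password on every account: no lockout ever fires.
    for i in range(8):
        th.attempt("user%02d" % i, "Password1", "203.0.113.10", later + timedelta(seconds=i))
    return hammer, real, th.audit_log, daily_review(th.audit_log)


if __name__ == "__main__":
    hammer, real, log, (per_account, spraying) = demo()
    for e in log:
        print(e["time"], e["source"], e["user"], e["result"])
    print("failures per account:", per_account)
    print("sources spraying many accounts:", spraying)
```

Running it prints the thirteen audit entries, shows alice's fourth guess refused without the password ever being checked, and lists 203.0.113.10 as the only source worth a phone call: it never locked anything, which is exactly why the per-account view alone would have missed it. In a real deployment the counter and lock table live in whatever shared store all login front ends can reach, otherwise a script that round-robins across hosts gets a fresh counter on each one.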