Cisco CSO Says Antivirus Money "Completely Wasted"
mernil writes with an excerpt that kicks off a story at ZDNet Australia: "Companies are wasting money on security processes — such as applying patches and using antivirus software — which just don't work, according to Cisco's chief security officer John Stewart. Speaking at the AusCERT 2008 conference in the Gold Coast yesterday, Stewart said the malware industry is moving faster than the security industry, making it impossible for users to remain secure."
Why pay for it, when there are plenty of free alternatives?
Companies are wasting money on Windows ;)
Patching software does work though; I don't see the alternative if you have an exploitable bug in your code. You want that code fixed. It doesn't matter if no damage can be done to your system, you still want all your applications running as expected.
which is totally what she said
As a desktop linux user, has anyone EVER gotten a virus? Or better yet has any anti-virus program saved your ass?
I read this story yesterday, and the quote is a little misleading. Here's the context: "If patching and antivirus is where I spend my money, and I'm still getting infected and I still have to clean up computers and I still need to reload them and still have to recover the user's data and I still have to reinstall it, the entire cost equation of that is a waste."
"It's completely wasted money," Stewart told delegates. Exactly. If it does not work, the money spent on it is wasted. Not exactly controversial.
Floating face-down in a river of regret...and thoughts of you...
But all the money spent on Cisco's obscenely overpriced security appliances is well spent, right?
There are a lot of people profiteering in the computer security market, and Cisco is up there.
ad logicam: Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Unless he's expressing his vested interest in using hardware firewalls to keep viruses and malware away from the end user PC, this statement makes absolutely no sense.
Generally, a rational botnet creator would tend to try to pwn the low-hanging fruit first - i.e. the ones that have no updates, malware detection, AV, etc. Only if he/she is unable to get a large enough botnet after applying those tools would one resort to the higher-level techniques.
It's rather like saying that Timothy McVeigh would rather have used nuclear ordnance when a U-Haul full of fertilizer served his purpose just fine...
Most free anti-virus apps available are free for personal/non-profit use only. If you want to deploy them on a commercial network I believe you have to pay for almost all of them.
The A/V industry is having difficulty keeping up with the ever evolving and growing malware industry, but "completely wasted"? I don't think so.
For Geeks who delete suspicious emails, use Thunderbird (so emails are not rendered in the IE engine), etc., sure, an AV may be a useless waste of CPU cycles. But for the nontechnical user, it's important. While it's difficult to keep up with outbreaks, it's important for older viruses in the wild, something Grandma may not catch.
Now, as for a whitelist. Dumb idea. It puts too much power in the hands of AV companies (who can say "$$$ to get on the list!", or if users can change it, they'll get "IMPORTANT WINDOWS UPDATE- REMEMBER TO ADD TO YOUR WHITELIST!"). What about unsigned programs? Updated versions?
A whitelist might work for children, for work PCs, for other non-administrators. But people ultimately want to install their own programs without the blessing of company XYZ.
And, as a geek, I strongly disagree that it's impossible to remain secure, it just takes a little training. I know nontechnical users, I teach them for 10 minutes, and they have good habits. Don't open emails saying "A greeting card from a classmate", don't run unsolicited programs, if you get an email saying it's from chase.com "Important Account Update" visit them directly, etc. Those habits go a long way, along with some layered protection (ZoneAlarm Free, Router w/ a firewall, Avast Home, Immunize in SpywareBlaster, and Immunize in Spybot S&D). That user still has some trouble with some tasks, but with a little common sense and some good protection, they've stayed infection free for 4 years.
(And, of course, I fix the computer as a friend, and I occasionally run rootkit detection and AV from a LiveCD just to make sure).
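The post above objects that a program whitelist breaks on unsigned programs and on updated versions. Which of those objections holds depends on what the list actually keys on, and that is easiest to see in code. The following is an added example, not code from the thread or from any AV vendor: it compares an allowlist that pins exact file hashes against one that trusts a publisher's signing key. Ed25519 stands in for whatever code-signing scheme a real enforcer would check, the "executables" are constructed byte strings, and the publisher name "AcmeSoft" is invented for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Binary is a program the allowlist is asked about. Publisher and Sig are
// empty for an unsigned binary. Constructed stand-in: a real enforcer would
// hash the file on disk and check its platform code signature instead.
type Binary struct {
	Bytes     []byte
	Publisher string // publisher the binary claims to come from
	Sig       []byte // signature over Bytes by that publisher's key
}

// HashPolicy pins exact contents: hex(sha256(file)) -> allowed.
type HashPolicy map[string]bool

// PublisherPolicy trusts a signing key per publisher name.
type PublisherPolicy map[string]ed25519.PublicKey

// Digest returns the hex SHA-256 of a file's contents.
func Digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Allow under a hash policy: only the exact pinned bytes pass. Whether the
// file is signed is irrelevant, and any update is a miss until re-listed.
func (p HashPolicy) Allow(bin Binary) bool {
	return p[Digest(bin.Bytes)]
}

// Allow under a publisher policy: the binary must carry a signature that
// verifies under the listed key. New versions from the same key pass;
// unsigned binaries, unknown publishers and tampered contents do not.
func (p PublisherPolicy) Allow(bin Binary) bool {
	key, known := p[bin.Publisher]
	if !known || len(bin.Sig) == 0 {
		return false
	}
	return ed25519.Verify(key, bin.Bytes, bin.Sig)
}

// Scenario runs both policies over the cases the thread argues about and
// returns each verdict keyed as "<policy>:<case>".
func Scenario() map[string]bool {
	acmePub, acmePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader) // someone else's key
	if err != nil {
		panic(err)
	}
	// Constructed stand-ins for two releases of the same program.
	v1 := []byte("calc 1.0 -- constructed stand-in for an executable")
	v2 := []byte("calc 1.1 -- constructed stand-in for the next release")
	signed := func(b []byte, priv ed25519.PrivateKey) Binary {
		return Binary{Bytes: b, Publisher: "AcmeSoft", Sig: ed25519.Sign(priv, b)}
	}
	tampered := append([]byte(nil), v1...)
	tampered[0] ^= 0xff // contents modified after signing

	cases := map[string]Binary{
		"v1":          signed(v1, acmePriv),
		"v1-unsigned": {Bytes: v1},
		"v2-update":   signed(v2, acmePriv),
		"impostor":    signed(v2, roguePriv), // claims AcmeSoft, wrong key
		"tampered":    {Bytes: tampered, Publisher: "AcmeSoft", Sig: ed25519.Sign(acmePriv, v1)},
	}
	byHash := HashPolicy{Digest(v1): true}
	byPublisher := PublisherPolicy{"AcmeSoft": acmePub}

	out := map[string]bool{}
	for name, bin := range cases {
		out["hash:"+name] = byHash.Allow(bin)
		out["publisher:"+name] = byPublisher.Allow(bin)
	}
	return out
}

func main() {
	for k, v := range Scenario() {
		fmt.Printf("%-24s %v\n", k, v)
	}
}
```

The two policies fail in different places: the hash list accepts the pinned v1 whether or not it is signed and rejects the legitimate 1.1 update until someone re-lists it, which is the "updated versions" problem from the post; the publisher list lets the update through but, as the post also notes, has no answer for unsigned software at all, and it rejects the tampered build even though the claimed publisher is trusted.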
"And the risks and losses would be much greater."
Based on what? The cause of infection is pretty much the same with or without AV software:
- Application exploits (AV software only stops known ones, all the new ones constantly coming out get through just fine)
- Stupid users saying "sure I want to run this random .exe file someone emailed me" (AV software is no help at all)
I'm not seeing any real world evidence that AV software is reducing the damage being done by all these viruses.
I mean really, when was the last time you had AV software catch a virus that would have otherwise infected your system?
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
Correct, patching your systems isn't going to protect you against state-of-the-art malware. What patching does is protect you against script kiddies running exploits that are 6 months old. The majority of the successful attacks I've seen are against old vulnerabilities, not new ones.
Additionally, patching isn't just about security. It's about fixing software bugs that could cost you time/money later.
Even if you made every OS somehow 99.999% malproof, someone would still be selling a Norton-like utility that you need. Security is big business, since fear is the best motivation for buying you can have.
If they couldn't justify the fear, they would themselves research the holes JUST so they have something to patch or a utility to sell us. While in a perfect world we could just patch our OSes for bugs and have no need for anything running in the background to protect us from bogeymen, companies like Norton, McAfee, and *yes* Microsoft are going to make sure WE NEED THEM, since they see us more as $'s than end users.
Cisco is integrating ClamAV into their "Cisco Security Agent" HIDS product. They clearly think AV is useful, just not other people's AV.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
"You are receiving HTML which speaks unfavorably about me. Cancel or Allow?"
Who says the alternatives have to be anti-virus applications? ;)
Sorry, but it is beyond laughable that this is news. Anti-virus software is like prayer. It lets you think you're doing something.
Anti-virus software is by its very nature a "post damage" measure, like closing the barn door after the horses leave. Or fixing the roof after the house is wrecked by rain.
The *only* way to prevent viruses is to understand that your computer only does what it is told and you need to control who gets to tell it what to do.
Windows, and we are talking about Windows here, is designed to allow foreign agents to control your system without your consent. Microsoft has so many holes in its system beyond just stack overflow exploits, but protocols and APIs designed to make it "easier" for applications to do things "for you," and are we surprised that it is exploited?
Stewart said the malware industry is moving faster than the security industry, making it impossible for users to remain secure.
He then set his hair on fire and ran screaming from the stage.
AV is completely wasted money. Patching isn't. Especially for systems that expose that particular service to a hostile network. Internally behind firewalls, not as much of a threat, but should still be addressed. It all comes down to risk assessment. AV simply tries to solve a user stupidity issue with technology. That will never work, while making your systems less stable and more costly to maintain in the process.
I don't think it can be called "hardware" prevention here. Pulling out the cable, that would be hardware prevention, but in this case you have a software solution, only you have pushed it to another device. This changes the layout, but the approach stays the same.
Rich
Cisco CSO says "You are all going to die so put down the muesli bar and pick up that burger."
I read somewhere that if I didn't run Windows as an admin, that would help a lot
That's absolutely correct. If you avoid logging onto Windows as Administrator, you greatly lessen your exposure to security hazards. Especially since in the real world you can hardly run any useful software unless you're logged on as admin, therefore you're using the Windows box less, and naturally, less use equals less exposure to danger. In fact if you just keep your Windows box powered off, then it will be the absolute most secure against malware.
I'm sure it's a common experience to Slashdotters to have a friend/relative show them their PC that they think it has a virus because it runs so slowly, when of course the reason it is running so slowly is all the anti-virus crap installed on it.
I have two Windows computers that I use. They are rarely used (Govt issue). In addition I have 3 Macs, two Sun boxes (Solaris 9 & 10 respectively) and a number of Linux boxes. I run Symantec on the two Windows machines (comes pre-installed) but it has never caught anything. This is not because there was nothing to catch, but rather because I have very high security at the demarcation point of my network at home. I run a router with PacketProtector (a great OSS project...if you've not tried it out, you should) which runs ClamAV, Inline SNORT, DG, TinyProxy, etc. etc. etc. which pretty much stops everything in its tracks. I wouldn't call it ready for prime time as there are still some bugs, but implementing the same packages on an old PC would be simplistic. My point is that it's relatively easy to stop darn near everything at the entry point to the Network rather than waiting for it to make itself known on one of the PCs. Catching it on the host should be the last resort, not the first line of defense. Hopefully projects such as OpenWRT, PacketProtector and IPCop will make it easier for the average user to make this a reality. There is certainly a need for more effective anomaly based analysis and filtering vs. signature based, but there seems to be a lot of progress in that direction by SourceFire and others. Of course it would be nice if MS would stop producing virtual petri dishes, but in the meantime....
I downloaded higgeldy-piggeldy and scored 17,342 points on my first game. I'm pretty sure it doesn't have any spyware, but it's weird how IE keeps telling me I'm "pwned" or something.
My comments are my own, and do not represent the views of my employer, my spouse, my children, or my cats.
Cisco says they have a great new hardware firewall that will stop *ALL* malware. You just need to sign a contract indemnifying them should you have a malware outbreak on your network...
Just get a separate hard drive or a flash drive and store the stuff you need there. Then have a reformatting partition on your drive and press f11 during startup to clean everything out. If this process was faster and easier, anti-virus would be out of business completely.
Help fight spam
I know people who bought antivirus products for a Mac. It speaks more to their gullibility than anything else. Probably if you're dumb enough to think you need it, you need it.
Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
okay, genuine question... who's got statistics on malware infections on windows that can be used to separate 'by trickery' versus 'by automated exploit'.
And 'by trickery' I would take anything from "double-click this exe in this e-mail to see naked chicks!" to "you must download this program to play this audio file"; i.e. anything that actually requires the user to okay the action taken in one way or another.
Automated I would assume anything that either requires no user interaction whatsoever (somebody hacks into the machine remotely) OR happens as part of a drive-by (old outlook exploits, old IE activeX exploits), and throw in the "print list of links" exploit from a week or so ago that is an exploit of a non-default feature, but certainly a feature when enabled wouldn't give the user the impression that it might do Bad Things (as opposed to a checkbox saying "automatically load and execute any programs referenced from a web page".. or something of the sort).
IF those statistics show the latter category to outnumber the former by a large factor - yay, Go Linux/BSD/whathaveyou.
If not - I'm sorry, but other operating systems would be affected just as well. Okay, perhaps the malware can't gain root; woop-dee-doo if the purpose of the malware is to simply connect to web servers / send e-mail / do anything the -user- might do, and is allowed to do, themselves.
The problem is the users. No matter how secure you make an operating system users will still click on every link and give people their passwords.
My platform of choice is Ubuntu. And unlike the AC who started this sub-thread (or like you, evidently), I'm not enough of a moron to believe that I'm invulnerable.
The biggest security problem with any platform is not the platform itself, but the user. If the user does something stupid (like opening up an insecure attachment), then they've got a problem. Anti-virus and patch programs can only go so far in protecting users from their own stupidity.
If you haven't been down-modded lately, you aren't trying.
Sacred cows make the best hamburger.
Then have a reformatting partition on your drive and press f11 during startup to clean everything out.
That's a bit complex. Why not just run a liveCD then? Cache it into RAM, and it runs very fast.
What?
I find it very interesting, as well as sad, to see this kind of solution. You're basically saying "you can't protect against malware, let's give up and use backup as the only defense".
Is this really what it's like? Is having malware violating your personal computer the norm? Is it really impossible to design secure OS's and applications from the ground up instead of making them full of holes and relying on "solutions" that pick up the pieces? Is it really better to do damage control than prevention?
I find that very hard to believe. I think it's more likely that the current state of the software industry is based on complacency and no respect for the customer and his or her personal data.
If it turned out that the maker of your main door lock made a shoddy product that allowed anybody to unlock it and have their way with your house... you'd be mad, right? You'd hold them responsible, want your money back, never buy from them again, maybe even sue them and ask for reparations if they acted like assholes.
But when your personal computer gets broken into you don't make a peep, you just sigh and use a backup, if they have one. Then it's back to the torture of finding and paying for antimalware, knowing full well that one day you'll get shafted again.
Someone please explain this self-abuse to me. The only explanation I've come up with is that people are ignorant and/or brainwashed into thinking there's no alternative so they'll put up with anything and think that's how it's supposed to work.
The software industry needs to grow a spine, take responsibility and stop all the "no guarantees" crap. Then maybe, just maybe, we'll see some improvement on the malware front.
i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer
Following the "virus" metaphor from biology, if the computer is an organism, and AntiVirus is part of its immune system, we should realize that at some point, just like any biological organism, the system will die.
A healthy system may have the latest and best immune system known to man, but this does not guarantee and should not be construed to mean that the system is invulnerable or immortal. It is merely immune or resistant to the diseases that it has been exposed to or evolved resistance or immunity to.
We don't expect medical science to ever eradicate all disease and make us perfectly healthy; why do we think it's possible for computers? (Or conversely, why do we think that building an immune system is wasted effort?)
Then again, perhaps turing/von neumann machines and biological organisms aren't so similar after all. It's hard to assess whether this extended metaphor is too forced to be useful or not.
You see? You see? Your stupid minds! Stupid! Stupid!
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
Using your comparison of malware to the real life scenario of your house being broken into, it's impossible to make a house that can't be penetrated (or it would be so difficult that it's not worth it). It would be the equivalent of building a fortress and running it with the various employees. Assuming people wanted to get into your house to bug it for information (i.e. spyware), it would be much more efficient to have a cheap house that you can demolish and rebuild.
AC didn't say malware. There has never been a Mac OS X virus. Ever. Period. And by your own admission, even worms and trojans are incredibly rare. Feel free to cite a virus if you can, I'd love to read about the thing if it were to exist.