Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Effect of Snake Oil Security

Posted by timothy on from the homeopathic-snake-oil-is-better dept.

Trailrunner7 writes "Threatpost has a guest column by Robert Hansen (aka Rsnake) about the long-term effects of snake-oil security products. 'I've talked about this a few times over the years during various presentations but I wanted to document it here as well. It's a concept that I've been wrestling with for 7+ years and I don't think I've made any headway in convincing anyone, beyond a few head nods. Bad security isn't just bad because it allows you to be exploited. It's also a long term cost center. But more interestingly, even the most worthless security tools can be proven to "work" if you look at the numbers.'"

9 of 110 comments (clear)

  1. In short by guruevi · · Score: 5, Insightful

    Statistics can be made to show anything, managerial and C-level executives have to be more responsible and in the end it's cheaper to just let the customers eat the costs of bad security rather than fail trying to do something about it.

    The main problem imho is that there are no real punishments when something goes bad. If somebody gets hacked the old adage of "it's happening more often throughout the industry" is used to redirect the blame from the gatekeepers to the attackers. If somebody doesn't get hacked while the competition is, the executives get praised even though they might not have done anything meaningful. Back in the day when castles (security products) were used to protect a lord (the data or the company) and the gatekeeper (managers and sysadmins) didn't do their job, the gatekeeper would get flogged, stripped naked and/or executed. The soldiers didn't blame someone else when somebody invaded their castle and they didn't pat themselves on the back as 'doing a good job' when the neighboring castles were ransacked.

    Security procedures have nothing to do with the rest of the industry. Most likely they're unique to your company and structure, and one time, you're going to be up for a targeted attack and you should be ready at all times.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re:In short by BobMcD · · Score: 3, Insightful

      The main problem imho is that there are no real punishments when something goes bad.

      This is quite true, but there's simply no viable alternative. Who would wield the power of 'real punishment' in the hypothetical 'fix' scenario? The government?

  2. The nature of humanity? by lightspeedius · · Score: 3, Insightful

    I think we will solve the issues of computer security about the same time we figure out how to deal with conflicts within ourselves and humanity.

  3. Re:Good, Bad and Ugly by JeffSpudrinski · · Score: 5, Insightful

    It can also be hard for folks to understand that you need layered security and that sometimes what worked at one time should be replaced.

    We recently migrated from one solution (McAfee) to another (Sophos). Company management eventually bought in, but the question has been asked "Why were we running inferior stuff to begin with?" McAfee wasn't inferior when we went to it (eight years ago)...they just simply didn't keep up with the times.

    Threat vectors change over time and it is necessary to make yourself essentially a "moving target" by not relying on a single (or even the same) solution over time. If you do an audit and find something lacking...replace it.

    Just my $0.02

    -JJS

  4. Who needs security ... by tgd · · Score: 3, Insightful

    When your webserver dumps its cargo at the first sign of an Imperial Cruiser ...

  5. Re:It's the OS, stupid by jimicus · · Score: 5, Insightful

    I'm afraid it isn't, and a bit of reading between the lines in the article would allow you to figure this out.

    The types of attack which Windows is most infamous for - true self-replicating viruses and trojans that require you to be running as a local admin for them to work - are an endangered species. Newer attacks don't self-replicate like viruses and don't necessarily require you to be running as a local admin. Indeed, you can do quite a lot on any modern OS, be it Linux, some other Unix or Windows without being admin/root. You can certainly do enough to gain access to all sorts of juicy information and then pass it on through the Internet.

    The main reason Windows is targeted by the malware authors - particularly on the desktop - is that a lot of the malware authors aren't doing it for interest, they're doing it for cash. What's the point in writing an exploit that will give access to a Linux desktop when you could write the exploit for Windows and target about fifteen times the number of potential victims?

    Let's assume a drastic drop in Windows usage. Are the world's malware authors going to shrug their collective shoulders and say "Ah well, it was nice while it lasted"? Or are they going to say "Well, there's still lots of computers out there with lots of ill-informed people using them for things like banking, even if they're not running Windows. Wonder if there's any way to exploit them?"

  6. Re:Password Post-It on the screen by Dr_Barnowl · · Score: 4, Insightful

    Well, no. Most of them are configured to remove the possibility of that choice from the user - if they detect a virus, they quarantine the file and don't give you a choice. It's more that they can't detect everything. After that, it's not the virus scanners fault if users have poor digital hygiene.

    For what it's worth, I run my personal Windows boxes without anti-malware and anti-virus, respect a few general principles, and don't have problems. But explaining this to common users seems to be impossible. They seem to be unable to apply general principles, instead needing specific directions for every little circumstance.

    People will scoff at the idea that Unix has a more secure model, but really little things - like the executable bit, like not running as admin - raise the barrier for malware. .NET tried to implement a third way - by sandboxing applications - but it was realistically too much of a faff to configure, and not much good if you could still write all your malware in plain C.

  7. Re:It's the OS, stupid by Alex+Belits · · Score: 3, Insightful

    Users will need antiviruses for linux in the event it's popularity goes up.

    Because Linux software automatically runs executables downloaded from the Internet, right?

    The idea of "antivirus" is idiotic to begin with -- analyze something you already have on your computer in hope to recognize something that already infected millions of computers before you (or otherwise how McAfee would know it?). Security comes from lack of vulnerabilities in your permissions/access model -- something that is pretty easy to accomplish as long as you develop such a policy in the first place. For example, modern Linux desktop environments handle .desktop files in an insecure manner, and this can be easily fixed by treating them as executable script files (no execute bit means you can't execute it) even though they are not scripts from kernel point of view. The fact that web browser always runs under a user ID of a user who started it is another thing that should be fixed, as it's too large to be a trusted program. However those things can and will be fixed without introducing "let's loof for 'sudo rm -rf /' everywhere" approach that only exists because Windows security model is broken and unfixable.

    --
    Contrary to the popular belief, there indeed is no God.
  8. Re:It's the OS, stupid by wshs · · Score: 3, Insightful

    Most recent attacks have been via stupid users, not buggy OS. The reason Linux hasn't been targeted is threefold: 1) next to nobody uses it, thus a waste of effort to write malware for it; 2) its users aren't retarded; 3) each distro is completely different, unlike different Windows versions.