Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Security Companies Peddle Snake Oil

Posted by Soulskill on from the but-this-snake-oil-is-in-the-cloud! dept.

penciling_in writes: There are no silver bullets in Internet security, warns Paul Vixie in a co-authored piece along with Cyber Security Specialist Frode Hommedal: "Just as 'data' is being sold as 'intelligence', a lot of security technologies are being sold as 'security solutions' rather than what they really are: very narrow-focused appliances that, as a best case, can be part of your broader security effort." We have to stop playing "cops and robbers" and pretending that all of us are potential targets of nation-states, or pretending that any of our security vendors are like NORAD, warn the authors.

Vixie adds, "We in the Internet security business look for current attacks and learn from those how to detect and prevent those attacks and maybe how to predict, detect, and prevent what's coming next. But rest assured that there is no end game — we put one bad guy in prison for every hundred or so new bad guys who come into the field each month. There is no device or method, however powerful, which will offer a salient defense for more than a short time. The bad guys endlessly adapt; so must we. Importantly, the bad guys understand how our systems work; so must we."

40 of 67 comments (clear)

  1. Holistic by dreamchaser · · Score: 3, Insightful

    No point product or product line of point products is a 'security solution.' They are part of the equation, but only a holistic approach that encompasses user training, proper design, constant vigilance, and yes the right point products can really be called a 'solution', and even then I tend to avoid the term. I'll speak to solutions for particular problems, for example web filtering or fire-walling, but I try to lead my clients to understand that only a complete top to bottom approach will even come close to providing them with the security they need. Even then, it's a game of leap frog. The bad actors will always be back with sneakier malware, more artful attacks, etc.

    1. Re:Holistic by khasim · · Score: 4, Insightful

      It all comes down to proper design and the ability to say "NO".

      Security cannot be retro-fitted to a badly designed system.

      The person who can demand that you support X in Y configuration NO MATTER WHAT is the person who controls your security. No matter what his/her knowledge level is.

      Next, understand that you will (eventually) be cracked. Someone somewhere will make some mistake just long enough. MONITOR for that. KNOW what the regular traffic on your network looks like. PLAN for what you are going to do WHEN that happens.

  2. wait, what? by Anonymous Coward · · Score: 5, Interesting

    "pretending that all of us are potential targets of nation-states,"

    umm... we ARE all targets of nation-states- no pretending required.
    maybe he meant 'priority targets' or some such...

    1. Re:wait, what? by jimbolauski · · Score: 1

      Exactly you may not be specifically targeted but your identity and financial information certainly are targeted along with everyone else's.

      --
      Knowledge = Power
      P= W/t
      t=Money
      Money = Work/Knowledge so the less you know the more you make
  3. Re:solutions by k3vlar · · Score: 1

    Oh. Dear. Lord.
    That has to be the most pronounced unibrow I have ever laid eyes upon.

    --
    Unlike porn, which yada yada rimshot hey-ooh!
  4. All "security" tech is outright fraud by Anonymous Coward · · Score: 5, Insightful

    Security isn't a product. It's really that simple. Security comes from properly implemented instruction in code. ie that isn't riddled with bugs. Unless your selling me a service which audits the software's source code I use and/or configurations (for example Apache's configuration, SSL enabled, up-to-date, good configuration for Drupal, etc ) I'm not convinced that there is any value in your security product. Your not going to be safer unless the software your using isn't riddled with bugs and poor default settings and/or configuration.

    I have to admit that I would pay for a subscription to an auditing service for GNU/Linux. I wouldn't pay for an anti-virus solution as anti-virus software is an outright fraud. The companies can't fix bugs in the code (on proprietary platforms) and at best there is a slight chance some malicious software might get picked up (the risk and costs vs reward though isn't worth it). It won't stop new malware from exploiting old un-patched bugs and most malicious software in the will get through. 99.8% detection isn't going to do shit when 98.8% of malicious software isn't actually spreading and/or has been patched years ago.

    Yea- I don't use MS Windows or Mac OS X or any proprietary software (well, except, unfortunately a proprietary BIOS, and possibly other low-level microcode, but drivers/firmware for individual components are mostly free in my systems, ie ThinkPenguin.com).

    1. Re:All "security" tech is outright fraud by Gordo_1 · · Score: 3, Interesting

      > I wouldn't pay for an anti-virus solution as anti-virus software is an outright fraud. The companies can't fix bugs in the code (on proprietary platforms) and at best there is a slight chance some malicious software might get picked up (the risk and costs vs reward though isn't worth it).

      Do you think you might be overstating the case a bit?

      It's not *that* bad. Believe it or not, most modern security technologies do indeed track behavior profiles and use reputation systems to catch lots of bad stuff that's never been seen before. If you take off your hate glasses for a moment, you might learn something.

      > I don't use MS Windows or Mac OS X or any proprietary software

      RMS, is that you?

    2. Re:All "security" tech is outright fraud by Anonymous Coward · · Score: 1

      Considering the big wigs in the anti-virus industry have repeatedly said anti-virus software doesn't work "any more" (I dare to say it never did, but none-the-less) I'll have to disagree. You can find multiple sources and people within the industry saying this. With a quick Google Symantec's senior vice president for information security said at least this much and he wasn't referring to just his companies software, but rather, the approach. He was originally quoted in the Wallstreet Journal here: http://www.wsj.com/news/articles/SB10001424052702303417104579542140235850578

      And what are you five? Name-calling and labelling doesn't exactly strengthen your argument (or I should say lack of argument).

      * I know I'm supposed to just ignore trolls but err...

    3. Re:All "security" tech is outright fraud by Anonymous Coward · · Score: 3, Insightful

      Having worked in a Fortune-10 (still, I think) company as a sysadmin for a chunk of their IT systems, I saw *tons* of security holes - I had a list of at least 20 things I wanted to make sure got fixed when we migrated to newer hardware(or VMs)/software, just because launching a project to fix them would have been prohibitive - why not do it all with the 'upcoming upgrade/migration' right? Nope, was taken entirely out of my hands and not only were the existing security issues that I already knew about not fixed, but dozens of "new" ones (most of which we'd already fixed in the current setup) were put *back in*. Then as various systems got security scanned, we were running around fixing *all the old bugs again*, on top of fixing a few of the easier ones I knew about with it (one's that weren't architecturally a bitch to fix once you've done it wrong in the first place).

      But hey, they've got firewalls and such right? Well... except for those pesky 300,000 internal employees that don't have to go through them...

    4. Re:All "security" tech is outright fraud by gweihir · · Score: 3, Interesting

      Security tech is not what creates security. The competent use of security tech can help to create security, and as such not all of it (but unfortunately a lot) is fraud. The basic problem is that most enterprises still try to do IT security on the cheap or by locking everything down tightly. The first approach fails for obvious reasons, and the second one fails because it prevents people from getting work done. In both approaches, "magic" boxes, techniques, policies, etc. play a key role, as the IT security people in most enterprises are incompetent and incapable of actually understanding the threats and risks. This is an invitation to a lot of more or less unscrupulous vendors to sell these "magic" things.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:All "security" tech is outright fraud by Gordo_1 · · Score: 1

      Yes, I recall that quote. He was trying to make a big statement in front of the media and ended up leaving the company shortly after that. What I imagine he was trying to say is that signature-based AV is dead in terms of efficacy against quick moving threats. I wouldn't necessarily disagree, but even lowly Symantec has multiple layers of protection and I don't think they're all "dead" so to speak:
      https://www.symantec.com/page....

    6. Re:All "security" tech is outright fraud by Gaxx · · Score: 2

      You can carefully select software, be prudent about what you run and how it is configured and that goes a very long way towards affording you security. However, the issue remains as to how you best go about mitigating for the bugs that remain in even well-selected software.

      Presuming that you are running a relatively complex system (and most of us do) then there is no hope you can have audited out all of the bugs that might be in the code. Using security software isn't a matter of being sure you stop everything (you can't be), it's about minimizing your risk with as little negative impact as you can.

      Is a firewall sensible and practical? In almost every practical situation I've encountered the answer is yes.

      Mandatory access control (such as AppArmor) to limit the capabilities of each program? Probably wise as it limits the scope of exploited bugs and once configured the negative impact is low.

      Realtime heuristic scanning of executables and in-memory objects? Possibly - depends a bit on how paranoid you are.

      Regular scans to determine if anything has changed on the system that shouldn't have? Probably sensible as the impact on you is low.

      Virus-scanning isn't the be-all and end-all of security software. To take security seriously you need to take user education, software selection, auditing etc all into account but you can't ignore security software as if it does you no good at all. You can't treat it as a panacea and expect to install a produce (or set of products) and to declare yourself as safe but neither can your reject it wholesale. Security software is part of a rational approach to software just as seatbelt is part of a rational approach to keep you safe in a car. It doesn't solve the underlying problem but it sure as hell mitigates some of the risk.

      --
      -- Gaxx
    7. Re:All "security" tech is outright fraud by Anonymous Coward · · Score: 1

      I see you are not responsible for security at any organization, nor were you trained in security. If you were, you'd know that it's a combination of policies, standards, processes, guidance, training, monitoring, auditing, compensating controls, gaps, risks, securely written code, and investigations. Narrowing all that down to just one part of one aspect belies your naivety.

    8. Re:All "security" tech is outright fraud by squiggleslash · · Score: 1

      I think you've just illustrated why it is, in some ways, a "product" - you've latched onto one possible hole (bugs) rather than seeing the whole picture (security models, personal interaction, etc.)

      Bugs are a problem, but a well written bug free system with a poor security model is always going to be an issue. Java has bugs. The Commodore Amiga operating system had (by the time it matured) relatively few but it did have a security model (that it relied upon) that was overly permissive. Given the choice between basing my new secure system on Java, or running it a code audited AmigaOS based appliance, I'd pick the former in a heartbeat (no offense).

      And we haven't addressed yet the notion that user requirements also need to be lead to secure outcomes.

      --
      You are not alone. This is not normal. None of this is normal.
  5. Re:solutions by Shadow+of+Eternity · · Score: 1

    Jesus christ Ed grew up to be a Computer Scientist...

    --
    A bullet may have your name on it but splash damage is addressed "To whom it may concern."
  6. Hmmm by Tablizer · · Score: 5, Funny

    the bad guys understand how our systems work; so must we.

    Excellent, I need help with a stubborn glitch we are having. How do I contact them?

    --
    Table-ized A.I.
    1. Re: Hmmm by desdinova+216 · · Score: 1

      be careful you might summon him, or worse APK

  7. Unibrow [Re:solutions] by Tablizer · · Score: 1

    So that's what he means by "integrated solution".

    --
    Table-ized A.I.
  8. this leads to losing control over our computers by Anonymous Coward · · Score: 1

    Joe Sixpack is incapable of using an unrestricted computer securely, which leads to inevitable calls to "do something". The something is to remove control of computers from their owners, because that's the only way to event begin to improve Joe Sixpack's safety - by not letting him fuck with the damned thing beyond logging onto his facebook and play some Candy Crush.

    Welcome to Computing 2.0, where everything is centrally controlled for your own good.

    1. Re:this leads to losing control over our computers by Antique+Geekmeister · · Score: 1

      Close it, no. But have you carefully examined "Trusted Computing". The idea is to enforce key based hardware authentication and data access in the boot loader that loads the operating system, the kernel itself, the applications, the system files, and in attached media. It's presented as a security stack, but the implementation is aimed at DRM at every level of the software stack. And the private keys are held in escrow, mostly by Microsoft, with retains the root keys to sign new keys or to revoke old others, so the system can be used to allow "authorized" access for others or to revoke your own access to your own data.

      The system is quite dangerous if you fear that the central escrow holding user's private keys will be handed over to abusive governments, or revoked to block access to personal data. I'm afraid I've seen no technical or political reason yet to assume that it will _not_ be abused.

  9. Been saying this for years. by Chas · · Score: 1

    "Security" isn't a product.

    It's a process, aided by tools.

    Unfortunately, the "security industry" is also abetted by "tools" too.

    --


    Chas - The one, the only.
    THANK GOD!!!
  10. Article runs in circles by bytesex · · Score: 2

    No, we certainly are not all targets of nation states. But there are more potential targets of nation states than that currently actually have proper IT security measures in place. I'm talking about you, waterworks / electricalworks / etc. To say you can 'predict' an attack is to say that you can 'predict' Putin's next move. You can only anticipate statistically. And how do you do that? By using security products to fill in a security plan.

    --
    Religion is what happens when nature strikes and groupthink goes wrong.
  11. I have a security solution by penguinoid · · Score: 1

    Install my security software at http://nsa.gov/download/backdoor.exe it is guaranteed to reduce hacking attempts on your systems by 99%.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  12. Not an arms race, a race to zero! by Anonymous Coward · · Score: 1

    It is not an arms race, its a race to zero. Bad actors exploit weaknesses in network facing code. There might be 10 weaknesses (known or unknown), then 9, then 8 then 7... once the vendor gets to 0 then its fixed.

    It's not that bad actors can then get a bigger weapon to attack. All they can ever do is find previously unknown weaknesses until no more exist.

    Any grafted on product for security is just a patch over a hole, the underlying weakness is still there with software stuck over it. Worse, they add modes-of-failure all of their very own, add false positives that in turn add failures which in turn do damage like an attacking agent.

    Not so much 'hollistic' as 'homeopathic'. The fix for security is the same as the fix for all bugs.

    1. Re:Not an arms race, a race to zero! by TechyImmigrant · · Score: 2

      The fix for security is the same as the fix for all bugs.

      The fix for security is architectural simplicity, good cryptography and formally analyzable behaviors.

      That's why TLS and X.509 must die.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    2. Re:Not an arms race, a race to zero! by dreamchaser · · Score: 1

      Fixing all of the bugs in the world won't stop methods like social engineering. That is why I also included user training. Sure it'll never be 100% because people are flawed and often stupid, but it's an important part of the equation.

  13. An entrenched mindset by Dega704 · · Score: 2

    So many users (and a lot of IT departments, unfortunately) viewed their anti-virus products as a magic forcefield to protect them from threats. That's how they were marketed always will be. It's not just security vendors; salespeople from any vendor will tell you that it dishes out soft-serve ice cream if that's what it takes to get you to buy it. What amazes me is how so many companies still buy into it and turn to new security products looking for that same non-existent magic force-field. I had hoped the mindset would get better in the current threat landscape, but I'm not so sure it is. I still hear customers asking "Why didn't product X protect me?" in situations where they should have already known full well that it wouldn't do jack sh*t against the particular threat that was encountered, and they didn't have other crucial pieces of the security puzzle in place. (Social engineering, anyone?).

    1. Re:An entrenched mindset by Akaihiryuu · · Score: 1

      Some antivirus utilities are better than others, but even the best of the best are only around 60% effective at detecting threats. That said, in a corporate environment having one of the better ones is a good idea and certainly better than nothing. But I've noticed a lot of companies buying TERRIBLE antivirus "solutions" that not only never detect anything, but are horribly expensive. CA Etrust and Trend Micro OfficeScan are the worst I've seen in this category (ie, in the 7 years I've worked for companies that use one of those 2, I've never once seen either one successfully detect or remove anything). Actually I take that back, I DID see Etrust flag *itself* as a virus once and remove itself. That was rather amusing. On another note, I was on a gaming forum (where you'd think people would be a little bit more tech savvy than the average person), and someone was arguing on the tech support forums, saying they couldn't possibly have a virus because "they pay for virus protection".

  14. Re:first? by davester666 · · Score: 1

    no. that ship sailed a long time ago.

    you're just a dupe.

    --
    Sleep your way to a whiter smile...date a dentist!
  15. failed industry by Tom · · Score: 4, Interesting

    I've exited the security industry after 15 years, no longer believing that it does any good. And TFA is pretty spot on.

    The issue is that security is both wide and deep. You need to cover all your weak spots, and you need to cover them completely. As an industry, we have succeeded in finding technical solutions to almost every challenge, but we've failed in creating a systematic approach to the field. Look at the "best practice" documents - they are outdated and mostly a circle-jerk. I did a quick study some months ago checking the top 100 or so for what the academic or scientific or just substantiated-through-sources basis is, and the result is pretty much: None at all.
    Even the different standards, including the ISO documents, are collections of topics, not systematic wholes. It's like high school physics: This month you get taught optics, next month Newton mechanics, the third month electromagnetism. The only thing they have in common is the class room.

    Nowhere is it more visible than our treatment of the user. It's clear that most security professionals treat users as disturbances, as elements outside their field of security. I imagine what roads would look like if their planners would look at accidents and say "cars are a threat to our road system. They clog it up and very often they crash into each other and cause serious issues to traffic. We need to protect the road system against cars. Can we automate roads so they work without cars as much as possible?"

    We need a much more systematic, holistic view on the whole field than we have right now. In a pre-scientific field, snake oil is the norm. It was the same in medicine (where the term originates), in chemistry (alchemy), in psychology (astrologie, numerology, one hundred other primitive attempts at understanding and predicting human behaviour) and virtually every other field, even many non-scientific areas, such as religion/magic.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:failed industry by danaris · · Score: 1

      Try this, "drivers are a threat to our road system." They clog it up and very often they crash into each other and cause serious issues to traffic. We need to protect the road system against *drivers*. Can we automate *cars* so they work without *drivers* as much as possible?"

      Lo and behold, Google and any number of other entities are working on this very problem.

      Except that that's not a valid analogy.

      Automobile-based transportation systems (consisting of road, car, and car occupants) will, indeed, work just fine once we have made the cars run without drivers.

      But if you remove the user from the equation of computer security, suddenly all you have is a bunch of perfectly secure computers that no longer have any purpose to their existence.

      The reason we have computers is so that people can use them to perform a variety of tasks. It is fundamentally impossible to remove the user from the equation while still achieving the desired result—unless you have become so skewed with tunnel vision as to believe that the desired result is a perfectly secure computer.

      The result we should all be aiming for is a computer that can perform the tasks required of it by its users without them running the risk of compromising security through their activities.

      Dan Aris

      --
      Fun. Free. Online. RPG. BattleMaster.
    2. Re:failed industry by Tom · · Score: 1

      That is exactly what I mean. I would even go one step further at the end: Without the risk of the computer compromising the user. Because the computer in itself is worth its scrap metal value and that's it. Everything of actual value is in the user - the data, the communication, the access to 3rd party networks and services. Not that one particular user in front of the machine, maybe, but a user.

      --
      Assorted stuff I do sometimes: Lemuria.org
  16. Neither must we by GroeFaZ · · Score: 1

    Our enemies are innovative and resourceful, and so are we. They never stop thinking about new ways to harm our country and our people, and neither do we.

    --
    The grass is always greener on the other side of the light cone.
  17. Not Nation-States by Jason+Levine · · Score: 1

    For most companies, there are two main threats:

    1) Script Kiddies who are running programs against your network looking for security holes. If your network is secured enough, these attackers will just move on to the next target.

    2) Internal Employees who are either disgruntled, looking for "side income", or just careless/clueless These are the people who, with access to your HR database, download a list of your employees and their SSNs to sell for cash. They also are the people who know they are going to be fired and so sabotage systems. Finally, these are the people who open NEKKID_PHOTOS_OF_CELEBRITIES.ZIP.exe in their e-mail, who give out their passwords when "IT" calls them out of the blue from a non-company number, or who take their laptop (connected to the company's network) home but leave it in the car visible to all so it gets stolen.

    In the case of internal employees, you can lock down access so they only have access to systems they need for their job and educate your users as much as possible about security threats and how to react. If an employee is a chronic security threat, you can take corrective action. Of course, this becomes difficult when said employee is also a company executive. (e.g. The CFO insists on connecting his virus-laden personal laptop to the network and has enough political pull to fire anyone who tells him that's not company policy.)

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    1. Re:Not Nation-States by golgotha007 · · Score: 1

      I would add one more threat: a sophisticated, targeted attack. While very rare, these threat actors represent a serious risk. It's important to note that smaller, less known companies are typically not at risk

    2. Re:Not Nation-States by Jason+Levine · · Score: 1

      Right, but as these are rarer, I didn't list them as a "main threat." A random company has more to fear from a roaming script kiddie or disgruntled employee than being targeted by a highly sophisticated hacker. Of course, if the company is a big name organization (Microsoft, Sony, etc), they are bigger targets and this possibility get much more likely.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  18. Honestly? by DougOtto · · Score: 1

    I couldn't get past his unibrow. Jesus man! Don't you have a mirror?

    --
    Solving Unix problems since 1989...
  19. I blame upper management by msobkow · · Score: 2

    Upper management at most companies view IT as a set of tasks or items you can check off as "done", requiring no further investment or maintenance. I blame them for the sorry state of affairs that allows these "security" companies to advertise and sell "in a box" products that are supposed to "take care of your security."

    If upper management would realize that things like security and infrastructure are things that need constant maintenance, enhancement, and upgrades, we wouldn't be in this pickle. Nor would we be stuck with applications that are running on three-major-revision-old vendor products, subject to a whole raft of security issues that could be addressed by upgrading them.

    --
    I do not fail; I succeed at finding out what does not work.
  20. Re:solutions by gmhowell · · Score: 1

    If you can't find a picture of me online with 30 seconds on the googles, you need to stop eating the paintchips.

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
  21. secure platforms were attempted; market rejected by Kishin · · Score: 1

    Companies did that repeatedly. The Burroughs B5000 (1961) had bounds checks, pointer protection, and code/data separation. The System/38 and Intel 432 were capability secure from hardware up. There were type-safe platforms for high level languages such as LISP or Java. There were (are) highly secure systems designed under Orange Book B2/B3/A1 or Common Criteria EAL5-7. What do these have in common? People ignored them to buy PC's, DOS, Windows, UNIX, and so on. Intel and Siemens lost around a billion dollars building secure, maintainable stuff for the market. So, with the market trading away security for everything else, why should anyone spend several hundred million building a whole stack? That's why they peddle Win/UNIX/Lin-compatible bullshit instead of stuff that's secure, which has to be clean slate.

    Nick P, High Assurance Security Engineer/Researcher