How Security Companies Peddle Snake Oil
penciling_in writes: There are no silver bullets in Internet security, warns Paul Vixie in a co-authored piece along with Cyber Security Specialist Frode Hommedal: "Just as 'data' is being sold as 'intelligence', a lot of security technologies are being sold as 'security solutions' rather than what they really are: very narrow-focused appliances that, as a best case, can be part of your broader security effort." We have to stop playing "cops and robbers" and pretending that all of us are potential targets of nation-states, or pretending that any of our security vendors are like NORAD, warn the authors.
Vixie adds, "We in the Internet security business look for current attacks and learn from those how to detect and prevent those attacks and maybe how to predict, detect, and prevent what's coming next. But rest assured that there is no end game — we put one bad guy in prison for every hundred or so new bad guys who come into the field each month. There is no device or method, however powerful, which will offer a salient defense for more than a short time. The bad guys endlessly adapt; so must we. Importantly, the bad guys understand how our systems work; so must we."
"pretending that all of us are potential targets of nation-states,"
umm... we ARE all targets of nation-states; no pretending required.
maybe he meant 'priority targets' or some such...
Security isn't a product. It's really that simple. Security comes from properly implemented instruction in code, i.e. code that isn't riddled with bugs. Unless you're selling me a service which audits the software's source code I use and/or configurations (for example Apache's configuration, SSL enabled, up-to-date, good configuration for Drupal, etc.) I'm not convinced that there is any value in your security product. You're not going to be safer unless the software you're using isn't riddled with bugs and poor default settings and/or configuration.
I have to admit that I would pay for a subscription to an auditing service for GNU/Linux. I wouldn't pay for an anti-virus solution as anti-virus software is an outright fraud. The companies can't fix bugs in the code (on proprietary platforms) and at best there is a slight chance some malicious software might get picked up (the risk and costs vs. reward though isn't worth it). It won't stop new malware from exploiting old un-patched bugs and most malicious software in the wild will get through. 99.8% detection isn't going to do shit when 98.8% of malicious software isn't actually spreading and/or has been patched years ago.
Yeah, I don't use MS Windows or Mac OS X or any proprietary software (well, except, unfortunately, a proprietary BIOS, and possibly other low-level microcode, but drivers/firmware for individual components are mostly free in my systems, i.e. ThinkPenguin.com).
Excellent, I need help with a stubborn glitch we are having. How do I contact them?
Table-ized A.I.
It all comes down to proper design and the ability to say "NO".
Security cannot be retro-fitted to a badly designed system.
The person who can demand that you support X in Y configuration NO MATTER WHAT is the person who controls your security. No matter what his/her knowledge level is.
Next, understand that you will (eventually) be cracked. Someone somewhere will make some mistake just long enough. MONITOR for that. KNOW what the regular traffic on your network looks like. PLAN for what you are going to do WHEN that happens.
I've exited the security industry after 15 years, no longer believing that it does any good. And TFA is pretty spot on.
The issue is that security is both wide and deep. You need to cover all your weak spots, and you need to cover them completely. As an industry, we have succeeded in finding technical solutions to almost every challenge, but we've failed in creating a systematic approach to the field. Look at the "best practice" documents - they are outdated and mostly a circle-jerk. I did a quick study some months ago checking the top 100 or so for what the academic or scientific or just substantiated-through-sources basis is, and the result is pretty much: None at all.
Even the different standards, including the ISO documents, are collections of topics, not systematic wholes. It's like high school physics: This month you get taught optics, next month Newtonian mechanics, the third month electromagnetism. The only thing they have in common is the classroom.
Nowhere is it more visible than our treatment of the user. It's clear that most security professionals treat users as disturbances, as elements outside their field of security. I imagine what roads would look like if their planners would look at accidents and say "cars are a threat to our road system. They clog it up and very often they crash into each other and cause serious issues to traffic. We need to protect the road system against cars. Can we automate roads so they work without cars as much as possible?"
We need a much more systematic, holistic view on the whole field than we have right now. In a pre-scientific field, snake oil is the norm. It was the same in medicine (where the term originates), in chemistry (alchemy), in psychology (astrology, numerology, one hundred other primitive attempts at understanding and predicting human behaviour) and virtually every other field, even many non-scientific areas, such as religion/magic.
Assorted stuff I do sometimes: Lemuria.org