December 22, 2007

Another point of view on IT security

I'll start this post with a strong statement: security as we know it today is 90% smoke and 5% useless crap.

Antiviruses: useless. Intrusion detection systems: useless. Encryption: useless. Firewalls: useless.

Since most of the more security-savvy people are now wondering if I've gone nuts, I'm just asking you all to follow me. This will be the first article of a short cycle of posts in which I will go through all the standard security "stuff" we all know about, and - hopefully - I'll show how it's time to rethink almost everything.

Let's start with an old friend, and the easy pick: the antivirus.

The antivirus is one of the oldest security measures: its usefulness has been discussed many a time, but no organization in its right mind would ever get rid of it.
What I think is that in a well-managed organization there should be no need for an antivirus.

Enumerating, from a high-level perspective, the main vectors by which a virus gets in - and with this term I'm encompassing more than just viruses: I'm including trojans, general malware, spyware and so on - we have:

  • Executing a file infected by a known virus. So, your users can execute any file on their machines, having the power to wreak havoc on the whole network? And how did the file get there? Uncontrolled internet usage, or maybe a floppy disk?

  • Executing a file infected by an unknown virus. Idem.

  • An unknown or known virus executing itself using some known exploit. So you're using vulnerable and unpatched software? Reminds me of good old Godsend.

  • An unknown or known virus executing itself using an unknown exploit.

While one can argue that heuristics are working better and better, the hard fact is that the virus - or the trojan or whatever - has to be known, and the antivirus signature file has to be up to date. So, I think we all agree that there is nothing an antivirus can do against new viruses. Actually, there's nothing an antivirus can do about arbitrary software, since it obviously can't know the semantics of the software: in the DOS age we had format.bat files, and no antivirus could stop that. I don't see any progress since then.

Organizations spend a huge amount of money to keep corporate antiviruses up to date: a cost analysis can easily show how just one virus spreading in the enterprise network and bringing the business down for 12 hours (not to mention potential data loss!) is enough to justify the expense. And after all, the managers are using antiviruses at home too, so it's something they can grasp, something they are comfortable with.

What these analyses never include is an alternative which actually works. No matter what, you are not going to be protected against a new virus, and you have the same chance (nowadays I'd say it's MORE LIKELY, but that's just my opinion) of being attacked by a new one as by old malware. So you're spending money hoping that a new WhateVerEvil.M12 won't hit your network before it hits the others, so you have the time to update your signatures.

I feel this is not a good idea.
Of the attack vectors I've listed before, only one - auto-execution via a 0-day exploit - cannot be prevented.
If the machines - all of them - are patched up, the virus won't be able to execute itself using an exploit.
If you are in control of your infrastructure, users won't be able to execute software - they just won't need to do so - or they will be able to do so in sandboxes and in a responsible manner (training, anyone?).
And the list goes on and on.
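To make the contrast concrete, here is an added example (not code from the original post) that models the two philosophies side by side: the antivirus model, which denies only what matches a signature of known-bad content, and the "control of your infrastructure" model, which permits only what an administrator has explicitly approved. The three byte strings are constructed stand-ins for executable files, and the hash sets are assumptions standing in for a real signature database and a real application allowlist.

```python
import hashlib

# Constructed stand-ins for executable files; real binaries would be read from disk.
KNOWN_MALWARE = b"MZ\x90\x00 constructed sample: already in the signature database"
NEW_MALWARE = b"MZ\x90\x00 constructed sample: never seen by any vendor"
APPROVED_TOOL = b"MZ\x90\x00 constructed sample: tool deployed by the IT department"


def fingerprint(data: bytes) -> str:
    """SHA-256 of the file contents; both models key on this."""
    return hashlib.sha256(data).hexdigest()


# Antivirus model (assumed): a blocklist of fingerprints of known-bad files.
SIGNATURE_DB = {fingerprint(KNOWN_MALWARE)}

# Control model (assumed): an allowlist of fingerprints of approved files.
ALLOWLIST = {fingerprint(APPROVED_TOOL)}


def antivirus_decision(data: bytes) -> str:
    """Default-allow: execution is denied only if the file matches a signature."""
    return "deny" if fingerprint(data) in SIGNATURE_DB else "allow"


def allowlist_decision(data: bytes) -> str:
    """Default-deny: execution is allowed only if the file is on the allowlist."""
    return "allow" if fingerprint(data) in ALLOWLIST else "deny"


def compare(samples: dict) -> dict:
    """Run every sample through both models; returns name -> (antivirus, allowlist)."""
    return {
        name: (antivirus_decision(data), allowlist_decision(data))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    results = compare({
        "known malware": KNOWN_MALWARE,
        "new malware": NEW_MALWARE,
        "approved tool": APPROVED_TOOL,
    })
    for name, (av, allow) in results.items():
        print(f"{name:14s}  antivirus={av:5s}  allowlist={allow}")
```

The new sample is the interesting row: the signature model has nothing to match and lets it run, while the allowlist denies it without ever having heard of it. The allowlist does nothing about the remaining vector from the post, an approved-but-vulnerable program being exploited, which is why the patching argument above still stands alongside it.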

That's it, antiviruses are not part of the solution anymore, so they most likely are part of the precipitate.