With Guest Author and Co-Instructor: Anthony Valente, CEO of Network Defense Solutions
I think I’m on either a debunking roll, or just outright rage against the machine! Either way, I’ve about had it with these big corporations spoon-feeding you a line of crap.
I’m taking the gloves off.
The name of this post is actually the name of an InfoWorld Article published yesterday. But don’t bother clicking the link, I’m going to provide you with the 7 points and quotes as I go through each one.
1. Antivirus certification omissions. The dirtiest secret in the industry is that, while antivirus tools detect replicating malicious code like worms, they do not identify malcode such as nonreplicating Trojans. So, even though Trojans have been around since the beginning of malicious code, there is no accountability in antivirus certification tests. Today Trojans and other forms of nonreplicating malcode constitute 80% or more of the threats businesses are likely to face. Antivirus accountability metrics are simply no longer reflective of the true state of threat.
First of all, it is totally not true that antivirus programs do not catch non-replicating Trojans. I have had my TrendMicro, Norton, and other AV tools I’ve tested catch my test Trojans. Now, that may be through their heuristic capabilities, but it still does catch them!
I have no clue where this guy got his information, but I’d like to see what the AV vendors have to say about this one! To me, this is nothing more than fear-mongering.
Granted, there are a ton of things wrong with AV vendors and their products, but this claim is totally misleading.
Anthony’s Note: Don’t forget that you also have packers and downloaders that many anti-virus applications / vendors don’t detect. I can prove this because Norton doesn’t detect the downloaders, and if my LPM attaches to a machine it can cripple Norton in record time. Norton is useless. NOD, on the other hand, can. I also have a few techniques which help with the assurance that a Trojan not be caught by an AV application.
2. There is no perimeter. If you still believe in the perimeter, you may as well believe in Santa Claus. That isn’t to say there is no perimeter. But we need to define what the perimeter is. The endpoint is the perimeter, the user is the perimeter. It’s more likely that the business process is the perimeter, or the information itself is the perimeter too. If you design your security controls with no base assumption of a perimeter, when you have one you are more secure. The mistake we tend to make is, if we put the controls at the perimeter, then we will be fine. For many threats, we couldn’t be more wrong.
Does anyone else see the contradiction here? First he says there is no perimeter and if you believe in one you may as well believe in Santa Claus. Then he says that isn’t to say there is no perimeter. Dude! Make up your mind! Enough said?
Anthony’s Note: Regardless of a perimeter defense and whether its existence is valid or invalid, security cannot be just thrown at a borderline defense solution and forgotten. People forget about middleware and security on the servers themselves. Just saying “we will filter conditions here” doesn’t necessitate security. The point is to layer, each layer tightening its vices on security. If you have packets pass a borderline defense, and it’s up to middleware, it’s already too late to be worrying about security. There it’s not a worry that you’re insecure; it becomes a certainty.
3. Risk management threatens vendors. Risk management really helps an organization understand its business and its highest level of risk. However, your priorities don’t always map to what the vendors are selling. Vendors focus on individual issues so you will continue to buy their individual products. If you don’t have a clear picture of your risk priorities, vendors are more than happy to set them for you. Trusted security partners will provide options for assessing your risk posture and help you develop plans to make the most security impact for the least cost and complexity. Security needs to conform to and support your business priorities. Too often, vendors want your business to conform to their portfolio.
Does that go for you too Mr. principal security strategist for IBM Internet Security Systems? Whatcha selling?
I will agree that there are a lot of security vendors out there that will sell companies things they don’t need to make bucks on products they sell. But if everyone listened to me, we wouldn’t be having this discussion in the first place. *Yes, I know that was egotistical and outright rude. But like I said, I’m really fed up with all this misinformation going around. So indulge me!
But the problem is NOT with the vendors pal. It’s with the companies and the people who REFUSE to deal with the issue of security!
When our company ran our promo for our online security courses during our anniversary celebration, no one – not one person or company even inquired let alone purchased. In all of our discussions with folks on the issue of security, I heard excuse after excuse of why they didn’t want to take the time to learn about it.
They are too busy. They want someone else to worry about it for them.
And the usual question I get, “Is it really that bad?”
I’ve even given the courses away for free! Then I get a call from one of the people I offered the free course to, saying she got her third drive-by download! Has she taken the FREE course? NO! What does she do? Takes the computer to Best Buy and spends $100 to get it reset.
If the companies and individuals would educate themselves about the BASICS of what they need to know regarding their security, then vendors wouldn’t be able to pull the wool over their eyes or sell them crap they don’t need.
Is it any wonder that we’ve had the Monster.com and Heartland breaches this week? I can give you a list a mile long of websites like theirs and commercial vendors that have vulnerabilities found by our researchers. (Right Anthony?) But do they want to hear? NO. Do they hire us to report on what we’ve found? NO.
I’m telling you what, I can make more money selling what we know to the hackers than I can get any money out of corporate tightwads! And I’m really beginning to wonder why I have a conscience about it at all anymore. But I digress.
The article goes on with the list to say:
4. There is more to risk than weak software. The lion’s share of the security market is focused on software vulnerabilities. But software represents only one of the three ways to be compromised, the other two being weak configurations and people. The latter is the largest uncovered area of risk. This is malicious code that doesn’t leverage a vulnerability but rather leverages the person. For example, downloading a dancing skeleton for ‘a spooky good time’ (this was a trick employed by Storm), social engineering, spear phishing, etc. While we still need to find vulnerabilities and patch them, we must understand that an organization is only as strong as its weakest link. And more attention needs to be paid in mitigating the other two ways beyond software.
Okay, I agree wholeheartedly with this one. And what solves this problem? EDUCATION! The one no one is buying!
5. Compliance threatens security. Compliance in and of itself is not a bad thing. But, compliance in and of itself does not equal security. At the very least it’s a resource and budget conflict, and it splits our focus. Compliance is supposed to raise the minimum standard of security, but it just gets us to do what we are required to do and nothing else.
Agreed. And it depends upon what kind of compliance you’re speaking about sir. Is it the government imposed security compliance?
Let’s look at HIPAA, shall we? Our health data is supposed to be kept private. I’ll challenge any freaking government official to go stand in a line at any pharmacy (and Wal-Mart specifically, but they are not alone in this), and listen to the names being called out from the prescription counter. And I have to loudly verify my birth date and address. Privacy? Joke!
And don’t even get me started on the joke of PCI compliance in regards to credit cards.
Again, enough said.
6. Vendor blind spots allowed for Storm. Storm is being copied and improved. The Storm era of botnets is alive and well, nearly two years from when it first appeared. How is this possible? 1. Botnets thrive in the consumer world where there is little money for innovation, a fact Storm and its controllers know. They are making money off of everything from spam to pump-and-dump stock scams. 2. They eat antivirus for breakfast. A lot of the techniques and innovations used by Storm are not new; they are just being leveraged artfully against the blind spots of antivirus certifications and antivirus vendors. 3. Malcode does not need vulnerabilities. Most of the Storm recruitment drives have leveraged social engineering and play off of a holiday or sporting event.
EDUCATION, EDUCATION, EDUCATION
And again, the vendors don’t want to listen to folks like us. Our co-instructor was laughed at when he proposed that he had an exploit that would replace a well-known AV vendor’s ON button with a fake one that allowed his Trojan to operate in the background. They wouldn’t even listen!
Anthony’s Note: The attack works by writing API text to make “OFF” appear as “ON” and “ON” appear as “OFF,” confusing the consumers. However, this isn’t the only issue. It’s the fact that AV software sometimes doesn’t check to see if it’s visible when an attack is mitigated. Any application that knows the API handles can hide the window and throw up a screenshot of the desktop. Eliminate the anti-virus (with no checking by the AV apps – Norton was one of them!) and have the user completely blind for 3 seconds while they interact with a screen that is a picture.
And if we know this is possible and can prove it, what do you think the hackers and malcode writers are doing?
And finally the article concludes with:
7. Security has grown well past “do it yourself.” Technology without strategy is chaos. The security market is often far too focused on the latest hot box or technology. The sheer volume of security products and the rate of change has super-saturated most organizations and exceeded their ability to keep up. Organizations realize only a fraction of the capabilities of their existing investments. Furthermore, the cost of the product is often a fraction of the cost of ownership. There was a time when you could “do it yourself.” But the simple days of Virus meets Antivirus are long gone. Highly effective organizations are embracing professional and managed security services to extend and augment their in-house expertise. By focusing your in-house expertise on what you know best — your business — scale comes from teaming with third-party expertise. This will be increasingly necessary in these tough economic times.
My only guess on this one is that IBM is selling some kind of managed service for security.
Look, I started this company a very long time ago, when McAfee and Norton were the only major security vendors. I started teaching this stuff because McAfee let in a known virus that destroyed my entire business computer and database. This was before back-up capabilities! That’s when I learned how it happened, why it happened and how to prevent it, which led to my teaching it to help others avoid the problems I experienced.
Anthony, our co-instructor is a Certified Ethical Hacker and CEO of Network Defense Solutions, a company founded on the same principles of protecting others.
We aren’t huge corporations with shareholders to worry about. We are just trying to make a decent living doing what we do. But it’s really hard to keep plugging away at it when we read garbage like this – touted as truth, and laughed at when we confront big corporations with their lack of security.
But let us use what we know to hack the SOBs and prove it, and then we’re the bad guys! And when other bad guys figure it out and breach data or steal identities, oh well, it’s the cost of doing business.
Anthony’s Note: The problem with security is it’s taught with the views of “Avoid doing this yourself,” which in a way is reverse engineering for “g’head and do exactly the opposite!” And this can have a great division on the lines of such a topic. If corporate America and this greedy government of ours would take their egotistical heads out of their asses, they would see where security can be applied.
Showing home users the venues in such attacks and how easily they can be mitigated, leading up to what information can be divulged, is a starting point. In addition to which, corporate America has the motto that “WE WANT THE FLASHING CISCO ROUTER WITH THE FANCY FIREWALL AND THE NIDS TO PROTECT THE NETWORK AND THE HIDS ALONG WITH THE AIDS TO PROTECT IF A BREACH IS DETECTED.” But what really does happen? They see it, they feel it, THEY KNOW the risks; however, they’d rather fail to see them to put the extra few thousand back into their pockets in hopes of wooing over the secretary for one more night with a Louis Vuitton bag.
Demonstrating security risks and showing their impact to get people on the bandwagon is the best route. Telling someone not to touch the security stove is basically like saying “Shower with this gasoline and play with this match.” Even if the security landscape fell in price, remember one thing – you cannot escape the almighty dollar.
I think that Anthony is more jaded than I am and he’s a heck of a lot younger!
I guess my point is, read what you will, but do so with a discerning eye. The recent presidential election called out some of the networks on their bias to one candidate or the other; you have to look at technology articles the same way. Who posted the article? What’s in it for them? And is what you are reading true?
Something to think about.