Wednesday 14 April 2010

Don't Listen to IT Security Professionals

There, that title got your attention, in the same way the title of this interesting article manages it. It turns out that certain IT security professionals are not using anti-malware/anti-virus protection on their machines. I think the pros in the article are talking about desktop machines, not a server environment. One quote in particular is interesting and amusing:

"I've never used AV software and I've never once been infected with a virus."

My first reaction to that is: if you don't have detection capability, how do you know? Flippancy aside, there are some important things about this topic, some mentioned in the article and some not. It's no secret that the current technologies for detecting malware and viruses have been getting worse at their job. We're no longer in the days when vendors could claim 99.999% detection rates, simply because the signature-based approach has been outmanoeuvred by the polymorphic nature of the malware out there: every re-encoded copy of a sample is a new byte pattern, so a signature written for yesterday's copy misses today's. Among the problems with signatures are that they take human intervention to create, that every new variant needs a new entry, and that the resulting databases grow massive and drag down endpoint performance; all of this is well documented. So, against the latest and greatest threats, don't rely on detection alone; stick to best practices.

When it comes to the 'typical user' (an entirely different topic, and an interesting concept worth looking into further; more on this later), the security pros in the article are right: keep your AV. However, I would say the same is true for them as for the regular user. How do you know you're not infected unless you've been checked? The need for this software is there, as a baseline, and it should be used as part of a holistic strategy.

The weaknesses in the technology can be addressed in a number of ways. There's a shift going on in the manner in which we provision for security: best practice, architecture, and so on. That's the holistic part. On the detection side, there are some new and interesting technologies around that look at behaviours, at what a sample does when it runs rather than what its bytes look like, and so cut out the need for the old signature approach.
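To make the two points above concrete (a byte signature is defeated by re-encoding the same body, while looking at what the sample does still catches it), here is a small Python illustration. It is example code added for this edit, not code from the article or from any AV product. The "malware body", the one-byte XOR packer with its two-byte stub, the marker byte 0xEB and the "emulator" that runs that stub are all constructed, harmless stand-ins chosen for the demonstration; real packers vary the decoder stub as well as the key, which only strengthens the point.

```python
import hashlib

# Constructed, harmless stand-in for a malicious body; nothing in it runs.
PAYLOAD = b"EVIL:delete_all_files;phone_home=203.0.113.5"
# The byte pattern a signature database would key on (constructed for the demo).
SIGNATURES = [b"phone_home="]
# Constructed marker byte that our toy packer puts in front of the key.
STUB_MARKER = 0xEB


def signature_scan(sample: bytes, sigs=SIGNATURES) -> bool:
    """Classic static detection: does any known byte pattern occur in the file?"""
    return any(sig in sample for sig in sigs)


def polymorph(payload: bytes, key: int) -> bytes:
    """Toy polymorphic packer: XOR the body with a one-byte key and prepend a
    two-byte 'stub' (marker, key). A non-zero key changes every byte of the body,
    so no substring of the plaintext survives on disk."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    return bytes([STUB_MARKER, key]) + bytes(b ^ key for b in payload)


def emulate(sample: bytes) -> bytes:
    """Behavioural stand-in: 'run' the decoder the sample carries and return what
    it would hand to the CPU. Samples without our stub are returned unchanged."""
    if len(sample) < 2 or sample[0] != STUB_MARKER:
        return sample
    key = sample[1]
    return bytes(b ^ key for b in sample[2:])


def behaviour_scan(sample: bytes, sigs=SIGNATURES) -> bool:
    """Scan what the sample does (its decoded body), not how it looks on disk."""
    return signature_scan(emulate(sample), sigs)


def compare(max_key: int = 255) -> dict:
    """Generate one variant per key and count what each approach catches, plus
    how many distinct file hashes a hash-based signature list would need."""
    variants = [polymorph(PAYLOAD, k) for k in range(1, max_key + 1)]
    return {
        "variants": len(variants),
        "caught_by_signature": sum(signature_scan(v) for v in variants),
        "caught_by_behaviour": sum(behaviour_scan(v) for v in variants),
        "distinct_hashes": len({hashlib.sha256(v).digest() for v in variants}),
    }


if __name__ == "__main__":
    print(compare())
```

Running it shows 255 variants, none caught by the static signature, all 255 caught once the decoder is run, and 255 distinct hashes: exactly the "one database entry per variant, added by a human after the fact" treadmill described above. Note that a single-byte XOR does not change the byte-frequency distribution, so an entropy heuristic would not help here either; the behavioural check works because it looks at the unpacked result.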

So, don't listen to IT security pros, as they very often don't practice what they preach.

3 comments:

  1. > We're no longer in the days where vendors
    > can claim 99.999% detection rates

    Incorrect, I think you'll find that vendors still claim whatever takes their fancy.

    The truth is that 99.999% detection rate only ever referred to: "detecting 99.999% of specific instances of the specific known strains of known virii that their AV engine currently detects". *archeyebrows*

    So, put not your faith in AV.

    There are even concept viral engines using re-obfuscation schemas for which no workable AV solution has been proposed in over a decade. Detection is possible but the analysis is prohibitively time consuming.

    Back to the point though

    I too haven't run an AV since the late 90s up until Vista, yet I'd be happy to send an unpatched dusty old IE6 on an XP box deep into pornland looking for cracks and serials, hitting every single link, and getting back unscathed. In fact, I can virtually guarantee it. This box goes to CTFs all the time and is unbroken despite the deliberate vectors. I'd even let you run any existing dropper of your choice from the desktop as admin.

    You don't go to a con or sit on an open CTF LAN segment with AV for protection. That's like taking an inflatable banana to a knife fight.

    > if you don't have detection capability,
    > how do you know?

    Who says he doesn't have any detection capability? Your statement seems to indicate that you are entirely reliant upon AV for detection, which is unfortunate since they have sucked since forever. Can we all try saying 'parameterised exepacking'? Try saying it, because in the mid 80's even 14 year olds could : )

    But, in defence of the SC you quote, I am still significantly better protected than if using an AV; my protection is NOT a numbers game, nor does it rely on known threats, and I DO have near perfect assurance. I don't guard myself against exposure and I've never been infected without doing so quite deliberately.

    It just isn't viable as a mass market solution (security through obscurity works)


    If you want 'real' tight...

    I actually have a modified 486DX I designed based on an earlier mod for a 386 opencore. It exists on a Xilinx FPGA which currently sits in an old motherboard where it masquerades as the original chip.

    It is mathematically demonstrable that, even given a vector, and the full nature of the protection in place, you could not inject any code into it with a greater than 1 in 524288 chance per code byte and 1 in 1.4x10^17 for any three byte sequence. Yet it hardly affects speed of the processor at all.

    Security CAN be black and white!

    The reason we don't HAVE security is that it really isn't in anyone's interest to solve the problems when people will pay subscriptions to manage the threat.

    Welcome to ITSec, IT's trillion dollar baby.


    -VXiT

  2. This comment has been removed by the author.

  3. I can agree with you on the zillion dollar industry and the fact that there are a few companies that have some vested interests. However, I would say that the state of the industry today is based on a complex set of factors.

    One of which can be boiled down to what McGraw rather eloquently says in his book Software Security: Building Security In. Security is a subset of reliability. As lines of code increase, the quality and reliability of the code do not necessarily follow. In addition, the code base is not the only problem we face; there are architectural design flaws and so on.

    We're stuck with a legacy problem that is only now being dealt with (e.g. SDL) and even then it has taken some time due to the fact that *some* organisations realise that they can save money by testing as they go along instead of paying megabucks for post-design/build pen testing.
