4 Unreasonable Security Practices You're Probably Following

Source

SNIP

/SNIP

I agree with just about everything this guy says, especially the part about so-called "anti-virus" software, which is notoriously ineffective. If one uses AV software, one has a completely wrong mindset about security.

 

I think this chap is just grasping at straws in order to find a reason to include AV in his 4 unreasonable security practices, although his point on attack vectors is valid.

One 'unreasonable security practice' not given the attention it deserved was 'education' and/or 'common sense' - usage of these can be just as effective as any AV or firewall.

 

I can agree with most of the article. In spite of the enhacements, AVs are an idea that past its prime years ago. I gave up on AVs in 2006 and don't miss them. There's better ways than trying to identify an almost infinite quantity of undesired code. IMO, the only reasons AVs are still in security packages is financial. AV signatures are their cash cows. It's the vendors way to keep users paying on a regular basis by not offering solutions that can protect them proactively.

Never saw the sense to an intrusion detection system either. Like AVs, it's a reactive technology that does nothing until an intrusion takes place. Intrusion prevention always beats detection.

 

So what's the alternative to AV?

Some sort of supra-intelligent HIPS that is easy enough for your average joe (or josephine) to use?

User-friendliness for the normal punter is the key here.

At the moment, AV is more user friendly than HIPS is - well, IMO when looking from the perspective of a normal, non-tecchie user.

 

My preference would be not to use Windows. But since most enterprises have an expensive Windows addiction, I would say a good alternative to AV would be limited user accounts, AppLocker, memory space protections (such as DEP, NX, etc.), browser sandboxing, and frequent updates. These together are far and away more effective than using only AV. It's not even close.

Unfortunately Microsoft doesn't have a built in MAC or "HIPS" system (they do have a built-in MIC, but it's just there for brownie points since one cannot configure it). One must rely on expensive third party solutions. But, yes, I think MAC systems are excellent if the user knows how to configure them. I can't comment on any specific software here because my experience with MAC's comes solely from SELinux and other similar patches to the Linux kernel.

A user should know to set-up a user account first thing. Unfortunately Microsoft still doesn't make this clear even with Windows 7. In the enterprise an admin can force user account creation, use AppLocker to enforce his software policies, turn on DEP, and he can schedule frequent updates, etc. After all, I think this article was more aimed at enterprise admins.

Maybe. But even without HIPS, the setup I described in the first paragraph is infinitely more secure than the usual scenario of "surfing safe websites" and using AV.

 

*facepalms*

Have you used Windows 7?

 

The alternative to AV is using your computer wisely.
Mrk

 

Education / common sense

But still even then, there are folks who through no fault of their own, will always be at risk because their 'net savvy level is not up to the same level as their ability to build houses, tear part and put back together diesel engines or paint the most wonderful portraits (three things that I would not know the first thing about - you get my drift )

 

Unfortunately, the major number of users doesn't know these things, and that is why AV's will still be useful on next years...

We need to share the common sense with our family, friends, etc., and then, maybe, we can have a better use of our systems and less infected ones...

The main problem is that users doesn't take a "course" before use a computer, like we need to do when want to drive a car for example, and even this doesn't guarantee success as we know, but at least could improve a lot this situation...

 

I agree with the education bit ... unfortunately, some folks who need to use computers will never become even semi-literate with them. Back when I was working and the company's "wiz" (in DOS days), most of what we used I'd written myself in dBase. I figgered that way, if we changed our minds abut what we wanted from the computer we'd be ahead of the game as compared with buying off-the-shelf software for, e.g., inventory or accounting, or hiring someone to come in and write fresh stuff for us.

And I learned the hard way that 90-plus percent of programming work for an in-house system is setting up halfway decent error trapping. I could never convince my boss that when running dBase, Esc was a no-no that required a lot of time to clean up from. Finally I hit on the idea of requiring a login to get into dBase, and disabling the Esc key if he was the one logged in.

Wandered a little (maybe a lot) OT there, sorry, but my main point still stands, there will probably always be users who just can't be educated. And if they're top-level management, have fun.

 

IMO, the ideal setup would be to have the core of the OS protected by a default-deny policy and run all the user software in a sandbox. Unknowns would only be permitted in the sandboxed environment. It would probably require a savvy user to set up the base policy and sandbox environment, but after that, the user could do most anything they want, save for modifying the OS itself.

 

The question would be is, if the average user got rid of his/her scanner, how is he/she supposed to know if a file is clean or not?

 

Well, that's a problem for sure. The way I see it, in a perfect world, no ignorant users would be allowed to have admin/root access to any machine. Once you give a clueless user admin/root on any OS, it's probably game over at any time they do something stupid. Unfortunately since, in modern times, computers tend to be made for individual users (as opposed to the old mainframe/terminal paradigm where one knowledgeable admin is able to control user access) there isn't any practical way to protect Joe Sixpack from doing something stupid. For instance, there is no way to stop him from installing malicious stuff or browsing the web as admin.

Even with Linux, where most software is tightly controlled via repositories, bad things can happen. For instance, there was a trojan discovered just yesterday for Ubuntu that was being passed around on gnome-look.org. It was a screensaver that required root access to install itself. The fact it needed root would have been a huge red flag to most veteran *nix users since a screen saver will never need root, but I'm sure some newbs went ahead and installed it. (This is one reason it isn't wise to install software outside of the repos, but it's impossible for the repos to have everything everybody will want, so there will always be some of this). But I digress..

Linux/BSD, OS X, Windoze, it doesn't matter -- all of them can be relatively secure as long as clueless users don't get root. In the enterprise this is easy to control (especially with Linux since it allows numerous user logins at once). The whole key here is privilege separation -- something M$ has only begun to take seriously in the home versions of Windows. The *nixes have a huge advantage here, but they are still not immune from bad habits Windows converts will surely bring over.

 

Please never repeat that sentence again, It simply makes want to go out and kill someone.

As for security the problem will always be between the Chair and keyboard for that Microsoft has no patch.

 

That is wrong. Do you care to explain how one can "use a computer wisely?" How do you do that when many perfectly legit websites are now compromised? I agree that AV itself is worthless, but a user needs more than just "being wise."

 

Actually, I support Mrkvonic's statement. For example, I don't use real-time av and the other day I got one (second time in last month) of those fake "you may be at risk, you need our antivirus" alerts when Googling for automobile wheel balancing info, where it goes on to "scan" and present the user with several "infections", click here to fix pages. Well, I run a limited account (wise way to use a computer) and instead of proceeding to download and install the rogue app, I closed the browser (wise thing to do) and that's the end of that

 

Using computer wisely is very simple:

* Run an alternative browser and despite all the hype about IE8, this is still the single most valid change you can make to make a difference.
* Do not download crap.
* Scripting control.
* Updates.
* Limited account.

Any which one works, combined, they work even better.

Ask yourself: when did I last seen a browser prompt for some download or such? When is the last time I downloaded something that might be suspicious? When is the last time your AV rang a bell?

You do not need more than being wise, but people will replace patience, discipline and knowledge with monetary compensation. In other words, they will dish 50 dollars to keep them from thinking for a year. Typical behavior of non-aspiring average. Instead you can save money and computer resources by using your head. But that's an effort not everyone is willing to take.

Mrk