State of Security Questionaire

Discussion in 'other security issues & news' started by dw426, Jul 9, 2008.

Thread Status:
Not open for further replies.
  1. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Mods: If this topic is better suited elsewhere, please move it to where it is most appropriate.

    Over the last few days, I have been reading over various topics including malware breaking out of very secure configs, privacy issues, software conflicts, among other things. After doing so, I began spinning the dusty wheels in my mind and thinking about the state of computer security, where we've been and where we are going. I came up with my own opinions and decided to post a short list of questions that I tried to answer myself and wanted to see what the resident experts here thought also, so, here goes:

    1. Where are we today? Have the bad guys outran the good guys, is it neck and neck, or are the good guys winning?

    My thoughts: As a normal user reading posts here daily, I am not overwhelmed with fear, nor am I comfortable. Many more instances of malware being able to bypass completely or in some other way trick some of the strongest protection used by members are being seen every day. I realize nothing is 100% foolproof, but it seems as if the security industry can't or won't keep up. With that in mind:

    2. Is the security industry doing enough to keep up/outpace the threats facing us today? Can they do enough?

    My thoughts: This is a hard one for me to answer. I believe more can be done, like, as mentioned quite a bit lately, putting more effort into protecting areas such as the MBR. However, at the same time, threats are evolving so fast that I honestly don't know if they CAN keep up with them.

    3. Are the "tried and true" methods of protection, ie, AV, AS becoming irrelevant? Are HIPS and Virtual solutions the only reliable defense we have?

    My thoughts: I'm beginning to answer myself yes. As far as anti-spyware, I believe it may be a dying if not dead market. Now the only reason I say that is because more and more threats are focused on the deepest parts of the operating systems. if the system can be controlled, it no longer needs to be spied on IMHO. As far as antivirus, I don't believe anymore that security vendors can keep up enough to supply reliable blacklists, signatures, and heuristic approaches (I need a more expert opinion on this part), seem to be getting weaker.

    I do think that HIPS and virtual solutions can best protect now, but even they are being broken into on a more and more frequent basis.

    4. How much longer before we need to completely re-think security and need to find different solutions?

    My thoughts: Not very long, IMHO. It's obvious the "old ways" are no longer enough. Even if a user is very cautious about what he or she does, the chances of infection are rising it seems and those infections are becoming more and more complicated.

    5. Where will we be in terms of security in the next 5 years?

    My thoughts: The situation is getting worse, obviously. I believe a regulated internet is the only way to slow down the onslaught, and regulation brings with it its own issues such as privacy. I also believe that, as good as the internet and the advancement of it has made lives and helped such a great deal, it has also made us more vulnerable, not only to the malware writers, but also to more serious threats to the security of nations themselves.

    6. Is the layered approach becoming obsolete, or are suites that incorporate AV,AS,HIPS and more a better answer?

    My thoughts: While the layered approach looks great on paper and does work, for the time being at least they do, I believe suites should make a comeback. The reason I believe this, is because many times a day, we see posts on different security software conflicting with each other. Something is always trying to share a hook or some other part of the OS deep within. Also, with different apps, comes the chance of more bugs and vulnerabilities for each application. Security vendors can't/won't test their product with every other security product out there, so problems will always be there in some form or another.

    With a suite, this isn't much of an issue, if at all. Each part of the suite (generally) knows what the other parts are doing and what they need, so conflicts aren't as much of an issue. Also, even though a bug or vulnerability can affect the suite as a whole, it is one suite with one patch that "shouldn't" cause problems, where with a layered approach, different bug/vulnerability fixes can make current conflicts worse or create new ones. Another benefit of layers, vendors doing things in a different way, can be accomplished by a well-respected suite vendor just as well if not better, considering that suite vendor no longer has to worry about how other software will work. There can be competition still too, vendors can still strive to do better amongst themselves.

    7. What do you think is missing from security? What would you do differently? What do you think is the answer to current and future threats?

    My thoughts: I'm not sure what all is missing with exception to certain parts of the OS needing different applications to protect them. I just am starting to believe our current options are running dry.
     
    Last edited: Jul 9, 2008
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    The good have more resources and more business to lose, the bad are with fewer and are more creative. All and all its an underground/resitance war with hits of the bad occasionally and reaching the media/news. The good are winning, only because the scope of IT is growing, it seems a neck a neck race.

    Yes, but priority is business, earn out, market share, not the autonomious growth of IT usage and application (the earlier increased scope)


    Yes and NO: The old basic techniques FireWall, Blacklisting, Policy Management, white listing and will be redesigned and applied together with 'newer' techniques as virtualisation and behavior blocking in new combo's. What will be changing is the naming of this security programs (for marketing reasons)



    See question 3. Do you consider a 'new' Antivirus which also uses On execution virtualisation and behavior blocking as an evolution or a revolution? Do you consider a browser extension (warning for bad sites) turning into a software sandbox (sort partial IDS/HIPS on selected browser weaknesses with virtualisation elements), scripts mini AV (skipping blacklisted scripts) as a revolution or an evolution?



    When you compare service packs 1 of XP Home with Vista Home the following be improvements are obvious:
    - A two way Firewall in Vista (no FW in XP SP1) with only inbound made available by default, two way with a little tweaking
    - A LUA implementation with event driven elevation (you need a HIPS on XP)
    - A browser operating in protected mode (including downloaded files (you needed to buy a policy sandbox for that on XP)

    Same applies to security software: have a look at Online Armor and see its progress in security and usability, so seamless security (like policy management, behavior blocking, on execution virtualisation) add ons will make our life easy on PC's, while old security software (traditional AV blacklist) will make its way to our handhelds/mobile phones (because territory changes due to increased scope as mentioned in one/two)



    There will always be a best of breed approach adopted by people who know something of security (we used to call it layered, it will evolve to best of breed) and a suite or all in 1 approach for the masses.


    I think the maturity curve of new IT application areas (like smart phones) will always resemble former ones, only the timing will be faster. Smartphone security will start with Antivirus, what ever IT application comes next will initially have no security, why?
    It is basically a 'skimming the market' marketing approach. When new technology is expensive, you would not want to increase the threshold for early adopters by making the new device more expensive with security and a perfect OS (with lots of development hours in it). so we see repeating business patterns, which is fine for me. This will keep evolving this way until we change our society/way we live. It is not the fault of the commercial companies that they give us what we ask, we are asking for it in the first place!
     
    Last edited: Jul 9, 2008
  3. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Bad guys are already winned the war with traditional AV/AS blacklisting scanners. Only new HIPS/sandboxing technologies can allow good guys be one head ahead, but those tools are not wildly spreaded. So, right now "we" live in very interesting time when security innovations come home.

    "Security industry" is about making money, not about protecting users. Yes, they "can" do enough, but, until people still buys out-to-date, ineffective security solutions, they see no reasons to change anything. Why?

    AV/AS are ineffective as the first line defense as advertised, they are good to be cleaning up tools after real first line HIPS/sandbox defenses.

    I believe, not too long. First real-world estimated malware prevention test is coming soon.

    Security suites, containing AV, sandbox, web-based filters, anti-spam.

    See above.

    Future threats is just a reflection of future technologies. I don't know what will be the next big "killer app", so, have no clues to future threats.
     
  4. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    All a bit alarmist really. MS has been doing its bit to make Windows more secure by default (firewall on my default, IE protected mode, UAC) while blacklist scanners and heuristics leave a relatively small window of opportunity. Additionally the great majority of real world malware haven't even begun to deal with virualization of any sort. Further, a good percentage of malware use social engineering techniques to infect a computer, something safe surfing can mitigate against.
     
  5. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    The post wasn't meant to be alarmist really. I don't believe that we are yet at the point where we need to start "holding our blankies and sucking our thumbs" as far as security is concerned. They were just thoughts that went through my head after doing a heck of a lot of reading in here (sometimes I think I live in this forum) :) Though I don't seem to be too far off the mark when the developer of maybe the most highly regarded apps shares some of my concern.

    I appreciate all replies to this, I like knowing what the people here think, keep them coming :)
     
  6. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Not to slag Ilya but I don't think this opinion is totally unbiased.
     
  7. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I understand your point actually, but even Ilya seems to agree that newer solutions need to be found in the not so distant future (hoping I'm not misunderstanding and putting words in Ilya's mouth). I am perhaps a bit alarmist as I think the days of slapping on SAS and Avira (just using examples) and staying on the "teddy bears and rainbows" side of the internet as a way to stay nice and safe are coming to a close, but I still don't think the panic button needs to be pushed quite yet.
     
  8. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    Purely my opinion, however......the bad guys are and will always be one step ahead. First, the good guys get the idea for a program. Then write the code, test the program, distribute the program. Depending on it`s use, market coverage, the bad guys then go to work on it. Exploits are found\created and used. The original writers then go to work to write patches. On and on it goes.

    While many security writers are trying to find the magic one size fits all 0 day exploit prevention, sadly it may never be written. :(
     
  9. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I don't have time right now to answer the questionaire, but I think it's important to make the difference between "real world" malware and "geek" malware.

    I agree with most of what has been said here, BUT AV and AS (while not my favourites) still have some use. When I clean other people's computers, the nastiest thing I find are rootkits (and even this is just sometimes). Most are Vundo or Smitfraud or Storm variants.
    Rogue products will always be around, because just like security business, malware business also wants to make money. And for cleaning this type of infections an AV and AS is all what you need.

    But I do agree, that just like some security developers have created GREAT tools and are not so worried about the "moneymaking", some malware developers have developed some massive destruction weapons. And is this rather small fraction of malware what causes the most trouble for security vendors to keep up.
    Maybe one can aplly the Pareto Principle to malware: 20% of malware existing is the culprit of 80% of damage, while the other 80% just does 20% of damage.
     
  10. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I believe, you think that I advertise my product with sharing of my vision? Sorry, but you are absolutely wrong here. I do DW the way I see the future of security software. I feel this way. It's even possible to say that my vision is my software and my software is my vision. They are the same.
     
  11. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I agree As much nasty stuff there is on the net, I believe We can enjoy surfing the net virus/malware free,for yrs to come.paranoid is a mindset.If one Feels that way why even bother with internet at all or perhaps even using a computer.In over 12 yrs of pc use, I have only been infected twice one my fault with out doubt and another was just simply missed by AV of choice then.In my first yrs, I surfed the shark infested waters Daily but that also was many many yrs ago when things where not what they are today.That said, the only time I feel I need to change my security or sufing habbits is if I continue to be a victim of malware/virus or simply like to test everything reputable.It seems to me that the security vendors and some general reports tend to lead the poor souls out spending there hard earned money on more security apps and loading down there pc with numerous products totally not needed,Of course opionions very and to each there own. My mindset is do not worry think safe be safe and have fun.
     
    Last edited: Jul 9, 2008
  12. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    You must have had your vision to create your software otherwise you cant create it.

    So it could be a biased opinion or there is a selection bias i.e. developers of advanced security software tend to be believe that the current solutions arent good enough.

    And please don't take any offense to this. Just thinking aloud.
     
  13. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    You said it :p

    Good AV + user education reduces the risk to a point so that for a home user it is negligible. For enterprise it may be different as the have so many users that actually inceases the risk.
     
  14. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hi,

    Here's what I think:

    1. Where are we today? Have the bad guys outran the good guys, is it neck and neck, or are the good guys winning?

    Nothing special, the things are pretty much the same these last 5 years or so. Today, due to the growth of alternatives to MS fuddle, the user has more freedom and ability to steer peacefully through the mud of the Internet. But on average, little has changed, because people's mindsets are static.

    2. Is the security industry doing enough to keep up/outpace the threats facing us today? Can they do enough?

    What industry? Servers? Coroprate? Home user? I guess the question is regarding home security? It's way, way overestimated. There's too much fear mongering and baseless shouts about doomsday devices.

    3. Are the "tried and true" methods of protection, ie, AV, AS becoming irrelevant? Are HIPS and Virtual solutions the only reliable defense we have?

    They are not irrelvant because, as I said, people think pretty much the same the way they did 5 or 10 years ago and it's not going to change soon. But it's an outdated, even boring mindset that can be so easily evaded.

    Call me naive or anything, but the mere fact you use an alternative browser, you render all of the above solutions simply unneeded.

    4. How much longer before we need to completely re-think security and need to find different solutions?

    The security is being rethought all the time, especially regarding the friendly, permissive Internet-for-all trusted users, trusted computing concept. As to different solutions, they are there. You just need to look for them.

    5. Where will we be in terms of security in the next 5 years?

    In the same place.

    6. Is the layered approach becoming obsolete, or are suites that incorporate AV,AS,HIPS and more a better answer?

    Both approaches are obsolete.

    7. What do you think is missing from security? What would you do differently? What do you think is the answer to current and future threats?

    Licensing computer use. I would ban 90% of computer users. Answer to current and future threats is modular, permission based, deny-all approach, best represented in the Linux formula.

    Mrk
     
  15. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    Agreed 100%. But many would argue the point of user education.

    More users + the users attitude that it is not their machine so they just do not care. That is when a well educated IT Dept. accompanied by locked down\reduced user privileges along with a strict usage policy come into play. Software\security apps. just will not totally fill the need in this instance I`m afraid.
     
  16. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi dw426,

    The bad guys have been winning the fight for quite some time now and will continue to do so in the immediate future. The problem is not with the quality of the solutions that are available as many of the latest offerings are truly amazing products that are designed and supported by uncommonly talented and dedicated people.

    The problem is due to an inability to change tactics and adapt quickly, especially now that we have entered a new phase in the war where the bad guys are getting organized and using industrial development/deployment models.

    In my opinion the first is an emphatic no and the last is a qualified maybe. They have an interest in their current product lines and design approaches so are slow or resistant to radical change. For the larger providers this is understandable as it is extremely difficult to simply "retool" their production to stop development on the old way of doing things and buy into a totally new approach. Though the smaller players can be more flexible, they base their approaches on the same models the big companies use because the big companies have been successful so there is less incentive for them to seek radical alternatives.

    I agree with your thoughts to a certain extent but disagree that traditional blacklist/signature solutions are totally irrelevant. They have a purpose, but have been irrelevant as a front line defense for a long time now that most, if not all, of the unique sample databases have been scooped up. This means that you do not need multiple scanners to fulfill the purpose that a consistent AV should have in your strategy IF you continue to use AV in your strategy. As the top tier AV solutions include AS capabilities, separate AS programs have become irrelevant except in specific targeted cases.

    My next comment must be qualified because I do have an obvious bias towards virtualization over HIPS approaches. In the hands of an expert, HIPS is an extremely effective and appropriate tool, but in my opinion they fail for the new/average user who does not have the technical knowledge to make the right decisions. The fatal flaw with HIPS alone is that if the user makes the wrong decision, the game is up.

    To be fair however, virtualization alone is vulnerable to execution of malicious content until it is removed with a reboot of the computer. So the decision here should not be either or; rather it should be how to efficiently combine the strengths of each approach so that the weaknesses of one are covered by the other(s) via layering. This does not mean multiple versions of scanners, HIPS, and ISR as you should be concentrating on the risks you actually face and then deploying a strategy that best addresses these risks.

    Do you need an AV if you already use HIPS? For most I would say that AV and HIPS cover similar territory but in different ways; Detection and blocking/filtering. So the decision should be one where these considerations are best addressed in your individual environment and what you feel most comfortable using on a regular basis.

    That time came and went quite some time ago. You can see this from the posts and experiments that go on here at Wilder's every day.

    Contrary to your thoughts I feel that the next 2 - 5 years will see an explosion of new ideas and strategies. Necessity is the mother of invention and I think we have established that change is not only essential, it is critical as we go forward. But as has been shown time and again, it will not be the large companies that do this, rather it will be someone with a small, lean, and adaptive company that will force change in the wider industry...

    The layered approach is not dead, in fact it is the future in my opinion but not necessarily with the use of suites which to me are just loose aggregations of current products and no different really than using selective applications from different providers. The problem with most of them is that they focus on adding the basic traditional solutions inside a single GUI rather than having any real strategy. So they are convenience products rather than targeted security products.

    So what should you be looking at? The first thing to do is to think about the categories you need and then selecting the programs (one each) that cover the most ground with a minimum of overlap.

    EX: Having a separate AS and then incorporate a Firewall with AS capability. This is redundant and a good strategy should not only protect but eliminate useless redundancies...

    The main categories to think about here are:

    1) Prevention - This part of the overall strategy is about keeping content from getting to your system in the first place.

    2) Detection and removal - This part of the strategy is to ensure that your system is clean.

    3) Cure - This part of the strategy is about making sure the system remains clean and reduces the importance of #2 over time and increases the importance of #1.

    So a possible layered approach here could be the following:

    1) Router with HW firewall between the LAN and WAN with the Windows firewall used to control communications within the LAN.

    2) A traditional AV and/or strict White listing- For the AV direction take your pick as they are all essentially the same. White Listing can be cumbersome but in combination with strong policies, they can be extremely effective.

    3) Virtualization and imaging - Either System level or a combination of System/Application level virtualization depending on your expected risk and a reliable imaging solution.

    The most important thing missing from PC security in my opinion is an efficient overall strategy that eliminates redundancies. The way things are now, we spend too much time debating about which scanner detects which threat at any given time rather than looking at how structural deficiencies in the products we use can be closed without resorting to bloat.

    The answer to the problem is to evaluate your actual risks and deploy the best solution(s) appropriately. I have given one example but it is not the only example. One resource I would tap into here at Wilder's would be to read BlueZannetti's posts regarding potential configurations and strategy. He has a good mind and knows what he is talking about...

    Regards
    Mike
     
  17. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Guys I really appreciate all of your replies, they are being very helpful to me by making me sit down and re-think things through, like deciding what threats are POSSIBLE and what I'm more likely to face on a day to day basis with my normal computing habits. I especially appreciate two of the most well-respected vendors here providing input. I admit I am still concerned that the "mbr killers", "dogs" and the like are going to become the "norm" in the not too distant future rather than the rarity, and that it's possible most security vendors are not prepared enough for it yet, but I can still have hope that they can stay at the very least a step ahead if not two or more of the bad guys.

    At the very least, I see this back and forth war going on for the foreseeable future, again, unless some regulation is put in place. Hehe, MrkVonic, I don't think banning 90% of users is going to help much. It would more likely bring about the end of the internet or restrict it so greatly that we would be transported back to the days of the internet being used by a select number of computers in a few universities. Now that's not so fun, is it? :)
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    What have not changed over the years are the principle methods used to infect systems with malware executables:
    1) Remote Code Execution

    2) User gives permission to install
    The first is the easiest to protect against. I'm finding more people relying just on

    ==> a router/firewall

    ==> a properly configured browser

    ==> configuring CD/USB drives not to execute code automatically

    The second method is more problematical.

    In one category are those attacks which appeal to what in recent times is politely called "social engineering,"
    which in the past we called "user stupidity."

    Recent examples of this are the Storm attacks, which, by some accounts, are some of the most successful exploits of all time. They utilize the email attachment method of delivery. Think on that!

    Another category is installing software which the user thinks is OK, but turns out to be infected.

    I find many people protect successfully against these categories in the second method by

    ==> properly configured user habits

    ==> installing only legitimate software acquired from known good sources


    --
     
    Last edited: Jul 9, 2008
Loading...
Thread Status:
Not open for further replies.