This article can also be found in the Premium Editorial Download "Information Security magazine: How to implement a change management that works and reduces security risks."
Download it now to read this article plus other related content.
Point: Marcus Ranum
What amazes me is that it's 2009 and the security world's response to viruses and malware is still oriented toward "detect the bad" rather than "permit the good." And, consequently, we still have viruses and malware. To me, it just seems so gosh-darned obvious that our problem is that we have lost control over our runtime environment, and regaining that control is "simply" a matter of deciding what programs we want to allow to run.
Of course, most organizations don't know (or haven't got the courage to discover) what programs they allow--and, ultimately, isn't that the root of their security problems? When I read the security news and hear that thus-and-such government agency is trying to decide if Facebook is a necessary application, it makes my head spin. In Marcus-land, where I come from, you decide what is a necessary application first, not after you have 40,000 employees who have gotten so used to it that they now think Twitter is a constitutionally protected right. Isn't a virus or malware just unauthorized execution that someone managed to sneak onto your machine? If we adopt a model whereby there are programs that are authorized (i.e., on a whitelist) and the operating system should terminate everything else, then malware and viruses are history, unless their authors can somehow fool the administrator into authorizing them to run. I don't see what's so complicated about that--after all, I've been running all of
I look at my friends who work at companies with a "must update your antivirus every month" policy and wonder what's wrong with them. I don't even patch my operating system -- I suppose that leaves me vulnerable to a memory-resident attack, but I usually shut my machines down every day. Is the only thing that's going on here that I'm willing to take the time to think for 30 seconds and list the 14 or so programs that I run on my system? Is that all there is to it? It seems to be.
Whenever I talk about execution control/whitelisting with corporate types, someone says, "But we don't really have a way of determining all the applications that we use!" Really? Wow. That sounds like a policy that's basically, "We have no idea what our computers are for." In other words: "We've given up, and as far as we're concerned, our computers are an unmanaged mess." Or to put it another way, malware heaven. Can anyone even calculate the cost of malware and viruses (as well as the occasional office time spent playing online games) to businesses? That cost, ultimately, is paid solely in order to avoid the difficulty of determining what programs are authorized -- what's the purpose of the computer an employee is provided to use?
A couple years ago, I worked with a company that develops extremely expensive and powerful robotic systems for a gigantic (and very important) application. Each of the robots cost about $13 million, and if they went down, the costs spiraled up into the $100,000/minute lost revenue range. The field service technicians who maintained those robots would plug their laptops into a port in the control network, and run diagnostic software--with the same laptops they considered their own, and often loaded file-sharing programs, online games, and other freebie apps from the Internet. You can guess what happened next, because if you've been involved with security for more than two weeks, you've heard countless variations of this story already. Why? How much of this kind of nonsense are corporate IT execs willing to put up with?
Here's why I keep talking about execution control: it's actually ridiculously easy compared to dealing with antivirus and antimalware. So why isn't everyone doing it? Because it'd dramatically cut down on our ability to goof off. If executives knew how easy it was to cut back on productivity-wasting goof-off-ware, don't you think it would be happening all over the place by now? If, instead, we tell them it's hard to know what executables we use in the office...well, what nobody knows won't hurt anyone.
Oh, and with the money I saved over the last six years when I stopped paying for antivirus/malware and dealing with system instability brought on by constant patching --I bought an Xbox and a copy of Halo. That's another way of controlling your runtime environment: special-purpose hardware.
Marcus Ranum is the CSO of Tenable Network Security and is a well-known security technology innovator, teacher and speaker. For more information, visit his website at www.ranum.com.
Counterpoint: Bruce Schneier
Security is never black and white. If someone asks, "for best security, should I do A or B?" the answer almost invariably is both. But security is always a trade-off. Often it's impossible to do both A and B--there's no time to do both, it's too expensive to do both, or whatever -- and you have to choose. In that case, you look at A and B and you make you best choice. But it's almost always more secure to do both.
Yes, antivirus programs have been getting less effective as new viruses are more frequent and existing viruses mutate faster. Yes, antivirus companies are forever playing catch-up, trying to create signatures for new viruses. Yes, signature-based antivirus software won't protect you when a virus is new, before the signature is added to the detection program. Antivirus is by no means a panacea.
On the other hand, an antivirus program with up-to-date signatures will protect you from a lot of threats. It'll protect you against viruses, against spyware, against Trojans--against all sorts of malware. It'll run in the background, automatically, and you won't notice any performance degradation at all. And -- here's the best part -- it can be free. AVG won't cost you a penny. To me, this is an easy trade-off, certainly for the average computer user who clicks on attachments he probably shouldn't click on, downloads things he probably shouldn't download, and doesn't understand the finer workings of Windows Personal Firewall.
Certainly security would be improved if people used whitelisting programs such as Bit9 Parity and Savant Protection--and I personally recommend Malwarebytes' Anti-Malware--but a lot of users are going to have trouble with this. The average user will probably just swat away the "you're trying to run a program not on your whitelist" warning message or--even worse--wonder why his computer is broken when he tries to run a new piece of software. The average corporate IT department doesn't have a good idea of what software is running on all the computers within the corporation, and doesn't want the administrative overhead of managing all the change requests. And whitelists aren't a panacea, either: they don't defend against malware that attaches itself to data files (think Word macro viruses), for example.
One of the newest trends in IT is consumerization, and if you don't already know about it, you soon will. It's the idea that new technologies, the cool stuff people want, will become available for the consumer market before they become available for the business market. What it means to business is that people -- employees, customers, partners -- will access business networks from wherever they happen to be, with whatever hardware and software they have. Maybe it'll be the computer you gave them when you hired them. Maybe it'll be their home computer, the one their kids use. Maybe it'll be their cell phone or PDA, or a computer in a hotel's business center. Your business will have no way to know what they're using, and -- more importantly -- you'll have no control.
In this kind of environment, computers are going to connect to each other without a whole lot of trust between them. Untrusted computers are going to connect to untrusted networks. Trusted computers are going to connect to untrusted networks. The whole idea of "safe computing" is going to take on a whole new meaning--every man for himself. A corporate network is going to need a simple, dumb, signature-based antivirus product at the gateway of its network. And a user is going to need a similar program to protect his computer.
Bottom line: antivirus software is neither necessary nor sufficient for security, but it's still a good idea. It's not a panacea that magically makes you safe, nor is it is obsolete in the face of current threats. As countermeasures go, it's cheap, it's easy, and it's effective. I haven't dumped my antivirus program, and I have no intention of doing so anytime soon.
I don't even want an Xbox.
Bruce Schneier is chief security technology officer of BT Global Services and the author of Schneier on Security. For more information, visit his website at www.schneier.com.
This was first published in November 2009