The user remains the most effective anti-malware tool you’ve got
Matthew Hackling makes an interesting observation:
Aftermarket products are sold to try and fix insecure operating systems and applications. They don’t work all that well because the signature detection/prevention paradigm can be defeated by simple obfuscation or a custom developed exploit. It’s sort of like trying to retrofit an airbag to a car with a button to press in case of an accident rather than designing a strong safety cell and crumple zones. If we were doing security well at the operating system, we wouldn’t need firewall technology at all. If we did security well at the application level, no need for antivirus!
Well, of course he’s right in general; but is he right in detail? Certainly signature-based detection doesn’t work very well because it’s so easy to change the signature. Malware does it all the time – and, hey presto, an old virus today is unrecognised tomorrow. That’s why AV also includes behavioural analysis: they’re not just trying to recognise known malware, they’re trying to recognise the stuff that can do bad things, whatever its bytes happen to look like. And they’re quite good at that.
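The contrast drawn above, as an added toy example that is not from the original post or from any AV product: a signature scanner looks for known bytes, so a trivially repacked copy of the same sample slips past it, while a behaviour monitor scores what the program does at runtime and flags both copies. The signature, the XOR repacking, the event names, the weights and the threshold are all constructed for illustration.

```python
# Added example (not from the original post): a toy contrast between
# signature-based and behaviour-based detection. All samples, signatures,
# event names, weights and thresholds below are constructed for illustration.

from typing import Iterable, List, Tuple

Event = Tuple[str, str]  # (action, argument) as a behaviour monitor might record it

# --- Signature detection: match known bytes ---------------------------------
# Constructed "known bad" byte pattern that a signature scanner would carry.
KNOWN_SIGNATURE = b"EVIL_DROPPER_v1"


def signature_match(sample: bytes) -> bool:
    """Return True if the known pattern appears verbatim in the sample."""
    return KNOWN_SIGNATURE in sample


# --- Behavioural detection: score what the program does ---------------------
# Constructed weights for actions a behaviour monitor might treat as suspicious.
SUSPICIOUS_ACTIONS = {
    "write_file_to_startup": 3,
    "disable_security_tool": 4,
    "connect_unknown_host": 2,
    "encrypt_user_documents": 5,
}
FLAG_THRESHOLD = 5  # constructed: total score at or above this is flagged


def behaviour_score(events: Iterable[Event]) -> int:
    """Sum the weights of suspicious actions observed in an event sequence."""
    return sum(SUSPICIOUS_ACTIONS.get(action, 0) for action, _ in events)


def behaviour_flag(events: Iterable[Event]) -> bool:
    """Flag the sequence when its suspicious-action score reaches the threshold."""
    return behaviour_score(list(events)) >= FLAG_THRESHOLD


# --- Constructed samples ----------------------------------------------------
# The "original" sample carries the known pattern; the "variant" is the same
# bytes with every byte XORed against a constant, i.e. a trivial repacking that
# changes every byte but leaves the program's runtime behaviour unchanged.
ORIGINAL_SAMPLE = b"header\x00" + KNOWN_SIGNATURE + b"\x00payload"
VARIANT_SAMPLE = bytes(b ^ 0x5A for b in ORIGINAL_SAMPLE)

# Both samples would produce the same runtime events when monitored (constructed log).
MALWARE_EVENTS: List[Event] = [
    ("write_file_to_startup", "C:\\Users\\example\\Startup\\upd.exe"),
    ("disable_security_tool", "realtime-protection"),
    ("connect_unknown_host", "203.0.113.7:4444"),
]
# A benign program that merely opens a document and talks to an unfamiliar host.
BENIGN_EVENTS: List[Event] = [
    ("open_document", "report.docx"),
    ("connect_unknown_host", "198.51.100.20:443"),
]


def evaluate(sample: bytes, events: Iterable[Event]) -> dict:
    """Run both detectors over one sample and its observed behaviour."""
    return {"signature": signature_match(sample), "behaviour": behaviour_flag(events)}


if __name__ == "__main__":
    for name, sample in (("original", ORIGINAL_SAMPLE), ("variant", VARIANT_SAMPLE)):
        print(name, evaluate(sample, MALWARE_EVENTS))
    print("benign", evaluate(b"nothing to see here", BENIGN_EVENTS))
```

Running it shows the original sample caught by both detectors, the repacked variant caught only by the behaviour monitor, and the benign program caught by neither; the point is that the behavioural score depends on the sequence of actions, not on the bytes, which is why signature matching alone is the weaker half of the pair.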
The other point, that if we did software well we wouldn’t need to defend it, is interesting. But I suspect it’s Shangri-La: a nice place to dream of, but somewhere we’ll never be. It assumes we are capable of writing software with no bugs, no flaws, no backdoors… That, I suspect, would be a dangerous assumption: we’d likely end up in a crash with no airbag at all.
But at this point I’d like to introduce another interesting observation:
It is not that security professionals cause break-ins, but there is little doubt in my mind that, by raising the bar, we are cultivating smarter, more sophisticated and more effective forms of attack. Much as the excessive and inappropriate use of antibiotics often results in more virulent drug-resistant microbes, so we are seeing the growth of highly-professional technically-brilliant attackers against systems that have been well protected against earlier malware.
C. Warren Axelrod
The implication here is that we will never attain security. By increasing our defences, we simply develop more brilliant attackers. And that’s a bit worrying.
So maybe we’re concentrating our energies in the wrong place. Maybe we should spend less of our time, energy and budget on ever more sophisticated barriers, and more time on our users. Regardless of the technical wizardry of the contemporary hacker, all hacks still require the user to do the wrong thing, or not do the right thing, at some point or other. Maybe it would be more cost-effective to train our users to behave properly than to build increasingly expensive walls between us and the bad guys.