Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

9 popular IT security practices that just don't work

Roger A. Grimes | Aug. 14, 2012
The security products and techniques you rely on most aren't keeping you as secure as you think

Every one of us is constantly faced with new malware that our particular antivirus engine doesn't detect. It's not a rare event. If you've ever submitted a malware sample to one of the multiple engine checking sites, like VirusTotal, you know it's fairly common for antivirus engines to miss new breakouts, sometimes for as long as days. Weeks later, antivirus engines can still bypass a particular Trojan or worm.

I don't blame the vendors. With literally more bad files in existence than legitimate files, antivirus scanning is a tough job and begs for whitelisting programs. They have to store database signatures for hundreds of millions of devious, hididen programs and detect brand-new threats, for which there is no signature, all the while not slowing down the protected host's operations.

While the Internet is too scary of a place to go without antivirus protection, they've long since stopped being the reliable programs as touted by their vendors.

Security fail No. 2: Your firewalls provide little protection As far as IT security is concerned, firewall protection is becoming even less relevant than antivirus scanners. Why? Because the majority of malware works by tricking end-users into running a forbidden program on their desktops, thus invalidating firewall protection. Moreover, the bad programs "dial home" using port 80 or 443, which is always open outbound on the firewall.

Most people are protected by multiple firewalls on the perimeter, on the desktop, and filtering applications. But all that bastion host-port isolation doesn't appear to be working. We're as exploited as ever.

Security fail No. 3: Patching is no panacea For many years the No. 1 security advice you could give anyone was to do perfect patching. All software has multiple vulnerabilities and must be patched. Despite the existence of more than a dozen patch management systems that promise perfect updates, for whatever reason, it appears it can't be done.

Often times it isn't the patch management software's fault -- it's the managers. They only patch some items, but miss the most popular targets, such as Java, Adobe Reader, Flash, and more. Or they don't patch in a timely fashion. Or they don't follow up on why some percentage of their population doesn't take the latest applied patch, so there's always a vulnerable portion of users. Even in the best cases, getting patches out to the masses takes days to weeks, while the latest malware spreads across the Internet in minutes or hours.

Even worse, social engineering Trojans have essentially done away with that No. 1 advice. Consider this: If all software had zero vulnerabilities (that is, if you never had to patch), it would reduce malicious exploits by only 10 to 20 percent, according to most studies. If you got rid of the exploits that required unpatched software to be present, the hackers relying on unpatched software for their dirty work would move to other avenues of maliciousness (read: social engineering), and the true reduction in cyber crime would probably be much less.


Previous Page  1  2  3  4  5  6  Next Page 

Sign up for CIO Asia eNewsletters.