Things I'd do if I ever have time

Wish list

Please help a man further his career by donating expensive hardware. Cash works too.

Security ≠ Security Software

Published: 02/03/2008

Viruses and worms are not new concepts, but with available network connectivity becoming more ubiquitous and as more people become a part of the vast public network that is the Internet, the propagation of "malicious code" (a catch-all term used to refer to viruses, worms, trojans, etc.) becomes greater. Individual computers by themselves are complex systems. If you plug them into a large network where all kinds of interactions are bound to occur, the resulting complexity exponentially grows as each additional node expands a mesh that becomes unpredictable and ever-shifting, much like the study of fluid dynamics.

Today's mainstream news media raises awareness of these network-nasties through sensationalized headlines. New terms, new "attack vectors," new vulnerabilities, new exploits... For the average user, it's a sense of overload after a while, leading to fear, uncertainty, and doubt. Rarely is there a concrete understanding or definition of what these issues really are. All we hear is that "something bad can happen," leading to identity theft or some other undesirable consequence.

This is where software companies will step in and happily offer you a product that will shield you from the malware pollution that's lingering over the Internet like smog. Everyone knows what anti-virus is, but now there's anti-spyware, anti-phishing, anti-adware, anti-yadda-yadda... Many of these software products come bundled as a suite, designed to provide an all-encompassing clearcase to ensure your safety as you step into the deep end of the network pool. You're advised to install these security products, keep your operating system updated with the latest security patches, and update your signatures.

The problem, however, is that consumers generally don't realize that they're not really buying security - they're buying software.

If you buy a house, you may consider that a burglar may eventually break in and steal / vandalize / cause physical harm to you or your property. The most common way to address this issue is to buy a home alarm system that ties into a monitoring station where, if the alarm is tripped, a patrol guard is dispatched to your location. However, what you have purchased is not security - just a perception of being more secure. The product / service is not an absolute solution to the prevention of crime. It may serve as a deterrent (assuming you have the alarm company's sign posted outside), but ultimately if someone was determined enough, a break-in can still happen.

In a technical sense, products like anti-virus software is a purely reactive solution. In order for it to perform its function, something that has been pre-defined as "bad" has to touch your system. It has to penetrate your outer walls and step foot into your computing space. If the anti-virus software is able to detect it, then it might be able to perform a quarantine, but this is dependent on the quality of the detection engine as well as an existing virus signature that matches the characteristics of the malicious code. If your signature / definition file is out-of-date, then the probability of it catching the virus is lower. As Microsoft's Immutable Laws of Security states, "An out of date virus scanner is only marginally better than no virus scanner at all."

To be secure is to be more than just dependent on some automated tool. Given the rate of technological feature expansion and expectation in the market, the complexity within the ecosystem generally multiplies faster than most users' ability to understand the alphabet soup of threats. The more complex the system is, the less secure it inherently becomes. This is an unavoidable fact because one has to keep an eye on more variables, stretching resources to their limits. The more pieces to manage, the easier it is to accidentally let something slip by.

And the attacker has to only find one small crack to set foot on your property.

The reality is that life cannot be fully secure. We don't live in a safe bubble where everyone smiles and holds hands. Threats, whether natural or man-made, are always around us. Our only defense is to maintain our awareness of the environment and do our due diligence the best we can. Having multiple layers of security (also referred to as "defense-in-depth") is the logical way to address the risk. We have to determine what the tradeoff is when implementing a security solution. What's the value of our asset(s), and how much is it going to cost us in time / energy / money / resources to secure it? Would you pay a thousand dollars for security software to protect a laptop (and the data on it) that's only worth a hundred? Probably not. But maybe paying fifty dollars for the same asset value would be worth it.

There's nothing wrong with installing anti-virus, a host-based firewall, an intrusion detection agent, and other security software. Having multiple monitoring products can increase the overall posture as well as the perception of security (at perhaps the cost of reduced computing performance). However, not all threats are based at the data layer. Having all that protection software installed ultimately doesn't secure you from someone sneaking up behind you, snatching your laptop out of your hands, and taking off. Then your ability to access your data is lost. Being able to access your information when you need it is just as important as securing it from unauthorized access / modification / deletion / theft from network attacks.

In other words, a large part of security is also dependent on the operator in front of the keyboard.

Computer security is not a trivial thing. It's not just software solutions, hardware tokens, encryption capabilities, or cable locks. It's a constantly-evolving broad subject area requiring awareness, knowledge, and proactive action to maintain the required balance between risk mitigation and cost. It's the physical environment as well as the virtual world of data that we can't smell or touch. Unfortunately, having complete awareness of all existing threats is neither realistic nor practical for most people, especially non-technical users (hence why reliance on conveniently-packaged software solutions is commonplace). There's a lot of faith placed in software's ability to provide a defense mechanism, but realize that it's not the complete picture. How you work with computing environments plays a big part in how much risk you're exposing yourself to in the grand scheme of things.

However, there are some basic approaches one can take to significantly reduce the risk. Using least-privilege (not running as an administrator), understanding the tools that you're using (like your operating system), maintaining a little paranoia, and following the advice of those that do real security work can go a long way.

I recommend reading Basic Performance and Security Health for Windows for more information..

Go back to the main articles list.