Back to Top

Sunday, July 08, 2007

Computer immune system

Disclaimer: this post (as all the others) are my personal opinion and do not necessarily represent the opinions of any of my past or current employer.

From time to time I get questions from people like: how to best secure my computer? or which security products to use?. Other times they me is product X any good? or argue that product Y stops 99% of the threats, so it must be good!.

My first response is: look at the independent tests. But the actual response it much more complicated:

One thing that all people should realize that there exists no such thing as perfect security. Unfortunately this is something that is quite shocking at first (although it is not so shocking it you stop to think about it a bit: for example in the physical world there is no perfect security either). Every measure you take is only a risk reduction measure. So don't expect to solve the problem of computer security by throwing a lot of money at it!

An other surprising factor: security by obscurity is a valuable risk reduction strategy in computer security. While you should not rely on it as your sole defense, it can improve your (computer) security considerably, because the bad guys are capitalists themselves and want to optimize their revenue / effort ratio, which usually means: target the most common configuration. So here is (a no way exhaustive list) of the characteristics of a common setup (this may be biased because its based on the system I've seen lately):

  • It runs Windows XP
  • It uses Internet Explorer
  • It runs as administrator or at least an user with Power User privileges
  • It uses Windows Media Player or Winamp for media playback
  • It uses Yahoo! Messenger or MSN Messenger (which I think is now called Live Messenger) for chatting. Skype is also common.

This means that the following steps reduce your risk. Of course you have way the costs against the benefits of every item you may or may not implement.

(All the enumerated software is free for personal use - most of time also for commercial use, but please do check - and/or open source)

Here are some additional steps you could take to improve your security:

  • Disallow scripting on web pages (entirely, or selectively)
  • Block the execution of programs from all paths, except those which are needed.

I've put these items separate because they need a more active intervention during their execution and also need constant adjustment. One thing I want to emphasize here that many of these measures work not because they inherently improve security, but because they create a playing field the attacker did not anticipate.

One very good example for this is the fairly recent ANI exploit, where many security experts advised to turf off javascript as a way of preventing exploitation. The thing is that it worked, not because the vulnerability had anything to do with Javascript, but because the attackers counted on Javascript being enabled on most computers and used it to obfuscate the exploit code. Later many more exploits appeared which made no use of Javascript and thus worked perfectly with it turned off!

This is one of the reasons why alternatives are more secure than the thing used by the majority. If all the computers were using the same software, a vulnerability found it it could bring down a very large percentage of them (as the Morris worm demonstrated). This is also why the Microsoft market dominance is such a big problem.

A final thing I wanted to mention: with security products the attacker has the upper hand most of the time. S/he can test the malware against it as many times as s/he would like to ensure that it's not detected / prevented. This is why the big two (or three) AV companies have usually slower reaction times than smaller ones. Although they can write generic detections for classes of malware as good as less known ones, malware authors will usually tweak their malware until it's not detected by them (and before you ask, detecting malware generically is mathematically impossible, although there exists a perfect antivirus :-)). This is also why smaller security vendors seem to provide seem to provide better protection, however it is likely that if they would face the same situation they would perform the same (or worse) as the big players.

In conclusion: diverge from the mainstream where possible, however keep your eye on the cost (if you're responsible for the IT in a company, take into account the time and cost it would take to re-train your users to handle the changes). When evaluating security products ask yourself: is this effective because the way most other products work or does it provide transparent security (as opposed to securtiy by obscurity)?. Because this is a hard question to answer (if you don't work in the field), try asking the following (mostly) equivalent question (which is somewhat easier, although still hard): can I think of any way to circumvent this system?

These things need to be considered because there are targeted attacks out there (and by targeted I don't mean necessarily you or your company, although that is the worst case because then the attacker can perfectly adapt her/his strategy to your counter measures, it can mean all users for a certain country, all users of a certain service/product and so on).

1 comment:

  1. Another big tip:

    If you're running Windows, you're probably running somewhere between 5-25 services that you don't need, shouldn't want, and ought not to expose to the network, especially if you're on the public net (e.g., your laptop on a coffee-shop wireless hotspot).


    are good resources to get you started there.