Disclaimer: as always, these are my own opinions, and don't necessarily reflect the opinions of my past or current employers.
To be read with Eminem - Loose Yourself in the background
I've just finished an
intervention at a large company. They had a
major virus problem and we were brought in to offer
expert advice. Broadly, the situation was as follows:
- Somebody brought in an infected USB stick with one of those autorun worms on it (from which a dime is a dozen)
- It infected their computer
working environmentconsisted out of filservers sharing out programs which the clients mapped out as (writable!) drives. The infection quickly spread to these shares (the worm just saw them as drives and copied itself there).
- As other clients started connecting to those shares, they too got infected. Now different people have to run different applications from different servers, meaning that the infection quickly spread (through infected clients which had mapped drives from more than one server) to around (we were told) 300 servers around the country.
- To make matters worse, this was a slightly advanced version: it had file infecting capabilities (so simply deleting the dropped file from the root of the share didn't solve the problem, because in the meantime it infected the other - writable! - executables from the share), making its spreading even faster. It also injected itself in other processes and killed off security solutions
We offered up several solutions, from which they choose a suboptimal one, but even so, they will manage to eradicate this infection in a couple of days. However, it was a truly eyeopening (in the worst possible sense) experience. Mind you, I'm talking here about a company which has enough cash to buy a large portion of the country!
- They were more interesting in buying a somewhat effective solution than implementing an internal solution which - although would have needed some work from - would protect them from this and many other possible problems.
- The IT guys seemed generally clueless. Their level of knowledge didn't change much as we went up the hierarchy, but they arrogance went up and their willingness to listen declined dramatically...
In general, the situation (and their level of expertise) wasn't much different from what I saw over at a smaller company I've helped out with some IT advice, even though they were bigger by a factor of 2-3.
This go me thinking: do we know what we don't know? How much are people willing to trust summaries and sound-bytes while putting critical thinking on hold? In the area of IT-security (and probably in all other areas, but this is where I have first hand experience) it seems that everyone (and I mean everyone - even more technical people who should
know better) lives on the few quotes got from the even fewer researchers. And even they can not be trusted entirely, because those of them who like to give quotes the most are media junkies who will spin (almost) anything just to get in the news.
You just need to apply a little common sense here. Its easy, like 1, 2, 3. Here it goes: police didn't eradicate crime. You pay your police forces (wherever you might be) some amount of money (indirectly, through taxes most probably) some amount of money, which is probably more than 20 EUR / year (the approximate price for an AV license). So why do you think that smaller organizations (security companies - even combined - are smaller than police forces - and this assumes that they cooperate, not compete - which is not the case) for less money can keep you safer in the
virtual world than police forces can do it in the physical world? And remember: crime happens even though we have police forces!
Or take an other simple demonstration: what type of security product is the most widely used currently? The known malware scanner (
Anti-Virus). What does this mean? It means that the company has to have a sample of the malware (or a variant of it) before it can add detection for that. Where do the companies these samples? From infected customers mostly! Now, it may not always be their customers (they may get it through sample exchange from an other company), but still, somebody has to get infected. So today, it might not have been you who provided the new
warning sign of a disease (the outbreak of a malware family), but tomorrow you maybe the one. This is far the shiny reality the security product makers advertise to the public.
So who do we turn to? To experts of course. For example the AV-Comparatives organization is quite a well regarded one. If you look at their results, you should see almost all products scoring above the 90% mark, while most scoring above the 95% mark (the top one scoring between 97% and 99%). Sounds great, doesn't it? But lets apply just a little critical thinking. How many different types of malware is out there? Hard to say (given that there is no universally accepted (or easy for that matter) definition for
malware family, but a number 1 000 000 is a good start. So, with one million malware families out there, even the best AV fails to protect you from 10 000 of them! In my opinion there is a co-dependence between testing organizations and AV vendors which prevents them from coming out and giving the straight news: even with AV, you have a good chance of getting infected. Still, you can crunch the numbers yourself.
Or here is an other expert: a pony tailed media junky who is
available for phone interviews on virus and security -related questions and speaks English with a funny accent. Of course he works for a great company which has labs all over the world. But take a look at their flagship product. They are licensing most of the technology from Kaspersky Labs (a thing they usually omit to mention). Still, in tests (like the one published by AV-Comparatives), they manage to get smaller scores that the ones of Kaspersky (hey, they supposed to add detections to the already present ones, not remove them!?) and have slower scanning speed. In fact their score was lower than the one of two free products (Avast! and AVG).
Of course, you can
manage risk. It's simple, even a forth grader should understand it: risk = probability * loss. But how do you calculate it when your
experts have no or almost no idea what the probability is? You can only hope... All you need is
love faith, because only blind faith can explain how leaders from large companies all over the world became to believe that their IT security problem can be solved with less money, in less time and fewer people than their physical security for example.
It will be a rude awakening, but until then: sweet dreams. And to the other side: happy hunting (if you can even call this a hunt - it is more like a massacre with the pray lying at your feet without moving)...