Back to Top

Friday, September 26, 2008

What you are willing to pay for

Disclaimer: as always, these are my own opinions, and don't necessarily reflect the opinions of my past or current employers.

To be read with Eminem - Loose Yourself in the background

I've just finished an intervention at a large company. They had a major virus problem and we were brought in to offer expert advice. Broadly, the situation was as follows:

  • Somebody brought in an infected USB stick with one of those autorun worms on it (from which a dime is a dozen)
  • It infected their computer
  • Their working environment consisted out of filservers sharing out programs which the clients mapped out as (writable!) drives. The infection quickly spread to these shares (the worm just saw them as drives and copied itself there).
  • As other clients started connecting to those shares, they too got infected. Now different people have to run different applications from different servers, meaning that the infection quickly spread (through infected clients which had mapped drives from more than one server) to around (we were told) 300 servers around the country.
  • To make matters worse, this was a slightly advanced version: it had file infecting capabilities (so simply deleting the dropped file from the root of the share didn't solve the problem, because in the meantime it infected the other - writable! - executables from the share), making its spreading even faster. It also injected itself in other processes and killed off security solutions

We offered up several solutions, from which they choose a suboptimal one, but even so, they will manage to eradicate this infection in a couple of days. However, it was a truly eyeopening (in the worst possible sense) experience. Mind you, I'm talking here about a company which has enough cash to buy a large portion of the country!

  • They were more interesting in buying a somewhat effective solution than implementing an internal solution which - although would have needed some work from - would protect them from this and many other possible problems.
  • The IT guys seemed generally clueless. Their level of knowledge didn't change much as we went up the hierarchy, but they arrogance went up and their willingness to listen declined dramatically...

In general, the situation (and their level of expertise) wasn't much different from what I saw over at a smaller company I've helped out with some IT advice, even though they were bigger by a factor of 2-3.

This go me thinking: do we know what we don't know? How much are people willing to trust summaries and sound-bytes while putting critical thinking on hold? In the area of IT-security (and probably in all other areas, but this is where I have first hand experience) it seems that everyone (and I mean everyone - even more technical people who should know better) lives on the few quotes got from the even fewer researchers. And even they can not be trusted entirely, because those of them who like to give quotes the most are media junkies who will spin (almost) anything just to get in the news.

You just need to apply a little common sense here. Its easy, like 1, 2, 3. Here it goes: police didn't eradicate crime. You pay your police forces (wherever you might be) some amount of money (indirectly, through taxes most probably) some amount of money, which is probably more than 20 EUR / year (the approximate price for an AV license). So why do you think that smaller organizations (security companies - even combined - are smaller than police forces - and this assumes that they cooperate, not compete - which is not the case) for less money can keep you safer in the virtual world than police forces can do it in the physical world? And remember: crime happens even though we have police forces!

Or take an other simple demonstration: what type of security product is the most widely used currently? The known malware scanner (Anti-Virus). What does this mean? It means that the company has to have a sample of the malware (or a variant of it) before it can add detection for that. Where do the companies these samples? From infected customers mostly! Now, it may not always be their customers (they may get it through sample exchange from an other company), but still, somebody has to get infected. So today, it might not have been you who provided the new warning sign of a disease (the outbreak of a malware family), but tomorrow you maybe the one. This is far the shiny reality the security product makers advertise to the public.

So who do we turn to? To experts of course. For example the AV-Comparatives organization is quite a well regarded one. If you look at their results, you should see almost all products scoring above the 90% mark, while most scoring above the 95% mark (the top one scoring between 97% and 99%). Sounds great, doesn't it? But lets apply just a little critical thinking. How many different types of malware is out there? Hard to say (given that there is no universally accepted (or easy for that matter) definition for malware family, but a number 1 000 000 is a good start. So, with one million malware families out there, even the best AV fails to protect you from 10 000 of them! In my opinion there is a co-dependence between testing organizations and AV vendors which prevents them from coming out and giving the straight news: even with AV, you have a good chance of getting infected. Still, you can crunch the numbers yourself.

Or here is an other expert: a pony tailed media junky who is available for phone interviews on virus and security -related questions and speaks English with a funny accent. Of course he works for a great company which has labs all over the world. But take a look at their flagship product. They are licensing most of the technology from Kaspersky Labs (a thing they usually omit to mention). Still, in tests (like the one published by AV-Comparatives), they manage to get smaller scores that the ones of Kaspersky (hey, they supposed to add detections to the already present ones, not remove them!?) and have slower scanning speed. In fact their score was lower than the one of two free products (Avast! and AVG).

Of course, you can manage risk. It's simple, even a forth grader should understand it: risk = probability * loss. But how do you calculate it when your experts have no or almost no idea what the probability is? You can only hope... All you need is love faith, because only blind faith can explain how leaders from large companies all over the world became to believe that their IT security problem can be solved with less money, in less time and fewer people than their physical security for example.

It will be a rude awakening, but until then: sweet dreams. And to the other side: happy hunting (if you can even call this a hunt - it is more like a massacre with the pray lying at your feet without moving)...

4 comments:

  1. Anonymous1:13 AM

    are they (the company you mentioned) protected against autorun-malware now or simple desinfected?

    I bet you said it couldn't be happen if they they worked w/o admin rights.

    They said it is easy to buy some software which install drivers and hook the windows instead to teach everyone security.

    ReplyDelete
  2. In my experience, about 1/2 of the people that work in information technology are unqualified.

    ReplyDelete
  3. To clarify some things for anonymous: the users were running without admin rights, but the shares they used (where the executables were located) were mapped with read/write rights, because - supposedly - some programs didn't run if they didn't have write permissions.

    I'm not really sure what the current status is. My impression was that their final plan was to install AV software on all the client and server machines. While this will solve their (current) problem, it is suboptimal in the sense that until the whole network is cleaned, clients might be blocked from running the software - for example in the case when a client has an AV software and the server doesn't and the files on the server are infected.

    Some of the alternatives we've offered were some registry settings to push to all the desktops to prevent programs running through autorun.inf, but supposedly "they have already done it".

    ReplyDelete
  4. Daniel C.2:46 AM

    FSecure doesn't have all the KAV technologies and I don't think that the free AV products were tested at AV comparatives (there are "profesional" versions of them that you pay for ... avast, avira and avg have them ). As you said (in different words :P), computer viruses are like biological ones : they are known of after they infect hosts( in the 18th century we didn't know about HIV ), so we may as well try to prevent than clean. Prevention is supposed to be a requirement for the user, which should have a more careful of the health of his computer as his own health ( considering the things that could be stolen or exploited off his computer ).

    ReplyDelete