I hope you’re all prepared. This month, it is time to vent my anger. Last month, we discussed the second stage in the “Five Stages of Employment”: realism. After the ignorant bliss of idealism, and the looming clouds of realism, those clouds become the thunderheads of anger. This is the stage when one still hopes that they can change the problems in their job, and all too often exhibit frustration regarding the difficulties they face.
In the first month, we talked about one of the things that took me from idealism to realism. I was speaking with a security guy who was angry that his CEO insisted YouTube was essential for morale, despite the security problems it caused them.
The prospect of writing a single page on the things which are aggravating about security is a little overwhelming. It is a subject that could easily fill a weighty tome. But I will narrow it down to a slim five items:
1. Few companies know about or perform risk assessment, leading to appalling security holes due to neglected parts of their networks.
2. Many home users think that because CNN is not discussing virus outbreaks, malware is no longer a concern.
3. Popular opinion of anti-virus (AV) software is that it is designed to protect against all viruses and is therefore the only security you need.
4. Cybercrime law lags behind technology so it is exceedingly difficult to prosecute people who profit by creating malware.
5. Much of the information given about computer security is entirely contradictory.
The first point, I could illustrate with enough stories to fill yet another book large enough to beat whales with, none of which is particularly amusing: Everything from forgotten machines with decade-old AV products (pumping out a museum of viruses from ancient to modern), failing to keep employees from surfing porn, and failing to password-protect Wi-Fi.
The third point is probably the most controversial, and we can thank point five for that. AV software is, at its most basic and common, signature-based. That is to say, a researcher must look at a piece of malware and decide what makes it unique in order to add it to detection. That is remarkably hard to do with unknown malware, unless you’re channeling Edgar Cayce. This is why most modern anti-malware products now include some sort of behavior-based technology. This is essentially taking a step back – not looking for signatures of known malware, but behavior identified as potentially malicious based on known malware techniques. It still does not cover the “infinite space” of potential malware behavior, though it does get us much closer. You still need layered defenses to help bridge any gaps.
Arguably my other points would be less irksome if we could effectively prosecute cybercriminals, making creation of malware less profitable and desirable. But presently miscreants move at internet speed, and law enforcement officers move at the speed of law, which is to say glacially. By the time they can act, evidence is often long gone. And in cases where they have solid evidence against someone to prove sufficient monetary damage, the trail will lead to a country where we don’t have extradition agreements and successful prosecution becomes vastly less likely.