White Paper Security Doesn’t Come In A Box!

The Myths Revealed

Computer security is a common topic in the popular press these days. Many people dread using their PCs, because they are afraid that someone will try to take advantage of them if they make a single mistake -- and they are unfortunately right! Computer hackers have evolved from maladjusted “kids” working alone to impress other maladjusted “kids” with their feats, to sophisticated networks of off-shore and domestic racketeers.

But some people still think: “I don’t use the computer often enough, or long enough, to be concerned.” Or: “My computer is one of millions out there – no one’s going to find me.” And: “I only open emails from people I know, and I delete the rest, so I’m safe.” Unfortunately, these folks are wrong.

When I first started using the broadband Internet over ten years ago, I was required to use software that tracked “probes” against my PC. I was scanned by bad guys for a security hole every fifteen minutes; imagine the number of scans an unprotected PC would see today! And, if the PC of someone you know, or the PC of someone who knows someone you know, is compromised, it’s easy to be fooled by an email “from address.” The most common attack these days is “spoofing”: the sender pretends to be an organization you trust that they do not actually represent.

Most users concerned about computer security think that the answer is simple: buy a product, for instance a popular antivirus application; or use a different Web browser; or use a different operating system (for the truly independent!); and … voila, your security problems are solved!

Those users who have experienced a problem despite following the above advice, or those who have researched computer security a little, think the solution lies in more boxes: certain Internet service providers, anti-spam products, firewalls, anti-spyware, VPNs (Virtual Private Networks), security appliances, etc. We are encouraged to think this by aggressive marketing in our consumerist society.

But, it’s what the advertisers DON'T tell you that makes the difference. And here’s the unvarnished truth: products alone are NOT the solution.

The unfortunate truth is that relying on a product strategy is doomed to fail: each of the major antivirus companies has had major flaws revealed in the last year (as of this writing on 12/11/2006) that enable the very compromises that they were designed to prevent! And, unfortunately, the antivirus vendors’ historical response to spyware (hidden software that tracks your Internet activity to pop up ads, or worse, records your keystrokes or probes your private files) was to first ignore it, and then, when it became an outrage, to try to use it to sell more products, rather than incorporate protection against it in the existing products. While the number of flaws mentioned above is a bit unusual, the buzz in the security industry is that antivirus products will be the target of hackers for years to come, just because so many people rely on them alone for protection!

Switching Web browsers is another often recommended but very questionable security practice: Mozilla Firefox, the major alternative to Microsoft Windows®’ included Internet Explorer® browser, has been patched six times in the last six months as of this writing! Those who propose switching to another browser miss these obvious truths: 1) Internet Explorer is still installed (and can’t be removed from operating systems after Microsoft Windows® 98); 2) it is still required for many valid uses and certain Web sites; and 3) thus it still needs to be patched for security purposes. Even worse: many of the plug-ins used to add features (Flash, QuickTime, etc.) for Firefox are installed separately from the equivalent ones used in Internet Explorer, so they need to be patched separately as well! Adding a second browser application simply increases the amount of attention to patching required, and increases the need for user training in secure practices.

As for alternate operating systems ... that’s the topic of a whole other discussion. Suffice it to say for now that, for most businesses and many homes, it just isn’t a relevant option.

Professional Thinking

Serious information technology people, like VB Expressions, think and talk a lot about computer security. We have a wider perspective. In addition to preventing the direct siphoning of cash from financial accounts of our customer/partners through stolen credentials, we have to consider additional types of potential harm.

At the lowest level, poorly written(!) or partially blocked spyware can make a system run poorly, so that it doesn’t perform its intended functions efficiently. Or, the attempt to invade may result in a machine that crashes and won’t start up at all, and requires a total rework.

Worse: if the “bug” is network-aware, it may affect PCs other than the one first compromised. If the worm is aggressive enough, it may infect networked storage, requiring restoration of clean data from a backup.

When the attack is subversive enough, it may send our partner customer’s financial data to places unknown. (What would your customers think if it was revealed that a compromise of their privacy happened because they did business with you?)

Or, the attack may use our customer’s site as a base for stealing OTHERS’ data (many of the “phishing” emails I get link to hijacked home computer sites on a cable or DSL connection). I attended a conference where an FBI cyber-security agent stated that the burden of proof is on the OWNER of the PC involved in a theft to show that THEY are not involved in the crime.

The Better Way

Information technology folks SHOULD tell you: computer security is a PROCESS; products are part of the equation, but must be matched with updates and monitoring to be truly effective. Note the mentions above of patches/updates: as part of a successful security process, updates are at least as important as products, since all software products have exploitable flaws.

There are three major types of security patches/updates that must be periodically applied: 1) patches to the underlying operating system, most often Microsoft Windows®, and its included applets or libraries; 2) patches for widely distributed and often-attacked applications, such as Microsoft Office®, antivirus and antispyware products, Adobe (Acrobat) Reader®, Adobe Flash Player®, Sun Java® Virtual Machine, and media players (Windows Media Player®, RealPlayer®, QuickTime Player®, etc.); and 3) anti-virus and anti-spyware definitions that allow these (required) applications to respond to newly discovered threats.

Operating system patches are the most important patches one can do. The operating system is like the foundation of the house; if it crumbles, no amount of above-ground improvements matter.

Microsoft has a sophisticated multi-level patching strategy for its operating systems and applications to mitigate business interruption; they also do more internal testing for compatibility than most vendors. Microsoft updates are typically released on the second Tuesday of each month from a centralized update source to facilitate planning and testing.

Automatic installation of patches/updates is the ideal, but cannot always be realized. Restarts of computers after patches are almost always required, so completely automatic patching risks loss of data and/or user state. And, unfortunately, incompatibilities between patches and third-party applications and hardware can result in PCs that do not restart successfully. Professional monitoring of update and patch installations is always recommended to minimize this sort of potential problem. And if none of your PCs will start as a result of a “safety measure” against a flaw that might never have affected you, how much better off will you be? For small businesses, a test run on a single PC with professional supervision is the most practical operating system update strategy.

Each application vendor has some sort of patching strategy as well. Some are well thought out, but many assume the PC is used only for their products! Some leave the old versions installed, or do not test thoroughly, causing crashes. Therefore these patches can be problematic and time-consuming. Obtaining updates can also be a problem, requiring proof-of-purchase logins or the like to obtain the patch for testing and distribution. Are you expert enough to follow this process, and handle the resulting disruptions, or should an IT pro be on your team?

Anti-virus and anti-spyware definitions can normally be applied automatically without issues, but they need to be monitored periodically for success. Sometimes, in the course of acting against a threat, these security tools themselves become damaged, and their effectiveness is limited or destroyed. Worse yet, they may LOOK like they’re in place and working when in fact they are not.
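The monitoring the paper calls for in the three paragraphs above (operating system patches against the monthly release cycle, and definition updates that must be checked for success rather than assumed) can be reduced to a small compliance report. The script below is an added example, not code from the paper or from VB Expressions; the hostnames, dates and field names are constructed, and the three-day definition-age threshold is an assumed policy value. It computes the most recent second-Tuesday release date for a given day, flags hosts whose operating system patches predate it, and separately flags the "looks fine but isn't" case: an antivirus service reported as running whose definitions are stale.

```python
"""Patch and definition compliance check (added example; constructed data)."""
from datetime import date, timedelta

# Date the report is run "as of" (constructed; the paper was written 12/11/2006,
# a few days before the December 2006 release, so mid-December is used here).
AS_OF = date(2006, 12, 15)

# Assumed policy: definitions older than this many days count as stale.
MAX_DEF_AGE_DAYS = 3


def second_tuesday(year, month):
    """Return the second Tuesday of the month (Microsoft's usual release day)."""
    first = date(year, month, 1)
    # weekday(): Monday=0 ... Tuesday=1; distance from the 1st to the first Tuesday
    offset = (1 - first.weekday()) % 7
    return first + timedelta(days=offset + 7)


def latest_patch_tuesday(as_of):
    """Most recent second Tuesday on or before as_of (handles the January rollover)."""
    release = second_tuesday(as_of.year, as_of.month)
    if release > as_of:
        year, month = (as_of.year - 1, 12) if as_of.month == 1 else (as_of.year, as_of.month - 1)
        release = second_tuesday(year, month)
    return release


# Constructed inventory, shaped like what a monitoring agent might report per PC.
INVENTORY = [
    {"host": "pc-01", "last_os_patch": date(2006, 11, 14), "av_running": True,  "av_defs": date(2006, 12, 14)},
    {"host": "pc-02", "last_os_patch": date(2006, 12, 13), "av_running": True,  "av_defs": date(2006, 12, 14)},
    {"host": "pc-03", "last_os_patch": date(2006, 12, 12), "av_running": True,  "av_defs": date(2006, 11, 2)},
    {"host": "pc-04", "last_os_patch": date(2006, 12, 12), "av_running": False, "av_defs": date(2006, 12, 14)},
]


def check_host(rec, as_of, max_def_age_days=MAX_DEF_AGE_DAYS):
    """Return a list of findings for one host; an empty list means compliant."""
    findings = []
    release = latest_patch_tuesday(as_of)
    if rec["last_os_patch"] < release:
        findings.append(f"OS patches predate the {release.isoformat()} release")
    if not rec["av_running"]:
        findings.append("antivirus not running")
    def_age = (as_of - rec["av_defs"]).days
    if def_age > max_def_age_days:
        # A running service with old definitions is the case the paper warns about:
        # it looks protected on the surface but is not responding to new threats.
        label = "antivirus running but definitions stale" if rec["av_running"] else "definitions stale"
        findings.append(f"{label} ({def_age} days old)")
    return findings


def compliance_report(inventory, as_of):
    """Map each host to its findings."""
    return {rec["host"]: check_host(rec, as_of) for rec in inventory}


def run_report():
    """Run the report over the constructed inventory as of AS_OF."""
    return compliance_report(INVENTORY, AS_OF)


if __name__ == "__main__":
    for host, findings in run_report().items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{host}: {status}")
```

Run it as-is to see the four constructed hosts: only pc-02 is clean, pc-01 missed the December release, pc-03 has a running antivirus whose definitions are six weeks old, and pc-04 has current definitions but no running service. In practice the inventory dictionary would be filled from whatever the update and antivirus tools report, and the report reviewed on a schedule rather than trusted once.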

Therefore you can see: computer security is a proCESS, not a proDUCT. If you rely on a process instead of a product you will have better results; if you are able to develop that process and service it by yourself, more power to you! If you need help, information technology professionals like VB Expressions are more than willing to help you.

I hope that this discussion has helped clarify the problems and solutions available. Please feel free to contact VB Expressions for further discussion.