
Cisco CSO Says Antivirus Money "Completely Wasted"

mernil writes with an excerpt that kicks off a story at ZDNet Australia: "Companies are wasting money on security processes — such as applying patches and using antivirus software — which just don't work, according to Cisco's chief security officer John Stewart. Speaking at the AusCERT 2008 conference in the Gold Coast yesterday, Stewart said the malware industry is moving faster than the security industry, making it impossible for users to remain secure."
  • Agreed (Score:5, Insightful)

    by pak9rabid ( 1011935 ) on Thursday May 22, 2008 @11:12AM (#23505656)
    Why pay for it, when there are plenty of free alternatives?
  • Re:Agreed (Score:4, Insightful)

    by Eg0Death ( 1282452 ) on Thursday May 22, 2008 @11:13AM (#23505676)
    Do you know of any free alternatives that can be administered at the network/Domain level?
  • by somersault ( 912633 ) on Thursday May 22, 2008 @11:13AM (#23505684) Homepage Journal
    Companies are wasting money on Windows ;)

    Patching software does work though, I don't see the alternative if you have an exploitable bug in your code? You want that code fixed. It doesn't matter if no damage can be done to your system, you still want all your applications running as expected.
  • by johndiii ( 229824 ) * on Thursday May 22, 2008 @11:14AM (#23505706) Journal
    If your security works, nothing happens. So it's easy to say that money is "wasted". If the security doesn't work, the problem is a little more obvious.

    I read this story yesterday, and the quote is a little misleading. Here's the context:

    "If patching and antivirus is where I spend my money, and I'm still getting infected and I still have to clean up computers and I still need to reload them and still have to recover the user's data and I still have to reinstall it, the entire cost equation of that is a waste."

    "It's completely wasted money," Stewart told delegates.
    Exactly. If it does not work, the money spent on it is wasted. Not exactly controversial.
  • Riiight. (Score:5, Insightful)

    by SatanicPuppy ( 611928 ) * <SatanicpuppyNO@SPAMgmail.com> on Thursday May 22, 2008 @11:15AM (#23505720) Journal
    But all the money spent on Cisco's obscenely overpriced security appliances is well spent, right?

    There are a lot of people profiteering in the computer security market, and Cisco is up there.
  • by tepples ( 727027 ) <tepples.gmail@com> on Thursday May 22, 2008 @11:19AM (#23505788) Homepage Journal
    From the article:

    A better way of dealing with the unknown is to use whitelists -- where only authorised or approved software can execute, said Stewart.

    "I'm sick of blacklisted stuff. I've got to go for whitelisted stuff -- I know what that is because I put it there," he said.

    This might work for a corporate environment. But how will PC users in home environments know what to put on a whitelist and what not to put on a whitelist?
  • by Coopjust ( 872796 ) on Thursday May 22, 2008 @11:21AM (#23505826)
    The A/V industry is having difficulty keeping up with the ever evolving and growing malware industry, but "completely wasted"? I don't think so.

    For Geeks who delete suspicious emails, use Thunderbird (so emails are not rendered in the IE engine), etc., sure, an AV may be a useless waste of CPU cycles. But for the nontechnical user, it's important. While it's difficult to keep up with outbreaks, it's important for older viruses in the wild- something Grandma may not catch.

    Now, as for a whitelist. Dumb idea. It puts too much power in the hands of AV companies (who can say "$$$ to get on the list!"), or if users can change it, they'll get "IMPORTANT WINDOWS UPDATE- REMEMBER TO ADD TO YOUR WHITELIST!". What about unsigned programs? Updated versions?

    A whitelist might work for children, for work PCs, for other non-administrators. But people ultimately want to install their own programs without the blessing of company XYZ.

    And, as a geek, I strongly disagree that it's impossible to remain secure, it just takes a little training. I know nontechnical users, I teach them for 10 minutes, and they have good habits. Don't open emails saying "A greeting card from a classmate", don't run unsolicited programs, if you get an email saying it's from chase.com "Important Account Update" visit their site directly, etc. Those habits go a long way, along with some layered protection (ZoneAlarm Free, Router w/ a firewall, Avast Home, Immunize in SpywareBlaster, and Immunize in Spybot S&D). That user still has some trouble with some tasks, but with a little common sense and some good protection, they've stayed infection free for 4 years.

    (And, of course, I fix the computer as a friend, and I occasionally run rootkit detection and AV from a LiveCD just to make sure).
  • by Tridus ( 79566 ) on Thursday May 22, 2008 @11:22AM (#23505844) Homepage
    "And the risks and losses would be much greater."

    Based on what? The cause of infection is pretty much the same with or without AV software:
    - Application exploits (AV software only stops known ones, all the new ones constantly coming out get through just fine)
    - Stupid users saying "sure I want to run this random .exe file someone emailed me" (AV software is no help at all)

    I'm not seeing any real world evidence that AV software is reducing the damage being done by all these viruses.

    I mean really, when was the last time you had AV software catch a virus that would have otherwise infected your system?
  • Re:Agreed (Score:5, Insightful)

    by morgan_greywolf ( 835522 ) * on Thursday May 22, 2008 @11:26AM (#23505904) Homepage Journal

    "Why pay for it, when there are plenty of free alternatives?"
    No, he's saying the free alternatives are wasted effort as well.
  • I agree. But... (Score:2, Insightful)

    by hyperz69 ( 1226464 ) on Thursday May 22, 2008 @11:27AM (#23505920)
    Even if you made every OS somehow 99.999% malproof somehow. Someone would still be selling a Norton-like utility that you need. Security is big business, since fear is the best motivation for buying you can have.

    If they couldn't justify the fear, they would themselves research the holes JUST so they have something to patch or utility to sell us. While in a perfect world we could just patch our OSes for bugs and no need for anything running in the background to protect us from boogie men. Companies like Norton, McAfee, and *yes* Microsoft are going to make sure WE NEED THEM, since they see us more as $'s than end users.
  • clam (Score:5, Insightful)

    by Lord Ender ( 156273 ) on Thursday May 22, 2008 @11:30AM (#23505970) Homepage
    Cisco is integrating ClamAV into their "Cisco Security Agent" HIDS product. They clearly think AV is useful, just not other people's AV.
  • by mweather ( 1089505 ) on Thursday May 22, 2008 @11:31AM (#23505984)
    My roof will always leak, so I shouldn't bother fixing the gaping holes?
  • by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Thursday May 22, 2008 @11:37AM (#23506112) Homepage
    AV is like putting more and more buckets in the attic to catch leaks, rather than fixing the holes.

    If your roof isn't leaking all those buckets are wasted money.

    If they're norton buckets they're also (a) glued to the floor so you can't use them anyway, and (b) full of holes themselves.
  • by pak9rabid ( 1011935 ) on Thursday May 22, 2008 @11:37AM (#23506132)
    Who says the alternatives have to be anti-virus applications? ;)
  • by jellomizer ( 103300 ) on Thursday May 22, 2008 @11:38AM (#23506144)
    Well, it is not completely a Windows problem. If people stop using Windows then malware writers will make their stuff work on a different platform. Granted, Windows' need to run as administrator to do some basic tasks makes it easier to do stuff. But how many newbie Linux users run as root all the time? Also, much of the malware takes advantage of social hacking, making the person want to click to add and hit OK for the security alerts. However, if you leave a Linux server running unpatched for a while, chances are someone will get in; I have seen that multiple times, even recently. If someone can get in then it is just as possible for a virus to do the same. In some ways it may be more devastating, as a virus script can log in through an unpatched security hole, or a user with a bad password... then install itself on the new system. Heck, it may even have access to GCC even as non-root, recompile itself to be platform independent and spread to the next box, and often on an open intranet.

    The main problem with Windows is there are too many Windows users, a better security design (however more difficult to maintain) would have a more diverse set of systems. Windows, Unix, Linux, other... so when there is a problem it would be more difficult for it to spread.

    It is easy to blame Windows but Windows has actually gotten fairly secure over the past decade. And it is nowhere as bad as it used to be.
  • Re:I'm a believer (Score:3, Insightful)

    by richlv ( 778496 ) on Thursday May 22, 2008 @11:38AM (#23506164)
    i don't think it can be called "hardware" prevention here. pulling out the cable, that would be hardware prevention, but in this case you have software solution, only you have pushed it to another device. this changes the layout, but the approach stays the same.
  • Re:Agreed (Score:5, Insightful)

    by m.ducharme ( 1082683 ) on Thursday May 22, 2008 @11:44AM (#23506274)
    Only if your time is worth nothing to you. :-p
  • by DAldredge ( 2353 ) <SlashdotEmail@GMail.Com> on Thursday May 22, 2008 @11:45AM (#23506294) Journal
    140,000,000 sold copies and 5-15 times the desktop share of Linux isn't "businesses rejecting Vista in droves."
  • Antivirus as virus (Score:5, Insightful)

    by pubjames ( 468013 ) on Thursday May 22, 2008 @11:46AM (#23506314)
    I'm sure it's a common experience to Slashdotters to have a friend/relative show them their PC that they think it has a virus because it runs so slowly, when of course the reason it is running so slowly is all the anti-virus crap installed on it.
  • by thermian ( 1267986 ) on Thursday May 22, 2008 @11:46AM (#23506316)
    "The problem is Windows"

    Don't be naive. The problem is simply worse for Windows because windows is the most heavily used OS.

    This idea that Linux is immune from viruses is just stupid. It's not the primary target of most malware, but it is a target. A poorly configured Linux server is pure gold to a spammer.

    Thinking that you are safe just because you use Linux is, well, dumb.

    And as for Apple's various OS products? Well they have only a tiny market share. There isn't going to be the same return on investment of time and effort to attack that as much as windows is attacked.
  • In other news... (Score:3, Insightful)

    by saleenS281 ( 859657 ) on Thursday May 22, 2008 @11:48AM (#23506362) Homepage
    Cisco says they have a great new hardware firewall that will stop *ALL* malware. You just need to sign a contract indemnifying them should you have a malware outbreak on your network...
  • by jedidiah ( 1196 ) on Thursday May 22, 2008 @11:56AM (#23506476) Homepage
    Not quite.

    The fact remains that the OS vendor here is in the habit of finding new ways to do boneheaded things with software. You could even say that you are far less likely to have Windows malware problems if you avoid as much Microsoft product as possible while running Windows.

    This is not unlike how earlier versions of Windows were much more crash prone if you use MS apps as well.

    This brings up an interesting problem of using Microsoft software on other operating systems. That's bound to create problems that would not exist on a platform otherwise.

    Yes, sometimes a particular manufacturer (like McDonalds or GM) just makes crap.
  • by bigtomrodney ( 993427 ) * on Thursday May 22, 2008 @11:59AM (#23506532)

    "Well, it is not completely a Windows problem. If people stop using Windows then malware writers will make their stuff work on a different platform. Granted, Windows' need to run as administrator to do some basic tasks makes it easier to do stuff. But how many newbie Linux users run as root all the time?"
    I really don't buy that targeted-system argument. It takes a lot more to damage a Unix-like system for architectural reasons. I can tell you first hand that every new user coming to linuxforums.org is given a good earbashing on why they shouldn't run as root and 99% accept the reasons and move on. With newbie-friendly distros like Ubuntu actually preventing you from logging in as root the number really dwindles. Logging in as root is something that users only do for the first couple of days until they learn better.

    "Also, much of the malware takes advantage of social hacking, making the person want to click to add and hit OK for the security alerts."
    Unix systems don't have execute-by-default permissions.

    "However, if you leave a Linux server running unpatched for a while, chances are someone will get in; I have seen that multiple times, even recently."
    There's a difference between a directed attack and the type of stuff most Windows users are experiencing. And even with that in mind a lot of distros don't run ssh or other listening services by default. Add to that in this day and age the majority of people are behind NAT routers which require you to specifically forward a port to gain access from the WAN.

    "The main problem with Windows is there are too many Windows users"
    That's certainly motivation but that doesn't mean that a switch to Mac/Unix/Linux/BSD/whatever by all will let the malware follow with the same success.

    "a better security design (however more difficult to maintain) would have a more diverse set of systems. Windows, Unix, Linux, other... so when there is a problem it would be more difficult for it to spread."
    Glad we can agree!

    "It is easy to blame Windows but Windows has actually gotten fairly secure over the past decade. And it is nowhere as bad as it used to be."
    I would certainly agree with this. I wouldn't switch back to Windows in a mad fit but I'll give them marks for effort.
  • by Tenebrousedge ( 1226584 ) <.tenebrousedge. .at. .gmail.com.> on Thursday May 22, 2008 @12:00PM (#23506552)
    I know people who bought antivirus products for a Mac. It speaks more to their gullibility than anything else. Probably if you're dumb enough to think you need it, you need it.
  • by HerculesMO ( 693085 ) on Thursday May 22, 2008 @12:05PM (#23506612)
    It's a question of proliferation of malware.

    Why would a malware writer write software that will only affect technically elite users? The goal in his eyes, is to damage as many people as possible through the least path of resistance.

    That means Linux simply isn't targeted.

    This is a stupid question.
  • by Animaether ( 411575 ) on Thursday May 22, 2008 @12:06PM (#23506626) Journal
    okay, genuine question... who's got statistics on malware infections on windows that can be used to separate 'by trickery' versus 'by automated exploit'.

    And 'by trickery' I would take anything from "double-click this exe in this e-mail to see naked chicks!" to "you must download this program to play this audio file"; i.e. anything that actually requires the user to okay the action taken in one way or another.

    Automated I would assume anything that either requires no user interaction whatsoever (somebody hacks into the machine remotely) OR happens as part of a drive-by (old outlook exploits, old IE activeX exploits), and throw in the "print list of links" exploit from a week or so ago that is an exploit of a non-default feature, but certainly a feature when enabled wouldn't give the user the impression that it might do Bad Things (as opposed to a checkbox saying "automatically load and execute any programs referenced from a web page".. or something of the sort).

    IF those statistics show the latter category to outnumber the former by a large factor - yay, Go Linux/BSD/whathaveyou.
    If not - I'm sorry, but other operating systems would be affected just as well. Okay, perhaps the malware can't gain root; woop-dee-doo if the purpose of the malware is to simply connect to web servers / send e-mail / do anything the -user- might do, and is allowed to do, themselves.
  • by jon3k ( 691256 ) on Thursday May 22, 2008 @12:06PM (#23506636)
    The problem is the users. No matter how secure you make an operating system users will still click on every link and give people their passwords.
  • Re:Agreed (Score:1, Insightful)

    by cryptodan ( 1098165 ) on Thursday May 22, 2008 @12:13PM (#23506748) Homepage

    If it is created by man then man can break it. Can you make an Operating System that contains millions of lines of code 100% error free and 100% optimized?

    Also can you make it free from errors that may allow hackers to exploit code remotely?

    Tell me you can, then create it. You would be a millionaire overnight. You would also have more time as you wouldn't need to patch it because it would be the perfect operating system.
  • by Shados ( 741919 ) on Thursday May 22, 2008 @12:13PM (#23506762)
    If you have that kind of knowledge and the ability to install all that stuff, then there IS nothing to catch. With the very rare exception of a media exploit or something (like the old jpeg exploit, which virtually none of the above would notice at the source), just "knowing what you're doing" will allow you to avoid damn near 99.999% of malware. I have a dozen Windows machines, used for just about everything, from gaming to work, and I download a lot of software, browse a lot of web sites...

    None of my machines have anti-virus on them (I use one-shot scanning tools every couple of months to be sure all is good), and I have only ever caught ONE virus, which I noticed with my 2 eyes 5 minutes after I caught it, on a totally out of date lap-top that I hadn't used in over a year (so it wasn't updated), through the COM+ jpeg exploit. And I sure don't have anything beyond a 40$ NetGear router.

    There simply isn't all that much to catch, unless you take needless risks.
  • Re:Agreed (Score:5, Insightful)

    by Beardo the Bearded ( 321478 ) on Thursday May 22, 2008 @12:21PM (#23506870)
    Don't you get it?

    The bad guys have access to all the same tools you have. They can get their hands on ClamWin, Avast, AVG, etc. They have full access to Windows in any flavour, every variety of Mac OS, and the rainbow of Linux. These aren't script kiddies farting around in their parents' basement. The "bad guys" are groups of organized professionals that know more about your computer than you do.

    THE MALWARE DOES NOT GET DETECTED BY ANTIVIRUS SOFTWARE BECAUSE THE WRITERS TEST IT USING THE SAME TOOLS WE USE!

    To completely harden your system against an intrusion, you have to patch every single hole and then guarantee that there are no more holes. Further, every program that you install on your computer has to be guaranteed to have no holes. Finally, all your hardware (AND its firmware, I'm looking at YOU, 2-wire!) has to pass the same test - NO HOLES! Ask MS how happy they were with the folks who made GoldenEye.

    To hack into a system, you merely have to find ONE hole. That's it. You're banking the health of your computer on the hopes that not one single person has put in an exploitable bug. Nobody on sourceforge made an error. None of the "featured articles" on TDWTF are in your code. None of the lowest bidders from Elbonia pasted together snippets from codesamples.com. All your pointers are bound, all the copying templates are limited (K&R, I'm calling YOU out on this!), and your multi-threaded application is coded properly. Did someone stay up until midnight to meet an arbitrary deadline? Is your program "good enough for who it's for"?

    And you, just now, said, "I want to spend as little as possible on my security systems". Now, I fully agree that the free alternatives are significantly better than the ones that come bundled with your HP-branded Staples Windows Vista Ultimate Ice-Cream PC (Printer Included with Bundle). But the attitude is, "I'll slap on a few quick and easily downloadable programs and call my system secure." The bad guys get these programs too, and they probably know them as well, or better than, the authors.

    One error, anywhere, and your security becomes "by obscurity". That's really what I use at work and at home. I don't have anything valuable on my computer, and I am not a worthwhile target for phishing, exploiting, hacking, etc.

    Any system is exploitable. One error. That's all it takes.
  • Re:Cure the viri (Score:2, Insightful)

    by jeiler ( 1106393 ) <go.bugger.off@g[ ]l.com ['mai' in gap]> on Thursday May 22, 2008 @12:27PM (#23506942) Journal

    My platform of choice is Ubuntu. And unlike the AC who started this sub-thread (or like you, evidently), I'm not enough of a moron to believe that I'm invulnerable.

    The biggest security problem with any platform is not the platform itself, but the user. If the user does something stupid (like opening up an insecure attachment), then they've got a problem. Anti-virus and patch programs can only go so far in protecting users from their own stupidity.

  • Re:Agreed (Score:5, Insightful)

    by Z00L00K ( 682162 ) on Thursday May 22, 2008 @12:30PM (#23506986) Homepage Journal
    There exists malware for both Apple and Linux too, but not in the same volume as for Microsoft's OS:es.

    And it's not completely useless to have anti-virus software on your machine, but the problem is that they are always a bit behind so there are always a few that take a hit before the propagation is halted by updated AV software.

    Unfortunately there have been too many mistakes made throughout history with the intent of making it easy for users to work with a computer. This way of relaxed behavior is kicking back because it also makes it easy to create malware.

  • Re:Agreed (Score:5, Insightful)

    by Z00L00K ( 682162 ) on Thursday May 22, 2008 @12:37PM (#23507102) Homepage Journal
    If you are a malware writer you only have a few days for your application to kick in or the AV companies will keep up. So it's not completely futile to run AV software but you will get some that aren't caught. The difference is that if no AV software was employed we could have a computer pandemic.

    So even if AV software isn't the best solution but merely a patch it at least protects us somewhat.

    But what's needed is a completely different design of the operating systems we have. SELinux is far too weak in reality - even if it is a good step forward it is very static in its behavior. It is also necessary to have more dynamically adapting operating systems that can see overall patterns and be able to lock down certain processes if they start to behave in an unexpected way.

  • Re:Agreed (Score:1, Insightful)

    by Anonymous Coward on Thursday May 22, 2008 @01:19PM (#23507834)
    It's a tad naive to think that your "100% honest opinion" is automatically not a troll. I have a feeling it was modded as such since you presented the exact same tired argument that goes on twice a day, every day, and has for the past 10 years on /. and will probably keep going for the next 10 years on /.. If you choose to partake in this argument, be prepared for all kinds of disagreeable modding of your comments.

    Fair warning!
    (says the anonymous coward as to protect his nonexistent karma)
  • Re:Agreed (Score:4, Insightful)

    by Tom ( 822 ) on Thursday May 22, 2008 @01:34PM (#23508082) Homepage Journal

    "The bad guys have access to all the same tools you have."
    That was 20 years ago. Today, malware is being developed for profit, for the Russian mafia or some other organized crime. Unless you're a top security researcher, the bad guys have access to more and better tools than you have.
  • Re:Agreed (Score:3, Insightful)

    by LurkerXXX ( 667952 ) on Thursday May 22, 2008 @02:07PM (#23508612)
    Personally, I'm not trying to harden every single desktop I have against all possible exploits. It's simply too much work to tempest-proof everything.

    I have an air-bag in my car as well. It doesn't guarantee I'll live in all car crashes. But it will save me in some. And the risk/benefit is enough that I like to have an airbag in my car.

    I'll also continue to run an anti-virus scanner on my computers. I know full well they won't save me from bad behavior and many/most nasty root-kits, etc, but they will save me from some.
  • by jsebrech ( 525647 ) on Thursday May 22, 2008 @02:11PM (#23508668)
    "There is also the danger that a program could trick me into entering my password when its true intentions are nefarious, thereby getting the required permission to trash my computer. The only way to defend against that is to be very careful about when and where I enter my admin password, but that's true of any OS."

    That's not necessarily a defense. The virus could modify code that runs just after a legitimate privilege escalation, and then wait until the next time you need to perform that privileged action.

    I admit it raises the bar for virus writers though.
  • Re:Agreed (Score:5, Insightful)

    by stonecypher ( 118140 ) <stonecypher@noSpam.gmail.com> on Thursday May 22, 2008 @03:55PM (#23510328) Homepage Journal
    When I was your age, this joke was still funny.
  • Re:Agreed (Score:1, Insightful)

    by Anonymous Coward on Thursday May 22, 2008 @04:51PM (#23511060)
    You mean, apart from the one where minimum wage will always be a baseline, and if you raise it everything gets more expensive to match it?

    Fact is that you're not supposed to "live on minimum wage." If you're living on it, you've done something very wrong with your career or career prospects. Minimum wage is for kids in high school or college looking to make a few bucks, or some seniors supplementing their retirements at Wal Mart. If you're not in school anymore or retired, you should not be making minimum wage.

    Minimum wage increases *beyond inflation* are only political ploys to gain poor votes. Note that I'm not saying that minimum wage shouldn't increase, but it should only be adjusted every year or two for inflation. To do more would only increase inflation.
  • by Hojima ( 1228978 ) on Thursday May 22, 2008 @08:15PM (#23512992)
    Using your comparison of malware to the real life scenario of your house being broken into, it's impossible to make a house that can't be penetrated (or would be so difficult that it's not worth it). It would be the equivalent of building a fortress and running it with the various employees. Assuming people wanted to get into your house to bug it for information (i.e. spyware), it would be much more efficient to have a cheap house that you can demolish and rebuild.
