Cisco CSO Says Antivirus Money "Completely Wasted"

mernil writes with an excerpt that kicks off a story at ZDNet Australia: "Companies are wasting money on security processes — such as applying patches and using antivirus software — which just don't work, according to Cisco's chief security officer John Stewart. Speaking at the AusCERT 2008 conference in the Gold Coast yesterday, Stewart said the malware industry is moving faster than the security industry, making it impossible for users to remain secure."
  • Quick linux question (Score:5, Interesting)

    by thecheatah ( 977630 ) on Thursday May 22, 2008 @11:14AM (#23505690)
    As a desktop linux user, has anyone EVER gotten a virus? Or better yet has any anti-virus program saved your ass?
  • WTF? (Score:3, Interesting)

    by Enlarged to Show Tex ( 911413 ) on Thursday May 22, 2008 @11:16AM (#23505734)
    Unless he's expressing his vested interest in using hardware firewalls to keep viruses and malware away from the end user PC, this statement makes absolutely no sense.

    Generally, a rational botnet creator would tend to try to pwn the low-hanging fruit first - i.e. the ones that have no updates, malware detection, AV, etc. Only if he/she is unable to get a large enough botnet after applying those tools would one resort to the higher-level techniques.

    It's rather like saying that Timothy McVeigh would rather have used nuclear ordnance when a U-Haul full of fertilizer served his purpose just fine...
  • by Anonymous Coward on Thursday May 22, 2008 @11:20AM (#23505816)
    Related question:

    For you Wine users, have you ever received a Windows virus or other piece of malware targeted at Windows which has proceeded to wreak havoc on your system? Furthermore, were you able to use any form of antivirus program to fix it, whether it be a Linux native program such as ClamAV or, more interestingly, a Windows antivirus solution running inside Wine?
  • by Paradigm_Complex ( 968558 ) on Thursday May 22, 2008 @11:33AM (#23506028)
    http://www.winehq.org/pipermail/wine-users/2005-January/016730.html [winehq.org] Just limit wine to your ~/.wine/drive_c folder. Should you catch a Windows virus, it can't do any more harm than messing up that one folder. I've purposefully tried to get my wine directory owned before - wine is getting pretty good, 'cuz I succeeded(ish) :D Don't know about fixing that kind of thing with some AV, I just deleted the folder and copied everything from backups, as one usually would with a VM.
  • by flyingfsck ( 986395 ) on Thursday May 22, 2008 @11:36AM (#23506084)
    "Don't open dubious email" is bulldust. The email program should be secure. I can click on anything and everything with wild abandon and never have any trouble on either my Windows or Linux systems.
  • Agree somewhat (Score:3, Interesting)

    by SCHecklerX ( 229973 ) <greg@gksnetworks.com> on Thursday May 22, 2008 @11:38AM (#23506162) Homepage
    AV is completely wasted money. Patching isn't. Especially for systems that expose that particular service to a hostile network. Internally behind firewalls, not as much of a threat, but should still be addressed. It all comes down to risk assessment. AV simply tries to solve a user stupidity issue with technology. That will never work, while making your systems less stable and more costly to maintain in the process.
  • by Anonymous Coward on Thursday May 22, 2008 @11:39AM (#23506174)
    The problem is Windows, and Microsoft could have fixed much of this, but decided that having an insecure OS, and making security and virus protection a profit center really will be their downfall.
    Look at high severity security exploits for XP SP2+ and more so Vista (even pre SP1). Choose your security reporter and even though these OSes are very popular they have a very low high-sev count. You can no longer say Windows is the problem; you can say Windows WAS the problem.
  • by Hojima ( 1228978 ) on Thursday May 22, 2008 @11:53AM (#23506424)
    Just get a separate hard drive or a flash drive and store the stuff you need there. Then have a reformatting partition on your drive and press F11 during startup to clean everything out. If this process were faster and easier, anti-virus would be out of business completely.
  • by cHiphead ( 17854 ) on Thursday May 22, 2008 @12:13PM (#23506744)
    Every XP license my clients buy through open license, etc. IS A VISTA LICENSE with the XP downgrade option.
  • by Lumpy ( 12016 ) on Thursday May 22, 2008 @12:17PM (#23506824) Homepage
    Exactly. I had 2 requests for PC clean and repair. It would cost the PC owner $400.00 for my cleaning and repair. I told them that they can go to dell.com and buy a new one WITH a 20" flat panel screen for less than my fee.

    Windows PCs are cheapie throw-aways. Get a virus infection, toss it and get a new one.

    And yes it IS profitable to me. I still get $100.00 for data backup and moving, plus I get a PC from them for free to recycle that I sell on eBay for $100.00 with a fresh reinstall of XP from its COA sticker.

    I make money, they spend the same AND get a new better machine. It's a win-win.
  • by iminplaya ( 723125 ) on Thursday May 22, 2008 @12:39PM (#23507122) Journal
    Then have a reformatting partition on your drive and press f11 during startup to clean everything out.

    That's a bit complex. Why not just run a live CD then? Cache it into RAM, and it runs very fast.
  • by Lumpy ( 12016 ) on Thursday May 22, 2008 @12:52PM (#23507346) Homepage
    Reinstalling the OS and all software and moving the data ALSO costs $400.00 because of the time involved.

    90% of PC owners do not have the ability to install Windows XP; it's just too difficult.
  • Re:Agreed (Score:4, Interesting)

    by Tom ( 822 ) on Thursday May 22, 2008 @01:38PM (#23508160) Homepage Journal

    SELinux is far too weak in reality
    Come again? I've got a long list of stuff I'd wish SELinux were better in, but "weak" isn't anywhere on it, and I think of myself as knowing quite a bit about it. What exactly do you mean by "weak"?
  • by Crayon Kid ( 700279 ) on Thursday May 22, 2008 @01:39PM (#23508170)
    I find it very interesting, as well as sad, to see this kind of solution. You're basically saying "you can't protect against malware, let's give up and use backup as the only defense".

    Is this really what it's like? Is having malware violating your personal computer the norm? Is it really impossible to design secure OSes and applications from the ground up instead of making them full of holes and relying on "solutions" that pick up the pieces? Is it really better to do damage control than prevention?

    I find that very hard to believe. I think it's more likely that the current state of the software industry is based on complacency and no respect for the customer and his or her personal data.

    If it turned out that the maker of your main door lock made a shoddy product that allowed anybody to unlock it and have their way with your house... you'd be mad, right? You'd hold them responsible, want your money back, never buy from them again, maybe even sue them and ask for reparations if they acted like assholes.

    But when your personal computer gets broken into you don't make a peep, you just sigh and use a backup, if you have one. Then it's back to the torture of finding and paying for antimalware, knowing full well that one day you'll get shafted again.

    Someone please explain this self-abuse to me. The only explanation I've come up with is that people are ignorant and/or brainwashed into thinking there's no alternative so they'll put up with anything and think that's how it's supposed to work.

    The software industry needs to grow a spine, take responsibility and stop all the "no guarantees" crap. Then maybe, just maybe, we'll see some improvement on the malware front.
  • Re:Agreed (Score:2, Interesting)

    by Coldmoon ( 1010039 ) <mwsweden@ y a h o o . com> on Thursday May 22, 2008 @02:08PM (#23508636)
    Not goofy at all. Virtualization has benefits that traditional security can't offer and never will be able to offer.

    A new/old method is to use Instant System Recovery (ISR) solutions. Though they require some adjustment in thinking and deployment, once set up you can get rid of any unwanted content (Malware certainly falls within this category) with a simple reboot of your computer.

    The largest stumbling block to general acceptance of these solutions has been their complexity and cost. Things are changing however with the recent developments in what has been coined "Light Virtualization" solutions like the Returnil Virtual System (returnilsoftware (dot) com) that supports entering "shadow" mode without requiring a reboot of the computer.

    Though ISR will not detect or block malware, it will ensure that the computer is clean after a restart and all System Partition changes are gone. No improper removals, missed detections, or left over junk to track down...

    Though I disagree with Stewart's assessment that AV is a "waste of money" I agree that it has been ineffective as a front-line cure to the problem.

    AV's are necessary if only to provide negative feedback on the effectiveness of your security configuration...

    Mike
  • by Junior J. Junior III ( 192702 ) on Thursday May 22, 2008 @03:17PM (#23509702) Homepage
    Following the "virus" metaphor from biology, if the computer is an organism, and AntiVirus is part of its immune system, we should realize that at some point, just like any biological organism, the system will die.

    A healthy system may have the latest and best immune system known to man, but this does not guarantee and should not be construed to mean that the system is invulnerable or immortal. It is merely immune or resistant to the diseases that it has been exposed to or evolved resistance or immunity to.

    We don't expect medical science to ever eradicate all disease and make us perfectly healthy; why do we think it's possible for computers? (Or conversely, why do we think that building an immune system is wasted effort?)

    Then again, perhaps Turing/von Neumann machines and biological organisms aren't so similar after all. It's hard to assess whether this extended metaphor is too forced to be useful or not.
  • Re:Agreed (Score:5, Interesting)

    by Thelasko ( 1196535 ) on Thursday May 22, 2008 @07:02PM (#23512460) Journal
    Yes! exactly. I'm no sysadmin, but I understand that running a virtual machine firewall on a host that is insecure makes none of it more secure. To be secure, it has to be the other way around. The host has to be the secure machine.

    This whole thing makes me wonder why there isn't a lightweight Linux distribution whose sole purpose is to run another OS in a virtual machine. A user could then run a firewall/etc on this hypervisor to protect the guest.

    I know Vista is supposed to do this, but let's face it, it's a big target, and it's created by Microsoft.
  • Re:Agreed (Score:2, Interesting)

    by testcase61 ( 1294202 ) on Thursday May 22, 2008 @10:15PM (#23513618)
    Actually, security is not about technology at all. It's about economics.

    We get hung up on the minutia of security, and toss around old chestnuts about obscurity and user responsibility, but that kind of thinking has finally run us aground. It has no future.

    At the end of the day, cracking systems is work, and crime is a business. The only systems that are really at risk are the ones that can be exploited profitably in some way, and only in that way.

    This means in practice that we don't have to protect all conceivable access points, we really only have to deny an exploiter a profit from their troubles.

    If you think about it, there are many very simple and creative ways that you can deny a criminal a profit without in fact limiting your own utility. For example, I can create a throw-away instance of a machine on a grid that will do everything I want it to do, and then when it's done, I simply shut it down. So a black hat has maybe 20 minutes to crack my system and exploit it to hell and gone before I throw it away.

    Now maybe I've got the entire credit card database for the world's largest bank on that machine, or maybe not - the bad guy has to *pay up front* to find out, and he has to move fast. Even if he's made a good bet, he can still be denied his profit because I might shut down before he's found what he needs. He only has to try this a few times before he works out his ROI from attacking me is a big fat negative number, and gives it up as a bad joke.

    Who cares that this is "security by obscurity?" That's just a slogan. What I'm saying is that we are thinking of security in the old Cold War way, Spy vs Spy, treating it like it was an arms race. Well, nobody ever wins an arms race except the arms merchants.

    We need to stop obsessing about plugging holes. By all means, we should do the obvious. But flip their ROI and it's all over. This is the universal vulnerability of all computer crime.
  • by MacDork ( 560499 ) on Friday May 23, 2008 @02:15AM (#23514622) Journal

    I don't have to cite thousands of potential malware infections to prove the claim false--one will suffice.

    AC didn't say malware. There has never been a Mac OS X virus. Ever. Period. And by your own admission, even worms and trojans are incredibly rare. Feel free to cite a virus if you can, I'd love to read about the thing if it were to exist.

  • Re:Agreed (Score:2, Interesting)

    by billcopc ( 196330 ) <vrillco@yahoo.com> on Saturday May 24, 2008 @01:21PM (#23529304) Homepage
    The way the virtual machine does its thing is quite simple. Here goes nothing:

    You disable TCP/IP on the physical network interface, so the Windows box can't talk to the internet. This forces it to route its junk through the virtual machine, which exposes a private network between the host and VM. The VM, in turn, has a second virtual network interface that's bridged to the host's physical interface. Since the VM runs its own TCP stack, it can still talk to the world even though the host is deaf and dumb.

    Conceptually, the VM gets inserted between the ethernet level and the TCP level. Barring any freak hypervisor weaknesses, the worst that can happen is for someone to root the VM... they can't break through to the host.
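The gateway-VM topology billcopc describes, rendered as an added example that is not from the thread: it adapts the same layout to a Linux host (an assumption; the post is about a Windows host), emits the interface commands as a dry-run plan, and checks a sample address table for the "host is deaf and dumb" property. Interface names, the 192.168.100.0/24 link and the VM gateway address are constructed.

```bash
#!/usr/bin/env bash
# Added example: VM-as-gateway topology on a Linux host (assumed names/addresses).
PHYS_IF=eth0             # physical NIC: becomes a bare bridge port, no IP of its own
HOSTONLY_IF=virbr0       # private host<->VM link; host side is .1
VM_GW=192.168.100.2      # VM's address on the private link (assumed)

# Constructed sample of `ip -o -4 addr` output from a correctly configured host:
# only loopback and the host-only link carry an IPv4 address.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
3: virbr0    inet 192.168.100.1/24 scope global virbr0'

# Dry run: print the commands that build the topology (applying them needs root).
plan_gateway_vm() {
  cat <<EOF
ip addr flush dev $PHYS_IF
ip link add br-phys type bridge
ip link set $PHYS_IF master br-phys
ip link set br-phys up
ip link add $HOSTONLY_IF type bridge
ip addr add 192.168.100.1/24 dev $HOSTONLY_IF
ip link set $HOSTONLY_IF up
ip route replace default via $VM_GW dev $HOSTONLY_IF
EOF
}

# Check: given `ip -o -4 addr` output, succeed only if the physical NIC has no
# IPv4 address and the host-only link does, i.e. the host's only path is via the VM.
host_is_dark() {
  local addrs="$1"
  if printf '%s\n' "$addrs" | grep -q "[[:space:]]$PHYS_IF[[:space:]].*inet"; then
    return 1   # host still speaks IP on the wire directly
  fi
  printf '%s\n' "$addrs" | grep -v 'inet 127\.' \
    | grep -q "[[:space:]]$HOSTONLY_IF[[:space:]].*inet" || return 1
  return 0
}
```

Run `plan_gateway_vm` to see the commands and `host_is_dark "$(ip -o -4 addr)"` on a live host to verify the property after applying them.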
