Security Industry Faces Attacks It Can't Stop

itwbennett writes "The takedown of the Mariposa botnet and so-called advanced persistent threat attacks, such as the one that compromised Google systems in early December, were hot topics at the RSA conference last week. What both Mariposa and the Google attacks illustrate, and what went largely unsaid at RSA, was that the security industry has failed to protect paying customers from some of today's most pernicious threats, writes Robert McMillan. Traditional security products are simply not much help, said Alex Stamos, a partner with Isec Partners, one of the companies investigating the APT attacks. 'All of the victims we've worked with had perfectly installed antivirus,' he said. 'They all had intrusion detection systems and several had Web proxies scan content.'"
  • failed? (Score:4, Interesting)

    by Lord Ender ( 156273 ) on Friday March 12, 2010 @02:35PM (#31454378) Homepage

    the security industry has failed to protect paying customers from some of today's most pernicious threats

    This is a terribly ignorant statement. The security industry has actually succeeded in protecting paying customers from all but the most pernicious threats. IT security is about reducing risk, and that's what it does--successfully.

  • Re:First (Score:2, Interesting)

    by Anonymous Coward on Friday March 12, 2010 @02:53PM (#31454612)

    How can a perfectly installed AV detect a new virus or malware that does not have a previously identified signature? Or is being implemented in an entirely new way which is not currently in the AV or security program's list of possible intrusion scenarios? AV and security programs are nothing more than window dressing, allowing IT execs to say, "Look, we are doing all we can to prevent these problems; what else can I do?" Their bosses see the programs running and believe they are safe.

    An AV program will never prevent new viruses. Once a new virus is in the wild it will infect a certain number of users; once it is recognized to be a new virus, the AV companies will create a definition for it. There are always a few unlucky ones who will be infected; this is a given, but not something any AV company will admit to. At this point it is the responsibility of the IT staff to do the only guaranteed thing which will remove the virus: format the drive and reinstall the OS. Too many people feel they can remove the infection, and while this may be true in a very limited number of cases, there is always the possibility that the virus your AV has recognized is a variant which is still unknown.

    Let's face it, the only reason people realize they have a virus is because their computer starts acting "funny". A well-written virus may never produce any indication of an issue and may go on working happily until either the user renews their AV program or retires their computer.
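The signature problem the comment above describes, as an added worked example (not code from the article, the commenter, or any AV vendor): a toy scanner with three hypothetical signature styles run against a constructed, benign stand-in sample and two trivially edited variants of it. The sample bytes, the signature names and the host c2.example.invalid are all made up for this example; nothing here is real malware.

```python
import hashlib
import re
from typing import Dict, List

# Constructed, benign stand-in for a malware binary: a fake header followed by
# a hard-coded "beacon" string. Nothing here is real malware.
HEADER = b"MZ\x90\x00"
BEACON = b"CONNECT c2.example.invalid:4444"
ORIGINAL = HEADER + BEACON + b"\x00" * 8

# Hypothetical signature database, written after ORIGINAL was analysed.
# Three signature styles of increasing looseness.
HASH_SIGS: Dict[str, str] = {
    hashlib.sha256(ORIGINAL).hexdigest(): "Trojan.Example.A",
}
BYTE_SIGS: Dict[bytes, str] = {BEACON: "Trojan.Example.A"}
REGEX_SIGS = {
    re.compile(rb"CONNECT [a-z0-9.\-]+:\d+"): "Trojan.Example.gen",
}


def scan(sample: bytes) -> List[str]:
    """Return the signature hits for a file image, tagged by signature style."""
    hits: List[str] = []
    digest = hashlib.sha256(sample).hexdigest()
    if digest in HASH_SIGS:
        hits.append("hash:" + HASH_SIGS[digest])
    for pattern, name in BYTE_SIGS.items():
        if pattern in sample:
            hits.append("bytes:" + name)
    for regex, name in REGEX_SIGS.items():
        if regex.search(sample):
            hits.append("regex:" + name)
    return hits


def variant_retarget(sample: bytes) -> bytes:
    """Attacker edit #1: point the beacon at a different port. One byte changes."""
    return sample.replace(b":4444", b":4445")


def variant_obfuscate(sample: bytes, key: int = 0x5A) -> bytes:
    """Attacker edit #2: XOR-encode everything after the header so the beacon
    string is never present on disk; the program decodes it at runtime."""
    body = bytes(b ^ key for b in sample[len(HEADER):])
    return sample[:len(HEADER)] + body


def decode_at_runtime(sample: bytes, key: int = 0x5A) -> bytes:
    """What the obfuscated variant does in memory before use: undo the XOR.
    A memory scan would see the plaintext again; a file scan never does."""
    return variant_obfuscate(sample, key)  # XOR with the same key is its own inverse


if __name__ == "__main__":
    for label, image in [("original", ORIGINAL),
                         ("retargeted", variant_retarget(ORIGINAL)),
                         ("obfuscated", variant_obfuscate(ORIGINAL))]:
        print(f"{label:11s} -> {scan(image)}")
```

Running scan on the three inputs gives three hits, one hit, and none: a single-byte port change already defeats the hash and exact-byte signatures, and XOR-encoding the body defeats all three until the program decodes itself in memory. That lag between a variant appearing and a definition covering it is exactly the window the comment describes, and it is why memory and behaviour inspection get layered on top of file scanning.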

  • by Lunix Nutcase ( 1092239 ) on Friday March 12, 2010 @02:54PM (#31454622)

    As for who has the authority ... that would be the anti-virus vendor. The same people who you've given the authority to tell you what is a virus today.

    So the same people that this article is pointing out that are failing to actually protect people? Oh and let's not even get to how many false positives and negatives that are well-known to happen with all the security suites.

  • by Jah-Wren Ryel ( 80510 ) on Friday March 12, 2010 @02:57PM (#31454674)

    I'm sure there are some exceptions to my experience, naturally. But these niche applications generally seem to be very expensive and primitive.

    Back before beowulf clusters were common and most all supercomputers were priced in the 9 digits there was a phrase well known in the community - "Supercomputing is a synonym for unreliable computing."

    In other words, if the market is small you suffer from all kinds of problems because there aren't enough users to generate enough bug reports and despite the high per unit pricing, volume is so low that there isn't enough money to pay for all the Q&A beyond the core functionality.

  • by dave562 ( 969951 ) on Friday March 12, 2010 @03:34PM (#31455198) Journal

    It didn't go completely undetected.

    http://community.websense.com/blogs/websense-features/archive/2010/01/21/security-bulletin-aurora-internet-explorer-zero-day-attack.aspx [websense.com]

    FWIW - I'm not a Websense employee. We just use their products as part of a multi-layered defensive strategy. They had mitigation mechanisms in place a week before Google, Adobe, et al acknowledged that they had been compromised.

    Obviously Websense isn't a magic bullet. They wouldn't have prevented the initial infection. All they did was notice the infection after the fact and then worked to contain the spread.

  • by localman57 ( 1340533 ) on Friday March 12, 2010 @03:42PM (#31455318)

    It depends on what you're trying to do. A very targeted virus that successfully penetrates a single high value target may be a lot more valuable than yet another virus that creates yet another botnet.
  • by tepples ( 727027 ) <tepples.gmail@com> on Friday March 12, 2010 @03:53PM (#31455486) Homepage Journal

    In a whitelisting system, how do ISVs get their products and updates to their products into the major antivirus companies' whitelists? Sure, a business's IT department should handle that in a business situation, but home users often don't have a competent IT department.
  • OS8MT (Score:3, Interesting)

    by da5idnetlimit.com ( 410908 ) on Friday March 12, 2010 @03:57PM (#31455528) Journal

    well, my BIND does announce itself as a win95 Beta version...
    and my semi-automated countermeasures do ban your IP for 24 hours every time it detects something I didn't explicitly allow
    and my firewall rules begin with Deny All

    I just love heterogeneous IT systems... makes it moderately harder to penetrate.

    But hey, just a suggestion to all the preceding posts : /sarcasm engaged
    IF OSX IS SO SECURE, WHY NOT MAKE ALL WAN FACING FIREWALLS/PROXIES WITH MACS //sarcasm ends, logic loop detected
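The "deny all, and ban anything not explicitly allowed for 24 hours" policy in the comment above, as an added example (not the commenter's own setup and not the output of any real firewall): a small ban-list tracker fed constructed log lines in a simplified format invented for this example. The allow list, the log format and the addresses are all assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable

BAN_DURATION = timedelta(hours=24)

# Hypothetical explicit allow list of (protocol, destination port). Anything
# not listed is treated as unauthorised, matching a deny-all baseline.
ALLOWED = {("tcp", 22), ("tcp", 443), ("udp", 53)}

# Constructed log lines in a simplified format chosen for this example; not
# real iptables or pf output. One line is junk and one has a bogus source.
SAMPLE_LOG = """\
2010-03-12T14:35:01 proto=tcp src=203.0.113.7 dport=23
2010-03-12T14:35:02 proto=tcp src=198.51.100.9 dport=443
this line is not a firewall record
2010-03-12T14:36:10 proto=tcp src=203.0.113.7 dport=3389
2010-03-12T15:00:00 proto=udp src=192.0.2.44 dport=161
2010-03-12T15:00:01 proto=udp src=not-an-ip dport=161
"""

LINE_RE = re.compile(r"^(\S+) proto=(\w+) src=(\S+) dport=(\d+)$")


class BanList:
    """Maps source IP -> ban expiry. Each new unauthorised hit renews the window."""

    def __init__(self) -> None:
        self.expiry: Dict[str, datetime] = {}

    def ban(self, ip: str, seen_at: datetime) -> None:
        self.expiry[ip] = seen_at + BAN_DURATION

    def is_banned(self, ip: str, now: datetime) -> bool:
        until = self.expiry.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.expiry[ip]  # lazy expiry: the ban falls off after 24h
            return False
        return True

    def banned_at(self, ip: str, iso_timestamp: str) -> bool:
        """Convenience wrapper taking an ISO 8601 timestamp string."""
        return self.is_banned(ip, datetime.fromisoformat(iso_timestamp))

    def process(self, lines: Iterable[str]) -> int:
        """Feed log lines; return the number of ban decisions taken."""
        decisions = 0
        for line in lines:
            m = LINE_RE.match(line.strip())
            if not m:
                continue  # not a firewall record; ignore rather than act
            ts, proto, src, dport = m.groups()
            try:
                ipaddress.ip_address(src)       # reject garbage sources
                seen_at = datetime.fromisoformat(ts)
            except ValueError:
                continue  # malformed record: never ban on unparsable input
            if (proto, int(dport)) in ALLOWED:
                continue  # explicitly allowed traffic is never a trigger
            self.ban(src, seen_at)
            decisions += 1
        return decisions


if __name__ == "__main__":
    bl = BanList()
    print("bans taken:", bl.process(SAMPLE_LOG.splitlines()))
    for ip, until in sorted(bl.expiry.items()):
        print(f"{ip:15s} banned until {until.isoformat()}")
```

Two details matter in practice: the ban is renewed on every hit, so a scanner that keeps probing stays locked out, and a line that does not parse as a firewall record with a valid source address is ignored rather than acted on. An auto-ban that acts on untrusted text is itself a denial-of-service lever, since whoever can get strings into the log chooses who gets banned.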

  • by Lunix Nutcase ( 1092239 ) on Friday March 12, 2010 @05:07PM (#31456526)

    You mean like how OSX and Linux does WITHOUT Antivirus?

    And you mean like Windows has done since Vista also without antivirus? Or do you think UAC doesn't exist?
