Security is an ecosystem, not a product


People talk about security as though it's something you can buy and sell. They don't always think of it as something you can buy with money; sometimes they think of it as something they can buy with the right choices in technology and personal practices. While this is less incorrect than the notion you can buy security with money, it is not the whole story.

Usually, when people try to make their computers secure, they're looking for the right tool to make them secure. People tend to have opinions about what constitutes:

  • the right antivirus software
  • the right firewall
  • the right spam filter
  • the right browser
  • the right operating system
  • and so on

There's no such thing as "the right" any of those to achieve "security". There are, at any given time, some choices that are better than others. Some choices are more secure than others. Some impose greater costs on the user than others, as well. Some, believe it or not, may be exceedingly good (for right now) at providing security within their specific area of specialization but introduce other vulnerabilities that you may find unacceptable.

Security, on a personal level, is a balancing act where the thin beam on which you're walking keeps changing direction. You can't just pick the right answer and stick with it -- you have to maintain personal security awareness, and an ongoing ability to make good decisions based on that awareness. The best antivirus software for you today may be the worst tomorrow, and only mediocre on a different computer of yours. A week from now, it may become more of a liability than a help, and a year from now you may find that on a new system having any antivirus software at all is a bad idea.

If you think that's too complicated, you're in for a shock, because it gets worse.

Real security is not something you can have just by erecting walls around yourself, setting guards at the points of ingress and egress, and so on. You have to help others secure themselves, too, because until (nearly) everybody is able to maintain his or her own security, there will always be significant threats to yours. Poor security is both individual and collective in nature: every individual must see to his or her own security, and everyone's security is dependent to some degree on the security of everyone else.

For instance, there's the matter of spam. Spam is not a problem you can solve by guarding against it. You have exactly two options for truly protecting yourself from spam:

  1. You can stop using any communication media that allow for automation and bulk sending. This means no more IM services, no more email, and no more SMS texting.
  2. You can help others be secure, spread the word about good security, so that the spam botnets of the world dry up and the cost of spamming grows until it is no longer cost-effective to be a spammer.

Filtering spam is just an arms race, after all. You come up with a better method of filtering, so the spammers come up with a better method of getting around filtering. If you don't think spammers can keep this up indefinitely, you might want to consider that we may at some future date look back on spam as the driver of some of the greatest innovations of information technology:

  1. As people attempt to achieve the universal Turing test, they come up with schemes like CAPTCHA. Each time such a system is improved, the science of programmatic optical character recognition is advanced because spammer software "learns" to pick characters out of ever-more obscuring visual "noise". It has gotten to the point now where many of the available CAPTCHA-like options can be unreadable to humans, too.
  2. Many would claim that Linux systems are the most scalable in the world; you can link together hundreds of Linux systems in grid-computing supercomputers with relative ease. Despite this, the biggest grid-computing system in the world will almost certainly be a botnet for the foreseeable future, not designed to run on a scalable OS, but on an OS whose security against infection is easy to compromise.
  3. Achieving more with less through automation is an area of advancement ruled by spambot creators and other malware makers, as well. As the technical security features of various systems get more sophisticated, the malware used to propagate botnets needs to be slimmer, sleeker, and harder to find. Notice the successes in these areas, the surprisingly minimal yet functional nature of viruses and worms propagating across the Internet.
  4. The closest thing to successful artificial life in this world did not come from a biology laboratory. It's self-propagating mobile malicious code.

In order to actually significantly cut into spam, you have to do something other than come up with better ways to filter, to react on the receiving end. The most widespread means of filtering spam will always be the first to be circumvented, and so the problem remains.

Authoritative "security from above" won't work either. Getting ISPs to be more intrusive in their monitoring and management activities because individuals won't take care of their own security is, at best, ineffective. ISPs and other "parental" overseers on the Internet have limited resources, and any solution they could employ with those resources that is sufficiently draconian to be effective would shut the majority of their customers out of the Internet. Are you willing to burn the village to save it?

Ultimately, your individual security -- as demonstrated by the spam situation -- is not just a matter of your individual security. It is a matter of everybody's individual security. Improving your security involves not only choosing the best tools and techniques for yourself, but advocating them for others as well, and educating those others. This is why, in addition to an IT security industry full of people whose real goal is not security but is instead profit and market dominance, there is also a strong and vibrant security community full of people willing to argue and discuss and disseminate freely and at great length. Any security professional neck-deep in the security industry (who knows Symantec) but disconnected from the security community (doesn't know Bugtraq) is not the security professional you want.

Security is protection of both privacy and resources -- and not just your own privacy and resources. It is protection of everybody's privacy and resources. The moment you allow someone else's resources to get abused (botnet infection), yours get abused as well (spam). The moment you allow someone else's privacy to get abused (intrusive Internet activity tracking), yours gets abused as well (harvesting contact information about you from other people's communications).

Security is only possible with freedom (and privacy is a big part of freedom), because the more you impose restrictions on people the more you create conflicts of interest in those who maintain those restrictions. Freedom is the only thing you cannot have if you do not grant it to others -- and security follows suit. Freedom, in effect, *is* security of privacy and property. If you want to be free (of spam, of infections, of identity theft, and so on), you have to help others achieve that freedom as well.

Security is an ecosystem -- not a product. You cannot buy it except at the cost of giving it away.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

40 comments
blockb

Mr. Perrin, excellent job. What is becoming apparent is that Internet and systems security is the civics lesson schools have abandoned. Thank you for writing a succinct and poignant article.

boxfiddler

"Security, on a personal level, is a balancing act where the thin beam on which you're walking keeps changing direction. You can't just pick the right answer and stick with it - you have to maintain personal security awareness, and an ongoing ability to make good decisions based on that awareness." Perfectly stated. Too many end users don't bother to keep up with the 'state of the art'. Too many of these same end users can't figure out how their credit card number, or bank account, or worse yet, entire identity was stolen. Thanks for an article that I hope to share with many students over the semester! edit typo

louiseoneal1972

Or computer users who think security means updating their firewall and anti virus software occasionally can wait until they get hit by the nasties their infested systems have been spreading to everyone else. Then these users can experience the joy of having to wait to get online or to type a document until a friend or family member takes pity. They can count the work hours it will cost to replace their ruined systems, and they very well may develop a-security-as-obsession philosophy rather than a wiser, less tardy security-as-ecosystem philosophy. Would I be speaking from current, woeful, typing-this-on-someone-else's-computer-because-mine-got eaten experience? Mmm. Maybe.

shardeth-15902278

I enjoy most of your articles. This was no exception. In fact this was one of the most thought provoking reads I have had in quite some time. Thanks.

perezjonestsisah

Real like this one. But where are the "bad guys" hiding? Can't they be found to prevent them from spreading malware?

zcbor

Very good. The best definition.

michael_orton

In the 80s we were told that if you stuck to IBM PCs (PS/2 Microchannel) and genuine Microsoft products you had no problems!!!! Then in the 90s I was informed by an "expert" that as they weren't connected to the Internet, they had no problems! Then I finally became enlightened. The firm appoints an IT security manager. Doesn't matter if he knows B...A. ..about the subject, send him on a three day course! He will write a "Security Policy" that he copied from the course, which everybody will only pay lip service to. Then WE have no problem. It's HIS problem! The article is really good, but firms will still adopt variations of the above "security solutions".

Jaqui

is that we all know people who refuse to pay any attention to security issues and just click yes on anything presented to them. [ these are the ones that cause the "dumb end user" comments ] Until no system is sold without a service contract for regular monthly servicing. [ malware cleaning, backup, etc ] There will be no way to reduce the number of insecure systems. Unless it is illegal to sell a system without such a contract, there will be no way for that to happen. Since, despite Microsoft's efforts, it still is not illegal to sell a computer without an operating system, I really do not see it being made illegal to sell one without a service contract. Then there are those who would refuse to actually use the service even if it was legally required. [ which most of us here would fit into. ;) ] Maybe the only solution is to make insecure systems prohibitively expensive.. such as a summary offense with a minimum of 15 years in prison, no parole before 15 years. That would make everyone pay more attention to their systems. those creating / spreading the malware would have to get even harsher punishment.. like being chained to a post in a gay village with a "sperm bank" sign tattooed across their butts.. a day for each system infected by their malware, in each gay community in the world.

apotheon

That's high praise. I appreciate the feedback on the article -- and I think this is the first time anyone has called one of my articles at TR "poignant". I'm glad I was able to bring you out of lurker mode to offer that compliment.

apotheon

I know I've done a good job when one of the instructors here tells me (s)he's going to share an article I've written with his/her students.

Tony Hopkinson

pieces of software up to date. For a start define up to date. I don't think he's saying you should sit around waiting for all those other types to grow a brain. Here's something to think about: how much have you compromised security in return for accessibility? Javascript enabled on your browser for instance.

apotheon

My (non-TR-employee) personal editor told me she thought this was one of the best articles I'd written. I've been getting high praise on this one from people whose opinions I trust and value. Thanks for adding your opinion as well.

Tony Hopkinson

Wednesday cure all illness Thursday, solve world poverty Friday Win the war on drugs Saturday stop malware, adware and spam. Yours Sincerely A Deity Come on tell the truth, you're a commie aren't you. Do you know how much profit there is in malware, adware and spam and systems to combat it? Most of the crooks are 'hiding' in mansions not basements. We aren't talking about a couple of aging students rolling a joint and tittering to themselves here. Not even at my puzzled expression at the daily email offering me the chance to buy a septic tank, for a f'ing year!

syost16

perezjonestsisah, The problem is that these botnets have become so huge that I don't believe there is a single human or computer on the planet that could identify their source/sources. So no, I don't believe we could find the "bad guys". Back to the subject, the ISPs "parenting" isn't a bad idea in theory. But it runs into two major problems. 1. It breaks a few US laws 2. Although there are still plenty of security holes in most OS's, it is still good enough that they wouldn't be able to monitor if their AV is installed/up to date, or if their firewall is up.

DanLM

Security is responsibility I think you are saying, and you can not force responsibility on anyone. Just like you can't make anyone stop drinking. They have to decide for themselves. Now, you just gave the best argument I have seen yet why ISPs shouldn't be the guardians against spam. I have never seen it said better, makes my previous post moot. Still am of the opinion that if the ISPs become more strict (as a parent can be) with education to help (as a parent should be)... That it would go a long way to assist in this war. For, it really is a war. Your point about botnets being the largest grid computing network is very true. Just be afraid if they ever harness that ability for something other than spam. Such as cracking hashes. Dan

royhayward

I had an IBM XT at college. I was one of the only people in our apartment complex with a computer. And I got a virus. (Stoned Monkey B if I recall correctly) There was no internet hookup, and I had yet to receive my first email. (what simpler times those were) This virus was spread by promiscuous floppy usage in the computer lab. The lab came up with an innovative idea. Scan all floppies entering the lab, and boot anyone using a floppy that hadn't been initialed by the lab assistant. I wager that today's floppy virus infection rate is rather low, (not relating in any way to the computer lab policy.) And that the rate most PCs get infected is over the internet. Thus, instead of proposing draconian monitoring, or oppressive service contract laws. Let's examine something the government calls 'burden shifting.' We shift the burden to the ISP, but in this way. The ISP must certify that PCs that are connecting meet a level of security. There are companies that are already doing these types of sweeps of web sites, and posting their logos to assure consumers that their data is safe. ISPs now are required to do this type of monitoring to periodically validate that a connected system is protecting itself, and if it is not, the connection is severed, and the only page they get is one telling them of the vulnerability that was found and advising them to fix it before reconnecting to the internet. The connection is then flagged for constant checks on each connection attempt until it passes the test and then is only polled on the normal schedule. Sites could also invert this process by only allowing connections from 'safe' ISPs and thus I can say, "Hey, I am safe, but I don't think you are. Let's limit your access until you come from a safer location." So this is a rough idea. It may not be workable. But it is better than throwing our hands up and lamenting, "We can't be safe until everyone else agrees to be safe too. Waaaagh!"

apotheon

I think a great way to dramatically decrease the percentage of systems with Swiss-cheese security would be, simply, to put Microsoft out of business. The problem is that, like "security industry" corporations such as Symantec, Microsoft's goal isn't to produce secured (or even securable) systems; it's to dominate markets. You'll never get security as good from someone who only pays enough attention to security to make people think they're getting a good deal as you would from someone who actually pays attention to security for security's sake. The Microsoft Windows codebase is *still* a crappy, unsecurable architecture, fundamentally. If that disappeared from the security ecosystem, a significant chunk of the problem would disappear. I'm . . . not even going to comment on the suggested punishment in the last paragraph.

boxfiddler

at the level at which I teach. Particularly as regards personal PC security. There is a lot of very informative reading out there, but too much of it gets extraordinarily technically detailed. Once the 'techno-babble' gets flowing, my students lose interest. If a piece is too long, my students lose interest. While this piece has its multi-syllabic complexity, it doesn't go over the edge with totally 'geeky' terminology. Length is perfect - they will actually read it. I wish that I could find more like it without spending days scrounging the 'net. I'm watching for more! edit the usual typo/s

santeewelding

Aside from opinion you do not trust or value, I agree wholeheartedly with the governance of security you espouse. I recognize the approach. It is the same bigger picture that probably relegates your 40 S&W to a like incidental and subservient role. It's what I meant by getting back -- way back -- and looking over the top of your thumb. How farther can you go and still make sense?

michael_orton

The problem with spam blocking is how do you define what is spam! My ISP Tiscali does provide spam blocking, but each day I have to look through the spam folder and mark as "Not Spam" e-mails that I want, usually ones on IT security and hacking. And the V1_agrA and infinite variations and the p****s enlarging pills and potions are usually put in the spam folder, but not always. At least the botnets have correctly figured out that I am male. Who knows, when I am a little older I may need such products and then I will have to go to the trouble of marking them all as "not Spam". The definition of Spam is probably just in the mind of the receiver!

shardeth-15902278

Something along the lines of NAC? The user's computer comes online in a quarantine network, where it is analyzed for critical patch levels, key exploits, with no access other than what is necessary to fix any problems, then once they meet the minimum requirements, they are moved to the active network? But, how do you determine the appropriate list of patch levels? Do you require AV software, anti-spyware? How do you create a standard that appropriately and comparably covers the various flavors of windows, Linux, BSD, MAC, and variety of other OS's? How do you achieve that with overstepping bound in regards to privacy? Or am I reading too much into your proposal?

Tony Hopkinson

All most a trust, the other way round. Who says they are safe or not, on what basis, what commercial biases could possibly creep into such a system. The responsibility for security is ours. Give one away you give the other. Your safety is only compromised by those you trust and of course your own action. I agree about the waaagh, but your idea is way too rough for me. Am I going to have to pay for my ISP to keep me safe from all but them and those they trust?

DanLM

I have always stated that ISPs should disconnect connected machines that are infected. But to do that, as your suggestion, there would be some type of monitoring that would have to be performed against the user's machine. Be it the traffic that is generated from that machine or some other form of monitoring. Now, I agree with your idea. But I also can understand the point that others make about invasion of privacy. I think that it could be done based on volume of traffic over specific ports and protocols. Ie: What bloody home machine sends out 200 emails a day. But, you will have those that will call this an intrusion. Just like what is happening with the p2p thing. I will just say I disagree with their argument, but I do understand their argument. That would not fly is what I am trying to say. At least not in the near future. Dan

Sterling chip Camden

... was also via floppy (5-1/4"). I wondered at the time if anyone made a condom for those things.

apotheon

I'll keep your needs in mind and look for opportunities to serve those needs in the future, as I continue to write for TechRepublic's IT Security weblog, then. I actually prefer to write stuff like this over much of the rest of the material I write, because I think the principles that are conveyed are some of the most valuable things people can learn about IT security. I'm trying to serve a very diverse market here, though, so of course I have to provide other types of articles as well -- and, frankly, it's easier to provide regular updates when I can write something easier, like technical howtos and software evaluations, from time to time. Thanks again for the feedback. This kind of clear, unequivocal explanation of what a reader values is very important to someone serving readers' needs.

Absolutely

" ... canned anti-spam ..." The rest is truly sad.

shardeth-15902278

An acquaintance of mine works for a company that supplies products to several drug manufacturing companies, including Merck. They implemented a canned anti-spam solution, and then had to scramble to shut it down, as it was blocking legitimate emails from their customer. Who knew that "Viagra" could stop the flow of business?

DanLM

When you are at that age where you need the penis pills. Lol, just too funny. You're right, it can be in the eye of the beholder.... But, what both you and I probably define as spam right now sits on websites that I wouldn't trust anyone's browser to go to. How many of them infect more computers that enlarge the botnets? Dan

royhayward

"The definition of Spam is probably just in the mind of the receiver!" I have to disagree. Spam is unsolicited email from parties that you don't know. Just like marketing calls and junk mail are what they are. The fact that you may actually make a purchase or participate in the activities the spam or junk mail has offered you, does not change the nature of the communication. If, 1. The purpose of the email is to elicit participation or gain business. 2. The sender is not someone or some company that you know/have dealings with. Then it is spam. When I began to finance my first house, I started to get gobs of email wanting me to refinance. I know that someone in the chain of contacts had sold my address, or been careless with it. Even though I was in the market for financing. These were spam, and most seemed to be a little sketchy. So even when you reach the point where you want to buy V!@gr@, these email messages will still be spam. I don't think anyone who is trying to find one of these companies will have any trouble as long as Google is still on the web.

apotheon

That was part of my point -- if you try to detect security software, you're going to be screwing with users' ability to use the software they want to use. The best you can do is search for malware and do port scans, basically. Anything more is a violation of privacy or bound to end up punishing people for things they aren't doing.

royhayward

I have been attempting to come up with a workable idea that isn't a Big Brother approach to security. Being careful not to work into a system of security, conditions that would keep any end user from doing what they want with their own system. While at the same time preventing users making poor security choices from interacting with, and thereby exposing, other people's systems to those choices. And so far I just don't know. It looks like two thirds of the original article were about email. And email is one of the largest ways to spread viruses and collect personal information. Maybe what I am describing is 'computer use profiling.' And so maybe it won't work. If a user is like my nephew, and is detected running Kazaa, but not getting any virus updates from any known vendors. We could profile him as high risk. We shouldn't have to intrude on his system to find out. But this may flag people as high risk who are using a virus update that is not known or detected. Or who have some other means to deal with and contain virus intrusion. Darn, yet another variant of this idea that won't quite work. I don't expect you to have these answers, I am just interested in the criticisms of these ideas to see how they can be better.

apotheon

"Ok, but security is not just about email" I didn't say it was just about email. What about my comments was email-specific? "so here is thing. If we can port scan, and see traffic that is known to be botnet, or code-red, or etc to determine a machine's secure-ness. Why can't the ISP?" I think you missed some of what I was saying -- like this: "At the gateway, however, signatures-based malware scanning is a good way to provide an extra layer of security. It's also not very intrusive, using a strictly signatures-based malware detection system at the gateway -- unlike anything that actually checks what's on the 'protected' systems." "Can't the ISP have a 'honey pot' that is audited to see what local IPs are trying to infect it?" It could. What makes you think anyone thought a honey pot was a bad idea?

royhayward

I understand that was the focus, and I apologize for getting off track. But here is my example that made me think about this. My nephew downloaded and burned a copy of a piece of software that he wanted me to look at. I forget exactly what it was supposed to do, but he wanted to buy it and wanted my opinion. He also ran kazaa and apparently had no firewall/virus/etc. So I popped the CD in to my machine, and it launched. Immediately, my network disconnected and our security dude for two cubes down came running over and asked what I had just done. We examined the app and discovered that it had multiple nasties on it that had immediately started looking for machines to infect. Our security saw this, and killed my IP on the system. So here is thing. If we can port scan, and see traffic that is known to be botnet, or code-red, or etc to determine a machine's secure-ness. Why can't the ISP? And why would this be an intrusion? (unless I am developing a bot net or a trojan, or something at home. Do I really need to be running one?) Can't the ISP have a 'honey pot' that is audited to see what local IPs are trying to infect it? I dunno but you haven't convinced me this is an unworkable idea. Just a rough one that needs more work to get the kinks out. As for this 'protecting people from themselves' yes of course this is. Most people on the internet now are not IT professionals. Just like most people on the road are not automotive engineers. But that does not mean that we don't try to make the roads safe, and it is not all about education. We still put airbags in cars, and don't remove them after defensive driving course completions. And we should look for ways to put the proverbial airbag out there for the internet traveler as well. I just know that I don't know how to do that yet. But I like talking about it.

JCitizen

but their antivirus solutions was worse than the viruses, and we took them all off. A guy just can't run a business like that. People seem to like google browser services; maybe if something like that would be acceptable and mitigate the problem. I'm still of the opinion that people hosting botnets should be shut down, but in the spirit of education a "LOUD" noticeable email expounding the virtues of local security might work. Especially if it is individually targeted. I've never seen an ISP try that simple concept!

apotheon

I'm sure you've heard about "gateway scanning" for antivirus systems. This is common to many corporate networks, where any traffic in and out of the gateways (between subnets and between the larger intranet and the Internet) is scanned using signatures-based malware detection. For individual system security, a need for signatures-based malware scanning is a sign you're using crappy software. At the gateway, however, signatures-based malware scanning is a good way to provide an extra layer of security. It's also not very intrusive, using a strictly signatures-based malware detection system at the gateway -- unlike anything that actually checks what's on the "protected" systems. Rather than detecting the presence or absence of a firewall, simply scanning for open ports and informing the account holder for that host is also relatively unintrusive -- at least, it is if it's an opt-in system, part of a "security check". It's not platform-specific, it doesn't actually tell the ISP anything about what's running on the customer's system except insofar as open ports might give hints, and any further concerns should be allayed by the fact it's opt-in only. This is all "trying to protect people from themselves", to some extent, though. The really critical factor in security is education. We need people to learn about the security implications of their system configuration and software choices. The easier we can make it for people to find out what they need to know to keep themselves safe, the better. Ultimately, the choice of how secure someone is going to be is the responsibility of that person, and there isn't anything we can do about that other than preventing them from making full use of their computers -- which is counterproductive.

royhayward

I am not sure I would want to subscribe to my own plan. That's why I said it was rough and possible, fatally flawed in the proposal. So, what is your idea? Is there a way to make the roads safe? Or do we have the best we can get now? Not that I'm implying that you can't shoot down my idea without proposing your own. But I want something to shoot back at. ;)

apotheon

"But, how do you determine the appropriate list of patch levels? Do you require AV software, anti-spyware? How do you create a standard that appropriately and comparably covers the various flavors of windows, Linux, BSD, MAC, and variety of other OS's? How do you achieve that with overstepping bound in regards to privacy?" You don't. It's an unworkable idea. "Or am I reading too much into your proposal?" I read it the same way you did.

Jaqui

would have to do content scanning for malware specifically. and that brings up the whole privacy issue again.

steve

You asked the following: "What bloody home machine sends out 200 emails a day." I average about 160 emails a day (send/rec). I run my consultant company out of my house. So yeah some of us are legit....
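
Added example, not part of the article or of any comment above: DanLM's idea of judging hosts by traffic volume over specific ports, and steve's objection to a flat 200-a-day cut-off, worked through on flow metadata only. The host names, relay address, thresholds and record layout are all constructed for illustration, and the second rule rests on the assumption that home mail clients hand mail to their provider's relay rather than delivering to many servers directly on port 25.

```python
"""Flag likely spam-bot hosts from outbound mail flow metadata only (no content)."""
from collections import defaultdict

MAIL_PORTS = {25, 465, 587}    # SMTP relay, implicit-TLS submission, submission
ISP_RELAYS = {"192.0.2.25"}    # assumption: the ISP's own outbound mail relay


def build_sample_flows():
    """Constructed one-day sample of (customer host, destination IP, destination port)."""
    flows = []
    # Home business: 260 messages, all handed to the ISP relay on the submission port.
    flows += [("cust-consultant", "192.0.2.25", 587)] * 260
    # Infected host: 150 messages, each delivered straight to a different server on 25.
    flows += [("cust-infected", f"198.51.100.{i}", 25) for i in range(1, 151)]
    # Ordinary home user: a dozen messages through the relay, plus web traffic.
    flows += [("cust-home", "192.0.2.25", 587)] * 12
    flows += [("cust-home", "203.0.113.80", 443)] * 500
    return flows


def summarize(flows):
    """Per-host count of mail connections and set of direct port-25 destinations."""
    stats = defaultdict(lambda: {"mail": 0, "direct_dsts": set()})
    for src, dst, dport in flows:
        if dport not in MAIL_PORTS:
            continue  # only mail ports are examined; everything else is ignored
        stats[src]["mail"] += 1
        if dport == 25 and dst not in ISP_RELAYS:
            stats[src]["direct_dsts"].add(dst)
    return stats


def flag_by_volume(stats, max_per_day=200):
    """The flat cut-off from the thread: any host above N mail connections a day."""
    return sorted(h for h, s in stats.items() if s["mail"] > max_per_day)


def flag_by_direct_fanout(stats, max_direct_dsts=20):
    """Hosts that deliver directly to many distinct mail servers, bypassing the relay."""
    return sorted(h for h, s in stats.items()
                  if len(s["direct_dsts"]) > max_direct_dsts)


if __name__ == "__main__":
    stats = summarize(build_sample_flows())
    print("volume rule flags:  ", flag_by_volume(stats))
    print("fan-out rule flags: ", flag_by_direct_fanout(stats))
```

On this sample the volume rule flags only the legitimate home business and misses the infected host, while the fan-out rule does the reverse.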