[ISN] Antivirus Inventor: Security Departments Are Wasting Their Time

From: InfoSec News (alerts@private)
Date: Thu Feb 07 2008 - 02:32:28 PST


By Tim Wilson
Site Editor
Dark Reading
February 6, 2008

WASHINGTON -- Computer Forensics Show 2008 -- Peter Tippett thinks it's 
time for security professionals to wake up and stop wasting their 

In a presentation here yesterday, Tippett -- who is vice president of 
risk intelligence for Verizon Business, chief scientist at ICSA Labs, 
and the inventor of the program that became Norton Antivirus -- said 
that about one third of today's security practices are based on outmoded 
or outdated concepts that don't apply to today's computing environments.

"A large part of what we [security pros] do for our companies is based 
on a sort of flat-earth thinking," Tippett said. "We need to start 
looking at the earth as round."

For example, today's security industry focuses way too much time on 
vulnerability research, testing, and patching, Tippett suggested. "Only 
3 percent of the vulnerabilities that are discovered are ever 
exploited," he said. "Yet there is a huge amount of attention given to 
vulnerability disclosure, patch management, and so forth."

Tippett compared vulnerability research with automobile safety research. 
"If I sat up in a window of a building, I might find that I could shoot 
an arrow through the sunroof of a Ford and kill the driver," he said. 
"It isn't very likely, but it's possible.

"If I disclose that vulnerability, shouldn't the automaker put in some 
sort of arrow deflection device to patch the problem? And then other 
researchers may find similar vulnerabilities in other makes and models," 
Tippett continued. "And because it's potentially fatal to the driver, I 
rate it as 'critical.' There's a lot of attention and effort there, but 
it isn't really helping auto safety very much."

Similarly, many security strategies are built around the concept of 
defending a single computer, rather than a community of computers, 
Tippett observed. "Long passwords are a classic example," he said. "If 
you take a single computer and make the password longer and more 
complex, it will be harder to guess, and that makes that computer 

But if a hacker breaks into the password files of a corporation with 
10,000 machines, he only needs to guess one password to penetrate the 
network, Tippett noted. "In that case, the long passwords might mean 
that he can only crack 2,000 of the passwords instead of 5,000," he 
said. "But what did you really gain by implementing them? He only needed 

Tippett also suggested that many security pros waste time trying to buy 
or invent defenses that are 100 percent secure. "If a product can be 
cracked, it's sometimes thrown out and considered useless," he observed. 
"But automobile seatbelts only prevent fatalities about 50 percent of 
the time. Are they worthless? Security products don't have to be perfect 
to be helpful in your defense."

This concept also applies to security processes, Tippett said. "There's 
a notion out there that if I do certain processes flawlessly, such as 
vulnerability patching or updating my antivirus software, that my 
organization will be more secure. But studies have shown that there 
isn't necessarily a direct correlation between doing these processes 
well and the frequency or infrequency of security incidents.

"You can't always improve the security of something by doing it better," 
Tippett said. "If we made seatbelts out of titanium instead of nylon, 
they'd be a lot stronger. But there's no evidence to suggest that they'd 
really help improve passenger safety."

Security teams need to rethink the way they spend their time, focusing 
on efforts that could potentially pay higher security dividends, Tippett 
suggested. "For example, only 8 percent of companies have enabled their 
routers to do 'default deny' on inbound traffic," he said. "Even fewer 
do it on outbound traffic. That's an example of a simple effort that 
could pay high dividends if more companies took the time to do it."
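To make the "default deny" point concrete, here is a small, added model of a packet-filter policy (example code, not from the article or from Tippett). It assumes a first-match rule list with a fallback verdict, and evaluates a handful of constructed inbound and outbound flows under a default-allow policy (a short blocklist) and a default-deny policy (a short allowlist), so you can see which connections each one lets through on both sides of the router. The flows, ports and rule sets are illustrative assumptions, not data from the page.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One connection attempt crossing the perimeter (constructed sample data)."""
    direction: str   # "in" (Internet -> network) or "out" (network -> Internet)
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """A single filter rule; dport None matches any port, proto 'any' matches any protocol."""
    direction: str
    dport: Optional[int]
    action: str          # "allow" or "deny"
    proto: str = "any"

    def matches(self, f: Flow) -> bool:
        return (self.direction == f.direction
                and (self.dport is None or self.dport == f.dport)
                and (self.proto == "any" or self.proto == f.proto))


class Policy:
    """First-match rule evaluation with a default verdict for anything unmatched."""

    def __init__(self, rules: List[Rule], default: str):
        assert default in ("allow", "deny")
        self.rules = rules
        self.default = default

    def verdict(self, f: Flow) -> str:
        for r in self.rules:
            if r.matches(f):
                return r.action
        return self.default


# Default-allow: everything passes unless explicitly blocked (here, only inbound telnet).
# This is the posture Tippett describes most companies as still running.
DEFAULT_ALLOW = Policy([Rule("in", 23, "deny")], default="allow")

# Default-deny on both inbound and outbound: only the services you actually run
# or need are listed, and anything else is dropped regardless of port.
DEFAULT_DENY = Policy(
    [
        Rule("in", 443, "allow", "tcp"),     # public HTTPS service
        Rule("out", 53, "allow", "udp"),     # DNS to resolvers
        Rule("out", 443, "allow", "tcp"),    # outbound HTTPS for users/updates
    ],
    default="deny",
)

# Constructed sample traffic: two expected flows per direction plus two that
# nobody provisioned (an inbound RDP attempt and an outbound connection to an
# unusual port, the kind of thing egress filtering stops or at least surfaces).
SAMPLE_FLOWS = [
    Flow("in", "203.0.113.9", "192.0.2.10", 443),
    Flow("in", "203.0.113.9", "192.0.2.10", 3389),
    Flow("in", "203.0.113.9", "192.0.2.10", 23),
    Flow("out", "192.0.2.55", "198.51.100.4", 53, "udp"),
    Flow("out", "192.0.2.55", "198.51.100.4", 443),
    Flow("out", "192.0.2.55", "198.51.100.77", 6667),
]


def compare(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """Return (flow description, default-allow verdict, default-deny verdict) per flow."""
    rows = []
    for f in flows:
        desc = f"{f.direction:>3} {f.proto}/{f.dport} {f.src} -> {f.dst}"
        rows.append((desc, DEFAULT_ALLOW.verdict(f), DEFAULT_DENY.verdict(f)))
    return rows


def unexpected_allowed(policy: Policy, flows: List[Flow]) -> List[Flow]:
    """Flows the policy allows even though no explicit allow rule names them."""
    explicit = [r for r in policy.rules if r.action == "allow"]
    return [f for f in flows
            if policy.verdict(f) == "allow" and not any(r.matches(f) for r in explicit)]


if __name__ == "__main__":
    print(f"{'flow':<45} {'default-allow':<14} default-deny")
    for desc, a, d in compare(SAMPLE_FLOWS):
        print(f"{desc:<45} {a:<14} {d}")
    print("\nAllowed without anyone asking for it (default-allow):",
          len(unexpected_allowed(DEFAULT_ALLOW, SAMPLE_FLOWS)))
    print("Allowed without anyone asking for it (default-deny): ",
          len(unexpected_allowed(DEFAULT_DENY, SAMPLE_FLOWS)))
```

The point the model makes is the one in the talk: under the blocklist policy, every port nobody thought to block is open in both directions, so the RDP probe and the odd outbound connection both sail through, while the allowlist policy needs no knowledge of any particular attack to stop them. The same shape maps directly onto a real router or host firewall, where the final rule (or the chain policy) is the default verdict.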

Security awareness programs also offer a high rate of return, Tippett 
said. "Employee training sometimes gets a bad rap because it doesn't 
alter the behavior of every employee who takes it," he said. "But if I 
can reduce the number of security incidents by 30 percent through a 
$10,000 security awareness program, doesn't that make more sense than 
spending $1 million on an antivirus upgrade that only reduces incidents 
by 2 percent?"


This archive was generated by hypermail 2.1.3 : Thu Feb 07 2008 - 02:44:59 PST