Jul 24Internet Security: An Oxymoron?
If you’re insecure about Internet security, Richard Adhikari’s article on technewsworld.com (Go to this link for his complete article.) won’t help you sleep any better. However, it could alert you to challenges that have to be overcome to keep the bad guys at bay. The following has been excerpted from Adhikari’s piece and edited to fit our format.
Security products are built around using outdated techniques, Randy Abrams, a research director at NSS Labs, told TechNewsWorld.
Information security has evolved over the past 40 years “in a way that has created a layered model that has added capabilities but deviates little from its core design,” he said. Security “chases the last known problem, while attackers focus on the next possible vector.”
Are vendors serving up flawed software?
[Roberto Martinez,] a security researcher at Kaspersky Lab, [said software] developers have to maintain a balance between security, functionality and ease of use when developing an application. “If priority is given to the functionality instead of application security, then the risk of a compromise is elevated. The complexity in requirements and architecture to run a program can be a factor too….”
[Chris Morales, practice manager, architecture and infrastructure, at NSS Labs added,] “The primary reason why applications are insecure is because developers generally are not security experts.”
Many parts make life hell
Many widely used PC applications and operating systems have millions of lines of code, and “it’s a statistically proven fact that new vulnerabilities are likely to get introduced per few thousand lines of code,” Rahul Kashyap, chief security architect at Bromium, pointed out.
Size is one issue, and the complex interactions between systems constitute another, Seth Hanford, manager of Cisco’s Threat Research Analysis & Communications, told TechNewsWorld.
Further, researchers constantly are discovering new ways to attack existing systems, “not because computers are better or faster, but just because of new investigations, insight or inspiration,” he said. We could be discovering more security flaws because we’re now paying more attention to security.
As for Pass-the-Hash [a hacking technique], that’s “an architectural part of Microsoft Windows,” Hanford stated. “Truly fixing that problem will require a change in the way Windows works.”
Other issues affecting security
Inadequate security training for developers, along with deadlines and budget constraints, may contribute to the existence of security flaws, Jerome Segura, senior security researcher for Malwarebytes, told TechNewsWorld.
Further, quality assurance testing “is often focused on finding typical bugs but not necessarily security vulnerabilities,” he pointed out.
Third-party libraries that may contain vulnerabilities themselves are a problem, Segura remarked, pointing to the Heartbleed flaw in OpenSSL that impacted hundreds of applications.
The nature of multipurpose OSes “makes it nearly impossible to effectively secure them,” NSS’ Abrams remarked.
Security and risk professionals are considering replacing third-party AV tools with native OS AV augmented with one or more third-party alternatives such as application whitelisting, application privilege management, and endpoint execution isolation, according to Forrester.
However, “blacklisting is too reactive” and whitelisting “is not practical for end users,” Bromium’s Kashyap told TechNewsWorld.
“We need tools — programming languages, Web frameworks, even configuration guides — that make it hard to do the wrong thing,” Cisco’s Hanford suggested.
“…. As a security community, we need to do more … to identify the things that are hard to get right, important to solve, and critical to Web security, and ensure they are well and widely supported.”
In the meantime, enterprises should implement systems to monitor their networks and servers, detect anomalies, and identify any security incidents, Kaspersky’s Martinez suggested. Existing applications should be constantly audited for flaws. And, of course, systems should be patched and firewalls maintained.