
11 theatrical security measures that don't make your systems safer


mona


 


Just for show: 11 theatrical security measures that don't make your systems safer

Theater of the absurd
The term "security theater" was coined to describe the array of security measures at U.S. airports -- taking off shoes, patting down children and the elderly -- that project an image of toughness without making commercial aviation any safer. But the man who came up with the phrase is famous cybersecurity expert Bruce Schneier, and it could just as easily apply to a number of common tech security measures. We talked to an array of tech experts to discover what security technologies are often just for show.

 

Splash screens
Orlando Scott-Cowley, cybersecurity strategist at email security company Mimecast, is irritated by the many ordinary (and perfectly secure) online transactions that are given theatrical window dressing in the form of boastful splash screens. "There are quite a few websites that, post-login, display some sort of message similar to 'Securely getting your account details' or 'Setting up a secure connection,'" he says. "It’s such a shame and complete theater when it comes to security." (Sometimes these messages are displayed in Flash, and having a Flash-blocker installed can demonstrate just how pointless they are.)

 


Antivirus software
Most PC users probably consider antivirus protection to be a baseline part of a secure PC. But Ajit Sancheti, co-founder and CEO of Preempt, a still-in-stealth IT security company, thinks antivirus software is mostly theater. "It does very little to stop malware and ransomware, but does a lot to inconvenience users, especially from a performance standpoint," he says. "Along with hardware performance degradation through OS updates, antivirus is quite likely the key reason for employee PC refresh cycles."

Barry Shteiman, director of Labs at Exabeam, agrees. "Every company makes anti-malware/virus detection a top spend in its security budget," he says. "It's standard to have antivirus installed on every endpoint computer with a flashy icon in the task bar that essentially tells you, 'You are secure from malware!' Unfortunately, that is simply not true. Every piece of malware today, especially industrialized-crime-driven ones, is building anti-antivirus tools as part of the payload, bypassing endpoint protection as if it wasn't even there."


Perimeter security
Garry McCracken, vice president of technology at WinMagic, thinks that firewalls and perimeter security measures have a certain theatrical quality -- they're "something that everyone does, but it doesn't make enterprises secure anymore," he says. "The gates have been stormed, and firewalls can no longer keep the bad guys out. Most big enterprises are in a constant state of breach, so new strategies and technologies are needed. Assume that your network is, or will be, breached; detect it, minimize the impact and recover quickly." Instead of investing more money and resources in ever more elaborate perimeter defense, he advises that you work to "keep the 'blast radius' as small as possible (i.e., contain the damage any one breach can make) or back up every 10 minutes so the restore point can be very recent."

 

Alert fatigue
Nathan Burke, vice president of marketing at security incident response specialist Hexadite, knows that too much data about potential threats can be overwhelming. "Installing multiple security products that produce an insane volume of alerts and then not doing anything with those alerts is IT security theater," he says. "There are far too many alerts for people to handle manually without automation. So security teams are hearing the alarms go off constantly, but they're only able to investigate 5% or less of the incidents that trigger them."

Philip Lieberman, president of Lieberman Software, agrees. "Most companies ignore the alerts because there is such a high false alarm rate," he says. "And nobody activates immediate countermeasures because they're scared of the consequences of user wrath."


Ignoring what your gear tells you
Cedric Caldwell, solutions architect at IT consultancy Adapture, notes that many companies want to "say that they have met the security requirements to secure their environment and their network, where they have IPS, firewall, etc. But what do you do with that data once you have these devices on your network? Are you looking at data? Someone might implement a firewall and not pay attention to the hits on that firewall."

"Big corporations are usually good about combing through data," he adds, "but I tend to see this on a smaller scale, at companies that don’t really have the manpower to do that. They check the box and buy the equipment, but they’re not actually taking the next step to say, 'OK, what is this thing really capturing?'"
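An added example, not code from the article or from any company it quotes, of what "looking at the data" can mean for a team that can only investigate a handful of alerts: it collapses constructed iptables-style drop lines into the few findings worth a person's time, which is the gap both the alert-fatigue section and Caldwell's unread firewall hits describe. The log format, addresses, internal prefix and thresholds are all assumptions made for the example.

```python
"""Triage firewall drop hits instead of ignoring them.

Added example, not code from the article or any company it quotes. The
log format (iptables-style LOG lines), the addresses, the internal prefix
and the thresholds are all constructed assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
Jun 15 10:00:01 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Jun 15 10:00:02 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
Jun 15 10:00:03 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389
Jun 15 10:00:04 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445
Jun 15 10:00:05 gw kernel: FW-DROP IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
Jun 15 10:00:06 gw kernel: FW-DROP IN=eth0 SRC=192.0.2.55 DST=198.51.100.9 PROTO=TCP DPT=6667
Jun 15 10:00:07 gw kernel: FW-DROP IN=eth0 SRC=192.0.2.55 DST=198.51.100.9 PROTO=TCP DPT=6667
Jun 15 10:00:08 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP DPT=53
"""

LINE_RE = re.compile(r"FW-DROP .*?SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")


def parse_drops(text):
    """Yield (src, dst, proto, dport) per drop line; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def summarise(text, internal_prefix="192.0.2.", scan_threshold=3):
    """Collapse raw hits into the few findings worth a person's time.

    'scan'   : one external source blocked on >= scan_threshold distinct ports.
    'egress' : an internal host repeatedly blocked on the way *out*, which is
               the pattern that most often means a machine is already compromised.
    Single stray inbound drops are background noise and are not reported.
    """
    ports_by_src = defaultdict(set)
    egress = Counter()
    for src, dst, _proto, dport in parse_drops(text):
        if src.startswith(internal_prefix):
            egress[(src, dst, dport)] += 1
        else:
            ports_by_src[src].add(dport)
    findings = []
    for src, ports in ports_by_src.items():
        if len(ports) >= scan_threshold:
            findings.append(("scan", src, sorted(ports)))
    for (src, dst, dport), n in egress.items():
        findings.append(("egress", src, (dst, dport, n)))
    return findings


def triage_stats(text):
    """Return (raw_hits, findings): how much a human must actually read."""
    return sum(1 for _ in parse_drops(text)), len(summarise(text))


if __name__ == "__main__":
    for kind, src, detail in summarise(SAMPLE_LOG):
        print(kind, src, detail)
    print("raw hits vs findings:", triage_stats(SAMPLE_LOG))
```

On the sample, eight raw hits reduce to two findings, and the one that matters most (an internal host repeatedly blocked outbound) would be invisible in a raw hit count.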

 

Password shenanigans
For Dimitri Sirota, CEO and co-founder of enterprise privacy management platform BigID, the most visible security theater is the security measure you encounter most often: passwords. "Passwords act as a front door lock to a house; get past the lock and you have free rein inside without other protections," he says. "For most people they are a weak link since users prefer easy to remember over hard to decipher." He feels that a password treated as the whole defense, rather than as just the first layer of defense in depth, is just theater.

Nigel Stanley, practice director in cyber security at OpenSky, the IT consultancy arm of TÜV Rheinland, is particularly miffed at passwords that ostentatiously demand to be changed once a month. "Why 30 days?" he asks. "What happens at day 31 to create a security risk?"


Security training by the numbers
Stu Sjouwerman, founder and CEO at KnowBe4, thinks that security theater happens at the training level too. The example he gives is a company that “sends simulated phishing attacks, but only once every 90 days, and not preceded by interactive, engaging, web-based training that really explains the risks on the Internet. Result? Employees feeling hassled and no measurable decrease in phish-prone percentage."

 

Tough talk
OpenSky's Stanley sneers at the tendency of some security companies to sell their products with military-sounding adjectives, which may sound tough but don't actually represent more secure systems. "I include terms such as 'military-grade encryption,' 'flash to bang,' 'kill chain,' and 'detonate,'" he says. "WTF? Not descriptive, not helpful."

 

Stonewalling
J. Colin Petersen, president and CEO at J Digital Identity, thinks that when IT staff reject any and all user requests in the name of security, that's a kind of performance. "For instance," he says, "an end user might request access to a certain resource, and instead of figuring out a secure way to grant the user access, the IT professional will just stonewall and say something like 'Sorry, that compromises security and I can't allow that.'"

 

Information sharing
Shlomo Touboul, CEO at illusive networks, says that the tendency to share data about breaches you've experienced can amount to a performance as well. "When a new massive attack on a specific sector is discovered, other companies within that sector are immediately alerted. But this doesn't make them safer," he says. "Every enterprise has different attack vectors embedded in its network and nearly all are invisible to them but discovered and utilized by attackers. While sharing information about specific attacks might help patch some systems, it does nothing to expose hidden attack vectors, leaving enterprises feeling secure when they're not."

 

Post-breach PR
It's not just technical folks who get on stage in the wake of a breach, says Mimecast's Scott-Cowley. "The most heinous of crimes is the glib post-breach statement that 'we take security (of data/of our customers/of our service) seriously,'" he says. "This is trotted out by CEOs and PR departments in the press release they issue once someone has managed to breach their obviously very unserious security. Often they'll use the phrase 'sophisticated and coordinated attack' as well, which to me is also complete nonsense. Those two phrases go hand in hand to cover up the fact that weak security was breached and hackers gained access to resources of data in the face of little or no resistance."

 

Sometimes the play's the thing
We'd be remiss, though, if we didn't offer a contrarian view from BigID's Sirota. "Security theater isn't all bad," he says. "It does act as a deterrent. Police forces in cities aren't arresting people 24/7. However, their presence acts as a deterrent. You see the same effect with military forces. We're not always fighting someone, but running drills reminds enemies of capability." Sometimes, in other words, a weak password or firewall is still better than nothing at all.

 

 

 

Source

 

 


Antiviruses are useless, so I am a fool, since I have been using AVs for so long and haven't been infected. Kaspersky, ESET, Norton: your future stands bleak, you have fooled people enough, you are going out of business soon. :tooth:

 



1 hour ago, Jogs said:

Antiviruses are useless, so I am a fool, since I have been using AVs for so long and haven't been infected. Kaspersky, ESET, Norton: your future stands bleak, you have fooled people enough, you are going out of business soon. :tooth:

 

 

You basically just gave CPU time to your AV that another program would have used instead. It's like adding up all the time spent sleeping or pooping and considering it lost because it was not "lived" for other things.

 

You can transpose that to a few things, like all the ms lost due to the change of DNS server, or the time gained thanks to your adblock, boot time thanks to your SSD, etc.

 

I'll let you judge if it's really relevant or not. :P



1 hour ago, Jogs said:

Antiviruses are useless

Agree. Have not used a resident AV in 2 years, and no malware.

A remote scan from a Linux system with Bitdefender, F-Prot or Avast, or from a USB with Kaspersky, once a week, and I'm pretty sure my machine is clean.

Resident AVs just hog resources, do not ID the zero-days, can data-mine you (just read the TOS), and can be used as a vector to compromise your PC.

Suspect a file? Quarantine it for a week, then upload it to Jotti or VirusTotal.

As to firewalls, they are essential. Especially the ones that monitor OUTGOING traffic.



perlinpinpin

@Pequi: You wrote "As to firewalls, they are essential. Especially the ones that monitor OUTGOING traffic."

Can you give some advice on what kind of firewall, without AV?

Thanks.



15 hours ago, perlinpinpin said:

Can you give some advice on what kind of firewall, without AV?

Depends on your OS.

http://www.techsupportalert.com/best-free-firewall-protection.htm

Take your pick. The annoying ones that nag you every time a program changes its checksum and allow you to make rigid rules for applications are the best.

 

Linux is a PITA to set up. I usually just monitor with Wireshark, and add anything suspicious to my hosts file. Or if it's an IP, block it with the inbuilt firewall.



Those here saying antiviruses are useless need a reality check.

I have been working in infosec for over 5 years now, and I still believe we need antiviruses. Why? Just because not every one of your "normal" users is geeky enough to know what he should do to protect from viruses.

As a security analyst, your first job is to close as many gaps as possible, reducing the attack surface. Antiviruses do just that, and they do it well. You are safe from a targeted attack from a script kiddie, safe from all those pesky small viruses which linger on the USB devices of your relatives who need an urgent photo from your PC, and well, if you are targeted by a seasoned hacker, then dumping your PC would only be a viable option to secure them, as they'll jump to social engineering if they don't get any network access to your system. Yes, I do agree that AVs today have a negative impact on your system's performance, and can snoop on your data, but that's the risk you need to take, as, come on, we are all using Windows already, using Android phones; we are all already giving our data to a 3rd party.

If you really care so much about viruses, your data and all, then the best way is to follow the lifestyle of Richard Stallman, keep your digital footprint to a minimum and live a healthy offline life, but if you wanna use M$, use your PC as actually a PC, then you need to be security cautious, as they say; most users are not that tech savvy when it comes to security.



6 hours ago, lordnsane said:

I have been working in infosec for over 5 years now, and I still believe we need antiviruses. Why? Just because not every one of your "normal" users is geeky enough to know what he should do to protect from viruses.

I agree with you. People just HAVE to click on those attachments labeled "dirty pics I took of you last week". Even if they do end in CPL or EXE. And AVs will block most of the malware, so AVs are a good thing. Except for the 3-4% they don't detect.....

 

I'd feel utterly frustrated working in your field, telling people NOT to click, and then watching them click anyway ...



19 hours ago, lordnsane said:

Those here saying anti-viruses are useless need a reality check.

-Useless? No. :uhuh:

 

-Inadequate? Yes. :yes:



I honestly think the main idea is there really is no 'set it and forget it' piece of software or system, nor any system out there that you can react with or connect to that can be trusted. With that being said, there is no method of connecting that is actually considered safe.

 


So saying that antivirus programs and suites don't make you safer is not actually saying that they do not help with detecting threats. Nothing is safe, because each moment of each day there is someone attempting another attack vector. This result can be as focused as one company and the code written to secure their network, or as wide as to encompass every system in use.

The thing is, even with your antivirus software, are you even looking at the logs? What about the HIPS and HIDS logs? And what are you doing with that info, if anything? Are you simply installing, circumventing its own feature set with 'medicine' or such, and never looking back, cleaning detections or allowing them and blazing on? Or even using a VPN?

How many people here have scanned with something like Tenable Nessus to check for system vulnerabilities, holes in your network or even your router or other network devices, then taken proactive measures to secure those holes or issues? How many of you sit on your network and play White Hat/Black Hat with your own systems? How many of you turn on a new option in your system (like NetBIOS, Bluetooth, or even HomeGroup), then scan the 'surface area' for exposure clarification, and have investigated the protocol or service for security vulnerabilities? How about when a program installs new files or runs? How many of you have checked this in 'patched files', which some trust to replace those it came with? What other dangers can come from turning on a service like 'Location' besides someone knowing where you are? My question is, can it be used to circumvent something else?

Fact is, since Windows 95 (that I know of) it can make you FEEL safer, be dramatized to make you FEEL like an idiot, and THOSE I.T. GUYS really get the upper hand. Once a written program makes it down the chain, those in the 'NOW' have already been looking at other angles for a while and have made other attempts. But really, what can the average USER do?

 

It is all a good point though in my opinion...



  • 1 year later...
knowledge-Spammer
On 15/06/2016 at 5:08 PM, lordnsane said:

Those here saying antiviruses are useless need a reality check.

I have been working in infosec for over 5 years now, and I still believe we need antiviruses. Why? Just because not every one of your "normal" users is geeky enough to know what he should do to protect from viruses.

As a security analyst, your first job is to close as many gaps as possible, reducing the attack surface. Antiviruses do just that, and they do it well. You are safe from a targeted attack from a script kiddie, safe from all those pesky small viruses which linger on the USB devices of your relatives who need an urgent photo from your PC, and well, if you are targeted by a seasoned hacker, then dumping your PC would only be a viable option to secure them, as they'll jump to social engineering if they don't get any network access to your system. Yes, I do agree that AVs today have a negative impact on your system's performance, and can snoop on your data, but that's the risk you need to take, as, come on, we are all using Windows already, using Android phones; we are all already giving our data to a 3rd party.

If you really care so much about viruses, your data and all, then the best way is to follow the lifestyle of Richard Stallman, keep your digital footprint to a minimum and live a healthy offline life, but if you wanna use M$, use your PC as actually a PC, then you need to be security cautious, as they say; most users are not that tech savvy when it comes to security.

Richard Matthew Stallman, smart man.

About "those here saying antiviruses are useless need a reality check":

No, the real check needs to be on AV developers.

I have an old uTorrent ransomware exe that beats some, if not lots of, AV programs.

As you are a security analyst, do you want to see the exe and say what's the best AV to stop it?

 



  • 2 weeks later...

I use ESET; it's low on system resources and the popups are not bad. As Windows expert Mark Russinovich says, antiviruses take care of what they know about and help reduce the attack surface by eliminating all the malware they can detect, so you don't have to worry about it. Some antiviruses are inadequate and some are not; Windows Defender is INADEQUATE, that's why I say get rid of it and replace it with EMET. Also, ESET uses barely any resources, so you don't need to worry about CPU time, and it also helps to have an i7 quad-core CPU with hyperthreading and eight threads; no need to worry about CPU time. As for antiviruses and vulnerabilities, well, everything has vulnerabilities; Group Policy has vulnerabilities and malware does too, you can't escape vulnerabilities. You can reduce the number of vulnerabilities as much as humanly possible, and that's what definition and program updates are for.



On 6/19/2017 at 3:50 AM, knowledge said:

Richard Matthew Stallman, smart man.

About "those here saying antiviruses are useless need a reality check":

No, the real check needs to be on AV developers.

I have an old uTorrent ransomware exe that beats some, if not lots of, AV programs.

As you are a security analyst, do you want to see the exe and say what's the best AV to stop it?

 

No need to see the exe, as it's really easy to bypass any AV on the market; you'd be surprised that a simple XOR stub and some mathematical operations in assembly are enough to bypass any AV signature detection these days.

If you read my previous reply, antiviruses serve as a first wall of defense for the novice users, which I'd say is almost 90% of the PC market. I can't stop my dad from downloading those pesky attachments from the mail, or ask him not to insert any USBs from his friends into the PC, even though I have told him so many times not to do it. Antiviruses do a good job in keeping his PC clean, while I can just relax and do seldom manual checks on his PC.

We here at nsane distribute cracks and test them; AV does a clean job in detecting any malicious code put in there by a script kiddie.

I never said AVs are a one-stop solution for your security, but saying that they are useless is just completely messed up. As I say, the best way to remove viruses is to go offline from the digital world, or use Linux :rockon: (which has its fair share of 0-days as well).
