The security community has grown to depend on some basic technologies in the fight against cyber thieves, such as antivirus software and firewalls. But are practitioners clinging to tools that outlived their usefulness long ago? Were those tools ever really useful to begin with?
CSOonline.com recently conducted an unscientific survey on the matter, asking those questions to a variety of security forums on LinkedIn and following it up with e-mails and phone conversations. What follows are four technologies several cited as overrated in today's security fight.
We'll follow up next week with security technologies many believe are underrated. It's safe to predict that some of the technologies on this list will also appear there.
Antivirus
This one isn't a total surprise. Security experts for years have been complaining that antivirus has grown obsolete because the security vendors can't keep up with all the AV definition changes required to thwart every new piece of malware. In fact, some of the more advanced security practitioners of the world are ditching it altogether. In a previous story on the subject, David Litchfield, a leading database security expert who has authored such books as Oracle Forensics, The Oracle Hacker's Handbook and The Database Hacker's Handbook, summed up why he's lost faith in AV:
"As an experienced security guy, I have no faith in most of the AV packages out there because they're completely reactive, offer little advance protection, massively increase the attack surface and have a long history of vulnerable ActiveX controls," he said at the time. "I've never used AV software and I've never once been infected with a virus."
Most organizations are still advised to have AV software in place. But security experts generally agree IT shops need a variety of other security tools to go with it. In other words, companies need defense in depth.
"Any reactive security technology keeps failing more and more each year. AV does not work, [a fact] proven by a detection rate that degrades each year," said Ari Takanen, founder and CTO of Codenomicon in Finland. "All technologies that look for attacks can be worked around by building a tailored attack that will not be detected. Even if you take a five-year-old attack you probably see that it passes through undetected today. You just cannot keep building more and more walls around bad-quality technology."
Firewalls
Firewalls have faced equal scrutiny in recent years for similar reasons. But the biggest problem cited in our most recent poll is that the increasingly disappearing perimeter has rendered the technology obsolete.
"The firewall is the most worthless. It's dead. The perimeter is gone. We cannot afford enough firewalls to protect our devices," said Guy Hadsall, a Washington D.C.-based information security specialist. "In most cases, it's protection from ourselves. At best it's a check box on a PCI audit, at worst it's a pacifier to a user base intent on click-thru surfing."
IAM AND multi-factor authentication
Identity and Access Management and multi-factor authentication are not exactly the same thing. The latter is more a sub-category of access management. But they do have one thing in common, according to those who've become expert at using these technologies -- implementation is key.
The problem here isn't that identity and access management technology doesn't work as advertised. It's that many companies have failed to use it properly. "With any IAM solution, it takes years to get them to work correctly," said Scott Damron, a solutions engineer at Accuvant. Given the rapid evolution of malware and social engineering, companies simply don't have years to get it right, he said.
A similar point was made last week at the Security B-Sides event in San Francisco. There, presenters warned that badly-implemented IAM can be as bad as sticking with the insecure passwords it is meant to replace.
Jennifer Jabbusch, CISO at Carolina Advanced Digital Inc. in North Carolina, noted how companies implement multi-factor authentication but don't always get the implementation right. That's when the company is left with nothing but "feel-good security."
"We need to draw a line and not pursue solutions that simply offer a feeling of security," she said. "Things make you feel better don't really help."
Michael Santarcangelo, founder of the Security Catalyst Community, noted that users can diminish the usefulness of multi-factor authentication just as they've diminished the usefulness of passwords. "People will write their PINs right on their token. So have we decreased risk? We've created a bigger barrier but that's not enough," he said.
NAC
Damron, from Accuvant, fingered network access control (NAC) as overrated for the same reason as IAM: "It takes years to get it working correctly," he repeated.
Sharing that view is Tom Giangreco, information security officer at SchoolsFirst Federal Credit Union, formally Orange County Teachers Federal Credit Union.
"I would agree with the NAC appraisal. It's taken us more than three years to get it working according to our requirements and not those of a university campus, which they seem to have been designed for," he said.