Preemptive Security - Part 1

This page is part of the "legacy" version of the HTCC online presence. It's here for continuity and reference. This old content has been semi-retired since 2009, and is seldom updated. You'll find up to date information on security and other topics at the HTCC Blog.

I've also called this plan "Bullet-proof Security", although it's more of a bullet-proof vest than a full suit of armor. Although I believe it's hella stout defense, I use a separate computer for online banking, taxes and business transactions. I do use my everyday computer for credit card purchases though. [see part-3]

Part 2 — Windows 7 (and Vista)>>>
Part 2 — Windows XP>>>
Part 3 — Banking, et al.>>>

Rethinking online defense:

Proactive defense

The motivation of online attackers has morphed from graffiti to greed. International networks of skilled Internet criminals now design, sell and deploy sophisticated crimeware. Fresh attacks begin as soon as vulnerabilities become publicly known, and sometimes long before. Botnets — networks of compromised computers — are openly rented online. Exploitable data pilfered from victims is sold at commodity prices. [examples]

Reactive security programs can no longer keep up with the flood of emerging threats. There are now literally millions of new malware variants every year, and security software vendors cannot add new signatures (definitions) fast enough to keep up. Worse, the malware scanners themselves introduce new vulnerabilities of their own.

Like many others, because conventional protection was getting out of hand, I switched to a preemptive, behavior-based defense. That reduces the number of security programs needed for an adequate defense, and with fewer intrusive programs to slow it down, my computer is more responsive. The preemptive approach also means that I am more secure than I was before.

It's time to revise our online defense approach:

We're losing the war with the 20th Century strategy
The bad news
Malware is evolving too fast for antivirus apps to keep up
"Today's for-profit malware pushers use dedicated test labs and other increasingly professional techniques to improve their chances of infecting your computer. And the techniques they employ to outpace security software makers appear to be working."
Unsafe at any speed: 7 Dirty Secrets of the Security Industry
"The certification standards confirm that devices block 100 percent of all replicating malcode. The catch is that 75 percent of malcode coming into networks is non-replicating, such as Trojans. When the standard was set, non-replicating malcode represented 5 percent of malcode. Certification means [a product] caught 100 percent of 25 percent of the bad stuff."
Anti-Virus Firms Scrambling to Keep Up
"The sheer volume and complexity of computer viruses being released on the Internet today has the anti-virus industry on the defensive, experts say, underscoring the need for consumers to avoid relying on anti-virus software alone to keep their home computers safe and secure."
Talking malware with Eugene Kaspersky
How an online security leader sees the current battle against malware.
Windows and IE are no longer the only targets
Other programs are now targets for attack -- everything from security programs to media players is vulnerable.
Microsoft Office Under Siege
"Attackers and flaw finders are pounding away at Microsoft Office applications, discovering new ways to attack millions of Windows machines."
Another approach to online security that is similar to mine
"Gizmo" Richards has also concluded that the conventional "layered" approach to security offers diminishing returns.
The good news
Microsoft made online security easier. "Whoa," you say. "Aren't they at the root of most of our problems?" The answer is, not so much any more. In fact Windows 7 has been secure enough that most cyber-crooks have switched from attacking Windows itself to attacking the programs that run on it. Widely used programs like Adobe Reader, Adobe Flash and Java are now the favorite targets.
In 2002, Bill Gates wrote his second epic email, a call to get the security of Microsoft products under control. Microsoft has worked on "Trustworthy Computing" for over ten years now, and is also working with outside developers to get them up to speed on its Security Development Lifecycle (SDL).
Windows 7 was Microsoft's other major contribution to PC security. It is completely feasible to run Windows 7 as a "Standard" user, in contrast to XP, which is very inconvenient to run with reduced user rights. Used correctly under a Standard user account, Windows 7 is about ten times more secure than it is under an Administrator account: malware that runs as a Standard user cannot install drivers or services, write to the Program Files or Windows folders, or change system-wide settings without first getting past a separate privilege-escalation step.
Bill Gates's first epic email message was about the threat of the Internet to Microsoft's monopoly. He didn't put it in those terms, but that's what he meant. That's when they put Netscape out of business by giving Internet Explorer away free. But that's a whole other story.
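Here is an added example (my own illustration for this page, not anything from Microsoft) of how to check where you stand and how to set up the Standard account the paragraph above recommends. It runs on Windows 7 with the PowerShell 2.0 that ships with it, or anything newer. The account name "Daily" is a placeholder; pick your own.

```powershell
# Added example, not from the original page: see whether the session you are
# in is elevated, whether your account is in the local Administrators group
# at all, and how to add a Standard user for day-to-day use.
# Windows 7 / PowerShell 2.0 or later. "Daily" is a placeholder account name.

function Test-IsElevated {
    # True only when this process token actually holds the Administrators
    # role, i.e. an elevated "Run as administrator" session.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-IsAdminGroupMember {
    # True when the logged-on account belongs to Administrators at all.
    # Under UAC an admin's normal (filtered) token still lists the group,
    # marked deny-only, so this can be True while Test-IsElevated is False.
    # The goal of the advice above is for this to be False on your everyday
    # account. S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($g in $identity.Groups) {
        if ($g.Value -eq 'S-1-5-32-544') { return $true }
    }
    return $false
}

function New-StandardUser([string]$name) {
    # Needs an elevated session. 'net user <name> * /add' prompts for the
    # password twice, so it never lands in the command history. Accounts
    # created this way go into the Users group only, which is exactly what
    # Windows means by a "Standard user".
    if (-not (Test-IsElevated)) {
        throw "Run this from an elevated PowerShell prompt."
    }
    & net user $name * /add
    if ($LASTEXITCODE -ne 0) { throw "net user failed with exit code $LASTEXITCODE" }

    # Sanity check: the new account must NOT appear in Administrators.
    $admins = & net localgroup Administrators
    if ($admins -contains $name) { throw "$name unexpectedly ended up in Administrators" }
    return $true
}

"Elevated session:            $(Test-IsElevated)"
"Account is an administrator: $(Test-IsAdminGroupMember)"
# New-StandardUser 'Daily'      # uncomment, run elevated, then log on as Daily
```

The point of the two checks is that they answer different questions. An administrator who simply declines the UAC prompt is still an administrator; one bad click elevates whatever asked. Only when the second check comes back False for the account you use every day are you getting the benefit the paragraph describes. Keep one separate administrator account for installs and updates, and log on to it only when you need it.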

More security programs are not the answer:

They add more vulnerability than protection

Attackers now use "designer" malware built to get past security software. They test each variant to make sure it is not (yet) detected by popular antimalware programs. The security programs fail to detect the new variants, yet each one adds to the "surface area" exposed to attack. Installing too many signature-based programs is a liability, not an asset.

It may be time to toss out your antivirus software
Any program on your computer, not just the operating system, can be open to attack. Antivirus programs can be particularly vulnerable, since they work with files directly.
Flaw found in Symantec antivirus software
"This flaw does not require any end-user interaction for exploitation and can compromise affected systems, allowing for the execution of malicious code with system-level access," said eEye in a statement.
Why popular antivirus apps 'do not work'
They don't work because attackers test their malware to make sure the popular antivirus programs don't detect it.
Dr.Web anti-virus link checker
This Firefox extension moves virus scanning off your computer and onto Dr.Web's server. Use it when you have any suspicions about a website you are about to visit or a file you are about to download.
Attackers Take Trojans to the Bank
Focused attacks are increasing, and "bank Trojans" designed to disable or evade antispyware programs are becoming more successful.

A new security strategy:

Proactive, not reactive

Blocking viruses and spyware by using signature-based scanning is a reactive measure. There's no way to keep signatures up to date for the new malware that's churned out every day. Some crimeware is even repacked automatically so that every copy has a different signature. Virus scanning still has its place, but you also need something smarter.

Malware has to find a way to install itself before it can initiate harmful action. Most of these installation behaviors are well known: writing an entry to one of the registry Run keys or a Startup folder, registering a new service or driver, injecting code into a running process, or altering the hosts file. Why not watch for this malicious behavior instead of trying to catch every variant of the malware? If you can block installation, the malware is stymied.
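To make the "watch the behavior, not the signature" idea concrete, here is an added example of my own (not code from the page's author or from any of the products it mentions). Rather than look for known malware, it lists the autostart locations that malware commonly writes to in order to survive a reboot, flags entries that look out of place, and can diff the list against a saved baseline so anything new stands out. The "suspicious" heuristics (user-writable folder, missing file, no valid signature) are this example's own choices; the registry keys and folders are the standard Windows ones. Windows 7 with PowerShell 2.0 or later.

```powershell
# Added example, not from the original page: a behavior-based audit of the
# places malware commonly installs itself to persist across reboots.

$AutorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),                                        # this user
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')   # all users
)
# Folders a non-admin process can write to. Legitimate autostart programs
# normally live under Program Files or Windows instead. (Heuristic, my choice.)
$UserWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:PUBLIC)

function Get-ExePath([string]$command) {
    # Pull the program out of a Run-key command line, e.g.
    #   "C:\Program Files\Foo\foo.exe" /silent  ->  C:\Program Files\Foo\foo.exe
    $command = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($command -match '^"([^"]+)"') { return $Matches[1] }
    if ($command -match '^(\S+)')     { return $Matches[1] }
    return $command
}

function Get-AutorunEntries {
    # One object per autostart entry: Source, Name, Command, Path
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            # Skip the bookkeeping properties Get-ItemProperty adds
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            New-Object PSObject -Property @{
                Source = $key; Name = $p.Name
                Command = [string]$p.Value; Path = Get-ExePath ([string]$p.Value)
            }
        }
    }
    foreach ($dir in $StartupDirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Force | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
            New-Object PSObject -Property @{
                Source = $dir; Name = $_.Name; Command = $_.FullName; Path = $_.FullName
            }
        }
    }
}

function Test-SuspiciousAutorun($entry) {
    # Returns the reasons an entry deserves a look, or nothing if it seems fine.
    # Shortcuts (.lnk) in a Startup folder are never Authenticode-signed, so
    # they will always be reported; check what they point at by hand.
    $reasons = @()
    $path = $entry.Path
    if (-not $path -or -not (Test-Path -LiteralPath $path)) {
        $reasons += 'target file does not exist'
        return $reasons
    }
    foreach ($dir in $UserWritable) {
        if ($dir -and $path.StartsWith($dir, 'OrdinalIgnoreCase')) {
            $reasons += "runs from user-writable folder $dir"
            break
        }
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
    return $reasons
}

function Save-AutorunBaseline([string]$file) {
    Get-AutorunEntries | Select-Object Source, Name, Command |
        Export-Csv -Path $file -NoTypeInformation
}

function Get-NewAutoruns([string]$file) {
    # Entries present now that were not in the saved baseline
    $old = @(Import-Csv -Path $file)
    $new = @(Get-AutorunEntries | Select-Object Source, Name, Command)
    if ($old.Count -eq 0) { return $new }
    Compare-Object -ReferenceObject $old -DifferenceObject $new -Property Source, Name, Command |
        Where-Object { $_.SideIndicator -eq '=>' }
}

# Usage: report anything that looks off, then record today's state for next time.
Get-AutorunEntries | ForEach-Object {
    $why = Test-SuspiciousAutorun $_
    if ($why) { "{0}`n  in {1}`n  -> {2}" -f $_.Command, $_.Source, ($why -join '; ') }
}
# Save-AutorunBaseline "$env:USERPROFILE\autoruns-baseline.csv"
# Get-NewAutoruns     "$env:USERPROFILE\autoruns-baseline.csv"
```

Run it once on a machine you trust and save the baseline. From then on, the interesting output is not the full list but the diff: a new Run entry pointing at something under %APPDATA% with no valid signature is exactly the installation behavior the paragraph is talking about, and you can see it without knowing a single signature for the malware that put it there. This only covers the most common persistence spots (no services, scheduled tasks or browser add-ons), so treat it as a starting point, not a replacement for a real behavior blocker.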

There's another dimension of behavior that can be blocked too. Malware has to come from somewhere. Some websites silently install malware when you visit. Others serve up malware disguised as useful software. Why not block those evil websites?

There are now online services that screen websites for malware and other adverse behavior. The best of these services are augmented by human networks that report problem websites. McAfee SiteAdvisor and Exploit Prevention Lab's LinkScanner are prime examples of services that block malware at the website level. Firefox 3 natively blocks access to websites that are known to attack visiting computers, using Google's Safe Browsing list.
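The services above do their blocking with large, constantly updated reputation lists. For readers who want to see the mechanism at its simplest, here is an added example of my own (not part of the page and not how SiteAdvisor, LinkScanner or Firefox do it): a local-only blocklist that pins hostnames you have decided are malicious to 0.0.0.0 in the Windows hosts file, so nothing on the machine can resolve them. It has to be run from an elevated prompt, because the hosts file is writable only by administrators. The names in $BadSites are made-up placeholders, not a real blocklist.

```powershell
# Added example, not from the original page: a do-it-yourself, local-only
# version of "block the evil websites" using the Windows hosts file.
# Run elevated. Windows 7 / PowerShell 2.0 or later.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Marker    = '# added-by-blocklist-example'   # tags our lines so we can undo cleanly

# Placeholder names for this example; substitute domains you actually want blocked.
$BadSites = @('malware.example', 'drive-by.example', 'fakeupdate.example')

function Add-HostsBlock([string[]]$domains) {
    # Appends one 0.0.0.0 line per new domain. Domains already present on
    # any hosts line are skipped, so re-running the function is harmless.
    $existing = @(Get-Content -Path $HostsPath -ErrorAction SilentlyContinue)
    $lines = @()
    foreach ($d in $domains) {
        $d = $d.Trim().ToLower()
        if (-not $d) { continue }
        $pattern = '^\s*\S+\s+' + [regex]::Escape($d) + '(\s|$)'
        if ($existing -match $pattern) { continue }
        $lines += "0.0.0.0`t$d`t$Marker"
    }
    if ($lines.Count -gt 0) {
        Add-Content -Path $HostsPath -Value $lines -Encoding Ascii
        & ipconfig /flushdns | Out-Null   # drop cached answers so the block applies now
    }
    return $lines.Count
}

function Remove-HostsBlock {
    # Undo: strip every line carrying this script's marker, leave the rest alone.
    $kept = @(Get-Content -Path $HostsPath) | Where-Object { $_ -notmatch [regex]::Escape($Marker) }
    Set-Content -Path $HostsPath -Value $kept -Encoding Ascii
    & ipconfig /flushdns | Out-Null
}

function Test-HostsBlocked([string]$domain) {
    # True when the resolver now hands back 0.0.0.0 for the name.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($domain) | ForEach-Object { $_.IPAddressToString }
        return [bool]($addrs -contains '0.0.0.0')
    } catch {
        return $false   # the name did not resolve at all
    }
}

$added = Add-HostsBlock $BadSites
"Added $added new hosts entries"
foreach ($site in $BadSites) { "{0,-25} blocked: {1}" -f $site, (Test-HostsBlocked $site) }
# Remove-HostsBlock            # to take the entries out again
```

Two limits worth knowing. A hosts entry blocks one exact hostname, not a whole domain and not the next domain the attacker registers tomorrow, which is why a reputation service with a live feed does the job better. And the hosts file is itself a favorite target: malware that can write to it will redirect your bank's hostname to a server of its own. That is one more reason to spend your day in a Standard user account, which cannot modify the file.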

If you visit the websites behind the software and services that I use in my setups, [XP] [7] you'll learn more about how they add "smarts" to security. You'll also discover that this strategy is not original with me. ;-)
