Preemptive Security - Part 1
This page is part of the "legacy" version of the HTCC online presence. It's here for continuity and reference. This old content has been semi-retired since 2009, and is seldom updated. You'll find up to date information on security and other topics at the HTCC Blog.
I've also called this plan "Bullet-proof Security", although it's more of a bullet-proof vest than a full suit of armor. Although I believe it's hella stout defense, I use a separate computer for online banking, taxes and business transactions. I do use my everyday computer for credit card purchases though. [see part-3]
Part 2 — Windows 7 (and Vista)>>>
Part 2 — Windows XP>>>
Part 3 — Banking, et al.>>>
Rethinking online defense:
The motivation of online attackers has morphed from graffiti to
greed. International networks of skilled Internet criminals now
design, sell and deploy sophisticated crimeware. Fresh attacks begin as soon as
vulnerabilities become publicly known, and sometimes long before. Botnets
— networks of compromised computers — are openly rented online.
Exploitable data pilfered from victims is sold at commodity prices. [examples]
Reactive security programs can no longer keep up with the flood of
emerging threats. There now are literally millions
of new variants of malware every year. Security software vendors can no
longer add new signatures (definitions) fast enough to keep up. And the malware
scanners introduce new vulnerabilities of their own.
Like many others, because conventional protection was getting out of
hand, I switched to a preemptive, behavior-based defense. That reduces
the number of security programs needed for an adequate defense, and with fewer
intrusive programs to slow it down, my computer is more responsive. The
preemptive approach also means that I am more secure than I was before.
It's time to revise our online defense approach:
We're losing the war with the 20th Century strategy
The bad news
- Malware is evolving too fast for antivirus apps to keep up
- "Today's for-profit malware pushers use dedicated test labs and other increasingly professional techniques to improve their chances of infecting your computer. And the techniques they employ to outpace security software makers appear to be working."
- Unsafe at any speed: 7 Dirty Secrets of the Security Industry
- "The certification standards confirm that devices block 100 percent of all replicating malcode. The catch is that 75 percent of malcode coming into networks is non-replicating, such as Trojans. When the standard was set, non-replicating malcode represented 5 percent of malcode. Certification means [a product] caught 100 percent of 25 percent of the bad stuff."
- Anti-Virus Firms Scrambling to Keep Up
- "The sheer volume and complexity of computer viruses being released on the Internet today has the anti-virus industry on the defensive, experts say, underscoring the need for consumers to avoid relying on anti-virus software alone to keep their home computers safe and secure."
- Talking malware with Eugene Kaspersky
- How an online security leader sees the current battle against malware.
- Windows and IE are no longer the only targets
- Other programs are now targets for attack -- everything from security programs to media players are vulnerable.
- Microsoft Office Under Siege
- "Attackers and flaw finders are pounding away at Microsoft Office applications, discovering new ways to attack millions of Windows machines."
- Another approach to online security that is similar to mine
- "Gizmo" Richards has also concluded that the conventional "layered" approach to security offers diminishing returns.
The good news
- Microsoft made online security easier. "Whoa," you say. "Aren't they at the root of most of our problems?" The answer is, not so much any more. In fact Windows 7 has been secure enough to cause most cyber-crooks to switch away from Windows to programs that run on Windows. For example, widely used programs like Adobe Reader, Adobe Flash, Java, etc., are now favorite targets.
- In 2002, Bill Gates wrote his second epic email. It was a call to get the security of Microsoft products under control. They've worked on "Trustworthy Computing" for over ten years now, and are also working with outside developers to get them up to speed on Microsoft's Security Development Lifecycle (SDL).
- Windows 7 was Microsoft's other major contribution to PC security. It is completely feasible to run Windows 7 as a "Standard" user, in contrast to XP, which is very inconvenient to run with reduced user rights. Windows 7 is about ten times more secure if used correctly under a Standard user account compared to running under an Administrator account.
- Bill Gates's first epic email message was about the threat of the Internet to Microsoft's monopoly. He didn't put it in those terms, but that's what he meant. That's when they put Netscape out of business by giving Internet Explorer away free. But that's a whole nother story.
More security programs are not the answer:
They add more vulnerability than protection
Attackers now use "designer" malware to get past security software. They
test each variant to make sure it is not (yet) detected by popular antimalware
programs. The security programs fail to detect the new variants, but they
increase the "surface area" exposed to attack. Installing too many
signature-based programs is a liability, not an asset.
- It may be time to toss out your antivirus software
- Any program on your computer, not just the operating system, can be open to attack. Antivirus programs can be particularly vulnerable, since they work with files directly.
- Flaw found in Symantec antivirus software
- "This flaw does not require any end-user interaction for exploitation and can compromise affected systems, allowing for the execution of malicious code with system-level access," said eEye in a statement.
- Why popular antivirus apps 'do not work'
- They don't work because attackers test their malware to make sure the popular antivirus programs don't detect it.
- Dr.Web anti-virus link checker
- This Firefox extension takes the virus scanning off your computer and puts it on the Dr. Web server (online computer). Use it when you have any suspicions about a website to visit or file to download.
- Attackers Take Trojans to the Bank
- Focused attacks are increasing, and anti-antispyware "bank Trojans" are becoming more successful.
A new security strategy:
Proactive, not reactive
Blocking viruses and spyware by using signature-based scanning is a
reactive measure. There's no way to keep signatures up to date for the
new malware that's churned out every day. Some crimeware is even designed to
generate a new signature for each attack. Virus scanning still has its place,
but you also need something smarter.
Malware has to find a way to install itself before it can initiate
harmful action. Most of these installation behaviors are well known.
Why not watch for this malicious behavior instead of trying to catch every
variant of the malware? If you can block installation, the malware is
stymied.
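An added example, not part of the original page or any product it mentions: it contrasts a hash-based signature check with a behavior rule that watches for unapproved writes to Windows autostart locations. The events, process names, hash set and approved-installer list are all constructed for illustration.

```python
import hashlib

# Constructed stand-in for a signature database: the hash of one known sample.
KNOWN_BAD = {hashlib.sha256(b"dropper-body").hexdigest()}

# Well-known Windows autostart locations (lowercased for matching).
AUTOSTART = (
    r"\software\microsoft\windows\currentversion\run",
    r"\start menu\programs\startup",
)

# Hypothetical allowlist: installers the user has explicitly approved.
APPROVED = {"approved_setup.exe"}

# Constructed events, as a behavior monitor might report them.
EVENTS = [
    {"proc": "invoice.exe", "image": b"dropper-body", "action": "reg_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
    # Same program with one padding byte appended: a "new variant".
    {"proc": "invoice2.exe", "image": b"dropper-body\x00", "action": "file_write",
     "target": r"C:\Users\sam\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\upd.lnk"},
    {"proc": "notepad.exe", "image": b"editor", "action": "file_write",
     "target": r"C:\Users\sam\Documents\notes.txt"},
    {"proc": "approved_setup.exe", "image": b"installer", "action": "reg_set",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\app"},
]

def signature_hit(event):
    """Reactive check: exact hash match against known samples."""
    return hashlib.sha256(event["image"]).hexdigest() in KNOWN_BAD

def behavior_hit(event):
    """Preemptive check: unapproved write to an autostart location."""
    if event["action"] not in ("reg_set", "file_write"):
        return False
    target = event["target"].lower()
    persists = any(marker in target for marker in AUTOSTART)
    return persists and event["proc"] not in APPROVED

def evaluate(events):
    """Return (process, signature verdict, behavior verdict) per event."""
    return [(e["proc"], signature_hit(e), behavior_hit(e)) for e in events]

if __name__ == "__main__":
    for proc, sig, beh in evaluate(EVENTS):
        print(f"{proc:20} signature={sig!s:5} behavior={beh}")
```

The padded variant slips past the signature check but is still caught by the behavior rule, while the approved installer and the ordinary document write are left alone.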
There's another dimension of behavior that can be blocked
too. Malware has to come from somewhere. Some websites silently
install malware when you visit. Others serve up malware disguised as useful
software. Why not block those evil websites?
There are now online services that screen websites for malware and
other adverse behavior. The best of these services are augmented by
human networks that report problem websites. McAfee SiteAdvisor and Exploit
Prevention Lab's LinkScanner are prime examples of services that block malware
at the website level. Firefox 3 natively blocks access to websites that are
known to attack visiting computers.
If you visit the websites behind the software and services that I use in my
setups, [XP] [7] you'll learn more about how they add "smarts" to security. You'll also discover
that this strategy is not original with me. ;-)