Wednesday, January 23, 2008

Ten Common Security Myths

While browsing and in discussion with friends, I have come across many 
misconceptions regarding security. Some of them are planted by the marketing division of software companies, some are the result of fanboyism and some are due to plain ignorance. The following are some of the most common:

Myths regarding the OS:

  • Windows is insecure because of its popularity : Perhaps the most widely repeated myth, since it was propagated by Microsoft to lessen the perception of its own failures. The older Windows was insecure because it was not a multi-user system with privilege protection. Windows XP is insecure because of the user running as administrator by default, with the additional burden of ActiveX. Windows Vista has been made far more secure, and it is highly unlikely to face the same security problems to the same extent that dogged its predecessors.

  • Vista is the most secure OS ever : However, once Microsoft does something even partially right, its marketing machine goes into overdrive. Microsoft Vista is the most secure version of Windows for the desktop, but it lags behind many Linux distros or BSDs as far as implementation of its security features is concerned. User Account Control with protected mode offers incomplete security, and can be bypassed. Linux users have a one click system to reduce the user-days-of risk for all software. Furthermore, Linux and BSDs have a more transparent security process which greatly aids security. For a more detailed discussion of Linux vs Windows security, 
    look here

  • If you use Linux, you cannot be compromised : It is true that many Linux distros are more secure than Windows, but that does not make it impregnable to intrusion. The truth is that Linux is insecure if improperly used, some Linux distros do use insecure defaults, and it would be a betrayal of the ideals of transparency and openness if such a fact were to be obfuscated from a new user by blatant fanboyism. The security of a system depends primarily on the user, and if any user forgets patches or is caught off guard, his or her system may be destroyed. There are too many web server exploits to even think of saying that Linux is inviolable.

  • For total safety, you need anti-viruses on Linux : Linux desktop clients operate in a much less hostile environment than Windows. The diverse environment of Linux is itself protective. There are as yet no widespread Linux viruses. Furthermore, the viruses need root permission to run. Now, if you are going to run an untrusted program as root, then the major vulnerability of your system resides in you. As yet, there is no need for a Linux anti-virus, just keep the basics right, i.e do not run untrusted programs as root (in fact, do not use root at all other than for updating your system or very essential work), keep your software up to date, and that is that. Desktop Linux does not need (and probably won't need, at least in the near future) any anti-viruses.

  • Keeping up to date with all the vendor patches will keep you secure against vulnerabilities : While this is true for most Linux distributions with programs downloaded from their repositories, this is certainly not true for Windows. You have to update each and every non-Microsoft program individually in order to be safe. In fact, some of the biggest exploits in the recent past have directed non-Microsoft software. Do yourself a favor if you are using Windows, download Secunia Personal Security Inspector and run it regularly. For Linux users, download your software from the repositories, if by any chance the software you need is not present in the repository, make sure to add the source of your software to your Software manager, or be sure to update it manually.

Myths regarding measurement of security:

  • A product having a higher vulnerability count is more insecure. As put nicely by Window Snyder, formerly a Senior security strategist at Microsoft, presently head of security at Mozilla: “Number of vulnerabilities identified is a function of how many bugs are present, but is probably more influenced by things like who is looking, and how good they are at finding security issues. That makes it a misleadingmetric” Vulnerability comparisons between Open and closed source products have an added confounding factor in the philosophy of their disclosure, with closed source products commonly hiding internally found vulnerabilities to fix it along with a major update or service pack. What is more important therefore, is how fast the vulnerabilities were fixed by the vendors and how fast the user downloaded the vendor released patch. Therefore, always ask these two questions: I) Does the vendor release the patches quickly for each and every vulnerability? ii) Does the Software have a mechanism by which the vulnerability may be notified to the user and the security updates downloaded and installed simply and fast?

Myths regarding browsers

  • You will be protected from malware/spyware if you use such and such browser : A totally misleading fanboyish statement. Browsers, be it Firefox or Opera , do not intrisically protect against spyware, (even though a majority of the spyware attaches itself through Internet Explorer). The main protection against spyware and other malware is through safe browsing practices and keeping your computer updated. No graphical browser is totally safe. In fact, no software is totally safe, but I am digressing.

Myths regarding Anti-Viruses:

  • An anti-virus having a higher detection rate is always a better anti-virus : Not necessarily. While a high detection rate is a necessary feature of a good anti-virus, other features like the number of false positives, features like boot time scanning, proactive network and e-mail scanning and consumption of system resources are also important indicators. The choice of anti-virus has to be made keeping all these features in mind.

  • Two anti-viruses are better than one : Using more than one anti-virus causes extra consumption of system resources, software conflicts, system instability and crashes, i.e precisely the same things you were trying to prevent when you installed the anti-virus in the first place. There are chances of false positives from one anti-virus scanning another. Besides this, an extra anti-virus will increase the vulnerability footprint of your system. If you already use a good anti-virus, a second one will not increase the detection rate by much, but may cause more harm than good.

  • Keeping an updated anti-virus and anti-spyware with regular scanning is enough to keep you secure : Anti-viruses and anti-spyware are one of the last lines of defense, but the primary defense is the user. Anti-viruses and anti-spyware are actually flawed security tools, depending on a blacklist of signatures (Good security is whitelist based, rather like a firewall passing only packets that are explicitly defined, and blocking all others). Therefore, some viruses or worms will be missed by even the best of these tools. Furthermore, antiviruses certainly do not help you in the event of phishing. Computer attacks have become increasingly sophisticated, and anti-viruses and anti-spyware (even though they remain important) increasingly find themselves on the fringe of the action.