The Future of Computer Security

People keep asking me:

“Is AV dead? Is HIPS the ultimate solution? Are we going to need to have chips surgically implanted in our…”

Okay, let’s not degenerate this in the first fifty words. I’d like to start with some facts about the state of software security for PCs.

  1. The world does not protect itself against Zero Day attacks. The majority thinks it does, but reality begs to differ.
  2. People buy AV products because they don’t know any better. Ignorance is bliss, but not in security. Security checks have been bumped up since 9/11 – enough said.
  3. People are lazy, myself leading that pack. We want things done, but we don’t want to lift a finger. It’s 2007, so we shouldn’t have to!

Let me expand on these points.

1. The world does not protect itself against Zero Day attacks.
Our primary protection is the use of software products called AV (antivirus). These products essentially create a signature for the malware, which functions much like a mug shot does for a criminal, but only after the crime has been committed. In PCland, AV can never be used as protection against Zero Day attacks because the virus signature (a.k.a. the mug shot) has not been created yet; hence, no protection. In an ideal, if not idiotic, world, virii authors would be kind enough to submit their malware to AV vendors, wait for them to create signatures and update their AV users, and then release their malware to the public so that we could catch zero day attacks. We can expect that about as much as we can expect the criminal to go to the police and say “hey, I’m going to commit a crime”, and the police to prevent the crime. My point: we just don’t protect ourselves against Zero Day attacks.

2. People buy AV products because they don’t know any better.
People buy a lot of AV, so it must be the best protection available, right? Wrong. This is not a good argument. People buy a lot of cigarettes, too. This is not to discredit AV; it does what it was designed to do, but it just isn’t enough by itself. Fraudsters and their toys are a force to be reckoned with, and AV alone isn’t up to the fight.

3. People are lazy.
Look around you: we built washing machines because we got tired of hauling our laundry and the washboard to the river and back. We built dishwashers so husbands wouldn’t have to wash dishes (and spot on, I say!). From cars to nappies, humans demand easy-to-use, painless solutions that give us more time for ourselves and deliver the desired outcome with minimal effort. We want the same from our internet security. We can clap our hands and turn on a lamp, so we should be able to “plug and protect” our PCs just as easily.

The future, from my point of view.
Our houses have doors, burglar alarms and insurance. Well, most do, at least. If you don’t have a door, a burglar can walk in and steal your PC; thus, the door prevents the burglar from entering.

But Melih, doors can be kicked in!

Yes, they can, so continuing to get stronger doors isn’t much of a solution. This is why we should never rely on just one layer of security. The door to the house isn’t enough, so we install a burglar alarm. If he can get in, at least we can detect him – prevention plus detection, two layers. Let’s say he cuts your electric wires or manages to turn off the burglar alarm in another way (They make it look so easy on TV, don’t they?). He walks away with not only your computer, but your priceless stamp collection, too. This is why we have insurance, to recover the value of stolen items. Thus, insurance is the cure, the third layer in our layered approach. Stacking up these layers, in order, to protect the PCs in our homes, we have:

  1. A door for prevention
  2. A burglar alarm for detection, and
  3. Insurance for the cure.

I thought you were going to tell us how to secure our PCs, not our homes, Melih!

I just did. The layered approach can be just as easily applied to our PCs. We use AV as our main source of defense, but is AV prevention? No, it’s detection, the veritable burglar alarm for a PC, but it must have the malware signature – the burglar’s mug shot – or it won’t sound the alarm. A new burglar, however, has a free pass, and no alarm goes off. This, my friends, is the infamous Zero Day attack, which our AV allows to happen. Now relax, AV devotees. I’m not saying AV is ■■■■; I’m just pointing out its weaknesses, so calm down. With AV, our PC “house” has a burglar alarm but no door. Ridiculous, right? But that’s how it is! Some of us employ Firewalls too, but that’s also a form of detection, with a little prevention thrown in, if it’s a decent Firewall that doesn’t leak. If a firewall does leak, it lets the burglar (malware) take something out of the house or, in firewallspeak, make a call to the Internet with your sensitive information. A good firewall sounds an alarm in the form of a popup when this happens, and a really good firewall gives you advice on what to do next. You need both the AV and the firewall to detect someone coming in and things going out. So now our PC house has a decent burglar alarm (detection), but no door. Yikes!

Dude, where’s my door?
This is where we are challenged and need to change the model altogether. We are backwards when it comes to our default settings, but we can overcome this. Today, it’s fair to say that PCs are running with the “default: allow” function, which means they are allowing everything to run and hoping to catch the bad stuff before it executes. It’s more of a swinging gate than a door, and can’t really provide the prevention we seek.

So we should run with the “deny all” function and only allow the good stuff, right?

Bingo. With the “default: allow” in place, we operate on a system of “blacklisting”, blocking only the things that we know ahead of time are destructive. By reversing that and only granting entry to those names on the “whitelist”, we save ourselves the hassle of trying to figure out who’s good and who’s bad. If you aren’t on the list, you’re not coming in, period. Thus, we have a door, it’s solid, and it’s locked.

But Melih, who wants to deal with all the popups asking us if we trust ‘this or that’?

Frankly, no one, but why are we making the assumption that the whitelist database will be limited? It is feasible to create a very cogent whitelist security layer which will be virtually noise-free for the average user, and that is exactly what we are doing.

The days of going to bed without locking the front door are long past. PC security is, or should be, just as important as the security of our homes and personal belongings. We deserve to live our lives without the constant worry of burglary and vandalism, and only a layered approach will give us that peace of mind in regard to our computers.

Melih’s prediction: prevention will become the first line of defense!

thank you

Melih
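The “default: allow” versus “deny all” argument above, as an added example that is not code from the original post or from Comodo. It models the two policies side by side: a blacklist that only blocks programs it already has a “mug shot” for, and a whitelist that admits a program only when its hash or its publisher is known good. The samples, hashes, publisher names and policy tables are all constructed; the publisher field stands in for what a real product would take from a verified code signature, and the trusted-publisher rule is the way the thread later describes trusting the source so that every component of one application is not prompted for.

```python
"""Default-allow (blacklist) versus default-deny (whitelist) execution control.

Added example, not code from the original post or from Comodo. The samples,
hashes, publisher names and policy tables are all constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Executable:
    """A program asking to run: its bytes and the publisher it claims.

    In a real product the publisher comes from a verified code signature;
    here it is a plain field, so treat it as a constructed stand-in.
    """
    name: str
    content: bytes
    publisher: Optional[str] = None  # None = unsigned / unknown source


def fingerprint(exe: Executable) -> str:
    """The 'mug shot': a SHA-256 of the file contents."""
    return hashlib.sha256(exe.content).hexdigest()


# Constructed samples. ZERO_DAY is the new burglar nobody has a mug shot for yet.
KNOWN_GOOD = Executable("editor.exe", b"constructed: benign text editor", "Example Corp")
VENDOR_COMPONENT = Executable("helper.dll", b"constructed: one of many vendor components", "Example Corp")
KNOWN_BAD = Executable("oldworm.exe", b"constructed: malware already signatured")
ZERO_DAY = Executable("zero_day.exe", b"constructed: brand-new malware")

# AV-style blacklist: fingerprints of malware seen so far (the mug shots).
BLACKLIST = {fingerprint(KNOWN_BAD)}

# Whitelist: fingerprints vetted as good, plus publishers trusted as a source,
# so that the thousands of components of one trusted application are allowed
# without a popup for each one.
WHITELIST = {fingerprint(KNOWN_GOOD)}
TRUSTED_PUBLISHERS = {"Example Corp"}


def default_allow(exe: Executable) -> bool:
    """Blacklist mode ('default: allow'): run unless a signature already exists."""
    return fingerprint(exe) not in BLACKLIST


def default_deny(exe: Executable) -> bool:
    """Whitelist mode ('deny all'): run only if hash or publisher is known good.

    The blacklist still applies first, so a whitelisted file later found to be
    malicious can be revoked without touching the whitelist (two layers).
    """
    if fingerprint(exe) in BLACKLIST:
        return False
    if fingerprint(exe) in WHITELIST:
        return True
    return exe.publisher in TRUSTED_PUBLISHERS


def compare(exe: Executable) -> dict:
    """Decision of both models for one program."""
    return {"default_allow": default_allow(exe), "default_deny": default_deny(exe)}


if __name__ == "__main__":
    for sample in (KNOWN_GOOD, VENDOR_COMPONENT, KNOWN_BAD, ZERO_DAY):
        print(f"{sample.name:16} {compare(sample)}")
```

Running it shows the point of the post in one table: the blacklist passes `zero_day.exe` because no signature exists yet, while the whitelist denies it without needing to know anything about it, and the vendor's component is admitted through the publisher rule rather than a popup.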

Thank you for this extensive message; it’s kind of a compilation of the advice and opinions you often give in your posts. There are really quite a few people who could make use of reading this, to understand a little more about what they need to protect themselves.

Where I live, in Sweden, we are among the most “internetized” people in the world. We shop and we do our banking on the net. But the awareness of security problems is not in proportion to the measures taken. What I mean is that “everybody” knows they need an AV, quite few know about prevention, and quite few are truly secure.

Almost every week there is something on the news concerning internet and banking related frauds. The whole thing is exploding. This far, the banks have (in the very most cases, I believe) compensated their customers, but there is a discussion on how long they can continue - when, and in which kind of cases, will it be the consumers’/customers’ responsibility to have a secure PC? Related to this there are always some kind of PC security experts who talk about the importance of an updated AV. Always an updated AV. You don’t hear much more! Oh, sometimes they mention “an updated firewall” as well. But the advice from the TV news is always very simple and, unfortunately, not really sufficient.

Sadly, I think the job of informing people - and from that making them truly secure on their computers - is close to impossible… sorry for being pessimistic. It’s a result of what I hear on the TV, read on the net, and hear from people. There isn’t enough knowledge among people to secure the computer world.

Now, luckily, one doesn’t have to be an expert to be safe, with the best software. Comodo is advancing fast here! Already with, most likely, the very best prevention. You’ve heard it before and I can only say it again: keep up the good work, Comodo!

Regards,
LA

Melih forgot one important thing: the Pit Bull dog in the house called CBOClean ;D Waf waf grrrrr … :stuck_out_tongue:

Greetz, Red.

No one could explain it better, EXCELLENT WORK COMODO!!!

and a special thank you to Melih!

Thank you Josh :slight_smile:

Melih

Another interesting article sharing our vision.

Melih

Interesting. I particularly like this little paragraph

So even if AV technology was capable of stopping viruses effectively, which it isn't, it would have no contribution to make to the management of executables. Whitelisting software does because, aside from stopping all malware stone dead, it can prevent the use of old versions of software or software that violates corporate policy.

Did you read through the posted Comments, Melih? I’m most interested in your thoughts on the post by “Dr. Vesselin Bontchev” about the # of executables generated. Is this realistic, or is the source smokin’ something funny?

I realize the solution to a massive database is posted further down, as you have already discussed at other times here - you only validate what you need. The level of detail to what is checked (exe, dll, sys, etc) combined with Exceptions seems to me to eliminate the rest of the issues. Exceptions with detail is really the key; similar to v3, but (IMO) going even further than the six categories we can currently apply it to - I’d like to see Exceptions across the board on all Defense+ categories (so they’re not “global” for any application).

LM

The number of executables and the number of applications are two different things. It could be one application but have thousands of executables. Once you trust the source of the application, it’s fair to assume you can trust the components of that application. I am sure there are many executables being generated, but what is of interest is how many of them make it to the public. Those are of interest to us. There are a few more little features that will make Defense+ virtually noiseless. They should be launched soon with the beta.

Melih

I don’t think I agree with the statement of whitelisting being the final solution. I believe that a layered solution is always going to be the best solution. Isn’t that your opinion, Melih? It’s not a quote but I think it’s close. A combination of AV and a Firewall/HIPS program similar to what I hope CPF V3 is going to turn out to be, and a hardware firewall, is always going to be my option.
You can see my post as to why here

By the way, Melih has said that down the road there will be a network management console for CFP v3. We will have to see exactly what its capabilities will be when it is included in the future. Hope you don’t mind my mentioning this, Melih.
I’m really hoping to get in the beta or alpha of this when it comes out (:WIN)

Yes, it might work as a large part of the solution in a corporate environment, and maybe a very desirable part of that solution would be absolute control over applications. However, that is achievable only with Windows controls, so why would a company see that as an advantage if they are not already enforcing that option?

As for the home user, anytime the user has the option to select Accept or Deny there will be a problem with viruses, also in a pure whitelist environment downloadable by the web. The coders are going to turn all their attention to trying to get their code on the whitelist in some way or another; the list will have to be accessible to the web or network unless it is machine based and managed by a central console, or both. Do you really believe users are going to be willing to give up that much control of their machine, where if a program is not on the whitelist they cannot run it? How many users will scream out when they cannot download and install that cool Web Screensaver that their friend showed them? And if they have the option to allow it, they will!!! Or, as was said by Dr.

And you can't offload the decision whether something should be allowed to run or not to the user, either - because the user is even more incompetent and will make mistakes even more often. After all, if the users could really decide whether a program should be allowed to run or not on their computers, they wouldn't get infected in the first place!

In the words of another forero on another forum:
Just my 10 cents

OD (R)

Here is a little something I wrote about layered security:
https://forums.comodo.com/melihs_corner_ceo_talkdiscussionsblog/layered_security_why_this_is_the_only_way_forward-t10172.0.html

thanks
Melih

Is CFP Defense+ one key to the future of preventing the activities of malware?

Andreas

yes

Melih

Melih,

Don’t know if you’ve seen this:

http://news.com.com/2010-7348_3-6195322.html?part=rss&tag=2547-1_3-0-5&subj=news

He seems to be on the same lines as you.

Peter.

I think the voice demanding a new solution (CFP v3 :slight_smile: ) is getting louder by the day…

So we will see many more people writing about this.

Lucky we have CFP v3 to solve all this :slight_smile:

Melih

Very Interesting Article… but like so many I’ve read and researched… long on what doesn’t and isn’t working anymore… and short on where to go from here… No common/collective direction and strategy from all components/professionals in the “Internet Security” battle!!
Having said that, I believe in and support COMODO. (:KWL)

Forgive me for my blunt ignorance, but why doesn’t a Firewall fall under the Prevention category? Yes, it may seem like a layer where “allow:all” is given access to the firewall, making the firewall a detection device… but so is any vanguard layer of protection. Whatever your door might be, the public is bumping into it in an “allow:all” fashion, even if the door itself is configured “deny:all”.

The question remains; why can’t a Firewall be that door?

Or better, why can’t an AV with firewall-like abilities to system resources be considered a door?

Both technologies exist with a White-List, if the software is worth its weight.

Are you suggesting using a firewall to deny all incoming traffic, hence creating a door? If so then yes, but then again, this would be putting a brick wall where the door was and you are stuck inside, and it’s not practical. (If I have misunderstood your question, please forgive me; I will be happy to receive a further explanation.) Also, a firewall is not aware of the content of the traffic as such. It doesn’t know whether it’s allowing pure data or an executable file when it allows things. Hence it won’t be able to prevent things according to threat levels. This is why you need to build a Kernel firewall (which is what CFP v3 is) that protects the kernel itself against any executable running. And when you ask the question: “…firewall-like abilities to system resources be considered a door”, you are describing CFP v3 :slight_smile: So CFP v3 is the Door we have been waiting for.

Melih

I guess your blog post was just a little confusing. You explicitly stated that Firewalls cannot be used as a front-line defense. I can’t imagine what you would call that something then; if not a firewall, then maybe a router? We’re splashing about in a puddle of security techniques that can and have been bundled into one.

Packet shaping is no new technology. Spying on packets for sensitive content isn’t either.

Naturally, whatever you call this software (or door), it’s going to have a handle, lock and key so that it can be opened when appropriate. From this point on, it’s really meaningless what we call it.

Anti-Virus-Firewall-Memory-Manager-Rights-Auditor-Packet-Monitor-Freeware-Suite-Pro

Here is a write-up I had done about firewalls: https://forums.comodo.com/melihs_corner_ceo_talkdiscussionsblog/what_is_a_firewall_here_is_the_laymans_explanation-t10489.0.html
where I explain the 2 main purposes of firewalls (personal firewalls).

I think we are getting stuck on what to call this new thing that could do “firewalling the kernel” etc…

So v3 is that thing, and we call it a firewall, even though it’s different from what firewalls are today :slight_smile:

Melih

Don’t most anti-virus products deploy the same preventative measures?

BTW, if you want a really GOOD feature for Comodo, consider gobbling up a Startup Monitor. There are a few of them, but I’m not entirely sure of the source of mine. I think it installed with AutoPatcher. It’s a powerful defensive tool that really SHOULD have been implemented with Windows 3.1, prompting the user whenever an application tries pushing itself to run at startup.

There are many places to monitor; not just the registry \Run[Once] keys, but libraries and anything that modifies the \Startup folder as well as legacy autoexec.bat, win.ini and system.ini.
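The startup monitor described in the two posts above, as an added example that is not part of the original post or of any product named in the thread. It covers the locations the post lists (the registry Run and RunOnce keys, and the legacy autoexec.bat, win.ini and system.ini launch points) by parsing snapshots of those files plus a .reg export, then reporting every entry that was added or changed since a known-good baseline, which is exactly what the monitor would prompt the user about. All file contents are constructed; a real monitor would read the live files and registry instead of these strings.

```python
"""Startup-location monitor: what changed since the last known-good snapshot.

Added example, not code from the original post or from any product named in the
thread. Every file below is constructed; a real monitor would read the live
win.ini, system.ini, autoexec.bat and a registry export (or the registry itself).
"""
import configparser
import re

# Run and RunOnce keys in a .reg export; the rest of the key path may vary.
RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\Run(?:Once)?)\]$", re.IGNORECASE)
REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_ini_startup(text: str, section: str, keys: tuple) -> dict:
    """Legacy launch keys: win.ini [windows] run=/load=, system.ini [boot] shell=."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    found = {}
    if cp.has_section(section):
        for key in keys:
            value = cp.get(section, key, fallback="").strip()
            if value:  # an empty run= or load= launches nothing
                found[f"{section}:{key}"] = value
    return found


def parse_autoexec(text: str) -> dict:
    """Lines of autoexec.bat that launch a program, skipping comments and environment setup."""
    skip = ("rem", "@echo", "echo", "set ", "path", "prompt")
    found = {}
    for number, line in enumerate(text.splitlines(), 1):
        command = line.strip()
        if command and not command.lower().startswith(skip):
            found[f"autoexec.bat:line{number}"] = command
    return found


def parse_reg_export(text: str) -> dict:
    """Values under any Run/RunOnce key in a .reg export (backslashes are doubled there)."""
    found = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = RUN_KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
        elif line.startswith("["):
            current_key = None  # some other key: ignore its values
        elif current_key:
            value_match = REG_VALUE_RE.match(line)
            if value_match:
                name, data = value_match.groups()
                found[f"{current_key}:{name}"] = data.replace("\\\\", "\\")
    return found


def snapshot(win_ini: str, system_ini: str, autoexec: str, reg_export: str) -> dict:
    """One flat map of every startup entry found across all monitored locations."""
    entries = {}
    entries.update(parse_ini_startup(win_ini, "windows", ("run", "load")))
    entries.update(parse_ini_startup(system_ini, "boot", ("shell",)))
    entries.update(parse_autoexec(autoexec))
    entries.update(parse_reg_export(reg_export))
    return entries


def new_startup_entries(baseline: dict, current: dict) -> dict:
    """Entries added or changed since the baseline: the ones worth prompting the user about."""
    return {k: v for k, v in current.items() if baseline.get(k) != v}


# Constructed baseline (a clean machine) and a later snapshot with five changes.
BASELINE_WIN_INI = "[windows]\nload=\nrun=\n"
CURRENT_WIN_INI = "[windows]\nload=\nrun=C:\\TOOLS\\constructed_helper.exe\n"
BASELINE_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n"
CURRENT_SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\CONSTRUCTED\\extra_shell.exe\n"
BASELINE_AUTOEXEC = "@ECHO OFF\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\nSET BLASTER=A220 I5 D1\n"
CURRENT_AUTOEXEC = BASELINE_AUTOEXEC + "C:\\CONSTRUCTED\\AUTORUN.EXE\n"
BASELINE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"ConstructedTray"="C:\\Program Files\\Constructed\\tray.exe"',
    "",
])
CURRENT_REG = BASELINE_REG + "\n".join([
    r'"ConstructedUpdater"="C:\\Users\\demo\\AppData\\constructed_updater.exe"',
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]",
    r'"Cleanup"="C:\\Temp\\constructed_once.exe"',
    "",
])

BASELINE = snapshot(BASELINE_WIN_INI, BASELINE_SYSTEM_INI, BASELINE_AUTOEXEC, BASELINE_REG)
CURRENT = snapshot(CURRENT_WIN_INI, CURRENT_SYSTEM_INI, CURRENT_AUTOEXEC, CURRENT_REG)


def report() -> dict:
    """Everything that would trigger a prompt on the constructed 'current' machine."""
    return new_startup_entries(BASELINE, CURRENT)


if __name__ == "__main__":
    for location, command in report().items():
        print(f"NEW STARTUP ENTRY  {location}  ->  {command}")
```

The baseline-diff design is what makes the prompt useful: the entry that was there on the clean machine is never reported, while a new Run value, a new RunOnce value, a changed `shell=` line, a filled-in `run=` and a new autoexec.bat command each surface as one alert with its location, so the user is asked about exactly the change and nothing else.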