I recently read an article in one of the Security eRags I subscribe to, that asked the question: “What are the Most Overrated Security Technologies?” According to the author, Bill Brenner, Senior Editor of CSO online, Anti Virus Software, Firewalls, Identity and Access Management/Multi-factor authentication, and NAC, are all antiquated, obsolete, useless, worthless, dead…..you get the picture.
It got me to thinking.
It was not more than a week ago that I was trying to download some freeware, as many of us often do (I have no idea what is was!) when up popped my antiquated, obsolete, useless, worthless, dead Symantec Antivirus telling me that the file I wanted to grab was hostile, saving me a lot of time and anguish and maybe even worse. Thanks, Symantec! A “Security expert” quoted in the article argues: “But it won’t stop a zero-day attack”. Ok, but will it stop the other 10 gazillion malware attacks out there? Yes! So tell me again how it’s antiquated, obsolete, useless, worthless, and dead.
I run a personal firewall on my home system- (an antiquated, obsolete, useless, worthless, dead firewall) On occasion, I look at the log files to see what’s been going on and am always impressed to see how many port scans have been logged: Hundreds and hundreds. True, I don’t have any unnecessary or unsafe ports open in the first place, but that doesn’t mean that the average computer user out there who doesn’t do security for a living, is as cautious. (If you don’t believe me, go ask your Aunt Betty if she made sure to shut down her Telnet listener before jumping onto the Net…..).
In the interest of time, I won’t go through the other antiquated, obsolete, useless, worthless dead technologies that the author mentions in the article, but suffice it to say, I don’t agree with him and here’s why:
Almost unanimously, the detractors of these technologies are self-described “security experts”. One even claims that he’s never ever used anti-virus and has never gotten a virus! Bravo! I’ve never taken heart pills and have never had a heart attack (knock on wood) but what does that prove? Lucky maybe? Maybe in the AV case, it only proves that he has a little more malware-awareness (and time) than most people have. Guess what fella – not everyone is a “security expert”!
For the average computer-using-Joe-Blow, every little bit helps. “Defense-in-depth” means that you throw everything you can at would-be attacks. It’s irresponsible to imply that the average Joe should take down those firewalls, remove those virus detectors, stop using multi-factor authentication. What about passwords? Overrated? .Let’s just stop using those too. In fact, these antiquated, obsolete, useless, worthless, dead tools are often the only thing protecting the average person, and even the average company, from attack.
“Security Experts” sometimes forget that not everyone lives and breathes security. To those security-challenged Joe-Averages, their computer is a means to an end and security is just one of those things that is most often out of sight out of mind, like a car alarm or a smoke detector. (By the way, they are both reactive technologies, a big negative according to Bill and his article. But aren’t they pretty handy when your car is being stolen or your house is on fire?) And what’s so bad about "reactive" anyways? Defense, by definition, is reactive! And we all understand that even the strongest defense may not be enough at some point, but that doesn’t mean these "antiquated, obsolete, useless, worthless, and dead" technologies don’t do a pretty darn good job at what they’re intended for!
So, to those “Security Experts” out there who can apparently leap tall buildings and ward off all manner of malware without tools and expect everyone else to do the same, I say….”What’s your IP address?” To everyone else, don’t expect anything to keep you completely safe. Defense in depth means just that: Use whatever is available to you to safeguard your data, no matter how antiquated, obsolete, useless, worthless, or dead someone else says it is. It makes no sense to throw out the baby with the bathwater just because someone tells you it’s an ugly baby, especially if it's the only baby you've got!
And if, after all is said and done, you get the urge to tear down those (fire)walls, ask yourself this “Do ya feel lucky?Well do ya?”
Read Bill's article for yourself and you decide: http://www.csoonline.com/article/571263/What_Are_the_Most_Overrated_Security_Technologies_?source=CSONLE_nlt_update_2010-03-11