
Fighting the Wrong War on Security

April 23, 2010

Posted by Peter Varhol in Software platforms, Strategy.

I thought my post earlier this week was old news; turns out it was prescient.  The tale of the McAfee virus definitions update that mistakenly identified the Windows svchost process as a malignant virus and prevented Windows from booting has put at least tens of thousands of computers in no-man’s land.  McAfee has posted a fix on its website, but if you can’t boot your computer to get to the website, that’s another story.

This monumental screw-up (I don’t know how else to describe it without using inappropriate language) brought our current approach to fighting viruses and other malware into question.  This article questions whether malware developers are winning the war for our computers.

I would put it a slightly different way, one possibly more in keeping with Microsoft Research scientist Cormac Herley’s paper on our misdirected security efforts.  It’s not that malware developers are winning, but rather the rest of us are fighting the wrong war.  With McAfee’s blunder (and others have been guilty in the past, too), we are paying more, in time and money, for (sometimes false) protection than any incursion would cost us.  Because IT staff had to fix each computer individually, the McAfee infection (another way of looking at it) came at enormous cost to subscribers.

Anti-virus software with frequent updates doesn’t seem to be cutting it any more.  Part of this is due to the overwhelming nature of new threats.  Anti-virus vendors can’t identify all of them specifically, so folks like McAfee define characteristics and rules, and let the software make the choice (that’s one reason why this event points to a distinct lack of testing of those rules).

But is there an alternative?  Herley points to one, but it requires a lot of work and a leap of faith.  Let’s continuously analyze the threats, and tell users what they can do in response to specific threats.  And, I think, don’t treat the users as people who don’t know or care anything about security.  They do, and they want to do the right thing.  Let’s do some organizational protections, and give the users regular updates on threats, tips and tricks, things to watch out for, and how to make sure your computer is healthy.

We might be pleasantly surprised at the result.
