[Dailydave] The monetization of information insecurity

Dan Guido dguido at gmail.com
Wed Sep 10 15:14:49 EDT 2014


Someone I know wrote this for an essay contest at NYU-Poly CSAW in
2007 to answer whether the security industry was a lemon market. I
thought her analysis was incredibly lucid for an undergraduate student
with relatively little exposure to the security industry at the time.

In the future, I hope that education efforts in designing secure
systems (http://blog.trailofbits.com/2014/07/30/education-initiative-spotlight-build-it-break-it/)
and breaking insecure ones (https://csaw.isis.poly.edu/) will help
more people see through mistakes like anti-virus. It's clearly not the
only step necessary, but it at least addresses one of many root
causes.

------------

Trends in Security Products
November 18, 2007

Due to information asymmetries, consumers are unable to identify what
security is and how they should be protected. They are easily swayed
by market-driven trends that recur on a regular basis. Such trends are
not necessarily merit-based and fail to solve the security problems
that consumers face in meaningful ways. This problem has resulted in
numerous products in the form of firewalls, antivirus software,
intrusion detection systems (IDS), and anti-spyware and malware
software. These products receive a lot of attention and are marketed
as solving security problems. However, the same threats endure even
when a user is fully covered by such mechanisms. The success of such
security products on the market is a result of marketing and
advertising, the lack of reliability provided by authoritative
sources, and a lack of focus by industry professionals to create a
comprehensive approach to improving computer security. The security
industry is flooded with poor quality software products which are
driven by rapidly changing security trends rather than the real needs
of consumers.

Any new security trend introduces an influx of security offerings to
the market. The consumer market for security software reached $1.6
billion last year, according to the research company IDC. The consumer
ranges from large institutions and corporations to the owners of home
computers. Since the market share of the security industry is so large
and its targets so varied, there are considerable opportunities to
create new products as trends in the industry shift. Security
companies spend a large amount of money on marketing and advertising
campaigns for these new offerings. The goal is to convince consumers
that they are not safe unless they purchase a new product, or upgrade
their existing products to include new features. As a result,
companies and individuals are constantly purchasing new security
products and spending more money to improve the ones that they already
have. If a consumer is unwilling to invest in products that protect
against the newest threats, they run the risk of appearing negligent.
However, new offerings cannot guarantee security and may not provide
much added value. Trend-driven advertising frightens consumers into
new purchases, adding more incentive for producers to push out more
and more products.

Another common flaw in the security industry is that many average
consumers have little or no knowledge of computer security and what it
means for them. However, most consumers are convinced that they need
to take some action to safeguard themselves against threats. As a
result, most try at least one of the following two methods. A consumer
can scour the internet for reports and reviews on security products.
They can also turn to sources of authority to provide the answers for
their security needs. Both methods will likely result in a consumer
making unfortunate decisions about a security product that is driven
by recent trends in the security industry. If a consumer tries to do
their own research, it is difficult to find clear answers since they
may not know what to look for and must sift through a lot of
misleading advertising. If a user simply turns to an authoritative
source, they might accept a bad product. For example, Columbia
University Information Technology recommends that all students and
faculty members install Symantec Anti-Virus software on their personal
computers. Many students take this suggestion to mean that as long as
they have this software installed, they are safe. However it is common
knowledge among security professionals and hackers alike that
anti-virus is not a silver bullet, anti-virus does not protect against
all security risks, and anti-virus provides questionable value to
begin with. The following diagram is taken from a publication by
VirusTotal, an organization which tests the efficacy of all major
anti-virus brands to detect new malicious code.

[red: 31692, blue: 2]
Failures in Detection (Last 24 Hours)
Red: Infected files not detected by at least one antivirus engine.
Blue: Infected files detected by all antivirus engines.

This diagram is evidence that, in many cases, anti-virus cannot protect
even against the threats it claims to protect against. Most consumers do not have
the knowledge of the security industry needed to make informed
decisions on the products they are using to protect themselves.
Instead, they turn to products that protect only against the latest,
most popular security threats.

Since security products are trend driven and highly profitable,
security professionals have little incentive to address the root
causes of security threats. Creating software that only acts as a
firewall or as anti-spyware does not result in comprehensive security.
The industry leaves the market open for more trend-driven software by
not addressing entire attack classes when they become known.
Preventative measures are often not well received by the security
industry. We see this in security technologies which are effective,
but nonetheless have received little support from the commercial
security industry. An example is SELinux and the mandatory access
control framework for Linux, which was well received by security
professionals. It was not until the NSA, a government agency,
developed SELinux at a loss that it was brought to the public. This
suggests that intervention by government agencies and non-profit
organizations may be needed to break the cycle of insecure software
architectures. Security professionals must provide tools and
guidance to software developers that will allow them to architect
systems that will have long-term security benefits. In order to begin
making real strides in computer security, the entire industry must
realign its goals with the needs of consumers in order to provide
comprehensive security coverage, as opposed to temporary fixes for new
and popularized security threats.

The success of poor quality security products on the market will
continue until the security industry recognizes the need to create
products that lead the way to more secure software. Until then,
popular trends in security threats will continue to dictate software
development. The outlook for the future remains positive, as
professionals formally trained in secure product development start to
enter the workforce. This new generation can recognize risk and
encourage the use of a secure development lifecycle. Until then, a
number of bad security products will remain on the market, and will
generate huge profits for the security industry. Advertisers and other
authoritative figures will compel consumers to purchase additional
security products, without providing evidence that such products will
work reliably or effectively. These products will continue to be
driven by the latest trends in security, scaring consumers into
compliance by playing on their fears of not doing enough to protect
themselves.

Sources
http://www.nytimes.com/2007/01/29/technology/29ecom.html
http://www.virustotal.com/estadisticas.html

-----------

-Dan

On Mon, Sep 8, 2014 at 10:07 AM, dave aitel <dave at immunityinc.com> wrote:
> So I'm heading to a conference shortly and I was going to promote them in
> this email but they're apparently not a public conference. I'm on a panel
> called "Identification of Emerging and Evolving Threats" with some non-US
> Government people who seem pretty nice.
>
> Anyways, now that I've guaranteed myself an exciting visit from security
> services, I wanted to point out the one question everyone should be asking
> when they go to any conference and a new technology of any kind is proposed
> as any kind of forward movement for defense. And that is this: "How can we
> avoid making the mistake of Anti-Virus" ever again?
>
> Because much like the Internet has been hamstrung at birth by the parasitic
> growth of the advertising industry, the information security community has
> been devastated for almost its entire existence by the dominance of
> anti-virus companies and products which demonstrably haven't worked for
> almost their entire reign, and in theory never could have scaled. They are
> broken by design. And because they sucked all the money and research and
> people from the defensive community, no actual defenses were ever created
> for IT that had a hope of working.
>
> So the only question any team of government executives working on defense
> needs to be thinking about is "How is this different from Anti-Virus in the
> long term? How can we avoid making that mistake ever again?" Because until
> you know how that mistake was made, and can avoid it for the next
> generation, "Emerging and Evolving" threats will always be beyond your power
> to stop.
>
> -dave
>
>
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
