Stop using anti-virus and patch management systems! They don’t work, they are a waste of time and, worse, a waste of money. OK, I’m kidding. I would never say that. But John Stewart, Cisco’s chief security officer, would. At the AusCERT (Australian Computer Emergency Response Team) conference, held in Australia from May 19 to 23, Stewart essentially said that money spent on anti-virus and patch management is completely wasted.

Now, it’s true that running anti-virus and patching systems is only the most basic first step in security and should by no means be mistaken for a complete security solution. But saying that it’s a waste even to use anti-virus and patch management is a bit like saying it’s a waste to have locks on your car doors because any serious crook can get past them. Just as leaving your car door open with the keys in the ignition is an invitation to any passing thief, unpatched and unprotected PCs are an open invitation to any virus or piece of malware passing by, including old ones that patching and anti-virus would stop easily. The fact that your company could still fall prey to more advanced malware and more determined attackers doesn’t mean you want all your systems polluted by things that could have been prevented cheaply.

Of course, Stewart’s argument was a little more nuanced than “Using anti-virus and patching is a waste.” His point was that companies invest money in anti-virus and patch management and still get infections, and that at that point the investment has been wasted. My response to this is: was it a waste all those times it prevented an infection? Or is it simply that, because nothing happened (meaning systems weren’t infected), no one noticed the anti-virus doing its job?
But the worst part is that some CEO or chief financial officer will see the headline saying, “Cisco says anti-virus and patching is a waste of money.” Which means that some poor CSO or IT administrator will once again have to defend a necessary security budget.

The other part of Stewart’s message was that the real solution is whitelisting, in which the only applications that can run on a computer are those that the company (or sometimes a central vendor or authority) has cleared as safe. I generally like the idea of whitelisting, with some caveats (such as that it matters a great deal who gets to control the whitelist). But just like anti-virus and patching, whitelisting is not a silver bullet. After all, just because an application is on a whitelist doesn’t mean it hasn’t been tampered with, and it doesn’t mean the application is free of bugs that malware can use: an exploit against a whitelisted application runs attacker code inside that application’s own process, which the whitelist has already approved. So whitelisting needs something working alongside it to make sure that the whitelisted applications stay clean and stay current.

Hmmm. What could do that job? Let me think. Are there tools that can scan applications for infections and make sure they don’t have holes that attackers can exploit? You know, some kind of virus-stopper thing and a hole patcher-upper. Oh wait, there are. I guess that even with whitelisting, anti-virus and patching aren’t such a waste of time and money after all.
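To make the point about whitelisting’s limits concrete, here is a small added example (not code from the column, from Cisco, or from any whitelisting product). It models two kinds of application whitelist: one keyed by file path, which lets a tampered binary run as long as it sits at an approved location, and one keyed by SHA-256 hash, which blocks the tampered copy but still approves an unmodified build that the (hypothetical) patch baseline says has known, fixed bugs. The “executables” are constructed byte strings, and the product names, versions and the patch baseline are all made up for illustration.

```python
import hashlib

# Constructed stand-ins for executable files; none of these bytes are real software.
EDITOR_1_0 = b"EDITOR build 1.0"
VIEWER_2_3 = b"VIEWER build 2.3"
EDITOR_1_0_TAMPERED = EDITOR_1_0 + b"\x90\x90<injected code>"  # same app, modified on disk


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Model 1: whitelist by path. Whatever is at the path gets to run.
PATH_WHITELIST = {"/opt/app/editor", "/opt/app/viewer"}


def path_only_decision(path: str) -> str:
    """Path-based whitelist: never looks at the file contents."""
    return "allow" if path in PATH_WHITELIST else "block"


# Model 2: whitelist by hash. Each approved build maps to (product, version)
# so that integrity and patch status can be evaluated together.
HASH_WHITELIST = {
    sha256_hex(EDITOR_1_0): ("editor", "1.0"),
    sha256_hex(VIEWER_2_3): ("viewer", "2.3"),
}

# Hypothetical patch baseline (what patch management would supply): the lowest
# version of each product that has no known, already-fixed vulnerabilities.
PATCH_BASELINE = {"editor": "1.1", "viewer": "2.3"}


def version_key(version: str) -> tuple:
    """Turn '1.10' into (1, 10) so that versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def evaluate(path: str, contents: bytes, whitelist=HASH_WHITELIST,
             baseline=PATCH_BASELINE) -> dict:
    """Hash-based whitelist check plus a patch-status check.

    Returns a dict with:
      decision    - 'allow' if the hash is whitelisted, else 'block'
      reason      - short explanation of the decision
      needs_patch - True when the build is whitelisted but older than the
                    patch baseline, False when current, None when blocked
    """
    digest = sha256_hex(contents)
    entry = whitelist.get(digest)
    if entry is None:
        # Tampered or unknown binary: the hash is not on the list.
        return {"path": path, "decision": "block",
                "reason": "hash not on whitelist", "needs_patch": None}
    name, version = entry
    needs_patch = version_key(version) < version_key(baseline.get(name, "0"))
    reason = ("whitelisted but below patch baseline %s" % baseline[name]
              if needs_patch else "whitelisted and current")
    return {"path": path, "decision": "allow", "reason": reason,
            "needs_patch": needs_patch}


if __name__ == "__main__":
    scenarios = [
        ("/opt/app/editor", EDITOR_1_0),           # approved, but unpatched
        ("/opt/app/editor", EDITOR_1_0_TAMPERED),  # approved path, modified file
        ("/opt/app/viewer", VIEWER_2_3),           # approved and current
    ]
    for path, contents in scenarios:
        print("path-only: %-5s  hash-based: %s" % (
            path_only_decision(path), evaluate(path, contents)))
```

Run as a script, the tampered editor is allowed by the path-only list and blocked by the hash list, while the genuine but outdated editor is allowed by both and flagged only because the patch baseline was consulted. That flag is exactly the job the whitelist cannot do on its own: it can tell you the binary is the one you approved, not that the one you approved is safe.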