20100628 security notes ghosh on why patching isnt enough - plembo/onemoretech GitHub Wiki

---
title: "Security Notes: Ghosh on why patching isn't enough"
link: https://onemoretech.wordpress.com/2010/06/28/security-notes-ghosh-on-why-patching-isnt-enough/
author: lembobro
description:
post_id: 148
created: 2010/06/28 16:02:46
created_gmt: 2010/06/28 16:02:46
comment_status: open
post_name: security-notes-ghosh-on-why-patching-isnt-enough
status: publish
post_type: post
---

Security Notes: Ghosh on why patching isn't enough

Good piece by Anup Ghosh over on his Invincea blog:

In a recent interview for episode #51 of the Silver Bullet Security podcast, Gary McGraw asked me what will be the next big application to be exploited. The context is last year Adobe Reader exploits superseded browser (Internet Explorer) exploits and have become the go-to application to exploit. So what’s next?

Instead of giving him another application, I told him the next big exploit will exploit users’ desire, fear and trusted relationships. These types of exploits don’t necessarily need a vulnerability in an application to succeed. They just need to get users to click on links and dialog boxes by appealing to basic emotions such as desire, fear, and trusted relationships.

Anup scores a direct hit with this one. Even though most people out in IT-land have come to accept that network security isn’t enough, we’re still way behind the bad guys when it comes to the “next big thing”. Sure, we now spend more on antivirus (although nowhere near what still goes to network “security” hardware like routers, switches and firewalls). But, as Anup forcefully asserts in the podcast, antivirus doesn’t work, and even the antivirus vendors are now admitting as much. Signature-based antivirus only recognizes what is already in its database of known samples, so to defeat it all an attacker has to do is ship code that’s unique: a fresh build, or a repacked copy of an old one, that matches none of the many thousands of profiles the product carries. And that’s just what the current generation of bad guys have learned how to do.
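To make the "unique code beats signatures" point concrete, here is an added example (my own toy code, not from the post, the podcast or Invincea). It models a signature-only scanner with a whole-file hash database and a byte-pattern database, a trivial attacker-side "packer" that XORs a payload behind a stub so every copy is a never-before-seen file, and the unpack-then-scan step a signature engine lacks. The sample bytes, the signature names and the `STUB` marker are all constructed for the example and stand in for no real malware or product.

```python
# Added example (not from the post or from Invincea): a toy signature-based
# scanner, a toy "packer" that makes each copy of a payload unique, and the
# emulation step a signature-only engine lacks. All samples are constructed.
import hashlib
from typing import Dict, Optional

# Constructed stand-in for a malicious file body; it contains no real code.
ORIGINAL_SAMPLE = b"\x90\x90EVIL_DROPPER_v1\x00fetch+exec\x00"

# Signature database: whole-file hashes (exact match) and byte patterns (substring).
HASH_SIGNATURES: Dict[str, str] = {
    hashlib.sha256(ORIGINAL_SAMPLE).hexdigest(): "Trojan.Toy.A",
}
PATTERN_SIGNATURES: Dict[bytes, str] = {
    b"EVIL_DROPPER": "Trojan.Toy.Gen",
}

STUB = b"STUB"  # constructed marker for the toy packer's unpacking stub


def scan(sample: bytes) -> Optional[str]:
    """Signature-only scan, the model the post says no longer works.

    Returns the detection name or None. Hash signatures fire only on a
    byte-identical file; pattern signatures survive appended junk but not
    encoding of the body.
    """
    hit = HASH_SIGNATURES.get(hashlib.sha256(sample).hexdigest())
    if hit:
        return hit
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in sample:
            return name
    return None


def repack(sample: bytes, key: int) -> bytes:
    """Attacker side: XOR the body with a one-byte key behind a stub.

    Every key yields a file that shares no hash and no plaintext pattern with
    the original, so each victim can be sent a never-before-seen binary.
    """
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 (0 would leave the body in clear)")
    return STUB + bytes([key]) + bytes(b ^ key for b in sample)


def unpack(packed: bytes) -> bytes:
    """What the stub does at run time: recover the original body."""
    if not packed.startswith(STUB) or len(packed) < len(STUB) + 1:
        return packed  # not packed by this stub; treat as plain
    key = packed[len(STUB)]
    return bytes(b ^ key for b in packed[len(STUB) + 1:])


def emulate_and_scan(sample: bytes) -> Optional[str]:
    """Scan the file as shipped, then scan what it turns into after unpacking.

    This is the step a pure signature engine skips: judging the decoded
    payload (or, in a real product, its behaviour) rather than its bytes on
    disk.
    """
    return scan(sample) or scan(unpack(sample))


def distinct_hashes(sample: bytes) -> int:
    """How many unique files one payload becomes under every one-byte key."""
    return len({hashlib.sha256(repack(sample, k)).hexdigest() for k in range(1, 256)})


if __name__ == "__main__":
    variant = repack(ORIGINAL_SAMPLE, 0x5A)
    print("original      :", scan(ORIGINAL_SAMPLE))            # Trojan.Toy.A
    print("appended junk :", scan(ORIGINAL_SAMPLE + b"\x00"))  # Trojan.Toy.Gen
    print("packed variant:", scan(variant))                    # None
    print("with emulation:", emulate_and_scan(variant))        # Trojan.Toy.A
    print("unique files  :", distinct_hashes(ORIGINAL_SAMPLE))  # 255
```

The hash signature dies the moment a single byte is appended; the pattern signature survives that but not a one-byte XOR; and one payload with one trivial packer already produces 255 distinct files, none of them in the database. The only check that catches the variant is the one that looks at what the file becomes rather than what it is on disk, which is the direction the "AV doesn't work" argument points in.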

The new vector identified by Anup, the desires, fears and trusted relationships of our users, is going to be particularly hard to defend against. That’s because those of us in IT have spent a decade at least catering to and enabling the fulfillment of those same desires, fears and trusted relationships.

The explosion in the use of social media in business is just the tip of the iceberg here, although a very significant one. None of the current social media technologies was built with security in mind. All of them require, in one way or another, relaxing or even removing the enterprise security “barriers” that would otherwise keep them out of our corporate networks.

While Google’s still unannounced decision to purge Windows desktops from its internal corporate environment may slow down some attackers, dealing only with platform, or even application, vulnerabilities isn’t going to be enough.

The real challenge is to get our users themselves to “drive defensively”. That will be particularly difficult given the reluctance of most enterprises to provide meaningful security training to users, even back in the days of plenty. It will be even harder in a global corporate culture where “exceptions” to a security “rule” are often blithely approved by both technology and business management with nary a second glance.

Copyright 2004-2019 Phil Lembo