Back in December, I wrote about Cisco’s 2009 Security Threat Report and made the comment that application whitelisting was “the patch for the common user”. My point was a simple one: we cannot stop our people from accessing resources, and instead we should focus on stopping the real threat: the payload.
Yesterday, Stan Schroeder at Mashable wrote a great blog post about the French and German governments strongly urging users to stop using Internet Explorer and to use other browsers like Safari and Firefox. The recommendation was made because of a similar vulnerability in Internet Explorer 6, 7, and 8 that allows malicious hackers to remotely execute arbitrary code.
I do not want to cause an international incident (especially with countries that I love to ski in), but I think the recommendation is shortsighted and purely based on the status quo mentality of reactive responses to the threats du jour. Today, the recommendation is to stop using IE. When a vulnerability is discovered in Safari, Firefox or Opera tomorrow, the recommendation will be to stop using those browsers.
The recommendations will be the same for every application: word processing, spreadsheets, project management, games, etc.
Folks, we need to shift our thinking. At the risk of being repetitive, and to paraphrase my earlier assertion: we should not be worrying about which browsers our people are using, and instead we should focus on stopping the real threat: the payload. The best way to do that is application whitelisting. With solutions like BOUNCER, malware (including malware deposited via vulnerabilities in browsers like IE) will not be on the approved list of applications and will therefore be stopped cold.
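To make the contrast between the two mindsets concrete, here is an added illustration that is not BOUNCER's code and not part of the original post. It models application whitelisting the way a hash-based allowlist does it (default deny: only binaries whose digest an administrator approved may run) next to a signature-style denylist (default allow: only already-known malware is blocked). The "executables", paths and the allowlist itself are constructed byte strings and labels for the example; a real product also hooks execution at the kernel and can trust publisher certificates, which this sketch does not model.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample "executables" standing in for approved installs.
# In practice the allowlist holds digests of real binaries, not inline bytes.
BROWSER = r"C:\Program Files\Browser\browser.exe"
WORDPROC = r"C:\Program Files\Office\wordproc.exe"
APPROVED_BINARIES = {
    BROWSER: b"MZ...browser build 1.0...",
    WORDPROC: b"MZ...word processor 3.2...",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Allowlist keyed by content digest: what may run, wherever it lives on disk.
ALLOWLIST = {sha256(content): path for path, content in APPROVED_BINARIES.items()}

# Denylist in the style of signature-based AV: digests of malware already seen.
KNOWN_WORM = b"MZ...last year's worm..."          # constructed sample
KNOWN_BAD = {sha256(KNOWN_WORM)}


@dataclass
class Verdict:
    path: str
    digest: str
    allowed: bool
    reason: str


def allowlist_decision(path: str, content: bytes) -> Verdict:
    """Application whitelisting: anything not explicitly approved is denied."""
    digest = sha256(content)
    if digest in ALLOWLIST:
        return Verdict(path, digest, True, "digest on approved list")
    if path in APPROVED_BINARIES:
        # Same file name as an approved program, different bytes: tampered binary.
        return Verdict(path, digest, False, "approved path but contents changed")
    return Verdict(path, digest, False, "not on approved list (default deny)")


def denylist_decision(path: str, content: bytes) -> Verdict:
    """Signature approach: only code matching a known-bad signature is blocked."""
    digest = sha256(content)
    if digest in KNOWN_BAD:
        return Verdict(path, digest, False, "matches known-malware signature")
    return Verdict(path, digest, True, "no signature match (default allow)")


def evaluate_execution_request(path: str, content: bytes, notify=print) -> Verdict:
    """Default-deny gate that tells the user why unauthorized code was blocked."""
    verdict = allowlist_decision(path, content)
    if not verdict.allowed:
        notify(f"BLOCKED {path}: {verdict.reason} (sha256={verdict.digest[:16]}...)")
    return verdict


def run_scenarios() -> dict:
    """Return {scenario: (allowlist_allows, denylist_allows)} for four cases."""
    # A never-before-seen payload dropped by a browser exploit (constructed bytes).
    dropped = b"MZ...freshly built payload dropped via browser exploit..."
    # An approved program whose on-disk bytes were modified (constructed).
    tampered = APPROVED_BINARIES[BROWSER] + b"\x90\x90 injected code"
    cases = {
        "approved browser": (BROWSER, APPROVED_BINARIES[BROWSER]),
        "known worm": (r"C:\Users\Public\worm.exe", KNOWN_WORM),
        "fresh payload": (r"C:\Users\alice\AppData\Local\Temp\drop.exe", dropped),
        "tampered browser": (BROWSER, tampered),
    }
    return {
        name: (allowlist_decision(p, c).allowed, denylist_decision(p, c).allowed)
        for name, (p, c) in cases.items()
    }


if __name__ == "__main__":
    for name, (wl, dl) in run_scenarios().items():
        print(f"{name:18s} allowlist={'run' if wl else 'block':5s} "
              f"denylist={'run' if dl else 'block'}")
```

The two cases that matter for the argument above are "fresh payload" and "tampered browser": the denylist lets both run because no signature exists yet, while the allowlist blocks both without needing to know which browser bug delivered them. The approved browser runs under both models, so the allowlist adds no friction for programs the user is meant to have.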
JT, you are exactly right. Targeting vulnerable apps will always prove tedious and ineffective. Targeting the threats is much more effective. Advanced Persistent Threats can only be stopped with extreme visibility and intelligence. Swapping one application for another does nothing to improve visibility or intelligence; it simply swaps one set of vulnerabilities (possibly a bigger set) for another set (hopefully a smaller one). Protecting the kernel and only allowing trusted applications to execute is exponentially more effective and produces zero false positives.
So the proposed solution is to get a few billion people on this planet who have no clue what this all means, and simply want to use the Internet, to participate in some manner in an “extreme visibility and intelligence” campaign? We can’t get them to pick strong passwords.
The fact of the matter is no platform will ever be perfectly safe. And it’s a fact that Windows, with its origins in DOS and non-networked PCs, is simply riddled with holes that appear, after 10+ years of trying to fix, to be never-ending. My belief is that platforms conceived in a shared environment will be secure (e.g. MPLS networks) because they are designed that way from the beginning. Conversely, platforms conceived in a non-shared environment will rarely achieve a high level of security as they are retrofitted later on.
Recommending to users to begin using a more secure browser is a decent idea. Maybe that changes from time to time. So what. If you found a new anti-virus vendor that would reduce your exposure by 95%, would you dismiss it simply because it doesn’t tackle the core problem? I hope not.
But you’re right that the browser is not the core problem. Neither is Acrobat or whatever the current vulnerable application is. Windows is. Since it appears to be impossible to fix, it needs to be replaced. Unfortunately that’s not as easy as changing a browser. But it is the answer, whether we like it or not.
While realizing that the referenced articles were referring to the typical home user, my comments regarding APT were not. Having said that, I believe there has to be a shift in the way a typical user thinks about security, even on their home PC. Antivirus, anti-spam and every other “signature-based” technology has failed and will continue to fail as long as the effort to create malware outpaces it. We didn’t think we needed AV until viruses became a part of everyday life. Do you really think there won’t be a technology like Application Whitelisting that can change the game and the mindset of the typical user to at least have extreme visibility, particularly when it is as simple as notifying a user when unauthorized code wants to execute? My 64-year-old mother with no technology experience seemed to understand that concept. It’s a change in thinking… but that’s marketing’s job. I hope they can get it done.
I am really amazed at people’s way of thinking. If IE is getting attacked, they are telling people to stop using it. Now hackers know that you might be using Firefox and they will exploit the new browser, then?
And if they believe that by stopping the use of IE they will be safe, then they should say such things for PDF Reader also. Stop using Adobe PDF Reader and use something else like Foxit, etc.
Maybe the Europeans should take it one step further. If problems with IE are good cause for banning IE, then we should ban technicians and SysAdmins because they sometimes misconfigure systems, making them vulnerable. And what about users who, no matter how much we train them, still click on sucker links which download malware? If we ban software that has vulnerabilities (that’s almost all software), and techs and SysAdmins, and users, we’d probably have a pretty secure environment.
[...] detection of weaknesses, patching and signatures. We posted a blog on this topic last week titled: “The French and German governments agree… And they are both wrong” that has generated a lot of discussion between security [...]