The web servers that linked the vulnerable OpenSSL library had to accept TLS connections on port 443 to function at all, so the firewall was already letting the relevant traffic through; a Heartbleed request arrived on the same allowed port as a legitimate handshake, and any knowledgeable attacker could send one. Today, most attacks (and I mean 99.99%) are application-layer attacks that require user involvement to succeed. Once a user is tricked into running something, the malicious program executes in memory on that user's computer, and the firewall can't help. The badness scoots past the firewall on allowed ports and executes on the user's desktop.
Firewalls help only against attacks aimed at ports they block. But everyone allows ports 80 and 443 into their networks, and those are the two ports most successful attacks target. You can't block them, because doing so would bring the business to a halt.
Don't believe me? When is the last time you thought, "Wow, if I had just had a firewall enabled, I wouldn't have been successfully attacked"? I'll give you full credit if you can even remember the year.
A lot of firewall vendors already know my personal feelings, and they will often tell me that the problem is only with "traditional" firewalls and that their "advanced" firewall solves the problem. Their advanced firewall is always an application proxy or filter that includes an anti-virus scanner or IDS capabilities. See above. If advanced firewalls worked, we'd all be running them, and our hacker problems would be over.
Security snake oil No. 6: Redundancy

The oft-forgotten third word of the information-security acronym CIA is availability (the other two are confidentiality and integrity). As a concept, availability makes for great sales pitches. The reality, however, is that availability is more snake oil than we might like to admit.
Availability, and its sibling redundancy, drives a significant amount of hardware sales. These days, we have redundant power supplies, redundant hard drives, even redundant motherboards and CPUs. Before redundancy became a thing, I never needed the second unit. It's almost as if vendors give us components they know will fail.
I have a computer that's been running on the same hard drive, motherboard, and power supply for more than 20 years. Never had a problem. I don't even clean out all the dust. But I rarely buy a $100K server or appliance with redundant everything that I don't end up having problems with.
My first fully redundant server system ended up being a hard-earned lesson about the promise of redundancy. The system included a secondary clone of everything, with the backup unit ready to pick up where the failed unit quit, without a millisecond of downtime. I convinced my CEO to spend the extra $100K so we would never have an outage again. That promise lasted two days, until we had our first crash with the resplendent redundant system. We experienced unexpected data corruption, and that corruption was dutifully copied from the first server to the backup unit. Admittedly, the failover was flawless, with the corruption cloned impeccably between systems. Redundancy addresses hardware failure, not data integrity: a mirror replicates a bad write as faithfully as a good one, and only a point-in-time backup can undo it. My upset CEO didn't want to listen to my explanations of server backups and RAID levels. He just knew I'd wasted his money on false promises.
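The failure mode in that story, as an added example that is not from the article or any vendor's product: a primary volume and a synchronous mirror receive every write, so the pair's own health check (do both copies agree?) passes even when both hold garbage, while a point-in-time backup with a checksum of known-good data both detects the corruption and recovers it. The volume layout, block contents and the FNV-1a checksum (standing in for a real cryptographic hash) are all constructed for illustration.

```c
/* Added example: synchronous redundancy replicates corruption; only a
 * verified point-in-time copy restores integrity. All data is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCKS      4
#define BLOCK_SIZE  16

typedef struct { uint8_t data[BLOCKS][BLOCK_SIZE]; } volume_t;
typedef struct { volume_t copy; uint32_t checksum; } backup_t;

/* FNV-1a 32-bit over the whole volume: a small stand-in for the
 * cryptographic hash a real backup system would record. */
uint32_t volume_checksum(const volume_t *v)
{
    uint32_t h = 2166136261u;
    const uint8_t *p = &v->data[0][0];
    for (size_t i = 0; i < sizeof v->data; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* Synchronous mirror: every write lands on both copies, good or bad. */
void mirrored_write(volume_t *primary, volume_t *mirror, int block,
                    const uint8_t *buf)
{
    memcpy(primary->data[block], buf, BLOCK_SIZE);
    memcpy(mirror->data[block], buf, BLOCK_SIZE);
}

/* The check a failover pair runs: do the two copies agree? It says
 * nothing about whether the agreed-upon data is any good. */
int mirror_in_sync(const volume_t *primary, const volume_t *mirror)
{
    return memcmp(primary->data, mirror->data, sizeof primary->data) == 0;
}

/* Point-in-time backup plus an integrity baseline taken at the same moment. */
void take_backup(const volume_t *src, backup_t *b)
{
    b->copy = *src;
    b->checksum = volume_checksum(src);
}

/* Silent-corruption check: does the live volume still match the last
 * verified state? */
int volume_matches_backup(const volume_t *live, const backup_t *b)
{
    return volume_checksum(live) == b->checksum;
}

/* Restore only if the backup copy itself still verifies. Returns 0 on success. */
int restore_from_backup(volume_t *dst, const backup_t *b)
{
    if (volume_checksum(&b->copy) != b->checksum) return -1; /* backup rotted too */
    *dst = b->copy;
    return 0;
}

/* The scenario from the text. Returns 1 when the mirror reported "in sync"
 * while holding corrupt data AND the backup recovered the original block. */
int run_scenario(void)
{
    volume_t primary, mirror;
    backup_t backup;
    uint8_t good[BLOCK_SIZE] = "ledger-2014-q1";   /* constructed record */
    uint8_t junk[BLOCK_SIZE];
    memset(&primary, 0, sizeof primary);
    memset(&mirror, 0, sizeof mirror);
    memset(junk, 0xff, sizeof junk);

    mirrored_write(&primary, &mirror, 0, good);
    take_backup(&primary, &backup);

    /* An application bug or firmware fault writes garbage; the mirror
     * copies it with flawless timing. */
    mirrored_write(&primary, &mirror, 0, junk);

    int sync_but_corrupt = mirror_in_sync(&primary, &mirror) &&
                           !volume_matches_backup(&primary, &backup);
    if (restore_from_backup(&primary, &backup) != 0) return 0;
    return sync_but_corrupt && memcmp(primary.data[0], good, BLOCK_SIZE) == 0;
}

int main(void)
{
    printf("mirror in sync while corrupt, backup recovered data: %s\n",
           run_scenario() ? "yes" : "no");
    return 0;
}
```

The design point is which question each mechanism answers: the mirror answers "do I have a second copy?", the checksummed backup answers "is this the data I verified earlier?". Only the second detects the corruption the article describes.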
Security snake oil No. 7: Smartcards

Almost every company I know that doesn't have smartcards wants to have smartcards. Smartcards provide two-factor authentication (the card you have plus the PIN you know), which, as everyone knows, is better than one-factor authentication. But most companies think that enabling smartcards in their environments will significantly reduce the risk of hacker attack -- or stop all attacks outright. Or at least that's how it's sold to them.
Every company I know that's implemented smartcards is just as thoroughly hacked as the companies that don't. Smartcards do give you added security, but it's only a small amount and not in the places you really need it. Want to stop hackers? Improve your patch management processes and practices, and help your users refrain from installing stuff they shouldn't. Those two solutions will work hundreds of times better than smartcards.
Making the best of a compromising situation

Today's computer security world is a crazy, paradoxical one. Computer security companies are collecting billions of dollars from customers who are still routinely hacked.
Firewalls, IDSes, and antivirus programs don't work. How do I know? Because most companies have all these security technologies in place, and they are still compromised by hackers, almost at will. Even sound, well-analyzed encryption rarely stops them. Either hackers go around the crypto (by attacking the target directly on the endpoint, where the data sits unencrypted), or the code surrounding the cryptography is flawed (the OpenSSL Heartbleed bug is the canonical example: not a weakness in the ciphers, but a missing bounds check in the heartbeat extension that let a remote peer read server memory, private keys included).
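To make the Heartbleed point concrete, here is an added example that is not from the article and is not OpenSSL's own code: a model of the heartbeat handler. A heartbeat message is [type:1][payload_length:2, big-endian][payload][padding:16]. The vulnerable version trusts the length field from the peer and copies that many bytes into its response; the fixed version checks the field against the length the record layer actually received, as OpenSSL 1.0.1g does. The arena (standing in for adjacent heap memory), the secret placed after the record, and the request are all constructed.

```c
/* Added example: the Heartbleed bounds-check bug, modelled in isolation.
 * Not OpenSSL's code; the arena, secret and request are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define PADDING     16      /* heartbeat messages carry at least 16 bytes of padding */
#define ARENA_SIZE  256

/* Stand-in for the process heap: the received record is placed at the
 * start, and whatever else the process holds sits right after it. */
static uint8_t arena[ARENA_SIZE];

/* Build a heartbeat request in the arena. claimed_len goes into the length
 * field; real_len is how much payload was actually sent. Returns the true
 * record length as the TLS record layer would report it (0 on overflow). */
size_t build_record(uint16_t claimed_len, const uint8_t *payload,
                    size_t real_len, const char *secret)
{
    size_t record_len = 3 + real_len + PADDING;
    if (record_len + strlen(secret) > ARENA_SIZE) return 0;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + 3, payload, real_len);
    memcpy(arena + record_len, secret, strlen(secret)); /* "adjacent" heap data */
    return record_len;
}

/* Shared response builder: copies `payload` bytes from rec+3. The two
 * handlers below differ only in what they verified before calling it. */
static int build_response(const uint8_t *rec, uint16_t payload,
                          uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t need = 3 + (size_t)payload + PADDING;
    if (need > out_cap) return -1;   /* keeps this model inside its arena;
                                        OpenSSL malloc'd exactly `need` bytes */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);     /* over-reads when payload > real length */
    memset(out + 3 + payload, 0, PADDING); /* OpenSSL used random padding here */
    *out_len = need;
    return 0;
}

/* Vulnerable: the peer-supplied length is taken on trust. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap, size_t *out_len)
{
    (void)rec_len;                          /* never consulted: that is the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return build_response(rec, payload, out, out_cap, out_len);
}

/* Fixed: the two checks OpenSSL 1.0.1g added, applied to this model. */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (rec_len < 1 + 2 + PADDING) return -1;                  /* too short */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + PADDING > rec_len) return -1; /* exceeds record */
    return build_response(rec, payload, out, out_cap, out_len);
}

/* Did the response carry the secret? (memmem is not standard C.) */
int leaks_secret(const uint8_t *buf, size_t len, const char *secret)
{
    size_t n = strlen(secret);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, secret, n) == 0) return 1;
    return 0;
}

int main(void)
{
    static const char secret[] = "session=deadbeef";   /* constructed */
    uint8_t out[ARENA_SIZE];
    size_t out_len = 0;

    /* Attacker sends 2 bytes of payload but claims 64. */
    size_t rec_len = build_record(64, (const uint8_t *)"hi", 2, secret);

    if (heartbeat_vulnerable(arena, rec_len, out, sizeof out, &out_len) == 0)
        printf("vulnerable: %zu-byte response, leaks secret: %s\n",
               out_len, leaks_secret(out, out_len, secret) ? "yes" : "no");
    if (heartbeat_fixed(arena, rec_len, out, sizeof out, &out_len) != 0)
        printf("fixed: request discarded (claimed 64 > %zu-byte record)\n", rec_len);
    return 0;
}
```

Nothing in the TLS ciphers is touched by either handler; the leak comes entirely from one length field being trusted before the copy, which is the sense in which the crypto was "gone around" rather than broken.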
As a result, we security professionals are knowingly accepting that our computer security defenses are partial at best, while our vendors tout their solutions as incredibly accurate and impenetrable. It ain't so. We're being sold snake oil and being told it's sound, scientifically researched medicine.
What's a defender to do?
Well, push for real solutions. Take a look at how your environment and systems are being compromised on a daily basis, and push for solutions that fix those real problems. Don't get lost in the myriad promises of computer security products.
Me, I trust the vendor who tells me the truth, warts and all. I understand his product won't solve all my ills, and I know his product can't be 100% accurate. Avoid vendors who claim otherwise.
This story, "Security-vendor snake oil: 7 promises that don't deliver," was originally published at InfoWorld.com.