The most underrated security technologies
- 17 March, 2010 22:00
Here are four techniques and related technologies several cited as underrated in today's security fight. Since one security pro's miracle tool is another's waste of budget, it's no surprise that a couple of the technologies panned in an article that came out early this week on overrated security technologies are praised here.
Andy Willingham, senior security engineer at E-chx Inc. and founder of AndyITGuy Consulting, believes whitelisting and URL filtering are too quickly dismissed as too difficult. "Most people think that it's too hard to limit what people can run and where they can go," he said. "We've reached the point where we can't just let people do what they want. Too many preach that if we want to attract and retain good employees that we have to allow them to install programs and surf freely but until we get virtual environments to the point where everything is its own virtual session and can be 'cleared' at will or regularly, then we have to start locking down."
Chris Young, a VP at ISM Inc., said the biggest setback for this technology has been inconsistency on the management side, but that this piece is improving. "We are at the point where this is no longer a problem and new programs can be added with minimal/no admin assistance in a secure and controlled manner," he said. "On the endpoint it should not be seen as a locking down of the system in that users won't be able to have any freedom, but it provides admin/user education in the sense that it forces admins/users to check what they are downloading first to make sure it is a legit program and conforms to company policy."
At the same time, he said, the technology is filling the holes cause by poor/accidental user behavior while protecting executables that have been authorized to run on the system. " Operation Aurora was one of many examples where whitelisting on the endpoint would have completely prevented the compromise even after a user was duped into clicking on a link that led to a website that automatically downloaded and executed malware on the host system," he said.
- Data encryptors and/or shredders
"You need shredding machines to securely dispose of unnecessary or unscanned records and data encryption to protect the necessary scanned ones," said Tony Goring, owner of Aclarado Enquiries, a South African investigative agency.
- CPU stress testers
The paper described, among other things, "practical exploitation of the CPU cache poisoning in order to read or write into (otherwise protected) SMRAM memory." Invisible Things Lab cooked up two working exploits: "one for dumping the content of SMRAM and the other one for arbitrary code execution in SMRAM," the potential consequences being the ability of the bad guys to create more insidious rootkits, launch hypervisor attacks and/or bypass defenses around the OS kernel.
"It seems that the current state of firmware security, even in case of such reputable vendors as Intel, is quite unsatisfying," the paper concluded.
Kandy Zabka, a botnet researcher and moderator for the Infosec Island Forum, said a diagnostic CPU stress utility is an "excellent" tool to flush out the exact memory address(es) used by a CPU cache poisoning exploit. "If it is run multiple times, a stop exception appears that reveals the exact block(s) of memory addresses involved," Zabka said.
- Firewalls and AV
But like any technology that comes under criticism, someone will always step up and defend its value. Firewalls and AV may no longer get the glory, but many regard them as absolutely necessary parts of any network security posture.
"I would place firewalls, AV and patching solutions as the most important technologies from an IT security perspective in our organisations," said Mark Fullbrook, a director for Cyber-Ark Software's UK and Ireland divisions. However, he added, "But are they underrated? How many companies DONT have them?"