<<< Date Index >>>     <<< Thread Index >>>

Re: getting rid of outbreaks and spam



0.02 kroner coming up :)

> From: Gadi Evron
>
> 2. In a broader view, notifications ARE currently the
> problem rather than a solution.

I think we all recognize the fundamental truth that AV notifications are
pure marketing. They contain no instructions on removing the virus and only
serve to spread FUD. Somewhere sometime, a marketer at an AV company thought
"hey, let's get new customers by notifying people that send the virus!",
implemented it and everybody followed suit since "everybody is doing it, we
might as well also".

AV notifications have degenerated from a misguided assistance to become an
even worse problem than the viruses they are supposed to stop.


> 3. I think we look at the whole problem in the wrong way,
> allow me to elaborate:
> The AV industry is built on reaction rather than prevention.
> Adding new signatures is still the #1 tool in the fight against malware.

I couldn't agree more. We should stop wasting time on detailing the subject
lines of a new virus, what P2P folder the latest worm copies itself to or
how the latest Blaster variant changes spread algorithms on the second
Thursday of the month (provided it's raining in spain). All of this does
nothing to prevent any future reoccurences of the same threats and is mainly
of academic interest - if you're writing a paper on worm propagation
techniques or a book about "The 1001 funniest virus subject lines". We're
all curious beings, but having my mom know the subject lines of the 5 latest
viruses does nothing to prevent her from opening attachments or being
infected by Blaster.

We need to change our mindsets fundamentally and approach these threats from
a different angle. Instead of playing archeologists that are uncovering
dinosaur bones and detailing their ridges we need to become bio engineers
who analyze DNA mutation patterns and create strains of tomato plants that
can endure cold winternights. It is essential that we invest serious time
and money into analyzing and matrixing the common attack, spread and
infection vectors of the threats that our corporate networks and public
infrastructure encounter, and that we use that knowledge to create targetted
counteractions and proactive theat mitigations that can hinder the spread or
impact of generic types of threats - in advance.

This is not just a philosophy but a viable approach to applicable crafting.
We at PivX Solutions have been preaching Proactive Threat Mitigation for
quite some time now. I have been speaking about it at conferences (blame
canada), the panel members understood it when we explained it at the first
National Cyber Security Summit and we integrated our initial efforts into
Qwik-Fix which prevented dozens of threats in Q4 2003 (MiMail,lots of IE
exploits,etc).

I think we can all get lost in specifics from time to time, which is why it
is important to remember that real security is all about risk management -
how much time and money do we want to invest in lowering the inherent risk
to an acceptable level? It is only when we start diverting those resources
away from reactive solutions, such as antivirus that have not hindered any
major virus outbreak but even created the far worse problem of AV
notifications, and towards proactive appliances and proper risk management
that we can minimize our risk and shorten our window of exposure to threats.


> With spam and mass mailers clogging the tubes, causing us all to
> waste money on bigger tubes, as well as our time dealing with the
> annoyance (more money), shouldn't the problem be solved there
> (at the main tubes themselves) rather than at the end user's desktop?
>
> They are right, it isn't currently demanded of them.

ISPs and peering points should seriously consider the development and
implementation of technologies that can unintrusively and anonymously detect
threats and filter packets that meet certain risk criterias, before
governmental agencies wake up and start addressing the issue by regulations
and law that will inevitably limit their control of private property.



Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@xxxxxxxx
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix
<http://www.qwik-fix.net>