RSA delegates heard that vigilance is the best defence
RSA 2010: Encryption and anti-virus are failing
/v3-uk/news/1946978/rsa-2010-encryption-anti-virus-failing
02 Mar 2010, Iain Thomson , V3
The effectiveness of traditional anti-virus and encryption systems is failing, according to a panel of experts at the RSA 2010 conference in San Francisco.
Current successful detection rates for popular anti-virus packages are between 70 and 90 per cent of all samples, Ed Skoudis, co-founder of security consultants InGuardians, told delegates.
The increased use of heuristics and behavioural monitoring may be helping overall, but the outlook is not rosy, according to Skoudis. However, he urged companies to keep using such systems.
"Don't throw the baby out with the bathwater," he said. "Heuristics and behavioural monitoring helps to cut down some of the clutter, but we can't have that as a single point of protection any more."
The best defence from an IT administrator's perspective is vigilance, Skoudis said. Administrators should check outbound web proxies for excessive activity or suspicious connection points, and logs of DNS resolution failures are also a useful source.
Companies should also segment networks with internal firewalls to minimise the effect of any outbreaks.
Dr Johannes Ullrich, chief technology officer at the SANS Internet Storm Center, agreed, saying that network segmentation is vital to effective security. Computers that do not need internet access should be disconnected, he said.
Dr Ulrich also warned about an over-reliance on encryption and, in particular, Secure Sockets Layer (SSL).
"Do not rely on encryption," he said. "Encryption is becoming a losing battle. You have to overbuild on encryption now. Pick the strongest cypher you can and then re-encrypt with another package."
Dr Ulrich warned of increasing problems with SSL as an encryption tool. So-called man-in-the-middle attacks, where a hacker oversees an encrypted traffic stream, disrupts the connection and then reconnects with one side to harvest the data, are becoming increasingly common.
He also referred to the NULL character flaw revealed at last year's Black Hat conference.
Ultimately, however, the best protection for a network is the IT administrator, according to Skoudis.
"There is no silver bullet, except possibly you. Build your skills up. What if we are the defence we have all been waiting for?" he said.
© Incisive Media Investments Limited 2010, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093
Do you agree?
Agree, totally..
It's funny how companies expect that with a couple of "tools" in place, the risk is transferred and everything is ok. Instead over- reliance on these tools blinds admins into what is really happenning on the wire or in memory, thus a great learning opportunity is lost. Because "x" or "y" applications don't see it and don't alert on it, does it mean it isn't happenning? Do you know what "normal" traffic looks like on your network? It takes all 5 senses to drive in bad weather; it takes a 6th sense to be succesful in InfoSec.
Posted by manny2times, 03 Mar 2010