Category Archives: Securosis

Possible probabilities

Rich at Securosis (@securityninja on Twitter) made an interesting post yesterday about the fact that, in referring to Mac security, the possibility of a threat doesn’t equate to there being a probability of it. While we can argue the toss about who in the security industry does or doesn’t have a clue about basic probability theory*, the point made is nonetheless worth examining.

There’s definitely something in the fact that, as yet, the Mac OS has not been a great target for malware. This, as most people with any sense will acknowledge, is not due to the fact that Macs are automagically non-virusable, but rather due to the lower market penetration they currently hold, making them a somewhat lower priority for exploitation. Although there are signs that this is changing, particularly with the porting of the Zlob Trojan to Mac, up to this point I agree with Rich: the risk is relatively low AS FAR AS GETTING INFECTED with something is concerned.

Where I have a problem with his post is that, in pointing out one logical fallacy, he makes another: that of confusing correlation and causation. The fact that you use a Mac may protect (to whatever limited extent) against certain types of threats, but that does not mean that you are not equally exposed to other threats – in fact, precisely because of your false sense of security, you may be even more so. Phishing, for instance, is completely platform agnostic – having a Mac won’t protect you – because the thing being infected is the USER, not the SYSTEM – there’s nothing to stop you getting caught out and putting your banking credentials onto a fraudulent website (unless of course you have some security suite that might warn you of the fact… oh, that’s right, you don’t need that on a Mac). To be fair, the fact that security against malware isn’t really all about getting an Anti-Virus program on your system is also something that should be emphasised more often, and that’s something that probably is the fault of the industry.

Similarly, many have been predicting the rise of malware for mobile phones, with all sorts of dire prophecies of doom; however, as Mikko Hypponen (@mikkohypponen on Twitter) points out, at the moment the prevalence of mobile malware is falling because most phone OS vendors are tightly controlling the applications that go on their platforms. He goes on to point out something that should be blindingly obvious (even to the most devoted of Mac fanbois), but sadly isn’t: once you get past having the user involved in the infection cycle and start finding a way to exploit the OS itself (or an application running on it) – by discovering and exploiting vulnerabilities – the game changes.

I’ll leave you with a lovely image that demonstrates my general feeling about life, the universe and everything – http://twitpic.com/snklj/full – if there’s one thing I’ve learnt in my years in the Anti-malware industry, it’s that “There will be Malware”. And that’s more than just a possibility.

*For a great (and very funny/bitter) introduction to statistics and probability I recommend John A. Paulos’ excellent book “Innumeracy: Mathematical Illiteracy and its Consequences”.

Andrew Lee CISSP
AVIEN CEO

Security, security, security

This is my first attempt to blog using my iPhone, so forgive any inadvertent typos. I go to a lot of security conferences, and often I feel like I’ve walked into a different world when attending some. No, I’m not talking about a preponderance of black sloganised T-Shirts or a penchant for colored hair amongst the attendees (though those do seem to be part of the tribal uniform for security conformistas); rather, I’m talking about the way that security has become fragmented into isolated silos of knowledge. In many cases there is total ignorance of the wider security field, and issues are discussed as if they are discrete and unrelated to a wider and more complex picture. It would be nice to have a more generalist family of security professionals, but I guess the field is now so wide that specialism is almost a must. However, I would encourage other security pros to attend different conferences outside of their own specialist area. You will gain a wider view of the world, and you will surely see some funny T-Shirts too.

Andrew Lee CISSP
AVIEN CEO

Resources

A quickie (don’t get too excited!)

A tweet from Alex Eckleberry sent me to the Sunbelt blog (always worth monitoring) and hence to the Securosis blog. The blog that caught Tom Kelchner’s eye and ultimately mine was this one: “I’m tired of this whole ‘security is failing, security professionals suck’ meme” (http://securosis.com/blog/friday-summary-november-13-2009).

However, my gaze travelled over several other interesting pieces to get there: some fairly specialized, like this:

http://securosis.com/projectquant/project-quant-database-security-process-framework

Others, thought-provoking opinion pieces like this one:

http://securosis.com/blog/critical-infrastructure-60-minutes-and-missing-the-point

Worth a look: http://securosis.com/blog/

So, was it good for you?

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://dharley.wordpress.com/
http://www.eset.com/threat-center/blog
http://blogs.securiteam.com
http://blog.isc2.org/