What We Can Learn From Science Regarding Industry-Sponsored Testing of Security Products

Robert Cialdini, a Psychology professor at Arizona State University, stated his top-notch book, Influence Science and Practice:

"Take the case of the medical controversy surrounding the safety of calcium-channel blockers, a class of drugs for heart disease. One study discovered that 100 percent of the scientists who found and published results supportive of the drugs had received prior support (free trips, research funding, or employment) from the pharmaceutical companies; but only 37 percent of those critical of the drugs had received any such prior support. "

His statement was based on a scientific paper published in The New England Journal of Medicine in 1998. Details of the research can be found here:
Conflict of Interest in the Debate over Calcium-Channel Antagonists

Wow, these results are staggering. 37% of doctors were critical of a particular form of drug. But when some form of support is involved all doctors became in favor of such drug. This and other related research cited at the end of this article scientifically proves (at least from a psychology and medicine perspective) that industry-supported evaluation or testing of security related products such as antiviruses, IPS's, etc. have an influence on the quality and outcomes of their results.

Examples of such type of research studies in the security industry are:
1. Symantec funded an antivirus testing by PassMark: Consumer Antivirus Performance Benchmarks
2. Symantec sponsored another antivirus evaluation by Dennis Technology Labs: PC Anti-Virus Protection 2011
3. Trend Micro sponsored an antivirus testing by NSS Labs:(debatable) http://trendmicro.mediaroom.com/index.php?s=43&item=749
4. Microsoft sponsored two NSS Labs tests for comparing the security of IE8 with other browsers:
http://arstechnica.com/microsoft/news/2009/08/microsoft-sponsors-two-nss-reports-ie8-is-the-most-secure.ars
5. Trend-Micro commissioned West Coast Labs Anti-Spam comparison tests: http://it.trendmicro.com/imperia/md/content/uk/whitepaper/wp06_wclantispamrpt_090317us.pdf

The results of these studies are not surprising. Symantec was ranked first by Dennis Technology Labs and PassMark. Trend Micro was ranked first by NSS Labs. IE8 was shown to be far superior than its peers according to NSS Labs. Trend Micro topped the antispam comparison tests by West Coast Labs.

The reason I am blogging this, is because I have come across a lot of CIO's and security experts who still believe and take into granted the results published by such kind of studies. Its even a pity to see security gurus from notable organizations such as SANS fall into this and cite these results.

For more information please see:

1. Study: Industry-Sponsored Research Yields Favorable Results a Majority of the Time: http://www.doctorpundit.com/index.php/2010/08/03/study-industry-sponsored-research-yields-favorable-results-a-majority-of-the-time
2. The uncertainty principle and industry-sponsored research: http://www.ncbi.nlm.nih.gov/pubmed/10968436
3. Pharmaceutical industry sponsorship and research outcome and quality: systematic review http://www.bmj.com/content/326/7400/1167.full
4. Source of funding and outcome of clinical trials - Journal of General Internal Medicine http://www.springerlink.com/content/r654521305u8547k/

2010 Cairo Security Camp

I gave off a presentation at the 2010 Cairo Security Camp at Cairo, Egypt about 2 months ago. The event was held at Nile University Smart Village. My presentation was on rootkits detection and removal. I have also talked about ADS and MBR infections.
All praise to God, according to the attendees evaluation, I was voted as both, the most liked speaker, and best event topic.

New Features Added to Startups@Ease

I have made a complete re-design of the user interface of Startups@Ease. I have also included two new additional features to help reduce unnecessary software from running every time the computer restarts, which are:

1. Installed third party services: Services are a type of startups that starts running in the background even before you log into the computer. There is a lot of unwanted services that comes bundled with some of the software you may have installed. Additionaly, these unwanted services may exist from pre-installed software whenever you buy a new computer. You can go through the Q&A wizard to see which of these services that are actively running in your computer that you do not want by clicking on the 'Installed Services' button.

2. Services that are part of the Windows operating system: Windows come with a large amount of services that start automatically and actively run in the background. Most of these services are very important for the the OS to function properly. However, there are few default Windows services that are not essential to the OS and are not always needed to be actively running. Based on how you use your computer, you can determine which of these unnecessary services that you may need by going through a questionnaire that can be accessed by the 'Windows Services' button.

If you have bought a new computer and you have used Startups@Ease, it will be a shame that the tool has not significantly boosted your computer.

Startups@Ease Now Supports 64-bit Windows

I have re-written the code for Startups@Ease and now it supports both 32-bit and 64-bit operating systems using the same executable.
The tool is automatically compatible with Windows XP 32-bit, Vista 32-bit, 7 32-bit, server 2003 32-bit, server 2008 32-bit, Vista 64-bit, 7 64-bit and server 2008 64-bit.
As for Windows XP 64-bit and server 2003 64-bit, you will need to download and install this hotfix before running this tool. The hotfix would allow 32-bit applications to access the 64-bit locations native to the operating system. Without the hotfix, the tool will not function properly.

Startups@Ease has Been Released

I finally launched a freeware tool called Startups@Ease that I have been developing in the past few months. The program is mainly designed to help non-geeks to manage unwanted startups in their computers. When executed, the program searches for unnecessary startups and then displays them as a series of questions and (yes/no) answers to the user. These questions are phrased such a way that non-technically sophisticated users can understand and be able to make a judgment whether they actually need the unnecessary startups or not. The tool does NOT delete or uninstall any of your programs. All of the startup programs that appear in the Q&A wizard can be accessed either through the start menu or from the control panel. In addition, the tool automatically creates backups of any programs it has disabled from startups.

The tool is available here: http://www.startupsatease.com

To use the program, click the begin button as in the image below:

Is an Account Lockout Policy Really Worth It

I strongly agree with Jesper Johansson and Steve Riley with their point of view on account lockouts in which they have mentioned in the book that they have published many years ago, Protect Your Windows Network: From Perimeter to Data. Here is a transcript of what they have written in page 344:

The authors consider that account lockout not only provides no positive security value, but actually decreases security. As we showed earlier, only really poor passwords can be guessed successfully. Thus, the real problem if a guessing attack succeeds is really poor passwords not lack of account lockout. Turning on account lockout does not make the passwords any stronger, and a sophisticated attacker will tailor the attack to work around any account lockout settings. Hence the claim that it provides no security value.

Worse than not doing any good, however, is the fact that account lockout is harmful. It can obviously be used by an attacker in a very easy denial-of-service attack to lock out every single account on the system, rendering the system unusable. Now consider if this were to happen to your Web server it would not be much of a "server" any longer. Moreover, it is highly likely that the account lockout settings are tripped accidentally. For example, almost all vulnerability scanners will trip account lockout settings, resulting in entire data centers being disabled. Finally, even if there is a timeout to the lockout, users will generally call the help desk when their account no longer works.
....

The authors then continue to describe the futility of account lockouts from a risk management point of view. Even though, the reasons that they have provided more than 5 years ago are fairly convincing, today there is a far more important reason why you need to disable account lockout across your network. A large amount of malware today perform dictionary attacks to break account passwords. The most notorious among them, is the conficker worm which has affected tens of millions of computer last year and is still a problematic infection today.

Earlier last year, I was called to assist in an emergency downadup outbreak at a financial institute. What was found is that despite only less than 4% of the machines were affected, it was these 4% that caused a major downtime to the whole business and thousands of employees were not able to get any work done because they cannot log on their machines. The reason was very simple, these small percentage of downadup-ridden machines tried to guess the passwords of every other machine across the network. The institute had to disable the account lockout policy
in order for the business to start functioning again and employees getting back to work. Thanks to account lockout, the institute suffered financially more from this harmful policy more then the mere existence of the malware itself.

I greatly advise that the risk management team of every company that has a windows network to revisit the account lockout policy. Instead, I do recommend that failed logon attempts are logged and a warning message such as an email is sent to notify network administrators after a certain amount of failed logons have been attempted.

Existance of Malware = Vulnerable to Targeted Attacks

I have came across a couple of companies that tend to focus most of their security strategy in trying to mitigate targeted attacks on their network and given little attention in protecting their businesses from malware (automated attacks) other than a futile reliance on an updated antivirus. It is true that the impact of targeted attacks on a company is far more greater than existence of automated or commercially spread malware, for an example some computer got infected with a Zlob trojan. However, if your security vendor's management console reported a single existance of a malware file in any computer in your network, then sadly, the fact is, your business is an easy target of a potential targetted attack regardless of all the security measures or security software/hardware at your business has put in place. With exception to viruses, the existence of malware in the form of a worm, bot, trojan, exploit, rootkit, keylogger, backdoor, spyware, adware, etc. are all indicators that your business is unprotected against spear attacks.

The reason for this is that targeted attacks use the same techniques as malware to compromise a system but at a more complex level. If it's the purpose of information theft, financial theft, espionage or whatever reason, a professional hacker would attempt to gain access of a business resource either through a vulnerability or by social engineering. Since both techniques are also used by malware, we can compare by examples how targeted attacks and malware utilize these techniques as a vector for accessibility.

Internal Vs. External Attacks Myth

After encountering a lot of IT representatives from different companies, I am surprised to find that the majority of them still believe that most of the security breaches originate from inside the company.
Michael Kassner has written an excellent article, definitely worth reading, at the Tech Republic last year on why such a belief no longer applies today. Kassner references the CSI/FBI Computer Crime and Security Survey which asks organizations to estimate the percentage of internal attacks they encountered. The results of survey is displayed in the following graph:After doing some statistical analysis, the estimated overall average of security breaches that originate from internal attacks is less than 16%. The difference is overwhelmingly significant that likely any margin of error such as the "different point of view" 's in Kassner's article would still have little effect in proving contrary beliefs.
Hence, allocating your IT security budget of your organization can be calculated by a simple risk management formula. Let,
E = the average financial impact including losses that may result due to an external attack on your organization. The impact may include financial or information thefts, reputation, loss of productivity, recovery, etc.
I = the average financial impact including losses that may result due to an internal attack on your organization.


Further readings:
http://www.pcworld.com/businesscenter/article/147098/insider_threat_exaggerated_study_says_.html

The Myth of Patch Management

From an old video recording of a security session held at Technet:

http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=991

“The Air Force had an environment where they standardized , based on a limited number of server build and client build using images and vhd files.. and then they allow them to make another decision. They did a risk assessment of patch delays and came to the following conclusion...

If we delay installation of a patch because we have to test it, then there is a time window between patch download date and install date, of when their machines are vulnerable to attack…

and their risk assessment concluded, that getting attacked in that time window, is much more likely than immediately installing the patch and see if an application breaks. That was their risk assessment. So they have done what I have been begging people to do for years. They have turned their patch management over to Microsoft (outsourced it to us). When we issue a patch, they install it right away.”

- Steve Riley, Former Senior Security Strategist - Microsoft Trustworthy Computing

Book author of "Protect Your Windows Network, from Perimeter to Data"

However, there is one point I would disagree with the Air Force. Newly released operating system service packs and IE versions must be tested in a business environments first regardless how small or large the business is, and if there is a testing team or not. At the same time, I do not recommend delaying installing those updates. I have seen security experts who test the new service pack updates even for their home environment.

Note: Steve Riley is now with Amazon Cloud Computing. He can be found here: http://stvrly.wordpress.com/

Barnes & Noble Sucks! The Rogue Online Bookstore.

A very close friend of mine was ordering books online and I asked him to order 2 books (a business book and a windows security book) with him since I couldnt find them in the bookstores in my region. He noticed that the shipping options at Barnes & Noble were very attractive compared to other major online stores. In addition we had a discount coupon. So he decided to try it out and little we did know that the experience we were about to get was extremely horrible.

During the order the discount coupon was accepted and clearly indicated that $xx was successfully deducted from our total purchase. Everything seems great and placed our order. A day later we received a notification that our order is being shipped. The next day, my friend received an unexpected email from B&N and that's where several problems started to appear.

He received a no-reply email that one books in the order has been canceled without any justification:

We apologize, but despite our efforts, we weren't able to fulfill some or all of the items in your order, as noted below. These items have been canceled from your order.

We apologize for any inconvenience this has caused and look forward to your next visit to Come back and visit anytime at http://www.bn.com.

I am not sure why they canceled the shipment of one of the books. I doubt it is availability issues, since all the books we ordered clearly indicated on their website that they are in stock. Anyhow, when my friend reviewed his paypal account, he found that the new B&N transaction charged far more than the total order details on B&N site. There was a clear inconsistency between what they charged for and what they display in thier total purchase details.
We decided to do some calculations and found that the price difference equals to all the discounts that he was entitled to including the members discount. Nevertheless, my friend contacted them to clarify with them why an item was canceled and why they charged more than the B&N account indicates. Four business days has passed and they have not responded. My friend will call them tomorrow morning to straighten things with them. At worst case, we will likely cancel all purchases with them.

In summary, B&N sucks because:
1. They cancel items in the order without justification or warning
2. They charge more than the total shipment price that they display to you on their website and via email without notification or consent
3. They show that your discount coupons are in use, but once they cancel one of the items without your consent, all your discounts will go as well without your notice.
4. They do not respond to 'customer care' emails.

Personally, I will stick to Amazon as I have been always been doing, despite their pricy international shipment options. I have purchased over a $1000 worth of books from Amazon, and I am completely satisfied with their excellent and transparent service.