Thursday, August 21, 2008

Comments on "The State of PC Security"

I'm a fan of I met their CEO, Alan Meckler, at a conference in Singapore a few years ago, where he was speaking about the power of newsletters and blogs to create and engage an audience.

So it was with disappointment that I downloaded and read the latest white paper entitled, "The State of PC Security".

Much of the paper (in fact, the first three quarters) was up to the usual standards of research and reporting, with a solid article by Kenneth van Wyk benchmarking Linux and Mac security, and a good article on the current state of patching by Andy Patrizio, in which he quotes some interesting statistics from a recent study conducted by Secunia that showed just 5% of 20,000 surveyed computers were patched and fully up to date.

However, the final article "We Need to Rethink PC Security Software", written by Adrian Kingsley-Hughes, was rather a disappointment. He had nothing good to say about the PC security industry, or the people working in it. Instead of offering insights about how to protect PCs and users (against phishing and viruses, for example), he simply painted PC security software as unnecessary.

Fast-emerging threats, such as zero-day attacks, man-in-the-middle attacks, man-in-the-browser attacks, rootkits, and HOSTS file mods, were not even mentioned.

Now, I think I understand how the "sponsored white paper" works - if the sponsor is a patch management or software compliance company (i.e. like Secunia), then "reducing faith in end point security" serves an editorial purpose that serves the sponsor.

But white papers are supposed to inform, as well as serve their sponsor, and I personally think Kingsley-Hughes could have done better than simply rail against the number of alerts offered by his security suite. He could have easily supported the sponsor's argument for keeping a device and its applications fully-patched without writing things like:

"My take on the situation is that security companies have done a good job of convincing people that their products are essential if you are to keep your system free of badware (that's not true, but I'm not going to get into that argument right now), and as such the incentive to develop a good, solid product is lost."

This is simply untrue. The fact is, security software companies are innovating at a rate never seen before in the industry, and providing service at unprecedented levels.

Let me name just a couple of terrific innovations that I think have recently made the world a safer and more enjoyable place for PC users: McAfee Site Advisor, Firefox v3's terrific Antiphishing and Identity Services, Authentium SafeCentral (our unique secure browsing service - which incorporates the Firefox 3 security innovations), the various Anti-Rootkit technologies produced by multiple vendors including F-Secure and Panda, SecureZIP, and in the world of business end point security, WebSense Express and the equally excellent Spector 360 (from our fellow Floridians just up the coast).

These products all provide excellent levels of utility - and a level of quality and efficacy that was unavailable years ago.

These improvements are important to note. High efficacy is much more necessary today than it was years ago - the kind of hacks we are seeing today are sponsored by criminals and involve unprecedented levels of sophistication, and not only in terms of the layered approaches we're seeing to deployment and data theft: social engineering has now reached a level of sophistication (personalized emails from government departments citing case numbers, accurate addressee information, seamless branding) where every contact with a corporation or organization is starting to become suspect.

In terms of service, when I look at the billions of emails we process in partnership with our spam-fighting friends at Microsoft, Google, WebSense and Secure Computing, and the constant improvements in process being brought online (30 minute update turnaround times, versus days or weeks years ago), I wonder how it is possible that all this hard work somehow gets missed by journalists.

At one point, Kingsley-Hughes says:

"I've gotten to the point where I think I'd rather take my chances with the bad guys myself rather than bother with so-called security software".

Great. Hopefully, no one reading this article put it down and thought "that's good advice". I certainly wouldn't recommend it, and I think it was not useful for Kingsley-Hughes to suggest it as the final paragraph in a white paper entitled "The State of PC Security". Computer users deserve better. So let me try and provide a different perspective.

The real state of PC security right now, from the user's perspective, ranges from "not protected" to "well protected". Advising PC owners to run even a fully-patched computer without security software is not responsible advice.

And while I agree that it is true that a perfectly-behaved, totally-informed person running a perfectly-patched PC could in theory potentially escape infection, or the exposure of their personal data or online banking credentials, in the real world, there is no such thing as a perfectly-patched PC.

Security software, such as our SafeCentral application, provides good insurance for those times when a phishing email fools you into clicking a link, or your chosen download turns out not to be the program (or content) advertised, or the bank's site gets overtaken by hackers, or your kids borrow your PC for five minutes and go somewhere without telling you.
