I frequently hear security professionals and pundits proclaim that such and such a technology “is dead.” Lately, I’ve heard that “antivirus is dead,” “Intrusion Prevention Systems (IPS) are dead.” A while back it was “firewalls are dead,” and “SSL is dead.” People who utter phrases like this are doing a disservice to the security community.
I say this because when you say “XYZ is dead,” unless you are talking to a like-minded individual who has comparable training and experience to your own, as well as a comparable point of view, all they are doing is telling less-savvy individuals that they do not need the aforementioned “dead” technology.
For instance, if I tell you “firewalls are dead,” what is your first response? If you’re like most of my clients, you’ll think “I guess we don’t need to put in that new firewall this year.” I wouldn’t blame them for thinking that!
I think that when security pros say “XYZ is dead,” what they should say is “XYZ alone is not going to keep your network secure.” Here are some examples.
- Instead of saying “SSL is dead,” how about “An SSL certificate alone is not going to keep your website secure.”
Why? Because it does nothing to protect against cross-site scripting, cross-site request forgery, SQL injection, form injection, and other attacks on the application itself.
- Instead of “Firewalls are dead,” how about saying “A firewall alone is not going to keep your network secure.”
Why? Because a firewall won’t protect you from a virus spread by email, code embedded on a malicious website, or an attack against your web and email server when web and email traffic are allowed through.
- Instead of “Anti-virus is dead,” how about “Anti-virus alone will not keep your desktops and servers secure.”
Why? Because there are advanced techniques that can be used to bypass anti-virus software. AV must be combined with other best practices, such as firewalls, disabling unneeded services, and lowering user rights on systems.
Imagine a CFO hearing over the course of a few weeks that firewalls, IPS and anti-virus are all “dead.” Would you be surprised if he wanted to slash security budgets as a result? I wouldn’t.
For an elaboration on these points, please see my previous post on Defense in Depth and how it pertains to small businesses.
I urge security professionals to wake up and realize that statements like “XYZ is dead” are not doing any good and should be avoided. If you, as an end user, hear someone say this, be sure to push them for clarification and more information. You may find that “XYZ” isn’t as “dead” as they first led you to believe.