Don’t Get Too Caught Up in the Patch Game: How to Tell if a System is “Secure”

An article from Webuser, an online magazine in the United Kingdom, reported today that 98% of home PCs are not secure. I don’t doubt that number; in fact, I am surprised it isn’t higher. What I do disagree with is the definition of “secure”. In the report, a system counts as secure if it is up to date on current patches. In reality, “secure” is a relative term, and it involves a little more than just patches.

I lied: it’s a lot more than just patches. Consider this: if I had a system attached to the network whose own host firewall was configured to drop all inbound traffic, and yet it was missing every available patch, is the system still secure? That’s a foggy question.

The more relevant question, and the one that will help you approach your organization’s network security strategy the way the real risk management pros do (psst, here’s how they look at it), is: what is the actual risk, and which controls reduce it? Missing patches, for example, create risk that a firewall can reduce but not eliminate. A host firewall that drops inbound traffic does nothing about a flaw in the browser or PDF reader that is triggered by content the user fetches, and nothing once an attacker already has code running on the box. Nor does patching a system completely eliminate every risk; there is no patch for a flaw nobody has reported yet. At the end of the day there will be some residual risk no matter what. At that point you should be asking yourself: is the degree of residual risk acceptable according to company policy and standards? If not, then that system is not “secure”; if it is, then it is “secure”. Not to oversimplify things, but that’s about it.
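
To make the residual-risk framing concrete, here is an added worked example. It is not part of the original post and is not any vendor’s scoring model. It models one host with three hypothetical missing patches, each with a made-up severity and an attack vector (inbound service, client-side content, local), and applies assumed mitigation factors for a host firewall, an egress proxy and least privilege. The patch labels, severities, factors and the policy threshold are all constructed for illustration. What it demonstrates is that two hosts with identical patch compliance can carry very different residual risk, that a host firewall only touches the inbound vector, and that residual risk never reaches zero.

```python
"""Worked example: a host's residual risk is not the same thing as its patch level.

All data and weights below are constructed/assumed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable

# Attack vectors a missing patch might expose (assumed taxonomy).
INBOUND = "inbound"   # reachable by unsolicited network traffic (a listening service)
CLIENT = "client"     # triggered by content the user fetches/opens (browser, mail, PDF)
LOCAL = "local"       # requires code already running on the host


@dataclass(frozen=True)
class MissingPatch:
    name: str        # hypothetical label, not a real advisory identifier
    severity: float  # 0.0-10.0, CVSS-like base score (assumed scale)
    vector: str      # one of INBOUND, CLIENT, LOCAL


@dataclass(frozen=True)
class Controls:
    inbound_firewall: bool = False   # host firewall drops all unsolicited inbound traffic
    egress_proxy: bool = False       # outbound web/mail goes through a filtering proxy
    least_privilege: bool = False    # the user does not run with admin rights


# Assumed: fraction of a flaw's severity that remains once a control applies to its
# vector. None of these is 0.0, because controls reduce risk, they do not remove it.
MITIGATION = {
    (INBOUND, "inbound_firewall"): 0.10,  # still exploitable from the host itself
    (CLIENT, "egress_proxy"): 0.60,       # a proxy filters some hostile content, not all
    (CLIENT, "least_privilege"): 0.50,    # exploit still lands, with reduced impact
    (LOCAL, "least_privilege"): 0.50,
}

BASELINE_UNKNOWN = 1.0  # assumed: irreducible residual for flaws not yet known or patched


def patch_compliance(installed: int, required: int) -> float:
    """The metric the press release measured: share of required patches applied."""
    return installed / required if required else 1.0


def residual_for(patch: MissingPatch, controls: Controls) -> float:
    """Severity left after every control that applies to this vector scales it down."""
    residual = patch.severity
    for (vector, control), factor in MITIGATION.items():
        if vector == patch.vector and getattr(controls, control):
            residual *= factor
    return residual


def residual_risk(missing: Iterable[MissingPatch], controls: Controls) -> float:
    """Sum of per-patch residuals plus the irreducible baseline."""
    return BASELINE_UNKNOWN + sum(residual_for(p, controls) for p in missing)


def is_secure_per_policy(risk: float, acceptable: float) -> bool:
    """'Secure' in the article's sense: residual risk within what policy tolerates."""
    return risk <= acceptable


# Constructed inventory: three missing patches on one host, 10 patches required in total.
MISSING = [
    MissingPatch("file-sharing service RCE", 9.0, INBOUND),
    MissingPatch("browser renderer RCE", 8.0, CLIENT),
    MissingPatch("local privilege escalation", 6.0, LOCAL),
]
REQUIRED = 10


def compare_hosts() -> dict:
    """Same patch level on every host below; very different residual risk."""
    firewall_only = Controls(inbound_firewall=True)
    layered = Controls(inbound_firewall=True, egress_proxy=True, least_privilege=True)
    return {
        "compliance": patch_compliance(REQUIRED - len(MISSING), REQUIRED),
        "unmitigated": residual_risk(MISSING, Controls()),
        "firewall_only": residual_risk(MISSING, firewall_only),
        "layered": residual_risk(MISSING, layered),
        "fully_patched": residual_risk([], layered),
    }


if __name__ == "__main__":
    results = compare_hosts()
    for label, value in results.items():
        print(f"{label:>14}: {value:.2f}")
    # Assumed policy threshold of 10.0 for this illustration.
    print("firewall-only host acceptable:", is_secure_per_policy(results["firewall_only"], 10.0))
    print("layered host acceptable:      ", is_secure_per_policy(results["layered"], 10.0))
```

The firewall-only host keeps most of its risk because the browser and local flaws are untouched by an inbound filter, while the layered host with the exact same 70% compliance falls under the assumed threshold; even the fully patched host never reaches zero. Swap the threshold passed to is_secure_per_policy() for whatever your own policy actually tolerates.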

–Kevin


3 Comments

  1. Posted December 16, 2008 at 1:14 pm | Permalink

    You’re right about the patch thing. When we dissected the components of “security” to assure a thorough test can be made for the OSSTMM, one of the first things we realized is that the model and definition for security was off. We ended up going with very specific definitions which actually fit what you write here. Security is a physical separation between a threat and an asset at a determined vector. Safety is how a threat or its impact is controlled. So to be secure from lightning you would move into a mountain. To be safe from it, you would put up rods and stay indoors, away from windows.

    From there we break it down even further, but what we find is that it allows us to handle things like whether a patch is or isn’t security.

  2. Posted December 17, 2008 at 4:47 am | Permalink

    Interesting discussion; *when* is any system deemed “secure”?! In my personal opinion, as long as we humans operate them, probably never. There will always be new angles of attack on a system, because this is human nature: exploration, discovery, challenges, overcoming obstacles and conquering. Security only exists at a high level when the operator fully understands every aspect of a) the system’s workings, and b) the consequences of any action taken on the system.

    Now, to the origin of the article this blog post was based on. We (Secunia) used data from our PSI Patch Scanner as the basis of a blog post of our own: http://secunia.com/blog/37/
    Note that we do not, ever, state that a computer is secure when patch management is in place. This is a media spin on things, mostly because they do not fully understand the complexity of “security”.

    True, the numbers are probably worse than the data from Secunia reveal. To quote the blog post:
    “Please note. Due to the way data is collected by the Secunia PSI all results presented here are to be considered “best case” scenarios, the real numbers are likely to be worse.”
    So, to back up Kevin’s statement: yes the numbers are probably worse.

    The consensus is that full security is difficult to achieve and would rely on a number of things (vulnerability management, AV, firewall, policy management/enforcement, end-user education), but core to the effort is patch management. This is also by far the cheapest and easiest step in the process. With at least patch management in place, an important step has been taken towards relative security.

    Stay Secure
    psi.secunia.com

  3. Posted December 17, 2008 at 9:46 am | Permalink

    Just to be fair to Secunia.com, it’s the media that typically skews data like this and makes unfounded statements indicating that something is “secure” or “not secure”, not Secunia.com. Just in case anyone felt that I was trying to jab at Secunia.com: they have always been a great source of information security insight and knowledge, so I would always encourage listening to what they have to say.

    –Kevin
