Prehistoric Security
Posted 2007-09-09 13:49 by Christopher
Ankylosaurus was a 4-ton herbivore that lived about 65 million years ago at the end of the Cretaceous Period. Representing the pinnacle of evolution in dinosaur defense, Ankylosaurus was a veritable tank. These wide and low dinos were covered with armor plates which were used together to form a nearly impenetrable shell. They featured triangular horns on their heads and a large, club-like tail. Their leathery skin was covered with spikes, which even covered their eyelids.
What does the Ankylosaurus have to do with modern security? There are probably some lessons we can learn from them. Their skulls were so thick that some scientists think that their brains were no larger than a golf ball, and as such, they were one of the least intelligent dinosaurs. Further, the fusion of the bones in their backs and necks helped prevent attack, but they probably couldn't even lift their heads to reach food above ground level. And despite their formidable defenses, none of them survived past the K–T extinction event.
There's been a lot of talk on the security blogs lately about the futility of AntiVirus software. For example, Joanna Rutkowska has written an excellent piece on the futility of security "built on tricks and hacks."
About two years ago I gave a presentation on positive security models, and their benefit over trying to identify all of the "bad stuff". Since then, the art of evasion has only improved, and the number of bad things has boomed.
On the McAfee Avert Labs blog, Marius van Oers writes, "In 2000 we had a little over 50,000 malicious items. That figure went to 100,000 in 2003. In August 2006 we passed the 200,000 barrier and almost exactly 1 year later, August 2007, we will be passing the 300,000 barrier. With these huge numbers appearing the handling of samples can't be maintained by humans only."
Perhaps it's time for security practitioners and vendors to step outside of the badness arms race, and look for simple and creative ways to protect assets. The best way to protect a network is to understand what is running inside of it. To that end, several vendors including Lumension have products that can control application execution. I hope to see a continual evolution in this segment. To me, the ideal client security application would combine sandboxing and behavior monitoring of greylisted applications with traditional HIPS and AV, including buffer-overflow protection for "non-executable" memory.
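To make the positive-model argument from the presentation above and the execution-control idea concrete, here is a toy policy engine written for this post (it is not Lumension's or any other vendor's code). The "binaries" are constructed byte strings standing in for file contents, and the allowlist and blocklist are built from SHA-256 hashes of those strings. The point it shows is the one the post makes: a blocklist is default-allow and waves through any sample it has never seen, while an allowlist is default-deny and sends the same unknown sample to a greylist where a sandbox or behavior monitor can decide.

```python
"""Positive vs. negative security model for application execution control.

Added example for this post: a toy policy engine, not a vendor product.
All file contents below are constructed stand-ins for real executables.
"""
import hashlib
from typing import Dict, Tuple

# Constructed "binaries" the administrator knows are running in the network.
# This inventory is the basis of the positive model.
APPROVED_BINARIES: Dict[str, bytes] = {
    "notepad.exe": b"MZ-notepad-constructed-v1",
    "backup-agent.exe": b"MZ-backup-agent-constructed-v3",
}

# Constructed malware samples the AV vendor has already catalogued.
# This catalogue is the basis of the negative model.
KNOWN_MALWARE: Dict[str, bytes] = {
    "dropper-family-a": b"MZ-dropper-a-constructed",
}


def sha256_hex(contents: bytes) -> str:
    """Hash file contents; both models key on this value."""
    return hashlib.sha256(contents).hexdigest()


ALLOWLIST = {sha256_hex(b) for b in APPROVED_BINARIES.values()}
BLOCKLIST = {sha256_hex(b) for b in KNOWN_MALWARE.values()}


def negative_model(contents: bytes) -> str:
    """Traditional AV: default allow, deny only what is already known bad."""
    return "deny" if sha256_hex(contents) in BLOCKLIST else "allow"


def positive_model(contents: bytes) -> str:
    """Execution control: default deny, allow only what is known good.

    Anything unknown is greylisted rather than run freely, so a sandbox or
    behavior monitor (not implemented here) gets the final say.
    """
    digest = sha256_hex(contents)
    if digest in ALLOWLIST:
        return "allow"
    if digest in BLOCKLIST:
        return "deny"
    return "greylist"


def evaluate(samples: Dict[str, bytes]) -> Dict[str, Tuple[str, str]]:
    """Return (blocklist verdict, allowlist verdict) for every sample."""
    return {name: (negative_model(c), positive_model(c)) for name, c in samples.items()}


# Constructed test set: one approved binary, one catalogued sample, one
# repacked variant the vendor has never seen, and one unknown tool.
SAMPLES: Dict[str, bytes] = {
    "notepad.exe": APPROVED_BINARIES["notepad.exe"],
    "dropper-family-a": KNOWN_MALWARE["dropper-family-a"],
    "dropper-family-a-variant": b"MZ-dropper-a-constructed-repacked",
    "unknown-tool.exe": b"MZ-unknown-tool-constructed",
}


if __name__ == "__main__":
    for name, (neg, pos) in evaluate(SAMPLES).items():
        print(f"{name:26s} blocklist={neg:6s} allowlist={pos}")
```

Running it prints the two verdicts side by side: the catalogued sample is denied by both models, but the repacked variant and the unknown tool are allowed by the blocklist and greylisted by the allowlist. Every new variant forces another blocklist entry (the growth curve van Oers describes), whereas the allowlist only changes when the administrator approves new software.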
