Security “for free”?

As security
professionals, we are continuously facing the challenge of smaller and smaller budgets
allocated to maintain and improve the IT security. That’s probably the main
reason why there is always the temptation of “Free”. Many people, sometimes
even professionals, think that they can achieve a good security for free. “For
free” means in this context that some programs used to achieve and improve
security don’t cost any money to acquire.  Unfortunately, the analysis of the costs stops
at the acquisition and it ignores other costs like the installation and maintenance costs.

But, is it
possible to cover all the possible attack vectors with free security products?
I made a short analysis of the most common ways used to endanger the IT
security and if it is possible (to my best knowledge) to cover them with free
tools. I am ignoring the social engineering techniques as they, most of the
time, can’t be combated with tools.

The security
landscape changes continuously and you have to be fully protected against the
most common attack vectors:

  1. infections through files carried on USB sticks, memory cards, mobile
    hard drives, downloaded files
  2. network attacks (spoofing, DOS)
  3. vulnerabilities that get exploited in common software
  4. drive-by downloads
  5. identity and financial theft through phishing websites
  6. spam and phishing emails

There are definitely other components
that influence the security of a computer or a network. I can’t cover them in
this article, even if they are straightforward. For example, backup. I consider
this a special category as not directly related to malicious attacks. Even so,
there are plenty of free offline and online backup programs.

The most basic security solution has to be able to protect the computer in real time
against all types of malicious software that get transmitted as files (most
common malware).

A free antivirus solution does this job without any problems (covers attack vector 1).

Enhancing this solution with the Windows Firewall or other free firewalls adds a second layer of protection against network attacks (covers attack vector 2).

In the last two years one of the most common infection paths was through vulnerable
software.  There are good free solutions available that help you at least to know that you have vulnerable software installed on your computer (covers attack vector 3). Some even patch the
vulnerable software for free.

Covering the attack vector 4 and 5 is possible as well. There are tools (available as toolbars
or browser plugins) that filter the websites visited before the user is able to
become infected.

The tech savvy user can even use a free DNS filtering solution in order to prevent your computer to even be able to address many of these threats. However, these solutions don’t protect you against all the possibilities that exist to get a malware on your computer through an infected website.

Unfortunately, I don’t know any free solution available to filter emails against spam and
phishing emails and malicious files attached in the emails.

So, it seems quite easy to protect a computer and not pay anything.

At the first view.

 

There are,however, hidden costs, which many people tend to ignore. These costs are not
acquisition costs. They are even not easily visible.

Usually, the free solutions don’t contain all security features that the paid solutions
contain, so you can’t benefit of the full security offered by the product if
you are using the gratis version. Sometimes, the updates are either delivered
with some latency compared to the paid versions, in other cases the free users
are used as testers until the software is stable enough for the paying
customers. So, your computer will become a test object for a security solution
which should provide security.

Another aspect is the maintenance of all these independent solutions which can be pretty
intensive and sometimes also extremely complex (updates, upgrades from one
version to another can be problematic if you have to do them for each product
individually). Having separated solutions means also that these programs will
consume more resources (CPU, RAM, HDD) than when they are in one solution (as a suite of
products). This also means that there is no global knowledge of the threats
shared between the components that are protecting individual areas. In other
words, the scanner will not know that the file that is being scanned was just
downloaded from a website and it is potentially dangerous. This has as
consequence the fact there is no entity that puts the pieces of information
together, thus resulting in your computer getting infected.

Sometimes there is no official support whatsoever for the free solutions or there is no
guarantee that the authors of the software will help solving possible issues.
So, if you have a problem or a question, your only solution is to check if
there are some free forums where somebody already posted a solution to your
problem or to ask yourself and hope that someone helps. This might be very time
consuming and sometimes impossible to implement if you are not into technology.

There is no guarantee that the free software will not be discontinued at some point in time.
Not paying anything means that you have no rights to require extended support
or any guarantees.

Last but not least, the free solutions are sometimes ads sponsored. Even if this is starting
to become generally accepted because of the
millions of free apps for mobile devices, some people see this as unacceptable.

As a general conclusion, it is true that it is possible to achieve a decent degree of
security without any acquisition costs. However, there are drawbacks and there
are hidden maintenance costs. For those who are interested in having software
that works for them and not the other way around, it is advisable to get a paid
security solution that covers all the relevant attack vectors and offers a
decent quality of service.

 

 

Sorin Mustaca

CSSLP,Security+,Project+

via (ISC)2 Blog http://feedproxy.google.com/~r/isc2Blog/~3/SNmo9C1HZbA/security-for-free.html


© Copyright 2013 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity


Check www.endpoint-cybersecurity.com for seeing the consulting services we offer.

Visit www.itsecuritynews.info for latest security news in English
Besuchen Sie de.itsecuritynews.info für IT Sicherheits News auf Deutsch