So often my ISP calls us up and asks to speak with the IT manager or the person who is responsible for the network.
This time it was Netvision offering me a special deal on Symantec anti-virus and a $5/month service package for virus updates.
Well, I said “We don’t use Windows, and I have not installed nor used an anti-virus for over 9 years”. The sales person asked me what we use and I replied Ubuntu. Never heard of it, she said.
So – I told her – “imagine a free operating system that installs in 15′ with thousands of world-class free software and no need to run an anti-virus and it looks like a Mac”. She said – wow that sounds good. Maybe I should check it out.
Who needs an anti-virus? If I have a solid operating system like Ubuntu 11.10, iptables, good control of the services on my notebook and practice safe email, why should I add additional layers of content security and feed the Symantec stock price?
Additional security controls do not necessarily reduce risk.
Installing more security products is never a free lunch and tends to increase the total system risk and cost of ownership, as a result of the interaction between the elements.
Many firms see the information security issue as mainly an exercise permissions and identity management (IDM). However, it is clear from conversations with two of our large telecom customers that (a) IDM is worthless against threats of trusted insiders with appropriate privileges and (b) Since the IDM systems requires so much customization (as much as 90% in a large enterprise network) it actually contributes additional vulnerabilities instead of lowering overall system risk.
The result of providing inappropriate countermeasures to threats, is that your cost of attacks and ownership go up, instead of your risk going down. This is as true for a personal workstation as it is for a large enterprise network.
The question from a security perspective of an individual user is pretty easy to answer. Install a decent personal firewall (not Windows and please stay away from Symantec) and be careful.
For a business, the question is harder to answer because it is a rare company that has such deep pockets they can afford to purchase and install every security product recommended by their integrator and implement and enforce all the best-practice controls recommended by their accountants.
An approach we like is taking standards-based risk assessment and implementing controls that are a good fit to the business.
Our 6 step business threat analysis methodology enables any business to build a quantitative risk model and construct an economically-justified, cost-effective set of countermeasures that reduces risk in their and their customers’ business environment.
More importantly, a company can execute a “gentle” implementation plan of controls concomitant with its budget instead of an all-or-nothing compliance checklist implementation that may cost mega-bucks.
And in this economy – fewer and fewer businesses have the big bucks to spend on security and compliance.
Software Associates specializes in helping medical device vendors achieve HIPAA compliance and improve the data and software security of their products in hospital and mobile environments in the best and most cost-effective way for your business and pocketbook.
Cross-posted from Israeli Software