As security
professionals, we are continuously facing the challenge of smaller and smaller budgets
allocated to maintain and improve IT security. That’s probably the main
reason why there is always the temptation of “Free”. Many people, sometimes
even professionals, think that they can achieve good security for free. “For
free” means in this context that some programs used to achieve and improve
security don’t cost any money to acquire. Unfortunately, the analysis of the costs stops
at the acquisition and ignores other costs such as installation and maintenance.
But is it
possible to cover all the possible attack vectors with free security products?
I made a short analysis of the most common ways used to endanger IT
security and whether it is possible (to the best of my knowledge) to cover them with free
tools. I am ignoring social engineering techniques as they, most of the
time, can’t be combated with tools.
The security
landscape changes continuously and you have to be fully protected against the
most common attack vectors:
There are definitely other components
that influence the security of a computer or a network. I can’t cover them in
this article, even if they are straightforward. For example, backup. I consider
this a special category as it is not directly related to malicious attacks. Even so,
there are plenty of free offline and online backup programs.
The most
basic security solution has to be able to protect the computer in real time
against all types of malicious software that gets transmitted as files (the most
common malware).
A free antivirus solution does this job
without any problems (covers attack vector 1).
Enhancing this solution with the Windows
Firewall or other free firewalls adds a second layer of protection against
network attacks (covers attack vector 2).
In the last
two years one of the most common infection paths was through vulnerable
software. There are good free solutions
available that help you at least to know that you have vulnerable software
installed on your computer (covers attack vector 3). Some even patch the
vulnerable software for free.
Covering
attack vectors 4 and 5 is possible as well. There are tools (available as toolbars
or browser plugins) that filter the websites visited before the user is able to
become infected.
The tech-savvy user can even use a free
DNS filtering solution to prevent the computer from even being able to address
many of these threats. However, these solutions don’t protect you against all
the possibilities that exist to get malware onto your computer through an
infected website.
Unfortunately,
I don’t know of any free solution available to filter emails against spam,
phishing emails and malicious files attached to the emails.
So, it seems
quite easy to protect a computer and not pay anything.
At first glance.
There are,
however, hidden costs, which many people tend to ignore. These costs are not
acquisition costs. They are not even easily visible.
Usually, the
free solutions don’t contain all security features that the paid solutions
contain, so you can’t benefit from the full security offered by the product if
you are using the gratis version. Sometimes the updates are delivered
with some latency compared to the paid versions; in other cases the free users
are used as testers until the software is stable enough for the paying
customers. So, your computer will become a test object for a security solution
which should provide security.
Another
aspect is the maintenance of all these independent solutions, which can be pretty
intensive and sometimes also extremely complex (updates and upgrades from one
version to another can be problematic if you have to do them for each product
individually). Having separate solutions also means that these programs will
consume more resources (CPU, RAM, HDD) than when they are combined in one solution (as a suite of
products). This also means that there is no global knowledge of the threats
shared between the components that are protecting individual areas. In other
words, the scanner will not know that the file that is being scanned was just
downloaded from a website and is potentially dangerous. The
consequence is that there is no entity that puts the pieces of information
together, thus resulting in your computer getting infected.
Sometimes
there is no official support whatsoever for the free solutions or there is no
guarantee that the authors of the software will help solve possible issues.
So, if you have a problem or a question, your only solution is to check if
there are some free forums where somebody already posted a solution to your
problem or to ask the question yourself and hope that someone helps. This might be very
time-consuming and sometimes impossible to implement if you are not into technology.
There is no
guarantee that the free software will not be discontinued at some point in time.
Not paying anything means that you have no right to require extended support
or any guarantees.
Last but not
least, the free solutions are sometimes ad-sponsored. Even if this is starting
to become generally accepted because of the
millions of free apps for mobile devices, some people see this as unacceptable.
As a general
conclusion, it is true that it is possible to achieve a decent degree of
security without any acquisition costs. However, there are drawbacks and there
are hidden maintenance costs. For those who are interested in having software
that works for them and not the other way around, it is advisable to get a paid
security solution that covers all the relevant attack vectors and offers a
decent quality of service.
Sorin Mustaca
CSSLP, Security+, Project+