If you’ve ever worked as a front-line security professional in any organization, at some point you’ve been asked what certification or standards compliance would guarantee security. Then, away from the office, you’ve probably directed countless friends and family members to protect themselves with one of the various anti-phishing toolbars, like Netcraft’s, or the one built into their antivirus suite.
As this story (picked up from Slashdot) proves, there isn’t a checklist or toolbar in the world that can make that promise. The tools are only as good as their last scan and the up-to-date knowledge of the research team behind them. Certifications and compliance checklists are even less likely to be current.
Bad guys are creative, and they are constantly coming up with new techniques to make money. We haven’t eliminated crime in the physical world, so there’s no reason to think we can eliminate it in the virtual world. It’s just a consequence of being social creatures, living in a world where collective trust and cooperation are essential to survival.
“Trust” services like Netcraft, SiteAdvisor, Google, Microsoft, or pretty much any security suite will never be perfect and will always miss the latest and greatest attacks. They are reactive, depending on scanning and fraud reports, and like antivirus they rely on some people getting compromised early to defend the rest of us. A site being called “clean” doesn’t really mean much. On the other hand, I feel comfortable trusting them when they say a site is dangerous.
If there’s a lesson to learn from incidents like this, it’s one that even you non-security experts probably already know. Never rely on any single layer of defense, certification, or trusted source to secure your organization and yourself. Security is, by its nature, more defensive than offensive, and when you’re always on defense you’re bound to get hit eventually. That’s okay, since our risk management also includes steps to reduce the impact when we do get compromised; make sure you don’t neglect that part.