Security lies #1: "You're protected from newly-infected web sites"
From time to time, I hear security vendors make claims that make no sense.
In fact, let's not mince words: I sometimes hear security vendors lie. There, I said it.
This week on Security Levity, I want to talk about one such example. One of the lies that's on my mind at the moment often comes from the mouths of URL filtering vendors: "Our product protects you by preventing access to all infected, phishing and compromised sites." Such statements -- if we take them literally -- are all too often untrue.
To be protected from a web threat by a URL filtering product, that product needs to have lightning-fast reactions. It needs to detect newly emerging threats on the web, such as new malicious sites or legitimate sites that have been hacked to spread malware. And it needs to do it quickly: a product that claims to be real-time needs to be ready to protect against every threat a user might encounter, no matter how recent that threat is.
That's a bold claim.
So let's be charitable, and assume that what these vendors really mean is simply that they're quick to react. Quicker than, say, 80% of their competitors, perhaps? That's not quite such an aggressive stance, but it's still pretty hard to verify.
But there's a simple way to test how good your URL filtering web security product is. It's hardly scientific, but it can give you a reasonable feel for how quick and accurate the protection is.
Disclaimer: you follow these instructions at your own risk; don't do this on a live network; only use a PC that you subsequently completely re-image.
Try accessing any newly infected or compromised site via your URL filtering product. Does your security product prevent you from reaching the site? If so, does the security product correctly categorize the type of threat?
(You can find such sites in lists produced by some security vendors; in fact, you should easily find some in your own spam quarantine.)
Once you've found a malicious link that your security product misses, how soon before it does react? If you were to repeat the test in an hour's time with the same link, would the test pass this time? What about after a day? How about a week?
Rinse and repeat until you feel you've gathered enough data.
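Once you have a few rounds of that data, the interesting numbers are the time-to-block per link and the fraction of links blocked within each re-test horizon (an hour, a day, a week). The script below is an added example, not code from the original post or from Commtouch, that computes those figures from a constructed observation log; the hosts use the reserved `.invalid` domain and the record layout (first-seen time, check time, blocked flag, expected and reported threat category) is an assumption of this example, chosen so a spam-quarantine export could be mapped onto it.

```python
"""Time-to-block analysis for URL-filter test observations.

Added example: the records below are constructed sample data, not
measurements from the article or from any vendor.  Each row records a
malicious link, when it was first seen (e.g. in a spam quarantine), when
the filter was checked, whether it blocked the request, and the threat
category the filter reported.
"""
import csv
import io
from datetime import datetime, timedelta

# The re-test horizons suggested in the post: an hour, a day, a week.
HORIZONS = {
    "1h": timedelta(hours=1),
    "1d": timedelta(days=1),
    "1w": timedelta(weeks=1),
}

# Constructed sample log; hosts are hypothetical (.invalid is reserved by RFC 2606).
# blocked is 1/0; reported is empty when the request was not blocked.
SAMPLE_LOG = """\
url,expected,first_seen,checked_at,blocked,reported
http://a.example.invalid/x,malware,2010-03-01T09:00,2010-03-01T09:05,0,
http://a.example.invalid/x,malware,2010-03-01T09:00,2010-03-01T10:00,1,malware
http://b.example.invalid/y,phishing,2010-03-01T09:00,2010-03-01T09:05,0,
http://b.example.invalid/y,phishing,2010-03-01T09:00,2010-03-01T10:00,0,
http://b.example.invalid/y,phishing,2010-03-01T09:00,2010-03-02T09:00,1,malware
http://c.example.invalid/z,malware,2010-03-01T09:00,2010-03-01T09:05,1,malware
http://d.example.invalid/w,malware,2010-03-01T09:00,2010-03-01T09:05,0,
http://d.example.invalid/w,malware,2010-03-01T09:00,2010-03-08T09:00,0,
"""


def parse_log(text):
    """Parse the CSV log into a list of dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "url": r["url"],
            "expected": r["expected"],
            "first_seen": datetime.fromisoformat(r["first_seen"]),
            "checked_at": datetime.fromisoformat(r["checked_at"]),
            "blocked": r["blocked"] == "1",
            "reported": r["reported"] or None,
        })
    return rows


def time_to_block(rows):
    """Map each URL to the delay between first_seen and the earliest check
    that was blocked, or None if no check ever blocked it."""
    ttb = {}
    for r in rows:
        ttb.setdefault(r["url"], None)
        if r["blocked"]:
            delay = r["checked_at"] - r["first_seen"]
            if ttb[r["url"]] is None or delay < ttb[r["url"]]:
                ttb[r["url"]] = delay
    return ttb


def coverage(ttb, horizon):
    """Fraction of URLs blocked within `horizon` of first being seen."""
    if not ttb:
        return 0.0
    hit = sum(1 for d in ttb.values() if d is not None and d <= horizon)
    return hit / len(ttb)


def miscategorized(rows):
    """URLs the filter did block, but under a different threat category
    than the one expected (the post's second question)."""
    return sorted({r["url"] for r in rows
                   if r["blocked"] and r["reported"] != r["expected"]})


def report(text=SAMPLE_LOG):
    """Summarise coverage per horizon, links never blocked, and mislabels."""
    rows = parse_log(text)
    ttb = time_to_block(rows)
    return {
        "coverage": {name: coverage(ttb, h) for name, h in HORIZONS.items()},
        "never_blocked": sorted(u for u, d in ttb.items() if d is None),
        "miscategorized": miscategorized(rows),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the sample data the filter covers half the links within an hour and three quarters within a day, never catches one of them in a week, and blocks one phishing link under the wrong category. A real run only needs the log rows replaced; the earliest blocked check is what counts, so a link that is later unblocked again would show up as a separate question worth logging.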
I'd be interested to hear your experiences, if you're brave -- or foolish -- enough to try this experiment. Let me know in the comments. Again, only do this if you understand the risks and can deal with them. Otherwise, it might be safer to think of it as a thought-experiment.
You might be surprised how poorly some URL filtering products perform in the real world. The problem is that today's threats are very dynamic, especially where botnets are involved. I'm sure you've heard this mantra hundreds of times from other security companies, but perhaps this thought-experiment will bring it home.
I want to make this an interactive place: where I can answer questions and cover topics that you suggest. Feel free to add comments and ask Amir!
When he's not suggesting dangerous experiments, Amir Lev is the CTO, President, and co-founder of Commtouch (NASDAQ:CTCH), an e-mail and Web defense technology provider.