The security software and antivirus industry continues to struggle to release secure products, a sure sign that a radical rethink of computing platforms is needed for businesses and enterprise users.
Last week, Symantec was caught shipping an entire range of enterprise and retail products with holes big enough to drive a horse and carriage through.
What’s worse, the vulnerabilities weren’t discovered by Symantec itself, but by a researcher working for Google who took an interest in the products and decided to analyse how secure they were.
You would be correct to question Google’s motives in letting its geek hounds of hell loose upon security vendors. The reality, however, is that these gaping holes exist, and with every flaw that is patched, a new one appears.
That’s down to software and hardware design decisions made over decades. The Symantec case simply reaffirms that general-purpose operating systems running on personal computers are not secure.
Part of the reason for the PC platform becoming so popular is that it allows unfettered access to every part of the system - hardware and software - on the assumption that users know what they’re doing.
The truth, however, is that your average user doesn’t actually know what they're doing. But bad people with the time and motivation do, and they can and will get access to users’ systems.
Hardware vendors have tried to shore up PC architecture by adding hardware protections. But it turns out that the System Management Mode feature can be abused to simply switch these protections off, providing full access to the operating system.
Enterprise customers fed up with band-aid antivirus software may need to re-evaluate whether or not their users actually should operate general-purpose computing devices like PCs, which are almost impossible to keep safe.
Perhaps it’s time to sidestep the asymmetric digital warfare waged by attackers and go with a more restricted platform where the operating system and applications are tightly controlled by one vendor committed to security and privacy, like Apple’s iOS, coupled with the cloud?
The vast majority of tools and applications that normal users need are found in Apple’s App Store, which has by and large stood the test of time security-wise.
Nothing is totally impenetrable, not even iOS, but when even United States law enforcement struggles to break into iDevices, it tells us that Apple’s security design decisions and policies went in the right direction.
Ironically enough, considering the effort Google puts into embarrassing security vendors by exposing an ever-increasing number of vulnerabilities in their products, the online giant’s Android operating system and devices seem to be as holey as Swiss cheese.
For instance, malware was discovered in Google Play that’s capable of rooting nine out of ten Android devices to plant payloads with full access to the system and user data. Many Android devices won't be updated with patched versions of the OS, so here's hoping Google tightens up its security measures for the Play app store or users will suffer.
And the US Feds probably don’t have to go to court to force Google or one of its hardware partners to unlock devices, as it turns out Android’s hardware-backed full disk encryption is breakable due to flaws that’d require a redesign to fix.
Add to that the fact that Apple pushes users to upgrade iOS as fast as possible when a new version is out, and stops supporting older devices, and you have a platform that other vendors should emulate for security reasons if they want to sell into the enterprise.
That's the kind of thinking enterprise IT solutions vendors should show, rather than fobbing off customers with an antivirus or security product that lulls them into a false sense of security.