As security professionals, we continuously face the challenge of ever smaller budgets allocated to maintaining and improving IT security. That’s probably the main reason why there is always the temptation of “Free”. Many people, sometimes even professionals, think that they can achieve good security for free. “For free” means in this context that some programs used to achieve and improve security don’t cost any money to acquire. Unfortunately, the cost analysis stops at the acquisition and ignores other costs such as installation and maintenance.
But is it possible to cover all the possible attack vectors with free security products? I made a short analysis of the most common ways used to endanger IT security and of whether it is possible (to the best of my knowledge) to cover them with free tools. I am ignoring social engineering techniques as, most of the time, they can’t be combated with tools.
The security landscape changes continuously and you have to be fully protected against the most common attack vectors:
1. infections through files carried on USB sticks, memory cards, mobile hard drives, downloaded files
2. network attacks (spoofing, DoS)
3. vulnerabilities that get exploited in common software
4. drive-by downloads
5. identity and financial theft through phishing websites
6. spam and phishing emails
There are definitely other components that influence the security of a computer or a network. I can’t cover them in this article, even if they are straightforward. Backup is one example. I consider it a special category, as it is not directly related to malicious attacks. Even so, there are plenty of free offline and online backup programs.
The most basic security solution has to be able to protect the computer in real time against all types of malicious software that get transmitted as files (most common malware).
A free antivirus solution does this job without any problems (covers attack vector 1).
Enhancing this solution with the Windows Firewall or other free firewalls adds a second layer of protection against network attacks (covers attack vector 2).
In the last two years one of the most common infection paths was through vulnerable software. There are good free solutions available that help you at least to know that you have vulnerable software installed on your computer (covers attack vector 3). Some even patch the vulnerable software for free.
Covering attack vectors 4 and 5 is possible as well. There are tools (available as toolbars or browser plugins) that filter the websites visited before the user is able to become infected.
The tech-savvy user can even use a free DNS filtering solution to prevent the computer from even being able to address many of these threats. However, these solutions don’t protect you against all the ways that exist to get malware onto your computer through an infected website.
Unfortunately, I don’t know of any free solution available to filter emails against spam, phishing emails and malicious files attached to emails.
So, it seems quite easy to protect a computer and not pay anything.
At first glance.
There are, however, hidden costs, which many people tend to ignore. These costs are not acquisition costs. They are not even easily visible.
Usually, the free solutions don’t contain all the security features that the paid solutions contain, so you can’t benefit from the full security offered by the product if you are using the gratis version. Sometimes the updates are delivered with some latency compared to the paid versions; in other cases the free users are used as testers until the software is stable enough for the paying customers. So, your computer becomes a test object for a security solution which should provide security.
Another aspect is the maintenance of all these independent solutions, which can be pretty intensive and sometimes also extremely complex (updates and upgrades from one version to another can be problematic if you have to do them for each product individually). Having separate solutions also means that these programs will consume more resources (CPU, RAM, HDD) than when they are combined in one solution (as a suite of products). It also means that there is no global knowledge of the threats shared between the components that are protecting individual areas. In other words, the scanner will not know that the file being scanned was just downloaded from a website and is potentially dangerous. The consequence is that no entity puts the pieces of information together, thus resulting in your computer getting infected.
Sometimes there is no official support whatsoever for the free solutions, or there is no guarantee that the authors of the software will help solve possible issues. So, if you have a problem or a question, your only option is to check whether there are free forums where somebody has already posted a solution to your problem, or to ask the question yourself and hope that someone helps. This might be very time-consuming and sometimes impossible to implement if you are not into technology.
There is no guarantee that the free software will not be discontinued at some point in time. Not paying anything means that you have no rights to require extended support or any guarantees.
Last but not least, the free solutions are sometimes ad-sponsored. Even if this is starting to become generally accepted because of the millions of free apps for mobile devices, some people see this as unacceptable.
As a general conclusion, it is true that it is possible to achieve a decent degree of security without any acquisition costs. However, there are drawbacks and there are hidden maintenance costs. For those who are interested in having software that works for them and not the other way around, it is advisable to get a paid security solution that covers all the relevant attack vectors and offers a decent quality of service.