3

How to explain to traditional people why they should upgrade their old Windows XP device? The interesting point made in the highest-upvoted answer to this question is that a fully patched OS is largely insignificant for the security of an 'average home elder'. On the other hand, regular backups and AV software are essential.

While I do understand the point about backups, the point about patches vs AV is surprising to me precisely because I was usually told the opposite.

Usually, I was told that for the security of a home user, the first points to consider are:

  • Full disk encryption (defense against device theft)
  • Password managers that allow one to stop reusing passwords (defense against hacked websites)
  • Fully patched software and an enabled firewall (defense against malware, especially the kinds that infect the computer without the person's knowledge and consent)
  • Backups (defense against hardware failure and attacks that somehow slip through the other lines of defense)

Antivirus software, while still important, nonetheless is dead last on the above list because:

  • The main purpose of AV is to defend against well-known, indiscriminate threats. This, as I understand it, often means threats that would be stopped either by fully patched software or by the user's diligence (do not run unknown executables, do not click on links in phishing e-mail, ...) in the first place. Even more, fully patched software paired with the user's diligence will be able to stop far more threats than AV.
  • AVs slow the computer down and open up an attack vector of their own.

Sources (examples): 1, 2, 3

Of course the user's diligence cannot be relied upon (many claim the human is the weakest link in any security system), especially in the case of home elders, so I'm not going to argue that AV software is not important. It's just that I cannot see how a fully patched OS can be less important here.

Note that since we're talking about the 'average home elder' I do not consider it a realistic scenario that they are personally targeted. However, I should note that I've been told about a case where a hacked website of a parish was installing malware on its visitors' computers. For this reason I'm not sure if it is possible to rule out drive-by downloads.

gaazkam

3 Answers

6

Your thinking is correct when considering this from a technical information security perspective. Your post states "It's just that I cannot see how can fully patched OS be less important here?". It's not.

The question you linked is about communication, not the technical best practices for securing an endpoint. The upvoted answer to that post is trying to address the problem of communicating to a user that an ancient, unsupported OS is a bad idea.

To a relatively skilled attacker, AV on an XP device in 2020 would be a minor hurdle/nuisance (if I were the attacker I would consider it basically a non-issue), while a fully patched endpoint with the latest OS release and the security best practices you mention (backups, local firewall, pw manager, etc.) would be a far greater challenge to own. I also agree with you placing AV last on the list.

deletehead
  • I'm sorry but I'm reading and re-reading your answer and the answer to the question I linked over and over again but I can't see your point. That answer, as I understand it, repeatedly makes the point that for an 'average elder home user' fully patched OS is **indeed** far less important than AV, so these 'average elder home users' are **right** to refuse to upgrade. – gaazkam Jan 23 '20 at 14:39
  • I don't 100% agree with the entire answer, just the high level. It may help to consider the simple form of the issue: Q: "How to explain to traditional people why they should upgrade their old Windows XP device?" A: "Forget talking about security, [and discuss the compatibility/usability of the device as that is what will convince them]" The focus of the Q and A is about communication, not security best practices. Personally I believe it was upvoted so much because the simple answer to the communication question was addressed. I understand the confusion indeed! – deletehead Jan 25 '20 at 15:55
  • Also, I can't speak for whoever upvoted that answer, but I did not upvote it because of the confusion it introduced causing you to ask a clarification question, and because there are many things that I don't agree with based on my hands-on experience. _If_ the answer simply stated "To communicate the need to upgrade XP to an elderly individual, discuss with them the usability/compatibility disadvantages such as XYZ" instead of making claims about risk (some of which are, in my experience, false), I would have upvoted it because it addressed the question of communication. – deletehead Jan 25 '20 at 16:12
1

For the typical security-illiterate, the biggest threat to their local machine security is from Trojans, not worms. A fully patched system provides no protection whatsoever against people who go to download some porn or warez, see a link for <title-of-the-thing-you-are-downloading>-fast-downloader.exe, and run it. Then there's the toolbars, the "hot dancing teens on your desktop"-style things, and of course the cracked software (or tools to crack software) itself.

When such people do get worms, they're usually not delivered through vulnerabilities but rather through social engineering. To use a highly-dated but still painfully relevant example, no amount of OS patching would have saved people from the "ILOVEYOU" email worm. People subject their online accounts to the equivalent of this every day; have you ever seen friends posting a Facebook ad for unreasonably steep sales on brand-name products at really sketchy URLs? Patching their OS (or their browser) isn't going to save them from installing a malicious FB app or browser extension.

AV isn't going to fully solve the dancing bunnies/dancing pigs problem but it'll go a LOT further than mere OS patching will. That's not to say OS patching isn't important, of course - it absolutely is - but if you block all incoming connections and most third-party web content such as ads, use a browser with support for reasonably-modern TLS protocols and stick to HTTPS, avoid the sketchier parts of the web, and don't download anything executable from any but the most trustworthy sources, you could probably still safely use XP today. It'd be a stupid risk, but you'd have a decent chance. AV isn't a substitute for all those precautions, of course - even a full "security suite" doesn't come close - but it aims to be.

CBHacking
1

For the average user, an up-to-date antivirus is essential, because the main threat usually lies between the keyboard and the chair. Having an up-to-date and patched OS and software is important regarding external threats only when the system is used carefully. On server systems, having only a few active services and no direct user, an antivirus is rather useless, and only makes sense to protect other users against uploaded files.

But most end users cannot refrain from clicking on a link that promises the best game they have ever played. And the most up-to-date system will not prevent the user from installing rogue software, because in addition, most end users have admin privileges.

So my advice is that the relative importance of anti-malware tools and a patched system depends on the education of the user regarding security best practices. The more the user respects security best practices, the less important the anti-malware tools.

Despite seeing myself as a well-educated user (regarding IT security), I still have an antivirus on my system. And it detects far less than one threat a year...

Serge Ballesta
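The question and the two later answers between them name a concrete checklist (patch status, firewall blocking inbound, AV with current signatures, full disk encryption, and whether the daily account is an administrator). The script below is an added example, not code from any of the posters: a read-only PowerShell audit that reports each of those controls on a current Windows host so the relative-importance debate can be checked against an actual machine. It assumes Windows 10/11 with PowerShell 5.1 or later and the built-in NetSecurity, Defender, BitLocker and LocalAccounts modules; the 7-day, 60-day and version thresholds are my own constructed values, and `Get-BitLockerVolume` needs an elevated prompt.

```powershell
# Added example (not from the question or any of the answers): a read-only audit
# of the endpoint controls the page argues about, for a current Windows host.
# Assumptions (mine, not the page's): Windows 10/11, PowerShell 5.1+, and the
# built-in NetSecurity, Defender, BitLocker and LocalAccounts modules; run from
# an elevated prompt so BitLocker status is readable. The 7-day, 60-day and
# version thresholds are constructed for illustration. Nothing is changed on
# the machine; every function only reports.

function Test-DailyUserIsLocalAdmin {
    # "Most end users have admin privileges": check group membership of the
    # logged-in account rather than the current token, so that running this
    # script elevated does not skew the answer.
    $me = "$env:USERDOMAIN\$env:USERNAME"
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    return [bool]($admins | Where-Object { $_.Name -eq $me })
}

function Get-OsPatchStatus {
    # An OS line that no longer receives patches (XP in 2020) fails regardless of AV.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $latest = Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    $lastHotfix = $null
    if ($latest) { $lastHotfix = $latest.InstalledOn }
    [PSCustomObject]@{
        Caption    = $os.Caption
        Version    = [version]$os.Version
        LastHotfix = $lastHotfix
    }
}

function Get-FirewallStatus {
    # "Block all incoming connections": each profile should be on with inbound blocked.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
}

function Get-AvStatus {
    # AV sits last on the list, but stale signatures make it worth nothing at all.
    $mp = Get-MpComputerStatus
    [PSCustomObject]@{
        Enabled          = $mp.AntivirusEnabled
        RealTime         = $mp.RealTimeProtectionEnabled
        SignatureAgeDays = $mp.AntivirusSignatureAge
    }
}

function Get-DiskEncryptionStatus {
    # Full disk encryption: the defence against device theft named in the question.
    Get-BitLockerVolume | Select-Object MountPoint, VolumeType, ProtectionStatus
}

function Invoke-EndpointHygieneAudit {
    $findings = New-Object System.Collections.Generic.List[string]

    $os = Get-OsPatchStatus
    if ($os.Version -lt [version]'10.0') {
        $findings.Add("OS '$($os.Caption)' is below Windows 10 and no longer receives security patches.")
    } elseif (-not $os.LastHotfix -or $os.LastHotfix -lt (Get-Date).AddDays(-60)) {
        $findings.Add("No hotfix installed in the last 60 days (last: $($os.LastHotfix)).")
    }

    foreach ($p in Get-FirewallStatus) {
        if ("$($p.Enabled)" -ne 'True' -or "$($p.DefaultInboundAction)" -ne 'Block') {
            $findings.Add("Firewall profile '$($p.Name)' is off or does not block inbound by default.")
        }
    }

    $av = Get-AvStatus
    if (-not $av.Enabled -or -not $av.RealTime) {
        $findings.Add('Antivirus or real-time protection is disabled.')
    } elseif ($av.SignatureAgeDays -gt 7) {
        $findings.Add("Antivirus signatures are $($av.SignatureAgeDays) days old.")
    }

    foreach ($v in Get-DiskEncryptionStatus) {
        if ("$($v.ProtectionStatus)" -ne 'On') {
            $findings.Add("Volume $($v.MountPoint) ($($v.VolumeType)) is not protected by BitLocker.")
        }
    }

    if (Test-DailyUserIsLocalAdmin) {
        $findings.Add('The daily-use account is a local Administrator; anything it runs by mistake runs as admin too.')
    }

    [PSCustomObject]@{
        Host     = $env:COMPUTERNAME
        Findings = $findings.ToArray()
        Passed   = ($findings.Count -eq 0)
    }
}

Invoke-EndpointHygieneAudit | Format-List
```

Each finding maps back to one of the controls discussed above, and the order of the checks mirrors the question's priority list rather than the answers' (patching and firewall first, AV after). The admin-membership check deliberately looks at the Administrators group rather than the current token, because an audit run from an elevated prompt would otherwise always report the account as an administrator.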