Does anti-virus software make things worse?
According to the handy Wolfram Alpha search engine, some 24.5 years have passed since the introduction of the first Internet virus. And the first self-replicating malware to exist on the Internet’s precursor, the ARPANET had already made waves in 1971, itself practically forced into existence by the fertile imagination of science-fiction writers of the previous decade in turn based on computer science theories dating back to the early 50’s. In all that time, malware – a term that still doesn’t have the cachet and impact of the more popular ‘virus’ – has been getting smarter, meaner and greedier.
Today, I advise businesses on matters of security and carefully listen to the concerns of their leaders. These concerns inevitably revolve around … hackers, internal breaches, lost smart phones and USBs, policies, compliance and privacy, all of which are legitimate top-of-mind issues for every organization. But I find that while not forgotten, anti-virus technology is often relegated to the end of the list and I can’t help but wonder: are today’s businesses facing a false sense of security about anti-malware?
According to a recent Verizon study, 69 per cent (and rising) of breaches are caused by new malware, yet another study, this time by (potentially biased) security firm Imperva found that the detection rates of the top antivirus products was as low as 5 per cent. The independent results of AV-Test seem to more or less corroborate such findings, showing wildly fluctuating detection rates for all the tested products. And indeed, seeing good results for some products versus others may point to technologies that should be more deserving of trust, but in many cases, year-over-year results demonstrate shaky performance at best.
The risk of commoditizing security and privacy
How to spot counterfeit software
For my part, I wrote about the impending obsolescence of traditional anti-virus technology almost 3 years ago and even then it was clear that the status quo had been insufficient – particularly for business use – for some time. At the time I said that “patterns are where it’s at”. Instead of looking for the digital fingerprints of malicious gremlins, systems needed to evolve to detect the telltale signs of mischief. Unfortunately today’s malware has evolved to rapidly and state-sponsored development has pushed the envelope so much in terms of technological advancement (as demonstrated by mysterious ‘Flame’ and ‘StuxNet’ code) that businesses need to ask some very tough questions before renewing their annual software licences. For starters, business owners need to have at least a passing interest in the threats presented by modern malware. They should know that such software:
- Often originates on legitimate but infected Web sites
- Can install itself regardless of workstation policy restrictions
- Changes every time it replicates, making signature-based detection all but impossible
- Uses internal encryption to thwart detection and inspection efforts
- May lay dormant after patching an infected system to avoid drawing attention to itself
- Can be surprisingly insidious, going as far as to monitor keystrokes (keylogging) and mouse movements, commandeer audiovisuals (RATting) and even blackmailing users to return stolen data (ransomware)
- Will execute with the same privileges as the authorized user, making its activities seem legitimate
- Can burrow so deeply within the operating system that any well-intentioned detection effort doesn’t stand a chance
So if you want your business to stand a chance, forget about signatures. Everyone is doing it and their update intervals are down in the range of a few minutes, just to ensure they don’t miss an update. Unfortunately, the same big-name studies have found that in the increasingly unlikely cases where malware is detected in the wild, dissected and its signature tabulated, updates don’t become available for weeks or even months. In the recent case of Oracle and its decreasingly pervasive Java software, the company failed to fix security vulnerabilities for the better part of 3 years, leading to numerous flavours of malware being widely released to attack it and hijack global corporate and individual computers en masse. This led to the ignominy of having the US government recommend earlier this year that businesses and users avoid using the software and remove it as much as possible.
So what should your company be looking for in light of the fact that – let’s face it – malware developers are a couple of steps ahead? Keep it simple, but understand a few basic facts:
- If your firm depends on a single product for anti-virus protection, you’re a sitting duck
- Look to adopt layered protection by combining user awareness with intrusion detection systems
- Your business solution needs to be smart enough to prevent, detect and correct breaches, so in looking at your empty scanning logs, no news may not necessarily be good news
- Integrated suites are generally a bad idea since malware developers laboriously test their creations against the top brands before releasing them. Instead, opt for a more heterogeneous solution composed of products from multiple security technology vendors
If you have the authority to make important decisions for your business, then this is about as important as they come, so ensure that everyone understands the importance of protecting sensitive business data, especially the kind that customers have entrusted to your company. By being on the same page as your team and understanding the basics of the technology, you can deploy a security program and incident management process that will stand a chance against crimes of opportunity and targeted attacks alike. Otherwise, you may look at your empty virus detection logs and continue to struggle with the nagging feeling that you might be missing something important.