Anti-virus alone is a poor strategy

Content Copyright © 2010 Bloor. All Rights Reserved.
Also posted on: Security Blog

Computer viruses and other malware, such as worms, trojans and spyware, are rife and can cause tremendous damage to the systems they infect. Because of this, anti-virus (AV) technology is one of the most commonly deployed security controls, used by the vast majority of computer users, from individuals to large organisations. According to the 2009 CSI Computer Crime and Security Survey, more than 99% of respondents have AV technology deployed.

Having been on the market for some years, AV technology comes in a wide variety of forms, from standalone tools to AV bundled into security suites that integrate a range of other security controls. Many standalone tools are offered free of charge and provide only basic protection. According to OPSWAT Inc, in its Worldwide AV Market Share Report of June 2010, free AV tools account for 42% of the total market.

Even with AV technology so widely used, malware infections were cited as the worst security incident faced by respondents to the CSI survey, and they are growing in both number and complexity. This is echoed by the Information Security Breaches Survey 2010, commissioned by Infosecurity Europe, which found that 62% of large organisations surveyed had been infected with malware in the previous year, up from 21% three years earlier, and 43% of small organisations, a three-fold increase over the same period. Overall, malware infections were the cause of the worst security incident faced by organisations of all sizes over the previous year.

Such malware is growing fast in sophistication and complexity, often using variants of known families that have been modified just enough to get around the defences already in place. In mid-2010, technology vendor McAfee released research showing that 10 million malware samples had been added to its database during the first half of 2010 alone, the majority of them variants of known malware families. For example, it states that it is not uncommon to see more than 10,000 variants of the Koobface worm, which harvests information from users of social networking sites, in a single month. The complexity of newer malware can be seen in the Conficker worm, which combines a number of advanced techniques to make it harder to eradicate. Often introduced into computer networks via infected removable media, the worm blocks access to anti-malware websites, disables the automatic updates that could deliver a patch against it, and kills any anti-malware protection installed on the device. Its authors are also known to test Conficker against commercially available anti-malware defences to ensure that it can defeat them.

Factors such as these mean that traditional AV protection, based on signatures that recognise only threats already known to the vendor, provides little defence: a variant altered to evade the signature written for its parent goes unrecognised until a new signature is issued. This leaves users in an endless cycle of applying signature updates as they are released and cleaning up the infections that slipped through in the meantime, which often requires support from the AV vendor. And here is the rub. Very few free AV products include any kind of vendor support, and the cost of support can add a hefty price tag. Moreover, only some products provide protection based on detecting patterns of behaviour, the kind of detection that can identify a threat nobody has seen before, leaving users with large gaps in protection.
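The two preceding paragraphs make a concrete point that is easy to show in code: a hash-based signature stops matching as soon as one byte of a sample changes, while the things a Conficker-style infection does to the host (redirecting anti-malware and update sites, disabling the update service, stopping the on-access scanner) are visible regardless of which variant did them. The script below is an added illustration written for this page, not code from the article or from any AV vendor. It assumes, purely for illustration, that "blocking access to anti-malware websites" is done through hosts-file entries pointing vendor domains at a blackhole address (the article does not say which mechanism Conficker uses), and the vendor domain list, service names, hosts file, service snapshot and malware body are all constructed here.

```python
"""Signature matching versus behaviour checks on a constructed endpoint snapshot.

Added example for this page; nothing here is taken from the article or from a
real AV product. All sample data below is constructed.
"""
import hashlib

# Constructed: domains a malware sample might try to blackhole so that the
# victim cannot fetch signature updates or patches.
PROTECTION_DOMAINS = (
    "windowsupdate.com",
    "update.microsoft.com",
    "mcafee.com",
    "symantec.com",
    "kaspersky.com",
)

# Constructed: services an endpoint needs for patching and protection.
# (Service names are assumed for the example, not taken from the page.)
PROTECTION_SERVICES = {
    "wuauserv": "automatic updates",
    "BITS": "update downloads",
    "McShield": "on-access anti-malware scanner",
}

BLACKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def hosts_redirects(hosts_text):
    """Return (ip, host) pairs where a protection domain, or any subdomain of
    one, is pointed at a blackhole address in a hosts file."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            host = name.lower().rstrip(".")
            protected = any(host == d or host.endswith("." + d)
                            for d in PROTECTION_DOMAINS)
            if protected and ip in BLACKHOLE_IPS:
                hits.append((ip, host))
    return hits


def disabled_protection(services):
    """services maps name -> {"start": auto|manual|disabled, "state": running|stopped}.
    Report protection services that are missing, disabled or not running."""
    findings = []
    for name in PROTECTION_SERVICES:
        svc = services.get(name)
        if svc is None:
            findings.append((name, "missing"))
        elif svc["start"] == "disabled":
            findings.append((name, "disabled"))
        elif svc["state"] != "running":
            findings.append((name, "stopped"))
    return findings


# Constructed "known" sample and the one-hash signature database built from it.
KNOWN_SAMPLE = b"MZ\x90\x00constructed-malware-body-v1\x00"
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def signature_match(sample, db=SIGNATURE_DB):
    """Classic hash signature: exact match on the whole file, nothing else."""
    return hashlib.sha256(sample).hexdigest() in db


def make_variant(sample):
    """Flip one byte of the body: behaviour unchanged, parent signature defeated."""
    return sample[:-2] + bytes([sample[-2] ^ 0x01]) + sample[-1:]


def assess(sample, hosts_text, services):
    """Combine the two detection styles into one verdict for a host."""
    report = {
        "signature_hit": signature_match(sample),
        "hosts_redirects": hosts_redirects(hosts_text),
        "service_findings": disabled_protection(services),
    }
    report["behaviour_hit"] = bool(report["hosts_redirects"] or report["service_findings"])
    report["verdict"] = "infected" if (report["signature_hit"] or report["behaviour_hit"]) else "clean"
    return report


# Constructed snapshot of a tampered host (not a real capture).
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.example.local
127.0.0.1       www.mcafee.com
127.0.0.1       update.symantec.com   # added by malware
0.0.0.0         windowsupdate.com
"""
SAMPLE_SERVICES = {
    "wuauserv": {"start": "disabled", "state": "stopped"},
    "BITS": {"start": "auto", "state": "running"},
    "McShield": {"start": "auto", "state": "stopped"},
    "Spooler": {"start": "auto", "state": "running"},
}
HEALTHY_SERVICES = {name: {"start": "auto", "state": "running"} for name in PROTECTION_SERVICES}

if __name__ == "__main__":
    for label, sample in (("known sample", KNOWN_SAMPLE), ("one-byte variant", make_variant(KNOWN_SAMPLE))):
        r = assess(sample, SAMPLE_HOSTS, SAMPLE_SERVICES)
        print(f"{label}: signature={r['signature_hit']} behaviour={r['behaviour_hit']} -> {r['verdict']}")
```

Run as a script, the known sample is caught by both methods, while the variant is missed by the signature and caught only because the hosts file and service snapshot show the tampering. The behaviour checks are deliberately narrow and would need to live on a host-based control that the malware cannot simply stop, which is the same point the article makes about standalone AV being killed by the infection it is meant to catch.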

Many traditional standalone AV products, both free and paid-for, are also ineffective against newer, sophisticated threats that are often highly targeted and blend several mechanisms to make their payload more likely to succeed. For example, a user may be sent a personalised phishing email urging them to click on a link that leads to a website hosting malware. Many standalone AV products offer no defence against such attacks, as they neither block access to websites known to host malware nor provide proactive protection against phishing.

Anyone relying on legacy, standalone, signature-based AV controls risks becoming the victim of an attack that could cost them dearly. This goes beyond the cost of clearing up after an attack and the time and money spent patching devices or purchasing updated versions of the software. Javelin Strategy & Research estimates that more than nine million Americans have had their identities stolen through personal details harvested from internet applications or by other means.

According to the UK Home Office, identity theft costs the UK economy £1.2 billion per year.

That is not to say that computer users should not deploy AV controls. Rather, AV and other anti-malware technologies should be one component of a layered defence, alongside a host of other tools and services: a firewall and intrusion prevention capabilities, web filtering and blocking, email, phishing and spam protection and, for consumers, parental controls. These controls should be integrated and managed through a single central console or interface, including where the products are administered and managed on the user's behalf by a hosted service provider. For genuinely proactive protection against the full range of threats facing computer users, the provider should also offer threat intelligence services that identify previously unknown threats as they are encountered.

For any computer user–home users, small businesses or large organisations–the cost of the technology is a prime concern, especially as budgets are under pressure. But those costs need to be weighed against both the burden of maintaining legacy AV controls, including upgrading and vendor support costs, and the dangers of not having their systems adequately protected. The costs of remediating a security incident can far outstrip those of upgrading to better protection.

For many small businesses and consumers, a cultural change is required. The Infosecurity Europe survey referenced above shows that 83% of small organisations with fewer than 50 employees had experienced a security incident during 2009, up from 45% the year before, and that the average cost of clearing up after an incident for such organisations ranged from £27,500 to £55,000. Clearly it is not just large organisations that are being victimised.

The key to lowering such costs is to invest in multi-tier protection. Rather than assuming that it is sufficient to place security controls at the perimeter of the organisation, the cultural change that is needed is to start thinking of security in terms of the assets that need to be protected: sensitive personal information, intellectual property and the like that can be used for financial gain.
Organisations of any size, and consumers alike, should look to understand what impact the loss or compromise of such assets would have on their business or their personal life. Then they will be in a position to decide what controls need to be put in place to protect those assets from the whole gamut of threats facing computer users today. There are many hidden costs in anything that appears to be free or low cost and, in business, a bargain is rarely as good as it sounds.