Wednesday, April 15, 2009

AntiVirus is like a CD Player

Your anti-virus client on your computer is much like a CD player these days. It was cool, at first. Everyone got one. They were "cool" for a while. Now your car comes with it and you can't figure out where to plug in your iPod.

I know there have been many, many blogs and articles that have said this, and even I have over the past year or so banged this drum too - but AntiVirus is simply a relic technology. Want proof? Go read the Verizon 2009 Data Breach Investigations Report (summary here).  One of the things that immediately stands out to me is that a staggering percentage of cases (38% of the total investigated) were "hacked" by malicious software (malware).  That's a mind-boggling number.

Couple this with the fact that both SRA International and Heartland Payment Systems were "hacked" by what was referred to as "malicious software strategically placed on their systems"... and you have a very, very serious problem brewing.  The issue is exacerbated by the fact that corporate security still sees "antivirus" as a reasonable stop-gap for combating these types of threats.

I can't tell you how many people simply nod their head and smile when they hear me rant about how I hate the agents that continually get added to my corporate laptop.  AntiVirus was the first, then because I research nasty things more often than most I added a few things on my own like "Anti-Spyware" and "Anti-Spam" and other stuff... then I doubled-up on my Anti-Virus protection and I think I've now got around 5 disparate agents which are all anti-.

Guess what folks - odds are that if your company is going to be the target (and I specifically say "target" here for a good reason) of a malware plant - you're still screwed.  I specifically say "target" because the run-of-the-mill malware that's circulated for days or weeks typically *can* be caught by standard anti-malware agents these days... but targeted attacks using custom-written malware... you're screwed.

The answer?  I don't know of a good one, unfortunately.  I can tell you that best practices such as keeping your users out of the local Administrators group still work pretty well.  Filtering and limiting what people can reach from their office computers works pretty well.  I'm sure there are many other counter-measures out there too... but education wouldn't hurt.
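The "don't let users be local admin" control only works if you can prove it holds. The script below is an added example (not from the original post) that audits the local Administrators group on a Windows box against an expected baseline and flags anyone else. It assumes an elevated PowerShell 5.1 or later session (for Get-LocalGroupMember); the accounts in $Expected are placeholders standing in for whatever your organisation actually sanctions.

```powershell
# Added example, not part of the original post.
# Audits local Administrators membership against a baseline and reports drift.
# Assumptions: elevated PowerShell 5.1+; $Expected holds placeholder names that
# you replace with your own sanctioned accounts and groups.

$Expected = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin (placeholder baseline)
    'CONTOSO\Domain Admins',             # placeholder domain group
    'CONTOSO\Workstation-Admins'         # placeholder delegated-admin group
)

function Get-UnexpectedLocalAdmins {
    param([string[]]$Baseline)
    # Get-LocalGroupMember reports Name as DOMAIN\account or COMPUTER\account.
    # -notcontains is case-insensitive in PowerShell, so 'contoso\Domain Admins' still matches.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    $members | Where-Object { $Baseline -notcontains $_.Name }
}

$unexpected = Get-UnexpectedLocalAdmins -Baseline $Expected
if ($unexpected) {
    Write-Warning "Local Administrators members outside the baseline on $($env:COMPUTERNAME):"
    $unexpected | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
    exit 1   # non-zero so a scheduled task or config-management run can alert on drift
} else {
    Write-Output "Local Administrators membership matches the baseline on $($env:COMPUTERNAME)."
}
```

Run it from a scheduled task or your configuration-management tool and treat a non-zero exit as a finding. If Get-LocalGroupMember errors out on an unresolvable SID (an orphaned member left behind by a deleted account), that is itself something to clean up rather than suppress.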

Bottom line is this... stop adding anti- agents to your machines... if the battle is on your doorstep, it's lost already.
