<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
xmlns:rawvoice="http://www.rawvoice.com/rawvoiceRssModule/"
>

<channel>
	<title>The Security Catalyst&#187; virus</title>
	<atom:link href="http://www.securitycatalyst.com/tag/virus/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securitycatalyst.com</link>
	<description>harnessing the human side of security</description>
	<lastBuildDate>Wed, 25 Jan 2012 15:57:57 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
<!-- podcast_generator="Blubrry PowerPress/2.0.4" -->
	<itunes:summary>harnessing the human side of security</itunes:summary>
	<itunes:author>The Security Catalyst</itunes:author>
	<itunes:explicit>no</itunes:explicit>
	<itunes:image href="http://www.securitycatalyst.com/wp-content/plugins/powerpress/itunes_default.jpg" />
	<itunes:subtitle>harnessing the human side of security</itunes:subtitle>
	<image>
		<title>The Security Catalyst&#187; virus</title>
		<url>http://www.securitycatalyst.com/wp-content/plugins/powerpress/rss_default.jpg</url>
		<link>http://www.securitycatalyst.com</link>
	</image>
		<item>
		<title>When Burning Buildings Become Blasé</title>
		<link>http://www.securitycatalyst.com/2008/12/when-burning-buildings-become-blase/</link>
		<comments>http://www.securitycatalyst.com/2008/12/when-burning-buildings-become-blase/#comments</comments>
		<pubDate>Thu, 04 Dec 2008 21:39:51 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[virus]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=599</guid>
		<description><![CDATA[by Michael Starks Imagine if a building on every street started on fire every day. They are small fires, which cause relatively little damage, and are usually quickly extinguished by the sprinkler system. Every once in a while, the entire house burns down because the sprinkler system hasn&#8217;t been updated in over a year. Now imagine [...]]]></description>
			<content:encoded><![CDATA[
<p class="MsoNormal"><strong><a href="http://www.securitycatalyst.com/wp-content/uploads/2008/12/fire.jpg"><img class="alignleft size-full wp-image-971" title="fire" src="http://www.securitycatalyst.com/wp-content/uploads/2008/12/fire.jpg" alt="fire" width="150" height="150" /></a>by Michael Starks</strong></p>
<p class="MsoNormal">Imagine if a building on every street started on fire every day. They are small fires, which cause relatively little damage, and are usually quickly extinguished by the sprinkler system. Every once in a while, the entire house burns down because the sprinkler system hasn&#8217;t been updated in over a year. Now imagine that people have come to believe that this is normal and expected, that as long as you keep your sprinkler system updated, you should be OK. And if the sprinkler system does its job, the fires aren&#8217;t a problem.</p>
<p class="MsoNormal">While analogies are never perfect, this is the basic situation we have today with viruses and anti-virus software. Billions of dollars are spent in defending against viruses, with software ranging from simple desktop scanners to multi-tiered, enterprise-class anti-virus defense ecosystems. When they catch viruses and other forms of malware, we judge them to be successful. We run reports with nice graphs to show management, and as long as the viruses are being caught, we feel our information is safe.</p>
<p class="MsoNormal">While few dispute that anti-virus software is a necessity in a modern computing environment (particularly one that contains Microsoft Windows), fewer still frame anti-virus in the proper context. How many look at the number of viruses caught, juxtapose them with the effectiveness of the software in catching viruses, and make a plan to reduce the number of viruses detected? In other words, how many ensure the anti-virus software is working as intended, then work to reduce the infection rate?</p>
<p class="MsoNormal">Viruses and other malware are not simple problems to solve, but there are ways to reduce the number of infections that do not depend on the use of anti-virus software. Among them:</p>
<p class="MsoNormal">-Reducing the rights a user has to run and install software. Do your users run with Administrator rights by default? Why? If they&#8217;re not changing network settings, installing software and looking at logs on a regular basis, most people don&#8217;t need these rights as a part of their normal job.</p>
<p class="MsoNormal">-Educating users about safe computing. When a virus is detected, do you interview the user in an attempt to determine how the infection occurred? Viruses, at least for now, are not spontaneous phenomena. Something happens for that infection to take root. Usually, unsafe computing behavior is involved.</p>
<p class="MsoNormal">-Educating users about appropriate use. Are your users installing personal software or games (see #1), connecting to untrusted networks or surfing to personal web sites? To what extent are you willing to allow for these activities versus the cost of increased virus rates?</p>
<p class="MsoNormal">-Examining the choke points for data entering the network. While the perimeter is becoming increasingly porous, looking at data flow is critical in determining how infections occur. Do most occur from drive-by downloads, or are they due to e-mail attachments? By looking at data flow, protections can be put into place to reduce the chance of viruses entering the network.</p>
<p class="MsoNormal">Notice that all of the points mentioned involve process, education and analysis. None of them involve spending more money on more defense technology. While that may at times be the natural outcome of the process, it should not be the first reaction.</p>
<p class="MsoNormal">Anti-virus software isn&#8217;t perfect; in fact, the ability of anti-virus software to detect modern malicious code has been declining in recent years. While it is still needed, we need to look at our perception of its role in protecting information. Is it our first and only line of defense, or is it an alarm that something else has failed? By shifting our thinking to the root causes of infections, and by focusing on solutions to those problems, we can reframe anti-virus software as primarily IDS, rather than IPS. We can set goals for increasing the effectiveness of preventing malicious code, while simultaneously reducing the number of detections found.</p>
<p class="MsoNormal">Virus infections are an anomaly that we have been trained to accept as normal. By shifting our thinking towards anti-virus as a rarely activated sprinkler system, we&#8217;ll go a lot further towards keeping our information safe.</p>
<p class="MsoNormal"><span><em>Michael is an Information Security Professional specializing in host-based security, IDS, log analysis and compliance. He believes in applying basic security principles to an ever-changing threat landscape, and is currently exploring the various ways in which human behavior affects the success of security programs. He is a founding member of the Rochester, NY chapter of ISSA and has served for both ISSA and OWASP. He currently holds the CISSP, GSNA and A+ certifications. In his spare time, Michael enjoys spending time with his wife and daughter, and listening to early twentieth-century blues.</em></span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2008/12/when-burning-buildings-become-blase/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Don’t Ignore the Facebook Virus</title>
		<link>http://www.securitycatalyst.com/2008/08/don%e2%80%99t-ignore-the-facebook-virus/</link>
		<comments>http://www.securitycatalyst.com/2008/08/don%e2%80%99t-ignore-the-facebook-virus/#comments</comments>
		<pubDate>Fri, 08 Aug 2008 22:00:53 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[virus]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=504</guid>
		<description><![CDATA[By David E. Stern, CISSP Every day, dozens of new vulnerability or virus alerts are released to warn and inform the public. The IT community, including those in IT security, have become fairly numb to these alerts. For the most part, as long as patches are pushed out, and antivirus signatures are kept up to [...]]]></description>
			<content:encoded><![CDATA[<p><strong>By David E. Stern, CISSP</strong></p>
<p class="MsoNormal">Every day, dozens of new vulnerability or virus alerts are released to warn and inform the public. The IT community, including those in IT security, have become fairly numb to these alerts. For the most part, as long as patches are pushed out, and antivirus signatures are kept up to date, these releases make little impact. The occasional worm or botnet will grab headlines, but the accompanying vigilance soon fades. It’s an unfortunate consequence of the virulent Internet environment.</p>
<p class="MsoNormal">I have never had much interest in using my Facebook account, so when I saw the advisory relating to Facebook and Myspace virus activity, I let it fade into the background noise. In fact, my inbox was filling up with “silly” Facebook notifications to the point of annoyance, so I logged in with the intention of clearing out my connections. Taking stock of the large number of friend associations that I had led me to an AHA moment; EVERYONE uses Facebook.</p>
<p class="MsoNormal">Facebook isn’t just a toy for fiending teens. It is used by people of all ages on all of their computers, whether at work or at home. It is a fertile breeding ground and conduit for Web 2.0 content. In this case, it is the perfect launch pad for a worm: huge market penetration and a very large and mainly clueless wetware population.</p>
<p class="MsoNormal">The same can certainly be said about most other virus outbreaks. But in the case of Facebook, there are simply too many good reasons to make that fateful click. Users may think twice about falling for a phishing scam or even clicking on the dancing pig, but Facebook is the forbidden apple. I am not advocating taking any actions against Facebook use. The resulting effort would be a waste of time.</p>
<p class="MsoNormal">Consider the following example: A toy manufacturer announces a recall of a popular toy due to a dangerous chemical contained within. Your child doesn’t have the toy, but you will probably want to make sure that his school and friends don’t have it either.</p>
<p class="MsoNormal">Take the time to generate an internal email blast warning all employees to be extra careful. Spend a little more time looking at security logs. Finally, take a walk over to the help desk manager and ask him to keep an eye out for increased ticket volume.</p>
<p class="MsoNormal">Don’t ignore this one.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2008/08/don%e2%80%99t-ignore-the-facebook-virus/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

