13:00 CET, 9th May 2014 By Morten R. Stengaard, Secunia CTO.
Brian Dye, Symantec's senior vice president for information security, just recently declared antivirus "dead", estimating that antivirus now catches just 45% of cyber-attacks, according to the Wall Street Journal.
I couldn’t agree more– and it is good to have an unequivocal statement from a major stakeholder in the industry, identifying a serious problem for businesses and private users alike. What they need next is an understanding of how to make up for the shortcomings of antivirus, firewalls and other traditional technologies.
At Secunia, we have, for years, been urging both private users and businesses to take a proactive approach to security, rather than a reactive approach, which traditional security technologies such as antivirus (AV) represent. What we mean by that is that, while AV and the various behavioral malware detection technologies that have evolved over the past years focus on identifying malware already on your PC, they only detect and alert you to what has already made it on to your computer. And then you have to chase it down and deal with it.
A proactive approach, on the other hand, ensures that malware doesn’t get on to your system in the first place.
Secunia’s solution for proactive security is to patch software vulnerabilities and thereby eliminate the root cause of many security issues by closing the entry points malware uses as attack vectors. By exploiting software vulnerabilities in IT infrastructures, hackers are able to gain access to systems, compromise security and steal data, so if you can patch the vulnerabilities, and prevent hackers gaining access in the first place, you won’t need to chase 'ghosts' throughout your machines to eliminate the threat they then pose.
To be clear, antivirus is not completely superfluous. But it is not enough – a fact which we have been arguing for years.
Data control and data classification
While patch management and vulnerability management are certainly important aspects of security, these are not the combined solution to end all your security issues. Another important security measure is data control and, with it, data classification.
When it comes to data handling, to me a proactive approach to security means ensuring that the least amount of data is available on as few devices as possible, so that when – not if – a security breach happens, you expose as little information as possible to the attackers.
Essentially, businesses need to control their data better than they do today, cultivate security best practice awareness within the organization, and have a realistic approach to how employees go about their jobs and their lives. It is not an easy task, especially with the fast-paced and highly competitive industries many companies are engaged in, making business effectiveness and efficiency a priority – which does not necessarily correlate positively with security best practice– but there is no way around it.
Employees are bringing their own devices to work, and are interchangeably using private and corporate devices for private and corporate activities. While the benefits are many to both employers and employees – the mutual flexibility and accessibility, to name the obvious ones – BYOD policies represent a double-edged sword: there are substantial security concerns involved in this merge of the private and the professional spheres.
You cannot keep employees from bringing and using their own devices in this day and age, if you want them to perform. Therefore, organizations need to formulate, introduce and uphold clear security policies in order to control their data.
Employees need to have access to the programs and the information that they require in order to perform and do their jobs. But because employees' private devices operate beyond the company’s security controls, it can be assumed that these private devices are, by default, insecure. Consequently, it is advisable to limit the access from private devices to sensitive company data and programs – access should only be granted from corporate-managed devices.
In order to exercise data control – i.e. what programs and data users have access to from their various devices – businesses need to exercise ongoing risk assessment of their data.
Data needs to be continuously classified into categories, with clearly specified criteria regarding who can access it and from which devices. When do employees need access to their emails? And what are the consequences if the device is compromised? When do they need access to customer data? And what are the consequences if malicious people gain access to said data?
It is up to the individual organization to make these judgment calls. And once the data has been classified, to decide how access should be limited.
The top-level definitions could be:
No access from any private devices.
Not publically available data/information
Some access from certain private devices.
Publically available data/information
Access from private devices.
You can make you own classifications and controls, but there is no question that endpoint security – or lack of it – is a major issue and a big threat to corporate security. And vulnerable software on these endpoints is a popular attack vector with hackers.
So you need to secure those endpoints – with AV, firewalls, patch management, vulnerability intelligence, user awareness and data control.