When hackers broke in to the New York Times' network, evaded its anti-virus software and began plundering its computer systems, it highlighted a rather uncomfortable truth: Anti-virus software is not that good at keeping systems secure.
That means that any company that relies on an anti-virus package to secure its endpoints is exposing itself to a huge security risk. "To some extent the problem is the fault of the security industry who have been selling these products," says Graham Cluley, a senior technical consultant at anti-virus vendor Sophos.
Anti-virus products don't have magic powers; you still have to worry about security. While anti-virus software is good at spotting known malware by matching its digital signatures with a signature database, the type of sophisticated hackers that are believed to have masterminded the New York Times attack would likely write new exploit code that no anti-virus product would have ever seen before.
And it appears -- though this is not certain -- that the New York Times was relying on the signature matching protection of Symantec's anti-virus product to maintain the security of its systems. In a statement after the attack was publicized, Symantec said in a statement: "Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough."
Most anti-virus products -- including Symantec's -- go beyond signature based protection by offering generic protection against malware types that are similar to specimens that have been seen before, and by offering behavioral protection which detects when software demonstrates suspicious behavior such as changing certain registry settings or causing a buffer overflow.
But this more sophisticated anti-virus protection is also not sufficient. Here's why: In a nutshell, whether or not a given anti-virus product will detect a piece of malware is entirely predictable.
All a hacker has to do when designing a piece of malware is run it on a computer with that anti-virus product to see if it will be detected. If it is, then the hacker can modify the code until the anti-virus software no longer detects it.
So what should a company do to protect its endpoints? The answer is to deploy several layers of security measures to reduce the risk of compromise. Some of these are included in security "suites" sold by anti-virus software vendors in addition to their core anti-virus products.
7 Ways to Discourage Hackers
These seven practices -- one of which doesn't even involve software -- should discourage hackers:
- Anti-virus software. While anti-virus software alone is not enough, it certainly has a role to play in catching known malware, spotting malicious behavior, and checking the reputation of unknown files and URLs to see if they have been blacklisted.
- Personal firewall. Most desktop operating systems include a personal firewall of some sort. It's important that this is used in addition to the corporate firewall to protect against internal threats -- perhaps from hackers who have infiltrated the network and are already inside the network perimeter.
- Encryption. Many hackers attempt to infiltrate corporate systems to steal (or modify) data such as intellectual property, proprietary information and confidential items such as tender documents. It therefore makes sense to encrypt such data so that it has no use to hackers even if they are able to access it.
- Update management software. Sophisticated hackers discover new vulnerabilities in operating systems and application software, which they exploit to get a foothold in corporate systems. But many hackers use known vulnerabilities which haven't been updated or patched to make them secure. For that reason it's vital to have an effective process in place for applying updates and patches to endpoints as soon as they are available. Update management software runs an inventory of all the software installed on a system on a regular basis and installs patches or updates automatically. It may also flag any software that has known vulnerabilities for which a security patch is not yet available.
- Data loss prevention (DLP) software. Available as a standalone product or part of many security suites, DLP software is designed to spot when sensitive data such as credit card numbers or entire databases are leaving a system and going out over the Internet. Although hackers can attempt to bypass DLP software in many ways (such as encrypting the data themselves before exfiltrating it), it is still a worthwhile layer of protection to put in place.
- Password managers. Employees should always use long, random passwords to access corporate resources or cloud services. Since these passwords are impossible to remember, it's sensible to use a password manager application which can generate long passwords, store them in an encrypted database, and enter them when appropriate after the user has supplied a single master password. An added benefit of using a password manager is that it provides an element of protection against phishing sites. That's because a password manager will automatically enter the correct password for a given intranet or Internet site, but will spot when a user attempts to access a replica phishing site at a false URL.
- Training. Arguably the simplest way for hackers to gain access to resources on corporate systems is to bypass security software. They do this by using social engineering techniques to trick users into divulging passwords and other security details. Training programs that raise awareness about these techniques and how to spot social engineering phone calls or emails can reduce the likelihood that a social engineering attack will succeed.
A determined group of skilled hackers sponsored by a foreign state such as China will likely be capable of penetrating any defenses that you put in place, given enough time and resources. But that doesn't mean there is no point in bothering with anything more than the most rudimentary signature-based anti-virus protection.
"By applying these layers of security, what we can do is reduce the risk that a system is compromised," Cluley says.
Paul Rubens has been covering IT security for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.