Protect Your Assets

Neal B. Custer: Your antivirus can't guard against all attacks

President of Reveal Digital Forensics & Security, a subsidiary of Custer Agency Inc. and an adjunct professor at Boise State UniversityMay 21, 2014 

0314 BI Neal Custer.JPG

Neal Custer

STATESMAN FILE

Since the dawn of the Internet, antivirus software has been a staple of the computing environment.

From the moment that malware evolved to propagate itself not over floppy disks but through the Web, having something around to catch and remove those nasty digital diseases has been a necessity.

Users trust their antivirus products to keep them safe. After all, why run them otherwise?

However, this sense of trust may be misplaced. Users often assume that they are secure if they run the latest versions of their antivirus of choice. This could not be further from the truth.

To understand this, it is important to know how an antivirus actually identifies malware.

It doesn't matter whether a piece of malware is a rootkit (which allows someone to take control of a computer without detection), a trojan (a destructive program that appears benign) or a worm (which replicates itself to spread to other computers). It's still software. On the most basic level, it makes specific requests from the processor, allocates memory in certain ways, and requests that the operating system perform certain functions.

It is necessary to deem that behavior as "malicious" before it can be picked up by an antivirus. This is not an easy process. It requires either a manual review by a professional malware researcher, who examines a previously unknown sample and then adds it to the antivirus program's database, or a heuristic analysis, where the software automatically analyzes programs for behavior patterns that have been seen in previous viruses.

Considering that more than 300,000 new viruses are released each day, the manual-review process is a permanently uphill battle. For every virus found and documented by a researcher, thousands more go undetected. Likewise, heuristic analysis may be automatic, but it still relies on documented attack vectors used by previous viruses.

New malware using previously undocumented methods of exploitation will not be detected through heuristic analysis, and unless a sample is submitted to an antivirus vendor and manually examined, will likely exist in the wild - potentially for years - before ever being picked up by a virus scan.

With these facts in mind, it is easy to see why simply relying on the presence of antivirus software does not constitute true security. If an organization is specifically targeted for a cyberattack, and if the attackers feel the target is worth investing some effort and resources into, they will likely use a custom virus specifically for that event. If this custom virus does not share code or attack methodology with previous viruses, it will walk right through the metaphorical front door with a nod and a wave from the antivirus.

True security involves much more than simply keeping a program up to date and hoping that it will guard your digital activity. Businesses need to consider every possible angle of attack that cybercriminals can use to exploit them, and software is only one. Relying on antivirus alone is like riding a bicycle with gloves but no helmet. We might be protected in certain ways in the event of a catastrophe, but by no means are we completely guarded against injury.

So what other angles of attack can cybercriminals use? Hardware, physical, social and psychological, to name a few.

A hardware-based attack might involve physical devices installed on your network, or hardware keyloggers connected to key machines.

A physical attack could be as simple as walking through the front door, distracting the receptionist and inserting a malware-loaded thumb drive into her machine.

A social attack is the result of poor or nonexistent information management on the part of a company, leading to a situation where an attacker can do extensive research to plan the attack.

The fourth angle of attack mentioned above - psychological - is where most of the weaknesses exist in the overall security of any given business. This is the realm of social engineering.

Suppose an attacker wants to get a trojan on the internal network of a particular business. He obtains a list of 500 company employees by checking the "likes" on the company Facebook page (a social attack), determines the email format as "first_last@company.com," and crafts a list of targets. Instead of sending an email from his own email address, he takes the name of the head of IT - available on LinkedIn - and creates a Gmail account that appears to belong to this person. Then he sends out an official-looking request to the 500 targets, asking for remote access using a legitimate program for routine maintenance. If just one target falls victim to this exploitation of trust, the attacker can install a more robust remote access tool and begin to compromise the network, just from that one infected machine.

This psychological attack uses all legitimate software, and it has no exploit vector that can picked up by antivirus. It manipulates trust. Providing social-engineering training is an a absolute requirement in the modern age. Employees need to be given the skills and knowledge to stay vigilant against threats.

Likewise, business owners need to be aware that cybersecurity is a battle that does not take place on one front alone. The most advanced antivirus in the world is powerless against attacks that are not purely software-based.

Keeping an antivirus installed up to date is important, but focusing on software solutions alone is like building a house with one wall.

You might be protected in a single direction, but unless every possible angle is addressed, there is no security whatsoever.

Written in collaboration with information security expert Dylan Evans, Reveal's vice president of operations.

neal@custeragency.com

Idaho Statesman is pleased to provide this opportunity to share information, experiences and observations about what's in the news. Some of the comments may be reprinted elsewhere in the site or in the newspaper. We encourage lively, open debate on the issues of the day, and ask that you refrain from profanity, hate speech, personal comments and remarks that are off point. Thank you for taking the time to offer your thoughts.

Commenting FAQs | Terms of Service