Catalyst Conference 2008




June 01, 2007

Malware - "Still not getting it!"

Blogger: Diana Kelley

At the end of the film "Harold and Kumar Go to White Castle," Harold, emboldened by 30 sliders and an evening of raucous adventures in New Jersey, decides it is time for him to face his fears and declare his affection for Maria. He announces his intentions to his friend Kumar, who, perhaps made sleepy rather than energized by the sliders, responds, "still not getting it!"

Like Kumar, it appears that IT is also, "still not getting it!" when it comes to malware. Case in point, the recently published CIO Insight survey reports that while only 12% of respondents reported that money or property had been stolen through electronic means, a whopping 48% of companies reported penetration by viruses, worms, and Trojans in the past 12 months.

48%. Essentially HALF of all reporting enterprises were hit by some form of virus or worm last year. In most cases, 52% success equals failure. And maybe it is for AV - but maybe not. Another data point - 33% reported that their companies had been penetrated by spyware or other malware. Now contrast these numbers with the fact that 99% of the companies spent money on AV/spyware/malware detection in 2006 and 97% plan to spend on AV/spyware/malware in 2007.

Hmmmm, we spent money on AV, it didn't work and half of us were penetrated, so let's keep spending! More must be better, right? Not to mention that many security assessments will mark down an organization for not having AV, the PCI DSS explicitly states AV must be on Windows machines in the payment ecosystem, and the generally accepted rule is that we're better off with AV than without it.

But is that true? Are we better off? What's the real cost of deploying and managing traditional AV products versus their overall effectiveness? Is AV worth that cost? I'm not talking about the standard hand waving of "oh signatures won't work," but a real shift in thinking. If the 52% represents real dollar savings over and above the cost to purchase and deploy the AV and that also outbalances the costs associated with the 48% penetrations - then it could be success from a bottom line perspective. But it might not be.

We know that 99% of the companies in the survey spent on AV last year, and half of them got hit. What we don't know is whether that money was well spent. What we need are metrics that compare attack rates for companies that use mitigating controls (such as perimeter and host firewalls, intrusion prevention and whitelisting) in lieu of AV and in addition to AV. We need a quantitative survey of the effectiveness of various measures. As far as I know, we don't have these yet. Let me know if you know of any.

We have an industry that continues to throw money at technology with a high penetration rate. What we don't have are numbers that tell us whether that rate is acceptable or not. What we are is, "still not getting it."


Comments

Malware security controls are just one component of a – pardon the cliché – “defense in depth” approach to security. For the most part, I think the big malware players do understand what is going on and try to offer value-add products – though a lot of it is bloat-ware.

I would argue that security governance of the desktop – or lack thereof – is partially to blame for a large percentage of the machines that are getting infected in companies that have a managed AV capability. Here is a perfect example of a situation I have observed:

Company A has 25,000 employees. This company has a fairly mature information risk management program in place: least privilege approach, policy exception reviews, risk reviews on everything except for when someone needs to use the restroom, etc. - the whole nine yards. However, 10,000 employees have admin access on their local PC. Now, how can a malware vendor be held responsible if Employee B with local admin disables his AV or something unintentionally (I am optimistic today), that results in some form of malware getting on his machine because of his elevated privileges?

Now granted, this is just an example but I think it offers some perspective. Also, now that Microsoft is a malware vendor, it will be interesting to see if they find themselves in an IE-like situation in the coming years. Will their malware software hook into the OS? Will they require certain security configuration on the PC in order for the machine to be adequately protected?
