
June 01, 2007


Chris Hayes

Malware security controls are just one component of a – pardon the cliché – “defense in depth” approach to security. For the most part, I think the big malware players do understand what is going on and try to offer value-add products – though a lot of it is bloat-ware.

I would argue that security governance of the desktop – or lack thereof – is partially to blame for a large percentage of the machines that are getting infected in companies that have a managed AV capability. Here is a perfect example of a situation I have observed:

Company A has 25,000 employees. This company has a fairly mature information risk management in place; least privilege approach, policy exception reviews, risk reviews on everything except for when someone needs to use the restroom, etc. - the whole nine yards. However, 10,000 employees have admin access on their local PC. Now, how can a malware vendor be held responsible if Employee B with local admin disables his AV or something unintentionally (I am optimistic today), that results in some form of malware getting on his machine because of his elevated privileges?

Now granted, this is just an example but I think it offers some perspective. Also, now that Microsoft is a malware vendor, it will be interesting to see if they find themselves in an IE-like situation in the coming years. Will their malware software hook into the OS? Will they require certain security configuration on the PC in order for the machine to be adequately protected?
