When the Blaster, MS/SQL, and Sobig worms made their appearance on the scene in 2003, one thing became clear: none of the worms was initially stopped with antivirus software.
According to a report issued in January 2004 by the Aberdeen Group, “The Internet worms of 2003 took advantage of common network channels and system vulnerabilities to deposit executable payloads on unprotected PCs and PC servers. These worms were able to gain access to resources on the local corporate network to subsequently infect other PCs and PC servers throughout the network.”
So what does this say about the efficacy of antivirus software? Can it help fight the newer strains of viruses?
John Verry, a consultant for the security firm of CQUR IT, told TechRepublic that “antivirus software by its very nature (signature-based detection) is a reactionary technology. Accordingly, any worm with the ability to replicate with the speed and efficiency of an MS/SQL will render antivirus ineffective to block the initial outbreak.”
Verry doesn’t believe the problem is with antivirus software, however, as much as it is with the Internet community’s inability to develop less vulnerable software and with the end-user community’s reluctance to rapidly patch vulnerabilities as they are discovered. (For more information on improving your patching practices, read “Quickly deploy Microsoft security patches with KiXtart login scripts.”) He said, “AV is still a critical piece of a well-layered security infrastructure and brings significant benefit relating to these worms as it prevents reinfection and is often the tool of choice for removing them.”
He added that the most effective way to prevent business disruptions from these newer worm variations “is to add ongoing Vulnerability Assessments and diligent Patch management practices to existing security efforts.”
The Aberdeen Group agrees that AV software is still effective as long as it’s part of a combination package; the challenge for buyers and suppliers in 2004 will be a package that delivers antivirus, PC firewalls, and antispyware. The PC firewall can “prevent inbound payloads from landing and sending unauthorized outbound communications to unknown locations.”
A couple of TechRepublic articles recommend and explain multilayered security approaches such as the one suggested by Aberdeen.
- In “A multilayered strategy helps neutralize internal security threats,” Brian Hook relays the opinions of security authority Jack McCullough about how to deal with internal security threats.
- In “The firewall in a multilayer security approach,” Mitch Bryant explains why firewalls are just the starting point for building a security fortress. He outlines false firewall beliefs and covers what a firewall can and can’t do.
For additional security tips, be sure to check out the member suggestions in the discussion following Mitch Bryant’s article referenced above. Member George Or suggests that a modern three or more port firewall with a stateful failover unit may be all you need as far as firewalls go. Or, as he explains, “According to Gartner’s stats, 99% of break-ins happen because of admin mistakes and overly liberal firewall rule sets. I tend to believe this because if I do an audit on all enterprise firewall installations, I’ll bet 90+ percent of them don’t have tight enough policies. For example, most people restrict inbound to their DMZ, but few restrict outbound from their DMZ.”
He ends by suggesting, “The most important thing to do is be diligent and constantly monitor your firewall logs and keep it patched for all known vulnerabilities. Having two brands of firewalls makes this more difficult, and, thus, overall security is weaker because of the human factor. Most companies are not going to hire both a Cisco expert and a Checkpoint expert. Hackers don’t need to exploit the firewalls most of the time; they exploit your servers through the holes that you open. The best solution is a well-designed single cluster with a tight policy set coupled with an intrusion detection system with shunning capabilities tied into your firewall.” You should explore the whole discussion thread to pick up some great tips.
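To make the point about DMZ egress concrete, here is an added example (not code from the article, the discussion thread, or any firewall vendor) that audits a rule list for overly liberal outbound policy from a zone. The vendor-neutral rule format, zone names, and addresses are assumptions constructed for the illustration; rules are evaluated in first-match order.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst: str      # destination address, or "any"
    service: str  # e.g. "tcp/25", or "any"
    action: str   # "allow" or "deny"

def audit_zone_egress(rules, zone="dmz"):
    """Return findings for traffic leaving `zone` (first-match semantics)."""
    findings = []
    default_deny_seen = False
    for pos, r in enumerate(rules, 1):
        if r.src_zone != zone:
            continue
        catch_all = (r.dst_zone, r.dst, r.service) == ("any", "any", "any")
        if r.action == "deny" and catch_all:
            default_deny_seen = True
            break  # no later rule can match traffic from this zone
        if r.action == "allow":
            wide = [f for f in ("dst_zone", "dst", "service")
                    if getattr(r, f) == "any"]
            if wide:
                findings.append(
                    f"rule {pos}: allow from {zone} with any {'/'.join(wide)}")
    if not default_deny_seen:
        findings.append(f"no catch-all deny for traffic leaving {zone}")
    return findings

# Constructed policy: inbound to the DMZ is restricted, outbound is wide open.
LOOSE = [
    Rule("internet", "dmz", "192.0.2.10", "tcp/443", "allow"),
    Rule("internet", "dmz", "any", "any", "deny"),
    Rule("dmz", "any", "any", "any", "allow"),
]

# Constructed policy: the DMZ may reach one database and one mail relay only.
TIGHT = LOOSE[:2] + [
    Rule("dmz", "internal", "10.0.5.20", "tcp/5432", "allow"),
    Rule("dmz", "internet", "198.51.100.25", "tcp/25", "allow"),
    Rule("dmz", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for name, policy in (("LOOSE", LOOSE), ("TIGHT", TIGHT)):
        print(name, audit_zone_egress(policy) or "no findings")
```
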
More is better
Most IT managers are finding out that no one element alone can protect their networks from malicious attacks. A multilayered approach is the real answer.