In my last post, I talked about the dangers that the humble USB port can pose to the unsuspecting security administrator. I also suggested some possible ways of dealing with this often overlooked vector.
This time, I want to talk about one of my suggestions — whitelisting. It’s a technology that’s been around for a while now, but it’s something that antivirus companies probably don’t want you to know too much about.
Whitelisting takes a different approach to the malware problem. It involves the recording of all valid programs and prevents those not recognized from executing. As such, it can be used effectively not only against viruses and worms — but also against spyware and unauthorized applications.
Taken a step further, whitelisting can be applied to device control as well, preventing unauthorized devices from being connected to corporate PCs and laptops.
Think about it: If you went out shopping for a new burglar alarm today, what kind of features would you look for? Would you purchase one that triggers only when it detects a known burglar or felon in your house?
Or would you go for one that will sound the alarm whenever it detects someone moving about that it doesn’t know about?
The failure of traditional antivirus products
The white paper “The Extraordinary Failure of Anti-Virus Technology” quotes a Yankee Group report that 99 percent of companies have antivirus technology installed, yet 62 percent of companies suffered successful virus attacks. According to AusCERT (Australia’s Computer Emergency Response Team), the two most popular and deployed antivirus products failed to stop 80 percent of new viruses.
As I explained last time, it’s a trivial matter to first test a custom malware against the most popular antivirus scanners around. Certainly, this is what a black hat hacker with an assignment to penetrate the defenses of a corporate competitor and a vector to load the malware in will do.
The problem with a purely traditional antivirus approach is that the “virus definitions” that they work from relies on trying to recognize code sequences or known virus behaviour traits. As such, their detection abilities remain consistent, and new malware tends to get through.
This is not to say that we should immediately discard all our antivirus products. Current generation of antivirus scanners remain useful as part of a multilayered defense against known and old malware that might remain “in the wild” for years yet.
What I am suggesting, however, is that complete dependence on antivirus products need to be re-evaluated, and other options such as whitelisting need to be examined in light of the rapidly evolving malware situation that the proliferation of the Internet has brought about.