OK, show of hands: Who out there has spent loads of money on a nifty antivirus solution for their company—you know, the kind that makes all sorts of promises as to the safety you will enjoy, the effectiveness of their antiviral software, the fieriness of their firewall, so on and so forth—only to be infected a short time later? I think it is safe to say that most of us have been there, furiously trying to figure out how to clean the virus off our machines—a virus that our new super anti-viral solution can’t seem to handle—without having to reformat the hard drive, reinstall Windows and then reinstall everything else. The question is, why?
The answer, of course, is that antivirus solutions work in much the same way as medicinal vaccines: They only work on known viruses. In other words, a given antiviral solution will protect you against an old virus, something the solution has a definition for. That can be useful, since once a virus is “released into the wild” it can linger on the Internet for years, posing a potential hazard for new machines coming online. The real hazard comes from the viruses that are being released today, viruses that have not been isolated, studied and defined.
The Failure of Traditional Antiviral Solutions
Antiviral software began its rise to prominence back in 1993, when viruses were passed from one computer to another via infected floppy discs. With the advent of the Internet to general use in 1995, the development of virus forums and kits, spyware and adware, worms and trojans; and the move from viruses being experiments or vandalism to being a big-money criminal activity, the scene has changed dramatically. Now, 15 years later, the traditional antiviral approaches are simply not effective. They just can’t keep up.
Yet we rely on this technology, always hoping that this latest version will do the trick and yet, more frequently than we’d like to think, that latest version fails. It has to fail, the odds are simply overwhelming. In 1989 there were about 30 known viruses, today there are over 200,000 with more coming online every day. To make matters worse, new viruses are tested against the latest antiviral software to make sure it can get through. Not all of them, perhaps, but certainly the major ones like Norton and MacAfee.
Given that the approach of antiviral solutions has traditionally been to close the barn door after the horse escapes, it makes sense to try an alternative way of dealing with the problem that closes the door before the horse gets out.
The Alternative: Whitelisting
The traditional antiviral (and anti-malware solutions in general) approach is to blacklist suspicious programs and keep them from working. In other words, it is supposed to identify and kill the virus. As we have seen, this only works when the solution can see the virus for what it is, a fact that leads to a high failure rate.
To address this shortcoming, a switch should be made from blacklisting suspicious software to whitelisting trusted software. In this scenario, new programs (and viruses and other malware are programs) are either entirely prohibited from operating or are placed in quarantine until they are considered trustworthy. By maintaining a strict whitelisting strategy, you could easily reduce your malware threat to next to nothing.
Lumension Security came up with this in 2000, when it became clear to them that no matter what antiviral solutions businesses were using, they were still being hit by viral attacks in ever increasing numbers. Designed to protect networks, their Sanctuary Application and Device Control suites, which were previewed at the 2004 InfoSecurity tradeshow, are proven, end-point security solutions that control both applications and peripheral devices through the use of whitelists.
Sanctuary operates by calculating a cryptographic hash for each approved executable file. This 20-byte signature, generated using the state-of-the-art SHA-1 algorithm, serves to identify the file itself instead of weaker attributes such as a file name or date. Each and every time a user wishes to open an executable, Sanctuary performs an instantaneous signature check on the file to ensure its authenticity. If even one bit is incorrect, the file will not be allowed to automatically execute.
That means a file piggy-backed to an e-mail or smuggled in on a downloaded image from a website will be prevented from running since it is not on the whitelist of acceptable applications. It also means that the sales manager’s teenage son can’t install something he downloaded onto his mother’s computer or plug an unauthorized peripheral device into the machine. This enhanced end-point security and IT policy enforcement are two additional reasons why whitelisting technology is something to consider.
The Weakest Link: People
The sad truth is that the majority of data losses come from within the company firewall, from employees. This isn’t a big surprise; it has long been known that people are the weakest link in any security-related situation. According to the FBI, 15% of people are totally dishonest, 5% are totally honest and the rest fall somewhere in between. Honesty, however, does not always translate into responsible, much less intelligent. Yep, people do foolish and irresponsible things.
From an IT security point of view, these foolish and irresponsible things are usually done in complete innocence. They include downloading unapproved software or installing such software from a disc, plugging strange devices, such as a USB thumb drive, into their computer, just to see what it is; and other, similar activities. By employing a whitelist solution that covers both hardware and software, you mitigate problems caused by well-meaning but irresponsible employee activities.
It will also protect against those with a plot to steal information. If an intruder, whether they come from within your company or from the outside, cannot plug in the media they brought to copy data—thumb drives are the most often implicated technology here—then they cannot easily steal the data. True, there are other ways of stealing data but none that leave so little evidence.
The Bottom Line
Considering the amount of money that is lost to malware and physical data loss each year, it makes sense to get serious about getting rid of this kind of threat once and for all and protect yourself with technology that does not have to play catch-up with the malware it promises to stop. Whitelisting, as demonstrated by Lumension, is a very effective way to accomplish this and an approach you should consider for your business.