Demand More
Posted by Jon Amato on August 10, 2007 at 9:42 AM EDT.
Last week I stumbled across this, "The perfect attack against your security?", in my travels on the Net, and I couldn't help but think it merited a response. In the interview, a grim-faced Patrick Runald from F-Secure makes the comment that there's "not much that can be done" to protect enterprise PCs against a socially-engineered email that contains a Trojan which in turn installs a rootkit. He goes on to suggest that patching may be the best defense available - patching of the OS, patching of MS Office, patching of Apple Quicktime.
Now, patching is a good idea, of course, but it's inherently reactive. And besides, what exactly are you supposed to patch when the vulnerability being exploited lies between the ears of the person using the computer? You can't patch people, of course. User education (another good idea) only goes so far, and as Mr. Runald points out, there are people who will have to open strange attachments as part of the normal course of doing their jobs. It's a challenging security scenario, for sure. The interviewer, Munir Kotadia of ZDNet Australia, suggests that this might be the "perfect attack".
So, does this mean that we (the good guys) should break out the white flag of surrender? Not a chance. Behavioral anti-virus tools like IBM ISS' Virus Prevention System were designed to protect against this very type of attack - ones that don't exploit vulnerabilities, but instead exploit users. Tools like VPS look for malicious behaviors, like the ones used to install a rootkit onto a host.
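To make the distinction between signature and behavioral detection concrete, here is an added illustration (not code from the original post, and not IBM ISS VPS or any other product's logic). It runs a small behavioral rule over a constructed stream of process events: a process descended from a mail or Office client that drops a binary into a system directory and then registers a driver or service is flagged, regardless of whether the attachment's hash is known. All process names, paths, hashes and event fields are assumptions made for the example.

```python
"""Toy behavioral detector contrasted with a hash signature lookup.

Added example; events, names and hashes below are constructed, not real data.
"""
from dataclasses import dataclass
from typing import Dict, List

# Processes that commonly handle untrusted email content (assumed list).
MAIL_AND_OFFICE = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
# Locations where a dropped binary is suspicious (assumed, lower-cased).
SYSTEM_DIRS = ("c:\\windows\\system32\\",)
# Actions that establish kernel-level or boot-time persistence.
PERSISTENCE_ACTIONS = {"load_driver", "create_service"}


@dataclass
class Event:
    pid: int
    parent: str   # parent process name
    proc: str     # this process name
    action: str   # "spawn", "write", "load_driver", "create_service"
    target: str   # file path, service name or driver name


# Hypothetical signature database: one known-bad attachment hash.
KNOWN_BAD_HASHES = {"0" * 64}


def signature_match(sha256: str) -> bool:
    """Signature AV: hit only if the exact hash has been seen before."""
    return sha256.lower() in KNOWN_BAD_HASHES


def behavioural_alerts(events: List[Event]) -> List[Dict]:
    """Flag processes that combine email/Office ancestry, a dropped binary
    in a system directory and a persistence action. No hash is consulted."""
    state: Dict[int, Dict] = {}
    for e in events:
        s = state.setdefault(
            e.pid,
            {"proc": e.proc, "from_mail_or_office": False,
             "dropped": [], "persist": []},
        )
        if e.parent.lower() in MAIL_AND_OFFICE or e.proc.lower() in MAIL_AND_OFFICE:
            s["from_mail_or_office"] = True
        t = e.target.lower()
        if e.action == "write" and t.startswith(SYSTEM_DIRS) \
                and t.endswith((".sys", ".exe", ".dll")):
            s["dropped"].append(e.target)
        if e.action in PERSISTENCE_ACTIONS:
            s["persist"].append((e.action, e.target))

    alerts = []
    for pid, s in state.items():
        if s["from_mail_or_office"] and s["dropped"] and s["persist"]:
            alerts.append({"pid": pid, "proc": s["proc"],
                           "dropped": s["dropped"], "persist": s["persist"]})
    return alerts


# Constructed event stream: pid 100 is the email-borne rootkit installer
# scenario from the interview; pid 200 is a legitimate vendor installer
# launched from the desktop; pid 300 is ordinary document editing.
SAMPLE_EVENTS = [
    Event(100, "outlook.exe", "winword.exe", "spawn", "invoice.doc"),
    Event(100, "outlook.exe", "winword.exe", "write",
          "C:\\Windows\\System32\\drivers\\svchlp.sys"),
    Event(100, "outlook.exe", "winword.exe", "load_driver", "svchlp"),
    Event(200, "explorer.exe", "setup.exe", "write",
          "C:\\Windows\\System32\\drivers\\vendor.sys"),
    Event(200, "explorer.exe", "setup.exe", "create_service", "VendorSvc"),
    Event(300, "outlook.exe", "winword.exe", "write",
          "C:\\Users\\jane\\Documents\\report.docx"),
]

# Constructed hash of a never-before-seen attachment.
NOVEL_ATTACHMENT_HASH = "ab" * 32


def demo() -> Dict:
    """Return both verdicts so the gap between them is visible."""
    return {
        "signature_hit": signature_match(NOVEL_ATTACHMENT_HASH),
        "behavioural": behavioural_alerts(SAMPLE_EVENTS),
    }


if __name__ == "__main__":
    result = demo()
    print("signature hit:", result["signature_hit"])
    for a in result["behavioural"]:
        print("behavioural alert:", a)
```

The signature lookup returns nothing for the novel attachment, while the behavioral rule raises exactly one alert, for pid 100. The vendor installer (pid 200) performs the same write-and-persist sequence but lacks the email ancestry, which is why a rule of this shape keys on the combination of behaviors rather than any single one; in practice that combination is what keeps the false-positive rate tolerable.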
He does get one thing right, though: he says that you need more than signature anti-virus. Signature AV certainly has its place in a layered host defense strategy, but it's no longer the primary mechanism it once was. You should demand more from your security vendors.