Thursday, 12 June 2014
Anti Virus is Dead... So What's Next?
When I was at GISEC (Gulf Information Security Expo & Conference) in Dubai this year, I presented demos at the BT booth showing how a web vulnerability, XSS (Cross-Site Scripting), can be combined with social engineering to gain access to the browser and then to the underlying systems. Using two different exploit frameworks, I demonstrated how I was able to create a payload that bypassed any Anti Virus application installed on the victim's machine.
After the demonstration, I showed them an online article and asked what they thought should be done to protect hosts or workstations, given that, according to the article, Anti Virus is dead. The majority could not give me a straight answer. Some suggested installing firewalls; others said that patches must be properly installed and kept up to date. While those answers might help with prevention, the solution I recommended to them was 'Endpoint Security'.
'Endpoint Security' has many definitions; the one I usually reference is that it is a solution consisting not just of an Anti Virus but also of host-based behavioural blocking components such as a host IDS/IPS (Intrusion Detection/Prevention System), a host-based firewall, an Anti Spyware component and NAC (Network Access Control). With these components installed, as I explained to them, although my payload would bypass the Anti Virus and Anti Spyware components, the IPS would definitely detect it and prevent it from being executed.
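The paragraph above contrasts signature-based Anti Virus with host-based behavioural blocking. The following is an added illustration, not code from the original post or from any product it mentions, that models both sides in Python: a constructed stager sample covered by a hash signature and a byte-pattern signature, a trivial XOR repacking that defeats both, and a behavioural rule over a constructed process/connection event stream that still flags the same activity. The sample bytes, the 203.0.113.10 callback address, the process names and the rule itself are all assumptions made up for this example.

```python
"""Signature matching vs host-based behavioural blocking (illustrative model).

A repacked payload slips past a signature-based scanner, but the actions it
performs on the host still trip a behavioural rule. All samples, hashes,
process names and rules below are constructed for this example and are not
taken from any real product.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# --- Signature-based scanning ------------------------------------------------

# Constructed "known bad" sample: a stager whose bytes an AV vendor has seen.
KNOWN_STAGER = b"\x90\x90\xeb\x1fconnect-back:203.0.113.10:4444"

# Signature database: SHA-256 of the full sample plus one byte pattern.
SIGNATURES = {
    "sha256": {hashlib.sha256(KNOWN_STAGER).hexdigest(): "Stager.Generic"},
    "patterns": {b"connect-back:": "Stager.Pattern"},
}


def signature_scan(blob: bytes, signatures=SIGNATURES) -> list[str]:
    """Return the names of all signatures that match the blob."""
    hits = []
    digest = hashlib.sha256(blob).hexdigest()
    if digest in signatures["sha256"]:
        hits.append(signatures["sha256"][digest])
    for pattern, name in signatures["patterns"].items():
        if pattern in blob:
            hits.append(name)
    return hits


def xor_pack(blob: bytes, key: int) -> bytes:
    """Trivial repacking: XOR every byte with a one-byte key. Once a stub
    decodes it the payload behaves exactly as before, but no stored hash or
    byte pattern matches the packed bytes any more."""
    return bytes(b ^ key for b in blob)


# --- Behaviour-based detection -----------------------------------------------

@dataclass
class Event:
    kind: str          # "process" (creation) or "connect" (outbound TCP)
    pid: int
    parent: int = 0    # parent pid, for process events
    image: str = ""    # executable name, for process events
    dst_ip: str = ""   # destination, for connect events
    dst_port: int = 0


BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def behavioural_scan(events: list[Event]) -> list[str]:
    """Flag a shell spawned by a browser that then makes an outbound
    connection on a non-web port. The rule never inspects payload bytes;
    it looks only at what the process tree does, which repacking cannot hide."""
    image: dict[int, str] = {}
    parent: dict[int, int] = {}
    for e in events:
        if e.kind == "process":
            image[e.pid] = e.image
            parent[e.pid] = e.parent
    alerts = []
    for e in events:
        if e.kind != "connect":
            continue
        img = image.get(e.pid, "")
        parent_img = image.get(parent.get(e.pid, -1), "")
        if img in SHELLS and parent_img in BROWSERS and e.dst_port not in (80, 443):
            alerts.append(f"pid {e.pid} ({img}) spawned by {parent_img} "
                          f"connected to {e.dst_ip}:{e.dst_port}")
    return alerts


# Constructed host events: the victim follows the XSS-delivered lure, the
# browser launches a shell, and the shell calls back to the attacker. The
# outlook.exe entries are benign noise the rule must not flag.
SAMPLE_EVENTS = [
    Event("process", pid=100, parent=1, image="firefox.exe"),
    Event("process", pid=200, parent=100, image="powershell.exe"),
    Event("connect", pid=200, dst_ip="203.0.113.10", dst_port=4444),
    Event("process", pid=300, parent=1, image="outlook.exe"),
    Event("connect", pid=300, dst_ip="198.51.100.5", dst_port=443),
]

if __name__ == "__main__":
    print("original stager:", signature_scan(KNOWN_STAGER))
    print("repacked stager:", signature_scan(xor_pack(KNOWN_STAGER, 0x5A)))
    for alert in behavioural_scan(SAMPLE_EVENTS):
        print("BLOCK:", alert)
```

Run as a script, the original stager matches both signatures, the XOR-packed copy matches none, and the behavioural scan still blocks the powershell.exe process that firefox.exe spawned. A rule this narrow is itself easy to sidestep (have a non-browser process do the spawning, or call back over port 443), which is the practical reason the paragraph argues for several host-based layers rather than any single one.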
"But I have a NIPS (Network Intrusion Prevention System) and a firewall that will stop external attacks from penetrating my internal systems and servers," one person claimed. "But what about your own internal employees attacking your infrastructure?" I asked him back, while showing him an online article. According to an article late last year, 58% of information security incidents were attributed to insider threats. We have seen many cases where, due to relaxed policies, employees are able to bring their own devices and connect them to the organization's network, bring external storage drives and plug them into the organization's machines, and, of course, hold administrative privileges that let them execute and install third-party software on the organization's machines. These situations potentially allow malware into the internal network, from where it can spread throughout the organization.
While there will never be a patch for human stupidity, security managers must quickly propose a solution to protect their networks from both external and internal attacks. While security mechanisms protecting the perimeter of the organization can deter external threats, most organizations fail to understand the critical need to protect against internal threats as well. Yes, one can argue that network-based solutions can protect against the scenario I demonstrated, but then again, is that really enough?