Pub. 7 2010-2013 Issue 3

September/October 2012

Antivirus Software: Misplaced Trust?

Stephanie Chaumont, CISA, CISSP, Security+, CoNetrix

ANTIVIRUS SOFTWARE HAS LONG been accepted as the cornerstone of any healthy security program. As online security threats continue to rise and pose a significant risk to the financial industry, you have, no doubt, implemented many technical controls. Perhaps, in the back of your mind, you’ve thought if these controls failed, well, at least you have antivirus. Now, however, the discovery of the Flame virus earlier this summer has everyone wondering if their trust was poorly placed.

Flame is a highly complex (arguably the most complex) piece of malware that has been recording audio, keystrokes, network traffic, screenshots, Skype conversations, and documents from infected computers for at least two years. That’s two years of antivirus definition updates and two years of potentially weekly or daily virus scans that never detected this very large, very complex, very nosy virus.

Flame’s sophistication, along with its targets, supports the widely accepted notion that a government or group of governments is responsible for its creation and distribution. A large majority of the infected machines were discovered in Iran, but infected machines also were found in several other locations, including Europe and North America. It would be naïve of us to think that perhaps our own government or an ally was the creator of such a complexity, and thus, we are immune to its danger. A malware program designed for a particular purpose is still a program that is capable of spreading to unintended targets as well as landing in the hands of someone who is no ally of yours. Also, the most direct implication to you is what Flame did to blow the antivirus industry’s cover.

Until recently, antivirus leaders and malware creators were engaged in a cat-and-mouse game of sorts where malware creators introduced new viruses and, shortly thereafter, antivirus companies discovered these and updated their virus definitions so that your computer would not fall victim. This routine has more or less worked for years until the late Flame discovery that has left the antivirus industry scratching their heads. Industry talk suggests simplistic signature-based antivirus software is not adequate and puts an emphasis on more expansion into behavior or anomaly-based products.

What does this mean for you as a consumer of antivirus products and as a highly targeted industry? Well, you have little (or no) control over the ability of the antivirus industry to catch all, especially targeted, attacks. The answer to this security issue, and the answer to most security issues, is that you have to implement a layered security program:

• Keep software (including Adobe and Java) and browsers patched.
• Remove local administrator privileges on workstations.
• Implement technical controls on the use of USB storage devices where possible.
• Implement and monitor an intrusion detection/prevention system.
• Expand Internet content filtering such that only sites needed for banking are allowed.
• Regularly review security logs, so that changes in the norm will stand out.
• Train, train, train—including teaching users not to click on email links,

TECH TALK  Trust — continued on page 19
