Here is my latest article for the NCSL newsletter:
Anti-Virus Doesn’t Matter Anymore
By Jerry Gamblin, Security Specialist, Missouri House of Representatives
It hurts to say that because, as the security specialist for the Missouri House, I spend a lot of time managing our anti-virus system and making sure all our systems have the latest definitions. Anti-virus had a good 15-year run, but simply detecting what the “bad guys” have written and then not letting it run is a practice that has outlived its usefulness. “Bad guys” have gotten far faster at writing new viruses and malware than anti-virus makers can write definitions to stop them. So what will replace anti-virus?
User Education. We have done a poor job of educating our users about the real risk of viruses and malware because we often fall back on the “the AV will stop it” mentality. A paradigm shift has occurred in the technology world that makes it impossible to protect our users without their help. Our users carry their data with them on smartphones, jump drives and in the cloud. Cisco said it best: the borderless network is here. As with real borders, our network rules do not apply on the outside.
We must give our users a good foundation in security awareness so they can be partners in our security programs. All organizations need to implement a security awareness program. If you have not started, I would suggest you begin by looking at http://securingthehuman.org.
Patch Management. This is not just Windows Update anymore. Hackers have (mostly) moved past attacking the operating system and are focusing on what everyone loads on top of their systems but does not update. Adobe Flash and Reader are at the top of hackers’ hit lists because of their widespread use.
A good test of how secure your systems truly are is to download the Secunia Personal Software Inspector from http://secunia.com/vulnerability_scanning/personal, install it on your computer and your boss’s computer, and see how up-to-date your software is.
Heuristics. I have been running the beta of the new Symantec Endpoint Protection 12.1, and it has moved away from relying on its definitions and toward watching your system and making sure nothing out of the ordinary is happening. This is the anti-virus of the future. It will watch your machine, and if something tries to replace DLLs in System32 or write to the registry, it will stop it from happening. It’s not perfect (yet), and there will be a steep learning curve, a lot of false positives, and the urge to turn it off as you did with UAC in Windows Vista.
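To make the behavioral idea concrete, here is a small added example (not code from the article or from Symantec) of the kind of rule a heuristic engine applies: instead of matching a signature, it looks at what a process does and blocks actions that are out of the ordinary, such as an unknown program replacing a DLL under System32 or adding itself to a Run key. The event records, rule names and the allowlist of trusted updaters are all constructed for this illustration; a real product would feed these rules from a kernel driver rather than a Python list.

```python
# Added example: minimal behavior-based (heuristic) detection over constructed
# endpoint events. Nothing here is Symantec's code or rule set.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Event:
    process: str   # image name of the process performing the action
    signed: bool   # assumed: engine already knows if the binary is validly signed
    action: str    # "file_write" or "reg_write"
    target: str    # file path or registry key being written


# Paths the rules care about (compared case-insensitively).
SYSTEM32 = "c:\\windows\\system32\\"
AUTORUN_KEYS = (
    "hklm\\software\\microsoft\\windows\\currentversion\\run",
    "hkcu\\software\\microsoft\\windows\\currentversion\\run",
)
# Assumed allowlist: processes expected to touch system files and autorun keys.
# Everything not on this list is treated as suspicious, which is exactly where
# the false positives the article warns about come from.
TRUSTED_UPDATERS = {"trustedinstaller.exe", "msiexec.exe"}


def classify(event: Event) -> List[str]:
    """Return the names of the behavioral rules this event triggers."""
    hits = []
    target = event.target.lower()
    proc = event.process.lower()

    # Rule 1: replacing a DLL under System32 by anything other than a
    # signed, trusted updater.
    if (event.action == "file_write"
            and target.startswith(SYSTEM32)
            and target.endswith(".dll")):
        if proc not in TRUSTED_UPDATERS or not event.signed:
            hits.append("system32_dll_replace")

    # Rule 2: writing an autorun (persistence) registry key.
    if event.action == "reg_write" and any(target.startswith(k) for k in AUTORUN_KEYS):
        if proc not in TRUSTED_UPDATERS:
            hits.append("autorun_persistence")

    return hits


def triage(events: List[Event]) -> List[Tuple[str, str]]:
    """Walk an event stream and return the (process, rule) pairs that would be blocked."""
    blocked = []
    for ev in events:
        for rule in classify(ev):
            blocked.append((ev.process, rule))
    return blocked


# Constructed sample event stream: one OS update, one malware-like binary,
# one legitimate third-party installer, and one harmless file write.
SAMPLE_EVENTS = [
    Event("TrustedInstaller.exe", True, "file_write",
          "C:\\Windows\\System32\\ntdll.dll"),
    Event("invoice.pdf.exe", False, "file_write",
          "C:\\Windows\\System32\\wininet.dll"),
    Event("invoice.pdf.exe", False, "reg_write",
          "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
    # Flash's installer really does write under System32\Macromed; because it is
    # not on the allowlist this signed, legitimate write is blocked too.
    Event("setup_flash.exe", True, "file_write",
          "C:\\Windows\\System32\\Macromed\\Flash\\NPSWF32.dll"),
    Event("notepad.exe", True, "file_write", "C:\\Users\\jg\\notes.txt"),
]


if __name__ == "__main__":
    for proc, rule in triage(SAMPLE_EVENTS):
        print(f"BLOCK {proc}: {rule}")
```

Run it and the malware-like `invoice.pdf.exe` is stopped on both rules, but so is the Flash installer. Tuning that allowlist (or prompting the user, as UAC does) is the learning-curve and false-positive cost the paragraph describes.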
Good luck. It will take a little good luck to get through the next two to four years in the security world unharmed, until some of these new technologies mature into fully functioning products.
If you have questions, you can contact me at firstname.lastname@example.org or on Twitter at @jgamblin. Until then, I will be patching software and hoping our good luck continues.