The New York Times has described in detail how it was hacked by a group looking for data on Chinese dissidents and Tibetan activists. The attack was investigated by security company Mandiant.
Note the following:
Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.
Apparently the initial attack method was simple: emails with malicious links or attachments.
Symantec made an unconvincing defence of its products in a statement quoted by The Register:
Advanced attacks like the ones the New York Times described … underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions. The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behaviour-based blocking, specifically target sophisticated attacks. Turning on only the signature-based anti-virus components of endpoint solutions alone is not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough.
Could the New York Times hack have been prevented by switching on more Symantec features? Count me as sceptical; in fact, it would not surprise me if these additional features were on anyway.
Anti-malware solutions based on detecting suspicious behaviour do not work reliably. The task is too difficult: the product has to balance inconvenience and performance cost against a limited ability to tell what really is or is not suspicious. Further, the dialogs presented to non-technical users are mystifying, so whether or not the right response is made is a matter of chance.
This does not mean that secure computing, or at least more secure computing, is impossible. A Windows desktop can be locked down using whitelisting technology (only approved executables may run) and a non-administrator user account, at the expense of inconvenience if you need to run something not on the whitelist. The caveat is that a whitelist controls which programs start, not what an approved program does once it has been exploited, so it does not replace patching. In addition, users can avoid most attacks without any anti-virus software at all, by carefully avoiding malicious links, malicious attachments and untrustworthy websites.
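The difference between the signature-based detection that missed 44 of 45 pieces of custom malware and the whitelisting described above comes down to which list the file has to be on. The following is an added Python example, not code from this post or from any vendor's product; the "executables" are constructed placeholder byte strings and the file names are invented. It compares a blocklist (hashes of malware the vendor has already analysed) with a whitelist (hashes the administrator approved) over the same set of files, and shows both the benefit and the cost the paragraph mentions:

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executable contents (placeholder bytes, not real binaries).
OFFICE_V1 = b"MZ office-suite build 14.0"
OFFICE_V2 = b"MZ office-suite build 14.1"                 # vendor update, not yet approved
DROPPER = b"MZ dropper as analysed by the AV vendor"
DROPPER_2 = b"MZ dropper as analysed by the AV vendor, recompiled"  # trivially modified variant
IMPLANT = b"MZ custom implant never seen before"

# What sits on the endpoint (invented file name -> content).
FILES = {
    "winword.exe": OFFICE_V1,
    "winword_update.exe": OFFICE_V2,
    "update.exe": DROPPER,
    "update2.exe": DROPPER_2,
    "invoice.pdf.exe": IMPLANT,
}
MALICIOUS = {"update.exe", "update2.exe", "invoice.pdf.exe"}

# Signature-style blocklist: only malware the vendor has already seen gets a hash.
BLOCKLIST = {sha256(DROPPER)}
# Whitelist: only binaries the administrator has explicitly approved.
ALLOWLIST = {sha256(OFFICE_V1)}


def blocklist_allows(data: bytes) -> bool:
    """Run anything that is not a known-bad hash (the signature model)."""
    return sha256(data) not in BLOCKLIST


def allowlist_allows(data: bytes) -> bool:
    """Run nothing that is not a known-good hash (the whitelisting model)."""
    return sha256(data) in ALLOWLIST


def evaluate(files=FILES, malicious=MALICIOUS):
    """For each policy, list the malware that ran and the legitimate files that were blocked."""
    result = {}
    for name, policy in (("blocklist", blocklist_allows), ("whitelist", allowlist_allows)):
        malware_run = sorted(f for f, d in files.items() if f in malicious and policy(d))
        legit_blocked = sorted(f for f, d in files.items() if f not in malicious and not policy(d))
        result[name] = {"malware_run": malware_run, "legitimate_blocked": legit_blocked}
    return result


if __name__ == "__main__":
    for policy, outcome in evaluate().items():
        print(policy, outcome)
```

The blocklist lets the recompiled dropper and the never-before-seen implant run, because a hash signature only matches the exact bytes the vendor analysed; the whitelist stops all three, but also blocks the legitimate update until its hash is added, which is the inconvenience the paragraph refers to.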
Aside: it is utterly stupid that Windows 8 ships with a new mail client which does not let you delete an email without previewing it, or see the real destination of a URL in the body of an email.
This kind of locked-down client is available in another guise though. Tablets such as those running iOS, Android or Windows RT (mail client aside) are designed to be resistant to attack, since apps are sandboxed and normally can only be installed via a trusted app store. Although users can bypass this restriction, for example by enabling developer permissions, that is not such a problem in a corporate deployment: the users most at risk are probably those least likely to make the effort to bypass corporate policies.
Note that in this context a Windows 8 Professional tablet such as Surface Pro runs the full desktop, so it is just another desktop and no more secure.
Another approach is to stop believing that the endpoint, the user's device, can ever be secured. Lock down the server side instead: expose only the small piece of functionality the client needs in order to reach the critical data and server applications, and concentrate protection on that.
The key message though is this. Anti-virus software is ineffective. It is not completely useless, but can be counter-productive if users believe that because they have security software installed, they are safe from malware. This has never been true, and despite the maturity of the security software industry, remains untrue.
New types of client devices hold more promise as a route to safer personal computing.