I recently attended a professional development event in Birmingham run by OWASP and the Institute of Information Professionals (IISP). One of the topics on the agenda was how to evade anti-virus (AV) software packages.
Shock horror. The breaking news is that AV software is not going to stop cyber attacks on your organisation, as has been blogged on before here on Cyber Matters.
However two aspects stood out for me.
Anti-virus detection lags
The first was that the presenters, Pen Test Partners, revealed some shocking stats on the massive time delays that some AV software packages had in responding to known malware.
In April of last year they had uploaded various malware samples to Virus Total, a free virus, malware and URL online scanning service. The AV vendors receive samples of every file uploaded where more than one product flags the file as malware. Virus Total checked against the most popular AV packages, 53 in total.
The results were:
File 1: Meterpreter output to Visual Basic for Applications (VBA) to run under Office macros
• 2013 – 4 AV packages detected it
• 2014 – 14 AV packages detected it
File 2: Hyperion packed Meterpreter
• 2013 – 19 AV packages detected it
• 2014 – 33 AV packages detected it
File 3: Molebox packed Meterpreter
• 2013 – 10 AV packages detected it
• 2014 – 29 AV packages detected it
Or put another way, even though the AV vendors had been given the file, a considerable number of them ONE YEAR on still hadn’t updated their software to detect it! (You can read the full details in this blog post)
So you might as well not bother with using AV then?! Perhaps not just yet. It is one of the 10 Steps to Cyber Security after all and also covered in Cyber Essentials. Why? Because AV will stop things that are historically known to be bad, at an early entry point into your organisation. All good security systems need defence in depth approaches and this is just one layer. Yes, you need additional defences and mitigations for stuff AV does not detect, but that is not justification for no AV at all.
User behaviour
So we’ve seen another example of how AV packages are not infallible. As one of the delegates at the forum remarked. ”This is just getting the file to the user, right? So generally it still needs to be activated by the user?”
Spot on. So another layer of a defence in depth strategy is user education, or as I’ve heard it called recently, user engagement.
That’s precisely what the next IISP East Midlands forum will be tackling. Jim Shields from Restricted Intelligence, specialists in engaging staff in user education, will be leading on this topic. He’ll be joined by Geordie Stewart from the John Lewis Partnership who has experience of implementing change behaviour programmes in a variety of organisations.
Hopefully you’re convinced of the importance of user engagement now, if you weren’t already.
I’ll expect to see you in Leicester on September 18th.
Once Upon a Camayoc 