I am pretty savvy, try to stay away from sites and links that I am not familiar with and don’t remember the last time I saw a warning from my AV product. I run scan regularly and patch when I am supposed to as well. So do I really need AV? If so is there any value to actually paying for one?
It was an intriguing question because no doubt many of us who are security savvy have asked ourselves the same thing – especially if our AV scanner is consuming resources or introducing latency that becomes noticeable. When security gets in the way, it’s often the case that we tend to want to end-run around it. At least I do, and I assume I’m not the only way to think that way. That’s especially true when it appears that the security solution isn’t really doing anything. The three-fold security strategy Alan references – patch, scan, and avoid unsafe sites/links – is a common mantra amongst security professionals. But it’s that last part that is most likely to trip us all up: only visit “safe” sites.
Is there any such thing today?
“70% of the top 100 most popular Web sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites.” (Websense, 2009)
A study conducted last year by Microsoft found that over 2.2 million PCs in the U.S. were part of botnets, and that the U.S. is the “number one country consumed with botnet PCs.” Certainly some of those were being operated by techneophytes and it’s likely that many of them were infected while browsing what they thought were “safe” sites – or perhaps sites shared by “friends” or “followers” on a social network or other Web 2.0 application that were assumed to be safe because, well, friends wouldn’t share unsafe sites, would they? Of course not, at least if they knew the site was unsafe. But that’s the problem, isn’t it? It’s nearly impossible to tell these days which sites are safe and which ones are not. Alan’s strategy – and the advice often given by other experts – is a sound one, but it requires knowing whether a site is “safe” and that, today, is nearly impossible.
And even if it was possible, if you could avoid being infected via the web, that’s the not the only means of infection available to miscreants today. There are a plethora of other attack vectors leveraged by the bad guys that result in infections. Anti-virus scanning, when configured to do so, is also a means to detect malware, viruses, and other nasty pieces of software that might be located in various other document-types that are commonly sent even to consumers – Word documents, PDF documents, archives containing family photos, executable programs. Whether via e-mail or shared via the corporate or home network or found on a USB key shared amongst family members, malicious software has many ways in which it can be deposited on a device and anti-virus is one way in which to prevent such pieces of software from taking up permanent residence.
THE ALTERNATIVE ACCESS CHALLENGE
This isn’t just a problem for Grandma and consumers.
Given the increasing number of folks who work from “home” and use alternative devices and machines from which to access corporate networks and resources, it should be an imperative to leverage technology not only capable of enforcing some level-set of security measures but also to take into consider the very real danger that a bot or virus presents to the organization. Yes, the VPN protects data in transmit, but what about the documents saved and stored on that machine while the user “works” on them? A bot with unrestricted access can easily obtain them and ship them off to who knows where, without detection. Combined with the alternative access avenues leveraged by miscreants, there are a plethora of possibilities for a device to become infected, and spread that infection to everyone to which we are digitally connected.
Given the exponential leaps in processing power and memory available on desktops and other end-user devices, the resources consumed by an AV scanner are minimal. While a safe, savvy web browser may in fact avoid be able to avoid infection and render such scanners little more than overhead reality is that it only takes one infection, one click, for your desktop to become a remote-controlled security nightmare with ramifications that go far beyond your own domain. A single infection by a trusted friend, co-worker, or relative can easily become the launch point for a massive, corporate or family-wide infection with little effort on the part of the miscreant. AV scanners don’t just protect against web-based attack vectors, they are a valuable tool in protecting against infection via e-mail and other common methods of sharing data (photos, programs, documents) as well as providing the means by which corporate information security strategies can be implemented to secure both local and remote access to corporate resources.
So do you still need AV on your desktop? You betcha. Just because your house hasn’t yet been broken into doesn’t mean you stop locking your doors.