Anti-virus, as we all know, is designed to watch for properties of a virus/worm. When it detects a match, we can choose to delete the offending file or move it into quarantine. The key is that traditional anti-virus products have to know about the virus characteristics to work. If not, then they're basically useless in a containment strategy. Here is where we find our weakness in this model.
Currently, the groups developing the latest versions of viruses and worms are targeting specific companies by their particular characteristics, such as IP addresses, patch levels, locations, etc. A simple Google search can turn up what some may think is harmless information, but these details are creating viruses and worms that only attack a specific group of systems.
Now step back and think about this in greater context. Many companies are calling up their anti-virus support trying to find out when a new definition file will be out. The problem is that even though the anti-virus signature may mirror the offending virus technically, some of the characteristics don't. The anti-virus company will need to make many different definition files that will work specifically in one, two, maybe a handful of companies. If you are a small shop of 50-100 workstations, how long do you think it will take to get even a beta definition out into your organization to contain the problem?
Some industry reports note that it can take up to 48 hours to get reverse engineering departments to build a list of characteristics to even start making a definition. That many hours in today's exploit-happy world is a lifetime.
Thus, to keep response time low and containment success as high as possible, many companies are reviewing their contracts and service level agreements with major anti-virus players. They're adding conditions on prioritization during an actual incident and including expected turnaround times for levels of support.
Companies simply can't take their anti-virus for granted and assume it does its job. In the near future, this may not be the case, so other security controls also should be discussed and prioritized.
Today's risks and their possible impact to businesses are just too high not to.
Richard Lawson is chief IT security officer of a company which wishes to remain anonymous.
30 SECONDS ON...
A brief history
The first anti-virus software was created in 1981 by Peter Tippet. His company, Certus International Inc., was sold in 1992 to Symantec Corp., which incorporated his software into its product, Norton AntiVirus.
The Australian Computer Emergency Response Team (AusCERT), which provides computer incident prevention and mitigation strategies, claims that popular desktop anti-virus applications miss 80 percent of new viruses.
The right tools
At 53 percent, the need for anti-virus tools is near the top of the list of in-demand items by IT security personnel this year, according to a Forrester report: "Fear Factor: Information Assets and Viruses and Worms Top IT Security Threat List."
A July 2006 Osterman Research report, "Messaging Security Market Trends, 2006-2009," showed that viruses, trojans and worms have penetrated 84 percent of the more than 100 medium-to-large organizations polled.