Bit9 Suggests Server Security Should not Rely on Anti-Malware

Each year Bit9 conducts a survey into server security, and has just published its 2013 results. It finds, in a year of continuing and successful attacks against some of the world's leading companies, concern over server security is growing among security professionals.

The top 2013 concern among 800 IT and security professional respondents is 'targeted attacks and data breaches'. In 2011, this was the chief concern of 27% of respondents. Last year it rose to 52%, and now it has increased further to 55%.

This concern is explained by Bit9: "In 2013, Adobe, LivingSocial, Evernote, Twitter, NBC.com, and NYTimes.com fell victim to cyber attacks. These attacks all involved compromised servers and ranged from defacing or shutting down a website to stealing millions of customer records."

But the survey also highlights an anomaly that is frequently found: professionals are worried about security in general, but fairly confident in their own security. 72% of respondents were either somewhat or very confident in their ability to stop advanced threats targeting their servers – something all the more surprising since almost a quarter of those who were very confident also admitted to having already been hit by advanced malware.

Furthermore, 25% of the respondents cannot say whether or not they have been hit by advanced malware. Given that APT attacks can sit undetected on company networks for many months, this is probably a realistic response. Bit9 implies that this is the result of an over-reliance on anti-virus technology as the primary defense technology.

“It is alarming to see that in 2013, 92 percent of IT and security professionals still rely on old-fashioned security solutions – particularly antivirus – and only a quarter of those surveyed have deployed a new generation of server security that doesn’t rely on signatures and is much more effective at detecting and stopping advanced threats and targeted attacks,” said Nick Levay, Bit9 chief security officer.

The problem with anti-virus technology is that it is predominantly a blacklisting approach to security: it stops what it recognizes and allows what it does not recognize. Completely unknown malware is simply allowed onto the network, and the security professionals have no indication that this has happened. Bit9's approach is predominantly whitelisting; that is, it allows only what is known to be 'good', and stops everything else whether it is known malware or not.

This approach has the effect of 'locking down' the network. "Servers, which typically do not need the flexibility to dynamically install a wide range of potentially untrusted applications," says the report, "should – for the most part – be locked down. Failure to do so invites trouble. Older server security solutions that rely on signatures to identify malware leave large gaps in protection against unknown zero-day attacks – among other known untrusted software not yet registered on AV blacklists."

But while the Bit9 report can be taken as a strong argument for adding a whitelisting defense, it should not be taken as a reason for dumping anti-virus, and Bit9 does not suggest it should be: defense in depth is the best defense. "I don’t think it’s wise to rely on any single solution," David Harley, an ESET senior research fellow, told Infosecurity. "Companies who were attacked with malware that used stolen Bit9 certificates back in 2012 would probably agree."

Graham Cluley, once with Sophos and now an independent security researcher, is one who agrees. "Irony of ironies," he told Infosecurity, "when the hackers used the certificate they stole from Bit9 to sign their own malware, Bit9 waved it through without a worry – whereas regular anti-virus could have stopped it." The truth is, he added, anti-virus technology long ago abandoned simple blacklisting signatures. "The advent of polymorphic viruses which changed their appearance on each infection put an end to such a rudimentary way of malware detection."

Harley takes a very pragmatic view of security. "I don’t think any security researcher worth listening to would claim that anti-malware catches all malware, let alone all sophisticated and highly-targeted threats. What it does do is detect a whole load of threats that might or might not be caught using other security methodologies." In short, he said, "Organizations should consider application whitelisting as part of their security strategy" in addition to, not a replacement for, anti-malware.

"Yes," added Cluley, "anti-virus software should never be used on its own. Similarly, application white-listing software should never be used on its own."
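To make the blacklist-versus-whitelist contrast and the stolen-certificate case discussed above concrete, here is an added example that is not from Bit9, the article, or any vendor product. It models each control as a simple policy (a default-allow hash blacklist standing in for signature anti-virus, a default-deny whitelist of known-good hashes and trusted publishers standing in for application control) and runs four constructed samples through each control alone and through both layered together. The publisher name VendorCo, the sample bytes and the hash sets are all constructed for the illustration; real anti-virus engines do far more than hash matching, as Cluley points out, so the blacklist here is a deliberately minimal model of the default-allow gap the article describes.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Sample:
    name: str
    content: bytes                 # constructed stand-in for an executable's bytes
    signer: Optional[str] = None   # publisher named in its code-signing certificate, if any


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Blacklist:
    """Signature-style anti-virus model: blocks only hashes already known to be bad (default-allow)."""
    known_bad: set

    def allows(self, s: Sample) -> bool:
        return sha256_hex(s.content) not in self.known_bad


@dataclass
class Whitelist:
    """Application-control model: allows known-good hashes or trusted publishers only (default-deny)."""
    known_good: set
    trusted_publishers: set
    revoked_publishers: set = field(default_factory=set)

    def allows(self, s: Sample) -> bool:
        if sha256_hex(s.content) in self.known_good:
            return True
        # Publisher trust is what a stolen signing certificate abuses until the publisher is revoked.
        return (s.signer is not None
                and s.signer in self.trusted_publishers
                and s.signer not in self.revoked_publishers)


def layered_verdict(sample: Sample, layers) -> dict:
    """Defense in depth: every layer runs; the sample executes only if all of them allow it."""
    blocked_by = [name for name, layer in layers if not layer.allows(sample)]
    return {"allowed": not blocked_by, "blocked_by": blocked_by}


def run_scenarios() -> dict:
    # Four constructed samples covering the cases the article discusses.
    approved = Sample("approved-server-binary", b"constructed: approved build v1", signer="VendorCo")
    zero_day = Sample("unknown-zero-day", b"constructed: never-seen-before payload")
    old_malware = Sample("known-malware", b"constructed: sample already in AV signatures")
    stolen_cert = Sample("malware-signed-with-stolen-cert",
                         b"constructed: payload signed with VendorCo's stolen key", signer="VendorCo")

    # Constructed policy state: AV knows the two bad hashes; app control trusts one build and one publisher.
    av = Blacklist(known_bad={sha256_hex(old_malware.content), sha256_hex(stolen_cert.content)})
    appctl = Whitelist(known_good={sha256_hex(approved.content)}, trusted_publishers={"VendorCo"})
    layers = [("anti-virus", av), ("whitelisting", appctl)]

    results = {}
    for s in (approved, zero_day, old_malware, stolen_cert):
        results[s.name] = {
            "anti-virus alone": av.allows(s),
            "whitelisting alone": appctl.allows(s),
            "layered": layered_verdict(s, layers),
        }

    # Incident response to the stolen certificate: revoke trust in the publisher.
    # The explicitly approved build keeps running because its hash, not its signer, is what was whitelisted.
    appctl.revoked_publishers.add("VendorCo")
    results["after-revocation"] = {
        "stolen-cert whitelisting alone": appctl.allows(stolen_cert),
        "approved still runs": appctl.allows(approved),
    }
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(name, verdict)
```

The two gaps the article describes fall out directly: the unknown sample passes the blacklist and is stopped only by the whitelist, while the sample signed with the stolen certificate passes the whitelist and is stopped only by the blacklist. Neither control alone blocks both; the layered verdict does, and revoking the publisher closes the whitelist gap without disturbing the explicitly approved build.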
