Looking For Good

Protecting IT systems from malware and attacks is a layered process with anti-virus applications, firewalls, intrusion detection sub-systems and more. However, the approach of looking for what is known to be bad in terms of malware, isn’t always the best way to stay secure according.

When it comes to keeping your IT systems secure, the current approach is to use anti-virus applications which use a virus signature database with records of known viruses, meaning you are vulnerable to attack in the time gap between when a new virus is observed “in the wild” and when your anti-virus provider updates its product with the latest virus detection signatures. So, you are vulnerable to any malware that your anti-virus provider hasn’t seen before.

This time gap could be hours or even longer. In some cases the virus companies never see the new virus if the victim doesn’t know, doesn’t report it or doesn’t want to reveal that they have been successfully attacked.

By looking for the “known bad” organisations are fighting something that is constantly changing. Virus companies report that they sometimes see as many as a 100,000 attacks a day. The majority of these attacks are easily stopped, but the ones that do get through can cause real damage.

Recognising this problem there has been a move to “defence in depth” security strategy comprised of a mix of anti-virus, intrusion detection, firewalls, that provide far greater protection than single device reliance. .

A New Approach

It’s time to consider an alternative approach to security. Instead of looking for the “known bad” or in other words known malware in a file, why not look for what is supposed to be in the file? In other words, look for “The Known Good”.

Known Bad vs. Know Good

By taking the ISO specification for the PDF standard, new technology looks at how a PDF is made. It then breaks it down into its core 1s and 0s and if anything is found which doesn’t conform to the ISO standard it can act on the variation from the “Known Good”.

The Problem Of False Positives

Originally in the anti-virus world the file may have been flagged and potentially blocked as being dangerous. The trouble with this approach is that you get too many false positives with files being held back that are of no danger to the recipient.

This new technology incorporates an intelligence engine that can recognise if a file doesn’t conform to the predetermined specifications for the file, because the PDF generator has made a minor mistake. Minor mistakes, whilst not exactly right are not a danger to recipients either. If you were to open the file it would work, it just wouldn’t look quite right. In this case new technology can repair files, reducing the risk of creating false positives and supporting business continuity.

Bypassing Dangerous ‘Rules’

There are also often issues with vulnerabilities in PDF files, such as PDFs which automatically want to be saved on to the PC hard disk. If the users allow this then the hidden virus payload is instantly installed on the machine without the person knowing.

This isn’t the sort of issue that anti-virus software is looking for. However, these new technologies look at the PDF, notice they don’t have the right values, quarantine the file and stop it saving to the hard disk and unleashing the virus.

With malware and malware creators becoming ever more sophisticated, it is time for companies to add further tools to their arsenal in the battle with cyber crime. Just as companies don’t rely on anti-virus software alone, but augment it with firewalls and usage policies, so companies need to look at other ways to stay safe. They could continue to look for the bad, however, it is more efficient and secure to look for the good.

Prior to joining Glasswall Solutions as a Commercial Director, Bob served as a 30-year US intelligence officer in the US Army and the Defence Intelligence Agency (DIA). While in the DIA, Bob was responsible for the security of over 40,000 computer systems that processed classified information in the US Army, US Air Force, the US Marine Corps and all Defence Agencies (less the National Security Agency). In 1998 Bob retired from US government service. Since then he has served as a visiting lecturer on Information Technology security at the US Defence Intelligence College, the US National Defence University, Georgetown University, George Mason University and the UK Defence Intelligence and Security School.