Foolish Reliance On AntiVirus Software

I recently received an email from another Sys Admin pushing the idea of a single corporate  Anti Virus Solution and the importance of getting it in place ASAP and having a single Management console for Reporting, Management etc etc.

Now knowing what I know about this guys company I had to compile a little list of things he might think about or consider implementing before he puts all his eggs in this really rather ‘hole’ y basket.

As far as I know this guys company has few if any of the following suggestions or security polices in place, and I’m sure this is true of many companies in the world.

Several factors can influence the rise of Malware detection, below are points that need to be considered before the Anti Virus Software and a single point of management can be considered effective.

1. You cannot rely on AV software to clean the network – This is the LAST LINE of DEFENCE.
2. Admin Rights need to be removed from all clients – This removes many of the ways Malware enters the systems.
3. Software Patching, not just Microsoft via WSUS, but other 3^rd party applications, Adobe Reader, Flash, Shockwave and Java Runtime Plug-ins, these applications are major sources of attack, all versions of these applications up to and some including the latest versions (Flash & Shockwave), are vulnerable to remote exploitation, there are 3^rd Party software patching systems available, (Secunia CSI/PSI).
4. Perimeter HARDENING. Use the functionality  of the UTM system not just the FW/VPN
5. Implement IPS/IDS systems to catch Malware entering the companies networks.
6. Tighten control of Re-Moveable media USB Sticks/CD etc. Provide scanning stations that users have to use before inserting USB or CD media into laptops/PC.
7. Enforce company policy to ensure users DO NOT install non approved software.
8. Use Web Content Filtering (WEBSENSE) to keep users away from web threats.
9. Use Multiple AV software to achieve a larger catchment, some AV software is better at picking up some Malware than others. Deploy specific AV software on servers, ie Email scanning AV on Mail servers.
10. Do Not use out of date/vulnerable software.
11. Educate the End User to be more aware of Web Threats and Social Engineering tactics.
12. Stop using Social Networking sites to Promote/Advertise the company. FACEBOOK has a high level of Malware propagation and very low security of personal data.
13. Consider implementing SIEM,(Security information Event Management System) This system tied in with an IPS/IDS will be far more effective than relying on the Endpoint AV solution.

This list of points is by no means the only options available and is in no particular order of significance, but I do feel that too much importance is being put on your Corporate Anti Virus solution when other factors need to be addressed.

My opinion is that by reducing the AV vendor down to 1, you are leaving your company at greater risk of Malware outbreak than with a mixed AV system and cannot see the Malware/Trojan detection rates from inside the company networks reducing until some or all of the above methods and systems are considered and implemented.

I would place a high priority on the following points,

2.Admin Rights Removal

3.Patching 3^rd Party Software

4.Perimeter HARDENING

6.Tighten Control of Re Movable Media

8.Web Content Filtering

9.Use Multiple AV software, use specific versions of AV on mail servers etc.

I would greatly appreciate any input from anyone who reads this post

Cheers.