My anti-virus is up to date so I am protected, right?

The world of malware was a lot simpler 20 years ago.

If you had received your monthly floppy disk containing the latest updates to your anti-virus software you could consider yourself relatively safe. (Assuming you actually took the disk out of the envelope and installed it, of course.)

Now we live in a far more complicated world when it comes to cybersecurity.

Nevertheless, I often hear people asking the same questions that they would have asked 20 years ago: “What is the latest software version?” and “What was the last identity file you released?”

I should stress that being on the latest software versions, with regular and live updates, is an essential part of modern security. The problem I have with those questions is when they are the only ones being asked.

Here is a typical scenario:

A user called Brian has a virus on his computer. He believes it must be a new zero-day threat because it got past his anti-virus software and he’s pretty sure he’s using the latest version.

Brian understands that no security vendor guarantees 100% protection, so he puts it down to a one-off. He checks that all his computers are using the latest versions and are downloading the latest threat updates. He is happy that they are, so he goes back to work.

The next day another ‘one-off’ attack happens…

So why is this happening? Is Brian being targeted by a cybercriminal gang? Does he need to change his anti-virus vendor?

The truth is that security is built up of layers, and ensuring the latest versions are being used is only one layer of your security.

This fact isn’t new. Imagine you are building a castle – would you consider yourself secure if you only built the walls? What about a moat, battlements, soldiers, catapults, a drawbridge, and so on…?

Now imagine you are Brian and you are using the latest next-generation, shiny new anti-virus software.

Are you safe if:

  • You aren’t regularly deploying the latest security patches?
  • You disabled a security feature after a user complained Facebook was slower?
  • You have unprotected mobile devices that can connect to file shares?
  • Your email doesn’t get scanned for viruses and spam?
  • Visitors can access your Wi-Fi, which is on the same network as your servers?
  • Anyone is allowed to turn on macros in Office documents they receive via email?
  • Users can read files they shouldn’t access at all and write to files they shouldn’t change?
  • You don’t require users to choose suitable passwords?
  • You ignore alerts from your security software that are warning you something is wrong?
  • You’ve forgotten about those old XP machines still running in the basement?

You can probably think up any number of examples to add to the list.

Now imagine if Brian took a more proactive approach to these recent threats.

He knows the attack wasn’t detected on his computer, but he isn’t sure whether his anti-virus software is configured according to best practice, so he double-checks all the settings and corrects some mistakes made by his predecessor.

Next he looks at the first virus, which he received on an email.

It was a Microsoft Word file with a macro that automatically ran when he opened the file, so he makes changes to stop macros from running without him first allowing it.

The second virus also arrived by email, but this one was a JavaScript file. For this he changes his Windows settings so that .JS files open in Notepad by default instead of executing. He also enables Application Control to stop JavaScript files from being able to run on his machines.

Next he looks at his email gateway product. This was upgraded recently but he notices that some of the new security features that came with it haven’t been enabled yet.

Next he looks at the access rights of his staff and makes some very overdue changes, including enforcing proper passwords.
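The two endpoint changes above (script files opening in Notepad, and Word macros not running unless explicitly allowed) are easy to drift back over time, so a quick audit helps. The following PowerShell script is an added example, not part of the original post or any vendor product; it reads the effective .JS/.JSE handler from the merged HKCR view and the Word macro setting (VBAWarnings) from the policy and user registry keys, and assumes Office 2016 or later (version key 16.0).

```powershell
# Added example (not from the original post): audit the JavaScript file handler
# and the Word macro setting that Brian changed. Read-only; run as the user being audited.
# Assumes Office 2016+ (registry version segment 16.0); adjust for other releases.

function Get-ScriptHandler {
    # Returns the command run when a file with this extension is double-clicked.
    # HKCR is the merged per-machine/per-user Classes view, so it shows the effective value.
    param([string]$Extension)
    $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Extension" -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { return $null }
    return (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
}

function Test-ScriptHandlerSafe {
    # Safe when Notepad is the handler; WScript/CScript means the script executes on double-click.
    param([string]$Extension)
    $cmd = Get-ScriptHandler $Extension
    return [bool]($cmd -and $cmd -match 'notepad\.exe')
}

function Get-WordMacroSetting {
    # A Group Policy value (Policies key) overrides the user's own Trust Center choice.
    # VBAWarnings: 1 = enable all, 2 = disable with notification (default), 3 = signed only, 4 = disable all.
    $paths = @('HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security',
               'HKCU:\Software\Microsoft\Office\16.0\Word\Security')
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        if ($v -and $v.PSObject.Properties['VBAWarnings']) {
            return [pscustomobject]@{ Source = $p; VBAWarnings = [int]$v.VBAWarnings }
        }
    }
    return $null   # no explicit value: Word uses its default of 2
}

$meaning = @{ 1 = 'all macros run'; 2 = 'user can click Enable Content'; 3 = 'only signed macros'; 4 = 'macros disabled' }

foreach ($ext in '.js', '.jse') {
    $state = if (Test-ScriptHandlerSafe $ext) { 'OK' } else { 'RISK: runs on double-click' }
    '{0,-5} handler: {1}  [{2}]' -f $ext, (Get-ScriptHandler $ext), $state
}
$macro = Get-WordMacroSetting
$level = if ($macro) { $macro.VBAWarnings } else { 2 }
$where = if ($macro) { $macro.Source } else { 'Word default (no registry value set)' }
$state = if ($level -ge 3) { 'OK' } else { 'RISK' }
'Word VBAWarnings={0} ({1}) from {2} [{3}]' -f $level, $meaning[$level], $where, $state
```

Values of 1 or 2 mean a macro-laden attachment still runs as soon as a user clicks Enable Content; the Policies key is the one to set if the change should survive users re-enabling macros in the Trust Center.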

These are just some examples of the different security layers that Brian has at his disposal.

The goal of security software is to stop threats. If the threat can be stopped by the first security layer then that’s great, but it’s not always as easy as that.

If an attack succeeds, it didn’t just get past your anti-virus – it got past everything.

The best way to stop it from happening again is to understand how it got through and make appropriate changes to prevent a repeat.