Friday, November 23, 2007

Analyze Risk

This article in Computerworld brings up an interesting problem. It reflects the claims of one Thierry Zoller who has been studying bugs in anti-virus software.

"...companies that try to improve security by checking data with more than one antivirus engine may actually be making things worse. Why? Because bugs in the 'parser' software used to examine different file formats can easily be exploited by attackers, so increasing your use of antivirus software increases the chances that you could be successfully attacked."

Zoller has found a number of parser bugs in anti-virus software. At least some, I am sure, are known to the most sophisticated hackers. But the level of risk of the two options is not as clear-cut as Zoller states. The problem at hand is one of analyzing complex and very subtle shades of risk when engineering security.

"People think that putting one AV engine after another is somehow defense in depth. They think that if one engine doesn't catch the worm, the other will catch it," he said. "You haven't decreased your attack surface; you've increased it, because every AV engine has bugs."

Is it better to have only one parser? Or are these holes so dangerous that we should have no anti-virus at all? Or is Zoller overstating the risk, so that two parsers are better than one? Sure, the attack surface increases the more parsers you have--for the attack vector targeting the parsers. Meanwhile, with fewer parsers, exposure to the virus/trojan threat vector increases. So, what is the optimal balance in this tradeoff?

While Zoller appears to ignore this crucial question as a researcher, infosec professionals responsible for architecting and engineering security solutions in their organizations don't have that luxury. Not if they want to spend resources where it counts the most, and provide a sufficient level of security to their companies at a proportional price.

To find the optimal balance, look at the risk of each available alternative, while seeking to minimize both risk and cost (ultimately the business has to decide what level of cost and risk mitigation is acceptable).

As we all know, risk is a product of likelihood and impact. Likelihood of an attack is based on the types of threat sources, their capabilities, motivations, and attraction to your information assets, and also on how widespread or easily obtained information about the attacks in question is. Impact of a successful compromise is based on the attack itself, the intent of the attacker, the value of your data, and the mitigating security controls in place.

For the situation above, on one hand, common viruses and email-borne trojans are very common. Attackers range from the fairly unsophisticated aiming to expand a bot empire and/or steal personal information, to motivated and reasonably equipped corporate spies targeting companies with spear-phishing attacks and such. Less common are highly sophisticated attackers leveraging true 0-day exploits such as those in anti-virus parsers. But they are out there.

Arguably, the more targeted and sophisticated the threat source and attack, the more impact is possible per compromise, although in aggregate, common anti-virus threats may represent more financial risk to the company through sheer volume than highly sophisticated anti-virus parser attacks. It depends on the value of the data, and the impacts of its compromise.

Don't forget to consider mitigating controls. Look at existing controls, and consider additional controls--and their cost--for each alternative. Suppose we use an architecture that isolates the email anti-virus engines, with excellent egress filtering controls in place, among other countermeasures. Such controls alone may largely mitigate the risk of the anti-virus parser compromise attack vector.

Likewise, the anti-virus is itself a control. The number of anti-virus engines strongly affects how many malware emails pass through (and result in a successful compromise). Fewer engines mean a greater likelihood of compromise through that attack vector.

Running two A-V parsers doesn't guarantee doom. But it might bring it. It depends on all of these factors, and risk analysis will help you answer this question and make good tradeoff decisions.
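To make the tradeoff concrete, here is an added example (not from the original post) that scores each alternative as likelihood times impact for both attack vectors, adds engine cost, and shows how the mitigating controls discussed above can flip the answer. Every engine, rate and dollar figure in it is a constructed assumption, not a measurement.

```python
# Toy risk model for the "how many AV engines" tradeoff; all figures are constructed.
import math
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Engine:
    name: str
    miss_rate: float       # P(this engine misses a given malware sample)
    parser_exploit: float  # P(a parser bug in this engine is exploited against us in a year)
    annual_cost: float     # licence plus operations, per year

@dataclass(frozen=True)
class Environment:
    malware_emails: float         # malicious emails arriving per year
    compromise_given_miss: float  # P(a missed sample leads to a compromise)
    malware_impact: float         # loss per common-malware compromise
    parser_impact: float          # loss per parser-exploit compromise (targeted, so higher)
    parser_mitigation: float      # share of parser-attack impact removed by isolation/egress controls

def malware_risk(engines, env):
    # Likelihood x impact for the common vector: every engine must miss the sample.
    p_all_miss = math.prod(e.miss_rate for e in engines)  # 1.0 when there are no engines
    return env.malware_emails * p_all_miss * env.compromise_given_miss * env.malware_impact

def parser_risk(engines, env):
    # Likelihood x impact for the parser vector: each engine adds its own attack
    # surface, and mitigating controls scale the impact down.
    p_none = math.prod(1.0 - e.parser_exploit for e in engines)
    return (1.0 - p_none) * (1.0 - env.parser_mitigation) * env.parser_impact

def annual_exposure(engines, env):
    return malware_risk(engines, env) + parser_risk(engines, env) + sum(e.annual_cost for e in engines)

def best_option(options, env):
    """Return (label, exposure) of the alternative with the lowest risk plus cost."""
    scored = {label: annual_exposure(engs, env) for label, engs in options.items()}
    label = min(scored, key=scored.get)
    return label, scored[label]

# Constructed scenario: a strong engine A and a weaker engine B with a buggier parser.
A = Engine("A", miss_rate=0.05, parser_exploit=0.02, annual_cost=5_000)
B = Engine("B", miss_rate=0.50, parser_exploit=0.05, annual_cost=4_000)
OPTIONS = {"no engine": [], "A only": [A], "A+B": [A, B]}
UNMITIGATED = Environment(20_000, 0.10, 5_000, 10_000_000, parser_mitigation=0.0)
ISOLATED = replace(UNMITIGATED, parser_mitigation=0.9)  # engines isolated, egress filtered

if __name__ == "__main__":
    for label, env in (("no isolation", UNMITIGATED), ("isolated", ISOLATED)):
        print(label, best_option(OPTIONS, env))
```

With these figures the second engine is a net loss when its parser is exposed, but becomes the cheapest option once isolation and egress filtering cut the parser-attack impact; changing any assumption (or the threat landscape) can move that line again.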

Don't forget that threats change. The best option today may be terrible in a month, or a year, or some time in the future. Keep that in mind, and revisit risk analysis tradeoffs, too.