Most people think of antivirus software as a solid line of defense for their work and home networks. But it may not be providing as much protection as they think, security experts say.
Not only have hackers gotten better at getting around such programs, in rare cases they have even used antivirus software itself to gain a foothold into sensitive data. The result is that many web users are browsing the internet with a false sense of invincibility.
“Compare antivirus software to the lock you buy from Home Depot
for your front door,” says Stu Sjouwerman, chief executive of KnowBe4 Inc., a provider of enterprise-security training programs. “Anyone with a small amount of skill can pick that lock and get in your house, but the lock will also keep out a lot of people who don’t have those skills.”
A valuable target
Ninety-three percent of U.S. enterprises with at least 500 employees rely on security products to protect their technology, according to an August study published by security-product testing firm NSS Labs Inc. Jon Oltsik, senior principal analyst at market-research firm Enterprise Strategy Group, puts the number of individual consumers running antivirus software in the “65% to 70% adoption range.” Other consumers rely on the security software that comes baked into popular operating systems like Windows 10, from Microsoft Corp.
Antivirus software can help mitigate risks such as hacked email and social-media accounts, identity theft and malware that locks up victims’ computers until they pay a ransom.
But hackers are constantly finding gaps in its protections, and consumers and businesses often fail to keep their antivirus software updated, undermining its effectiveness. What’s more, antivirus software is a highly valuable target for hackers, and if infiltrated could provide access to the very information it is supposed to be protecting.
In September, the U.S. Department of Homeland Security issued a binding directive that requires federal government agencies to remove products from Moscow-based antivirus-software provider Kaspersky Lab from their networks within 90 days, amid continuing suspicion the company may have ties to Russian intelligence services. Rob Joyce, the White House cybersecurity coordinator, has also advised Americans not to use Kaspersky products.
In a statement, Kaspersky Lab says it “does not have any unethical ties or affiliations with any government, including Russia…Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues.”
Today, antivirus software is most effective at preventing common attacks such as phishing emails that try to entice users to click on malicious links, or infected banner advertisements on otherwise legitimate web pages.
However, even the most advanced antivirus products only detect known viruses. New strains of malicious software—such as the attack known as Petya that affected a range of companies in June—are being created at such a fast pace that antivirus companies are constantly rushing to squash the newest bugs. Hackers have an advantage in that they can view public websites that catalog which security providers are capable of protecting against which viruses.
“The bad guys are really good at tweaking their software just a little bit to convince antivirus products that malware is actually benign and safe to let through,” says Oltsik. “Vendors are generally good at updating, but the cybercrime underground is getting better at writing very specific attacks that are harder to stop.”
Move toward AI
The next generation of security software aims to abandon the traditional antivirus approach altogether, in favor of artificial intelligence. By monitoring user behavior such as typing speed, mouse clicks and other factors, newer security products aim to identify when a trusted user has been hacked. If a company employee tries to access sensitive company health records or intellectual property at a strange hour, for instance, AI algorithms in various products would aim to stop that behavior or log it as a potential breach. Traditional antivirus providers have also sought to incorporate artificial intelligence and other algorithms into their existing offerings.
Meanwhile, consumers should take extra measures to stay ahead of hackers, experts say. Keeping antivirus software updated is a simple, yet critical step. Multifactor authentication, which uses multiple methods to confirm a user’s identity—usually password credentials, along with a text message to a user’s phone—can improve a person’s digital health. So can the use of ad-blocking software to avoid any malicious pop-ups or infected banner ads.
“It is an absolute misnomer that a single security product will save the day,” says Mischel Kwon, chief executive of the security consultancy firm MKA Cyber Inc. and former director for the U.S. Computer Emergency Readiness Team. “We should be looking at our own hygiene.”
For companies, the best approach may be to use more than one security product.
Some 65% of the organizations polled in Cisco Systems Inc.’s
2017 Annual Cybersecurity Report, which surveys midmarket and large enterprises, say they rely on six or more antivirus products to protect their corporate networks, while 28% use more than 11 antivirus vendors.
Edna Conway, chief security officer for Cisco’s global value chain, also recommends that organizations vet their third-party partners closely when possible. “It always comes down to the same fundamentals of knowing who you’re working with,” she says.
Attacked from within
But even that won’t guarantee a company’s safety, and there have been a few instances where the security software that firms relied on to protect their networks were used against them.
In 2013, application-security company Bit 9 Inc. announced that hackers had infiltrated its software. Bit 9’s chief executive wrote in a blog post at the time that “an operational oversight” made it possible for attackers to then use Bit 9’s trusted credentials to aim malware at clients. (Bit 9 has since merged with the security company Carbon Black Inc.)
“Security vendors are like any application-development shop out there,” says Rick Holland, vice president of strategy at the threat intelligence firm Digital Shadows Ltd. “If someone is looking at that code, they can find vulnerabilities in there. That’s the bottom line.”
Nearly two years before the Bit 9 breach, RSA Security LLC confirmed that outsiders stole information about RSA’s SecurID authentication program as part of an apparent attempt to infiltrate U.S. defense contractor Lockheed Martin Corp.
The attackers sought to leverage a trusted identification device from RSA, which was a subsidiary of EMC Corp. at the time, to infect their target.
Lockheed was able to mitigate the breach, but the case raised alarm bells throughout the security community.
Still, experts say organizations need to balance those kinds of risks with the need to protect themselves from far more common threats like phishing.
“There are some things in life you want to do even if they’re not perfect, and antivirus is in that category,” Conway says.
Jeff Stone is a copy editor for The Wall Street Journal in New York and a staff reporter for WSJ Pro Cybersecurity. He can be reached at email@example.com.
The story “The Limits of Antivirus Software” first appeared in The Wall Street Journal.