“Defence-in-depth, sometimes called layered security, is a philosophy that embraces the concept of multiple defences against threats,” observes Emmanuel Carabott, Security Research Manager, GFI Software, questioning New Zealand businesses’ use of patch management software.
“Rather than putting all the proverbial eggs in one basket and relying upon a single security strategy, multiple and different technologies, policies and practices all work together to provide as thorough and effective protection as is possible.
“It sounds good on paper, and it works great in practice, but far too often organisations – particularly smaller ones – pass over patch management software in the false belief that their antivirus software will protect them against all information security threats.”
This is not only dangerous, Carabott claims, “but it’s completely wrong.”
So much so that while antivirus software is a critical protection, and should be installed on all systems, Carabott believes the purpose of antivirus software is to simply “protect against malware.”
Whether that is a piece of code that a user tries to download and run, or a malicious script that is hosted on a website, or a worm that tries to propagate from system to system, malware is code that has a recognisable binary pattern and acts in a recognisable way.
“It’s designed to work against code specifically written to cause harm,” she explains. “What antivirus software is not built for or capable of doing is protecting against faulty code in otherwise approved applications.
“Patches are designed to fix bad code; collectively called bugs. That code could be a mistake made by a programmer, or an incompatibility with another piece of software, or perhaps instead it is code that just is not as good as it could be.
“When that mistake can be exploited by an attacker, patching that code may be the only way to prevent the vulnerability from being exploited.”
Carabott believes antivirus software acts upon malware that is already present on the system.
How did it get there? Well, frequently that code can get there through a bug, she explains.
“The problem is that malware may do things thanks to an opening created by the bug, but won’t necessarily result in any code picked up by the antivirus software and blocked,” she explains.
“When a piece of buggy code allows an attacker remote access to your system, antivirus software will not detect or prevent that access.
“Another way of looking at this is to compare antivirus software to a security guard, and patches to good locks.
“Sure, the guard can react to the presence of a thief, but the locks could proactively keep the thief completely out of the system. If the thief gets in, how much damage could be caused before the guard finds him?”
Just as Kiwi organisations need antivirus software on all systems, Carabott says its critical to ensure that the necessary patches installed are on all the systems that require them.
“The best way to accomplish that is by using patch management software,” she adds. “Patch management software – either installed onsite or based in the cloud – provides you with a centralised application that can deploy patches to every system on the network.
“It can also assess those systems so that you know exactly what each needs. In essence, it does the heavy lifting for you, upgrades the locks and secures the latches.
“Patching is an on-going task, with both monthly releases from the major operating system vendors and unpredictable releases from software vendors as new vulnerabilities are discovered.”
Carabott says automatic updates can take care of the operating system, but only if organisations trust all those patches to work on all systems without testing.
So while antivirus software is absolutely critical and has its proper place in networks, Carabott’s overriding message is simple.
“It’s no substitute for patch management software,” she adds. “Using both will help to bolster your defences and is a good start towards that layered security approach.”