During a four-month-long cyberattack by Chinese hackers on the New York Times, the company’s antivirus software missed 44 of the 45 pieces of malware installed by attackers on the network.
That’s a stunning wake-up call to people and businesses who think they are fully protected by their antivirus software.
“Even the most modern version of antivirus software doesn’t give consumers or enterprises what they need to compete in the hacker world,” said Dave Aitel, CEO of security consultancy Immunity. “It’s just not as effective as it needs to be.”
The New York Times said it had an antivirus system from Symantec (SYMC, Fortune 500) installed on devices connected to its network. The Chinese hackers built custom malware to, among other things, retrieve the usernames and passwords of Times reporters. Since that brand-new malware wasn’t on Symantec’s list of forbidden software, most of it was allowed to pass through undetected.
Symantec responded that it offers more advanced solutions than the one the New York Times (NYT) deployed.
“Advanced attacks like the ones the New York Times described underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions,” the company said in a written statement. “Antivirus software alone is not enough.”
“Commercially available solutions are available to everyone,” said Rohit Sethi, head of product development for SD Elements, a security firm. “It’s not hard for attackers to learn how to evade detection, and they’re coming up with ingenious ways of doing just that.”
The solution, security experts say, is to deploy technology that keeps a very, very close eye on what’s happening inside your network. You can’t always prevent attackers from getting in, but you can at least set tripwires to alert you when they do.
In the New York Times’ case, the company suspected that it would be attacked because of its investigation into Chinese Prime Minister Wen Jiabao’s family finances. It asked AT&T (T, Fortune 500) to monitor its network. AT&T quickly picked up suspicious signs. Two weeks later, when the extent of the infiltration became clear, the Times hired security consultancy Mandiant to track the attackers’ movements through its systems.
“Attackers no longer go after our firewall,” Michael Higgins, the Times’ chief security officer, told Times reporter Nicole Perlroth. “They go after individuals. They send a malicious piece of code to your e-mail account and you’re opening it and letting them in.”
From there, the best thing companies can do is track what attackers are doing.
“The question we always ask our customers is, ‘Do you know every program running on your network?’” said Immunity’s Aitel. “When you know the answer to that question, you don’t need antivirus software. When you don’t, you’re screwed.”
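The contrast Aitel draws, between a vendor’s list of known-bad programs and an organisation’s own knowledge of what runs on its machines, can be shown side by side. The following is an added example, not code from the article or from any vendor named in it; the hostnames, paths and file contents are constructed stand-ins for a real process inventory.

```python
import hashlib
from typing import List, Set, Tuple

Inventory = List[Tuple[str, str, bytes]]  # (hostname, image path, file contents)

# Constructed sample inventory. Real tooling would hash the binaries on disk;
# here the "contents" are placeholder bytes so the example runs offline.
CLEAN_INVENTORY: Inventory = [
    ("newsroom-01", r"C:\Windows\System32\svchost.exe", b"svchost-v1"),
    ("newsroom-01", r"C:\Program Files\Editor\editor.exe", b"editor-v7"),
    ("newsroom-02", r"C:\Windows\System32\svchost.exe", b"svchost-v1"),
]
# Same fleet later, with a never-before-seen binary in a user-writable folder.
CURRENT_INVENTORY: Inventory = CLEAN_INVENTORY + [
    ("newsroom-02", r"C:\Users\reporter\AppData\Local\Temp\update.exe", b"implant-build-1"),
]

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Signature blocklist: hashes of malware the vendor has already catalogued.
# A custom build that has never been submitted to the vendor is absent by definition.
KNOWN_BAD: Set[str] = {sha256(b"older-commodity-trojan")}

def build_baseline(clean_inventory: Inventory) -> Set[str]:
    """Record every image hash running on a fleet believed to be clean.
    A baseline captured after an intrusion silently approves the intruder's
    tools, so it must come from a known-good snapshot, not from today's state."""
    return {sha256(blob) for _, _, blob in clean_inventory}

BASELINE: Set[str] = build_baseline(CLEAN_INVENTORY)

def blocklist_alerts(inventory: Inventory) -> List[str]:
    """Antivirus-style check: alert only on images whose hash is already known bad."""
    return [f"{host}:{path}" for host, path, blob in inventory if sha256(blob) in KNOWN_BAD]

def baseline_alerts(inventory: Inventory) -> List[str]:
    """Tripwire check: alert on any image whose hash is not in the approved baseline."""
    return [f"{host}:{path}" for host, path, blob in inventory if sha256(blob) not in BASELINE]

if __name__ == "__main__":
    print("blocklist caught:", blocklist_alerts(CURRENT_INVENTORY))  # nothing
    print("baseline caught: ", baseline_alerts(CURRENT_INVENTORY))   # the Temp\update.exe
```

Every legitimate patch changes file hashes as well, so a production baseline is usually keyed on code-signing publishers or maintained through a change process rather than on raw hashes alone.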
Experts say that antivirus software is still a good, basic thing to have. Owning an antivirus solution is like putting the Club in your car — it’s not going to stop a determined thief, but it’s going to make stealing your stuff more difficult.
Antivirus software maker Avast, whose free antivirus software is among the most widely used, says there’s a major distinction between the kinds of threats encountered by everyday Web surfers and the carefully targeted attack the Times faced.
“Seatbelts and airbags are wonderful protection and improve the safety of millions, but they will not stop a bullet fired — say by a hired killer,” said Jindrich Kubec, Avast’s threat intelligence director. “Does it mean you will stop using airbags and seatbelts?”
Some antivirus solutions are better than others. In a recent analysis, Immunity simulated attacks against networks protected by the top-of-the-line software built by Symantec, Kaspersky Labs and Intel’s (INTC, Fortune 500) McAfee security division.
Immunity was able to break into the systems protected by Kaspersky and McAfee in two days. Symantec was the best of the breed, with Immunity unable to penetrate it in the several days it gave itself to achieve the task.
“New reputational-based software works to an extent,” Aitel said, referring to systems that aim to contextualize the threats they detect. “But deep down, nothing is as good as having a proper awareness about what’s going on in your network.”