Many in the sports world tell us that "defense wins championships" and in some cases, this may be true - until it's not. The strategy of an aggressive attacking style of offense has two main advantages. One, you are distracting your opponent from their own attempts to score and two, you are focusing your team on the main path to a win; scoring points. The strategy that the best defense is a good offense can also be applied to cybersecurity.
Past anti-malware strategies have focused on reactive technologies such as intrusion detection, content filtering, and detecting and blocking malware.
There is an ongoing argument as to how effective those reactive technologies are but there is no doubt that the success of these solutions hinges on the effectiveness of the system and the capability of the system administrator.
There are plenty of malware detection systems on the market and many of them are very good, but the fact is that there are many more malware sources out there so there is a lot of pressure on the malware detection system to stay up to date. It really is an uphill battle and will never be 100% fool proof.
The number of different malware signatures is growing at an exponential rate and is flooding the detection system's ability to find and include each malware signature in its databases. In just one year, the different malware signatures detected grew from around 700 million to over 900 million!
Malware attacks today are almost always automated. The goal is to use search and destroy programs to find thousands of vulnerable computers into which malware can then be installed. The desired result is to build a botnet – a large network of computers that is ready to do the bidding of the controller.
The goal of a botnet operator is to quickly get as many compromised machines as possible, with no regard for the victims. This means the ‘low hanging fruit’ – the machines that are easiest to attack – will be compromised and the sites and servers that are even slightly harder to crack are skipped. This strategy puts to rest the theory that only certain businesses are vulnerable to attack.
Knowing that attackers are bound to use an automated attack, the best countermeasure is to make sure your site and network are less vulnerable than others. Think the old adage "I don't have to run faster than the lion just faster than the guy next to me". By identifying and eliminating your underlying vulnerabilities instead of attempting to detect and block the attacks you make your network less appealing to attack than hundreds of thousands of others who have left their vulnerabilities exposed.
By addressing this relatively small set of vulnerability issues, you can easily cause the attacker (typically an automated ‘bot’) to move to their next target rather than trying harder to penetrate your network.
Low-Cost Common Sense
Vulnerability Assessment and Management (VAM) has been a major pillar of network security in enterprise-grade, Class A networks for many years. Within just the last couple of years, the cost of VAM has come down to the point that SMBs are discovering the appeal of fixing their relatively few vulnerabilities rather than attempting to identify and block every malware attack signature before it can infiltrate your network.
Vulnerability assessment tools scan every node on a network on a frequent, regular basis. Doing a penetration test, or having a security consultant scan your network once a year, every 6 months or even every 3 months doesn’t cut it. They must be done regularly – on a weekly or at the very least monthly basis. The reason is obvious – Microsoft alone discloses a boatload of vulnerabilities every month (on “Patch Tuesday“), every one of which can affect your organization and open a potential security risk. But on top of that – networks are dynamic. Someone changing the firewall configuration can accidentally create an opening for an attacker.
What is a Vulnerability Assessment?
Vulnerability Assessment (VA) is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. Think of it as a network scanner that will first identify the components on your network. It will find all the endpoints from PCs to Printers and Scanners and phones and Wi-Fi access points. It will find all software proprietary and 3rd party and firmware. Once this list is compiled the VA tool will then scan each component bombarding them with data to uncover any vulnerabilities.
This exercise is a load on the network so it's recommended that it run after hours. The reports generated will help to identify risk areas that can be addressed individually
Need a Vulnerability Scan?
With a list of weaknesses in hand, you can set about to fix them one by one. Typically the fix will involve a simple patch or update to a current version. For example, the well-known Microsoft printer spooling exploit was fixed with a security patch.
We strongly believe that periodic vulnerability scans, coupled with even basic malware detection and blocking, will be enough to prevent an organization from being compromised and becoming a part of a botnet – not because either method of defense alone leads to the absolute protection, but because they harden the organization enough for the botnet operator to simply give up and move on to their next target.
It might be more exciting to talk about detecting and blocking attacks but it is impractical, reactive, and often impossible to do without expensive, high maintenance systems. It is much more effective (and less expensive) to be proactive and run periodic vulnerability scans to detect the relatively easy-to-find vulnerabilities and plug those holes before they are used by attackers.