Would you ever expect a well established anti-virus company to fail to provide you with signature updates? Would your company's security policy be ready to deal with such a situation?
Copyright © 2006 Virus Bulletin
From time to time we witness events that seem so unlikely or unwanted that they almost defy belief. Occasionally, such an event occurs within the IT security business. This article has been inspired by events that have been described by many as 'unbelievable'.
The story is short and simple: recently, a local AV vendor had some serious problems with producing signature updates for its product, and failed to update its scanning engine for as long as two weeks. (Unfortunately it seems that, at the time of writing, the problems have yet to be resolved and updates are still sporadic and infrequent.)
Would you ever expect a well established anti-virus company to fail to provide you with signature updates while the company was still operational? Many security officers probably did not. We have seen buyouts of anti-virus companies, and even bankruptcy in the past, but in these cases measures have usually been put in place to ensure continuity in malware protection for customers.
Broken or invalid signature updates are also something with which we are familiar, but this situation is something new and worrying – especially considering that the ie_xp_pfv_metafile  exploit was used widely and Microsoft security bulletins MS06-001 , MS06-002  and MS06-003  were all released during the period in which no updates were provided.
This got me thinking about the past. Historically, security policies have been shaped by critical events. Consider, for example, corporate security policies dated prior to 2001. In how many would you find reference to scenarios involving terrorist attacks or BCP (business continuity planning)?
Despite the various mathematical models we use for risk analysis, we always seem to learn the hard way in the security area. So what we can learn from this story? I think the following are the most important points:
The failure of a safeguard may not always be the result of a direct, easily foreseen technical issue. Even risk management-driven security policy can be flawed simply due to incomplete threat and risk catalogs. This might pose an even more important question: is risk management the right approach? After all, in evaluating risks and threats we rely partly on historical data. If a particular event has a very rare occurrence, then we might wrongly ignore it.
The defence-in-depth strategy suggests that we should never rely on one safeguard to protect a particular asset. This may be tricky to implement in the case of malware protection as many organizations use a single product that operates at different levels of the network.
The use of a multiple-engine product won't necessarily provide continuity in malware protection if, for example, the vendor of that product encounters problems.
Some might say that the situation described above is unlikely to happen where the well established vendors who operate worldwide (the 'big players') are concerned. Try telling that to Arthur Andersen or Enron shareholders.
We have to ask whether our security policies and BCPs are ready to deal with such a situation. It seems that using two different products from different vendors (based on different engines from different vendors) could be a wise move.
The introduction of stack protection mechanisms and IDS/IPS systems might seem like a good solution too. But we could be very wrong – for example, the MS06-001  vulnerability is not stack overflow-based – so we should remember that DEP and MS/GS mechanisms are not the final solution to system security. While it's easy to filter out well known attack web servers that contain exploits, it's far from being the final solution – even in the case of this particular vulnerability. Not every vulnerability exploitation process is easy to detect using a signature-based approach – even methods based on code emulation can have serious problems. Along with Dave Aitel , I'm curious as to how IDS/IPS vendors will approach this problem.
So as you can see, we have entered the new year with new vulnerabilities and new challenges. I wonder what the maximum length of time is that an AV vendor can stay operational without providing updates. I hope that none of VB's readers will ever have to find out.
 MetaSploit Framework: http://www.metasploit.com/.
 Message: [Dailydave] Commander Keen in Fonts, 14 January 2006, http://lists.immunitysec.com/pipermail/dailydave/2006-January/002828.html.