Upload: itrust-cybersecurity-as-a-service
Post on 20-Jan-2017

Antivirus vulnerability calls for a multi layered cybersecurity approach

Earlier this week it was revealed that the antivirus engine (AVE) used across Symantec products contained a critical vulnerability, turning the security product itself into an easy-to-exploit entry point. This is the latest in a troubling string of flaws uncovered in conventional IT security products. Unfortunately for antivirus vendors, the road seems to be heading downhill from here on. More and more enterprises and individual users alike are realizing that the time has come to step up their cybersecurity game.

Discovered by Google security researchers, the Symantec vulnerability could be exploited remotely, enabling attackers to execute code on the user's workstation. Once the attack was prepared, all an attacker had to do was e-mail a file carrying the malicious payload to any target. The crafted input does not need to be opened or executed by the victim: the AVE installs a filter driver that intercepts incoming and outgoing file operations and scans every file automatically, so simply receiving the file is enough to hand the attacker's data to the vulnerable parser.

 

Hope for the best and prepare for the worst

The vulnerability, rated 9.1 / 10 in the CVSS[1] by Symantec, does the most damage on Windows, where the scan engine is loaded directly into the kernel. As soon as a file's header identifies it as a portable executable packed with ASPack (a Win32 executable compressor), the AVE unpacks it in order to scan the decompressed contents, and on Windows that unpacking runs in kernel mode, the most privileged region of the operating system. What does this mean? Parsing attacker-controlled headers with an unpacker that trusts the sizes and offsets they declare is a textbook memory safety vulnerability: a malformed header makes the unpacker read or write past its buffers, and in the kernel the mildest outcome is the Blue Screen of Death and a full system crash, while a carefully crafted file can turn the same corruption into code execution with kernel privileges.
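To make the bug class concrete, here is an added example (not Symantec's or ASPack's code, and not part of the original article) of an unpacker that trusts a size field taken from the file it is scanning, next to the hardened version a kernel-mode scanner needs. The "PKD1" container format, the 64-byte scratch buffer, the sample files and the result codes are all constructions for this illustration; the real ASPack layout is far more involved, but the failure mode is the same: a length or offset declared by the file drives a copy into a fixed buffer.

```c
/* Added illustration, not Symantec's code: the bug class behind an unpacker
 * that trusts sizes declared by an attacker-controlled executable header.
 * The "PKD1" container format, the 64-byte scratch buffer and the sample
 * files below are hypothetical constructions for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCRATCH_SIZE 64u   /* fixed unpack buffer, as a kernel driver might keep */
#define HDR_MAGIC    "PKD1"
#define HDR_LEN      8u    /* 4-byte magic + 32-bit little-endian unpacked size */

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VULNERABLE pattern: copies as many bytes as the header declares into a
 * fixed buffer.  A file declaring more than SCRATCH_SIZE bytes, or more than
 * it actually contains, makes memcpy run past the buffer.  In kernel mode
 * that is memory corruption: a crash at best, code execution at worst. */
static int unpack_trusting(const uint8_t *file, size_t file_len, uint8_t *scratch)
{
    if (file_len < HDR_LEN || memcmp(file, HDR_MAGIC, 4) != 0)
        return -1;                               /* not this format: skip */
    uint32_t declared = rd32le(file + 4);
    memcpy(scratch, file + HDR_LEN, declared);   /* BUG: declared is unchecked */
    return (int)declared;
}

/* HARDENED version: every length taken from the file is validated against
 * the destination capacity and the bytes really present before any copy. */
static int unpack_checked(const uint8_t *file, size_t file_len,
                          uint8_t *scratch, size_t scratch_len)
{
    if (file_len < HDR_LEN || memcmp(file, HDR_MAGIC, 4) != 0)
        return -1;                                /* not this format: skip */
    uint32_t declared = rd32le(file + 4);
    if (declared > scratch_len)        return -2; /* would overflow destination */
    if (declared > file_len - HDR_LEN) return -3; /* header lies about payload size */
    memcpy(scratch, file + HDR_LEN, declared);
    return (int)declared;
}

/* Build a constructed sample file: magic, declared size, then the payload. */
static size_t build_sample(uint8_t *out, uint32_t declared, const char *payload)
{
    size_t plen = strlen(payload);
    memcpy(out, HDR_MAGIC, 4);
    for (int i = 0; i < 4; i++)
        out[4 + i] = (uint8_t)(declared >> (8 * i));
    memcpy(out + HDR_LEN, payload, plen);
    return HDR_LEN + plen;
}

/* Run the hardened unpacker on a sample; returns its result code. */
int check_sample(uint32_t declared, const char *payload)
{
    uint8_t file[128], scratch[SCRATCH_SIZE];
    size_t len = build_sample(file, declared, payload);
    return unpack_checked(file, len, scratch, sizeof scratch);
}

/* The trusting unpacker is only ever run on a well-formed sample here:
 * feeding it the oversized header would really overrun the stack. */
int trusting_on_benign(void)
{
    uint8_t file[128], scratch[SCRATCH_SIZE];
    size_t len = build_sample(file, 5, "hello");
    return unpack_trusting(file, len, scratch);
}

int main(void)
{
    printf("benign file, checked   : %d\n", check_sample(5, "hello"));
    printf("declares 2 GiB, checked: %d\n", check_sample(0x7fffffffu, "hello"));
    printf("declares 32 of 5 bytes : %d\n", check_sample(32, "hello"));
    printf("benign file, trusting  : %d\n", trusting_on_benign());
    return 0;
}
```

The two checks in `unpack_checked` cover the two ways a header can lie: a declared size larger than the destination (stack or pool overflow on write) and a declared size larger than the payload actually present (over-read past the end of the file mapping). Both must be tested before the copy, and against the sizes the code really has, not the ones the file claims; the example deliberately never calls `unpack_trusting` on the oversized sample because, unlike a user-mode crash, there is no safe way to demonstrate a kernel overrun.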

A patch was issued almost immediately after the flaw's disclosure. All's well that ends well, right? Not exactly. This quick fix does not change the underlying reality. The general public still lives under the impression that the threat landscape is static, something that does not really affect us in the here and now. By the time everyone has finished updating their antivirus, new vulnerabilities will in all likelihood have appeared.

The solution? Expect change. Time renders any single solution obsolete, and to fight these unfavorable odds we must build a consistent security ecosystem around our IT environments. Even up-to-date antivirus tools are no longer enough against advanced attacks (as we covered in our previous article, “How to cure yourself of antivirus side-effects”). That is why industry vendors should make it their responsibility to help businesses adapt their strategy to a multi-layered cybersecurity approach.


Time to step up your cybersecurity game

Suppose for a moment that the Symantec AVE vulnerability had never been discovered last week, and that the targets had only basic security tools at their disposal. It would not be a stretch to assume that related incidents would be all over the news by now.

Now replay the same scenario, only this time the target had the good sense to deploy behavior analytics. An attacker breaks in through the same flaw and lets the malware do its thing. Would the outcome be the same? Definitely not. This extra layer of protection bridges the intelligence gap that antivirus faces, identifying the threat before it reaches the end of the kill chain, for instance at the moment the malware tries to contact its command-and-control (C&C) server, an action that stands out from the host's normal traffic.

One of the main issues with traditional network protection is the false sense of security that tools such as antivirus and firewalls create. The aim is to catch the attacker in the act, not merely react in the aftermath of an attack. By implementing multiple layers of security, based on continuous monitoring of system vulnerabilities and behavior anomalies, enterprises of all sizes can shorten their detection and response times and gain broader, deeper insight into what is happening on their networks.
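As an added example of the kind of behavioral check the two paragraphs above describe (this is illustration code written for this page, not Reveelium's product logic), here is a beaconing detector run over a constructed outbound-connection log. Malware that phones home typically polls its C&C server on a fixed timer, so the intervals between connections to that destination are far more regular than a user's browsing; the detector flags any destination with enough connections whose interval jitter is small. The log entries, the host names, and the thresholds (at least 5 connections, coefficient of variation under 0.1) are assumptions made for the example.

```c
/* Added illustration, not Reveelium's product logic: one behavioral check a
 * monitoring layer can run on outbound-connection records.  Malware that
 * phones home typically polls its C&C on a fixed timer, so the intervals
 * between connections to that destination are far more regular than a
 * user's browsing.  The log below is constructed for this example and the
 * thresholds (5 hits, coefficient of variation under 0.1) are assumptions. */
#include <stdio.h>
#include <string.h>

struct conn { double ts; const char *dst; };   /* seconds since start, destination */

/* Constructed sample: ordinary browsing interleaved with a 60 s beacon
 * (with a little jitter) to an unfamiliar host. */
static const struct conn SAMPLE[] = {
    {   0, "cdn.example.net" }, {   3, "mail.example.com" },
    {  47, "cdn.example.net" }, {  48, "cdn.example.net" },
    {  60, "update-srv.example.org" },
    { 121, "update-srv.example.org" },
    { 130, "cdn.example.net" },
    { 179, "update-srv.example.org" },
    { 240, "update-srv.example.org" },
    { 301, "update-srv.example.org" },
    { 359, "update-srv.example.org" },
    { 400, "cdn.example.net" }, { 402, "mail.example.com" },
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

#define MIN_HITS 5
#define MAX_CV   0.1   /* stddev / mean of the inter-connection intervals */

/* Collect the inter-arrival intervals for one destination (log assumed
 * sorted by time).  Returns the number of connections seen; mean and
 * variance of the intervals are written to *mean and *var. */
size_t interval_stats(const struct conn *log, size_t n, const char *dst,
                      double *mean, double *var)
{
    double prev = 0, sum = 0, sumsq = 0;
    size_t hits = 0, k = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(log[i].dst, dst) != 0) continue;
        if (hits++ > 0) {                 /* every hit after the first yields an interval */
            double d = log[i].ts - prev;
            sum += d; sumsq += d * d; k++;
        }
        prev = log[i].ts;
    }
    if (k == 0) { *mean = 0; *var = 0; return hits; }
    *mean = sum / k;
    *var  = sumsq / k - (*mean) * (*mean);
    return hits;
}

/* Flag a destination as a probable beacon: enough connections and a
 * coefficient of variation below MAX_CV.  Compared as variance < (cv*mean)^2
 * so no sqrt (and no libm) is needed. */
int is_beacon(const struct conn *log, size_t n, const char *dst)
{
    double mean, var;
    size_t hits = interval_stats(log, n, dst, &mean, &var);
    if (hits < MIN_HITS || mean <= 0) return 0;
    return var < (MAX_CV * mean) * (MAX_CV * mean);
}

int main(void)
{
    const char *hosts[] = { "cdn.example.net", "mail.example.com", "update-srv.example.org" };
    for (size_t i = 0; i < 3; i++)
        printf("%-24s beacon=%d\n", hosts[i], is_beacon(SAMPLE, SAMPLE_N, hosts[i]));
    return 0;
}
```

On the sample log, `update-srv.example.org` is flagged (six connections roughly 60 s apart), while `cdn.example.net` has as many connections but wildly irregular spacing and `mail.example.com` has too few to judge. A real deployment would feed this from proxy, DNS or NetFlow records, add a whitelist of known update and telemetry hosts, and look at payload sizes as well as timing, but the point stands: this signal exists whether or not any signature recognizes the file that created the implant.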

 

[1] CVSS (Common Vulnerability Scoring System) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS assigns severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat. Scores are calculated with a formula that depends on several metrics approximating ease of exploitation and impact. Scores range from 0 to 10, with 10 being the most severe.

Link:

https://www.reveelium.com/en/call-for-multilayer-cybersecurity/