CBC News had a pretty controversial headline today. They wrote that some computer consultants say the global malware threat has gotten so bad that conventional security measures, such as anti-virus software, are no longer adequate to fight it.
"Anti-virus programs are 'totally useless,' says Mohammad Mannan, an assistant professor at the Concordia Institute for Information Systems Engineering in Montreal."
I was quoted in the article as well. Anti-virus software works on the principle of identifying malevolent files and infected sites. But because of the sheer volume of malware online nowadays, rather than blacklisting bad sites we should be "whitelisting" the good ones, says Stu Sjouwerman, founder and CEO of U.S.-based computer security consultancy KnowBe4.com.
The amount of malicious software — better known as “malware” — circulating on the web has grown significantly in the past decade. According to figures from virus detection sites, in 2002 there were an estimated 17 million known “good” executable files from various existing applications on the commercial internet, while antivirus engines detected two million nefarious ones. By 2012, there were 40 million known good files and 80 million bad ones.
The major problem, says Concordia’s Mannan, is that anti-virus software is by nature reactive, which means that it responds to specific malware after it has been distributed. Should a malware writer change a few lines of code, however, that anti-virus solution suddenly becomes obsolete.
It’s the sheer number of malware variations that makes it impossible for anti-virus software to effectively combat the problem, says Mannan. To illustrate this, he points to the Storm botnet of 2007, a sophisticated piece of malware that affected millions of computers worldwide and generated 8,000 variations of itself every day. “How many updates or variants are you going to catch, if you’re an anti-virus company?” Mannan asks.
Is ‘whitelisting’ the answer?
Given these overwhelming threats, Sjouwerman believes whitelisting is vital to keep web surfers safe.
The principle is similar to verified accounts on Twitter, which was a response to the proliferation of bogus accounts (usually ones pretending to belong to celebrities). Rather than identifying all the fake accounts, Twitter’s verification process simply certifies the legitimate one.
Whitelisting has been around for more than a decade, says Mannan, but only a few companies offer it right now. The way it works is that anytime you surf the web, the whitelist prompt appears in your browser. If you go to a website that has been penetrated by hackers, the browser pops up a stern warning telling you not to proceed to the site.
Google’s Chrome browser “has this to a degree, but that’s all based on blacklists,” says Sjouwerman. Whitelisting would keep a list of good sites on your workstation and in the cloud, which is a “sanity check” for the list on your computer.
Sjouwerman is convinced it’s the only way to deal with the growing malware threat. “We need to do a 180, and we need to stop "keeping the bad guys out", because you can’t keep up,” says Sjouwerman. “That’s why I’m on an evangelizing rampage to tell people we need to go to whitelisting.”
We need to start with only allowing "known-good" programs to run, much like a bouncer standing at the door: anyone who is "not on the list" is simply denied entry.
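The difference between the two models, as an added example that is not from the CBC article or from KnowBe4: a default-allow blacklist and a default-deny whitelist, both keyed on SHA-256 digests, judge the same three files. The sample byte strings, list names and function names are constructed for illustration, and applying the article's workstation-plus-cloud "sanity check" to a program list is an assumption.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample "executables" (plain byte strings, not real programs).
GOOD_APP = b"constructed-sample: payroll application v1"
KNOWN_BAD = b"constructed-sample: unwanted program, variant A"
NEW_VARIANT = b"constructed-sample: unwanted program, variant B"  # a few bytes changed

# Blacklist: digests of files already identified as bad (reactive by nature).
BLACKLIST = {sha256(KNOWN_BAD)}
# Whitelist: the workstation's copy plus a reference copy (assumed to be the "cloud" list).
LOCAL_WHITELIST = {sha256(GOOD_APP)}
CLOUD_WHITELIST = {sha256(GOOD_APP)}

def blacklist_allows(data, blacklist=BLACKLIST):
    """Default-allow: anything not yet known to be bad may run."""
    return sha256(data) not in blacklist

def whitelist_allows(data, local=LOCAL_WHITELIST, cloud=CLOUD_WHITELIST):
    """Default-deny: run only if the local list has the digest and the reference copy agrees."""
    digest = sha256(data)
    return digest in local and digest in cloud

def local_list_discrepancies(local, cloud):
    """Digests on the workstation's list that the reference list does not confirm."""
    return sorted(local - cloud)

def decisions():
    """Return {sample name: (blacklist verdict, whitelist verdict)}."""
    samples = {"good_app": GOOD_APP, "known_bad": KNOWN_BAD, "new_variant": NEW_VARIANT}
    return {name: (blacklist_allows(d), whitelist_allows(d)) for name, d in samples.items()}

if __name__ == "__main__":
    for name, (bl, wl) in decisions().items():
        print(f"{name:12} blacklist_allows={bl!s:5} whitelist_allows={wl}")
    # Simulate a workstation list that gained an entry the reference copy never approved.
    tampered = LOCAL_WHITELIST | {sha256(NEW_VARIANT)}
    print("unconfirmed local entries:", local_list_discrepancies(tampered, CLOUD_WHITELIST))
```

The unseen variant passes the blacklist because its digest was never recorded, while the whitelist refuses it without needing any prior knowledge of it.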