While browsing through the security headlines the other day, I came across an article where Cisco’s CSO, John Stewart, proclaimed that anti-virus software and security patches are, “… completely wasted money.” His justification for this statement was due to the large number of, “companies in the world that actually believe infection is just a cost of doing business and are getting used to doing it--as opposed to stopping it completely.”
Now, through my work history, I have failed to witness organizations that view a virus infection as a commonplace occurrence. This was because the organizations that I have been associated with all maintained up-to-date virus definitions throughout their enterprise. As we all know, anti-virus products are only as good as their definitions – failure to keep your definitions up to date can lead to serious problems. But I do not feel that this is par for the course. The same can be said for operating system and application security patches. Failure to maintain these can leave holes in your defenses that can be easily attacked.
I do not think that it would be wise to completely abandon an organization’s anti-virus and software patching process. This is a fairly safe and easy way to maintain your organization’s security. I am interested to know, what does everyone else think?

Some security is better than no security. As simple as that!
Posted by: Prasanna Govindankutty | 09 June 2008 at 10:29 AM
That I know of there is no way to (as Cisco’s CSO, John Stewart puts it) completely stop virus infections. Were companies to adopt such absolutist security ideologies, they would be woefully equipped when new threats emerge.
Posted by: Jonathan Bruss | 09 June 2008 at 11:16 AM
A well-maintained site shouldn't be totally reliant on anti-virus: defence against malware (like other security) should be multilayered. But I agree: I've never understood the "Solution X isn't 100% effective, so we shouldn't be using it" argument.
Actually, in this case, perhaps I do: it carries the implicit assumption that "we" should be using the "100% solution" du jour, in this case whitelisting. Whitelisting is a viable defence layer, but it isn't a 100% solution (there aren't any 100% solutions!) and, ironically enough, it usually depends to some extent on traditional anti-virus to establish its "clean" dataset.
By the way, to expand slightly on the statement that "anti-virus products are only as good as their definitions": I agree, but only if you mean to include generic signatures and proactive technologies such as heuristic analysis, sandboxing and so on, not just known-malware scanning. I can't help but notice that specialists in other areas of security are sometimes surprised to realize that modern anti-virus products are not purely reactive...
David Harley
Posted by: David Harley | 09 June 2008 at 03:36 PM
Dear Readers,
If there was no antiviral possible, then software makers would have been forced to design software of much higher quality - this is what John Stewart seems to be trying to say.
So, in a manner of speaking John Stewart's statements, in a different context, have a degree of truth; and his quoted statement:
“Companies in the world that actually believe infection is just a cost of doing business and are getting used to doing it--as opposed to stopping it completely.”
... has a degree of truth.
The truth is that because companies and end users consider AVS a part of the standard solution, they accept poorly written software, as a matter of "the normal way things are." John considers this a waste of money and resources and demands better written code.
When I first read John Stewart's statement, I reacted differently; but after thinking about it, I think I understand what he was trying to say.
Yours sincerely, Tim
Posted by: Tim Bass | 10 June 2008 at 09:02 AM
The biggest security vulnerability these days is the web browser combined with scripting of any sort (ActiveX, JavaScript). All the anti-virus in the world won't stop a malicious web page from commandeering your web browser to do some malicious task.
Posted by: PhoneBoy | 11 June 2008 at 01:54 AM