Is antivirus software good or bad?
Everyone remembers working on the home desktop and seeing the alert pop-up in the right-hand corner of your screen: time to upgrade your (Name Brand) antivirus software. Clicking it takes you to a web page where the company tries to upsell you on the latest enhancements to their product.
Today, antivirus software (AV) or more precisely, antimalware software, is more sophisticated, and some security experts will say, begrudgingly, that tools like Windows Defender are “mostly good enough” for defending home PCs, where usually little protected information is stored.
But for TrueVault, “mostly good enough” security is inadequate for protecting our clients’ sensitive data. In this blog post, we explain the inherent fallacy of using AV software as a security tool, and introduce some of the enhanced security measures we have taken to ensure that personal data stored in our SecureVault remains protected.
Antivirus creates an unrestricted backdoor to your computer
Installing AV software requires giving a third-party system unlimited access to your computer or network servers and whatever information is stored on them. This means that if the AV is compromised or goes rogue at any point, it can cause immense damage precisely because of that unlimited access to your system.
Tavis Ormandy is a Google security researcher who prods commercial software for vulnerabilities. Over the course of his research, Ormandy has identified countless bugs in AV software, ranging from the sinister to the embarrassing. For example, in 2015 the free AV software Panda Antivirus mistakenly flagged itself as malware and destroyed core functionality on its users’ computers. In 2010, McAfee reportedly made a similar mistake, rendering even more computers inoperable. In these situations and others, security experts note that the computers would have been better protected had AV software not been installed in the first place.
It is embarrassing for an AV company to inadvertently delete all of a client’s computer files, but it’s another thing entirely when a bad actor gets involved. In 2017, journalists reported that Kaspersky Lab’s AV software had been compromised by hackers out of Russia. The Russian operatives were able to capitalize on Kaspersky’s unencumbered access to an estimated 400 million computers, including those of employees of government agencies in the United States.
The New York Times reports: “Like most security software, Kaspersky Lab’s products require access to everything stored on a computer in order to scour it for viruses or other dangers. Its popular AV software scans for signatures of malicious software, or malware, then removes or neuters it before sending a report back to Kaspersky. That procedure, routine for such software, provided a perfect tool for Russian intelligence to exploit to survey the contents of computers and retrieve whatever they found of interest.”
Antivirus software is always one step behind
Aside from creating a backdoor into your system, AV is a reactive, not proactive, approach to security.
Traditional AV relies largely on static, signature-based detection to identify malicious software on a computer. The caveat is that the AV tool needs to know what to look for well before it begins its search. A simplified description is that an antimalware tool consults a database of all known malware signatures and scans the files on your computer to see whether any of them match.
So, what’s the problem? This model requires being one step ahead of the virus makers, when in reality it is the virus makers who are almost always ahead of the AV makers, due to a fundamental flaw.
VirusTotal is a free tool intended to help consumers check whether a file on their computer is malicious. A simplified explanation is that the user uploads a file, VirusTotal scans it using the available AV and antimalware tools, and reports back on the health of the file. Virus makers have taken advantage of this tool and others like it by uploading the virus they’ve written and then manipulating it until it is obscured enough to pass through most AV tools undetected.
This means virus makers are able to see that their attack will succeed without AV makers ever knowing an attack is coming. In short, AV is a security tool that is perpetually reactive, meaning there will always be fundamental failures in the security protocol.
To address this limitation, most AV software also tries to detect unusual software behavior. For example, it might block a process that has never run before, or flag attempts to access many sensitive files in a row. Though more sophisticated than traditional signature-based detection, this approach is equally flawed. The AV tool may detect something that seems fishy, but it cannot assess intent. Is a process changing an application file because a developer pushed code, or because malware is trying to infiltrate the system? AV software will never be able to determine the full story behind a set of actions by looking only at the behavior of an application.
What’s my alternative?
Some security experts will raise a soft defense of AV software, noting that it can sometimes protect your computer from the unsophisticated attacks that rattle through cyberspace, aptly described as the “background radiation” of the Internet. This may be true, but there are plenty of other ways to protect against sloppy attacks, and sophisticated attacks as well, that do not involve creating a backdoor to your entire system.
“[Antivirus software] is probably the most overstated tool in any security toolbox,” said security expert Brian Krebs.
We strongly agree with this statement, and take it a step further. AV induces a false sense of security for its users. We refuse to risk compromising the sensitive data protected in our SecureVault by granting an entire organization a way to bypass your authorization tools to access your system.
Instead, we’ve created checks and balances to ensure that no single entity has unrestricted access to all of our clients’ data. As Krebs says, “Security is all about layers, and not depending on any one technology or approach to detect or save you from the latest threats.”
TrueVault’s 10 Layers of Security
SecureVault was designed with protecting your personal data in mind. Our platform was engineered from the foundation to be secure, so that personal data stored in our system is protected to the highest caliber.
Here’s how we advance beyond the mild benefits of AV through our layered approach to data protection:
- User authentication: Every user on the platform must be authenticated before accessing data.
- Account-based multi-factor authentication: We secure your account under multi-factor authentication (MFA) to protect against password theft.
- User authorization: Narrow access control is a core component of the principles of “security by design”. Every user is given specific permissions pertaining to their role, with no more access being granted than necessary to fulfill their data processing obligations.
- User-level MFA: Users are protected from social engineering and phishing scams, such that even if the password is compromised, the account will still be protected under a layer of MFA.
- Per-record encryption: Each piece of data stored in TrueVault is encrypted individually. By never needing a master key, we reduce the risk of your data being compromised.
- Encryption at-rest and in-transit: Sensitive data is encrypted immediately, so it is protected when stored but also in-flight.
- Immutable audit logging: Documentation is key to compliance, as well as security. We create a comprehensive, un-editable log of every operation related to your account.
- Immutable document versioning: A tamper-proof version of every piece of your data protects from accidental loss and ransomware.
- Network monitoring: We have restrictive network rules to make sure that each server can only talk to specific internal or external services, and use monitoring to detect any attempted network policy violations.
- Anomaly-based threat detection: SecureVault uses services that leverage machine learning to continuously monitor for malicious or unauthorized behavior in our systems.
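As an added illustration of the “immutable audit logging” layer above (example code written for this explanation, not TrueVault’s own implementation; the key, the record layout and the sample events are constructed assumptions), here is a hash-chained, append-only log in which editing or deleting any earlier entry is detected on verification:

```python
import hashlib
import hmac
import json

# Constructed demo of a tamper-evident, append-only audit log: each entry
# commits to the previous entry's hash, so editing or deleting an earlier
# record invalidates every hash after it. The key, record layout and sample
# events are assumptions for this example, not TrueVault's own design.
LOG_KEY = b"constructed-demo-key-do-not-reuse"  # per-deployment secret (assumed)
GENESIS = "0" * 64                              # hash "before" the first entry


def _entry_hash(prev_hash: str, seq: int, event: dict) -> str:
    # Canonical JSON so the same event always produces the same hash.
    body = json.dumps({"seq": seq, "event": event}, sort_keys=True,
                      separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_hash.encode() + body, hashlib.sha256).hexdigest()


def append(log: list, event: dict) -> dict:
    """Append an event, chaining it to the hash of the last entry."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    entry = {"seq": seq, "event": event, "prev": prev_hash,
             "hash": _entry_hash(prev_hash, seq, event)}
    log.append(entry)
    return entry


def verify(log: list) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        expected = _entry_hash(prev_hash, i, entry["event"])
        if (entry["seq"] != i or entry["prev"] != prev_hash
                or not hmac.compare_digest(entry["hash"], expected)):
            return i
        prev_hash = entry["hash"]
    return -1


def demo() -> tuple:
    """Build a small log, tamper with one entry, return verify() before and after."""
    log = []
    for ev in ({"actor": "alice", "op": "read", "record": "r-1"},   # constructed
               {"actor": "bob", "op": "update", "record": "r-1"},
               {"actor": "alice", "op": "delete", "record": "r-2"}):
        append(log, ev)
    intact = verify(log)
    log[1]["event"]["actor"] = "alice"  # rewrite history to blame someone else
    return intact, verify(log)  # (-1, 1)
```

The chain alone cannot reveal that the newest entries were truncated, so the current head hash should also be copied somewhere the log writer cannot modify and compared against it.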
The best defense is a good offense. Our layers of security advance well beyond the basic, reactive function of your run-of-the-mill AV to create a hardened, proactive security solution.