In a previous blog, I explained that pen testing is the act of looking for vulnerabilities to exploit, whether technical, human (social engineering), physical (an open door), or any other way to capitalize on a weakness. However, considering an article which states that anti-virus software is effective against only 45% of computer system attacks, what does the future hold for pen tests and for vulnerabilities?
The reason anti-virus software isn’t more effective is that anti-virus companies identify the signatures of a virus after the fact. This means that, unless you know what to look for or have an application to alert you to the vulnerability, you could have many viruses on your computer and not even know it.
This is certainly concerning and most consumers would say that they want and expect the anti-virus software to be automated and reliable. Those in the industry can respond in two ways. The first is to say that the only way to be 100% secure is to disconnect from the Internet and network and use no external media. The second is to take on the challenge.
For those who want to take on the challenge of solving this issue and others like it: What can we do? In my view, we need to start by having patience and persistence. Patience for the long road to get there and persistence for the roadblocks encountered. For example, perhaps you want to program an application like Wireshark to look for unfamiliar IP addresses, abnormal packet sizes, or protocols not used on your network. It’s no secret that watching a network from a network operations center and monitoring it for zero-day threats brings many challenges.
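As an added illustration of the monitoring idea described above (example code written for this post, not a tool from the original article or from Wireshark), the script below learns which protocols and packet sizes are normal from a constructed clean capture and then flags live packets that use an unseen protocol, exceed the learned size ceiling, or come from outside the assumed local subnet; the packet records, the 10.0.0.0/24 subnet and the 1.5× slack factor are all assumptions.

```python
"""Toy traffic monitor: learn a per-protocol size ceiling from a trusted
capture, then flag live packets that deviate from it. All records are
constructed for this example; a real tool would read a capture file."""
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("10.0.0.0/24")  # assumed local subnet

# Constructed clean capture: (src, dst, protocol, size in bytes)
BASELINE_PACKETS = [
    ("10.0.0.5", "10.0.0.1", "DNS", 78),
    ("10.0.0.7", "10.0.0.1", "DNS", 120),
    ("10.0.0.5", "93.184.216.34", "HTTPS", 1400),
    ("10.0.0.7", "10.0.0.9", "SMB", 1380),
]

# Constructed live traffic with three planted anomalies
LIVE_PACKETS = [
    ("10.0.0.5", "10.0.0.1", "DNS", 90),
    ("10.0.0.5", "10.0.0.1", "DNS", 4000),         # far above the DNS ceiling
    ("10.0.0.8", "10.0.0.1", "TELNET", 96),        # protocol never seen in baseline
    ("198.51.100.23", "10.0.0.5", "HTTPS", 1200),  # source outside LOCAL_NET
    ("10.0.0.7", "10.0.0.9", "SMB", 1390),
]

def learn_baseline(packets):
    """Return {protocol: largest size seen} from a trusted capture."""
    ceiling = {}
    for _, _, proto, size in packets:
        ceiling[proto] = max(ceiling.get(proto, 0), size)
    return ceiling

def flag_anomalies(packets, ceiling, local=LOCAL_NET, slack=1.5):
    """Return (reason, packet) pairs; slack tolerates ordinary size variance."""
    alerts = []
    for pkt in packets:
        src, _, proto, size = pkt
        if proto not in ceiling:
            alerts.append(("unseen-protocol", pkt))
        elif size > ceiling[proto] * slack:
            alerts.append(("oversized-packet", pkt))
        if ip_address(src) not in local:
            alerts.append(("external-source", pkt))
    return alerts

if __name__ == "__main__":
    for reason, pkt in flag_anomalies(LIVE_PACKETS, learn_baseline(BASELINE_PACKETS)):
        print(f"{reason:17} {pkt}")
```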
On the other hand, do we need to dive so deep for everyday work? Are there other solutions out there that we do not think about because they are inconvenient? Think about a worker editing a sensitive document while connected to the Internet: is the worker actually using the Internet? If not, they can “close the door” and disconnect. When they are done with the document, they can encrypt it and store it externally. One might say that when they reconnect to the Internet, they’re opening the computer to threats again. To that I say “mitigate” the threat, not “eliminate” the threat. The worker can mitigate the threat by closing the ports and shutting down services not in use—effectively minimizing the number of vulnerabilities available for exploitation. As always, ensuring the machine has all the latest updates and patches is another way to minimize vulnerabilities. Most importantly, ALWAYS ensure employees have training in “thinking before clicking,” so they do not hand their machine over to the latest botnet out there.
In the end, I know consumers would prefer an automated, reliable solution to keep computers safe. However, there are other ways to mitigate vulnerabilities outside of automated solutions, which is where the future of pen testing appears to be headed. Regis University's information assurance degree programs can provide the education for thinking about this type of cyber defense.