The Secret Lie of Web Security

June, 03, 2014 Franklyn Jones

There are so many news stories about new cyber attacks, week after week, that it doesn't take long before your eyes start to glaze over when another comes along. So, in case you missed this one, CBS News reported this week that European hackers stole about $100M from various US bank accounts.

So what else is new?

And, no great surprise, it was reported that the strategy involved targeting "hundreds of thousands of computers with malware."

Hmm, more undetectable malware that penetrated cyber security defenses and gained access to confidential data? On one hand, I guess that shouldn't surprise us anymore. But on the other hand, I thought we were making great advances in improving malware detection technologies? Wait, what's really going on here?

I wanted to get to the bottom of this, so I went to the AV-Comparatives web site to read their latest report on the effectiveness of AV products. If you are not familiar with this organization or web site, they are a well-respected resource that offers:

"systematic testing that checks whether security software, such as PC/Mac-based antivirus products and mobile security solutions, lives up to its promises. Using one of the largest sample collections worldwide, it creates a real-world environment for truly accurate testing."

In their latest published report, from March 2014, AV-Comparatives tested more than 20 different AV products by pounding them with more than 125,000 malware samples. The results varied slightly, but in most cases the AV products were able to detect and block 98-99 percent of these malware samples. Not bad, eh?

Well, actually it's terrible for two reasons. First, these are known malware samples, so I would have expected 100 percent of known malware to be blocked by every product. Guess not. Second, a 99 percent success rate still sounds great, but this is where the "lie" of web security comes into play.

If a hacker fails 99 percent of the time, it sounds bad — but he is likely a rock star in the cyber criminal world because it only takes a 1 percent success rate to make big bucks. On the other hand, a business blocking 99 percent of all cyber attacks sounds impressive — but is likely a failure because it only takes one devastating attack to ruin everything.

Not to pick on Target, but well ok, I'm picking on Target as an example of that.

So the truth is that only 100 percent web malware protection is good enough. Anything less than 100 percent is a lie – it's a false sense of security and fails to protect your business. The core problem here is that we all place too much trust in detection technologies to stop advanced malware attacks. The reports from CBS News and the AV-Comparatives both provide proof that detection alone is no longer effective.

Franklyn Jones, CMO, Spikes Security

Keep informed.