Antivirus programs and other security measures exist to protect us. But what happens when the security system itself becomes the threat? The IT security association Tabidus Technology has examined this problem. Here we explain how such incidents come about and how catastrophes can be prevented.
“Reports of PC crashes have been piling up in the past few hours: In Australia, supermarkets have been forced to close due to the breakdown of the PC-POS. At chip manufacturer Intel, according to witnesses, most of the departments came to an operational standstill. Research institutions such as the National Science Foundation witnessed the total failure of their computers. At least one policy network in the US has also broken down. In some hospitals, surgeries were postponed and patients without acute trauma were dismissed. At the teaching hospital of the University of Michigan, 8,000 of the hospital’s 25,000 computers stopped working.” (Source: CNet)
Scenes like this sound like a Hollywood movie, but they are already a bitter reality. The cause of this catastrophe: a false alert (false positive) raised by the antivirus system of a renowned security provider.
How can this happen?
False positives are not uncommon, and they are not the problem of any single security vendor. Rather, they are a side effect of fighting cyber threats.
Every security vendor faces the challenge of distinguishing “good” from “evil” in order to identify and combat threats. When is a file legitimate and when is it malicious code? As trivial as that may sound, it is not. The amount of data that has to be examined every day is enormous, and a variety of techniques are needed to detect increasingly complex and well-camouflaged threats. For this reason, alongside the many analysts employed in the vendors’ antivirus labs, machines do much of the work. Depending on the security approach, such as heuristics, sandboxing or machine learning, part of this automated threat detection also takes place directly at the customer site.
Every vendor is aware of the risk of misjudging a threat. Quality assurance is therefore very important to all providers and is usually carried out by machines as well. One of the most important aids for eliminating such mistakes is comparison against well-known files from reputable software manufacturers (whitelists). Test runs on reference systems are also commonly used to detect potential false alarms.
How can false positives still occur on customer systems under these circumstances? Apart from human error, the main reason is that no vendor can test its security measures against every piece of software in use worldwide. Equally, a check can only take place at the time of delivery; later changes in a software version can only be taken into account afterwards, in the form of corrections. For autonomous security techniques that run at the customer site, a preliminary check is impossible, since they operate outside the provider’s immediate sphere of influence. Another aspect is differing views on what is and is not a threat: while one vendor considers a file legitimate, another may disagree and label it as malicious.
What are the consequences of a false-positive?
How severely a false alarm affects things varies from case to case. Global disasters like the one described in the introduction occur when parts of the operating system are affected: falsely classifying a system file as a threat and cleaning it automatically can crash computers worldwide. In other cases, the incident is limited to individual software products and causes crashes, deletions, malfunctions and potential data loss. Proprietary developments and specialised software tools are particularly prone to this. In any case, a false positive has very unpleasant consequences for those affected, ranging from the heavy workload of resolving the incident to financial losses from production downtime and possible damage to reputation.
How can this be avoided?
A false alarm from a security provider can never be completely ruled out. What can be prevented, however, are the negative effects of a false positive. These are caused by the automatic actions (such as deleting or moving a file) that a threat detection triggers. However, as previous observations show, the likelihood that two independent vendors will produce a false alarm on the same file at the same time is negligible.
Therefore, Tabidus Technology’s approach is to use two or more independent security vendors simultaneously and to make automatic actions dependent on their agreement. For example, a file should only be deleted if at least two different vendors confirm that it is malware. If only a single vendor reports a threat, a simple alarm may be enough. This approach prevents the negative effects of a false positive and averts potential catastrophes.
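The consensus rule described above, as an added example that is not Tabidus Technology’s own code: per-vendor verdicts for one file are reduced to a single action, a destructive action requires a quorum of independent engines, and a lone detection only alerts. Vendor names, engine names and the scan results are constructed for illustration; the assumption that rebranded products sharing one engine count as a single detection is ours, not the article’s.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"            # no engine objected
    ALERT = "alert"            # a single engine objected: notify, leave the file alone
    QUARANTINE = "quarantine"  # quorum reached: automatic action is permitted


@dataclass(frozen=True)
class Verdict:
    vendor: str       # product name (hypothetical)
    engine: str       # detection engine behind it; rebranded products that share
    malicious: bool   # an engine are not independent and must count only once
    detection: str = ""


def independent_detections(verdicts):
    """Engines that flagged the file, deduplicated by engine rather than by vendor."""
    return {v.engine for v in verdicts if v.malicious}


def decide(verdicts, quorum=2):
    """Consensus rule from the article: destructive actions need `quorum`
    independent confirmations; a lone detection only raises an alarm."""
    hits = independent_detections(verdicts)
    if len(hits) >= quorum:
        return Action.QUARANTINE
    return Action.ALERT if hits else Action.ALLOW


def joint_false_positive_rate(rates):
    """Chance that every listed independent engine misfires on the same file."""
    p = 1.0
    for r in rates:
        p *= r
    return p


# Constructed samples (not real scan results). One engine misclassifies a
# core system file, as in the introduction; the second engine does not.
SYSTEM_FILE_SCAN = [Verdict("VendorA", "engine-a", True, "Generic.Trojan"),
                    Verdict("VendorB", "engine-b", False)]
# Two products built on the same engine both flag it: still one detection.
REBRANDED_SCAN = [Verdict("VendorA", "engine-a", True, "Generic.Trojan"),
                  Verdict("VendorA-OEM", "engine-a", True, "Generic.Trojan")]
# Genuine malware confirmed by two independent engines.
MALWARE_SCAN = [Verdict("VendorA", "engine-a", True, "Trojan.Dropper"),
                Verdict("VendorB", "engine-b", True, "TrojanDropper.Gen")]
```

With independent per-file false-positive rates of, say, 1e-4 and 2e-4, `joint_false_positive_rate` gives 2e-8 for a simultaneous misfire, which is the article’s “negligible” likelihood made concrete.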
The agile use of multiple security providers, however, can do more than prevent the unwanted effects of false alarms. Find out more in our whitepaper “Keeping Your Data Safe: Threat Detection Optimisation For Enterprises”. Download your free whitepaper here:
Keeping Your Data Safe: Threat Detection Optimisation For Enterprises