This year’s S4 Great Debate topic: Anti-Virus and Monthly Security Patching Should Be Abandoned in SCADA and DCS. Billy Rios spends five minutes taking the con position (that AV and security patching should not be abandoned), and Michael Toecker then takes the opposite, pro position. Both were tasked with making the most compelling argument for their side, whether they believed it or not.
Then we throw it open for the S4 attendees to fight it out. There is great participation and varying opinions from the attendees in this one hour video.
Almost all of the attendees felt that anti-virus and security patching should not be abandoned; they should be retained. There were, however, significantly varying views on how realistic these controls are to deploy, how much protection they actually provide, the risks they pose to the system, and how frequently patching should be done.
Let me prod loyal listeners to think a bit about the issue with some questions.
- Anti-virus has been proven to be highly ineffective at stopping an attacker who wants to circumvent it. They simply modify the malware to avoid the signatures and heuristics. At what point do you drop an ineffective security control?
- Application whitelisting is becoming popular and will soon be a must-have. How many controls will we layer on top of one another? If a control can never be deprecated, the list will grow large over the years. And at what point do we worry about the increased attack surface? (Note that Digital Bond has actually used anti-virus software vulnerabilities to gain access in assessments; given the age and design cycle of anti-virus software, it is ideal software to attack.)
- How valuable is incomplete security patching? If you only patch Microsoft products, it may stop some automated malware, but it won’t stop an attacker who will compromise Oracle, Symantec, a backup program, or some other unpatched software.
- How valuable is delayed security patching? If you are patching quarterly, then about two-thirds of the time you have exploitable vulnerabilities. Someone who knows the likely ICS security patching cycle would just try the most current exploits.
I’m hoping some day we can stop using anti-virus, at least on every workstation and server. We are not there yet, and my insurance company would object to that recommendation. Any IT or ICS security type in a company would likely lose their job for recommending it. That said, I think we need to evaluate the effectiveness and effort of these and other measures.
For next year our goal is to find a topic that generates almost a 50/50 disagreement on the basic premise. We’re open to suggestions.