For folks following InfoSec experts on their various social media outlets, especially in the Twittersphere, there’s been a lot of linking to old articles since the New York Times announced that they’d been hacked. (Yeah, we did it too.) While there used to be a lot of breathless marketing hyperbole saying that AV can protect you against all threats that ever were or will be, I think a lot of companies have gotten to the point where they understand they can no longer reasonably say that. (Not that they ever really could reasonably say it, but…you get my drift.)
For as long as I can recall, the real InfoSec experts have been saying a layered defense is necessary, especially if you’re an individual or company likely to be specifically targeted for attack. As much as I dislike that the discussion is necessary at all, I think the plus side of the recent high-profile journalist hackings is that it’s leading to a more realistic dialogue (like in this article) about what can and should be done.
Malware is not the only information security problem; it is simply a tool used by criminals. Cybercrime, for the last decade or more, has been about theft of valuable resources. Whether those resources are data or CPU cycles, for direct financial gain or simply for espionage, they’re taking something of ours for their use.
Anti-malware tools block the majority of what’s out there – mostly the mass-produced malicious tools made to catch regular users like you and me (though we do add detection for those unique, targeted tools too). If you’re someone with extra-valuable information, like journalists, activists, people who work with the government or in the financial sector, you need to use much stronger protection methods. Anti-virus, data encryption, and a firewall are considered by most experts to be the bare minimum for most users at this point. If you’re likely to be directly targeted by motivated cybercriminals, you need to be much more aware of what is happening on your system or your network: that means keeping logs and actually looking at them, so that a new account, an unexpected process, or an unusual volume of outbound traffic gets noticed. You should be keenly aware when there are anomalous activities – it should not take months or years to know something funky is going on.
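To make the “notice anomalous activity promptly” point concrete, here is an added example (not code from the original post or from any product it mentions): a minimal per-host baseline of daily outbound traffic volume, with a check that flags a day that is both far outside the host’s normal spread and several times its normal volume. The host names, dates and byte counts are constructed for the illustration, and the thresholds are assumptions a practitioner would tune.

```python
from collections import defaultdict
from statistics import mean, pstdev

MB = 1_000_000

# Constructed sample records (date, host, bytes sent outbound that day).
# None of these hosts or figures come from the original post.
SAMPLE_RECORDS = [
    ("2013-01-01", "wks-editor-01", 120 * MB), ("2013-01-01", "wks-intern-02", 50 * MB),
    ("2013-01-02", "wks-editor-01", 95 * MB),  ("2013-01-02", "wks-intern-02", 55 * MB),
    ("2013-01-03", "wks-editor-01", 130 * MB), ("2013-01-03", "wks-intern-02", 45 * MB),
    ("2013-01-04", "wks-editor-01", 110 * MB), ("2013-01-04", "wks-intern-02", 60 * MB),
    ("2013-01-05", "wks-editor-01", 105 * MB), ("2013-01-05", "wks-intern-02", 50 * MB),
    ("2013-01-06", "wks-editor-01", 125 * MB), ("2013-01-06", "wks-intern-02", 48 * MB),
    ("2013-01-07", "wks-editor-01", 100 * MB), ("2013-01-07", "wks-intern-02", 52 * MB),
    # Days after the baseline window: one large spike, one modest increase.
    ("2013-01-08", "wks-editor-01", 110 * MB),  ("2013-01-08", "wks-intern-02", 55 * MB),
    ("2013-01-09", "wks-editor-01", 2400 * MB), ("2013-01-09", "wks-intern-02", 140 * MB),
    ("2013-01-10", "wks-editor-01", 105 * MB),  ("2013-01-10", "wks-intern-02", 49 * MB),
]


def build_baselines(records, warmup_days=7):
    """Per-host (mean, population stdev) over each host's first `warmup_days` records.
    Hosts with fewer than three baseline days are skipped: no spread to measure."""
    seen = defaultdict(list)
    for _date, host, nbytes in sorted(records):
        if len(seen[host]) < warmup_days:
            seen[host].append(nbytes)
    return {h: (mean(v), pstdev(v)) for h, v in seen.items() if len(v) >= 3}


def flag_anomalies(records, baselines, warmup_days=7, zmax=3.0, min_ratio=3.0):
    """Return (date, host, bytes, z) for post-warmup records that are both more than
    `zmax` stdevs above AND more than `min_ratio` times the host's baseline mean.
    Requiring both keeps a host with a very tight baseline (tiny stdev) from
    alerting on a modest, plausibly legitimate increase. Thresholds are assumptions."""
    counts = defaultdict(int)
    flagged = []
    for date, host, nbytes in sorted(records):
        counts[host] += 1
        if counts[host] <= warmup_days or host not in baselines:
            continue  # baseline days are not scored against themselves
        mu, sigma = baselines[host]
        if sigma == 0:
            # Perfectly constant history: any increase is infinitely unusual;
            # the ratio test below still decides whether it is worth a look.
            z = float("inf") if nbytes > mu else 0.0
        else:
            z = (nbytes - mu) / sigma
        if z > zmax and nbytes > min_ratio * mu:
            flagged.append((date, host, nbytes, round(z, 1)))
    return flagged


if __name__ == "__main__":
    base = build_baselines(SAMPLE_RECORDS)
    for date, host, nbytes, z in flag_anomalies(SAMPLE_RECORDS, base):
        print(f"{date} {host}: {nbytes / MB:.0f} MB outbound (z={z}) -- investigate")
```

Run as-is, the script reports only the 2.4 GB day on wks-editor-01; the intern workstation’s 140 MB day is far outside its tight baseline in standard-deviation terms but under three times its usual volume, so it is left alone. The point is not the statistics but the habit: a baseline you actually compare against turns “months or years” into “the next morning”.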
As many individuals and organizations have not yet implemented the basics, it’s a tall order to expect people will start using more thorough methods any time soon. But until we all get to that point, we can expect a lot more headlines about incomplete defenses that failed to protect their users.