What is Antivirus Software?
Lets face it, we are living in a highly technical age. Computers and digital technology surround us, cell phones that fit in our pockets have turned into full blown portable computers. There have been threats to computers just about as long as computers have been around. The first antivirus (AV) software was used to protect against just that, a computer virus. The name remains today, but there are far more malicious tools out there other than viruses. Modern anti-virus software protections can include shields against trojan horses, worms, spyware, adware, rootkits and can sometimes include guards against phishing.
There are a few ways that antivirus protections work. Most of the modern softwares use real-time protection, which can also sometimes be referred to as on-access scanning, background guard, resident shield, or autoprotect. Just like the name suggests, this software monitors suspicious activity in real time, meaning while data is loading onto the computers memory. So when inserting a CD, opening an email, browsing the web, or when a file already on the computer is opened, the program is scanning for viruses and other malicious software types. This scanning through secure systems goes on in the background practically unnoticed.
Some AV software comes equipped with the ability to detect rootkit malware. This type of intruder is designed to gain administrative-level control over a computer system without being detected. It targets the operating system in order to render any antivirus software ineffective. If malware like this makes it into your system it can be very difficult to remove, sometimes requiring a complete reinstallation of the operating system. Needless to say, any malware that can disable your AV software is dangerous and should be guarded against.
Another variation, signature-based detection, is what most traditional antivirus softwares rely on to discover malware. When AV companies come in contact with new malware they use their systems to analyze it and extract its signature or unique code. These unique signatures are added to a database and use their software to detect those specific malware files.
The latest technique to guard against malware is data mining and machine learning. This technique will extract certain signatures from a file and run them through an algorithm. Based on the features or patterns that a file possesses, the software can determine if the file is malicious or not.
Why You Need Updated AV Software
While its true that there are many methods and techniques used by AV software companies to fight malicious attacks, it is widely known that AV software alone can be ineffective against whats out there. The reason is that for every viral signature that is known, there are about half of a million variants of that signature going around. AV software companies want you to keep using their product, so they are constantly working to improve the program they have in order for your company to remain protected. That is why updating your software whenever possible is a good practice to have. By regularly updating, your system will have the latest viral signatures on hand, which will provide the best chance to detect the most prominent malware. In order to keep up its possible that updates will occur daily; making sure that these latest updates are installed should be a priority.
Updates will also help maintain the scan engine. The scan engine is the location where the viral signatures are loaded to when an update occurs. It is responsible for scanning and performing actions such as cleaning, quarantining and deleting identified viruses in your computer. Updates to the scan engines themselves can pop up from time to time, though not as often as the AV software. When a scan engine is updated, it is either to fix a scan engine issue or to help with faster scanning and detection of fewer false positives.
There are some AV software that can also scan for vulnerabilities. For example Microsoft’s Windows Update automatically checks for vulnerabilities and installs patches on the computer. The vulnerabilities here are in the operating system and thats where viruses will take advantage. Staying up to date on your software can help detect these gaps in your security.
The end game for these updates is two-fold. One reason is to retain your status as compliant with the PCI SSC. Requirement 5 goes into great detail about what is expected when it comes to compliance and your AV software. In addition to making sure you have software in place and updated, requirement 5.3 explains that you must keep your AV software running at all times. The only exception for deactivation is by authorized personnel and for limited time periods. The requirement also states that unauthorized users must not be allowed to disable or alter the AV software in any way. The other reason to keep your AV software updated is to protect the data of your customers. Remaining compliant is good, but be careful to avoid a check off the box approach. Malware exists as a way to steal that data and a security breach is not something you or your customers want to go through. AV software isnt foolproof, but it provides an additional roadblock between hackers and your data.
Antivirus and Firewalls
There are packages out there that combine the services of antivirus software and a firewall. This configuration would also be benefited by regular updates. First lets find out how AV software and firewalls differ. AV software is designed to protect the PCs that are accessed by regular users. These devices come in contact with threatening malware usually through emails or any other access to the internet. AV software is built to detect and quarantine malware that might find its way onto the PC through these channels. In comparison, firewalls are designed as a filter to guard your network (LAN) by regulating the traffic that flows in and out. Basically your firewall is the network gate to the outside environment and is designed to keep your data environment separate.
As has already been discussed, antivirus software is purchased and installed on individual PCs and then updated to remain effective. There are also AV software packages available that can cover all the PCs in a network. Firewalls usually come built into PCs and can be toggled ON or OFF. If you wish to secure your entire network, you need to purchase a firewall appliance, which is basically a router with built-in firewall features.
PCI requirements come into play when talking about having a router with firewall features. Youll need to make sure that the configurations are correct in order to limit chances that your data environment can be breached. A demilitarized zone (DMZ) needs to be established. The DMZ is the portion of your network that will manage the connections between the internet and things such as your web servers. Keeping configurations up to date will ensure that inbound traffic is limited to only authorized IP addresses. You can also manage configurations to keep outbound traffic secure as well. When connecting to the internet, traffic from within your company should only be able to reach authorized communication destinations. By implementing these procedures you are going to be able to guard your cardholder data environment more closely. In addition you will find that these procedures will fall into some of PCI requirement 1.3.
It isn’t necessary for you to have an AV software and firewall combo package. It depends on the needs of your company when it comes to security and which software and firewall work best to protect the data you have acquired.
Data Security Services
There are companies out there that specialize in data security. If you get the feeling that keeping track of every PC and every network connection is too much, you might consider hiring one. Most of them offer services such as:
- Perform a search and discover where all data is stored and provide alerts for unusual activity.
- Monitor how users are handling data, both on and off the network.
- Protect data by notifying users of policy violations and monitoring outbound traffic.
- Manage access to data and design security strategies.
- Classify data as it’s created, enabling more control over even unstructured data.
- Provide you with and show you how to use a secure wipe program, to ensure that any electronic media is rendered unrecoverable (Requirement 9.8.2)
Something like this could get you going if you’re a new business and need help making sure everything is secure. Companies like these could also be beneficial to larger businesses that might need a more specialized touch to help manage security. In any case, they are another potential asset to consider when securing your cardholder data environment.
Cardholder Data Environment
The ultimate goal of all of this is to protect the cardholder data environment. The bare minimum is not going to cut it when it comes to securing your CDE. As was mentioned above, AV software alone is not effective enough to prevent a breach. If you truly want to protect systems from all malware as specified in requirement 5, you need to use anti-virus in conjunction with a whitelisting/blacklisting and/or file change detection solution. Managed security services may come in handy when employing these further methods of security.
Another way to prevent data from being accessed by unauthorized persons is to simply limit the data you have on hand. From PCI requirement 3 it states that companies need to only store data that is absolutely necessary and get rid of the rest. Having less data in your CDE limits the amount that can be stolen if a breach were to occur. It also goes into detail about HOW that data should be stored. Encryption of the data within your systems is crucial. Without the cryptographic key, any data that is snatched by an intruder will be useless. As per requirement 4, it is also a necessity to have encrypted data when sending it through public networks. The reasons are the same, if the data is intercepted, it will be useless if it isn’t in plain text.
PCI Requirement 7 discusses an additional feature of your security blanket. There should be systems and processes in place to limit the personnel that can access sensitive data. Limit access to system components and payment card data to only those individuals whose job requires such access. If the scope of an employees job doesn’t involve accessing your CDE, then they shouldn’t have the ability to do so. Establish an access control system for systems components with multiple users that restricts access based on a users need to know, and is set to deny all unless specifically allowed.
First Lines of Defense
To tie in AV software to everything that you just read, you need to understand that updated AV software is one of the first lines of defense. Firewalls and AVS stand near the front and guard your network. Remember that merely checking off a box to meet the PCI Requirements is not the way to go about protecting your CDE. Be thorough. Be sure all of the data in that environment is accounted for and encrypted. Every business is unique, take the precautions that are going to be right for your business and if necessary consult with experts in the security industry. Updating your AV software keeps your system in tune with the latest malware and keep it ready to quarantine that malware when it encounters it. So keep clicking that update button and stay guarded against malware.