A Deployment Model Lens
For software that must go on an endpoint to protect it, the assumptions about operating system detections that were made in the previous analysis no longer hold true. Software intended for a machine that will be primarily one person’s computer and which will likely run at least some of the time on possibly untrusted networks mustn’t even assume that the endpoint is “clean.” Oftentimes, this is especially true in the consumer market. The user is installing antivirus software in response to the belief that the machine is already compromised. In other words, endpoint security software must assume that, very similar to software exposed to the public Internet, it is being installed into an aggressively hostile environment. Any assumptions about the operating system being free of successful compromises would cause the endpoint antivirus software, itself, to become a juicy target. At the very least, assumptions about a safe environment might lead security software makers to believe that they don’t have to take the care with their security posture that, in fact, is demanded by the real-world situation.
The foregoing leads us to two axioms:
- • Assume active attackers may be on the machine even at installation time.
- • Assume that attackers will poke and prod at every component, every input, every line of communication.
As you may see, this is somewhat analogous, though at a different level of granularity, to the threat landscape for exposed inputs to the Internet. However, in that situation we were able to make assumptions about protections to hosts and networks that were under the control of sophisticated staff (repeating what’s been previously stated).
In this situation, the network must be assumed to be hostile. The system “administrator” may have very little understanding of computers, much less security. Even so, that user may be running with significant privileges so they can install software. Consumers typically give themselves greater privileges simply to make life easier as they go about their daily business with the computer. This is a very different situation from having a professional administrative staff providing protections to the system. And, the endpoint situation is radically different from a situation of restricted, need-to-access privileges.
Due to the likelihood of elevated privileges, endpoints (especially consumer endpoints) make juicy targets. Compromise of the user account is equal to compromise of the operating system, since the user is the administrator. Compromise at administrative privileges means that the attacker controls the machine and every user action taken upon it. All data belongs to the attacker. In addition, the attacker may use the machine for her or his own purposes, quite likely without the owner of the machine knowing or understanding what is taking place. This level of control offers attacker value in and of itself.
Every threat agent that has so far been mentioned will be attacking broadly distributed security software. Although consumers probably don’t need to worry about state-sponsored industrial espionage, if the antivirus software is aimed at businesses, especially enterprises, and is in use by consumers, the maker of the software should consider these threat agents among those likely to be attacking the software.
Of course, cyber criminals will want to get around any protections of the antivirus software. They may even test the software for vulnerabilities that allow them to masquerade (spoof) as the antivirus software during attacks. Indeed, I think it’s not too much to say that every type of attacker and researcher is “gunning” for every type of security software, including antivirus software intended for endpoints.
If the maker of antivirus software wants to be successful, the software has to be as close to bulletproof as the maker can possibly make it. Nothing is perfect; we certainly should understand at this point that no software can be proven bug free and that no security posture is 100% risk-free? As an aspiration, in my experience, security software vendors understand the level of attack that their software must resist. Failure to do so will put the company’s future at significant risk.