-
-
-
BlogInfoSec.com Sponsors
-
-
BlogInfoSec.com Partners
-
Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Qualified Writer?
Submit a Guest Article through the SUBMISSIONS link above!
Full-Time Inquiries Contact Us: authors@bloginfosec.com
Subscribe to Our Newsletter:
-
Authors
Categories
Translations
English • Afrikaans • العربية • Беларуская • Български • Català • Česky • Cymraeg • Dansk • Deutsch • Eesti • Ελληνικά • Español • فارسی • Français • Gaeilge • Galego • हिन्दी • Hrvatski • Bahasa Indonesia • Íslenska • Italiano • עברית • Latviešu • Lietuvių • 한국어 • Magyar • Македонски • മലയാളം • Malti • Nederlands • 日本語 • Norsk (Bokmål) • Polski • Português • Română • Русский • Slovenčina • Slovenščina • Shqip • Srpski • Suomi • Svenska • Kiswahili • ไทย • Tagalog • Türkçe • Українська • Tiếng Việt • ייִדיש. • 中文 / 漢語Recent Comments
- How to be a Software Engineer without Understanding Software | BlogInfoSec.com on The Difference between Quantitative and Qualitative Risk Analysis and Why It Matters (Part 1)
- David M. Zendzian on How to Define “Connected Systems” to the PCI Cardholder Data Environment (CDE)
- greystoke on How to Define “Connected Systems” to the PCI Cardholder Data Environment (CDE)
- Brian Krebs on Normative Cyber Security
- Heather J. @ TLC Boo on Normative Cyber Security
- Advanced Persistent Threat agility application security APT assessment Audit authentication Availability awareness Awareness / Education awareness training Ben Edelman Ben Worthen BITS black swans botnets BP breach breaches breach incidents business continunity china ChoicePoint CISO CISO savvy CISO skills cloud computing CNCI COBIT Coding Securely / SDLC compliance Conferences / Events / Meetups Contingency Planning contingency plans cyberattack cyber attack cybersecurity cyber war Dan Geer Dan Schutzer data breach data breaches data breach notification laws data classification data leakage data loss prevention data mining data protection DHS disaster planning disaster recovery DLP Donn Parker economics of security Ed Amoroso education Encryption Enterpise Information Security and Privacy Enterprise Information Security and Privacy Exploit Code / Malware exploits facebook FBI featured FFIEC Firmware Forensics / Incidents FS-ISAC FST FSTC FUD FUD Theater Fukushima functional security testing Gary Hinson GLBA Google governance Gramm-Leach-Bliley Gramm-Leach-Bliley Act Gulf oil disaster hack hackers hacking Heartland Payment Systems HIPAA Human Elements identity management identity theft IDM incident incident reporting incidents Industry Commentary Information security information security governance information security incidents information security metrics information security outsourcing insider threat iPhone ISSA Japan Jennifer Bayuk Jobs in Information Security Joel Brenner keylogging law leadership Legal & Regulatory Issues Lockheed logging Lord Kelvin malicious insider malware metrics microsoft monitoring Monte Carlo Nassim Nicholas Taleb national security National Security Agency negative testing network News Commentary NIST NSA nuclear power plant meltdown objective one-time passwords outsourcing OWASP passwords Patching PCI Penetration Testing perimeter personal information Phishing Physical Security Policies and Procedures Privacy privacy regulations private sector probability probability calculus probability theory process pump-and-dump qualitative quantitative resiliency Richard Clarke risk Risk Analysis risk assessment risk management risk managment risk models ROI ROSI RSA sarbanes-oxley SCADA systems SDLC SEC secure development SecurID Security security awareness Security Breaches security economics Security Metrics self-awareness Siobhan Gorman Social Engineering software assurance Software Assurance Initiative software engineering software security assurance software testing Solutions / Workarounds subjective The Black Swan The Wall Street Journal Tools Toyota training two-factor authentication Uncategorized Virtual Trust Viruses / Worms vulnerability vulnerability assessment Vulnerability Commentary Vulnerability Disclosure Wall Street Journal web applications Y2K
© 2012 BlogInfoSec.com. All rights reserved.
|
Privacy
|
Terms of Service
My $.02 – Consumer Reports, AV and Virus Creation
It is well known at this point — in other words, this is old news — that Consumer Reports created new viruses to test current anti-virus products abilities to defend against unknown attack variants.
The question before us: Can we learn anything from this?
Fundamentally I do not see anything wrong with this testing. Perhaps the process of running new virus strains and new viruses through an AV product should be considered the equivalent of AV fuzzing.
Perhaps my perspective will change. But it will only change if it can be demonstrated that AV cannot capture new variants and unknown viruses (i.e., there must be existing signatures in order to capture malware). If this is true, then we must define and accept the limits of AV protection.
Might it be possible to use the Consumer Reports technique to build a better heuristic model and increase the AV signatures to include possible new strains?
—
In addition:
There is a distinction in the AV world between: “proactive testing” and “retrospective testing.” It is not wise to think that these are equivalent testing models. While both are necessary, retrospective testing lacks the ability to project possible future trends because retrospective testing focuses on the “past to present” trend analysis instead of analyzing the “present to possible future” trends.
Popularity: 17%