Remedy Intelligence Staffing, of Aliso Viejo, Calif., a nationwide staffing company, uses a central Novell NetWare server to distribute information to its users at about half of its 250 branch offices throughout the United States. Remedy IT officials started becoming truly concerned about security several years ago with the rise of the macro virus, according to Andras Somogyi, lead technical support specialist for Remedy's Network Services Group. "Since we're very much a Microsoft shop, macros became a big issue," he says.
|Sites to see|
| There are literally hundreds of Web sites with information on computer viruses. Here are a few Internet resources we have found useful: |
Computer Emergency Response Team Command Center: Carnegie Mellon's CERT Command Center has up-to-the-minute alerts about new computer viruses. It's also quick to post fixes or links to available fixes.
Wildlist Organization International: Many computer viruses are never spotted except in the laboratory. When malicious code actually infects a computer unintentionally and is spreading, it is said to be "In the Wild." Wildlist keeps a database of malicious code.
The Virus Hoax page: There are plenty of sites on the Internet that expose fake virus notices. This site isn't as much fun as some of the others, but it's the most up to date.
comp.virus, alt.com.virus are the two best known Usenet groups on the subject of viruses. Both sites are excellent for trading war stories and picking up information about the latest threats to IT. On Web browsers, click on news.
Dr. Soloman's Home Page: Now part of Network Associates International, this well-known site is still worth visiting for its insights and solutions.
Using anti-virus software from Trend Micro, in Cupertino, Calif., Remedy is stopping about 100 virus attacks a month throughout the company, Somogyi says.
"Today, updates are done automatically [and immediately] with no trigger" on 2,000 desktops, says Somogyi, which has proven to be a real time saver for IT. But, he admits, his company may have to switch to scheduling updates overnight because of other demands on corporate bandwidth. Remedy is connected through a 128K Frame Relay. The 1MB to 2MB updates take a minute or two, at which time each user who needs to be updated is taking a good chunk of the frame.
Remedy's automated scheme not only detects viruses as they come in, but also notifies whoever sent the e-mail that they have an infection. "We've gotten viruses from big companies like AT&T and Compaq," Somogyi says. "They've always been grateful for our feedback."
No network is immune
Despite the most valiant efforts, you're still going to get malicious code in your system. Virus designers are endlessly inventive, and viruses mutate too quickly for even the best system to catch all of them.
"Viruses will get in," says Dan Schrader, vice president of new technology for Micro Trend. "Your job is to make sure that if an incident strikes, it doesn't spread. If a virus affects one computer, it's a nuisance. If it affects 100, it's a disaster."
No network is completely immune, concurs Forrester's Julian. "If you set that as a goal, you will fail. So you should put policies in place that will minimize the impact. Companies have to learn to take these things in stride so that every mistake doesn't bring it down."
Plan ahead, Julian insists. "The way you respond to a self-replicating virus is different from the way you respond to an attachment infection," he says.
But that planning has to have flexibility built in, says Remedy's Somogyi. "We can't have any firm plans in place, because we can't know exactly where a virus is going to hit or how."
One policy both Willamette and Remedy have in place is to identify and isolate the systems that have been infected. "Shut the system down and try to isolate the machines it's on," Somogyi advises.
Lockheed's Peterson thinks isolation is vital. "You have to be able to isolate to limit the damage," he says. "In the past, that used to mean cutting a machine off the network. Now that may mean cutting off the network. And that means you have to find someone you can trust with the authority to shut your network down. You need a dictator you can trust, because you don't have time to react through bureaucracies. That kind of person isn't easy to find."
Once the network has been isolated, IT has to figure out what the network has been infected with and what the virus is corrupting. "Assess the probable damage and rate of speed," says Lockheed's Peterson. "What kind of virus is it? You have to categorize it quickly. Get a sample over to the anti-virus provider as soon as possible."
To correctly assess the impact of the virus, network administrators have to know what the system looks like normally. "Administrators should understand the inventory of the network," says Symantec's Nachenberg. "To identify the culprit, you can set up a test machine from a clean install, attach the machine to the network, and find out if anything attacks.
When the virus has been neutralized, the system has to be rebuilt. And that means using your backup files. Of course, it's crucial to ensure those backups are clean of the infection.
Finally, says CERT's Pollak, learn from your mistakes. "Collect and protect information...and identify and implement security lessons learned."
Primary line of defense
One of the major problems with getting a good anti-virus policy implemented is money, according to Computer Economics' Erbschloe. "We've been studying IT budgets for a decade, and security is always underfunded. You have to give [the security implementers] money so that they can keep up on current issues and get the tools they need."
Firewalls are one of those tools, and implementing a firewall is a prerequisite for computer security. But it isn't sufficient. Although firewalls can keep unwelcome users out, they can't protect your network from inadvertently dangerous payloads from approved sources like a customer.
|"We've been studying IT budgets for a decade, and security is always underfunded. You have to give [the security implementers] money so that they can keep up on current issues and get the tools they need." |
--Michael Erbschloe, VP of research, Computer Economics Inc.
"You have to have software on the desktop. That's your primary line of defense," says Lockheed's Peterson. Computer security for Lockheed Martin involves thousands of platforms, from PCs to Macintoshes to UNIX workstations and mainframes, at hundreds of locations worldwide.
That means IT still has to educate the end user on how to use the anti-virus software. It can be a difficult task, when you consider that most managers are still trying to convince end users simply to back up their files regularly.
The main lesson to be learned? "Scan anything from the outside world," says Symantec's Nachenberg, including any e-mail message, program, or data file introduced into the system. This must be done at each level of a multitiered approach. Some experts go even further and recommend not opening any e-mail attachments whatsoever. Of course, that's impractical in today's business world, but users should be taught to think twice before running an .EXE file, especially if it's from an unknown source.
It's difficult to get users to comply, though, since most are only semi-computer literate. "We think we have literacy," says Computer Economics' Erbschloe. "But you have people not backing up their files, not defragging regularly, not taking care of their systems." Basically, many users often don't know what they're doing. They need more training before venturing onto the information superhighway.
But not using anti-virus software is only one way corporate users put the network at risk. "People don't like to think about this, but even before there was Internet access, people were using their computers for personal use," says Erbschloe. "Today, they're getting joke e-mails, they're on mailing lists, they're visiting a variety of Web sites." Each of these areas is a potential source of virus infection.
The DIA has implemented a layered policy--defenses at the gateway, server, and desktop level--called Defense in Depth. There are agencywide guidelines as to what each person is responsible for in terms of handling media and the policy for malicious code. The DIA's spokesperson acknowledges that it might be difficult to make users in the commercial sector comply with strict policy mostly because people don't always do what you tell them to. For example, many people don't back up their software or defrag their disks, even though they're told to. On the other hand, the army can "order" someone to do it. "The fact that we're a defense organization means that we can make a policy mandatory...we have greater jurisdiction."
Order or no, it's unlikely that you'll be able to stop such practices--managers have been trying to do so for years. But through education, you should at least be able to raise user awareness of security issues, according to Erbschole.
The war between virus designers and anti-virus developers is only going to escalate. And new parties are going to be drawn in. "Macro viruses became possible because information became active," says Trend Micro's Schrader. "Today, more than 90% of the malicious code infections come in by e-mail. Soon, that code will be part of the e-mail itself."
So far, anti-virus software providers have been able to respond rather quickly to virus threats, in part because of the slap-dash nature of many computer viruses. "They're still mostly amateur efforts," says Lockheed's Peterson. "And you can tell that because it's very rare that you come up against a virus that works cross-platform. I have never seen what I would call professionally written mal-ware."
That may change, though. "I think we're going to see more and more sophisticated [viruses]," warns the DIA spokesperson. Some analysts believe that a new breed of virus writers are deliberately targeting specific corporations. For instance, Trojan Horses may be used for industrial espionage, irate former employees are also a possibility. People with a political point to make might target the military or a specific industry.
Certainly, the speed with which malicious code propagates is increasing. "Once we had six to nine months between the time when a virus was reported and when we would see it," says Lockheed's Peterson. "Now it's almost instantaneous."
Willamette's Woods has a final word of advice about computer virus infection for his IT colleagues: "If it hasn't happened to you yet, it will. So you'd better get moving on it now." //
Gerald Lazar is a freelance writer in Tenafly, N.J. He can be reached at firstname.lastname@example.org.