Close encounters of the virus kind: Page 2

(Page 2 of 3)

The DIA spokesperson, who requested anonymity, is familiar with the agency's virus defenses and says that "while there may be thousands of unique viruses or mutations of those viruses, only the more sophisticated ones cause problems today. There are probably less than 10 that are true problems right now."

Taking the initiative

Willamette's proactive approach to Melissa was due to the fact that the company has had other brushes with computer viruses. "We'd gotten the 'Concept' macro virus in 1996," explains Woods. The Concept macro resided in Word documents and replicated itself by writing over existing or creating new Word macros. "It made us realize what a problem viruses could be."

Doctor, doctor!
Desktop symptoms that may indicate the presence of a computer virus:
Programs suddenly take longer to load.
Program size keeps changing.
Hard disk keeps running out of free space.
User gets 32-bit errors in Windows.
Drive light keeps flashing when user isn't doing anything.
User can't access the hard drive when booting from the A drive.
Unidentifiable files appear.
Files have strange names that users can't recognize.
Keyboard keeps making clicking noises.
Letters look like they are falling to the bottom of the screen.
Computer doesn't remember CMOS settings, even though the battery is new.
Source: Symantec Corp.
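Two of the symptoms in that sidebar, "Program size keeps changing" and "Unidentifiable files appear," are exactly what a file-integrity baseline catches. The following is an added example, not code from the article or from Symantec; the program-file extension set and the sample files it creates are assumptions:

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: the program-file types a 1990s file infector would target.
PROGRAM_EXTENSIONS = {".exe", ".com", ".dll", ".sys", ".ovl", ".dot"}


def snapshot(directory):
    """Record (size, sha256) for every program file under `directory`.

    The returned mapping is the integrity baseline; keep it off the host
    (or on write-protected media) so an infection cannot rewrite it too.
    """
    baseline = {}
    for path in Path(directory).rglob("*"):
        if path.is_file() and path.suffix.lower() in PROGRAM_EXTENSIONS:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            baseline[str(path.relative_to(directory))] = (path.stat().st_size, digest)
    return baseline


def diff_snapshots(baseline, current):
    """Compare a stored baseline with a fresh snapshot of the same tree.

    Returns three sorted lists: grown (size changed, the classic appending
    infector), altered (same size but different content, e.g. an overwriting
    infector) and unknown (program files that were not in the baseline).
    """
    grown, altered, unknown = [], [], []
    for name, (size, digest) in current.items():
        if name not in baseline:
            unknown.append(name)
        elif baseline[name][0] != size:
            grown.append(name)
        elif baseline[name][1] != digest:
            altered.append(name)
    return sorted(grown), sorted(altered), sorted(unknown)


if __name__ == "__main__":
    # Constructed demo: baseline one program, then let it grow and add a stray file.
    with tempfile.TemporaryDirectory() as root:
        exe = Path(root) / "WINWORD.EXE"
        exe.write_bytes(b"MZ" + b"\x00" * 100)
        before = snapshot(root)
        exe.write_bytes(exe.read_bytes() + b"EXTRA-BYTES")   # size changes
        (Path(root) / "MYSTERY.COM").write_bytes(b"MZ??")    # unidentifiable file
        print(diff_snapshots(before, snapshot(root)))
```

Running the demo prints `(['WINWORD.EXE'], [], ['MYSTERY.COM'])`; a scheduled comparison against a stored baseline turns the sidebar's anecdotal symptoms into a concrete alert.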

At the time, Willamette had some anti-virus capabilities, including a variety of software from different vendors such as Symantec/Norton, McAfee, Trend Micro Inc., and others, "but it was a mishmash of different products at different places," says Woods. Because Willamette is decentralized, each office was permitted to buy whatever anti-virus products it deemed appropriate, with no regard for what everyone else was using.

When Concept hit, Woods ran the then-current Norton AntiVirus utilities on a corporate file and print server running Novell NetWare and discovered more than 200 occurrences of the virus, which were then scrubbed clean. "But we realized we needed something global," Woods says. That's when Willamette turned to the integrated Symantec solution.

A systematic global approach is one of the important keys to preventing and mitigating malicious code attacks. "Generally, we're a fairly decentralized organization," Woods says. "We try to let each group run its own show. But in matters like this, we have standard policies and procedures that they must follow."

In addition to establishing policies about what anti-virus software should be used, updating regularly is an important key to protecting the network from malicious code. Willamette posts monthly updates made available from Symantec. The company also has mid-month updates as necessary and emergency notifications, according to Woods.

Willamette uses "the carrot, rather than the stick," approach to get policy compliance, according to Woods. "We don't say 'you must do this,' we say, 'here are some things that can help you.'" Anti-virus updates are done manually by administrators at each site, but they are nudged to do so by frequent reminders from corporate administration.

But it's not smart to just depend on your vendor for updates. Willamette regularly consults Web sites, Usenet news groups, and other sources for news on the latest viruses (see "Sites to see"). "We're checking the Web every day or two just in case," Woods says.

"A multitier solution is important--desktop, server, and gateway," adds Symantec's Nachenberg. "We used to say the desktop was the most important because viruses spread by floppy disk. Today, with e-mail and the Internet, security's most important at the gateway, where it is filtering traffic."

Willamette has virus checks at the firewall--which is a combination of a Cisco router and an unspecified Linux box with homegrown software--at the Compaq ProLiant mail server, and at the desktop level, which runs Microsoft Mail with Microsoft Exchange as sort of the backbone, says Woods. "Generally, one of them will stop a virus," he says.

Many companies are currently in the state Willamette was in three years ago. "Most companies today have a random hodgepodge of products," says Ted Julian, an analyst with Forrester Research Inc., in Cambridge, Mass. "One workgroup bought this product, another bought that...the company started with a desktop-oriented approach, but then added a firewall. It's a mess."

Today, anti-virus updates are done automatically and immediately with no trigger, which has proven to be a real time saver for IT.

The good news is that improving anti-virus practices isn't difficult, according to Julian. "Most companies are doing such a lousy job, anything is an improvement," he says. Julian recommends getting and keeping one type of anti-virus software and making sure it runs everywhere in the organization, as Willamette did. He also suggests updating anti-virus software regularly, using the multiyear anti-virus service provider agreements that are already in place in the organization, as well as having a policy in place.

Timing is critical

In a rare example of cooperation in the computer industry, many anti-virus vendors share information when a new virus becomes known. Regardless of the vendor, patches are usually available within 48 hours of a virus' release, often the same day.

"Response time is what's critical," says A. Padgett Peterson, PE, principal engineer for Information Security, Corporate Information Security, at Lockheed Martin Corp., in Bethesda, Md. "Absolutely the most important thing is the ability to change your defensive posture instantly."

That's why "you've got to have the latest signature files," says the Defense Intelligence Agency spokesperson. The DIA uses a commercial anti-virus software package, and it is absolutely rigid about distributing the latest updates as soon as they are made available. Not every commercial organization can make that kind of commitment, though.

Bandwidth considerations may mean that distributions have to be done during off-peak hours, or even during the weekend. While updates may take only a few minutes to install, companies may not be able to dedicate the system during business hours because there's business being transacted on the intranet.

That's playing a dangerous game, though, since the longer a network is unprotected from a virus, the more likely it is to become infected. "There are lots of good tools out there," says Computer Economics' Erbschloe, such as firewalls, sniffers, and anti-virus software. "But you've got to keep them updated, or it won't do any good."
