Even the healthiest people sometimes get sick. And even the best-protected companies can catch a virus. As with human health, the true test of a network’s well-being comes in how quickly it fights off or recovers from an illness.
To keep computer viruses, worms, Trojan Horses, and other nasties that fall under the umbrella title of “malicious code” away, most companies simply deploy anti-virus software.
But what happens if the anti-virus vendor gets sick? Just ask Symantec Corp., of Cupertino, Calif. Earlier this month, the company received a message from hackers threatening to unleash a worm via e-mail. Luckily, employees in the Netherlands perceived the threat quickly. Executives in San Jose then deleted the message and repelled the infection with Symantec’s security software, says company spokesperson Richard Saunders.
The lesson to be learned is that no network–no matter how secure–is totally immune. And while the best option is to avoid computer viruses, the next best alternative is to know how to quickly recover, as Symantec did, when your network does get sick. Remember to be aggressive. Deploying anti-virus software is a good start. Establishing and implementing a set of best practices and policies should be next on your agenda. If your network is compromised, having a plan can save time and a lot of headaches in the IT department.
Willamette Industries Inc. has taken this lesson to heart. The $4 billion integrated forest products company based in Portland, Ore., uses Symantec’s integrated Norton AntiVirus product, combined with regular updates, careful inspection of all incoming files, and end user education. This system has made for a more secure environment.
Despite these checks and balances, the company earlier this year caught the Melissa virus. Melissa, a macro virus that made the rounds in March, got into users’ systems through a Microsoft Corp. Office document, then replicated itself and sent out copies via e-mail using Microsoft Outlook. Melissa propagated itself up to 50 times with each user it successfully infected. According to a recent survey conducted by ICSA Inc., a Reston, Va., provider of Internet security assurance services, there were 7.6 infections per 1,000 PCs during the week Melissa was released. The chance of encountering Melissa was around 30 per 1,000 PCs per month. Of the almost 5,000 PC users surveyed during or after Melissa, 3,650 reported having been infected.
Melissa managed to infect two servers at Willamette, one at corporate headquarters and one in a branch office in the Southwest, according to Robert Woods, PC systems manager for the company. “A few of our servers were slowed down by the volume of mail, but it was more of an annoyance than anything else,” Woods says.
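The mail-volume symptom Woods describes is also the easiest thing to detect on the mail server itself: one account suddenly sending the same message to dozens of recipients within seconds. The following script is an added example written for this article, not code from Willamette, Symantec or any vendor; the log format (timestamp, sender, recipient, subject), the sample log lines and the threshold and window are constructed assumptions.

```python
"""Spot a Melissa-style mass-mailing burst in a mail-server log.

Added example for this article; the log format and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Construct sample log lines: normal traffic plus one user whose mail
    client sends the same message to 50 address-book entries in under a minute.
    (Constructed data, not a real log.)"""
    lines = [
        "1999-03-26T09:12:01 alice@example.com bob@partner.example Q1 budget",
        "1999-03-26T09:12:03 carol@example.com dave@example.com Re: lunch",
        "1999-03-26T09:13:40 alice@example.com carol@example.com Q1 budget",
    ]
    start = datetime(1999, 3, 26, 9, 14, 10)
    for i in range(50):
        ts = (start + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} dave@example.com r{i:02d}@example.com Important Message From dave")
    lines.append("1999-03-26T09:20:00 bob@partner.example alice@example.com Re: Q1 budget")
    return "\n".join(lines)


def parse_log(text):
    """Parse 'timestamp sender recipient subject' lines into sorted tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt, subject = line.split(" ", 3)
        records.append((datetime.fromisoformat(ts), sender.lower(), rcpt.lower(), subject))
    records.sort(key=lambda r: r[0])
    return records


def find_mass_mailers(records, threshold=20, window=timedelta(minutes=5)):
    """Return {sender: (subject, peak_count)} for every sender that emits
    `threshold` or more messages with an identical subject inside `window`.
    A sliding window per (sender, subject) keeps memory bounded."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, sender, _rcpt, subject in records:
        q = recent[(sender, subject)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            prev = flagged.get(sender)
            if prev is None or len(q) > prev[1]:
                flagged[sender] = (subject, len(q))
    return flagged


if __name__ == "__main__":
    for sender, (subject, count) in find_mass_mailers(parse_log(build_sample_log())).items():
        print(f"{sender}: {count} copies of '{subject}' inside the window")
```

The normal senders never reach the threshold, so only the burst is reported; in practice the flagged account is the one to isolate first, and the subject line is what goes into the warning e-mail to the rest of the users.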
Fortunately, the impact was minimal because IT officials identified the problem, isolated the systems, and got them fixed quickly.
Press and Internet warnings had alerted Willamette to the virus. “We were aware that Melissa was a possibility, so we sent out a notification to all users via e-mail, telling them what to look out for and reminding them of the policies we had in place,” says Woods.
Willamette’s early warning system kept Melissa in check until a cure was found. As a result, IT officials watched the virus–mostly inert–in its system for about two days, until Symantec issued the “inoculation” that would scrub the virus out. It was distributed, and that was that.
Thus, quick response on the part of the company and the supplier averted what was for other companies a period of costly downtime. “Damages from viruses can range from mere annoyance … to the obliteration of critical data resources,” says Bill Pollak, a spokesperson for the federally funded Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University, in Pittsburgh.
Enough to make you sick
The use of the term virus is somewhat inaccurate, since a computer virus is only one of several types of malicious programs that can wreak havoc with a company’s network. But colloquially, virus can be used interchangeably with mal-ware, or malicious software.
“A virus is any type of malicious code that can be used to cause disruption of the information infrastructure,” according to a spokesperson for the Defense Intelligence Agency (DIA), which is part of the U.S. Department of Defense. “The disruption can entail attacking the system’s integrity, circumventing security capabilities, and causing adverse operation action, or exploiting and taking advantage of the information system.”
Viruses are classified by the way they infect systems, says CERT’s Pollak. File viruses attack executable files, boot viruses infect boot sectors of hard and floppy disks, and macro viruses are data files written to exploit the macro commands available to Microsoft Word and other applications.
Today, 80% of all viruses are macro viruses, according to Carey Nachenberg, chief researcher for Symantec’s Anti-virus Resource Center. “It used to be the floppy disk, but today, a machine can get infected surfing the net, or from executables from Usenet [news] groups.”
“It’s way beyond the benign stage,” adds Michael Erbschloe, vice president of research for Computer Economics Inc., an independent research firm in Carlsbad, Calif. According to the company’s survey of about 2,000 customers using computers, from which it received about 150 responses, Erbschloe figures that companies worldwide lost $7.6 billion in the first half of 1999 because of computer viruses–that’s more than five times the losses for all of 1998. “That includes about $1.4 billion to clean up results of the virus,” he explains. “And the rest was lost productivity.”
The DIA spokesperson, who requested anonymity, is familiar with the agency’s virus defenses and says that “while there may be thousands of unique viruses or mutations of those viruses, only the more sophisticated ones cause problems today. There are probably less than 10 that are true problems right now.”
Taking the initiative
Willamette’s proactive approach to Melissa was due to the fact that the company has had other brushes with computer viruses. “We’d gotten the ‘Concept’ macro virus in 1996,” explains Woods. The Concept macro resided in Word documents and replicated itself by overwriting existing Word macros or creating new ones. “It made us realize what a problem viruses could be.”
At the time, Willamette had some anti-virus capabilities, including a variety of software from different vendors such as Symantec/Norton, McAfee, Trend Micro Inc., and others, “but it was a mishmash of different products at different places,” says Woods. Because Willamette is decentralized, each office was permitted to buy whatever anti-virus products it deemed appropriate, with no regard for what everyone else was using.
When Concept hit, Woods ran the then-current Norton AntiVirus utilities on a corporate file and print server running Novell NetWare and discovered more than 200 occurrences of the virus, which were then scrubbed clean. “But we realized we needed something global,” Woods says. That’s when Willamette turned to the integrated Symantec solution.
A systematic global approach is one of the important keys to preventing and mitigating malicious code attacks. “Generally, we’re a fairly decentralized organization,” Woods says. “We try to let each group run its own show. But in matters like this, we have standard policies and procedures that they must follow.”
In addition to establishing policies about what anti-virus software should be used, updating regularly is an important key to protecting the network from malicious code. Willamette posts monthly updates made available from Symantec. The company also has mid-month updates as necessary and emergency notifications, according to Woods.
Willamette uses “the carrot, rather than the stick,” approach to get policy compliance, according to Woods. “We don’t say ‘you must do this,’ we say, ‘here are some things that can help you.'” Anti-virus updates are done manually by administrators at each site, but they are nudged to do so by frequent reminders from corporate administration.
But it’s not smart to just depend on your vendor for updates. Willamette regularly consults Web sites, Usenet news groups, and other sources for news on the latest viruses (see “Sites to see”). “We’re checking the Web every day or two just in case,” Woods says.
“A multitier solution is important–desktop, server, and gateway,” adds Symantec’s Nachenberg. “We used to say the desktop was the most important because viruses spread by floppy disk. Today, with e-mail and the Internet, security’s most important at the gateway, where it is filtering traffic.”
Willamette has virus checks at the firewall–which is a combination of a Cisco router and an unspecified Linux box with homegrown software–at the Compaq ProLiant mail server, and at the desktop level, which runs Microsoft Mail with Microsoft Exchange as sort of the backbone, says Woods. “Generally, one of them will stop a virus,” he says.
Many companies are currently in the state Willamette was in three years ago. “Most companies today have a random hodgepodge of products,” says Ted Julian, an analyst with Forrester Research Inc., in Cambridge, Mass. “One workgroup bought this product, another bought that…the company started with a desktop-oriented approach, but then added a firewall. It’s a mess.”
The good news is that improving anti-virus practices isn’t difficult, according to Julian. “Most companies are doing such a lousy job, anything is an improvement,” he says. Julian recommends getting and keeping one type of anti-virus software and making sure it runs everywhere in the organization, as Willamette did. He also suggests updating anti-virus software regularly, using the multiyear anti-virus service provider agreements that are already in place in the organization, as well as having a policy in place.
Timing is critical
In a rare example of cooperation in the computer industry, many anti-virus vendors share information when a new virus becomes known. Regardless of the vendor, patches are usually available within 48 hours of a virus’ release, often the same day.
“Response time is what’s critical,” says A. Padgett Peterson, PE, principal engineer for Information Security, Corporate Information Security, at Lockheed Martin Corp., in Bethesda, Md. “Absolutely the most important thing is the ability to change your defensive posture instantly.”
That’s why “you’ve got to have the latest signature files,” says the Defense Intelligence Agency spokesperson. The DIA uses a commercial anti-virus software package, and it is absolutely rigid about distributing the latest updates as soon as they are made available. Not every commercial organization can make that kind of commitment, though.
Bandwidth considerations may mean that distributions have to be done during off-peak hours, or even during the weekend. While updates may take only a few minutes to install, companies may not be able to dedicate the system during business hours because there’s business being transacted on the intranet.
That’s playing a dangerous game, though, since the longer a network is unprotected from a virus, the more likely it is to become infected. “There are lots of good tools out there,” says Computer Economics’ Erbschloe, such as firewalls, sniffers, and anti-virus software. “But you’ve got to keep them updated, or it won’t do any good.”
Remedy Intelligence Staffing, of Aliso Viejo, Calif., a nationwide staffing company, uses a central Novell NetWare server to distribute information to its users at about half of its 250 branch offices throughout the United States. Remedy IT officials started becoming truly concerned about security several years ago with the rise of the macro virus, according to Andras Somogyi, lead technical support specialist for Remedy’s Network Services Group. “Since we’re very much a Microsoft shop, macros became a big issue,” he says.
Using anti-virus software from Trend Micro, in Cupertino, Calif., Remedy is stopping about 100 virus attacks a month throughout the company, Somogyi says.
“Today, updates are done automatically [and immediately] with no trigger” on 2,000 desktops, says Somogyi, which has proven to be a real time saver for IT. But, he admits, his company may have to switch to scheduling updates overnight because of other demands on corporate bandwidth. Remedy is connected through a 128K Frame Relay. The 1MB to 2MB updates take a minute or two, at which time each user who needs to be updated is taking a good chunk of the frame.
Remedy’s automated scheme not only detects viruses as they come in, but also notifies whoever sent the e-mail that they have an infection. “We’ve gotten viruses from big companies like AT&T and Compaq,” Somogyi says. “They’ve always been grateful for our feedback.”
No network is immune
Despite the most valiant efforts, you’re still going to get malicious code in your system. Virus designers are endlessly inventive, and viruses mutate too quickly for even the best system to catch all of them.
“Viruses will get in,” says Dan Schrader, vice president of new technology for Trend Micro. “Your job is to make sure that if an incident strikes, it doesn’t spread. If a virus affects one computer, it’s a nuisance. If it affects 100, it’s a disaster.”
No network is completely immune, concurs Forrester’s Julian. “If you set that as a goal, you will fail. So you should put policies in place that will minimize the impact. Companies have to learn to take these things in stride so that every mistake doesn’t bring it down.”
Plan ahead, Julian insists. “The way you respond to a self-replicating virus is different from the way you respond to an attachment infection,” he says.
But that planning has to have flexibility built in, says Remedy’s Somogyi. “We can’t have any firm plans in place, because we can’t know exactly where a virus is going to hit or how.”
One policy both Willamette and Remedy have in place is to identify and isolate the systems that have been infected. “Shut the system down and try to isolate the machines it’s on,” Somogyi advises.
Lockheed’s Peterson thinks isolation is vital. “You have to be able to isolate to limit the damage,” he says. “In the past, that used to mean cutting a machine off the network. Now that may mean cutting off the network. And that means you have to find someone you can trust with the authority to shut your network down. You need a dictator you can trust, because you don’t have time to react through bureaucracies. That kind of person isn’t easy to find.”
Once the network has been isolated, IT has to figure out what the network has been infected with and what the virus is corrupting. “Assess the probable damage and rate of speed,” says Lockheed’s Peterson. “What kind of virus is it? You have to categorize it quickly. Get a sample over to the anti-virus provider as soon as possible.”
To correctly assess the impact of the virus, network administrators have to know what the system looks like normally. “Administrators should understand the inventory of the network,” says Symantec’s Nachenberg. “To identify the culprit, you can set up a test machine from a clean install, attach the machine to the network, and find out if anything attacks.”
When the virus has been neutralized, the system has to be rebuilt. And that means using your backup files. Of course, it’s crucial to ensure those backups are clean of the infection.
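Knowing “what the system looks like normally” and proving that a backup is clean both come down to the same bookkeeping: a hashed inventory taken while the machine is known good. The script below is an added example written for this article, not Symantec’s or Willamette’s tooling; the directory layout, file contents and the “altered template” scenario are constructed to show a baseline, the diff against a later state, and a backup check that rejects anything that drifted from the baseline or matches a known-bad digest.

```python
"""Baseline a file inventory, spot what changed, and prove a backup is clean.

Added example; directory layout and file contents are constructed.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def diff_manifest(baseline, current):
    """Report files that appeared, changed content, or disappeared since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "changed": changed, "removed": removed}


def verify_backup(backup_root, baseline, bad_digests=frozenset()):
    """A backup is restorable only if it matches the clean baseline exactly
    and contains nothing whose digest is on the known-bad list."""
    current = build_manifest(backup_root)
    problems = []
    for kind, paths in diff_manifest(baseline, current).items():
        problems += [f"{kind}: {p}" for p in paths]
    problems += [f"known-bad content: {p}" for p, d in current.items() if d in bad_digests]
    return (not problems, problems)


def write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: clean baseline, a later altered tree, and two backups."""
    work = tempfile.mkdtemp()
    live = os.path.join(work, "live")
    write(live, "docs/report.doc", b"clean report v1")
    write(live, "templates/normal.dot", b"clean template")
    baseline = build_manifest(live)

    # Backup taken while the tree is known clean.
    clean_backup = os.path.join(work, "backup_monday")
    shutil.copytree(live, clean_backup)

    # Later the global template is altered and a new document appears;
    # a backup taken now would silently carry both into any restore.
    write(live, "templates/normal.dot", b"clean template + extra macro")
    write(live, "docs/readme.doc", b"new file")
    late_backup = os.path.join(work, "backup_friday")
    shutil.copytree(live, late_backup)

    delta = diff_manifest(baseline, build_manifest(live))
    bad = {sha256_of(os.path.join(live, "templates/normal.dot"))}  # digest supplied by the AV vendor, say
    results = {
        "delta": delta,
        "monday": verify_backup(clean_backup, baseline, bad),
        "friday": verify_backup(late_backup, baseline, bad),
    }
    shutil.rmtree(work)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Monday’s backup passes because it is byte-for-byte the baseline; Friday’s fails twice over, once for drifting from the baseline and once for the known-bad digest, which is the check you want before restoring anything onto a machine you just cleaned.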
Finally, says CERT’s Pollak, learn from your mistakes. “Collect and protect information…and identify and implement security lessons learned.”
Primary line of defense
One of the major problems with getting a good anti-virus policy implemented is money, according to Computer Economics’ Erbschloe. “We’ve been studying IT budgets for a decade, and security is always underfunded. You have to give [the security implementers] money so that they can keep up on current issues and get the tools they need.”
Firewalls are one of those tools, and implementing a firewall is a prerequisite for computer security. But it isn’t sufficient. Although firewalls can keep unwelcome users out, they can’t protect your network from inadvertently dangerous payloads from approved sources like a customer.
“You have to have software on the desktop. That’s your primary line of defense,” says Lockheed’s Peterson. Computer security for Lockheed Martin involves thousands of platforms, from PCs to Macintoshes to UNIX workstations and mainframes, at hundreds of locations worldwide.
That means IT still has to educate the end user on how to use the anti-virus software. It can be a difficult task, when you consider that most managers are still trying to convince end users simply to back up their files regularly.
The main lesson to be learned? “Scan anything from the outside world,” says Symantec’s Nachenberg, including any e-mail message, program, or data file introduced into the system. This must be done at each level of a multitiered approach. Some experts go even further and recommend not opening any e-mail attachments whatsoever. Of course, that’s impractical in today’s business world, but users should be taught to think twice before running an .EXE file, especially if it’s from an unknown source.
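Nachenberg’s multitier advice (gateway, server, desktop) and the “scan anything from the outside world” rule translate into a small amount of logic at the mail gateway: match each attachment against the current signature set, refuse executable types outright, and hold macro-capable Office documents for the next tier. The script below is an added example written for this article, not Symantec’s, Trend Micro’s or Willamette’s code; the extension lists, the sample message and the one-entry signature table (built from the EICAR anti-virus test string, which is harmless by design) are constructed assumptions.

```python
"""Gateway-style attachment scanning: signature match plus type policy.

Added example for this article; the policy sets, file names and the
signature table are constructed, not any vendor's product.
"""
import email
import hashlib
import os
from email import policy
from email.message import EmailMessage

# The EICAR string is the industry's harmless anti-virus test file; its
# hash stands in for a vendor signature database in this example.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File"}

BLOCKED_EXTENSIONS = {".exe", ".com", ".bat", ".scr", ".vbs", ".pif"}  # assumed policy
MACRO_CAPABLE = {".doc", ".dot", ".xls", ".xlt"}  # Word/Excel files that can carry macros
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-document header used by Office 97 files


def scan_attachment(name, data, signatures=SIGNATURES):
    """Return (verdict, reason): 'blocked', 'held' (deliver only after the
    server and desktop tiers scan it) or 'clean'. The signature check runs
    first so a renamed file cannot slip past the extension policy."""
    ext = os.path.splitext(name.lower())[1]
    digest = hashlib.sha256(data).hexdigest()
    if digest in signatures:
        return ("blocked", f"signature match: {signatures[digest]}")
    if ext in BLOCKED_EXTENSIONS:
        return ("blocked", f"executable attachment type {ext}")
    if ext in MACRO_CAPABLE or data.startswith(OLE_MAGIC):
        return ("held", "macro-capable Office document; scan again at server and desktop")
    return ("clean", "no signature match; permitted type")


def scan_message(raw, signatures=SIGNATURES):
    """Parse a raw RFC 822 message and return {attachment name: (verdict, reason)}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        verdicts[name] = scan_attachment(name, data, signatures)
    return verdicts


def build_sample_message():
    """Construct an inbound message with five attachments (constructed data;
    the 'MZ' bytes are a two-byte marker, not a program)."""
    msg = EmailMessage()
    msg["From"] = "partner@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Files you asked for"
    msg.set_content("Constructed sample message body.")
    octet = dict(maintype="application", subtype="octet-stream")
    msg.add_attachment(b"Quarterly notes", filename="report.txt", **octet)
    msg.add_attachment(b"MZ" + b"\x00" * 64, filename="setup.exe", **octet)
    msg.add_attachment(EICAR, filename="eicar.txt", **octet)      # benign name, known signature
    msg.add_attachment(OLE_MAGIC + b"\x00" * 32, filename="memo.doc", **octet)
    msg.add_attachment(OLE_MAGIC + b"\x00" * 32, filename="notes.dat", **octet)  # renamed Office file
    return msg.as_bytes()


if __name__ == "__main__":
    for name, (verdict, reason) in scan_message(build_sample_message()).items():
        print(f"{name:10} {verdict:8} {reason}")
```

The two cases worth noticing are eicar.txt, which has a harmless-looking name and is caught only because the signature table is current, and notes.dat, which is an Office document with the extension changed and is held because the content header, not the name, is what decides.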
It’s difficult to get users to comply, though, since most are only semi-computer literate. “We think we have literacy,” says Computer Economics’ Erbschloe. “But you have people not backing up their files, not defragging regularly, not taking care of their systems.” Basically, many users often don’t know what they’re doing. They need more training before venturing onto the information superhighway.
But not using anti-virus software is only one way corporate users put the network at risk. “People don’t like to think about this, but even before there was Internet access, people were using their computers for personal use,” says Erbschloe. “Today, they’re getting joke e-mails, they’re on mailing lists, they’re visiting a variety of Web sites.” Each of these areas is a potential source of virus infection.
The DIA has implemented a layered policy–defenses at the gateway, server, and desktop level–called Defense in Depth. There are agencywide guidelines as to what each person is responsible for in terms of handling media and the policy for malicious code. The DIA’s spokesperson acknowledges that it might be difficult to make users in the commercial sector comply with strict policy mostly because people don’t always do what you tell them to. For example, many people don’t back up their software or defrag their disks, even though they’re told to. On the other hand, the army can “order” someone to do it. “The fact that we’re a defense organization means that we can make a policy mandatory…we have greater jurisdiction.”
Order or no, it’s unlikely that you’ll be able to stop such practices–managers have been trying to do so for years. But through education, you should at least be able to raise user awareness of security issues, according to Erbschloe.
The war between virus designers and anti-virus developers is only going to escalate. And new parties are going to be drawn in. “Macro viruses became possible because information became active,” says Trend Micro’s Schrader. “Today, more than 90% of the malicious code infections come in by e-mail. Soon, that code will be part of the e-mail itself.”
So far, anti-virus software providers have been able to respond rather quickly to virus threats, in part because of the slap-dash nature of many computer viruses. “They’re still mostly amateur efforts,” says Lockheed’s Peterson. “And you can tell that because it’s very rare that you come up against a virus that works cross-platform. I have never seen what I would call professionally written mal-ware.”
That may change, though. “I think we’re going to see more and more sophisticated [viruses],” warns the DIA spokesperson. Some analysts believe that a new breed of virus writers is deliberately targeting specific corporations. For instance, Trojan Horses may be used for industrial espionage; irate former employees are also a possibility. People with a political point to make might target the military or a specific industry.
Certainly, the speed with which malicious code propagates is increasing. “Once we had six to nine months between the time when a virus was reported and when we would see it,” says Lockheed’s Peterson. “Now it’s almost instantaneous.”
Willamette’s Woods has a final word of advice about computer virus infection for his IT colleagues: “If it hasn’t happened to you yet, it will. So you’d better get moving on it now.”
Gerald Lazar is a freelance writer in Tenafly, N.J. He can be reached at firstname.lastname@example.org.