Saturday 13 January 2007

Virus Prevention Better Than Cure

Sunday Business Post - Computers in Business Magazine - October 2006


While people are aware that they must keep their PCs and networks protected from viruses, the fact that virus-writing is now a multi-billion-dollar industry may not be as well known.

“The people who are creating these viruses are in business, and unfortunately the business they are in is an illicit one,” said Tom Gillis, senior vice-president of worldwide marketing with a US e-mail and web security company, IronPort Systems.

The idea of the rogue programmer writing viruses as a joke or publicity stunt is well out of date.

“Basically the people that propagate these viruses are business people,” he said.

“They have the resources to hire professional engineers that can develop this stuff, so the level of coordination that we are seeing now is very significant.”

Time is now the most important factor in combating virus threats. Ten or 15 years ago viruses were primarily passed on slowly from machine to machine by floppy disc. The global growth of the internet and other communication technologies means that a virus can be released at nine o'clock in the morning and shut down systems all over the world by lunchtime.

“What the virus writers are exploiting is the reaction time,” Gillis said. “For all of the various anti-virus companies, the reaction time is measured in hours or sometimes days. And in that interval the viruses propagate around the world without any kind of defences or mechanisms to slow them down. Virus writers are designing viruses to last for 12 or 24 hours, and that is all they need.”

All Irish companies and organisations need to be prepared and have up-to-date solutions that can deal with the very latest dangers. Acting after you have been hit by a virus attack is not an option.

“We need companies to see the threat,” said James Finglas, sales director of MJ Flood Technology, which provides ICT solutions to Irish SMEs. “There is a bad taste left in the mouth if we are charging them to clean it up.

“We would much prefer they put in a solid platform that protects them from threat in the first place.

“But typically in the Irish market, a lot of companies might think that there is a lot of hype generated around this area, and it is not until their business is brought to its knees that they realise that it is a very serious threat.”

Finglas gives the example of an Irish SME which called in MJ Flood last year when it suffered a virus attack after its out-of-date virus protection software failed.

“This company had four offices with 50 users and they were down for seven days,” he said. “The total bill for cleaning, with four engineers from here, was in the region of €27,000.”

These are the hard costs that were involved in physically cleaning up the problem.

Soft costs, such as lost productivity, stolen data and customer information, lost trust from customers if the outbreak is made public, time spent by IT support staff and so on can be far more expensive and damaging.

There are many different types of viruses out there. Traditional viruses attacked a machine or network and shut it down completely, deleting system or data files, often requiring a full re-install of each application and programme on all machines.

Newer ‘blended’ threats, propagated by e-mail and over the web, include worms, spyware and malware such as Trojans and zombies. The latter come in and take over a machine, often automatically connecting to a rogue server to pull down malicious content or sending further e-mail to everyone in an address book to continue to spread the virus.

Other viruses are merely hoaxes, which waste users' and tech support teams' time.

While Microsoft Windows users are most at risk, viruses can also target anybody using a Mac, Linux or other system.

Viruses can enter a company in many ways, including through unrestricted e-mail use, contaminated memory sticks, flash or USB drives, or through a network or server. Another increasingly common gateway for viruses is conscious or accidental visits to unsavoury websites.

“We are seeing more and more on the internet rogue code being streamed down to the user,” said Sean Reynolds, managing director of Rits, a leading Irish information security consulting and professional services provider.

“When they browse a site, something comes down and they either say yes or it just happens automatically.”

However, spam remains the number-one risk to companies.

The concepts of spam and viruses are intertwined.

“The vast majority of viruses are designed to send spam,” Gillis said. “The people who are writing spyware are using spam to deliver more viruses, which then go and infect machines with spyware.

“These threats are related, so putting together comprehensive solutions is a real challenge for the IT team: to be educated on the different threats and understand the different solutions out there.”

It may not be immediately apparent that a virus has been downloaded onto a PC. A worm, for instance, can sit quietly on a machine until it is triggered by an action by the user, such as loading an application or hitting a particular key, or by a particular date or time.

Some virus writers go for a big bang effect, such as wiping out your entire system, whereas others are more discreet, but still very damaging.

“There was a very nice virus, which went around modifying Excel spreadsheets. Everywhere it found an eight it made it a nine and everywhere it found a nine it made it an eight, which is very subtle because it could be months before you realise you have a problem,” Reynolds said.

While these virus threats are real, Irish companies and organisations have many options to protect themselves.

There are a huge number of anti-virus programs and applications on the market. Some provide a general off-the-peg package which aims to protect against all threats; other providers offer a more tailored solution. Managers have to decide which one suits their particular requirements and circumstances the best.

The most well known anti-virus brands in the international market are Panda, Trend, Sophos, Symantec (formerly Norton), F-Secure, McAfee, Computer Associates, RAV, Microsoft, Kaspersky, AVG and Central Command.

These anti-virus programs scan all incoming web files, e-mail, attachments and downloads, as well as files accessed from a server, network, drive or disk. If they find a threat, it is isolated and killed. Each programme is constantly updated to ensure that, as far as possible, it can meet all the threats that are out there.

Most traditional anti-virus packages work on a signature-based system. This means that once a virus is released and noticed, programmers employed by the software companies immediately begin working on a cure. As soon as they are successful, the ‘fingerprint’ or ‘signature’ is uploaded onto their website in the form of a patch, from where it can be downloaded by the software installed on each user's system. Once you have the patch on your PC, it will notice any file containing the signature and eliminate it, keeping you safe.

However, if the virus gets to you before you have downloaded the patch, you are in trouble.
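The reaction-time problem the article keeps returning to follows directly from how signature scanning works, and a small scanner makes it concrete. The example below is added here and is not code from the article or from any of the vendors it quotes; the signature names (Example.Worm.A and Example.Worm.B), the byte patterns and the three inbox files are all constructed. The same inbox is scanned twice: once with the signature set the machine had in the morning, and again after the afternoon update has been merged in. The file carrying the newer worm is reported clean on the first pass and caught only on the second, which is exactly the window Gillis describes.

```python
"""
Signature-based scanning, as described above: a scanner only recognises
what its current signature set contains, so a sample that arrives before
the matching signature has been downloaded is not detected.
Every sample value below is constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class SignatureDatabase:
    """Maps a signature name to the byte pattern the scanner looks for."""
    signatures: dict = field(default_factory=dict)

    def update(self, new_signatures: dict) -> int:
        """Merge a downloaded update; returns how many signatures were new."""
        before = len(self.signatures)
        self.signatures.update(new_signatures)
        return len(self.signatures) - before


def scan(content: bytes, db: SignatureDatabase) -> list:
    """Return the names of every signature whose pattern occurs in content."""
    return [name for name, pattern in db.signatures.items() if pattern in content]


def scan_files(files: dict, db: SignatureDatabase) -> dict:
    """Scan each file; a file with no matches is reported with an empty list (clean)."""
    return {path: scan(content, db) for path, content in files.items()}


# Constructed inbox: the marker strings stand in for real code patterns.
INBOX = {
    "invoice.doc": b"plain document text, nothing unusual here",
    "photo.scr":   b"MZ...EXAMPLE_WORM_A_PAYLOAD...",
    "update.exe":  b"MZ...EXAMPLE_WORM_B_PAYLOAD...",
}

# Signature set the scanner had at 09:00 (constructed): only worm A is known.
MORNING_DB = {"Example.Worm.A": b"EXAMPLE_WORM_A_PAYLOAD"}

# The update published later in the day (constructed) adds worm B.
AFTERNOON_UPDATE = {"Example.Worm.B": b"EXAMPLE_WORM_B_PAYLOAD"}


def detection_gap():
    """Scan the same inbox before and after the update to show the reaction-time gap.

    Returns (results_before_update, results_after_update).
    """
    db = SignatureDatabase(dict(MORNING_DB))
    before = scan_files(INBOX, db)
    db.update(AFTERNOON_UPDATE)
    after = scan_files(INBOX, db)
    return before, after


if __name__ == "__main__":
    before, after = detection_gap()
    for path in INBOX:
        print(f"{path:12} before update: {before[path] or 'clean'}   "
              f"after update: {after[path] or 'clean'}")
```

Real scanners match on far more than a fixed byte string, but the dependency is the same: until the update lands, update.exe is indistinguishable from invoice.doc, which is why Reynolds' advice below about hourly update checks matters as much as the choice of product.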

“The most important thing is to have a reliable anti-virus product which is updated regularly,” said Reynolds. “By regularly, I would personally have it checking every hour, and as a minimum downloading updates daily.”

There is a move under way within the anti-virus market towards more proactive systems which aim to detect the effects of viruses without having to depend on recognising a known signature. These are ‘behaviour-based’ systems, which predict what a virus might make your system do, recognise this unusual behaviour, and shut down any system that starts to act in unusual ways.

“Behaviour analysis looks for bad behaviour on a system,” said James McLoughlin, senior security specialist with Eircom subsidiary Lan Communications. “For example, if it sees that someone is trying to delete some important files on your system or make an outbound connection across the network that would never have been seen before, it will flag that as being unusual behaviour and block it.”

These newer systems can therefore protect against new viruses immediately, and cut out any time lag which may prove problematic. All main anti-virus brands are introducing behaviour-based functionality into their solutions.
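McLoughlin's two examples, deleting important files and opening an outbound connection that has never been seen before, are easy to turn into a small behaviour monitor, which is what the added example below does. It is not code from the article or from Lan Communications, and everything in it is constructed: the event format (process, action, target), the list of protected paths, the baseline of normal activity and the suspect event stream. The monitor first learns which destinations each process normally talks to during a clean period, then evaluates new events against that baseline and the protected-path list, returning the reason for any event it would block.

```python
"""
Behaviour-based detection of the kind described above: no signature is
involved. The monitor keeps a baseline of what a machine normally does and
flags (and would block) actions outside it. All data here is constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed event record: (process, action, target)
Event = tuple

# Files whose deletion is treated as an attack on the system itself (constructed list).
PROTECTED_PATHS = {
    r"C:\Windows\System32\ntoskrnl.exe",
    r"C:\Windows\System32\drivers",
    r"C:\Documents\payroll.xls",
}


@dataclass
class BehaviourMonitor:
    """Baseline of outbound destinations seen per process during normal operation."""
    known_destinations: dict = field(default_factory=dict)

    def learn(self, events: list) -> None:
        """Record outbound connections from a period known to be clean."""
        for process, action, target in events:
            if action == "connect":
                self.known_destinations.setdefault(process, set()).add(target)

    def evaluate(self, event: Event) -> Optional[str]:
        """Return the reason this event would be blocked, or None if it looks normal."""
        process, action, target = event
        if action == "delete" and target in PROTECTED_PATHS:
            return f"{process} attempted to delete protected file {target}"
        if action == "connect" and target not in self.known_destinations.get(process, set()):
            return f"{process} opened an outbound connection to never-seen host {target}"
        return None

    def enforce(self, events: list) -> list:
        """Run each event through the monitor; return (event, reason) for those blocked."""
        blocked = []
        for event in events:
            reason = self.evaluate(event)
            if reason is not None:
                blocked.append((event, reason))
        return blocked


# Constructed clean period: the mail client and browser talking to the corporate servers.
BASELINE = [
    ("outlook.exe", "connect", "mail.example.corp:25"),
    ("outlook.exe", "connect", "mail.example.corp:110"),
    ("iexplore.exe", "connect", "proxy.example.corp:8080"),
    ("word.exe", "write", r"C:\Documents\letter.doc"),
]

# Constructed later period: normal activity plus a screensaver file that has started
# behaving like a worm (203.0.113.7 is a documentation address, not a real host).
SUSPECT = [
    ("word.exe", "write", r"C:\Documents\letter.doc"),
    ("outlook.exe", "connect", "mail.example.corp:25"),
    ("photo.scr", "delete", r"C:\Windows\System32\ntoskrnl.exe"),
    ("photo.scr", "connect", "203.0.113.7:6667"),
    ("iexplore.exe", "connect", "proxy.example.corp:8080"),
]


def run_sample() -> list:
    """Learn the baseline, then return the events from SUSPECT that would be blocked."""
    monitor = BehaviourMonitor()
    monitor.learn(BASELINE)
    return [event for event, _reason in monitor.enforce(SUSPECT)]


if __name__ == "__main__":
    monitor = BehaviourMonitor()
    monitor.learn(BASELINE)
    for event, reason in monitor.enforce(SUSPECT):
        print(f"BLOCK {event}: {reason}")
```

Neither of the two blocked events needed a signature for photo.scr, which is the point of the approach. The baseline here is per process, so a browser that legitimately visits new sites every day would trip the connection rule constantly; tuning rules like these against false positives is the operational cost of behaviour-based products that the "cut out any time lag" benefit above does not mention.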

Many SMEs choose an all-in programme from one of the major providers that suits them. Finglas estimates the installation costs for an SME with a 15-user network for a typical anti-virus package at about €2,500, with a yearly subscription covering updates and support of about 65 per cent.

Larger organisations may have more complex requirements, and go to an outside service provider to design an individual anti-virus solution, made up of more than one level of protection.

“People in the enterprise space see the value of getting something which is specific to their environment and can take account of the myriad of problems which they would typically have,” said Reynolds.

Protecting networks from viruses is part of the challenge, especially for larger organisations that may have very complex systems, including wireless Lans and Wans.

Each element within a network must be sealed and protected, so if a virus does get in, the game is not completely up.

“We wouldn't see protection against viruses and worms as being one product,” said Karl McDermott, system engineering manager for Cisco Systems Ireland. “We would see security being in every single element of the network and the architecture that we have built - what people have termed a ‘self-defending network’.”

Network and server vendors are introducing products which also incorporate ‘behaviour-based’ functionality.

“We have developed a behavioural-based intrusion prevention system called Cisco Security Agent (CSA) that sits on the end devices in conjunction with the anti-virus software,” he said. “You don't have to wait for a signature; we understand the way that PC works normally and, once we start to see it doing strange things, then we realise there is an attack and stop it at source.”

This is especially important in large organisations that may have thousands of machines and devices to protect.

“In a world where you have viruses coming out every single day, and updates and patches to get around those viruses, IT departments could in theory spend their entire time just updating the Microsoft releases on the PCs, but the CSA product gives customers the ability to plan when they are going to upgrade their software,” McDermott said.

“They don't need to do things reactively, they can proactively say we will patch all our machines every month because CSA will protect us.

“People now carry and use laptops and mobile devices everywhere in the outside world (at home, with clients, abroad) using both traditional and wireless Lan connections.

“Companies must ensure that staff returning to the office carrying unwanted viruses are quarantined until everyone is sure they are uninfected.

“More people are out and about and they can pick up things and bring them back into an organisation. So another element to the self-defending network is a thing called network admission control.

“This is built into the switches in the network, so when you come back the first thing the network will do is check your PC to make sure you have the latest patches and your signatures are up to date.

“And if they're not, it will put you into a quarantine area and stop you getting access to the full resources of the corporation.”

Given the potentially devastating consequences of an all-out virus attack on a large organisation or enterprise, it is vital to ensure that all your machines, servers, networks, devices and applications are working together to keep you safe. Larger companies tend to go for anti-virus solutions which include all aspects of their business.

“We design the security in the network the same way as you might design the wiring plan in a building,” McDermott said. “The security is inter-built into absolutely everything and it is all connected up. It is one security system with multiple layers of security, so if a virus gets past one thing there will be two or three more layers there to stop them getting into the network.”

Just as important is to protect your own network from threats arriving with outside people coming into your own organisation.

“Nowadays, a lot of people are opening up their networks,” McLoughlin said.

“You may have contractors coming on site with laptops which you have no control over, but you want to protect your assets from what they might potentially be bringing onto the network. You may also feel obliged to protect those guys from anything you are connected to.”

The individual user also has to be protected while he or she is out of the office. Personal firewalls can be incorporated into the anti-virus mechanism on a laptop.

“A personal firewall says that while I am connected to an untrusted zone, which might be the internet or a wireless access point at the airport or in a coffee shop, I won't allow any inbound traffic, and any outbound traffic must be authorised by the user,” said Reynolds.

Smaller communications devices such as PDAs and even mobile phones can also be attacked by viruses, and once infected these can carry a virus back into the rest of your network.

“The viruses evolve as the technology evolves,” McLoughlin said. “There are some anti-virus packages that have been developed for the Palm operating system.”

While companies are investing heavily in integrated solutions to protect themselves, the most important factor of all in insuring against a virus attack can be neglected.

“Your first line of defence is always going to be human because the people who are creating these viruses are also human,” Gillis said. “Having an intelligent set of human eyes that can look at anomalies and adapt network defences is the key.”

Most viruses are still spread because someone clicks on an attachment they shouldn't, or visits a URL that is not safe.

Staff training and education is vital for protection.

“In a utopian world where everyone knew what to watch for, you would probably satisfy 80 per cent of your requirements,” Reynolds said. “The reality is we are probably the other way around: 20 per cent of people are clued in.”

Regular staff training and ensuring people are aware of threats is required, as is a sensible internet usage policy.

“It is very much about teaching the staff of the threats that are posed,” Finglas said.

“And then having a defined policy that discourages usage which reduces the potential risks posed to the company.”

http://archives.tcm.ie/businesspost/2006/10/01/story17558.asp
