Monday 5 March 2007

The virus pirates go for profit

Sunday Business Post - Computers in Business Magazine - 4th March 2007

Protecting a business of any size from virus attacks has become vitally important, as the threats evolve from disruptive nuisance to targeted fraud.

“Virus attacks are becoming more frequent and more sophisticated,” said John Power, security strategist with CA. “Once upon a time the objective of the virus was to cause widespread disruption, and take out your IT infrastructure, server or network for a while.”

“The difference these days is that the people who are writing these malware attacks are now motivated by profit. They look to get inside the organisation to steal personal or company information, at small as well as large companies.”

It is no longer accurate to speak only of virus or spam attacks. The latest security threats come in many shapes and sizes, with colourful and inventive names that belie how serious they are.

These include worms, adware, browser hijackers, downloaders, key-loggers, rootkits, trojans and spyware.

The general term ‘malware’ is now commonly used to cover all of these different threats, each of which has very specific aims and potentially devastating consequences for the IT systems of SMEs that are not adequately informed and protected.

Many malware programmes now combine a number of different threats in one attack, making them particularly difficult to combat and neutralise.

“The guys who are creating these malware programmes are now introducing multi-modal or blended attacks,” said Power.

“A blended attack combines several different threats in one. It could be a piece of malware code that incorporates spyware, and a virus, and a worm.”

Each element of the malware can have a specific function, and they all act together to cause maximum impact.

“For example, in the first instance it may look to take out the company’s firewall, then once it gets in, it looks to drop a payload into the organisation which may be a worm to take out an application,” said Power.

Michael Conway, director of Renaissance Contingency Services, said that these blended threats can be specifically designed to look innocuous at first.

“There might appear to be absolutely nothing wrong in a spam message, the email will be scanned at a point and there is nothing malicious so it gets to somebody’s inbox,” said Conway. “Then when opened it may lead to a site which downloads some spyware or a virus.”

Once malware has gained access to a PC, system or network, it can lie dormant for a set period of time, or until the user does something specific, such as open a certain type of file or application.

“Threats can come in and sit on your system and activate on a particular event or date,” said James Finglas, sales director of MJ Flood Technology. “It may not become apparent immediately that there is a problem.”

Once the threat does go into action it can quickly spread to each PC in your office. Viruses are designed to automatically replicate themselves and aggressively infect as many systems as possible.

As networks become more standard in typical SMEs, the potential damage of a virus attack increases, as one malware entry can damage your entire IT infrastructure.

“Once the malware gets on your system it will propagate and run through your entire network,” said James McLoughlin, who is senior security specialist with Lan Communications.

In the modern business environment there are many ways in which malware or viruses can gain access to an organisation’s IT infrastructure. Even smaller businesses now typically have a number of different platforms, including desktops, laptops, servers, networks and mobile devices, all of which provide malware with different entry points.

The prevalence of internet use in almost all Irish SMEs means that it is now the number one malware doorway into IT systems and infrastructure.

“The three biggest entry points for viruses would be email, instant messenger and internet browsing,” said McLoughlin.

USB flash drives, mobile phones, portable devices such as BlackBerrys, DVDs, CD-ROMs and floppy disks can also carry threats into a business's systems.

While each piece of malware is different, and some viruses are actually harmless, the three main aims of virus writers are to steal personal and company information, destroy IT infrastructure and damage a company’s reputation.

Key-loggers silently record what staff type, while phishing scams trick unsuspecting staff into entering sensitive data such as credit card numbers or passwords into a site that imitates a legitimate one.

“Unscrupulous types are trying to get credit card information from users or even important company information,” said McLoughlin. “Unsuspecting users can end up on a website that looks safe, but can turn out to be quite damaging.”

Trojans, backdoors and rootkits allow outsiders to ‘hack in’ to your system and access sensitive private information.

More basic viruses will just come in and start smashing up everything in sight: deleting files and applications, wiping disks, disrupting networks and filling memory.

Subtler malicious programmes can make small changes to settings or files, which can have equally damaging results if they are not noticed and neutralised quickly.

Just because an organisation is relatively small or self-contained, does not mean that malware poses any less of a risk to the business. In fact, SMEs can be more open to disastrous virus attacks.

“Threats to SMEs would be of the same nature as those faced by larger organisations, but the consequences would be very different,” said Finglas. “In corporate size enterprises you might have a number of different levels of security, whereas in SMEs if a threat isn’t picked up by the one anti-virus you are using there can be a huge problem.”

These huge problems can include the need to replace IT equipment and infrastructure, lost productivity while a system or network is down, loss of reputation or prestige by not being able to service customers, unreliable data and information in your records, and much more. All this costs money.

“The damage done can be very significant,” said Finglas. “We had one particular instance last year of a company with 50 users that was taken down for seven days. They had 3,500 instances of malware on their system, it really was an awful mess. Forgetting about the productivity costs and loss within that time, the actual costs of cleaning up came to about €20,000.”

Finglas warned that despite these clear and present dangers, he still encountered people who felt that there was too much hype around about viruses and other security threats.

“There is a perception out there that perhaps this is being over-played,” he said. “But I can absolutely guarantee that there is quite a serious danger to all SMEs.”

The Solutions

SMEs which decide to implement a new anti-virus product, or upgrade their existing solution, have a number of options. They can buy a product online or directly from a manufacturer and install it themselves, or deal with a re-seller or vendor who may provide a range of different solutions and provide assistance with their implementation, as well as ongoing support as issues arise.

SMEs without the requisite IT expertise or malware experience are advised to speak with someone who knows the different threats and solutions before making any purchasing decision.

“You can implement a solution in-house, but I would suggest that they definitely need to engage somebody that understands the different threats,” said Finglas.

Conway also recommends that SMEs without IT expertise deal with a reseller or service provider who can provide advice and support about products, and help deal with problems as they arise.

“Those who just buy off the web will find things more difficult,” he said.

The most popular anti-malware products in the SME space are now UTMs or Unified Threat Management suites. These take a holistic approach to threat management, and integrate anti-virus, anti-spyware, anti-spam, firewalls and web content filtering in one package. These are quickly replacing previous ‘point-based’ solutions which focussed on one particular threat, but did little to protect from the others. In the era of sophisticated blended threats, such an integrated solution is generally accepted as necessary.

“A lot of firewalls are now building in anti-virus, anti-spyware and content filtering functionality,” said McLoughlin. “So rather than someone buying several specialist software products, they can go for an all-in-one box.”

UTM systems are particularly designed for the smaller company.

“You are not going to be able to throw ten thousand users at it, but in a hundred user or less environment they are an attractive proposition,” said McLoughlin.

McLoughlin advises companies to look for a modular threat management system which can be upgraded and added to over time, as your business evolves and faces new risks.

“All of these UTM-type solutions will start off with a base level with very basic features, maybe acts as a firewall on its own, and then as the budget becomes available or as your requirements become more demanding you can add extra features,” he said.

UTM products can typically be centrally managed and controlled, which means that one person can keep an eye on each entry point into a system or network. This is a good idea, as it is often not practical or sensible to rely on each individual within an organisation to ensure that their own anti-virus software is running properly and regularly updated.

“Good all-in-one solutions are deployed and managed through a central console,” said Conway. “You identify your threats and roll out your updates from a central point. If you have one piece of software running on ten different machines, and a separate piece of software running on five, you have no central point of control, and you will have gaps. A centrally managed solution is also the most cost effective.”

Conway said that organisations operating stand-alone PCs cannot use the integrated threat management packages.

“Very small organisations without a server will have to manage their desktops on an individual basis,” he said.

Thousands of new threats are unleashed onto the internet every day, and spread quickly, so keeping an anti-virus system completely up to date is of vital importance.

“The technology is updated live over the internet in real time, the unified threat management makes contact with our system which looks to see what are the latest threats, where are they coming from, and distributes the solution to all customers worldwide,” said Power.

The costs of all-in-one systems vary depending on the requirements and size of the organisation. Power gave an example for a company with 100 employees looking for full protection.

“For a unified threat management suite that neutralises each of the threats and types of malware you are looking at a per user cost in the region of €21 per annum, that includes all maintenance and update costs,” he said.

Finglas quoted a figure of €270 per user in a typical 25-user network environment to cover anti-virus, spyware, malware, spam and email and web content filtering, and €190 per user in a 50-user network environment. These costs include the dedicated hardware required to run the software.

Conway said that the cost for a typical SME with 25 users would be €925 for an annual licence for basic anti-virus, with each extra module costing more. The licence includes office-hours support, with 24-hour service costing extra.

“I think price is very important when you buy a piece of software, but the most important thing is that there is somebody there to help you if and when you come across a problem,” said Conway. “SMEs need a good level of support, with access to a knowledgeable person who knows what to do in a situation.”

It is possible for SMEs on a tight budget to download solutions for free from the internet, which can offer a certain amount of protection. Conway said that while this could work on occasion, there were definite risks involved.

“Some people go off down the freeware route and decide they want to manage things themselves,” he said. “They may have the latest version of freeware on some machines, but they are not centrally deployed, managed or updated. If you do not have current up to date protection which covers everything then you are going to get infected.”

New technologies such as mobile devices and wireless networks can also bring challenges to SMEs looking for total protection from malware, and managers should ensure that their anti-virus systems are able to deal with these.

“The attraction to wireless is so big that people very often overlook the security risks involved,” said McLoughlin.

For example, if a member of staff is out of the office travelling for a few days, their laptop may not have been updated during that time, and may now be a weak point in your network when it reconnects.

“The anti-virus technology should check the mobile device before it is allowed access back to the network,” said Finglas.
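As an added illustration of the central-management and update-freshness points made above (this is an example written for this page, not code from the article or from any of the vendors quoted; the host names, product names and timestamps are constructed), the following Python audits a small endpoint inventory and lists the machines that are not centrally managed, whose signatures are older than a threshold, or that have been off the network long enough that they should be checked before being allowed back on:

```python
"""Coverage audit over a constructed endpoint inventory.

Hypothetical data: host names, products and timestamps are made up for
this example. The thresholds (two days for signatures, three days
offline) are assumptions, not figures from the article.
"""
from datetime import datetime, timedelta

# Constructed sample inventory; "managed" means the host reports to the
# central console and receives its updates from it.
INVENTORY = [
    {"host": "desk-01", "product": "AV-A", "managed": True,
     "sig_updated": "2007-03-04T18:00", "last_seen": "2007-03-05T08:30"},
    {"host": "desk-02", "product": "AV-A", "managed": True,
     "sig_updated": "2007-02-26T18:00", "last_seen": "2007-03-05T08:40"},
    {"host": "desk-03", "product": "free-AV", "managed": False,
     "sig_updated": "2007-03-01T10:00", "last_seen": "2007-03-05T08:10"},
    {"host": "lap-07", "product": "AV-A", "managed": True,
     "sig_updated": "2007-02-27T09:00", "last_seen": "2007-02-27T17:00"},
    {"host": "srv-01", "product": "AV-A", "managed": True,
     "sig_updated": "2007-03-05T06:00", "last_seen": "2007-03-05T09:00"},
]

# Fixed "current time" so the audit is reproducible offline.
NOW = datetime(2007, 3, 5, 9, 0)


def parse(ts):
    """Parse the inventory's ISO-style timestamps."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def audit(inventory, now, max_sig_age=timedelta(days=2),
          max_offline=timedelta(days=3)):
    """Return, per rule, the hosts that break it.

    unmanaged:           not deployed or updated from the central console
    stale_signatures:    signature set older than max_sig_age
    recheck_before_join: off the network longer than max_offline, so it
                         should be scanned before it is let back on
    mixed_products:      True when more than one product is in use, i.e.
                         there is no single point of control
    """
    findings = {"unmanaged": [], "stale_signatures": [],
                "recheck_before_join": []}
    products = set()
    for h in inventory:
        products.add(h["product"])
        if not h["managed"]:
            findings["unmanaged"].append(h["host"])
        if now - parse(h["sig_updated"]) > max_sig_age:
            findings["stale_signatures"].append(h["host"])
        if now - parse(h["last_seen"]) > max_offline:
            findings["recheck_before_join"].append(h["host"])
    findings["products"] = sorted(products)
    findings["mixed_products"] = len(products) > 1
    return findings


def report(findings):
    """Render the findings as one line per rule."""
    lines = []
    for rule in ("unmanaged", "stale_signatures", "recheck_before_join"):
        hosts = ", ".join(findings[rule]) or "none"
        lines.append(f"{rule}: {hosts}")
    lines.append("products in use: " + ", ".join(findings["products"]))
    if findings["mixed_products"]:
        lines.append("warning: more than one product, no central point of control")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(INVENTORY, NOW)))
```

Run as a script it prints one line per rule; the unmanaged freeware machine and the laptop that has been away for a week both show up, which is exactly the gap the central console is meant to close.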

While these solutions spend most of their time keeping an organisation's IT infrastructure safe from external threats, they can also monitor internal usage to ensure that there are no problems there.

“We are seeing a focus whereby firewall technology within the organisation is ensuring that employees are not spending time visiting websites that they should not,” said Power. “Devices are locked down to ensure that staff are focused on day to day business and not wasting company time downloading music from itunes, for example.”

Conway said that a certain amount of basic training for all employees was required to complement any anti-malware product, no matter how sophisticated the solution installed.

“Dangerous e-mail should be quarantined or deleted by your anti-virus software, but if it is not and you receive it in your inbox do not open it, just delete it,” said Conway. “If people are following the basic rules, browse the internet in a sensible way and do not open email they shouldn’t, then you have a reasonable layer of protection.”

McLoughlin said that a well thought-out and properly implemented security policy, which clearly lays out to all employees the correct behaviours and usages for each element of the organisation's IT infrastructure, is also useful in keeping a business safe.

“You have to ensure it is enforceable and that people are going to comply. For an SME vigilance is your best thing,” he said.

Despite all the warnings and publicity around spam, viruses and malware threats, McLoughlin said that many Irish SMEs are still not sufficiently protected, for a number of reasons.

“I think there is a better awareness than there was, but a lot of IT security is still taken for granted,” he said.

As each new technology is introduced to a business, managers should re-evaluate their security policies and ensure that their anti-virus solutions can cope.

“The attractions of some of the new technologies and the benefits that they provide may be too big a carrot for people who plough ahead and use them regardless,” he said.
