IT Security Management: Spam, Viruses and Software Patches

1 2 Page 2
Page 2 of 2

Mary Finlay, deputy CIO of Partners HealthCare System in Boston, says she’s considering outsourcing virus management because it’s become just too much of a nuisance. In January 2003, Slammer attacked a vulnerability in Microsoft SQL 2000 Web servers. For Finlay, whose company is largely standardized on Microsoft servers, Slammer was the last straw. She realized that her 1,000 IT workers weren’t communicating well and that they should be handling viruses?big and small?in a better way. "We were managing each virus as it came," says Finlay, whose network ferries crucial information on everything from patient registration to lab tests to medication orders among employees at 10 hospitals. That virus-by-virus approach?done differently within each department?is typical at big corporations where each manager wants to handle the problem in his own way.

But that method made the company’s network vulnerable, Finlay says. So she initiated a system to keep antivirus software consistently up to date on both Windows NT servers and desktops at all 10 sites. "Whenever we’ve been hit since, having this process in place makes things run more smoothly," Finlay says. Still, she says she’s looking to companies such as Symantec for help. "It’s very labor-intensive and confusing to gather intelligence around an impending virus," she says.

Recognizing Friendly E-Mails Among the Foes

CIOs face a quandary when they get scrupulous about e-mail filtering. They want to keep out the "Cheap Viagra" messages, but they don’t want to filter out serious, work-related e-mail in the process.

Sean Bagshaw, CTO of Mortgage Bankers Association (MBA), tackled this problem recently. E-mail the company sends out?newsletters and other information?is often blocked as spam because some of MBA’s banking members include the word mortgage on their e-mail blacklists. "You are constantly fighting to get off the [black]list," he says.

To fix the problem, Bagshaw asks member companies to add MBA’s e-mail to their white-list. But Bagshaw is also considering joining a Bonded Sender program through IronPort Systems. Bonded Sender uses a third party to certify that an e-mail sender has met specific antispam standards and has put up cash to back that. Under the system, MBA would put up a bond for, say, $50,000, which ensures a marketing campaign is not spam. A debit from the bond is collected if the third party finds MBA in violation. About 18,000 organizations participate in the program.

At ABM, the building services contractor whose CEO was hit by the Blaster virus, a blacklist mishap last year prompted a policy change, Finley says.

Blacklists blocked important e-mail coming in to ABM and prevented the company from sending mail to its customers. Finley says the company missed a sales opportunity last year because its software filtered out an e-mail from a potential customer who had sent a business inquiry to the sales department from a home address. The prospective customer later followed up, asking why no one from ABM responded to the e-mail. (The salesman, of course, never got the e-mail, Finley says.) In response, ABM hired a full-time employee to sift through thousands of filtered spam messages to identify spam patterns and catch legitimate e-mails.

And, Finley says, he still battles the ISPs that have kept ABM on their blacklists?an unfortunate side effect that occurred when an e-mail spoofer rerouted spam e-mail messages through ABM’s corporate servers so it appeared that ABM was the sender. "We have to call and threaten legal action and say, ’You better unblock us,’" he says.

Users JOIN THE BATTLETo gain control of the biggest nuisances, IT departments need to stop viewing workers as the enemy?and start recruiting them to be part of the solution.

CIOs who send out e-mail warnings or updates to workers are fooling themselves because employees "will think it’s some techy thing that they don’t have to worry about," says Chris Belthoff, a senior security analyst at Sophos, a corporate provider of antispam and antivirus solutions.

Belthoff advises that companies create a hands-on training program with employees to educate them about the dangers of spam and viruses. He says it’s critical to show workers what spam e-mail subject lines look like so that they recognize them in their inboxes. Programs to train IT workers to be end user teachers are available from Symantec, among others. (For more tips, see "Spam Battle Gear," Page 64.)

Training users in good e-mail hygiene has been part of the thinking at Winstead Sechrest & Minick, a law firm with approximately 720 employees. Director Mark Garrett says the firm trains all new employees on e-mail and Internet use policies and is now looking to add training and usage policies for instant messaging users. The law firm banned IM but is considering letting Internet-reliant lawyers use a chat application to communicate with clients.

There’s no way to get rid of every single nuisance. There will always be one employee who can’t resist clicking on an infected attachment. Still, prevention stops the nuisance from becoming a nightmare. "It’s about the little proactive things," says the California Independent System Operator Corp.’s CIO Yee. "You don’t retrofit as an afterthought."

Related:

Copyright © 2004 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 secrets of successful remote IT teams