by CIO Staff

Security and Virus Protection: The Safety Dance

Jul 15, 2001

Q: We have conducted some informal research on virus protection software. Our research indicates that the three major virus protection products (Norton, McAfee and Computer Associates International) are basically equivalent and that any variation in performance results from variation in version control practices and local settings. Would you say this is accurate?

A: I would have to see your findings up close to offer a specific opinion. However, based on my experience in selecting antivirus products for the U.S. Department of State, I feel that you are headed down the right path. There are only so many ways to identify, contain and eradicate malicious code. The key in this market is to be the first to update virus signatures and get them to the end user for a rapid install, and to take into account the number of viruses that are “in the wild,” which will always be ahead of the signature update.

Q: We are seriously considering having a professional audit conducted within our organization to ensure the highest level of security possible. Do you recommend such an audit? And if so, what companies might you suggest we contact? What is the standard hourly rate for such services?

A: I would recommend an audit only if you’re going to get real solutions along with the list of identified problems. Too many companies are making a quick buck by running some automated auditing tool and adding a cover letter to the results. Ask the potential auditor to show you a sample of its product report and ask that a value-added solution be provided. Hourly rates range from $150 to $500 per hour, depending on the reputation of the company and the perceived quality of the audit team.

Q: What is the relative risk of having PCs connected to the Internet via modems and connected to a mission critical LAN-WAN via Ethernet? Is it likely or even possible that a virus could be introduced to a business network (despite good virus detection software) through a user’s separate modem connection, even though the modem and the Ethernet cannot run simultaneously?

A: Your concern is valid, and the threat is real. PCs connected as you describe are definitely vulnerable to possible introduction of backdoor software or viruses. While a user is connected to the Internet by a dial-up connection, someone could introduce a program that would map their network and place the results into a database for retrieval on the next dial-up connection. There are so many possibilities.

Q: What is the best way to protect computer systems from intrusions by the virus Back Orifice? Will Norton AntiVirus provide adequate protection against the program? Now that Back Orifice 2000 is freely available from a download site, how do we prevent users from using this tool?

A: Make sure you keep up-to-date on all “patches” and keep your software current. Removing vulnerabilities will make it harder to introduce malicious software. Yes, Norton and other antivirus vendors can detect some of the latest backdoor installations. Again, like the operating system and applications, you must keep current to keep up with the potential vulnerabilities.

Q: How do you convince management and a company full of lawyers that it is in the company’s best interest to employ strong password standards?

A: Good question! Well, this has been an issue for a long time. Even more so since computers have been networked with worldwide 24/7 access and little to no intrusion detection. Using poor or common passwords is like leaving the key to your house in a flowerpot on the front porch. It takes very little time to access and potentially damage the property. On the flip side of the subject, you are really being counterproductive if you expect an employee to remember quite a few random alphanumeric sequences with no rhyme or reason. A good password generation method is to enforce the use of “pass phrases” to generate passwords. An example would be to take the first character of each word in a phrase and use them as a password you can remember. “IiaRd2d” would come from “It is a rainy day today.”
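The pass-phrase method above, shown as an added example (not code from the column or its author): the first character of each word becomes the password, and the result is then checked against a constructed minimum-length and character-class policy. The policy values (12 characters; lowercase, uppercase and a digit) are assumptions for illustration. Note that the column's own "IiaRd2d" applies extra substitutions (capitalising "rainy", "2" for "to-") beyond plain initials; this function takes plain initials only, so the phrase itself must supply any digits and capitals the policy requires.

```python
import re
import string

# Assumed policy (constructed for this example, not from the column): a minimum
# length plus three required character classes, checked in this order.
MIN_LENGTH = 12
REQUIRED_CLASSES = [
    ("lower", set(string.ascii_lowercase)),
    ("upper", set(string.ascii_uppercase)),
    ("digit", set(string.digits)),
]


def passphrase_to_password(phrase: str) -> str:
    """Build a password from the first character of each word of a phrase.

    This is the mnemonic the column describes: the user remembers the
    sentence, the system only ever sees the initials. Digits written as
    words ("2") and capital letters in the phrase carry through unchanged.
    """
    tokens = re.findall(r"\S+", phrase)
    return "".join(t[0] for t in tokens)


def check_policy(password: str) -> list[str]:
    """Return the list of policy failures for a password (empty list = pass)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"too short: {len(password)} < {MIN_LENGTH}")
    present = set(password)
    for name, alphabet in REQUIRED_CLASSES:
        if not present & alphabet:
            failures.append(f"missing {name}")
    return failures


if __name__ == "__main__":
    # Constructed phrases: the column's own example sentence (plain initials
    # give "Iiardt", which is short and has no digit) and a longer phrase that
    # carries its own digit and capitals and so satisfies the assumed policy.
    for phrase in (
        "It is a rainy day today",
        "My 2 dogs Bark at the Mailman every single Morning, rain or shine",
    ):
        pw = passphrase_to_password(phrase)
        print(f"{phrase!r} -> {pw!r}: {check_policy(pw) or 'OK'}")
```

The point for a standards document is that the phrase rule and the policy check are separate: the mnemonic keeps the password memorable, while the policy decides whether the result is long and varied enough, so the phrase should be chosen to satisfy the policy rather than the policy relaxed to fit a short phrase.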

Q: I recently lost a key IT person who was responsible for the computer networking and communications infrastructure. We have about 10 servers and a host of other devices running inside a firewall. Short of simply changing passwords, what other key steps are needed to prevent security breaches from outsiders and departing employees?

A: The best configuration for your network and systems would be to have an enterprise implementation of public key infrastructure supporting access to all your resources. It would be an easy task to just revoke an employee’s key as he walked out the door. Many products support this idea. Another step besides changing passwords would be ensuring that all employees know the individual is no longer employed and no longer allowed access. This applies to physical and electronic access. Before this inevitable event occurs, make sure that all employees sign to indicate they have read the company’s computer use and misuse policy. This should cover you legally in case someone turns rogue.

Q: What are some effective ways to bring both upper and midlevel management to the realization that security is now a necessary part of doing business within the government?

A: First, use the media to document the high number of attacks against government Internet sites. This will hopefully paint a picture that the government spends far more on security than industry and is still facing a formidable challenge in keeping systems and information secure. Second, play the facility clearance card that poses the question “How safe is your facility to conduct government work, let alone store the contents of this work that is potentially classified?” Third, recognize the fact that computer use and misuse agreements and system warning banners often lay the responsibility on the individual’s head and not on the company’s. All it takes is one rogue employee to abuse his privileges and the company suffers. Hence the argument for good discretionary access controls for all employees. Finally, make a commonsense argument that regardless of your company’s desire to do government business, your information infrastructure must be secure in order to compete successfully in today’s network economy.