Virus Attacks Can Enter Through Many Doors

Mathias develops a battle plan after identifying openings where malicious code could get past defenses

Mention the word virus to a seasoned information security professional, and he will likely cringe and pass it off as an IT problem. Until recently, I thought the same.

I never paid too much attention to viruses. Instead, there always seemed to be some energetic young employee in the operations center or within the IT group who was the virus guru. He could rattle off the name of most viruses, put them in their respective boot sectors (or categories) and be up to date on all the popular virus protection tools. For most of these folks, virus protection has evolved into a hobby of sorts—or even an obsession.

In contrast, I've always been more interested in areas such as intrusion detection, penetration testing, firewalls, encryption, single sign-on, public-key infrastructure and so on. However, after the CIO visited my office recently to ask about the status of a virus problem, I decided to take the lead. My company has talked about enterprise virus protection, content filtering at the gateways and attachment stripping, but until now, no one has pulled the trigger. It has become painfully obvious that if someone doesn't put a foot forward, nothing will get done.

Currently, our company's only defense against viruses is antivirus software from Sunnyvale, Calif.-based McAfee.com Corp. on the desktops. We automatically push the vendor's bimonthly signature updates to each user's desktop at boot up. Unfortunately, users don't shut down their PCs each day, so it's difficult to ensure that each desktop is properly protected. We could use enterprise change-management software to automatically send the updates, but at this point we have to rely on users rebooting their machines. By encouraging employees to regularly shut down their PCs and investing in an enterprise configuration management tool, we can easily solve this problem.


LINKS:

Most antivirus software companies offer a range of products for content filtering, e-mail attachment stripping and desktop and file server virus protection. I have used and feel comfortable with the following products:

VirusScan from McAfee.com.

Norton AntiVirus from Cupertino, Calif.-based Symantec Corp.

F-Secure Anti-Virus from Helsinki, Finland-based F-Secure Corp.

SurfinShield from Finjan Software Co. in Los Gatos, Calif.


But that's not the only issue. Because the antivirus software wasn't properly installed, users can disable it. If we had only a few hundred desktops, reconfiguring them might not be a problem. However, we have more than 4,000 desktops spread across hundreds of remote offices and our headquarters. I'm suggesting that we enforce a strict desktop profile, which restricts a user's ability to stop or make configuration changes to critical software.

Ports of Entry

We are trying to protect the company against more than just viruses. In fact, malicious code can take four forms: viruses, worms, Trojans and hybrid programs.

Before coming up with a defense strategy, I needed to review how malicious code could be introduced into the company. Entry points include the following:

External media: The most common entry point, this includes floppy disks, Zip disks, CD-ROMs and peripheral storage devices. Universal Serial Bus (USB) technology is wonderful. Plug a 250MB Zip drive into the USB port and voila—automatic detection. We can deal with external media by creating a policy to disable all floppy drives as well as USB, serial and parallel ports on the desktop. We can configure the desktop policy so that only administrators can access each system's BIOS (for disabling some of the ports) and the desktop configuration. And we can create exceptions to the policy for those individuals who need it. But those employees will be required to submit written approval from their manager and be asked to sign documentation confirming that they understand the risks involved and the proper use of external media.

E-mail: This is the next most popular entry point. We use Microsoft Exchange Server, which in turn pulls e-mail from a Unix Sendmail server.

E-mail attachments are a popular form of infiltration, especially for executable programs, which employees still run without thinking. One way to deal with this problem at the e-mail gateways is to block all incoming attachments with executable extensions such as .exe, .com or .vbs. Another option is to use the sandbox method, which detaches the attachment from the user's e-mail and runs a check against the file in a protected area of memory. The security software runs the suspicious code to evaluate its result and strips the attachment from the user's e-mail if the code is malicious.

I decided on attachment stripping, because 95% of our employees don't need to receive such attachments. For those who do, we can configure the software to allow exceptions.
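One way to implement the extension-based attachment stripping with a per-recipient exception list, as an added example in Python that is not the column's own tooling or any vendor product; the extensions beyond .exe, .com and .vbs, the example.com addresses and the sample message are constructed assumptions:

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the gateway refuses. The first three are the column's examples;
# the rest are assumed additions of the same kind (Windows executable formats).
BLOCKED_EXTENSIONS = {".exe", ".com", ".vbs", ".bat", ".scr", ".pif"}


def is_blocked(filename: str) -> bool:
    """True when the name ends in a blocked extension (case-insensitive).
    Only the final extension counts, so 'report.doc.exe' is still caught
    while 'notes.exe.txt' is not."""
    name = (filename or "").strip().lower()
    return any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def strip_executable_attachments(raw, exempt_recipients=frozenset()):
    """Parse a raw RFC 2822 message and replace each executable attachment
    with a text notice, unless the recipient is on the exception list.
    Returns (rewritten message, list of stripped attachment names)."""
    msg = email.message_from_string(raw, policy=policy.default)
    recipient = str(msg.get("To", "")).strip().lower()
    if recipient in exempt_recipients:
        return msg, []  # the "select few" keep their attachments
    stripped = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()  # Content-Disposition or Content-Type name
        if name and is_blocked(name):
            part.clear_content()  # drops payload and Content-* headers
            part.set_content(f"[Attachment '{name}' removed by mail gateway policy]")
            stripped.append(name)
    return msg, stripped


def build_sample_message() -> str:
    """Constructed sample input: one benign and two executable attachments."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Q2 report"
    m.set_content("See attached.")
    m.add_attachment(b"%PDF-1.4 fake", maintype="application",
                     subtype="pdf", filename="report.pdf")
    m.add_attachment(b"MZ fake", maintype="application",
                     subtype="octet-stream", filename="Report.doc.EXE")
    m.add_attachment("msgbox 1", subtype="plain", filename="setup.vbs")
    return m.as_string()


if __name__ == "__main__":
    rewritten, removed = strip_executable_attachments(build_sample_message())
    print("stripped:", removed)
```

The notice left in place of each stripped part tells the recipient what was removed, which is what makes the later exception request auditable.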

Web mail: Employees can bypass corporate e-mail filters and introduce malicious code into the corporate infrastructure by using their Web browsers to access their Yahoo, Hotmail or other Web-based e-mail services. Savvy users may even configure their Outlook mail client to pull personal e-mail from their home Internet provider account.

Our company could restrict access to these sites at our firewall, but that would be an administrative nightmare. Instead, I've decided to combine the desktop virus protection software with an acceptable-use policy restricting users from accessing personal and Web e-mail from the corporate desktop.

Downloads: Users may introduce malicious code when they download programs from the Internet. Since 95% of our employees have no need to download such files, we plan to block outbound File Transfer Protocol (FTP) at the firewall for all but a select few who require that capability.

Unpatched operating systems: Operating systems without the latest patches have recently fallen victim to several worm programs. The worms propagate through the Internet and attack Web servers by way of vulnerable ports. Our company needs to establish a policy that ensures that administrators install the proper patches and hot fixes on a regular basis.

Those are the technical issues. But security awareness training is one of the most important methods for preventing malicious code attacks. I assembled a PowerPoint slide presentation to add to our company's employee orientation program. It explains the types of malicious code, how to avoid becoming a victim and what action to take if malicious code is encountered. Employees will be briefed at both their initial orientation and during yearly refresher training.

I'm sure there are other methods that employees might use to introduce untrustworthy programs into our company infrastructure. I think I've addressed many of the potential entry points. Did I miss anything? If so, I invite you to share your thoughts in the Security Manager's Journal forum.


Copyright © 2002 IDG Communications, Inc.
