Implementing Anti-Virus Controls
in the Corporate Arena
(Version 1.00)
Martin Overton
ChekWARE
Email: ChekWARE@Cavalry.com
WWW: http://www.arachnophiliac.com/cmindex.htm
Tel: +44 (0) 1403 241376 or +44 (0) 1403 232937
51 Cook Road,
Horsham, West Sussex,
RH12 5GJ, United Kingdom.
Abstract
When you are responsible for the security of 1,000 to 100,000 PCs, virus outbreaks are getting
out of hand, and the users won't scan, can't run the TSR scanner or don't care about viruses,
what do you do?
This appears to be the scenario in many large corporates.
Many security officers or support staff are given the onerous task of anti-virus strategy, policy,
testing, implementation and support. Of these, few have the in-depth knowledge that really is
required to understand the problem, let alone the solutions. How do they choose the right
solution(s)? What are the options?
For many it’s a catch-22 situation. If they ignore the problem, they are wrong. If they do
something and it fails, they are also wrong! Management just want results.
Viruses are at the very least a nuisance, and no matter how 'safe' and 'toothless' a virus is, it still
hits the corporate support budget. Multiply this by the number of outbreaks within a company,
add the cost of anti-virus software, updates and training, and the problem becomes more
focused and more expensive.
This paper aims to answer the question that many corporates are asking: 'What anti-virus
defences do I choose, how do I implement them, and how do I know that they are sufficient?'
This paper was written for, and presented at, the Compsec '99 International conference in London,
England, on 3rd - 5th November 1999.
I would welcome any constructive feedback on this paper and its content.
This paper will be updated from time to time.
(Martin Overton 5th November 1999)
© Martin Overton and ChekWARE 1999
The Problem [MGO96]
Before we begin I think it would be worth spending a little time looking at the common problems and
some of their solutions.
Background
According to the Information Security Breaches Survey 1996, the most common security
breach reported was computer viruses. The most expensive virus outbreak reported during the
survey was estimated at £100,000.
By now most, if not all, companies have encountered viruses. Their response to this problem is
either panic, confusion or anger, or in a few cases a well-geared machine kicks into action to
solve the problem.
Most companies' anti-virus defence consists of a scanner on the desktop PC [VB-1], and in most
cases nothing else is used to combat the virus threat. The ability of most companies to defend
themselves against the ever-growing numbers of new viruses is practically nil.
Viruses are now an everyday business problem [VB-2], and that trend will continue to get worse
for the foreseeable future.
The Cost
British businesses lost £28 million [1] due to reported virus incidents in 1994. This is just the tip
of the iceberg, as many companies do not report virus incidents for fear of lost
confidence, both from business partners and customers, and the subsequent effect on the
company's share price.
Testing
How do you test anti-virus software?
Well, for most corporates, it is simply out of the question. Even if you have several or tens of
thousands of viruses on hand (unlikely), how do you know they are real viruses? Remember
that to be viruses they must replicate; otherwise they are considered germs or, more often,
damaged files.
Even if you do get a valid virus test set, how do you test anti-virus software without risking
cross-contamination of your systems?
Do you want to trust the glossy magazine reviews? Of course, they rarely use real viruses, and
the journalist doing the test knows little or nothing about viruses. Never mind, the winning
product has a great user-friendly interface; that's all you're interested in, right?
Well, there are always the anti-virus companies themselves. They are bound to give impartial
advice, right?
This is the biggest headache for the corporate security officer!
The answer lies in independent [2] tests carried out by researchers who understand the issues and
can in most cases make impartial recommendations on the ability of a scanner or other anti-
virus counter-measure.
[1] Source: National Computing Centre Survey 1994.
[2] Such as Marko Helenius of the University of Tampere. Virus Bulletin also performs regular comparative tests, but
some feel that they are a little too close to the industry to be completely objective.
Threats
Let's have a quick review of the viral threats that occur in companies.
Boot Viruses
Until recently floppy disks infected with boot and partition sector viruses accounted for in
excess of 80% of virus infections reported world-wide. Against all logic boot and partition
sector viruses spread faster than most file viruses.
File Viruses
This class of virus infects executable files, from the common *.EXE (including
*.SCR) and *.COM files to more esoteric file types such as *.TTF, *.OVL, *.BIN, *.DRV,
etc.
Most viruses of this class infect a file by one of the following methods:
· overwriting the start of the host file with the virus code;
· appending the virus code to the end of the file and modifying the start of the original host so
that the viral code runs first;
· prepending the virus code to the beginning of the host.
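The three infection methods above describe what a file infector does to its host. The following added example (not from the paper) shows the integrity-checking view of the same thing: a SHA-256 baseline detects that a file changed, and a classifier compares the changed file with its known-clean copy to say whether code was prepended, appended (with the entry point patched) or overwritten at the start. The host bytes and the 'added code' are constructed, inert placeholders, not a real program or virus, and the file names are hypothetical.

```python
"""Classify how a suspect file differs from a known-clean copy of itself.

Added example for this paper: the 'host' and 'added code' below are
constructed, inert byte strings, not a real program or a real virus.
Baseline hashes tell you *that* a file changed; the classifier tells you
*how*, in terms of the three infection methods described in the text.
"""
import hashlib
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record one SHA-256 per file name: the known-clean state."""
    return {name: sha256_hex(data) for name, data in files.items()}


def changed_files(baseline: Dict[str, str], files: Dict[str, bytes]) -> list:
    """Names whose current hash does not match the baseline (or are new)."""
    return sorted(name for name, data in files.items()
                  if baseline.get(name) != sha256_hex(data))


def classify_change(clean: bytes, suspect: bytes, max_entry_patch: int = 16) -> str:
    """Describe how `suspect` differs from `clean`.

    Returns one of: unchanged, truncated, overwritten-start, prepended,
    appended, appended-with-entry-patch, modified-elsewhere.
    `max_entry_patch` is how many leading bytes an appending infector is
    assumed to patch (a 3-byte JMP is typical for .COM files; 16 is generous).
    """
    if suspect == clean:
        return "unchanged"
    n = len(clean)
    if len(suspect) < n:
        return "truncated"
    if len(suspect) == n:
        # Same size: an overwriting infector replaces the start of the host
        # with its own code, so the first difference is at offset 0.
        first_diff = next(i for i in range(n) if clean[i] != suspect[i])
        return "overwritten-start" if first_diff == 0 else "modified-elsewhere"
    # Larger than the clean image: either code was placed before the host...
    if suspect.endswith(clean):
        return "prepended"
    # ...or after it. An appender normally also patches the host's first
    # bytes (e.g. with a JMP) so that the added code runs first.
    head = suspect[:n]
    if head == clean:
        return "appended"
    if head[max_entry_patch:] == clean[max_entry_patch:]:
        return "appended-with-entry-patch"
    return "modified-elsewhere"


def triage(clean_images: Dict[str, bytes], current: Dict[str, bytes]) -> Dict[str, str]:
    """For every file whose hash no longer matches, say how it changed."""
    baseline = build_baseline(clean_images)
    return {name: classify_change(clean_images[name], current[name])
            for name in changed_files(baseline, current) if name in clean_images}


# Constructed sample data (hypothetical): a harmless stand-in for a .COM
# host and an ASCII placeholder where a virus would put its code.
HOST = b"\x90" * 4 + b"HOST PROGRAM BODY " * 4
ADDED = b"<inert stand-in for added code>"

# A .COM loads at 0x100; a JMP rel16 in its first 3 bytes that lands on the
# appended code needs rel = len(HOST) - 3. This mimics the layout only.
JMP_TO_TAIL = b"\xe9" + (len(HOST) - 3).to_bytes(2, "little")

SAMPLES = {
    "clean.com": HOST,
    "prepended.com": ADDED + HOST,
    "appended.com": JMP_TO_TAIL + HOST[3:] + ADDED,
    "overwritten.com": ADDED + HOST[len(ADDED):],
}
CLEAN = {name: HOST for name in SAMPLES}  # the known-good image of each file

if __name__ == "__main__":
    for name, verdict in triage(CLEAN, SAMPLES).items():
        print(f"{name}: {verdict}")
```

The hash baseline is the part you would actually deploy across desktops; the classifier is useful when triaging what an unknown sample did to a file you still hold a clean copy of. Neither can tell a virus from any other modification, so a mismatch means 'investigate', not 'infected'.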
Viruses can be freely found on the internet. However, virus outbreaks linked to internet
sites run by commercial companies are quite rare [3]. Most site operators have a good policy of
checking files for viruses before offering them for download to the public. This is similar to
most well-run Bulletin Board Systems and similar information systems.
Consider e-mail that carries binary data, such as Word and Excel files (yes, they are binary
files!), to be the biggest threat the internet has to offer corporates. This is of course only true
for viruses and Trojan horses; other security issues for internet use need to be addressed
in their own right.
Multipartite Viruses
This is a class of viruses that infect boot/partition sectors and files. In many cases the virus can
be spread via infected floppies, like boot sector viruses, and via infected files as with
executable viruses.
Y2K Viruses
"There are no known viruses that trigger on 1st January 2000, at this time." [4]
According to a number of anti-virus vendors there are currently no known viruses that have a
trigger date of 1st January 2000. Bear in mind that between 300 and 800 new viruses are
discovered each and every month; of these, only a small percentage are reported in the wild.
There is certainly a risk that a virus (or a number of them) will be written to target that date,
most likely released shortly before 1st January 2000. The most likely scenario is a number
released throughout December to cause maximum confusion and disruption.
[3] Although a number of large companies have inadvertently placed infected files on their web sites. These include
Microsoft.
[4] This statement was known to be true as at 5th September 1999, although there are a few viruses that will trigger
on the 1st of January of any year.
Macro Viruses
Macro viruses have become the biggest virus threat to corporate security. What was once
considered safe is now seen as just as capable of carrying an infection as executable code [5].
Indeed, the boundary between data and executable code is getting mighty blurred. Currently
Microsoft Word for Windows (6.0, 95, 97 and 2000), Excel (4.0, 95, 97 and 2000), PowerPoint
(97 and 2000), Access (97 and 2000) and Lotus WordPro (formerly AmiPro) can be infected by
this class of virus. Even more worrying is that other vendors are including VBA in their
products: Visio already includes VBA, and the latest version of WordPerfect Office now
supports VBA too.
Of course, many applications have macro languages built into them to give even more
functionality to the end-user. Many are mini operating systems in their own right. What this
means to you is that macro viruses are going to become the number one threat to your
corporate data. So expect the worst: if you use a widely used application with a macro
language, expect it to be targeted sooner rather than later.
Macro viruses pose a higher threat than the more conventional viruses for several reasons:
· They spread through any means used to share documents: diskettes, e-mail and
groupware.
· They execute on any operating system that runs the application and the macro
language that the virus is written in.
· The potential for damage is greater, both from destructive variants, such as Hot,
and because of the ease with which disgruntled employees can create them.
Trojan Horses
The difference between viruses and Trojans is frequently argued, but as a general rule of
thumb, the difference can be simply summed up thus:
Viruses must replicate to be classed as viruses and Trojans don't replicate.
A Trojan Horse is a program that does something that its programmer intended but the
user is not expecting.
Worms
Worms have made a comeback over the last year, but just what is a worm and how does it
differ from a virus and a Trojan?
A worm is a program that makes copies of itself, for example from one disk drive to another,
or by copying itself using e-mail or some other transport mechanism, such as the network. It
may do damage and compromise the security of the computer, but it does not replicate by
changing a host's code or files.
Windows Scripting Language (VBS)
This is a relatively new threat and currently only affects Windows 98, NT and 2000, and other
operating systems on which Windows Scripting support has been installed (it is an option that
can be installed as part of Internet Explorer 5.0).
[5] Macro viruses first became a reality in 1995, although the possibility of macro viruses had been known for a
number of years before.