While the number of reported security breaches increased fourfold over the last 12 months, many companies remain heavily dependent on the effectiveness of antivirus (AV) technology, unaware of its shortfalls or the magnitude of the damage they could face if it fails.
Devising a contingency plan for the prevention of AV failure, along with a company's recovery afterwards, should be seen as critical elements of a total AV protection offering. Helping customers implement such a plan gives solution providers an opportunity to add value to their current AV offering. To educate customers about the importance of having a contingency plan in place, nothing beats a live point-in-case.
Antony Steele, certified technical engineer of AV software vendor F-Secure, tells of a client whose network became infected with the Sircam virus in October 2001 after several users ran an infected e-mail attachment. For several days, nobody was even aware that the virus was running. Meanwhile, the infected machines were e-mailing random documents to all recipients in the users' Windows address book.
As dumb luck would have it, the documents attached contained confidential information, and it was only when some of the staff started to question why they were receiving document attachments that any investigation took place. As the final straw, the virus slowly filled up the users' hard disk space.
According to Steele, the infection was as much due to a failure of the AV technology as it was human error and poor management. The customer had not processed a virus signature update for the software for some time, thus leaving huge gaps in its ability to detect new viruses.
Furthermore, poor security with network shares allowed the machines to easily infect areas on the file server, further spreading the virus.
The company also failed to back up some of its desktops, causing one unfortunate soul to lose all her hard drive contents and have to sit through the tedious process of reinstalling the OS and applications.
At this stage, the company became deeply concerned about which confidential documents had been sent out and to whom, as they were not using any encryption software. The consequences of this alone could have been catastrophic.
Meanwhile, back in the server room, the company's IT manager could not fix the problem so he contacted a reseller, who removed the virus infection, restored the system and installed F-Secure antivirus software at the server and on the desktops.
This example highlights some of the potential disasters that await companies that are wholly dependent on the effectiveness of their AV software and do not have adequate contingency plans in place. Despite the technology's failure to detect the virus on entry, the scale of damage could have been minimised and the recovery time shortened had the company been aware of the technology's weaknesses and allocated the necessary resources to preventative measures.
The problem for pedlars of AV is twofold: they are selling a solution based on potential disaster, which is not something managers want to hear about; and the costs associated with a scenario like the one described above are largely invisible. People have come to accept downtime and data loss as a necessary evil of the information age, an attitude that does little to raise the bar on standards.
What constitutes good practice
No-one in the AV and security space will deny the importance of updating AV software to ensure networks are protected from the latest and greatest bug. Yet not everyone concurs on just how frequently such updates should be made.
"If companies are organised enough to have a recovery procedure, they're probably organised enough to never have a breach," says Ian McKay, of Australian software developer Manaccom. MacKay says the technology is more or less impregnable if software is updated hour7ly. "I update my own every hour to make sure I have the latest. You'd be mighty unlucky to be in the first hour of a virus anywhere in the world."
However, as Glenn Miller, managing director of security distributor Janteknology, points out; "hourly updates are practical at a certain level, but for most companies it's unrealistic. It's a theory more than something you'll ever see in practice. You've got to deal with the practical realities of the life of a network manager. They simply don't have time to do it."
According to Miller, you cannot rely on the technology stopping a virus at its point of entry. "No antivirus vendor can say that their product will stop viruses 100 per cent." Miller says he recently spoke to one large reseller that had dealt with a customer that was having support problems from one of the top five antivirus vendors. "They [the reseller's customer] weren't getting the type of support they were after so they put in another antivirus package," he says. "The new package discovered 30,000 viruses that they didn't realise were in there."
If you truly want the best possible virus protection given the limits of the technology, Miller recommends a company runs two different vendors' antivirus packages. "Run one on the server and the other one on the desktops. That way you're hedging your bets. Not to be critical of any antivirus vendor, but none of them at any point in time are going to cover everything," he says.
Miller says that the backup of business-critical data is one of the most essential parts of a contingency plan. Backing up company data on the file server is the simplest and least expensive way of minimising damage caused by a virus infection and is a preventative measure that should be enforced as part of a company's contingency plan. By backing up its server, and ideally its desktops, all a business will have to do if it gets hit is a simple restoration procedure. If getting desktop users to back up their PCs proves a logistical nightmare, then companies should ensure that the systems administrator backs up the central server, which will back up the core company information.
In real life, however, backup procedures often go untested, even by IT service providers, who really should be setting an example. According to an insider, Telstra Enterprise Services (TES), which supplies managed services to Qantas and National Australia Bank among others, has only just backed up its systems this February. Despite the well-known folly of putting DR??? systems right next door to the operations centre, TES has done exactly that. In addition, the system backs up to a TSM server, which entails complicated scripting and processes, so no-one really knows if the backup is performing properly.
Another preventative measure that many companies fail to implement is the use of encryption software to protect highly sensitive or confidential information.
Mass-mailing viruses, like those that attach themselves to a business document then send it out to all names in the address book, can cause business-threatening disasters. "I recommend to all businesses that have sensitive or confidential data that they encrypt it on to the hard disk," says Miller. "That way, users can only access the information they've got a key or password to. That protects you from the inadvertent distribution of sensitive information by malicious viruses, and it also protects you from people internally or externally accessing the information," he says.
Just as important as ensuring staff are allocated to implement these preventative measures, is ensuring that the right staff are available and have a set of directives to follow after a virus or hacking incident occurs.
After an attack, the company is clearly in a race against time to minimise damage, particularly if none of the aforementioned preventative measures have been implemented. There is no time for a company meeting to discuss what to do next; the company must act immediately.
Firstly, it must have the staff and resources on hand to restore the system as quickly as possible. If a company's IT manager is on vacation, for example, there must be an equally adept staff member on hand who is authorised to make decisions on the manager's behalf.
"It's critical that the company can quickly recognise what has been affected or damaged by the virus. Commonly, companies hit by a virus are unaware of the damage that has been done," says Miller.
A company should also be prepared to deal with customer and staff concerns, along with shareholder and press enquires if the incident is leaked and made public. According to Meta, a benchmark and research group, public exposure of an IT security breach can cause a 1.75 per cent drop in a company's share price within 48 hours.
Optus Telecommunications recently suffered an attempted hack by an ex-employee, allegedly seeking access to the telco database in an effort to alter data with malicious intent. After the breach, the share price of SingTel, Optus's parent company, dropped 10 cents in 24 hours and continued to slide to its lowest point in six months. Optus Australia flatly denied that the attempted breach was responsible for the dive -- after all, the SingTel share value is dictated by operations in approximately six countries throughout the Asia-Pacific. But while it is unlikely that the attempted hack was responsible for the full extent of the drop, an Optus spokesperson admits that, the set-up being the way it is, there is no way to definitively tell.
Optus officials agreed that companies should be prepared to keep their customers and shareholders informed once a security breach becomes public knowledge. "Legal or not, it's good practice to keep customers informed when an incident like this occurs," said an Optus spokesperson. "Customers don't expect cast-iron guarantees that nothing will break down, but when it does happen they want a speedy recovery time."
One of the difficulties resellers face when it comes to educating their customers on the importance of a contingency plan, is that most companies that have experienced a serious breach are unwilling to talk in detail about the incident. Furthermore, they don't want to reveal their recovery strategies for fear of a potential hacker pinpointing vulnerabilities to exploit.
"We have recovery and crisis strategies at our disposal, but Optus doesn't want to shout its protective technology and methodology from the rooftops. That would be a flashing light to say this is what we've got, and open us up to abuse of the system," explains the Optus spokesperson.
All the secrecy surrounding security policies makes it hard for integrators and service providers to identify a good benchmark. It also raises the question: are companies not talking because they want to protect the strategies they have in place, or are they not talking because there are no strategies and they don't want anyone to know they're exposed?
One industry pundit suggests that the old 'it all comes out in the wash' cliché might be the best way to sort the sheep from the wolves. "Look at the quality of their product, whether it's goods or services, and their performance and customer satisfaction levels," he says. "No business will sustain a high level across all these areas without a strong backend to support it."
For proactive suppliers, an examination of these aspects might very well point the way to opportunities for contingency planning.
Seven-step contingency plan
1. Treat AV and security like an insurance policy. Don't wait to check that you are sufficiently covered when you need to make a claim.
2. Know up-front where to go for information, advice and tools.
3. Have automated procedures in place that cover AV updates.
4. Have backup images available so that PCs can be quickly rebuilt should the worst occur.
5. Force users to save important documents to the file servers and not to their local hard drives (unless they are also backed up regularly).
6. Check security access rights on the file server. Don't give all users write access to areas on the server unless it is necessary.
7. Check security access rights on the PCs, especially file shares. These allow many viruses to spread so should only be configured for use where they are actually required.
Inside Australian companies
94% reported computer viruses.
92% reported employee abuse of Internet access.
48% reported attacks from outside.
38% reported denial-of-service attacks.
Source: 2001 Computer Security Institute report.
Top 6 AV products
Symantec Norton AntiVirus 2002.
Network Associates Virusscan 6.0.
Symantec Norton AntiVirus 2001.
Trend Micro PC-Cillin 2000.
Network Associates Virusscan 6.0 Pro.
Computer Associates VET Anti Virus Prem.
Source: Inform, for the week ending Feb 3.
This feature appears in this week's issue of ARN (March 13), out now.