Story URL: http://comment.silicon.com/0,39024711,10006334,00.htm
Through the Fog: Who should protect you from viruses?
Take a second not to blame hackers, Microsoft or the guy down in IT - the answer could be closer to home
By Quocirca
Published: Wednesday 08 October 2003
Quocirca analyst Dale Vile considers some of the weaknesses of traditional protection from malware...
Computer viruses are nothing new. They have been causing irritation and in some cases devastation for many years. Yet we sometimes seem as far away from controlling the problem as ever.
Is this because Microsoft is too busy making money to take the problem seriously enough?
Is it that those would-be champions from the security software vendors are slacking?
Or is it because all of us users out here are stupid enough to keep clicking on those dodgy email attachments?
In order to look at the problem objectively, we need to understand the nature of the beast that is continually threatening us. It is easy to conjure up images of greasy-haired anarchists sitting in their bedrooms manically hacking out code. The people responsible for the more successful viruses, however, may better be described as a well-disciplined community that applies rigorous collaborative software development and roll out techniques to achieve an effective result.
It could even be argued that a lot of IT departments in the corporate world would benefit greatly if they could emulate the talent, creativity and determination exhibited by the "hacker" community.
But let’s not get too carried away. This community of virus authors is responsible for an awful lot of disruption, financial loss and human misery. As far as the greater population of computer users is concerned, they are definitely the bad guys.
Nevertheless, just as in the sphere of legitimate systems software, technology and techniques used in the virus development world are constantly evolving. This can only be kept in check by continuous evolution of defences by the good guys along with responsible, informed action on the part of us targets. Unfortunately, there are a number of problems that exist within the triangle of dependencies that has virus authors at the first corner, users at the second and the software industry at the third.
The first problem is that organisations are typically unaware of much of the equipment attached to their network, despite the presence of systems management and monitoring tools. Why is this important? Because you can only protect what you know exists, and uncontrolled machines quickly become easy targets for attack. But even when the existence of machines is known, too many organisations still leave themselves open by assuming that protecting the corporate network is all that's needed. Many machines, notebook PCs in particular, now regularly leave the protective corporate cocoon and promiscuously connect to other networks out there in the big wide world: an open internet link on a domestic ADSL line, an ad hoc wireless network set up naively on the fly, or even hotspot services from an untrusted ISP.
If machines are used in this way without the proper protection there is no knowing what they might pick up and bring back with them to the corporate network. It’s a bit like having sex without a condom, contracting some nasty disease, then coming home and infecting your spouse. Not a nice thought but a pretty effective analogy.
In the case of our notebooks, the metaphorical condom takes the form of a well configured personal firewall and effective up-to-date anti-virus software. But how many notebooks have both of these components installed, let alone properly maintained?
Misunderstandings about the routes viruses exploit to penetrate an organisation are also very common. Given the way stories are reported in the press, it is understandable that people often focus on just email when considering virus protection. After all, once into the corporate email system, a virus can quickly bring a business to its knees.
While taking steps to safeguard against email-borne viruses is important, it is also critical to appreciate that many attacks nowadays are 'blended', meaning that the virus will persist in trying alternative entry points - such as directly open TCP/IP ports - until it finds a way in. Such 'burrowing' viruses are often called worms. Just because an infection spreads rapidly via the email system doesn't necessarily mean it originally entered in that way.
Much of the exposure businesses face is therefore as a result of not being aware of the nature of the threat and the kind of issues discussed here. All too commonly a company may block one route effectively but leave others wide open. As commonly, however, it is a case of not having adequate procedures and controls in place. Anti-virus software can only do its job if it is kept up to date with the latest virus signatures. Firewalls eventually become ineffective if they are progressively opened up over the course of time as users request access via additional ports to run their favourite application or service.
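The three gaps just described (machines that nobody knows about, roaming notebooks without a personal firewall or current anti-virus, and firewall rule sets that creep open port by port) are all things an organisation can audit mechanically. The following is an added example, not code from the article or from Quocirca: the endpoint records, the list of hosts "seen on the wire" and the policy thresholds are constructed for the demonstration, and field names such as `roams` and `sig_age_hours` are assumptions.

```python
"""Endpoint posture audit for the gaps described above.

Added example, not Quocirca's or silicon.com's code. Every record and
threshold here is constructed; the policy numbers are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

SIGNATURE_MAX_AGE_HOURS = 24        # assumed policy: AV signatures refreshed at least daily
ALLOWED_INBOUND_PORTS = {80, 443}   # assumed baseline of inbound ports a workstation may expose


@dataclass
class Endpoint:
    name: str
    roams: bool                      # leaves the corporate network (home ADSL, hotspots, ad hoc Wi-Fi)
    firewall_on: bool                # personal firewall present and enabled
    av_installed: bool
    sig_age_hours: float             # hours since the last signature update
    open_inbound_ports: List[int] = field(default_factory=list)


def audit(endpoint: Endpoint) -> List[str]:
    """Return the policy findings for one inventoried endpoint (empty list == compliant)."""
    findings: List[str] = []
    if endpoint.roams and not endpoint.firewall_on:
        findings.append("roaming machine without a personal firewall")
    if not endpoint.av_installed:
        findings.append("no anti-virus installed")
    elif endpoint.sig_age_hours > SIGNATURE_MAX_AGE_HOURS:
        findings.append(f"anti-virus signatures stale ({endpoint.sig_age_hours:.0f} h old)")
    # Firewall creep: any inbound port opened beyond the agreed baseline.
    extra = sorted(set(endpoint.open_inbound_ports) - ALLOWED_INBOUND_PORTS)
    if extra:
        findings.append(f"firewall creep: inbound ports beyond baseline {extra}")
    return findings


def audit_fleet(endpoints: List[Endpoint], observed_hosts: List[str]) -> Dict[str, List[str]]:
    """Audit the inventory, then flag hosts observed on the network that the inventory lacks.

    'observed_hosts' stands in for whatever a network scan or switch table reports;
    the point is that a host absent from the inventory cannot be protected at all.
    """
    report = {e.name: audit(e) for e in endpoints}
    known = {e.name for e in endpoints}
    for host in observed_hosts:
        if host not in known:
            report[host] = ["seen on network but absent from inventory"]
    return report


# Constructed sample inventory (not real machines).
SAMPLE_ENDPOINTS = [
    Endpoint("desk-017", roams=False, firewall_on=True, av_installed=True, sig_age_hours=6),
    Endpoint("nb-042", roams=True, firewall_on=False, av_installed=True, sig_age_hours=80),
    Endpoint("nb-108", roams=True, firewall_on=True, av_installed=True, sig_age_hours=2,
             open_inbound_ports=[80, 443, 1433]),
    Endpoint("desk-033", roams=False, firewall_on=True, av_installed=True, sig_age_hours=30),
]
# Constructed list of hosts seen on the wire; 'lab-box-unknown' is not in the inventory.
OBSERVED_HOSTS = ["desk-017", "nb-042", "nb-108", "desk-033", "lab-box-unknown"]


if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_ENDPOINTS, OBSERVED_HOSTS).items():
        print(host, "->", findings or "compliant")
```

The report is deliberately per-host rather than a single pass/fail figure: the column's point is that one blocked route and one open one add up to an exposure, so the auditor has to show which control is missing on which machine.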
As well as businesses needing to smarten up their act, security solution companies need to continually develop their solutions to keep up with emergence of new threats. A recent interview with Lee Fisher, technical solutions director at Network Associates, highlighted the phenomenon of 'flash attacks'. These are extremely well planned and organised initiatives in which the virus authors pre-identify a few hundred thousand seed machines confirmed to have the necessary vulnerability. They are then able to launch the attack hitting all of the targets simultaneously to achieve almost immediate critical mass. From there, the infection can spread to millions in an hour or two.
What's frightening is that it takes up to 2.5 hours for a vendor like Network Associates to prepare and test a signature to block a new virus. Traditional filtering techniques are therefore inadequate to halt some of the new types of threat emerging. The next generation of virus protection software has to work more on the basis of real-time behavioural analysis, identifying threats by the suspicious system activity they cause. Rather than simply raising an alert, it also needs to isolate or neutralise the threat proactively.
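One concrete form of the behavioural analysis the column calls for is to watch what a host does on the network rather than what its files look like: a worm sweeping a subnet for an open port produces a fan-out pattern no signature is needed to recognise, and the detector can respond by isolating the host instead of only raising an alert. The following is an added example, not code from the article or from Network Associates; the connection events, the window and threshold, and the "isolate"/"drop" actions are constructed assumptions.

```python
"""Behaviour-based detection of worm-like scanning, with an isolation response.

Added example, not code from the article or any vendor. The event stream,
the sliding window, the fan-out threshold and the response actions are all
constructed assumptions for the demonstration.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

WINDOW_SECONDS = 60.0     # assumed sliding window over recent connection attempts
FANOUT_THRESHOLD = 25     # assumed: distinct destinations on one port within the window
# Rationale: an ordinary client talks to a handful of servers repeatedly; a worm
# probing one service port tries a new host every second or faster.


class FanoutDetector:
    """Tracks, per (source, destination port), how many distinct hosts were contacted recently."""

    def __init__(self, window: float = WINDOW_SECONDS, threshold: int = FANOUT_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self._hist: Dict[Tuple[str, int], Deque[Tuple[float, str]]] = defaultdict(deque)
        self.isolated: set = set()

    def observe(self, ts: float, src: str, dst: str, dport: int) -> Optional[str]:
        """Feed one outbound connection attempt; return 'isolate', 'drop' or None."""
        if src in self.isolated:
            return "drop"                       # already quarantined: block without re-evaluating
        history = self._hist[(src, dport)]
        history.append((ts, dst))
        while history and ts - history[0][0] > self.window:
            history.popleft()                   # expire attempts older than the window
        distinct_targets = {d for _, d in history}
        if len(distinct_targets) >= self.threshold:
            self.isolated.add(src)              # proactive response, not just an alert
            return "isolate"
        return None


def constructed_events() -> List[Tuple[float, str, str, int]]:
    """Constructed traffic: one normal client plus one host sweeping a /24 on TCP 135."""
    events: List[Tuple[float, str, str, int]] = []
    for i in range(40):                         # normal user: same mail and web servers, repeatedly
        events.append((i * 1.5, "10.0.1.20", "10.0.0.5", 25))
        events.append((i * 1.5 + 0.5, "10.0.1.20", "10.0.0.8", 80))
    for i in range(60):                         # worm-like host: a new target every second
        events.append((float(i), "10.0.1.77", f"10.0.5.{i + 1}", 135))
    events.sort()
    return events


def run(events: List[Tuple[float, str, str, int]]) -> Dict[str, List[Tuple[float, str]]]:
    """Replay events through the detector; return the actions taken per source host."""
    detector = FanoutDetector()
    actions: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for ts, src, dst, dport in events:
        action = detector.observe(ts, src, dst, dport)
        if action:
            actions[src].append((ts, action))
    return dict(actions)


if __name__ == "__main__":
    for host, taken in run(constructed_events()).items():
        print(host, "first action:", taken[0], "total actions:", len(taken))
```

The detector fires 24 seconds into the sweep, well inside the 2.5-hour signature window the column cites, and it never fires for the client that keeps reconnecting to the same two servers, because the rule counts distinct targets rather than raw connection volume. The threshold and window are the tuning knobs a real deployment would set from observed baselines.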
The bottom line is that it is not enough to simply point the finger at Microsoft. The dynamics of the software space mean there will always be vulnerabilities appearing and new kinds of threats to exploit them. The availability of condoms doesn’t stop some practicing unsafe sex and existence of security solutions doesn’t, in itself, stop computer viruses. There are a lot of nasties out there and companies, just like individuals, must take responsibility for their own safety.
Quocirca is a leading, user-facing analyst house known for its focus on the 'big picture'. For a full summary of its activities see www.quocirca.com, or reach the company's founding directors by emailing quocirca@silicon.com.