This past year the dangerous trend of shrouding viruses in social engineering techniques resulted in a trying year for network administrators. However, there are lessons to be learned from 2003 that you can take into 2004.
When I look back at the past 12 months, it occurs to me that some common themes keep appearing. I begin to wonder about what the CSI/FBI survey for 2004 will look like when it's released next spring. Certainly there has been discovered many flaws and holes in various applications, but overall two things stood out: viruses continued to breed and social engineering had reached new, unprepared audiences.
2003 reached new heights in the destructiveness of viruses and it highlighted how the primary method of dealing with viruses today simply isn't working.
The CSI/FBI survey of the past year indicated that about 98% of respondents had implemented anti-virus software as a security measure. If that's the case then why did a virus/worm like Slammer (Sapphire) have such a devastating effect and bring the Internet to a near halt? And how do we still end up with propagated emails everyday?
Well, in Slammer's case, the propagation method caused the problem, which leads one to think that the firewall setup is the issue. Allowing for certain ports to be open and available to the Internet invites trouble. And it's not just to protect from Internet attacks but also to stem the flow of "malicious" or unwanted traffic from the Intranet to the Internet. Administrators cannot solely rely on anti-virus software to solve their security and virus problems.
Administrators need to limit where and how often users go out to the Internet. In many work settings, there rarely exists a need to instant message, send/receive personal email, Web surfing, etc. In fact, few employees truly need access to the Internet, beyond work email.
While this may seem like a harsh reality, it nonetheless needs to be advocated more often. Users are often unaware of the dangers present at the many places they visit online, and admins are often too overworked to check every site users visit. A stricter Internet access policy is the way to go.
Besides Slammer, 2003 saw a bevy of other viruses, probably the best bumper crop — so to speak — since the days of "I love you." Bugbear, Blaster, Sobig and Swen made headlines. In fact, they introduced a bold new twist: spoof the source address to mimic that of a legitimate e-mail.
It's surprising that no one thought of this before. Even more surprising is that users truly believed that Microsoft and others would demonstrate such diligence and take it upon themselves to e-mail users with "fixes" to their computer problems. Not surprisingly, these viruses made the rounds (and still do today). And yet, we see that 98% of companies have installed anti-virus software.
Page 2: Blameless Administrators?
Indeed, it appears that home users are mostly to blame for propagating this. Perhaps, but I think there are greater dangers at the enterprise level. One company I work with has a problem involving propagating emails. Within any given day, the typical user receives 10-20 emails all due to a virus (at present, Klez and Yaha variants seem to send the most email).
When the IT department — and specifically, the Mail Admin — was asked to do something about it, the reply was "that all users have anti-virus, shouldn't double-click on attachments and should set up filters using Outlook so they wouldn't have to see the e-mails come in".
This is a poor way of dealing with this issue. Users are not computer experts. Administrators and tech support staff are. Users have been trained to perform their jobs and to generally believe, for the most part, that whatever hails from the Internet is a valid form of communication and thusly must be true.
The expectation that users should inherently be able to protect themselves do this is an incorrect one and one that I believe will continue to result in the continued spread of viruses. Rather than being reactive, perhaps it might be worthwhile for administrators to be proactive.
One technique that isn't reviewed or discussed often is virus walls. There aren't many manufacturers of this type of product but it does exist. A virus wall is similar to a firewall in that it examines packets as they travel back and forth between networks. The difference is that a virus wall will put packets together and examine them for virus signatures. Clearswift's MIMEsweeper, Trendmicro's Interscan, or Mcafee's Web Shield appliances are all options available to deal with viruses on the fly rather than relying on users to deal with them.
There are, unfortunately, still things that get through. Swen introduced an element of social engineering that hadn't been seen in viruses before. By pretending to be a legitimate company, the virus writer gave users a reason to want to click on the attachment. Social engineering has subsequently seen an increase in its use for spam messages.
What is worse is that there are many messages that get users to respond by putting in personal information like credit card information, phone, address, SSN, SIN, etc. or, in a recent example, cause users to flood the victim company with complaint phone calls. While users aren't expected to be that technically inclined, it is still worthwhile to educate them on the dangers of the Internet and that not everything that resides there is safe.
Some tricks to help admins and users deal with spam and viruses:
- Avoid using Outlook if possible. Many viruses are dependent on the integration that is offered by Outlook and Microsoft OS platforms
- Turn off the ability to view emails in a preview pane. Although it takes a few extra seconds to double-click and open an email, it does avoid some problems that are often found with anti-virus checking and preview pane options
- Turn off HTML email (receipt and sending of). HTML emails hide some of the social engineering techniques used spammers and virus authors (last time I checked, Microsoft.com was headquartered in the US, not Russia).
- Be vigilant. The Internet is home to many truths, but as 2003 has shown, it's a breeding ground for lies. Users should take everything that's deposited into their inboxes with a grain of salt.
Perhaps 2004 won't be as fraught with as many security woes as 2003 was. One can only hope.
Feature courtesy of Enterprise IT Planet.