Information Today
Volume 18, Issue 2 — February 2001
• The Systems Librarian •
A Prescription for Computer Health
Here's the way to develop an effective antivirus strategy for networks
by Marshall Breeding

As I reflect on the state of computing over the past year, one of the most striking concerns involves the amount of time that my colleagues and I have had to spend in protecting the computers in our libraries. We've expended numerous resources to combat viruses and protect our systems from hackers--the number of actual attacks has been alarming. But our efforts have paid off. We finished the year with little to no damage to our computer systems. Read on to learn more about how to develop a successful strategy for computing in an increasingly dangerous world.
 

What We're Up Against
I believe it's safe to say that computers are under attack, now more than ever. As they've become more powerful, well-connected, and capable of performing useful tasks, they've also become more desirable targets and more efficient instruments for transmitting hackers' wares. The current generation of desktop PCs has taken on many characteristics previously held only by servers: powerful, multitasking operating systems, high-speed network connections, and access to the Internet. While we appreciate the tremendous computing power at our disposal, we must also be aware of the vulnerabilities.

Computer viruses earned their name because they resemble the biological ones in many ways. Like a bad cold, they have the ability to move from one victim to the next. The more a computer remains isolated, the less likely it will be infected. Most viruses can replicate--a single copy of malicious program code can eventually infect thousands of other computers by making copies of itself on other host systems. Just like their biological counterparts, computer viruses can attack their hosts, often in vicious ways. They can delete files and damage critical system components. Data can be lost and systems can be rendered unusable. Viruses that remain static and unchanged can be identified, and cures or vaccines can be devised. Unfortunately, many computer viruses have been programmed to mutate--to change their behavior and markings just enough to make them difficult to identify and eradicate.

Computer viruses have steadily become more sophisticated over the years. The first generation involved file viruses that were most often transmitted through diskettes. Most of these viruses could only be transmitted or activated if the user booted from the disk or ran a particular program. Hackers soon discovered that the boot sector on a diskette or hard drive is a convenient means to store and transmit viruses. While these file and boot-sector viruses were troublesome enough in their day, they spread at a fairly slow pace. Such viruses were also platform-specific. Since they invaded executable files, they targeted only one platform at a time: Windows, Macintosh, or UNIX. Windows seemed to be the one most favored.

The current generation of viruses spreads more rapidly and finds a much wider range of victims. While the early viruses depended on "sneakernet" (the process of carrying floppy disks from one machine to another to exchange information when you don't have a network) to propagate, the modern ones take advantage of e-mail and other networked systems. A typical virus will insert itself into a computer's e-mail program, exploit any available address book, and send itself to all known recipients. Victims are no longer limited to a single type of computer platform, as many applications have macro languages that operate across computer types. Microsoft Word, for example, has a macro language that functions under both Macintosh and Windows operating systems. Malicious macros can equally attack either system. The presence of scripting languages is also a great boon for the virus creator. A computer with Visual Basic or Windows Script Host offers a powerful tool, not only for its own user, but also for intruders.
 

Taking Defensive Measures
Although we recognize that our computing world has become increasingly dangerous, the tools to combat these ills have also become more effective. The antivirus software market has become a booming industry--one that's dominated by a small number of large corporations. And don't expect a free ride--antivirus software will require a modest investment of both money and time. You'll need to invest proportionately to the complexity of your computing environment.

Whether your network is large or small, the best way to ensure its safety against the current and next generation of computer viruses is to implement multiple layers of protection. These layers involve both human and technical components. In many ways, the human aspects are the most important.
 

Layer One: User Training
Most--but unfortunately not all--computer viruses require some sort of human intervention in order to spread, activate, or attack. Computer users must be trained to understand the warning signs of potential viruses and to avoid the actions that trigger infection and attack.

The great majority of recent viruses spread through e-mail attachments. While e-mail attachments serve useful purposes, they should be used sparingly and cautiously. One of the rules of thumb I follow is to open attachments only when I'm expecting a document or related material from a specific individual. It's also unwise to open attachments that are executable programs or scripts. Your mail program should show you each attachment's file type. Launching ones that end in .vbs or .exe could be harmful to your computer's health. Also avoid attachments sent through listservs. It's impolite to send an unsolicited attachment to a listserv, and most listservs are configured to automatically strip submissions of attachments anyway.

Be skeptical of any program you might plan to install on your computer and obtain software only from reliable sources. Don't assume that every game, utility, or screen saver on the Internet is virus-free.

Be very cautious of diskettes. My recent experience is that a significant percentage of the diskettes I encounter have boot-sector or file viruses on them. While the use of diskettes is waning due to their limited storage capacity, the same concerns theoretically apply to Zip disks and CD-Recordable (CD-R) discs.
 

Layer Two: Antivirus Software for PCs
All personal computers should be equipped with professional-quality, up-to-date antivirus software. Some of the features you should look for include the following:

  • The ability to detect the signatures of all known viruses--There are some 50,000 known viruses, and the number is growing. Antivirus software must be comprehensive in its ability to detect them.
  • Automatic update of virus signatures--New viruses can spread worldwide in days, if not hours. It's vital that your antivirus software be updated frequently. Most offer the ability to take advantage of the computer's Internet connection to retrieve new virus signatures daily.
  • Automatic inspection of all files as they're accessed by your computer--Whether the file is loaded from the local hard drive or from the network, the antivirus software should check it for viruses before it's executed. Unfortunately, there's a performance penalty associated with this activity since the antivirus software pre-empts the operating system for each task that involves file access.
  • Automatic and on-demand scanning of all removable media (e.g., diskettes, Zip disks, and CD-R discs)
  • Regular, scheduled scanning of all files on each hard drive--While the active inspection features should catch any viruses before they're written to your hard drive, it's still wise to perform comprehensive scans of all your disks regularly.
You can expect to pay from $15 to $30 per computer for most of the commercial antivirus packages. Some are free for personal use, but these will likely come with advertising requirements.

Most of these workstation-level antivirus applications are configured by default to automatically activate each time the computer starts. It's possible, however, for the software to become unloaded without the user being especially aware of it. While computer administrators may believe they've installed antivirus software on each computer in their charge, they should regularly check to ensure that this software has not been accidentally disabled.
 

Layer Three: E-Mail Scanners
Most of the current viruses, as noted above, are transmitted through e-mails. Eliminating this path will drastically reduce the number of viruses that might infect your network. There are a number of products now available that inspect mail messages as they pass through a mail server to ensure that they're free of all known viruses. These scanners have the ability to process all incoming and outgoing messages.
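As an added illustration (not code from the article or from any product it names), the following Python applies the attachment rule of thumb from Layer One as a mail-gateway check of the kind Layer Three describes: it parses a raw message, lists its attachments, and flags any whose final extension marks executable or script content such as .exe or .vbs, including double-extension names like minutes.doc.vbs. The block list and the sample message are constructed for the example.

```python
# Added example (not from the article or any product it names): a mail-gateway
# style attachment policy check. It parses a raw message, lists the attachments
# and flags any whose final extension marks executable or script content, which
# also catches double-extension names such as minutes.doc.vbs.
import email
from email import policy
# Extensions treated as executable content. The set is this example's own
# choice; an organization would maintain its own list.
BLOCKED_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js", ".wsh", ".shs"}

def attachment_names(raw_message):
    # Everything that is not a body candidate (the first text/plain or text/html part).
    msg = email.message_from_string(raw_message, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]

def is_blocked(filename):
    # Only the final extension counts, after trimming whitespace and case.
    name = filename.strip().lower()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in BLOCKED_EXTENSIONS

def check_message(raw_message):
    # Returns the attachment list, the offending names and a quarantine decision.
    names = attachment_names(raw_message)
    flagged = [n for n in names if is_blocked(n)]
    return {"attachments": names, "flagged": flagged, "quarantine": bool(flagged)}

# Constructed sample message: one document plus a script hiding behind a double extension.
SAMPLE_MESSAGE = """\
MIME-Version: 1.0
Subject: Meeting minutes
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Minutes attached.
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="minutes.doc"

(document bytes omitted)
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="minutes.doc.vbs"

' script body omitted
--b1--
"""
```

A real gateway would also inspect the content rather than trust the name, but the extension check alone stops the plain .vbs and .exe attachments the article warns about.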

The emergence of e-mail as a favored distribution medium for viruses has made many organizations reconsider how they organize their e-mail services. The trend now favors centralized, industrial-strength e-mail servers that are well-secured. It's becoming less tenable for smaller departments to maintain their own mail servers given the current security concerns.

At Vanderbilt University, we've implemented Trend Micro's mail-scanning software on all our mail servers. While the university is working toward a single, enterprisewide e-mail system, its individual colleges--as well as our library--still operate separate e-mail systems. All the mail systems are equipped with the Trend Micro software, which intercepts many hundreds of viruses each month. This layer has, by far, made the largest impact on reducing the number of viruses that are seen on desktop computers. It's extremely rare now for the workstation-level antivirus software to catch a virus.
 

Layer Four: Antivirus Software for Servers
Most organizations rely on file servers to store critical institutional data. These NetWare, NT, or UNIX servers need to be part of an organization's antivirus strategy. Just as workstation-level antivirus software can check each file as it's accessed by its user, there are server applications that can inspect any file accessed by any user. It's also wise to regularly scan entire network disk volumes with antivirus software. While the real-time inspection of network files can degrade server performance, comprehensive scans can be scheduled at off-hours.

If the organization has implemented antivirus software on its e-mail system and on all of its desktop computers, then it should be extremely rare for a virus to make its way to a network server. But a lapse on a single computer could open the door for a potentially widespread infection on a network server. Therefore, it's still important to have this layer in place.
 

Layer Five: Personal Firewalls
A new genre of security software has emerged in the last couple of years that adds yet another layer of security for computer users. Most organizations have implemented firewalls that inspect and filter network traffic as it enters their network from the Internet. Some have additional firewalls that secure sensitive parts of their internal networks. Personal firewall software is now available that can be installed on each workstation or server in a network. This software will monitor the computer's network port and allow only a specified type of network access.

Especially on any computer that operates as a server, personal firewalls add an important level of protection, catching any attacks that may have been missed by the institutional firewall. Given that desktop computers have server-like capabilities, it's becoming more common for personal firewalls to be implemented on these computers as well. A personal firewall doesn't do all that much to intercept viruses, but it offers protection from hackers and worms, which are just as important to resist.

One of the techniques used by hackers to identify computers that they may attempt to attack involves scanning the entire network address space of an organization port by port to see which computers answer. Each computer that answers is a potential victim. A good personal firewall will make your computer invisible to these port scans.
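Added example, not from the article: a small detector for the port scans described above, run over constructed firewall log lines in a format invented for this example. It reports a source that probes many ports on one host, or the same port across many hosts, within a short window, which is what a personal firewall's log shows even while the host itself stays silent to the scanner.

```python
# Added example (not from the article): detects the port scans described above in
# constructed firewall log lines. A source probing many ports on one host (vertical
# scan) or one port on many hosts (sweep) inside a short window is reported.
import re
from collections import defaultdict
from datetime import datetime, timedelta
# The log line format is this example's own, not any firewall product's.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \w+ "
                     r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")

def parse_line(line):
    # Returns a dict for a matching line, None for anything in another format.
    m = LINE_RE.match(line.strip())
    return m and {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                  "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}

def detect_scans(lines, window=timedelta(seconds=60), threshold=5):
    # Returns {source_ip: reason} for sources whose attempts within `window` reach
    # >= threshold distinct ports on one host, or one port on >= threshold hosts.
    by_src = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_src[event["src"]].append(event)
    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):   # slide the window over each start event
            ports_on_host, hosts_on_port = defaultdict(set), defaultdict(set)
            for e in events[i:]:
                if e["ts"] - first["ts"] > window:
                    break
                ports_on_host[e["dst"]].add(e["dport"])
                hosts_on_port[e["dport"]].add(e["dst"])
            for dst, ports in ports_on_host.items():
                if len(ports) >= threshold:
                    alerts[src] = f"{len(ports)} ports probed on {dst}"
            for port, hosts in hosts_on_port.items():
                if len(hosts) >= threshold:
                    alerts[src] = f"port {port} probed on {len(hosts)} hosts"
            if src in alerts:
                break
    return alerts

# Constructed sample: a vertical scan, a sweep, one benign connection, one unrelated line.
SAMPLE_LOG = (
    [f"2001-02-05 09:00:0{i} DROP src=10.9.9.9 dst=192.168.1.10 dport={p}"
     for i, p in enumerate([21, 22, 23, 25, 80])]
    + [f"2001-02-05 09:05:0{i} DROP src=10.8.8.8 dst=192.168.1.{10 + i} dport=139"
       for i in range(5)]
    + ["2001-02-05 09:10:00 ACCEPT src=10.1.1.5 dst=192.168.1.20 dport=80",
       "kernel: eth0 link up"])
```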
 

Finally, Avoid Complacency
Network security is a never-ending task. Even if you have implemented a multilayer approach such as I've described, it's important to regularly review your strategy. Viruses' behavior can change abruptly. As any systematic vulnerability becomes known and publicized, there'll be those who'll be quick to exploit it. Today, e-mail seems to be the favored inroad, but it's very likely that Web browsers will be the next favored target for attack. Never let down your guard. We live in a dangerous world.
 
 

Marshall Breeding is the technology analyst at Vanderbilt University's Heard Library and is a writer and speaker on library technology issues. His e-mail address is breeding@library.vanderbilt.edu.

© 2001 Information Today, Inc.