Reproduced with permission from IBM Copyright (1999)
by International Business Machines Corporation.
As Dr Richard Ford pointed out in his article "I'm protected, Right?", published in Antivirus Online in December 1996, there appears to be an overwhelming misconception of what viruses are, how viruses spread, and how to protect a given computer from an infection. In addition, there is a misconception that an anti-virus product will protect a given computer from all viruses (known and unknown) once the product is installed. These misconceptions extend well beyond the salesperson in the computer software department - they truly extend to many others in the information age, including technical support, system administration, and, of course, computer users.
Having worked in several technical support and virus response environments, I have come to the conclusion that the adage 'an ounce of prevention is worth a pound of cure' has gone unrealized in many organizations when it comes to computer viruses. In many instances, I have noticed that organizations will implement incident response capabilities that address computer virus infections. However, the response is limited to containing, repairing, and reporting an infection, with little or no emphasis on preventing the infection aside from the installation of an anti-virus product.
The virus threat
Given the current state of technology and the vast number of viruses, growing at a rate of about six new viruses per day, virtually any computer that is switched on is at risk of exposure to a computer virus. Whether the infected files arrive by download from a bulletin board or Internet service, on shared diskettes, as electronic mail attachments, or from an infected server, the threat and prevalence of virus exposure are real.
Once a computer is exposed to a virus, it has the potential to become infected and to pass the infection on to other computers and electronic storage media. Responding to an infection is costly whether the infection is large or small. The costs go beyond the obvious items of removing the virus and restoring software and data to include such things as lost productivity due to redevelopment, investigations, speculations, misconceptions, and gossiping. With organizational realities such as outsourcing and downsizing, it becomes even more important to keep incident response costs and occurrences down and what better way than to invest in the prevention of infections.
Implementing an incident response capability that includes prevention entails the cooperation and participation of all computer users, whether technical experts or not. Like any security measure, virus prevention is only as effective as its weakest element, usually the people. If only one person ignores the prevention lessons, viruses infect, spread, and epidemics can result. The following 'lessons' are based upon observations I have made in various virus response environments. By incorporating these lessons into virus response initiatives, many infections can be prevented and the damage caused by infections can be minimized.
Lesson 1: Anti-virus software is not optional
Like smoke detectors for your home, anti-virus software should not be optional in this age of interconnectivity. After all, virus infections are much like small 'fires' within an organization. With the right conditions, these small ‘fires’ can flare into raging infernos which consume several servers, network connections, and diskettes - even consumer products. Without anti-virus software installed and active, virus exposures which could have been detected become virus infections. It should be common practice and/or organizational policy for anti-virus software to be installed, kept active and kept current on all computers at risk. Not keeping the anti-virus software current is like having that smoke detector installed with no batteries. While anti-virus software is not fail-safe and other protective measures can and should be used, it does afford some level of protection. But a false sense of protection is worse than no protection at all.
Lesson 2: Write-protect all system & software diskettes using the write-protect tab
Even with a smoke detector installed, people generally do not leave a fire smouldering just to see if the detector is working. Other protective measures are used to ensure safety. Write-protecting system and software diskettes is one of those measures for preventing the spread of a virus infection. Setting the write-protect tab prevents viruses from being written to those sensitive or critical system disks. It also implies that data should be stored on separate diskettes from programs and applications, so that the tab never has to be removed in order to save data files to the same diskette.
To my knowledge there are currently no viruses with robotic capabilities which can reach out and switch the write-protect tab. Of course, write-protection only prevents a diskette from being infected provided that the drive hardware honours the tab and is working properly; the protection is enforced by the drive rather than by software, which is exactly why a virus cannot override it.
Lesson 3: Remove the burden of detection from the user
Having anti-virus software available is not always enough. Many times anti-virus software is disabled because it is perceived (real or imaginary) as hindering the use of the computer. As such, it is imperative that care be taken in selecting the best anti-virus product for a given environment.
Correct configuration of the anti-virus software is crucial to the prevention of infections. The more autonomous the anti-virus product (and prevention technique) is, the less the prevention depends on people. I have been in several environments where users are instructed to take diskettes to a specific workstation in a central location to scan for viruses before using them. Let's be realistic: the chance that every person will take the time to do this prior to using the diskette in an unprotected computer is slim. Not to mention that the scanning workstation might be infected itself. The whole notion is contrary to productivity and leads to careless habits. Configuring an anti-virus product to be active on all computers and to scan diskettes on access is one example of a way to ensure that viruses on diskettes are detected before they become an infection.
Lesson 4: Change the system configuration
In the July 1997 WildList, compiled and published by Joe Wells, seven of the top ten most widely reported viruses in the wild were still boot sector viruses. Since boot sector viruses spread to computers through the boot (successful or not) of the system from an infected diskette, it seems natural that preventing that process from occurring would have a dramatic effect on the ability of boot sector viruses to infect computers.
Changing the boot sequence in the system CMOS configuration so that the hard drive is tried before the diskette drive provides such an effect. If the computer never boots from the diskette drive, a boot sector virus will not get the opportunity to infect the computer during an accidental or deliberate reboot while a diskette is still in the drive, such as after a power outage, a system lock-up, etc. Note that anyone with access to the CMOS setup can change the setting back, so where the hardware supports a setup password it should be used to protect the boot sequence.
In fact, given that a large portion of the personal computers and workstations purchased commercially come with the system software and much more already installed, there is little reason why the factory default for new systems cannot be set to booting from the hard drive first. Making this simple change can prevent infections from many of the most prevalent viruses.
Lesson 5: Practice least privilege
There is one characteristic of viruses that many people seem to forget - viruses can only do what the user who executes them can do, at least from an access control perspective. Besides being an excellent security practice, granting users least privilege to files and directories can prevent virus infections as well as limiting their spread and resulting damage. System administrators in particular need to be reminded of this characteristic. It is imperative for system administrators to have a non-privileged account for doing normal, daily activities. In addition, users should only be granted write privileges to those areas that are necessary. This prevents a virus launched under a particular user account from having write access to every file on a disk, server, or network.
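The access-control argument above can be made concrete with a small propagation model. The following is an added example, not code from the article or from IBM: it simulates a file-infecting virus on a shared machine where every executable has a set of accounts allowed to write it, and a virus resident in an infected file runs with the privileges of whoever executes that file. All account names, paths, permissions and the "who runs what" schedule are constructed for the illustration; the `spread` function and the two directory layouts are assumptions made here, not a description of any real system.

```python
"""Simulated spread of a file-infecting virus under two permission layouts.

Constructed model (not from the article): executables are keyed by path,
each mapped to the set of accounts permitted to write it. The virus,
when executed by an account, copies itself into every executable that
account can write (discretionary access control: the virus can only do
what the executing user can do). Any account that later runs an infected
file spreads it further with that account's privileges.
"""
from collections import deque

# Constructed paths for a 1990s DOS/Windows workstation with a shared tools dir.
ALICE_GAME = r"C:\USERS\ALICE\GAME.EXE"
SHARED_REPORT = r"C:\TOOLS\REPORT.EXE"


def build_world(shared_tool_writers):
    """Return {path: set_of_accounts_allowed_to_write}.

    'admin' can write everywhere; 'alice' and 'bob' own only their own
    directories. The shared tool's writer set is the one thing that differs
    between the 'sloppy' and 'least privilege' layouts.
    """
    return {
        r"C:\DOS\COMMAND.COM":       {"admin"},
        r"C:\WINDOWS\WIN.COM":       {"admin"},
        r"C:\NET\LOGIN.EXE":         {"admin"},
        SHARED_REPORT:               set(shared_tool_writers),
        r"C:\USERS\ALICE\WP.EXE":    {"alice", "admin"},
        ALICE_GAME:                  {"alice", "admin"},
        r"C:\USERS\BOB\CALC.EXE":    {"bob", "admin"},
    }


# Constructed daily usage: which programs each account executes.
RUNS = {
    "alice": [ALICE_GAME, SHARED_REPORT, r"C:\USERS\ALICE\WP.EXE"],
    "bob":   [r"C:\USERS\BOB\CALC.EXE", SHARED_REPORT],
    "admin": [SHARED_REPORT, r"C:\NET\LOGIN.EXE"],
}


def spread(world, first_infected, first_account, runs=RUNS):
    """Return the sorted list of executables the virus eventually infects.

    Breadth-first: each queued account 'executes' the virus once, infecting
    all executables it may write; then every (account, program) pair where
    the program is now infected is queued so that account spreads it too.
    """
    infected = {first_infected}
    queue = deque([first_account])
    already_executed = set()          # (account, program) pairs processed
    while queue:
        account = queue.popleft()
        for path, writers in world.items():     # DAC rule: write set only
            if account in writers:
                infected.add(path)
        for acct, programs in runs.items():     # who runs an infected file?
            for prog in programs:
                if prog in infected and (acct, prog) not in already_executed:
                    already_executed.add((acct, prog))
                    queue.append(acct)
    return sorted(infected)


def scenarios():
    """Infected-file counts for the three situations the article warns about."""
    sloppy = build_world({"alice", "bob", "admin"})   # shared tool is world-writable
    tight = build_world({"admin"})                    # shared tool writable by admin only
    return {
        # alice runs an infected game; everyone can write the shared tool
        "sloppy_layout_user_runs_virus": len(spread(sloppy, ALICE_GAME, "alice")),
        # same, but the shared tool is admin-writable only
        "least_privilege_user_runs_virus": len(spread(tight, ALICE_GAME, "alice")),
        # admin runs the same game while logged in with the privileged account
        "least_privilege_admin_runs_virus": len(spread(tight, ALICE_GAME, "admin")),
    }


if __name__ == "__main__":
    for name, count in scenarios().items():
        print(f"{name}: {count} of 7 executables infected")
```

With the world-writable shared tool the infection started by alice reaches all seven executables, because bob and the administrator both run the shared tool and carry the virus into their own write sets; with the tool writable only by admin it stops at alice's two files. The third scenario is the point about administrators working from a privileged account: run once as admin, the same virus infects everything regardless of layout.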
Lesson 6: Investigate the infection
All virus infections should be investigated to attempt to determine the source of the exposure and the scope of the infection. This will assist not only in clean-up and containment but also in prevention. Once there is a good understanding of how viruses spread, the investigation of an infection highlights areas where prevention techniques could have been used or could be improved. Too many times the response to a virus infection stops as soon as the initial infection is removed. Not looking for or attempting to identify the source or scope of an infection permits the virus to continue to infect other computers.
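A first pass at the source and scope questions can be scripted over the scan reports collected from the affected machines. The following is an added example, not code from the article or from IBM: it parses a batch of scan-report lines, counts the hosts and files involved, flags infected files on a shared network drive, and picks the infected file with the earliest last-modified time as the first guess at the point of entry. The log format, the host names, the paths, the use of drive F: as the file server, and every line of the sample log are constructed for the illustration; real products write their own report formats and the parser would need adapting.

```python
"""Summarise anti-virus scan reports to estimate an infection's source and scope.

Constructed log format (not any real product's): one detection per line,
fields separated by whitespace:
  detection-date detection-time host path detection-name file-mod-date file-mod-time
A detection name of '-' marks a file that was scanned and found clean.
The detection name used below is the EICAR test signature, so the sample
describes a harmless test file rather than a real virus.
"""
from datetime import datetime

# Constructed sample log: three workstations, one shared drive (F: = file server).
SCAN_LOG = r"""
1997-07-15 08:40 WS-BOB   F:\APPS\REPORT.EXE      EICAR_Test_File 1997-07-11 17:02
1997-07-15 08:41 WS-BOB   C:\USERS\BOB\CALC.EXE   EICAR_Test_File 1997-07-14 10:30
1997-07-15 09:05 WS-ALICE C:\GAMES\PUZZLE.EXE     EICAR_Test_File 1997-07-10 21:15
1997-07-15 09:06 WS-ALICE F:\APPS\REPORT.EXE      EICAR_Test_File 1997-07-11 17:02
1997-07-15 09:30 WS-CAROL C:\DOS\COMMAND.COM      EICAR_Test_File 1997-07-15 07:55
1997-07-15 09:31 WS-CAROL C:\WP\WP.EXE            -               1997-01-03 12:00
"""


def parse(log_text):
    """Turn report lines into dicts, dropping clean files and malformed lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[4] == "-":
            continue
        seen_d, seen_t, host, path, name, mod_d, mod_t = parts
        events.append({
            "seen": datetime.strptime(f"{seen_d} {seen_t}", "%Y-%m-%d %H:%M"),
            "host": host,
            "path": path,
            "name": name,
            "modified": datetime.strptime(f"{mod_d} {mod_t}", "%Y-%m-%d %H:%M"),
        })
    return events


def investigate(events, server_drives=("F:",)):
    """Scope (hosts, distinct files, shared files) plus a likely source.

    The earliest-modified infected file is only a heuristic: infecting a
    file normally updates its timestamp, but some viruses restore the old
    one, and an infected file copied from outside keeps the time of the
    copy. Treat the result as the first lead, not the conclusion.
    """
    hosts = sorted({e["host"] for e in events})
    files = sorted({e["path"] for e in events})
    shared = sorted({e["path"] for e in events
                     if e["path"][:2].upper() in server_drives})
    source = min(events, key=lambda e: e["modified"])
    return {
        "names": sorted({e["name"] for e in events}),
        "hosts": hosts,
        "files": files,
        "shared": shared,                     # how other hosts were likely exposed
        "source": (source["host"], source["path"]),
        "first_seen": min(e["seen"] for e in events),
    }


def summary():
    """Run the investigation over the constructed sample log."""
    return investigate(parse(SCAN_LOG))


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

On the sample, the scope is three hosts and four distinct files, the infected copy of REPORT.EXE on the shared drive explains how WS-BOB and WS-ALICE were both exposed, and PUZZLE.EXE on WS-ALICE, modified five days before anything else, is the file to ask questions about first. Stopping after cleaning WS-BOB alone, as the paragraph warns, would have left the shared file in place to reinfect the next user.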
Lesson 7: Report infections & exposures
Virus infections tend to go unreported because people are embarrassed or afraid of retribution. Reporting is a preventive measure in that it helps to identify trends, patterns, high risk areas, and such. This information provides the response initiatives with additional ammunition to look at such things as resource allocation and product usage. In addition, reported infection information can be used to identify lessons learned and areas for improvement.
Lesson 8: Provide input to the anti-virus vendor
Do not be shy about providing information to your particular anti-virus vendor regarding issues, concerns or functions that the anti-virus products could provide to make virus response more manageable and preventable in your environment.
With prevention as the focus, organizations can go a long way to avoid virus infections. Sure, you will almost certainly have the occasional exposure to a virus when you pull that long lost diskette from the back of the desk drawer. However, if an anti-virus product is installed and active, and other preventative measures are in place, the virus should be detected and cleaned before an infection occurs. If, as IBM statistics suggest, two-thirds of all computer virus incidents are caused by the same ten viruses, prevention of those ten viruses would bring great relief to organizations. It is however everyone's responsibility to participate in the prevention effort. Remember, only YOU can prevent virus infections.