Achieving Security
Passively Protecting the Enterprise
Mary Landesman
The word security is derived from the Latin securus: safe, free from care, unworried, unconcerned. To be truly secure, then, one must have a high level of confidence in a particular methodology or environment. The question becomes what constitutes "free from care". Car-jackings and burglaries have taught us the need to lock our doors, yet we are not secure until the door is actually locked, that is, until we remember to lock it. Intervention of this kind hardly constitutes freedom from care: it requires active participation, so the level of protection will vary from one individual to the next. An apartment building with a self-locking entrance is effective only if every tenant properly closes the door. Active participation is thus the weak link in the quest for security: where people must take the measures themselves, security cannot be guaranteed, because there is no assurance of total compliance. Conversely, where a method of passive protection removes the need for individual interaction, we are free from care and security is achieved. The method of implementation is the key: security depends on the dynamics of passive protection.
Enterprise managers face many challenges in delivering secure networked environments.
One of the larger threats facing system administrators is malicious code, the computer virus foremost among it. According to the ICSA, lost time and corrupted data resulted in a median cost of $1,750 per virus incident in 1999, and current estimates put the rate at 88 incidents per 1,000 PCs per month [1]. With e-mail and floppy diskettes serving both as the primary means of virus transmission and as the primary means of distributing legitimate data, the need for protection at the user level is clear. The dichotomy is that security measures cannot be adopted if they hamper the individual's ability to do their job, yet if proper measures are not adopted the individual may be unable to do their job at all. A further contradiction is that the administrator must protect the user's ability to work, yet cannot rely on the user to help with that protection. Simply put, if the user is required to participate in the quest for security, "free from care" cannot be achieved. Strategies will vary among companies, but one common denominator they all share is the inability to rely on the local user for security measures. Dynamic passive protection is therefore key to an effective anti-virus strategy.
Passive Protection
We know that securing the enterprise from viral threats is an important aspect of any IT manager's responsibilities and must be done independently of, or perhaps in spite of, the local user. Nonetheless, resources often dictate that this policing occur as an adjunct to many other demanding duties. Even if this were not the case, physically presiding over each user's workstation is simply not a feasible defense. Passive protection, then, can be defined, in part, as the means by which a user's workstation is defended, without their participation being required.
A second part to the equation of providing viable security, i.e. passive protection, is dealing with the ever-changing nature of viruses. Not only are the numbers of viruses increasing, but the type of threat and method of delivery are constantly evolving as well. Obviously, actively policing against individual viruses would be a daunting task for any administrator.
The Melissa virus, which mailed itself to addresses harvested from the victim's e-mail address book, infected 38 times more frequently than previous viruses. This occurred even though 90% of respondents to the 1999 ICSA survey [2] reported using anti-virus software. Why, then, were infection rates so severe?
First, we must understand that we are entering a new era of computer viruses. Initially spread via floppy diskette, virus infections did not easily become widespread; a year might pass before a virus could be considered prevalent. In the 1990s, macro viruses appeared which exploited Microsoft Word and spread with relative ease through shared documents. Even so, it took a month or two before such a virus achieved significant prevalence. The next generation of viruses, as seen with Melissa, exploits the connectivity of the Internet and needs only a few days to establish widespread infection.
HoloCheck Technology
Obviously, anti-virus firms cannot manage these emerging threats with standard signature scanning alone. Against a vector as fast as the Internet, signature-based scanning is akin to placing a band-aid on a severe wound; it cannot stop the flow of infection. Worse, the method is only useful for viruses already known to the anti-virus industry, and Melissa was a brand new virus. To counter threats in this arena, the anti-virus engine must be able to make intelligent decisions about the behavior of a file. This element, heuristic scanning, is key to successful detection.
Compounding the problem of rapidly transmitted infections, computer viruses often vary their own code in order to avoid detection by anti-virus scanners. More sophisticated (polymorphic) viruses intersperse their instructions with arbitrary values, so that each variant must be thoroughly researched and identified before a disinfection routine can be provided. Scanners that rely solely on signature files may fail to detect a virus that has modified itself, or may require extensive research time before a signature is available. With virus numbers increasing at such alarming rates, adding ever more signature files is simply not an adequate defense.
HoloCheck technology combines signature files with behavior monitoring to identify virus and virus-like conduct. By monitoring the behavior of files in a protected, virtual environment, Command AntiVirus can identify and protect against both known and unknown viruses. This virtual virology lab safely observes the behavior and outcome of files, isolating or disinfecting infected ones before they have the opportunity to execute and infect the system. Combined with frequently updated signature files, this methodology provides strong security in the fight against viruses.
Dynamic Virus Protection
To achieve the two critical facets necessary for true security, enterprise managers require a solution that combines transparent, passive protection for the local user and intelligent scanning methods that identify newly emerging threats. Command AntiVirus provides a constantly monitoring background scanner employing a high level of heuristic capabilities. Indeed, dynamic virus protection, often referred to as real-time scanning, has been documented by the ICSA as the single most important defense against computer viruses.
Continually monitoring operating system activity, Command AntiVirus' DVP intercepts file actions such as File Open, File Close, File Copy, File Rename and File Delete. Before the operating system is allowed to carry out such a request, DVP checks whether the file is of a type that can be infected and, if so, scans it for viruses. Only after DVP has examined the file is the operating system allowed to carry out the original instruction. DVP determines the file type from the native file header and is not influenced by the file's extension, or by the absence of one.
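To make the on-access decision concrete (the HoloCheck and DVP sections above), here is an added illustrative scanner in Python. It is not Command AntiVirus code: the file types are recognized by their real magic bytes (MZ for DOS/Windows executables, D0 CF 11 E0 A1 B1 1A E1 for OLE2 compound documents such as Word 97 files) rather than by extension, the signature database and the sample files are constructed for the demo, and the "heuristic" is a simplified static check for an auto-executing macro combined with Outlook automation, standing in for the behavior monitoring the page describes.

```python
"""Illustrative on-access scanner: classify by native header, not extension,
then run a signature scan and a simple static heuristic before the open is
allowed.  Added example; signatures and sample files below are constructed."""

# Real magic numbers at offset 0.
MAGIC = {
    b"MZ": "pe_executable",                          # DOS/Windows executable
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2_document",  # Word/Excel 97 compound file
}

# Hypothetical signature database (demo only): name -> byte pattern.
SIGNATURES = {
    "Demo.Macro.A": b"DEMO_MACRO_SIG_0001",
    "Demo.PE.B": b"DEMO_PE_SIG_0002",
}

# Strings that together suggest a self-mailing macro (Melissa-style):
# an auto-executing macro name plus Outlook/MAPI automation.
MACRO_AUTO_TRIGGERS = (b"AutoOpen", b"Document_Open", b"AutoExec")
MAILER_HINTS = (b"Outlook.Application", b"MAPI.Session", b".Recipients.Add")

OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Constructed sample "files" keyed by the name the user gave them.
SAMPLE_FILES = {
    # A Word document renamed .txt, with an AutoOpen macro automating Outlook.
    "report.txt": OLE2 + b"\x00" * 16
    + b'Macros AutoOpen Set ol = CreateObject("Outlook.Application")',
    # An executable carrying the demo signature.
    "setup.exe": b"MZ\x90\x00" + b"\x00" * 8 + b"DEMO_PE_SIG_0002",
    # Plain text given a .doc extension: not an infectable type, so not scanned.
    "notes.doc": b"Meeting notes, no macros here.",
    # A genuine OLE2 document with no macro content.
    "clean.doc": OLE2 + b"\x00" * 16 + b"Root Entry WordDocument",
}


def classify_by_header(data):
    """Return the file class from its leading bytes; the name is never consulted."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "other"


def signature_scan(data):
    """Known-virus check: every demo signature present in the data."""
    return [name for name, pat in SIGNATURES.items() if pat in data]


def heuristic_scan(kind, data):
    """Unknown-virus check: flag documents whose macro text pairs an
    auto-run trigger with mail automation.  Static stand-in for emulation."""
    findings = []
    if kind == "ole2_document":
        has_trigger = any(t in data for t in MACRO_AUTO_TRIGGERS)
        has_mailer = any(h in data for h in MAILER_HINTS)
        if has_trigger and has_mailer:
            findings.append("Heuristic.MacroMassMailer")
    return findings


def on_access(filename, data):
    """Decision taken before the OS completes the open/copy/rename.
    allow is False when the file is infected or looks malicious."""
    kind = classify_by_header(data)
    if kind == "other":
        return {"file": filename, "type": kind, "scanned": False,
                "allow": True, "detections": []}
    detections = signature_scan(data) + heuristic_scan(kind, data)
    return {"file": filename, "type": kind, "scanned": True,
            "allow": not detections, "detections": detections}


def scan_all(files=SAMPLE_FILES):
    """Run the on-access check over every sample; returns name -> decision."""
    return {name: on_access(name, data) for name, data in files.items()}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(f"{name:12s} {verdict['type']:15s} allow={verdict['allow']} "
              f"{verdict['detections']}")
```

Note that "report.txt" is blocked even though its extension suggests harmless text, because the header identifies it as an OLE2 document and the macro content trips the heuristic, while "notes.doc" is allowed without scanning because its header shows it is not an infectable type.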
Recognizing that malicious code has many entry points, DVP responds to file downloads from the Internet and e-mail as well as to file manipulations on CD-ROM, floppy disk, local drives and network drives. Protection covers viruses, trojans, worms, hostile Java applets and ActiveX controls, and distributed denial-of-service agents such as Trinoo.
By default, DVP provides full protection, passively securing the environment independently of the user. To further increase this level of safety, configuration options allow administrators to prevent users from disabling DVP or changing its preferences. Options determining what to scan and what action to take on detection can also be configured before installation. Signature updates can be pushed to, or automatically pulled by, the local machine, providing further passive protection for the local user. E-mail alerting, which can be combined with pagers, gives the administrator immediate notification of an infection and can likewise be configured before installation. In short, all the desired changes to Command AntiVirus can be made with a simple text editor prior to deployment, giving administrators an easy, effective, "free from care" installation.
Not all passive protection is created equal. Some vendors disable or lower heuristic scanning in their real-time scanners by default, relying on the user to have the sophistication and knowledge to change the setting for suitable protection. For example, Network Associates disables all heuristic scanning in its real-time module, and Symantec excludes all Microsoft executables from being scanned. Achieving true passive protection with either product therefore requires system-wide configuration changes. Even with the defaults changed to provide a higher level of protection, however, neither product provided a suitable defense against Melissa. In fact, only one commercially available scanner in the U.S. detected the Melissa virus on heuristics alone: Command AntiVirus.
[1] Fifth Annual ICSA Computer Virus Prevalence Survey, 1999.
[2] 1999 Congressional Testimony of Richard Pethia, CERT Coordination Center.