Network Information Access
17APR90
Judge Dredd
File 26

Founded By: Guardian Of Time, Judge Dredd
Mother Earth BBS - NUP:> DECnet - Text File Archives

Computer Viruses & Threats IV

$_Virus Prevention for Personal Computers and Associated Networks

 Virus  prevention in  the personal  computer  environment differs
 from  that of the  multi-user computer environment  mainly in the
 following two respects:  the relative lack of technical controls,
 and  the  resultant  emphasis  this  places  on  less-technically
 oriented means of protection which  necessitates more reliance on
 user involvement.   Personal computers  typically do not  provide
 technical controls for such things  as user authorization, access
 controls, or memory protection that differentiates between system
 memory and memory used by user applications.  Because of the lack
 of controls and the resultant freedom  with which users can share
 and modify software, personal computers are more  prone to attack
 by viruses, unauthorized users, and related threats.

 Virus prevention in  the personal computer environment  must rely
 on  continual  user  awareness  to  adequately  detect  potential
 threats  and  then  to  contain  and  recover  from  the  damage.

 Personal   computer  users  are   in  essence  personal  computer
 managers, and must practice  their management as a part  of their
 general computing.   Personal computers generally do  not contain
 auditing features, thus a user needs to be aware at all  times of
 the computer's performance,  i.e., what it  is doing, or what  is
 normal or abnormal activity.  Ultimately, personal computer users
 need  to  understand  some  of  the  technical aspects  of  their
 computers in order to protect, deter,  contain, and recover.  Not
 all personal computer  users are technically oriented,  thus this
 poses  some  problems  and  places  even  more emphasis  on  user
 education and involvement in virus prevention.

 Because of the dependence on  user involvement, policies for  the
 personal  computer environment  are more  difficult to  implement
 than  in   the   multi-user  computer   environment.     However,
 emphasizing  these policies as  part of a  user education program
 will help to ingrain  them in users'  behavior.  Users should  be
 shown  via  examples what  can happen  if  they don't  follow the
 policies.   An example  where users  share infected  software and
 then spread the  software throughout an organization  would serve
 to effectively illustrate  the point, thus making the  purpose of
 the policy  more clear and more  likely to be  followed.  Another
 effective method for  increasing user cooperation is  to create a
 list of effective personal computer management practices specific
 to  each personal computing  environment.   Creating such  a list
 would save users the problem of determining how best to enact the
 policies,  and would serve  as a convenient  checklist that users
 could reference as necessary.

 It will  likely be  years before  personal computers  incorporate
 strong  technical  controls  in  their  architectures.    In  the
 meantime,  managers  and  users  must  be  actively  involved  in
 protecting their computers from viruses and related threats.  The
 following sections provide guidance to help achieve that aim.

$_General Policies

 Two general policies are suggested here.  The first requires that
 management  make  firm,  unambiguous decisions  as  to  how users
 should  operate  personal  computers, and  state  that  policy in
 writing.  This policy will be a general re-statement of all other
 policies affecting personal computer use.   It is important  that
 users  read  this  policy  and  agree  to  its  conditions  as  a
 prerequisite to  personal  computer use.    The purposes  of  the
 policy are  to  (1) ensure that users  are aware of all policies,
 and (2) impress upon users the  need for their active involvement
 in computer security.

 The second policy is that every  personal computer should have an
 "owner"  or  "system   manager"  who   is  responsible  for   the
 maintenance and security of the  computer, and for following  all
 policies and procedures associated with  the use of the computer.
 It would be preferable that the primary user of the computer fill
 this  role.    It  would   not  be  too  extreme  to   make  this
 responsibility a part of the user's job description.  This policy
 will require that resources  be spent on educating users  so that
 they can adequately follow all policies and procedures.

$_Software Management

 Due  to the wide variety of  software available for many types of
 personal computers, it  is especially important that  software be
 carefully controlled.  The following policies are suggested:

    - Use only licensed copies of  vendor software for personal
      computers.  Ensure  that the license numbers  are logged,
      that warranty information is completed, and  that updates
      or  update  notices  will be  mailed  to  the appropriate
      users.   Ensure that software versions are uniform on all
      personal  computers.     Purchase  software  from  known,
      reputable  sources  - do  not  purchase software  that is
      priced suspiciously low and do  not use pirated software,
      even on a  trial basis.   As possible, buy software  with
      built-in security features.

    - Do not install software that is  not clearly needed.  For
      example, software  tools such  as compilers  or debuggers
      should not  be installed on  machines where they  are not
      needed.

    - Store the original copies of vendor software in  a secure
      location for use when restoring the software.

    - Develop a clear policy for  use of public-domain software
      and  shareware.    It  is  recommended  that  the  policy
      prohibit   indiscriminate   downloading   from   software
      bulletin boards.   A  special isolated  system should  be
      configured to  perform the  downloading, as  well as  for
      testing downloaded and other software  or shareware.  The
      operation  of  the   system  should   be  managed  by   a
      technically skilled user who  can use anti-virus software
      and other techniques  to test new  software before it  is
      released for use by other users.

    - Maintain   an   easily-updated   database  of   installed
      software.  For each type of software, the database should
      list the computers  where the software is  installed, the
      license  numbers,  software  version  number, the  vendor
      contact  information, and the responsible person for each
      computer listed.  This database should be used to quickly
      identify users, machines, and  software when problems  or
      emergencies  arise,  such as  when  a particular  type of
      software  is  discovered  to  contain  a virus  or  other
      harmful aspects.

    - Minimize software  sharing within  the organization.   Do
      not permit software to be  placed on computers unless the
      proper manager is  notified and the software  database is
      updated.    If computer  networks  permit software  to be
      mailed or otherwise transferred among machines,  prohibit
      this as a  policy.   Instruct users not  to run  software
      that has been mailed to them.

    - If using software repositories on LAN servers, set up the
      server  directory  such  that  users  can copy  from  the
      directory, but not add software to the directory.  Assign
      a user  to  manage the  repository;  all updates  to  the
      repository  should  be cleared  through  this individual.
      The software  should be tested  on an isolated  system as
      described earlier.

    - If  developing software,  consider  the  use of  software
      management  and  control  programs that  automate  record
      keeping for software  updates, and that provide  a degree
      of protection  against unauthorized modifications  to the
      software under development.

    - Prohibit users from  using software  or disks from  their
      home  systems.   A  home system  that  is used  to access
      software bulletin boards  or that  uses shared copies  of
      software  could  be   infected  with  viruses  or   other
      malicious software.


$_Technical Controls

 As stated earlier, personal computers suffer from a relative lack
 of technical controls.  There are  usually no mechanisms for user
 authentication  and   for  preventing  users  or   software  from
 modifying  system  and  application  software.    Generally,  all
 software  and  hardware is  accessible  by the  personal computer
 user, thus the potential for misuse is substantially greater than
 in the multi-user computer environment.

 However,  some  technical  controls  can  be  added  to  personal
 computers,  e.g., user  authentication  devices.   The  technical
 controls that do  not exist can  be simulated by other  controls,
 such as  a  lock on  an  office door  to  substitute for  a  user
 authentication device, or  anti-virus software to take  the place
 of  system  auditing  software.   Lastly,  some  of  the personal
 computer's accessibility can  be reduced, such as  by the removal
 of floppy diskette  drives or  by the use  of diskless  computers
 that  must  download  their software  from  a  LAN  server.   The
 following items are suggested:


    - Where technical controls  exist, use them.  If basic file
      access  controls are  available to make  files read-only,
      make  sure  that   operating  system   files  and   other
      executable files are marked as read-only.  Use write-protect
      tabs on floppy diskettes and tapes.  If LAN access requires
      a password, ensure that passwords are used carefully -
      follow the guidelines for password usage presented in
      file III.

    - Use new, cost-effective forms of user identification such
      as magnetic access cards, or set up other software, such
      as a password mechanism, that at a minimum deters
      unauthorized users.

    - If  using  a  LAN,   consider  downloading  the  personal
      computer's operating system and other applications from a
      read-only directory  on the  LAN server  (instead of  the
      personal computer's  hard disk).   If the  LAN server  is
      well  protected,  this  arrangement  would  significantly
      reduce  chances of  the software  becoming infected,  and
      would simplify software management.

    - Consider booting personal computers  from write-protected
      floppy diskettes (instead  of the computer's hard  disk).
      Use a unique diskette per computer, and keep the diskette
      secured when not in use.

    - Do not leave a personal  computer running but unattended.
      Lock the computer with a  hardware lock (if possible), or
      purchase  vendor add-on  software to "lock"  the keyboard
      using a password mechanism.   Alternatively, turn off the
      computer and lock  the office door.   Shut down and  lock
      the computer at the end of the day.

    - When using modems connected to personal computers, do not
      provide more access to  the computer than necessary.   If
      only dial-out service is required, configure the modem so
      that  it  won't answer  calls.    If  dial-in service  is
      necessary,  consider  purchasing  modems  that require  a
      password or  that use  a call-back  mechanism to  force a
      caller to call from  a telephone number that is  known to
      the modem.

    - Consider   using   "limited-use"  systems,   whereby  the
      capabilities of a system  are restricted to only  what is
      absolutely  required.  For example, users  who run only a
      certain  application  (such  as a word processor)  may  not
      require  the flexibility of a  personal computer.  At the
      minimum,   do  not   install   applications  or   network
      connections where they are not needed.


$_Monitoring

 Personal computer operating systems typically  do not provide any
 software or user monitoring/auditing features.  Monitoring, then,
 is largely a user function whereby the user must be aware of what
 the computer is doing, such as when the computer is accessing the
 disk or the  general speed of its response  to commands, and then
 must decide whether the activity is normal or abnormal.  Anti-viral
 software can be added to the operating system and run in
 such  a way that the software flags  or in some way alerts a user
 when suspicious  activity occurs, such as when  critical files or
 memory regions are written.

 Effective monitoring depends on user education.  Users must  know
 what constitutes normal  and abnormal activity on  their personal
 computers.  They need to have  a reporting structure available so
 that they  can alert an informed individual  to determine whether
 there is indeed  a problem.  They need to know  the steps to take
 to  contain the damage, and how  to recover.  Thus, the following
 policies and procedures are recommended:

    - Form a team  of skilled  technical people to  investigate
      problems reported  by users.   This same  group could  be
      responsible for other aspects  of virus prevention,  such
      as testing new software and  handling the containment and
      recovery from virus-related incidents.  Ensure that users
      have quick  access to this  group, e.g., via  a telephone
      number.

    - Educate users  so that they  are familiar with  how their
      computers function.  Show  them how to use such  items as
      anti-viral  software.    Acquaint  them  with  how  their
      computers boot, what  files are loaded, whether  start-up
      batch files are executed, and so forth.

    - Users need  to watch for  changes in  patterns of  system
      activity: program loads that suddenly take longer, disk
      accesses that seem excessive for simple tasks, unusual
      error messages, disk access lights that turn on when no
      disk activity should be occurring, less memory available
      than usual, files that disappear mysteriously, or less
      disk space than normal.

    - Users also need  to examine whether important  files have
      changed  in size,  date, or  content.   Such  files would
      include the operating system, regularly-run applications,
      and  other batch  files.   System sweep  programs may  be
      purchased  or  built  to  perform  checksums on  selected
      files, and then  to report whether changes  have occurred
      since the last time the program was run.
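
 The sweep program described in this item, written out as an added
 example (it is not code from the guide): it records the size, date
 and a SHA-256 digest of each selected file, stores that baseline,
 and on a later run reports which of the three has changed.  The
 file names COMMAND.COM, AUTOEXEC.BAT and WP.EXE and the tampering
 scenario are constructed for the demonstration; the same-size
 overwrite with its timestamp put back shows why a size-and-date
 check alone is not enough and the digest is needed.

```python
"""Integrity sweep for selected files: baseline, then compare on later runs.

Added example, not code from the original guide.  Size, modification date
and a SHA-256 digest are recorded per file so that the three kinds of change
the text names (size, date, content) are reported separately.  File names
and tampering below are constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile
from typing import Dict, List


def file_record(path: str) -> Dict[str, object]:
    """Size, whole-second mtime and SHA-256 digest of one file."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def build_baseline(paths: List[str]) -> Dict[str, Dict[str, object]]:
    """Record every existing regular file in the list, keyed by path."""
    return {p: file_record(p) for p in paths if os.path.isfile(p)}


def save_baseline(baseline: Dict[str, Dict[str, object]], baseline_path: str) -> None:
    # The baseline itself belongs on write-protected media; here it is a JSON file.
    with open(baseline_path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(baseline_path: str) -> Dict[str, Dict[str, object]]:
    with open(baseline_path) as f:
        return json.load(f)


def compare(baseline: Dict[str, Dict[str, object]],
            current: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Per-file list of what differs: size, date, content, missing, or new."""
    report: Dict[str, List[str]] = {}
    checks = (("size", "size"), ("mtime", "date"), ("sha256", "content"))
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            report[path] = ["missing"]
            continue
        changes = [label for field, label in checks if new[field] != old[field]]
        if changes:
            report[path] = changes
    for path in current:
        if path not in baseline:
            report[path] = ["new"]
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline three files, tamper with two, re-sweep."""
    workdir = tempfile.mkdtemp()
    try:
        contents = {
            "COMMAND.COM": b"original command interpreter",
            "AUTOEXEC.BAT": b"@ECHO OFF\r\nPROMPT $P$G\r\n",
            "WP.EXE": b"MZ word processor image",
        }
        paths = {}
        for name, data in contents.items():
            paths[name] = os.path.join(workdir, name)
            with open(paths[name], "wb") as f:
                f.write(data)
        baseline_path = os.path.join(workdir, "baseline.json")
        save_baseline(build_baseline(list(paths.values())), baseline_path)

        # Tamper 1: overwrite the first 8 bytes of COMMAND.COM in place and put
        # the original timestamps back, so size and date look untouched.
        st = os.stat(paths["COMMAND.COM"])
        with open(paths["COMMAND.COM"], "r+b") as f:
            f.write(b"INFECTED")
        os.utime(paths["COMMAND.COM"], (st.st_atime, st.st_mtime))

        # Tamper 2: append 512 bytes to WP.EXE and move its date one day forward.
        st = os.stat(paths["WP.EXE"])
        with open(paths["WP.EXE"], "ab") as f:
            f.write(b"\x90" * 512)
        os.utime(paths["WP.EXE"], (st.st_atime, st.st_mtime + 86400))

        current = build_baseline(list(paths.values()))
        report = compare(load_baseline(baseline_path), current)
        return {os.path.basename(p): changes for p, changes in report.items()}
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for name, changes in sorted(demo().items()):
        print(f"{name}: {', '.join(changes)}")
```

 In the demo, COMMAND.COM is reported as changed in content only,
 WP.EXE in size, date and content, and AUTOEXEC.BAT not at all.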

    - Purchase virus prevention  software as applicable.   At a
      minimum,  use  anti-viral software  to test  new software
      before  releasing it  to other  users.   However,  do not
      download or use pirated copies of anti-viral software.

    - Always  report, log,  and investigate  security problems,
      even when the  problems appear  insignificant.  Then  use
      the log as input into regular  security reviews.  Use the
      reviews as a  means for  evaluating the effectiveness  of
      security policies and procedures.

$_Contingency Planning

 As described in file II, backups  are the single most important
 contingency procedure.   It is especially important  to emphasize
 regular  backups  for personal  computers,  due to  their greater
 susceptibility  to misuse  and due  to the  usual requirement  of
 direct user involvement  in the backup procedure, unlike  that of
 multi-user computers.  Because of the second  factor, where users
 must  directly  copy  files  to one  or  more  floppy  diskettes,
 personal  computer  backups  are sometimes  ignored  or  not done
 completely.   To  help ensure  that backups  are done  regularly,
 external backup mechanisms that use a high-density tape cartridge
 can be purchased  and a user assigned to run the backup procedure
 on  a  regular  basis.    Additionally,  some  personal  computer
 networks  contain  a personal  computer  backup feature,  where a
 computer can directly access a network server's backup mechanism,
 sometimes in an off-line mode at a selected time.  If  neither of
 these mechanisms is available, then  users must be supplied with
 an adequate number of  diskettes to make complete backups  and to
 maintain a reasonable amount of backup history, with a minimum of
 several weeks.

 Users  should  maintain  the  original  installation  media   for
 software applications and  store it in a  secure area, such  as a
 locked cabinet, container, or  desk.  If a user  needs to restore
 software, the user should  use only the original media;  the user
 should not use  any other type of  backup or a copy  belonging to
 another user, as  they could be infected or damaged  by some form
 of malicious software.

 The effectiveness of  a backup policy can be  judged by whether a
 user  is able  to recover  with  a minimum  loss of  data  from a
 situation whereby  the user would  have to format  the computer's
 disk and  reload all  software.  Several  incidents of  malicious
 software have required  that users go to this length to recover -

 Other important contingency procedures are described below:

    - Maintain  a  database of  personal  computer information.
      Each record should  include items such as  the computer's
      configuration, i.e., network connections,  disks, modems,
      etc.,  the  computer's  location,  how  it is  used,  the
      software it runs, and the  name of the computer's primary
      user/manager.  Maintain this database to facilitate rapid
      communication and identification  when security  problems
      arise.

    - Create a security  distribution list for each user.   The
      list should include  names of people  to contact who  can
      help identify the cause of unusual computer activity, and
      other  appropriate  security  personnel to  contact  when
      actual problems arise.

    - Create a group of skilled users who can respond to users'
      inquiries  regarding virus detection.   This group should
      be  able to determine when a  computer has been attacked,
      and how best to contain and recover from the problem.

    - Set up some means of  distributing information rapidly to
      all affected users  in the event  of an emergency.   This
      should not  rely upon a computer network,  as the network
      could actually  be attacked,  but could  use other  means
      such  as   telephone, mail, or  a   general  announcement
      mechanism.

    - Observe physical security for personal computers.  Locate
      them  in  offices  that can  be  locked.    Do not  store
      software and backups in unsecured cabinets.

$_Associated Network Concerns

 Personal  computer  networks  offer  many  advantages  to  users,
 however  they  must be  managed  carefully  so that  they  do not
 increase  vulnerability  to viruses  and  related threats.   Used
 incorrectly,   they  can   become   an   additional  pathway   to
 unauthorized  access  to  systems,  and  can  be  used  to  plant
 malicious software such as network worms.   This section does not
 provide specific management guidance, as there are many different
 types of personal  computer networks with widely  varying degrees
 of similarity.   However, some general suggestions  for improving
 basic management are listed below:

    - Assign  a network  administrator,  and make  the required
      duties  part  of  the  administrator's  job  description.
      Personal  computer  networks  are  becoming  increasingly
      complex to administer, thus the administration should not
      be  left to  an individual  who cannot  dedicate time  as
      necessary.

    - Protect the network server(s) by  locating them in secure
      areas.    Make sure  that  physical access  is restricted
      during off-hours.  If possible, lock or remove a server's
      keyboard to prevent tampering.

    - Do not provide  for more than one  administrator account,
      i.e., do not give  other users administrator  privileges.
      Similar  to  the  problem  of  multiple   system  manager
      accounts on  multi-user systems, this situation  makes it
      more  likely that a password will become known, and makes
      overall  management more  difficult  to  control.   Users
      should coordinate their requests through a single network
      administrator.

    - Do not  permit users to connect personal computers to the
      network  cable  without  permission.   The  administrator
      should keep an updated diagram of the network's topology,
      complete with corresponding network addresses and users.

    - Use  the  network monitoring  tools  that  are available.
      Track network usage and access to resources, and pinpoint
      unauthorized  access attempts.   Take  appropriate action
      when violations consistently occur, such as requiring the
      user  in  question  to attend  a  network  user  class or
      disabling the user's network account.
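
 An added example of the kind of review this item calls for, not
 code from the guide or from any particular network product: a
 constructed LAN server access log is parsed, users with a burst of
 failed logins or denied accesses inside a sliding window are
 flagged with the graduated response the item suggests (a user
 class first, a disabled account for persistent abuse), and
 stations that do not appear on the administrator's topology
 diagram (the previous item) are listed with the users seen from
 them.  The log format, user and station names, window and
 thresholds are all assumptions.

```python
"""Review of constructed LAN server access-log lines for the signs the text
names: bursts of failed logins or denied accesses, and stations not on the
administrator's topology diagram.

Added example, not from the original guide.  The log format, user names,
station names and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>LOGIN_OK|LOGIN_FAIL|ACCESS_DENIED) "
    r"user=(?P<user>\S+) station=(?P<station>\S+)(?: resource=(?P<resource>\S+))?$"
)

# Constructed sample log; the format is an assumption, not a real server's.
SAMPLE_LOG = r"""
1990-04-17 08:58:10 LOGIN_OK user=jsmith station=PC07
1990-04-17 09:02:41 LOGIN_FAIL user=jsmith station=PC07
1990-04-17 09:02:55 LOGIN_OK user=jsmith station=PC07
1990-04-17 12:15:02 LOGIN_FAIL user=admin station=PC19
1990-04-17 12:15:20 LOGIN_FAIL user=admin station=PC19
1990-04-17 12:15:44 LOGIN_FAIL user=admin station=PC19
1990-04-17 12:16:05 LOGIN_FAIL user=admin station=PC19
1990-04-17 13:40:00 ACCESS_DENIED user=bwayne station=PC12 resource=\\SERVER1\PAYROLL
1990-04-17 13:41:12 ACCESS_DENIED user=bwayne station=PC12 resource=\\SERVER1\PAYROLL
1990-04-17 15:05:33 LOGIN_OK user=bwayne station=PC12
1990-04-17 17:30:09 LOGIN_OK user=ctemp station=PC31
""".strip().splitlines()

# Stations recorded on the administrator's topology diagram (constructed).
KNOWN_STATIONS: Set[str] = {f"PC{n:02d}" for n in range(1, 31)}


class Event(NamedTuple):
    ts: datetime
    event: str
    user: str
    station: str
    resource: str


def parse(lines: List[str]) -> List[Event]:
    """Parse well-formed lines; malformed lines are skipped, not guessed at."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                            m["event"], m["user"], m["station"], m["resource"] or ""))
    return events


def burst_violators(events: List[Event], window: timedelta = timedelta(minutes=10),
                    threshold: int = 3) -> Dict[str, int]:
    """Users with >= threshold failed/denied events inside any sliding window."""
    by_user: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.event in ("LOGIN_FAIL", "ACCESS_DENIED"):
            by_user[e.user].append(e.ts)
    result = {}
    for user, times in by_user.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            result[user] = best
    return result


def unknown_stations(events: List[Event], known: Set[str] = KNOWN_STATIONS) -> Dict[str, List[str]]:
    """Stations not on the diagram, with the users seen from each."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        if e.station not in known and e.user not in seen[e.station]:
            seen[e.station].append(e.user)
    return dict(seen)


def recommend(count: int, threshold: int = 3) -> str:
    """Graduated response from the text: a user class first, account disabled for persistent abuse."""
    return "disable account" if count >= 2 * threshold else "network user class"


def review(lines: List[str] = SAMPLE_LOG) -> Dict[str, object]:
    """Administrator's summary: flagged users with actions, and undocumented stations."""
    events = parse(lines)
    return {
        "bursts": {u: (n, recommend(n)) for u, n in burst_violators(events).items()},
        "unknown_stations": unknown_stations(events),
    }


if __name__ == "__main__":
    print(review())
```

 On the sample log, only admin exceeds three failures in ten
 minutes (four, so the class is recommended rather than disabling
 the account), bwayne's two denials stay below the threshold, and
 PC31 is reported as a station missing from the diagram.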

    - Ensure  that users know how to  properly use the network.
      Show them how to use all  security features.  Ensure that
      users  know  how  to use  passwords  and  access controls
      effectively -  see for information  on password usage.
      Show  them the  difference  between  normal and
      abnormal network  activity or response.   Encourage users
      to contact  the  administrator  if  they  detect  unusual
      activity.  Log and investigate all problems.

    - Do  not give users more access  to network resources than
      they require.   If  using shared  directories, make  them
      read-only  if write permission is  not required, or use a
      password.   Encourage  users to  do the  same with  their
      shared directories.

    - Do not set up directories  for software repository unless
      (1) someone can first verify  whether the software is not
      infected, and (2) users are not permitted to write to the
      directory without prior approval.

    - Back up the network  server(s) regularly.  If  possible or
      practical, back up  personal computers  using the  network
      server backup mechanism.

    - Disable  the  network  mail  facility  from  transferring
      executable  files,  if  possible.     This  will  prevent
      software  from  being  indiscriminately shared,  and  may
      prevent  network  worm programs  from  accessing personal
      computers.
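
 An added example of the attachment screening this item describes
 (not code from the guide or any mail product): attachments are
 refused both by program-file extension and by content, so that an
 executable renamed to look like a text file is still held.  The
 extension list, the attachment names and their bytes are
 constructed; the "MZ" signature is the header DOS and Windows
 executables carry.

```python
"""Attachment screening for a mail gateway: refuse executable files by
extension and by content, so a renamed program is still stopped.

Added example, not from the original guide.  The extension list covers
DOS-era program file types (assumption); "MZ" is the header of DOS/Windows
executables.  Attachment names and bytes below are constructed.
"""
import os
from typing import List, Tuple

# Program file types the gateway refuses (constructed list).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".sys", ".ovl"}
# DOS and Windows executables begin with "MZ"; some old linkers wrote "ZM".
EXE_SIGNATURES = (b"MZ", b"ZM")

# Constructed message: one text memo, one program, one program renamed
# to look like text, and one batch file.
SAMPLE_MESSAGE: List[Tuple[str, bytes]] = [
    ("MEMO.TXT", b"Staff meeting moved to 3 pm."),
    ("GAME.EXE", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("REPORT.TXT", b"MZ\x50\x00\x02\x00"),
    ("FIX.BAT", b"@ECHO OFF\r\nCOPY A:*.* C:\\\r\n"),
]


def classify_attachment(name: str, data: bytes) -> Tuple[bool, str]:
    """(held?, reason).  Content is checked even when the name looks harmless."""
    ext = os.path.splitext(name)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        return True, f"executable file type {ext}"
    if data[:2] in EXE_SIGNATURES:
        return True, "executable header despite non-executable name"
    return False, ""


def screen_message(attachments: List[Tuple[str, bytes]]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a message's attachments into names delivered and (name, reason) pairs held."""
    delivered: List[str] = []
    held: List[Tuple[str, str]] = []
    for name, data in attachments:
        blocked, reason = classify_attachment(name, data)
        if blocked:
            held.append((name, reason))
        else:
            delivered.append(name)
    return delivered, held


if __name__ == "__main__":
    delivered, held = screen_message(SAMPLE_MESSAGE)
    print("delivered:", delivered)
    for name, reason in held:
        print(f"held: {name} ({reason})")
```

 Only MEMO.TXT is delivered; REPORT.TXT is held on its header alone,
 which is the case an extension-only filter would pass through.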

    - For network guest or anonymous  accounts, limit the types
      of commands that can be executed.

    - Warn network users  to be suspicious  of any messages  or
      programs  that are received  from unidentified  sources -
      network  users  should  have a  critical  and  suspicious
      attitude  towards  anything  received   from  an  unknown
      source.

    - Always remove old  accounts or change passwords.   Change
      important passwords  immediately  when  users  leave  the
      organization or no longer require access to the network.

-JUDGE DREDD/NIA

[OTHER WORLD BBS]
Downloaded From P-80 International Information Systems 304-744-2253 12yrs+