Network security used to be the bastion of IT pros only. But as Boeing Co. has learned in the six years since the Melissa virus roared across cyberspace, there are some aspects of security that IT personnel have no direct control over -- in the end, the biggest battle is educating employees on the dangers of cyberspace and how to ride the Internet safely.
"One big change for us is the role of end-user education and communication," said Jeannette Jarvis, security systems product manager for Boeing, a leading aerospace company. "Since Melissa, we have done a lot of communication about the threat posed by viruses, including the ways viruses can come into the company; how employees can protect the company's computing infrastructure from viruses and malicious code; and what actions employees should take if they think their computer has been infected."
Melissa began circulating March 26, 1999, as a Word e-mail attachment that required user interaction to spread. In addition to indirectly causing a denial of service and
The first successful mass-mailing virus, Melissa quickly overwhelmed many companies by the volume of e-mail it generated, causing many organizations to shut down their e-mail systems to avoid the onslaught until they could mitigate the threat.
Boeing chose to deal with the initial outbreak by delivering e-mail internally and holding up external e-mail until it was cleaned of the virus. The company used antivirus tools and a homegrown content filtering tool to identify and destroy the virus in-house, as well as any infected mail still being sent to Boeing.
"The challenge then was that without any sort of centralized management of any antivirus tools, identifying the infected employee was done manually," Jarvis said. "Due to Melissa [we've since] implemented some automated monitoring techniques that give us an early warning of unusual activity before the antivirus products even touch the mail. This then triggers alerts and automated lockdown of mailboxes."
As Boeing found, there's only so much that network defenses can prevent -- user awareness and education not only keep users from unwittingly contributing to an attack but also give networks another line of defense.
"We've also got the process for quickly alerting employees when there is a specific threat, using a prepared template into which information about the threat is inserted
"We also realized that having an early warning system for new threats was imperative. As a result we became much more involved in the industry, including co-founding the Anti-Virus Information Exchange and Anti-Virus Early Warning System," Jarvis added. "All these forums have allowed for needed communication to occur with those fighting the daily virus threat. The relationship between the antivirus vendors and their large customers has developed into a partnership that didn't exist before."
Melissa taught organizations valuable lessons on securing their networks, but though its impact was severe, it wouldn't have the same effect on networks today.
"Melissa is a standout as the beginning of the e-mail virus era," said Jimmy Kuo, McAfee Fellow for the McAfee Anti-Virus Emergency Response Team [AVERT]. "But it wouldn't spread all that much in today's environment. Because macros have been disabled in all Microsoft applications except Excel, most macro viruses are effectively prevented from being transmitted to users."
Kuo said that e-mail viruses will continue to pose a problem for organizations until new e-mail standards are in place. "We're going to have e-mail viruses until we change e-mail standards," Kuo said. He noted that IBM's FairUCE, a spam filter that stops spam by verifying sender identity instead of filtering content, is a step in the right direction -- and not only for viruses. Said Kuo: "It should do a lot toward cutting down spam and especially phishing."