The MyLife worm made its way around the Internet via e-mail last month, purporting to be a funny screensaver featuring Bill Clinton. Users who opened the infected attachment not only got a lame picture of the former prez, but also got a system infected with a potentially destructive worm.
If administrators had blocked screensaver files (.scr extensions) at the gateway, they would not have had to worry about MyLife. But, should companies block those files all the time? How about executables?
The benefits of blocking specific file types at the gateway are numerous, starting with the fact that it's inexpensive to do. Also, keeping those files out of users' mailboxes defuses the social engineering that may prompt a user to open an attachment, said Carey Nachenberg, chief architect for Symantec Security Response. Cutting down on attachments can also help the performance of e-mail servers by reducing the volume sent to them, he said.
Beyond blocking file extensions, companies can stop specific files, such as the Nimda worm, at the gateway. Some products allow companies to block attachments arriving in a message with a specific subject line or from a specific user.
A couple of years ago, Nachenberg recommended at a security conference that companies block all executables from e-mails. "They said I was crazy and that users wouldn't stand for it," he said.
Now, many companies block those attachments. Why? Blocking files is a lot like buying insurance. Both require balancing potential loss with the benefits, Nachenberg said.
As recently as two years ago, the security benefits of blocking executables didn't necessarily outweigh the hassle. Over time, more e-mail-based attacks have cropped up to tip the scales in favor of blocking executables, Nachenberg said.
One can see the effect of blocking extensions when a virus comes on strong but then goes nowhere as companies block it, said David Perry, global director of education for Trend Micro. Companies can also block certain files from leaving, which can also reduce the embarrassment and potential liability of sending out viruses.
"The best defense is not necessarily a good offense," Perry said. "The best defense is stopping the virus from entering your network at all."
At the least, antivirus experts recommend considering blocking executables at the gateway. Such files, if needed, can be sent zipped. The same can be said for files with double extensions and VBScript files, which viruses often use.
There are other file extensions that few businesses would need to let in, said Chris Wraight, technology consultant at Sophos. MyLife, for example, appeared as an .scr or screensaver file. Internally, Sophos has a policy against sending out Word documents because they may contain macro viruses, he said.
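The policy described above (block executables and screensavers by extension, catch double extensions, let zipped files through, optionally block on a known subject line, and log every decision) is easy to state but has edge cases worth seeing in code. The following is an added example, not code from the article or from Symantec, Trend Micro or Sophos; the extension lists, the subject string, the message contents and the function names are all this example's own assumptions. It goes slightly beyond the text by also looking inside zip attachments, since "send it zipped" is exactly the bypass a worm author would use, and by collapsing whitespace padding in filenames so `readme.txt      .exe` is not mistaken for a text file.

```python
import io
import logging
import re
import zipfile
from dataclasses import dataclass, field
from email.message import EmailMessage
from typing import Optional

log = logging.getLogger("gateway-policy")

# Assumed policy lists for this example, not any vendor's defaults.
BLOCKED_EXTENSIONS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe"}
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "txt", "doc", "pdf", "htm", "html"}
BLOCKED_SUBJECTS = {"funny screensaver"}  # constructed outbreak signature


@dataclass
class Verdict:
    action: str                       # "allow", "flag" or "block"
    reasons: list = field(default_factory=list)


def extensions(filename: str) -> list:
    """Lowercase dotted suffixes: 'pic.jpg .scr' -> ['jpg', 'scr'].
    Whitespace is removed first so padding cannot push the real
    extension out of view."""
    parts = re.sub(r"\s+", "", filename).lower().split(".")
    return parts[1:]


def check_name(filename: str) -> Optional[str]:
    """Reason to block a file by its name, or None if the name is acceptable."""
    exts = extensions(filename)
    if not exts or exts[-1] not in BLOCKED_EXTENSIONS:
        return None
    if len(exts) > 1 and any(e in DECOY_EXTENSIONS for e in exts[:-1]):
        return f"double extension: {filename}"
    return f"blocked extension .{exts[-1]}: {filename}"


def archive_members(data: bytes) -> list:
    """Member names of a zip payload, or [] when the bytes are not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def evaluate(msg: EmailMessage, block_archived: bool = False) -> Verdict:
    """Apply the policy to one message and log the decision."""
    block, flag = [], []
    subject = (msg.get("Subject") or "").lower()
    if any(s in subject for s in BLOCKED_SUBJECTS):
        block.append(f"blocked subject: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = check_name(name)
        if reason:
            block.append(reason)
            continue
        # A zipped executable passes the name check (the article's suggested
        # escape hatch), so look inside and at least record what was seen.
        inner = [m for m in archive_members(part.get_payload(decode=True) or b"")
                 if check_name(m)]
        if inner:
            (block if block_archived else flag).append(f"archive {name} holds {inner}")
    action = "block" if block else "flag" if flag else "allow"
    # Log every decision; the logs are what you tune the policy from later.
    log.info("from=%s subject=%r action=%s reasons=%s",
             msg.get("From"), subject, action, block + flag)
    return Verdict(action, block + flag)


def make_zip(member: str, content: bytes = b"MZ\x90\x00") -> bytes:
    """Build an in-memory zip holding one constructed member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    return buf.getvalue()


def sample_messages() -> dict:
    """Constructed test messages (not real captures)."""
    def build(subject, attachments):
        m = EmailMessage()
        m["From"] = "sender@example.com"
        m["Subject"] = subject
        m.set_content("see attached")
        for name, data, maintype, subtype in attachments:
            m.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
        return m
    exe = b"MZ\x90\x00"
    return {
        "screensaver": build("check this out", [("clinton.scr", exe, "application", "octet-stream")]),
        "double_ext": build("photo", [("photo.jpg.exe", exe, "application", "octet-stream")]),
        "zipped_exe": build("tool", [("tool.zip", make_zip("tool.exe"), "application", "zip")]),
        "clean": build("report", [("report.pdf", b"%PDF-1.4", "application", "pdf")]),
        "subject_only": build("a funny screensaver!", []),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    for label, m in sample_messages().items():
        print(label, evaluate(m))
```

The default of only flagging archived executables mirrors the article's stance that zipped files are the permitted channel; switching `block_archived=True` turns the same inspection into a hard block once the logs show the organization does not actually need it. Nested archives, password-protected zips and non-zip containers are not handled here and would need the same treatment.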
Others caution that the security benefits may not justify blocking certain file types. Such a "brute force" approach "isn't productive," said Peter Lindstrom, director of security strategies at the Hurwitz Group.
Security needs to be flexible and configurable. "Anyone who sees things as black and white in the security space doesn't know what they are doing," he said.
A specific file or extension can be blocked when a specific threat is known. But blocking shouldn't be permanent until a company has a good handle on its needs. Logging all e-mail is an important step in this process, Lindstrom said.
Moreover, companies should view security as layered, including protections on the client side such as application layer security software.
Echoing those sentiments, Perry warns against falling into "eggshell" security -- namely, a hard, tough outside with a soft middle. Even when blocking at the gateway, security measures must be taken at the e-mail and file servers and other points along the way.
"Security rules at the gateway are a lot like a garden. You need to prune and weed them over time," Perry said.