Expert advice: How to cost-effectively battle viruses


JP Vossen
03.05.2004




The best way to battle viruses is still by using up-to-date antivirus programs and definitions from the major antivirus vendors. Depending on your risk and budget, a multi-layered approach covering desktops, servers and gateways in that order is best. Ideally, use a mix of products from different vendors, so that a flaw or missing signature in one product is covered by another. Obviously that adds to the cost and complexity of the solution, so that approach may not be feasible for everyone. There are a few "free" antivirus programs out there, but they are mostly for non-commercial use only.

There are frequent questions in the Snort-users mailing list about using Snort to detect viruses and worms. Using Snort for this purpose is not ideal, since by the time any IDS (intrusion-detection system) detects the infection it's already too late. In some environments (notably education) this may be your only option. Join the Snort-users and Snort-sigs lists, and read the archives for more information.
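An added example, not from the article or from the Snort project, of the kind of after-the-fact detection the paragraph describes. It assumes one common worm-propagation heuristic: an infected host opens connections to many distinct destinations on the same port within a short window. The detector below applies a sliding-window fan-out threshold to connection records; the records, field layout and thresholds are all constructed for the example. As the article notes, an alert like this fires only once the host is already infected, so it is a containment aid rather than prevention.

```python
"""Sliding-window fan-out detector over connection records (constructed example).

Record format assumed here: "epoch_seconds src_ip dst_ip dst_port", one per line,
ordered by time for each source. A source that contacts at least `threshold`
distinct destinations on one port within `window` seconds is reported.
"""
from collections import defaultdict, deque


def parse_record(line):
    """Split one record into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)


def detect_fanout(lines, threshold=10, window=60):
    """Return {src_ip: (dst_port, distinct_destinations)} for each source whose
    distinct-destination count on a single port reaches `threshold` within
    `window` seconds. Each source is reported once, at the moment it crosses."""
    recent = defaultdict(deque)                      # (src, port) -> deque of (ts, dst)
    counts = defaultdict(lambda: defaultdict(int))   # (src, port) -> dst -> hits in window
    alerts = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = parse_record(line)
        key = (src, port)
        q, c = recent[key], counts[key]
        q.append((ts, dst))
        c[dst] += 1
        # Expire records that fell out of the window before evaluating.
        while q and ts - q[0][0] > window:
            old_ts, old_dst = q.popleft()
            c[old_dst] -= 1
            if c[old_dst] == 0:
                del c[old_dst]
        if len(c) >= threshold and src not in alerts:
            alerts[src] = (port, len(c))
    return alerts


# Constructed sample traffic (hypothetical addresses):
SAMPLE_LOG = (
    # a normal desktop talking to mail, proxy and a file server
    ["1078000000 10.1.1.20 10.1.0.10 25",
     "1078000005 10.1.1.20 10.1.0.11 8080",
     "1078000009 10.1.1.20 10.1.0.12 445"]
    # an infected host sweeping twelve neighbours on port 445 in twelve seconds
    + [f"{1078000100 + i} 10.1.1.5 10.1.2.{i + 1} 445" for i in range(12)]
    # an admin host reaching twelve servers on port 22, one every two minutes,
    # which never accumulates ten destinations inside a 60 s window
    + [f"{1078001000 + 120 * i} 10.1.1.30 10.1.3.{i + 1} 22" for i in range(12)]
)

if __name__ == "__main__":
    for src, (port, n) in detect_fanout(SAMPLE_LOG).items():
        print(f"possible worm activity: {src} reached {n} hosts on port {port}")
```

The window matters as much as the threshold: widen it to an hour and the slow administrative sweep is reported too, which is the benign-versus-malicious ambiguity the IPS paragraph later warns about.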

As far as prevention goes, again you need a layered approach that begins with policies and user education, and encompasses antivirus software, strict firewall rules and hardening all your hosts as much as possible. One particular challenge is the laptop user who plugs into an unprotected broadband connection at home, gets infected, then brings the infection back inside the firewall on Monday morning. You need to have an e-mail policy and make sure all users are educated about these dangers.

You may need to consider strict workstation policies, such as not allowing local users to have administrative rights or to install software, and deploying so-called personal firewalls on laptops or even on every user's machine. Firewall rules and device hardening reduce the avenues by which worms may spread, as well as improving overall security. Vulnerabilities in software that is not installed are not a threat to your organization.

IPSes (intrusion-prevention systems) are another possible layer. These take the form of a gateway (like a firewall) or transparent bridge in the network, or as agent software on each host. IPSes aim to actively prevent activity perceived as malicious. It turns out that all malicious code tries to do is a relatively small number of things, so the idea is to prevent those things from happening, rather than reactively build giant signature or definition lists of known malicious code. The problem is that it's often difficult to distinguish between benign and malicious activity, and an IPS can actively break your network, host or application if you are not very careful (and maybe a little lucky). They are improving rapidly, so they may be worth a look.

Network segmentation or compartmentalization is another possible containment strategy. See Marcus Ranum's The Big Red Button from the February 2004 issue of Information Security magazine for a discussion.

Finally, to sell the idea to management you have to have the numbers, and you have to have management that is aware of infosec issues and risks. The latter is improving as more infosec issues hit the mainstream press and as various legislation with serious impact on corporations and/or senior management takes effect (notably Sarbanes-Oxley, the Gramm-Leach-Bliley Act, California's SB 1386 and HIPAA). "The numbers" are different for every organization and environment, but the idea is to show the costs of the last infection, predict the cost of the next one and then show that an ounce of prevention is better than a pound of cure. The various products above are capital expenses, but there are other things you can do such as education, device hardening, tightening up the firewall rules and possibly network segmentation which only require your time and effort. In the end it all comes down to risk. Can you afford to take the time to do this? Can you afford not to?
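A worked version of "the numbers", added here as an example and not taken from the article. It assumes a simple model: the cost of the last infection is built up from measurable items (cleanup labour, lost user time, other recovery spend), the expected annual loss is that cost times the number of such incidents you expect per year, and each candidate control is credited with avoiding an assumed fraction of that loss against its annualised cost. Every figure, control name and reduction fraction below is constructed; the reduction fractions in particular are the assumption you would have to defend in front of management.

```python
"""Cost comparison of infection losses against candidate controls (constructed example).

Model assumed here (not from the article): annual expected loss = cost of one
infection x incidents per year; a control is credited with avoiding a stated
fraction of that loss and charged its purchase price spread over an
amortisation period plus its recurring cost.
"""
from dataclasses import dataclass


@dataclass
class Infection:
    """Measurable cost components of one infection."""
    hosts_cleaned: int
    cleanup_hours_per_host: float
    it_hourly_rate: float
    users_affected: int
    downtime_hours: float
    user_hourly_rate: float
    other_costs: float = 0.0  # consultants, replacement hardware, etc.

    def total_cost(self) -> float:
        labour = self.hosts_cleaned * self.cleanup_hours_per_host * self.it_hourly_rate
        lost_time = self.users_affected * self.downtime_hours * self.user_hourly_rate
        return labour + lost_time + self.other_costs


@dataclass
class Control:
    """A candidate countermeasure and its assumed effect."""
    name: str
    capital_cost: float   # one-off purchase (0 for time-and-effort measures)
    annual_cost: float    # licences, maintenance, staff time per year
    years: int            # period over which the purchase is amortised
    reduction: float      # assumed fraction of infection losses avoided

    def annualised_cost(self) -> float:
        return self.capital_cost / self.years + self.annual_cost


def expected_annual_loss(incident_cost: float, incidents_per_year: float) -> float:
    """Predicted yearly loss if nothing changes."""
    return incident_cost * incidents_per_year


def evaluate(last_infection: Infection, incidents_per_year: float, controls):
    """Return (name, annualised cost, loss avoided, net benefit) per control,
    best net benefit first. Values are rounded to cents for presentation."""
    loss = expected_annual_loss(last_infection.total_cost(), incidents_per_year)
    rows = []
    for c in controls:
        avoided = loss * c.reduction
        rows.append((c.name, round(c.annualised_cost(), 2), round(avoided, 2),
                     round(avoided - c.annualised_cost(), 2)))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


# Constructed figures for a hypothetical organisation:
LAST_INFECTION = Infection(hosts_cleaned=200, cleanup_hours_per_host=1.5, it_hourly_rate=60.0,
                           users_affected=500, downtime_hours=4.0, user_hourly_rate=40.0,
                           other_costs=5000.0)
INCIDENTS_PER_YEAR = 2
CONTROLS = [
    Control("User education and host hardening (staff time)", 0.0, 15000.0, 1, 0.25),
    Control("Gateway antivirus", 40000.0, 10000.0, 3, 0.50),
    Control("Host IPS agents", 120000.0, 30000.0, 3, 0.60),
]

if __name__ == "__main__":
    print(f"last infection cost: {LAST_INFECTION.total_cost():,.2f}")
    for name, cost, avoided, net in evaluate(LAST_INFECTION, INCIDENTS_PER_YEAR, CONTROLS):
        print(f"{name:50s} cost {cost:>10,.2f}  avoids {avoided:>10,.2f}  net {net:>10,.2f}")
```

The ranking is only as good as the reduction fractions and the incident-rate estimate; the point of laying the model out in code is that management can see which inputs drive the answer and challenge them, rather than being handed a single number.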


For more info on this topic, please visit these SearchSecurity.com resources:
  • Featured Topic: 21st-century firewalls
  • March 2004 Information Security magazine: Anatomy of a risk assessment
  • Security Tip: Keys to an effective virus incident-response team
