George A. Chidi Jr.
Published: 01 May 2004
An alert loan agent at SLM Corp.--better known as Sallie Mae, the college loan company--reported a suspicious e-mail as she was closing up for the day. She had spotted one of the earliest instances of the MyDoom.G worm.
"The best time to address a virus infection is when you don't have a virus."
--Director of Information Security, Sallie Mae
This interrupted the dinner plans of Mark Houpt, Sallie Mae's technical security team leader. "It didn't even have a name yet," Houpt says. Worse, there was no AV signature for the variant. Houpt ended up sleeping on the floor of Sallie Mae's Indiana data center waiting for Computer Associates to release new definitions (which arrived around 3 a.m.).
New variants of MyDoom, Bagle and Netsky have been spotted daily--sometimes several times a day--since they first appeared in the opening months of 2004. Estimates place February as the worst month on record for malware because of these rapid and voluminous outbreaks.
Roy Mellinger, Sallie Mae's director of information security, was on a plane home from Virginia when MyDoom.G was discovered on his network. Without hesitation, he alerted management and set his incident response team into action. Within minutes, the network was locked down, and all incoming e-mail was quarantined (a rare occurrence in many enterprises, but effective at Sallie Mae). While this disrupted business operations, it reduced the time, effort and cost of recovery.
The median cost of disaster recovery from a virus infection is about $11,000, according to the recently released ICSA Labs Annual Virus Prevalence Survey. While the infection rate remained relatively flat, virus encounters more than doubled in 2003, increasing to 2.7 million reported per month. The constant barrage of new malware and variants is reflected in security managers' perceptions: 88 percent of survey respondents believe the problem is getting worse.
Mellinger is in that group. He knows that an infection is a matter of when, not if. Like other security managers, he's trying to augment conventional AV scanning with stepped-up awareness policies and tighter system controls.
Network managers looking to give more than the "come-to-Jesus talk" about opening strange e-mail attachments and reporting incidents--again--need to consider synergistic technical solutions.
AV experts recommend enterprises reexamine their network security as a whole--from AV and firewalls to business practices. Security managers should concentrate on defending high-value assets, patching known vulnerabilities and rebuilding the network into easily isolatable segments to keep malware from overwhelming organic networks.
"The machine in India is as equally connected to the server as the one in Los Angeles," says Vincent Weafer, a senior director of Symantec Security Response. "The manager should ask, 'Is this machine going to be allowed on the network?' Sectioning off the network and limiting the number of connections to the Internet is vital."
Sallie Mae uses the heuristics in Computer Associates' eTrust Antivirus to look for unidentified threats. Though it's available in most major AV applications and provides an added degree of protection, heuristics is limited in its ability to detect previously unseen malicious code.
Security vendors also recognize the need to move beyond conventional AV methods. Key to Microsoft's strategy for combating malware is behavioral analysis and sandboxing, but those features probably won't be available until the release of Longhorn (the next version of Windows) in 2006.
Trend Micro is taking a multipronged approach to worm defense with its new Network VirusWall. The appliance, used in conjunction with Trend Micro's Control Manager 3.0 software, applies policy-based filters to stop worms until signatures are available. It also automates worm cleanup by removing the malicious code from infected systems.
Symantec is working on an egress-flow monitoring system to check network traffic for patterns--spikes in RPC calls, unusual protocols, bandwidth spikes, etc.--that indicate an infection.
Similar to Symantec's effort are solutions that monitor traffic flow for anomalies. Solutions by Q1 Labs, Arbor Networks and Mazu Networks will kick off alerts when they register sudden traffic spikes, unusual protocols and abnormal procedure calls. These products help enterprises detect and prevent the spread of malware, both in their networks and on the Internet.
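The flow-monitoring idea described above, as an added example that is not code from Symantec, Q1 Labs, Arbor Networks or Mazu Networks: it compares one window of simplified, constructed NetFlow-like records against a quiet baseline and flags hosts with a spike in RPC/SMB connections, a spike in outbound bytes, or a protocol outside an assumed allowlist. The port set, the factor-of-five threshold and the host names are assumptions for the illustration.

```python
from collections import Counter, defaultdict, namedtuple

RPC_PORTS = {135, 139, 445}    # Windows RPC/SMB ports that worms of this era probed (assumed set)
KNOWN_PROTOS = {"tcp", "udp"}  # anything else is reported as an unusual protocol
Flow = namedtuple("Flow", "src dst_port proto nbytes")  # one constructed flow record

def summarize(flows):
    """Per-host counters for one window: RPC connections, bytes, protocols seen."""
    rpc, nbytes, protos = Counter(), Counter(), defaultdict(set)
    for f in flows:
        if f.dst_port in RPC_PORTS:
            rpc[f.src] += 1
        nbytes[f.src] += f.nbytes
        protos[f.src].add(f.proto)
    return rpc, nbytes, protos

def detect(baseline, window, factor=5):
    """Flag hosts whose window exceeds `factor` times their baseline RPC count
    or byte volume, or that talk a protocol outside KNOWN_PROTOS."""
    b_rpc, b_bytes, _ = summarize(baseline)
    w_rpc, w_bytes, w_protos = summarize(window)
    alerts = {}
    for host in sorted(w_protos):
        reasons = []
        if w_rpc[host] > factor * max(b_rpc[host], 1):
            reasons.append("rpc_spike")
        if w_bytes[host] > factor * max(b_bytes[host], 1):
            reasons.append("bandwidth_spike")
        unusual = w_protos[host] - KNOWN_PROTOS
        if unusual:
            reasons.append("unusual_protocol:" + ",".join(sorted(unusual)))
        if reasons:
            alerts[host] = reasons
    return alerts

# Constructed baseline (a quiet period): web browsing, a little SMB, a little SMTP.
BASELINE = ([Flow("ws-01", 80, "tcp", 40_000)] * 20 + [Flow("ws-01", 445, "tcp", 2_000)] * 2
            + [Flow("ws-02", 443, "tcp", 60_000)] * 20 + [Flow("ws-02", 445, "tcp", 2_000)] * 2
            + [Flow("ws-03", 25, "tcp", 5_000)] * 2)
# Constructed current window: ws-01 hammers SMB/RPC and emits ICMP, ws-03 floods
# SMTP like a mass mailer, ws-02 is unchanged.
WINDOW = ([Flow("ws-01", 445, "tcp", 500)] * 60 + [Flow("ws-01", 0, "icmp", 100)]
          + [Flow("ws-02", 443, "tcp", 60_000)] * 20 + [Flow("ws-02", 445, "tcp", 2_000)] * 2
          + [Flow("ws-03", 25, "tcp", 20_000)] * 20)

if __name__ == "__main__":
    print(detect(BASELINE, WINDOW))  # {'ws-01': ['rpc_spike', 'unusual_protocol:icmp'], 'ws-03': ['bandwidth_spike']}
```

The baseline should come from the same network segment at a comparable time of day; a per-host ratio against a baseline of zero is clamped to one connection or one byte so that hosts never seen before still produce alerts.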
American Tower Corp., a Massachusetts-based cellphone infrastructure company, protects its Outlook e-mail with AV software and Mazu's Profiler, a behavior-based network monitoring system.
"In the past, we've focused a lot on perimeter security, but, in the last year or two, we're seeing more backdoor viruses from laptop users," says Eric Wassell, American Tower's director of IT operations. After a frustrating experience over the holidays waiting for definitions for a low-level virus infection, Wassell says he's trying not to rely on AV software as a sole defense.
Some enterprises use honeypots to detect malware. Once reserved for researchers who liked to study hacker techniques, these decoy systems act like black holes on the network. Anything that hits them or any traffic coming out of them is immediately tagged as suspicious.
Other emerging technologies may work to curb the flow of fast-spreading worms and viruses. Cisco Systems is developing Network Admission Control, which checks for compliance with security policies before allowing a connection. Vendors such as Symantec, InfoExpress, StillSecure, Check Point Software Technologies and Sygate offer similar solutions.
Logically segmented infrastructures reduce demand on AV software for protection and are easier to lock down during a crisis. Check Point recently released its InterSpect appliance, which enables such a strategy. It monitors traffic at choke points and isolates network segments when it registers anomalous patterns.
A less expensive, but potentially more cumbersome, strategy is to tighten network traffic policies. Sallie Mae has started blocking employee access to Web-based e-mail programs like Hotmail and Yahoo. While there's a clear need to provide easy connections for employees, the risk of unrestricted access outweighs the business benefit. "We were spending too much time defending against attacks getting through our perimeter," Mellinger says.
Stop and block
Even if they don't always exercise good judgment, end users generally understand that double-clicking on a suspicious attachment is a major no-no. Enterprises are beginning to understand that allowing file attachments to even reach end users is often not worth the risk of infection.
"At the global enterprise level, the best advice I can give is to block everything," says Vincent Gullotto, VP of McAfee's Anti-Virus Emergency Response Team. That means no attachments, period. There's a substantial difference in infection rates and cleanup time between companies that strictly block attachments and those that don't, he says.
Until recently, enterprises were reluctant to filter at the gateway, fearing that legitimate, business-essential data would get lost or delayed. The ICSA Labs survey found that filtering select attachments such as .exe and .vbs is a common malware defense (88 percent), second only to real-time AV scanning (97 percent).
And it's also popular with the rank and file, says Paul Schmehl, adjunct information security officer for the University of Texas at Dallas. When the university began blocking e-mail executables a few years ago, some admins balked, and the majority of campus users asked why blocking delayed messages so long (sometimes more than a day).
But Schmehl says university users quickly learned that preventing virus infections outweighs the inconvenience. He expects more enterprises will realize this after they begin blocking ZIP files and the like.
About the author:
George A. Chidi, Jr. is a Massachusetts-based freelance writer.