Published: 01 May 2002
One of the great ironies of infosecurity is that almost every organization uses AV, yet viruses and worms continue to wipe us out. When you bring this to the attention of the antivirus vendors, they'll calmly explain that no security tool is 100 percent effective, and that as important as AV scanning is, it's only one part of a larger strategy for combating malcode. Fair enough. But whether there are gaps in the technology or gaps in enterprise strategy or gaps in both, this much is clear: whatever we're doing to fight viruses isn't enough.
In this Information Security Special Report, we expose the root of today's malcode problem, offering insight on why viruses and worms continue to hit us so hard, as well as practical advice for improving your organization's antivirus posture. The report is broken down into six sections, each exploring a critical aspect of the war on malicious code.
How Bad Is It?
The first step in defending against any cybersecurity threat is to determine the severity of a given risk. So the first question we must ask is, "How bad is the virus problem?" In a word: bad. And getting worse.
The Seventh Annual ICSA Labs' Virus Prevalence Survey, released this spring, shows that companies experience an increasing number of virus incidents year after year, and that the cost of recovering from those incidents continues to rise. The survey group of 300 organizations experienced nearly 1.2 million virus encounters on about 650,000 machines during the 20-month survey period. In the last two months of the 2001 survey, companies averaged 103 virus infections per 1,000 machines per month, up 13 percent from the 2000 survey.
Given the increase in incidents, it's not surprising that the majority of survey respondents said the virus problem is getting worse. One-third of companies (32 percent) said the problem was "much worse," while 40 percent said it was "somewhat worse." Only 2 percent said it was better.
On the positive side, the number of virus "disasters" -- defined as 25 or more PCs or servers infected at the same time -- decreased from 2000 to 2001. In 2001, 28 percent of respondents said they experienced a virus disaster, down from 51 percent in 2000 and 43 percent in 1999. The average server downtime for those experiencing disasters was 14 hours.
That virus disasters are decreasing overall is little consolation for those hit by them. Not surprisingly, Nimda was cited most often by respondents as the source of their most recent disaster, followed by LoveLetter -- even though it's been in the wild for more than two years now.
The effects of viruses on enterprise computing are wide-ranging and numerous. Nearly three out of four respondents said viruses caused PC downtime and a loss of personnel and machine productivity. More than half said viruses corrupted their files, while a third said they lost data as a result.
What about AV coverage? Nine out of 10 respondents said that they run AV scanning on all corporate desktops, with Network Associates' McAfee Security and Symantec as the leading software choices.
The survey also shows that many companies installed AV scanners on mail servers, proxy servers and firewalls for the first time in 2001. In 2000, almost no one protected these network services. But in 2001, 84 percent of respondents said they protect mail servers with AV, while 45 percent do so on proxy servers and 51 percent on firewalls. In addition, many more corporations are now blocking, filtering or quarantining selected files or objects at gateway servers. Nearly seven out of 10 do so on mail servers, while about 40 percent do so on both proxies and firewalls.
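To make the gateway blocking, filtering and quarantining described above concrete, here is a small attachment-policy check written as an added example; it is not code from the report or from any surveyed product, and the extension lists, magic-byte table and sample attachments are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy tables (assumptions, not a vendor's configuration).
BLOCKED_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "wsf", "hta"}
QUARANTINE_EXTENSIONS = {"zip", "doc", "xls"}     # hold for content scanning
MAGIC = {b"MZ": "pe-executable", b"PK\x03\x04": "zip-archive",
         b"\xd0\xcf\x11\xe0": "ole-document"}


@dataclass
class Verdict:
    action: str    # "allow", "block" or "quarantine"
    reason: str


def sniff(head: bytes) -> Optional[str]:
    """Identify the content type from the first bytes, ignoring the filename."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def classify(filename: str, head: bytes) -> Verdict:
    """Gateway decision for one attachment: content checks first, then name checks."""
    name = filename.lower().strip()
    suffixes = name.split(".")[1:]          # every extension after the base name
    kind = sniff(head)
    # Executable bytes are blocked whatever the file claims to be.
    if kind == "pe-executable":
        return Verdict("block", "executable content regardless of filename")
    # The final extension decides how a desktop would open the file.
    if suffixes and suffixes[-1] in BLOCKED_EXTENSIONS:
        if len(suffixes) > 1:
            return Verdict("block", "deceptive double extension ." + ".".join(suffixes))
        return Verdict("block", "executable extension ." + suffixes[-1])
    # Archives and office documents are held until a scanner has looked inside.
    if kind in ("zip-archive", "ole-document") or (suffixes and suffixes[-1] in QUARANTINE_EXTENSIONS):
        return Verdict("quarantine", "held for content scan (%s)" % (kind or suffixes[-1]))
    return Verdict("allow", "no policy match")


if __name__ == "__main__":
    # Constructed sample attachments: (filename, first bytes).
    for fname, head in [("report.txt", b"quarterly figures"), ("invoice.txt.vbs", b"on error resume next"),
                        ("photo.jpg", b"MZ\x90\x00"), ("q1.zip", b"PK\x03\x04\x14\x00")]:
        print(fname, classify(fname, head))
```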
The Menace Is Loose Again
Overall, the ICSA Labs' Virus Prevalence Survey underscores the importance of a multilayered AV defense strategy. The prevalence and cost of virus infections are up, but the frequency of virus disasters is down. Why? One possibility is that the virus problem has become so common that it's now underreported. Another possibility is that many more corporations are supplementing desktop AV scanning with server-based scanning and gateway filtering.
As blended threats such as Nimda become more common, server-based security will become even more important. Companies must not only scan, block and filter at the gateway, but also make sure vulnerable Web and application servers have been hardened and patched.
It's unrealistic to expect that we'll ever completely eradicate the threat of computer viruses. But a sound methodology that combines scanning, host hardening, gateway protection and other practical security controls will make malcode a little less menacing.
About the author: Andy Briney is editor-in-chief of Information Security.