Information Security

Defending the digital infrastructure



How to solve the growing enterprise issue of cyber menace

This issue of Information Security offers a six-part special report on the growing threat of viruses and worms and how enterprises can best battle the never-ending cyber menace.

One of the great ironies of infosecurity is that almost every organization uses AV, yet viruses and worms continue to wipe us out. When you bring this to the attention of the antivirus vendors, they'll calmly explain that no security tool is 100 percent effective, and that as important as AV scanning is, it's only one part of a larger strategy for combating malcode. Fair enough. But whether there are gaps in the technology or gaps in enterprise strategy or gaps in both, this much is clear: whatever we're doing to fight viruses isn't enough.

In this Information Security Special Report, we expose the root of today's malcode problem, offering insight on why viruses and worms continue to hit us so hard, as well as practical advice for improving your organization's antivirus posture. The report is broken down into six sections, each exploring a critical aspect of the war on malicious code.

How Bad Is It?

The first step in defending against any cybersecurity threat is to determine the severity of a given risk. So the first question we must ask is, "How bad is the virus problem?" In a word: bad. And getting worse.

The Seventh Annual ICSA Labs' Virus Prevalence Survey, released this spring, shows that companies experience an increasing number of virus incidents year after year, and that the cost of recovering from those incidents continues to rise. The survey group of 300 organizations experienced nearly 1.2 million virus encounters on about 650,000 machines during the 20-month survey period. In the last two months of the 2001 survey, companies averaged 103 virus infections per 1,000 machines per month, up 13 percent from the 2000 survey.

Given the increase in incidents, it's not surprising that the majority of survey respondents said the virus problem is getting worse. One-third of companies (32 percent) said the problem was "much worse," while 40 percent said it was "somewhat worse." Only 2 percent said it was better.

On the positive side, the number of virus "disasters" -- defined as 25 or more PCs or servers infected at the same time -- decreased from 2000 to 2001. In 2001, 28 percent of respondents said they experienced a virus disaster, down from 51 percent in 2000 and 43 percent in 1999. The average server downtime for those experiencing disasters was 14 hours.

That virus disasters are decreasing overall is little consolation for those hit by them. Not surprisingly, Nimda was cited most often by respondents as the source of their most recent disaster, followed by LoveLetter -- even though it's been in the wild for more than two years now.

The effects of viruses on enterprise computing are wide-ranging and numerous. Nearly three out of four respondents said viruses caused PC downtime and a loss of personnel and machine productivity. More than half said viruses corrupted their files, while a third said they lost data as a result.

What about AV coverage? Nine out of 10 respondents said that they run AV scanning on all corporate desktops, with Network Associates' McAfee Security and Symantec as the leading software choices.

The survey also shows that many companies installed AV scanners on mail servers, proxy servers and firewalls for the first time in 2001. In 2000, almost no one protected these network services. But in 2001, 84 percent of respondents said they protect mail servers with AV, while 45 percent do so on proxy servers and 51 percent on firewalls. In addition, many more corporations are now blocking, filtering or quarantining selected files or objects at gateway servers. Nearly seven out of 10 do so on mail servers, while about 40 percent do so on both proxies and firewalls.

The Menace Is Loose Again

Overall, the ICSA Labs' Virus Prevalence Survey underscores the importance of a multilayered AV defense strategy. The prevalence and cost of virus infections are up, but the frequency of virus disasters is down. Why? One possibility is that the virus problem has become so common that it's now underreported. Another possibility is that many more corporations are supplementing desktop AV scanning with server-based scanning and gateway filtering.

As blended threats such as Nimda become more common, server-based security will become even more important. Companies must not only scan, block and filter at the gateway, but make sure vulnerable Web and application servers have been hardened and patched.

It's unrealistic to expect that we'll ever completely eradicate the threat of computer viruses. But a sound methodology that combines scanning, host hardening, gateway protection and other practical security controls will make malcode a little less menacing.

About the author: Andy Briney is editor-in-chief of Information Security.

This was last published in May 2002
