Step five: Tackling viruses and spam
In the fifth of his series on information security, Stewart Twynham of Bawden Quinn addresses something that concerns every internet user - how to protect themselves from infections and the growing flood of unwanted emails.
The state of play
Research carried out by Dynamic Markets suggests that 97% of SMEs have implemented some form of anti-virus protection, however the DTI's 2002 security study suggested that 41% of small businesses had suffered a virus attack, with more recent studies suggesting far higher figures.
Based upon these statistics ' it appears that over half of small businesses fail to use anti-virus technology correctly. This article will tackle the problem head on.
We'll also look at Spam ' the scourge of modern day communications. MessageLabs reported that over half of the email it processes for businesses every single day is spam ' a trend that is getting steadily worse, not better.
Firewalls and anti-virusare two completely different forms of protection, working to solve two very different problems. Imagine an office block. When you enter, you first have to get past a security guard ' who will ensure that you do indeed have a valid appointment with someone on the premises. That's what a firewall does ' controls who enters and leaves the building. Next, although you have a valid appointment, you could be carrying a bomb. You are therefore asked to pass your briefcase through an X-Ray machine. That's what anti-virus does ' examines the data you are carrying to see if there is anything malicious inside. One without the other is a false economy ' they are not interchangeable parts.
How anti-virus works
There are essentially three core techniques used by present-day anti-virus systems, two of which can run on your desktop PC.
Signature based anti-virus A virus is essentially a software program like any other ' and as such has instructions which are unique to that particular program. These unique instructions can be used as a 'signature' to help detect the presence of that program. The anti-virusprogram will normally check for these signatures whenever your computer tries to read or write files to or from a disk, or as part of a 'scan' of your hard drive. Some will also check for viruses whenever your computer is downloading emails.
- False positives (where a legitimate file is mistaken for a virus) are low
- The software can run on your desktop, and is usually fairly cheap
- The anti-virussoftware is only as good as your last update
- New viruses can spread before the signatures are updated.
Heuristics based anti-virus Virus writers aren't usually the world's best software developers. They share their secrets on-line, and even use 'virus development toolkits' to create new viruses with a few clicks of a mouse. Consequently, large chunks of seemingly different viruses can often use similar instructions.
A heuristics engine is usually used in addition to a signature based engine, and looks for 'virus like' software ' spotting anything that looks like a potential virus.
- Can spot some viruses before they are written
- False positives can be high. A 1% error scanning 10,000 Word documents would keep any IT department busy!
- The ones that run on your PC are not that good at finding new viruses
- They can slow your PC's performance
Internet-level anti-virus (eg MessageLabs) Most virus writers have chosen email as the fastest way of spreading viruses. In addition, some have even used Spamming techniques ' sending the virus to millions of people to give it a jumpstart ahead of the anti-virus companies.
Internet based anti-virus companies such as MessageLabs combat this by sitting between the email sender and your ISP, and combine signature based anti-virus with sophisticated heuristics engines. Any mass-mailing virus is easily spotted ' the system sees that someone is trying to send a number of very similar attachments in real time, and all such emails are immediately blocked and quarantined before any customer receives them.
- Not signature based ' spots 100% of viruses before they are written
- Runs on massive computer 'towers' ' so the software can be much more sophisticated than that on your desktop PC
- No maintenance required
- System can be extended to block Spam and porn as well
- Cost for very small businesses ' minimum £50 per month for the anti-virus only service, for up to 25 users.
- Only protects against email viruses ' businesses must still deploy some form of desktop/server anti-virus protection
Common mistakes when deploying anti-virus systems
These are the common mistakes that we have observed in a number of companies ' often as a result of the company wishing to save a little money. Then end result is that the company ends up spending far more money putting things right, and then still has to go out and invest in the anti-virus products anyway to prevent the same thing happening all over again!
1. Not updating the signatures
When a virus is released, anti-virus companies will attempt to create a signature in a matter of hours. Until then, the virus can spread rapidly, and as a result numbers of email infections will often surpass other viruses by an order of magnitude. If you receive 20 viruses on day one, 19 of them could be the 'latest' virus. If you haven't updated your anti-virus software BEFORE you opened up your email system, your anti-virus software will only spot one of those twenty ' and hence is only 5% effective.
Anti-virus which is a day out of date is, for all practical purposes, completely useless.
2. Too little, too late
If you have five desktops, two laptops and one server ' you need anti-virus for five desktops, two laptops and one server. It is our direct experience that companies will perhaps only protect the laptops ' or only the machines used for email or receiving files on disk. This Swiss-cheese approach has one benefit ' it saves a small amount of money up-front, but modern viruses present a 'blended threat' ' spreading through a variety of means ' once they enter your network they can spread to all machines, making eradication difficult. Overall, the cost will be far higher than if you'd done the job properly in the first place.
It is vital to protect every part of your network, where possible, otherwise that one computer or server you didn't protect will probably become your weakest link, and hence your downfall.
3. Putting cure before prevention
You would never put yourself at risk of a serious medical infection just because you knew your GP could administer antibiotics. So why put your network at risk by assuming your anti-virus will kick in, hopefully in time to save your data?
Anti-virus does exactly what it says on the tin ' it's the last resort before you have to wipe all of your computers and hope your backup tapes are working. Instead, exercise good practices when setting up your network, including:
- Blocking malicious attachments (such as .exe, .pif, .scr) at your email software, email server or firewall
- Configuring firewalls to prevent the spread of viruses/worms back outside of your network
- Patching and updating all software and operating systems
- Training users not to click on certain attachments, pop-up ads, etc
- Training users what to do in the event of something unexpected happening, such as an attachment not appearing to open, or a very slow Internet connection
- Maintaining an acceptable use policy ' banning certain services such as P2P/Kazaa file sharing, preventing downloads of MP3s, pornography etc, which often require dubious 'tools' to be installed. Basically ' ban anything that isn't work related!
Spam/unsolicited bulk email
A special note is reserved for Spam, since it's such a big problem for so many users. Spam is any email sent to a user which is unsolicited ' and usually for some bizarre, offensive or non-existent product or service. Spammers are increasingly unlawful ' they have been hijacking insecure computers for years to send millions of emails for free (often computers belonging to home users or small businesses). Over the last few years, however, the subject matter of the Spam itself has become increasingly unlawful, including:
- Attempts to get people to buy non-existent or inferior services in order to obtain credit card numbers
- Banking scams ('Please re-enter all your personal details') ' which has even hit Barclays customers in the UK
- The 'Advanced Fee' 419 Nigerian scam ('Hi, I am an official of XYZ bank, I need your money to help me move several billion dollars out of the country, for which you will get a 20%). This particular scam has resulted in kidnap and death for some of those daft enough to play along.
- Distributing viruses by Spam
- Creating viruses to turn PCs into Spam 'bots'
The reason Spam works is simple. By hijacking the servers and PCs belonging to users, small businesses and small ISPs, Spammers can send millions of emails for free. It only takes one response in that million to turn a profit. And there are always plenty of people daft enough to play along.In the coming weeks, we will discuss:
- Good housekeeping, backup and physical security
- Training, acceptable use policies and legislation
- ISPs, Domains, Web design and Hosting
- The impact of new technology ' VPNs, WiFi, Broadband, et al
Dealing with Spam ' Step one: Reduce the effects
Single users and small businesses can opt to download one of the many free/cheap tools available to automatically detect and eliminate spam from inboxes. Mailwasher is pretty neat ' and free for single account use. It allows you to delete spam directly from POP3 mailboxes, saving you from having to download first. Some ISPs also are starting to offer low-cost Spam protection ' if so, use it.
Slightly larger businesses should opt to use the commercial services from companies like MessageLabs, where combined anti-virus/porn/spam protection costs from £75 per month for up to 25 users. This kind of service comes with service level guarantees far stronger than your ISP can offer, and has a far more sophisticated anti-virus/Spam heuristics engine.
Just to put the cost in perspective (because many people still complain!): one of our clients was being hammered by viruses and spam and was going to have to upgrade their email server and leased line. This is a 15-user recruitment company, which advertises heavily on the Internet (hence the volume of Spam). Installing MessageLabs cost £150, plus £900 for the annual fee. In that time the service has:
- Dealt with over 266,000 emails
- Deleted over 121,000 items of spam (almost 50%)
- Stopped all 2,500 viruses sent to the company.
The client estimates that not having to upgrade its email server and leased line has saved literally thousands. The service is also much cheaper and more reliable than most server-based anti-virus/Spam products and requires no maintenance. It has saved as much as ten man-weeks in eliminating the enormous volume of Spam the company was receiving.
Step two: Prevention
Spammers work by harvesting or guessing email addresses. You can reduce the amount of Spam you receive by:
- Being careful when/how you register with online services. If possible, use a hotmail or yahoo account set up purely for registrations, or choose an anonymous service such as Mailinator
- Don't advertise email addresses on your website ' or limit to password protected areas. If you want customers to contact you, use an online-form with no discernable address, or limit to a specific 'contact' address.
- Don't use your business email when setting up and buying domain names. Nominet allows 'ex-directory' registration for .co.uk domains, where the details are withheld from internet searches.
- Where possible, DO NOT OPEN Spam email. Many use 'web beacons', unique graphics and/or other content either embedded into the email or the web pages they direct you to. Just opening the email or web page link is sufficient to tell the spammer your email has been read and your address is live' hence more junk email!
- NEVER EVER (EVER') use the 'click here to remove your email' option unless you know the company ' this is the easiest way to trick people into confirming their email address!
I hope that this has been a useful insight into the world of virus and Spam prevention.Next week: we look at housekeeping, data backup and physical security. No matter how good your systems and software may be ' getting the most basic things wrong will destroy all of your good work.
Further reading: Information security series
- Step 1 - Identify your assets
- Step 2 - Understanding the threats and vulnerabilities
- Step 3: Things that turn threats and potential loss into risk
- Step 4: The firewall
- Step 5: Tackling viruses and spam
- Step 6: Good housekeeping
- Step 7: Training, acceptable use policies and legislation
- Step 8: Domain name purchase and protection