Network Information Access
17APR90
Judge Dredd
File 26

Founded By: Guardian Of Time, Judge Dredd
Mother Earth BBS
NUP:> DECnet
Text File Archives

Computer Viruses & Threats IV

$_Virus Prevention for Personal Computers and Associated Networks

Virus prevention in the personal computer environment differs from that of the multi-user computer environment mainly in two respects: the relative lack of technical controls, and the resulting emphasis this places on less technically oriented means of protection, which in turn requires more reliance on user involvement. Personal computers typically do not provide technical controls for such things as user authorization, access controls, or memory protection that differentiates between system memory and memory used by user applications. Because of the lack of controls and the resulting freedom with which users can share and modify software, personal computers are more prone to attack by viruses, unauthorized users, and related threats.

Virus prevention in the personal computer environment must rely on continual user awareness to adequately detect potential threats and then to contain and recover from the damage. Personal computer users are in essence personal computer managers, and must practice that management as part of their general computing. Personal computers generally do not contain auditing features, so a user needs to be aware at all times of the computer's performance, i.e., what it is doing and what is normal or abnormal activity. Ultimately, personal computer users need to understand some of the technical aspects of their computers in order to protect, deter, contain, and recover.
Not all personal computer users are technically oriented; this poses some problems and places even more emphasis on user education and involvement in virus prevention. Because of the dependence on user involvement, policies for the personal computer environment are more difficult to implement than in the multi-user computer environment. However, emphasizing these policies as part of a user education program will help to ingrain them in users' behavior. Users should be shown, via examples, what can happen if they don't follow the policies. An example in which users share infected software and then spread it throughout an organization would illustrate the point effectively, making the purpose of the policy clearer and more likely to be followed. Another effective method for increasing user cooperation is to create a list of effective personal computer management practices specific to each personal computing environment. Such a list would save users the problem of determining how best to enact the policies, and would serve as a convenient checklist that users could reference as necessary.

It will likely be years before personal computers incorporate strong technical controls in their architectures. In the meantime, managers and users must be actively involved in protecting their computers from viruses and related threats. The following sections provide guidance to help achieve that aim.

$_General Policies

Two general policies are suggested here. The first requires that management make firm, unambiguous decisions as to how users should operate personal computers, and state that policy in writing. This policy will be a general restatement of all other policies affecting personal computer use. It is important that users read this policy and agree to its conditions as a prerequisite to personal computer use. The purposes of the policy are to (1) ensure that users are aware of all policies, and (2) impress upon users the need for their active involvement in computer security.

The second policy is that every personal computer should have an "owner" or "system manager" who is responsible for the maintenance and security of the computer, and for following all policies and procedures associated with the use of the computer. It would be preferable that the primary user of the computer fill this role. It would not be too extreme to make this responsibility a part of the user's job description. This policy will require that resources be spent on educating users so that they can adequately follow all policies and procedures.

$_Software Management

Due to the wide variety of software available for many types of personal computers, it is especially important that software be carefully controlled. The following policies are suggested:

- Use only licensed copies of vendor software for personal computers. Ensure that the license numbers are logged, that warranty information is completed, and that updates or update notices will be mailed to the appropriate users. Ensure that software versions are uniform on all personal computers. Purchase software from known, reputable sources: do not purchase software that is priced suspiciously low, and do not use pirated software, even on a trial basis. Where possible, buy software with built-in security features.
- Do not install software that is not clearly needed. For example, software tools such as compilers or debuggers should not be installed on machines where they are not needed.
- Store the original copies of vendor software in a secure location for use when restoring the software.
- Develop a clear policy for use of public-domain software and shareware. It is recommended that the policy prohibit indiscriminate downloading from software bulletin boards. A special isolated system should be configured to perform the downloading, as well as for testing downloaded and other software or shareware. The operation of the system should be managed by a technically skilled user who can use anti-virus software and other techniques to test new software before it is released for use by other users.
- Maintain an easily updated database of installed software. For each type of software, the database should list the computers where the software is installed, the license numbers, the software version number, the vendor contact information, and the responsible person for each computer listed. This database should be used to quickly identify users, machines, and software when problems or emergencies arise, such as when a particular type of software is discovered to contain a virus or other malicious software.
- Minimize software sharing within the organization. Do not permit software to be placed on computers unless the proper manager is notified and the software database is updated. If computer networks permit software to be mailed or otherwise transferred among machines, prohibit this as a policy. Instruct users not to run software that has been mailed to them.
- If using software repositories on LAN servers, set up the server directory such that users can copy from the directory but not add software to it. Assign a user to manage the repository; all updates to the repository should be cleared through this individual. The software should be tested on an isolated system as described earlier.
- If developing software, consider the use of software management and control programs that automate record keeping for software updates and that provide a degree of protection against unauthorized modifications to the software under development.
- Prohibit users from using software or disks from their home systems. A home system that is used to access software bulletin boards, or that uses shared copies of software, could be infected with viruses or other malicious software.

$_Technical Controls

As stated earlier, personal computers suffer from a relative lack of technical controls. There are usually no mechanisms for user authentication or for preventing users or software from modifying system and application software. Generally, all software and hardware is accessible to the personal computer user, so the potential for misuse is substantially greater than in the multi-user computer environment. However, some technical controls can be added to personal computers, e.g., user authentication devices. The technical controls that do not exist can be simulated by other controls, such as a lock on an office door to substitute for a user authentication device, or anti-virus software to take the place of system auditing software. Lastly, some of the personal computer's accessibility can be reduced, such as by the removal of floppy diskette drives or by the use of diskless computers that must download their software from a LAN server. The following items are suggested:

- Where technical controls exist, use them. If basic file access controls are available to make files read-only, make sure that operating system files and other executable files are marked read-only. Use write-protect tabs on floppy diskettes and tapes. If LAN access requires a password, ensure that passwords are used carefully; follow the guidelines for password usage presented in file III.
- Use new, cost-effective forms of user identification such as magnetic access cards. Or set up other software, such as a password mechanism, that at a minimum deters unauthorized users.
- If using a LAN, consider downloading the personal computer's operating system and other applications from a read-only directory on the LAN server (instead of from the personal computer's hard disk). If the LAN server is well protected, this arrangement would significantly reduce the chances of the software becoming infected, and would simplify software management.
- Consider booting personal computers from write-protected floppy diskettes (instead of the computer's hard disk). Use a unique diskette per computer, and keep the diskette secured when not in use.
- Do not leave a personal computer running but unattended. Lock the computer with a hardware lock (if possible), or purchase vendor add-on software to "lock" the keyboard using a password mechanism. Alternatively, turn off the computer and lock the office door. Shut down and lock the computer at the end of the day.
- When using modems connected to personal computers, do not provide more access to the computer than necessary. If only dial-out service is required, configure the modem so that it won't answer calls. If dial-in service is necessary, consider purchasing modems that require a password or that use a call-back mechanism to force a caller to call from a telephone number that is known to the modem.
- Consider using "limited-use" systems, whereby the capabilities of a system are restricted to only what is absolutely required. For example, users who run only a certain application (such as a word processor) may not require the flexibility of a personal computer. At a minimum, do not install applications or network connections where they are not needed.

$_Monitoring

Personal computer operating systems typically do not provide any software or user monitoring/auditing features. Monitoring, then, is largely a user function: the user must be aware of what the computer is doing, such as when the computer is accessing the disk or the general speed of its response to commands, and then must decide whether the activity is normal or abnormal. Anti-viral software can be added to the operating system and run in such a way that the software flags or in some way alerts a user when suspicious activity occurs, such as when critical files or memory regions are written.

Effective monitoring depends on user education. Users must know what constitutes normal and abnormal activity on their personal computers. They need to have a reporting structure available so that they can alert an informed individual to determine whether there is indeed a problem. They need to know the steps to take to contain the damage, and how to recover. Thus, the following policies and procedures are recommended:

- Form a team of skilled technical people to investigate problems reported by users. This same group could be responsible for other aspects of virus prevention, such as testing new software and handling the containment of and recovery from virus-related incidents. Ensure that users have quick access to this group, e.g., via a telephone number.
- Educate users so that they are familiar with how their computers function. Show them how to use such items as anti-viral software. Acquaint them with how their computers boot, what files are loaded, whether start-up batch files are executed, and so forth.
- Users need to watch for changes in patterns of system activity. They need to watch for program loads that suddenly take longer, disk accesses that seem excessive for simple tasks, unusual error messages, disk access lights that turn on when no disk activity should occur, less memory available than usual, files that disappear mysteriously, and less disk space than normal.
- Users also need to examine whether important files have changed in size, date, or content. Such files would include the operating system, regularly run applications, and batch files. System sweep programs may be purchased or built to perform checksums on selected files, and then to report whether changes have occurred since the last time the program was run.
- Purchase virus prevention software as applicable. At a minimum, use anti-viral software to test new software before releasing it to other users. However, do not download or use pirated copies of anti-viral software.
- Always report, log, and investigate security problems, even when the problems appear insignificant. Then use the log as input into regular security reviews. Use the reviews as a means for evaluating the effectiveness of security policies and procedures.

$_Contingency Planning

As described in file II, backups are the single most important contingency procedure. It is especially important to emphasize regular backups for personal computers, due to their greater susceptibility to misuse and due to the usual requirement of direct user involvement in the backup procedure, unlike that of multi-user computers. Because of the second factor, where users must directly copy files to one or more floppy diskettes, personal computer backups are sometimes ignored or not done completely. To help ensure that backups are done regularly, external backup mechanisms that use a high-density tape cartridge can be purchased and a user assigned to run the backup procedure on a regular basis. Additionally, some personal computer networks contain a personal computer backup feature, where a computer can directly access a network server's backup mechanism, sometimes in an off-line mode at a selected time. If neither of these mechanisms is available, then users must be supplied with an adequate number of diskettes to make complete backups and to maintain a reasonable amount of backup history, with a minimum of several weeks.

Users should maintain the original installation media for software applications and store it in a secure area, such as a locked cabinet, container, or desk. If a user needs to restore software, the user should use only the original media; the user should not use any other type of backup or a copy belonging to another user, as they could be infected or damaged by some form of malicious software. The effectiveness of a backup policy can be judged by whether a user is able to recover with a minimum loss of data from a situation in which the user would have to format the computer's disk and reload all software. Several incidents of malicious software have required that users go to this length to recover. Other important contingency procedures are described below:

- Maintain a database of personal computer information. Each record should include items such as the computer's configuration (network connections, disks, modems, etc.), the computer's location, how it is used, the software it runs, and the name of the computer's primary user/manager. Maintain this database to facilitate rapid communication and identification when security problems arise.
- Create a security distribution list for each user. The list should include names of people to contact who can help identify the cause of unusual computer activity, and other appropriate security personnel to contact when actual problems arise.
- Create a group of skilled users who can respond to users' inquiries regarding virus detection. This group should be able to determine when a computer has been attacked, and how best to contain and recover from the problem.
- Set up some means of distributing information rapidly to all affected users in the event of an emergency. This should not rely upon a computer network, as the network could itself be attacked, but could use other means such as telephone mail or a general announcement mechanism.
- Observe physical security for personal computers. Locate them in offices that can be locked. Do not store software and backups in unsecured cabinets.
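The checksum-based "system sweep" suggested under Monitoring, and the restore-and-verify question raised under Contingency Planning, as an added example that is not part of this NIA file or the guide it reproduces: a small Python integrity checker that records a baseline of size, date and SHA-256 digest for a chosen set of files and, on a later run, reports what changed, vanished or appeared. The file names, the temporary directory and the tampering scenario in demo() are constructed for illustration only.

```python
# Added example (not from the NIA/NIST text): a minimal "system sweep" program as the
# Monitoring section describes. Baseline size, date and SHA-256 of selected files, then
# report what changed, vanished or appeared since the baseline was taken.
import hashlib
import json
import os
import tempfile
from pathlib import Path

def digest(path):
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(paths):
    """Record size, modification time and digest for each file that exists."""
    snap = {}
    for p in map(str, paths):
        if os.path.isfile(p):
            st = os.stat(p)
            snap[p] = {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest(p)}
    return snap

def save_baseline(snap, baseline_path):
    Path(baseline_path).write_text(json.dumps(snap, indent=1))

def load_baseline(baseline_path):
    return json.loads(Path(baseline_path).read_text())

def sweep(paths, baseline):
    """Compare the current state with the baseline. The digest catches a content
    change even when size and date were put back afterwards, which a size/date-only
    check (the kind a user does by eye in a directory listing) would miss."""
    current = snapshot(paths)
    report = {"changed": {}, "missing": [], "new": []}
    for p, old in baseline.items():
        if p not in current:
            report["missing"].append(p)
            continue
        diffs = [k for k in ("size", "mtime", "sha256") if current[p][k] != old[k]]
        if diffs:
            report["changed"][p] = diffs
    report["new"] = [p for p in current if p not in baseline]
    return report

def demo():
    """Constructed scenario (hypothetical file names): baseline two files, then
    overwrite one while keeping its size and date, delete the other, add a third."""
    d = Path(tempfile.mkdtemp())
    cmd, auto, extra = d / "COMMAND.COM", d / "AUTOEXEC.BAT", d / "EXTRA.EXE"
    cmd.write_bytes(b"ORIGINAL SYSTEM FILE")
    auto.write_text("@ECHO OFF\n")
    watched = [cmd, auto, extra]                 # EXTRA.EXE does not exist yet
    save_baseline(snapshot(watched), d / "baseline.json")
    base = load_baseline(d / "baseline.json")
    st = cmd.stat()
    cmd.write_bytes(b"TAMPERED SYSTEM FILE")     # same length as the original
    os.utime(cmd, (st.st_atime, st.st_mtime))    # and the original date put back
    auto.unlink()
    extra.write_bytes(b"MZ")
    return sweep(watched, base), str(cmd), str(auto), str(extra)
```

Run the baseline step right after installing from the original media, keep baseline.json on write-protected or off-line storage, and run the sweep before trusting a machine again after a restore.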
$_Associated Network Concerns

Personal computer networks offer many advantages to users; however, they must be managed carefully so that they do not increase vulnerability to viruses and related threats. Used incorrectly, they can become an additional pathway for unauthorized access to systems, and can be used to plant malicious software such as network worms. This section does not provide specific management guidance, as there are many different types of personal computer networks with widely varying degrees of similarity. However, some general suggestions for improving basic management are listed below:

- Assign a network administrator, and make the required duties part of the administrator's job description. Personal computer networks are becoming increasingly complex to administer, so the administration should not be left to an individual who cannot dedicate time as necessary.
- Protect the network server(s) by locating them in secure areas. Make sure that physical access is restricted during off-hours. If possible, lock or remove a server's keyboard to prevent tampering.
- Do not provide more than one administrator account, i.e., do not give other users administrator privileges. As with the problem of multiple system manager accounts on multi-user systems, this situation makes it more likely that a password will become known, and makes overall management more difficult to control. Users should coordinate their requests through a single network administrator.
- Do not permit users to connect personal computers to the network cable without permission. The administrator should keep an updated diagram of the network's topology, complete with corresponding network addresses and users.
- Use the network monitoring tools that are available. Track network usage and access to resources, and pinpoint unauthorized access attempts. Take appropriate action when violations consistently occur, such as requiring the user in question to attend a network user class or disabling the user's network account.
- Ensure that users know how to properly use the network. Show them how to use all security features. Ensure that users know how to use passwords and access controls effectively - see for information on password usage. Show them the difference between normal and abnormal network activity or response. Encourage users to contact the administrator if they detect unusual activity. Log and investigate all problems.
- Do not give users more access to network resources than they require. If using shared directories, make them read-only if write permission is not required, or use a password. Encourage users to do the same with their shared directories.
- Do not set up directories as software repositories unless (1) someone can first verify that the software is not infected, and (2) users are not permitted to write to the directory without prior approval.
- Back up the network server(s) regularly. If possible or practical, back up personal computers using the network server backup mechanism.
- Disable the network mail facility from transferring executable files, if possible. This will prevent software from being indiscriminately shared, and may prevent network worm programs from accessing personal computers.
- For network guest or anonymous accounts, limit the types of commands that can be executed.
- Warn network users to be suspicious of any messages or programs that are received from unidentified sources; network users should have a critical and suspicious attitude towards anything received from an unknown source.
- Always remove old accounts or change passwords. Change important passwords immediately when users leave the organization or no longer require access to the network.

-JUDGE DREDD/NIA [OTHER WORLD BBS]