In-Depth
The Human Factor
Anti-virus software can help with only one part of the defense.
There are certain inventions that have occurred over the last thirty
years that I call integral. By this I mean inventions that have integrated
themselves into life so thoroughly that while we know there must have
been a way of doing things before, we really can't remember that way and
we don't want to go back to it. Microwaves fall into this category (my
children don't believe that you can make popcorn any other way), along
with photocopiers (remember mimeographs?), word processing programs and
of course e-mail.
In the business world e-mail has quickly established itself as the lifeblood
of communication. Electronic messaging has been recognized as an efficient
means of communication that is quicker and cheaper than traditional methods.
E-mail is also now mission-critical to any enterprise. Watch the looks
of consternation and the loss that happens in a corporation when someone
pronounces, "the server is down."
But there's a dark side to e-mail. E-mail is also the most likely source
of penetration and disruption of a corporate network. Securing the e-mail
access point should be the most important security concern of any Chief
Security Officer.
Spam, chain letters and e-mails with inappropriate or offensive content
are enough by themselves to give computer security personnel headaches.
Not only do they cause loss of productive time, waste of bandwidth and
storage space, but they can be sources of embarrassment and, in an increasingly
litigious world, expensive.
Another serious concern is information leaks. Whether an organization
likes to admit it or not there is a greater risk of crucial data being
stolen from within the company than from outside. A 1999 survey revealed
that 21-31% of workers in Fortune 500 companies admitted to sending confidential
information (like financial or product data) to recipients outside the
company by e-mail. In addition there is increasing concern over e-mail
interception and tampering.
Viruses, though, are still the major e-mail security hazard. The ICSA
2000 Computer Virus Prevalence Survey showed that 87% of all viruses are
being transmitted by e-mail or through the Internet. Failure to guard
against e-mail borne viruses is an open invitation to disaster.
What viruses can do and how they infect a system via e-mail seems to
be limited only by the imagination of the virus writers. As Melissa showed
in early 1999 and SirCam this year, it doesn't take much time for a virus
to spread and starting making mischief.
The need for anti-virus engines both on the server and the client should
be obvious. Failing to have a technological response to potential virus
attacks is little short of criminal. At the very least it demonstrates
incompetence and a flagrant disregard for corporate assets.
At the same time relying solely on an industrial strength anti-virus
scanner, stringent content checking and draconian e-mail policies is an
act of false confidence because it does not take into consideration one
of the most important factors in anti-virus defense: an educated user.
So far all of the viruses that have been wreaking e-mail havoc have one
thing in common: Someone had to activate them. That person was the recipient,
who from ignorance, carelessness or just a momentary lapse in concentration
double-clicked on the file they had received and ended up sending it to
everyone in their mailbox, crashing their own system, sending off the
company's entire password file, launching a nuclear strikeā¦and other things
depending on the particular flavor of malware. A single virus can bring
down an entire e-mail system for days. In the case of one like the SirCam
worm, it can also send sensitive documents out within moments to everyone
in the user's address book. Viruses such as the Love Bug have cost companies
literally billions of dollars in downtime. The vast majority of these
inadvertent activations happened before the virus made a media splash
or anti-virus software was available for it. The lack of technology was
not the real issue. A poorly trained user was.
Not surprisingly, nearly all the virus attacks taking place today feed
on employees' lack of knowledge about security. Devoting a portion of
your security resources to comprehensive education and training of employees,
along with a constant awareness campaign, is a key aspect of any attempt
to minimize viruses. This is becoming particularly true as more and more
employees use their browsers to access web-based e-mail accounts that
are outside of a company's control. Firewalls view these connections as
normal web traffic, defeating all the e-mail security on the mail server.
Simply stated not educating employees and users (and assuring they understand
and act on the message) leaves corporate networks vulnerable to attack,
and that is just as a serious an oversight and as not installing the latest
patch.
About the Author
David W. Tschanz, Ph.D., MCSE, is author of the recent "Exchange Server 2007 Infrastructure Design: A Service-Oriented Approach" (Wiley, 2008), as well as co-author of "Mastering Microsoft SQL Server 2005" (Sybex, 2006). Tschanz is a regular contributor to Redmond magazine and operates a small IT consulting firm specializing in business-oriented infrastructure development.