In-Depth

The Human Factor

Anti-virus software can help with only one part of the defense.

• By David W. Tschanz
• 12/01/2001

There are certain inventions that have occurred over the last thirty years that I call integral. By this I mean inventions that have integrated themselves into life so thoroughly that while we know there must have been a way of doing things before, we really can't remember that way and we don't want to go back to it. Microwaves fall into this category (my children don't believe that you can make popcorn any other way), along with photocopiers (remember mimeographs?), word processing programs and of course e-mail.

In the business world e-mail has quickly established itself as the lifeblood of communication. Electronic messaging has been recognized as an efficient means of communication that is quicker and cheaper than traditional methods. E-mail is also now mission-critical to any enterprise. Watch the looks of consternation and the loss that happens in a corporation when someone pronounces, "the server is down."

But there's a dark side to e-mail. E-mail is also the most likely source of penetration and disruption of a corporate network. Securing the e-mail access point should be the most important security concern of any Chief Security Officer.

Spam, chain letters and e-mails with inappropriate or offensive content are enough by themselves to give computer security personnel headaches. Not only do they cause loss of productive time, waste of bandwidth and storage space, but they can be sources of embarrassment and, in an increasingly litigious world, expensive.

Another serious concern is information leaks. Whether an organization likes to admit it or not there is a greater risk of crucial data being stolen from within the company than from outside. A 1999 survey revealed that 21-31% of workers in Fortune 500 companies admitted to sending confidential information (like financial or product data) to recipients outside the company by e-mail. In addition there is increasing concern over e-mail interception and tampering.

Viruses, though, are still the major e-mail security hazard. The ICSA 2000 Computer Virus Prevalence Survey showed that 87% of all viruses are being transmitted by e-mail or through the Internet. Failure to guard against e-mail borne viruses is an open invitation to disaster.

What viruses can do and how they infect a system via e-mail seems to be limited only by the imagination of the virus writers. As Melissa showed in early 1999 and SirCam this year, it doesn't take much time for a virus to spread and starting making mischief.

The need for anti-virus engines both on the server and the client should be obvious. Failing to have a technological response to potential virus attacks is little short of criminal. At the very least it demonstrates incompetence and a flagrant disregard for corporate assets.

At the same time relying solely on an industrial strength anti-virus scanner, stringent content checking and draconian e-mail policies is an act of false confidence because it does not take into consideration one of the most important factors in anti-virus defense: an educated user.

So far all of the viruses that have been wreaking e-mail havoc have one thing in common: Someone had to activate them. That person was the recipient, who from ignorance, carelessness or just a momentary lapse in concentration double-clicked on the file they had received and ended up sending it to everyone in their mailbox, crashing their own system, sending off the company's entire password file, launching a nuclear strike…and other things depending on the particular flavor of malware. A single virus can bring down an entire e-mail system for days. In the case of one like the SirCam worm, it can also send sensitive documents out within moments to everyone in the user's address book. Viruses such as the Love Bug have cost companies literally billions of dollars in downtime. The vast majority of these inadvertent activations happened before the virus made a media splash or anti-virus software was available for it. The lack of technology was not the real issue. A poorly trained user was.

Not surprisingly, nearly all the virus attacks taking place today feed on employees' lack of knowledge about security. Devoting a portion of your security resources to comprehensive education and training of employees, along with a constant awareness campaign, is a key aspect of any attempt to minimize viruses. This is becoming particularly true as more and more employees use their browsers to access web-based e-mail accounts that are outside of a company's control. Firewalls view these connections as normal web traffic, defeating all the e-mail security on the mail server.

Simply stated not educating employees and users (and assuring they understand and act on the message) leaves corporate networks vulnerable to attack, and that is just as a serious an oversight and as not installing the latest patch.