05 August 2005


Double trouble

Besides cutting productivity, adware and spyware can also cause computer problems and worse. "They can cause instability in PCs, operations to crash, slow performance," says Chris Williams, a senior analyst at Ferris Research. "And [malware] can log your keystrokes and report those back to a Web site, so your network log-in is being compromised."
How can a company shore up its servers and desktops against this rising tide of malware? First, say experts, educate employees on spam and viruses. But education can go only so far; technology is also needed. Here are five steps in the defence against malware:
1) Restrict user privileges: The fewer system privileges on a user's desktop, the fewer opportunities there are for viruses and spyware to take over, says Andrew Jaquith, an analyst at The Yankee Group. "The biggest reason companies have spyware problems is that user privileges are set too high," he says.
IT may also choose to block certain types of attachments, such as executable or Zip files, and prevent access to certain Web sites. The DOE's Carlsbad office now uses Websense software to block access to adware- and spyware-heavy sites, such as gambling sites. It also relies on an e-mail firewall from Tumbleweed Communications with built-in McAfee antivirus and spyware filtering tools.
2) Apply patches immediately: Installing security patches and updates is critical, regardless of how much antivirus protection you may have. JetBlue Airways in New York, for example, has layers of antivirus and antispam defences, but its IT staffers also apply new security patches promptly, says Lesen Wang, IT e-mail systems administrator at JetBlue.
"Even with an antivirus program, a virus can get through," he says. Two years ago, for example, JetBlue's desktops were infected by the Blaster virus because they hadn't been patched, but the airline's servers, which had received regular updates, remained unaffected.
3) Switch to alternative e-mail packages: While not guaranteed to be shielded against viruses, nonstandard (that is, not Microsoft) software is less likely to be targeted by virus writers.
For example, Brett McKeachnie, network systems administrator at a state school, reports that the school, which uses Novell's GroupWise, never had a virus problem and didn't realize it was receiving viruses until it installed iSolation Server, an e-mail security product from Avinti.
"Avinti put [iSolation Server] into the mail stream, and the next thing you know, we've got 40 to 50 viruses hitting the filter," McKeachnie says. However, not everyone at the school uses GroupWise -- some are on Outlook -- so the school remains vulnerable to virus attacks and, of course, spam.
4) Build a multilayered defence: There are several approaches to antivirus and antispam protection, none of which is 100 percent effective. So using two or more is a useful strategy, experts say.
Techniques for blocking spam include maintaining blacklists of spammers' Internet addresses and employing the challenge/response strategy, which attempts to catch spammers by asking a suspicious sender to resend the message, the assumption being that an automated spam program won't reply. Another option is Bayesian filters, which "learn" to recognize spam from samples that an IT administrator or an end user feeds it. The filter then uses probability scores to decide whether an e-mail is likely to be spam.
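The Bayesian approach described above, as an added example that is not part of the original article: a small naive Bayes filter that "learns" from labelled samples an administrator or end user feeds it, then scores a new message with a probability. The training messages are constructed for the example, the cut-off of 0.5 is an assumed policy setting, and no real product's model is implied.

```python
"""Toy Bayesian spam filter (added example, not from the article)."""
import math
import re
from collections import Counter

# Constructed training samples (not from the article): (message text, is_spam)
TRAINING_SAMPLES = [
    ("cheap meds online buy now limited offer", True),
    ("buy now cheap replica watches free shipping", True),
    ("limited time offer win a free prize click here", True),
    ("click here for cheap mortgage rates", True),
    ("meeting moved to thursday please review the agenda", False),
    ("please send the quarterly report before friday", False),
    ("lunch on thursday works for me see you then", False),
    ("review the attached agenda and send comments", False),
]

TOKEN_RE = re.compile(r"[a-z0-9']+")


def tokenize(text):
    """Lower-case word tokens; each distinct word counts once per message."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesianSpamFilter:
    """Naive Bayes over message-level word presence, with Laplace smoothing."""

    def __init__(self):
        self.spam_docs = Counter()  # word -> number of spam messages containing it
        self.ham_docs = Counter()   # word -> number of legitimate messages containing it
        self.n_spam = 0
        self.n_ham = 0

    def train(self, text, is_spam):
        """Feed one labelled sample, as an administrator or end user would."""
        words = tokenize(text)
        if is_spam:
            self.n_spam += 1
            self.spam_docs.update(words)
        else:
            self.n_ham += 1
            self.ham_docs.update(words)

    def spam_probability(self, text):
        """Return P(spam | words) in [0, 1], computed in log space to avoid underflow."""
        if self.n_spam == 0 or self.n_ham == 0:
            raise ValueError("need at least one spam and one legitimate sample")
        total = self.n_spam + self.n_ham
        log_spam = math.log(self.n_spam / total)  # class priors
        log_ham = math.log(self.n_ham / total)
        for word in tokenize(text):
            if word not in self.spam_docs and word not in self.ham_docs:
                continue  # never seen in training: no evidence either way
            # Laplace-smoothed probability that a message of each class contains the word
            log_spam += math.log((self.spam_docs[word] + 1) / (self.n_spam + 2))
            log_ham += math.log((self.ham_docs[word] + 1) / (self.n_ham + 2))
        # Turn the log-odds into a probability with the logistic function
        diff = max(min(log_ham - log_spam, 700.0), -700.0)  # keep exp() in range
        return 1.0 / (1.0 + math.exp(diff))

    def classify(self, text, threshold=0.5):
        """Apply the administrator's cut-off (0.5 assumed here) and return (label, score)."""
        p = self.spam_probability(text)
        return ("spam" if p >= threshold else "ham", p)


def trained_filter():
    """Build a filter from the constructed samples."""
    f = BayesianSpamFilter()
    for text, is_spam in TRAINING_SAMPLES:
        f.train(text, is_spam)
    return f


if __name__ == "__main__":
    f = trained_filter()
    for msg in ("cheap watches buy now", "please review the agenda for thursday"):
        print(msg, "->", f.classify(msg))
```

Because the filter only weighs words it has seen, the quality of its scores rests entirely on the samples fed to it, which is why the article stresses that someone has to keep supplying examples; with equal numbers of spam and legitimate samples the priors cancel and the score is driven by the word evidence alone.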
Signature-based scanning is the most common approach for identifying viruses, but it doesn't help when there's a brand-new virus on the loose. The "zero hour" problem -- the time lag between the initial release of a new virus and the point when the antivirus vendor can issue a signature update for it -- is the biggest weakness of signature-based products, especially since the gap can be as long as eight hours. Companies relying solely on pattern-based antivirus protection are vulnerable to new viruses during that time.
One technique that attempts to close this gap is blocking technology that shuts down access to certain systems if it detects any initial virus activity. For example, JetBlue used Trend Micro's signature-based ServerProtect, but it opted to add IronPort Systems' C-Series antivirus and antispam device, which includes a blocking technology called Virus Outbreak Filter. The filter quarantines suspect e-mail if it detects a new virus outbreak based on data from IronPort's SenderBase e-mail monitoring network.
Yet another approach to blocking viruses is heuristics scanning, which detects viruses by analyzing a file's structure, behaviour and other attributes instead of looking for a pattern match in the code.
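The attachment-type blocking from step 1 and the structural (heuristic) scanning just described, combined in one added example that is not from the article or any of the products it names. Rather than trusting the file extension alone, the check below also looks at the file's structure: a Windows executable starts with an "MZ" DOS stub whose field at offset 0x3C points to a "PE\0\0" header (that layout is the real PE format), and a Zip archive is opened so that executables hidden inside it are caught too. The blocked-extension list, the nesting and size limits, and the sample attachments are all constructed for the example.

```python
"""Attachment policy check by extension and file structure (added example)."""
import io
import struct
import zipfile

# Constructed policy: extensions the mail gateway refuses outright
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
MAX_ARCHIVE_DEPTH = 2            # assumed limit on nested archives
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # assumed per-member size cap (guards against bombs)


def looks_like_pe(data):
    """Structural check: 'MZ' stub whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def extension_of(filename):
    """Final extension, lower-cased, or '' if there is none."""
    name = filename.lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def inspect_attachment(filename, data, depth=0):
    """Return a list of policy findings; an empty list means the attachment passes."""
    findings = []
    ext = extension_of(filename)
    if ext in BLOCKED_EXTENSIONS:
        findings.append(f"{filename}: blocked extension {ext}")
    elif looks_like_pe(data):
        # Extension says document, structure says executable: the renamed-file trick
        findings.append(f"{filename}: executable content behind extension '{ext or '(none)'}'")
    if data[:4] == b"PK\x03\x04":  # local file header signature of a Zip archive
        if depth >= MAX_ARCHIVE_DEPTH:
            findings.append(f"{filename}: archive nested too deeply")
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    if member.is_dir():
                        continue
                    if member.file_size > MAX_MEMBER_BYTES:
                        findings.append(f"{filename}: member {member.filename} exceeds size cap")
                        continue
                    for f in inspect_attachment(member.filename, zf.read(member), depth + 1):
                        findings.append(f"{filename} -> {f}")
        except zipfile.BadZipFile:
            findings.append(f"{filename}: corrupt or malformed zip archive")
    return findings


def fake_pe_bytes():
    """Constructed stand-in for an executable: only the header fields the check reads."""
    header = bytearray(0x48)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header)


def build_sample_zip():
    """Constructed archive holding a blocked executable beside a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", fake_pe_bytes())
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("notes.txt", b"meeting notes"),
        ("report.doc", fake_pe_bytes()),
        ("invoice.zip", build_sample_zip()),
    ]
    for name, blob in samples:
        print(name, "->", inspect_attachment(name, blob) or "passes")
```

The point of the structural test is the one the article makes about heuristics: it does not need a signature for any particular virus, only knowledge of what an executable looks like, so a brand-new sample renamed to look like a document is still caught; the size and depth limits exist because an archive scanner that expands everything it is handed becomes a denial-of-service target itself.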
The bottom line, experts say, is that two or more defensive technologies -- whether in different products or combined in one -- are better than one.
Just as using two types of antivirus or antispam software can increase your odds of catching malware, so, too, can locating defensive products at different points on your network. Firewalls, SMTP gateways, HTTP gateways, e-mail and file servers, and desktops are all good places to defend.
Monrovia Nursery, a plant and flower wholesaler, recently added its fourth layer of security: an antispam and antivirus gateway from MailFrontier. The new gateway complements an existing firewall -- which blocks attachments such as Visual Basic scripts -- and antivirus software from Symantec on its e-mail servers and desktops. "It's another layer of protection," says Ray Martin, Monrovia's IS technical manager. "Redundancy and variety are good when it comes to e-mail security."
The main point of a multilayered defence, says Richi Jennings, a Ferris Research analyst, is to cover all the potential points where a virus could enter. Too often, he says, companies think they're immune to viruses, when in fact they've failed to cover a key point of entry.
"You may feel you have a clean architecture, with virus scanning on the perimeter of the network," Jennings says. "But if you've forgotten a vector -- such as a laptop that has a virus and gets plugged into the company network -- then suddenly you've got a bunch of infected machines because you didn't put antivirus on the desktops."
5) Use an outside service: If you want a multi-tiered defence without having to purchase individual products and implement them, an outside antivirus and antispam service may be the answer. Companies such as MessageLabs and Postini will intercept and clean your e-mail of viruses and spam before sending it to your e-mail server, thus sparing you the software and hardware expense of scanning and processing your own e-mail.
Internet service providers may offer antivirus and antispam filtering services to corporate clients. For example, virus and spam filtering at Bata Canada, a unit of shoe manufacturer and retailer Bata International, is handled by Bata's service provider.
A significant advantage, according to Eli Gabbay, manager of IT technical support at Bata, is the ability to offload some of the administrative chores to the service provider. "I found [antispam and antivirus software] to be very complicated... There's a lot of work for me to do to maintain it," he explains. "Now the only thing I need to do is put any spam that gets through into a folder, and the provider adds it to its database." Antivirus services typically combine signature-based scanning with other approaches to improve their detection rates, and because they clean the mail stream before it reaches the customer, some users rely on them to strip viruses and spam before the traffic even hits their firewalls.
Euro RSCG Worldwide, an international advertising and marketing firm with 233 agencies, turned to MessageLabs for help in dealing with a rising flood of spam that threatened to overload its e-mail servers.
"We had more spam coming in than legitimate e-mail," says CIO John Tanner. "It got to the point, last August, where we were going to have to increase our hardware by 33 percent."
The agency tried blocking spam at the firewall with blacklists, but that approach resulted sometimes in blocked mail from prospective clients whose addresses or e-mail servers had been hijacked by spammers. So the ad agency tried the MessageLabs service, which culls spam and viruses before sending the clean mail on.
Of course, the company still uses antivirus software on its servers and desktops to be safe. But so far, spam has ceased to be a problem. "I don't have to manage any hardware or software. I don't have to worry about upgrading hardware because spam has increased," says Tanner. "Spam has disappeared from the planet for us."
