Silicon Valley Biz Ink, October 10, 2003
Security must be re-examined
The Lovsan and SoBig.F worms recently captured worldwide attention. This was not the first time companies and home personal computers have encountered an Internet attack and it certainly will not be the last. SoBig.F was heavily covered by the media because it was the fastest spreading worm security experts had ever seen; an estimated 1 million copies were sent in the first 24 hours. It was intelligently disguised with subject headers such as "approved," "my details," "wicked screensaver" and "that movie," among others, which tricked many computer users into actually opening the infected e-mail attachment.
But with so many anti-virus and firewall applications available and being used today, it begs the question, "Why were so many computers still infected?"
Here are some of the reasons:
First, let's look at firewalls. Firewalls are good at permitting or denying certain traffic entering a network, but they can't tell you whether an e-mail attachment is malicious or not. A firewall inspects traffic at the packet level and can determine where a packet came from and where it is trying to go, but it cannot be used as a virus defense.
Anti-virus software, by comparison, is extremely good at recognizing and blocking viruses that currently exist, but it does a very poor job of recognizing and blocking new Internet attacks and outbreaks. In fact, according to the 2003 CSI/FBI Computer Crime and Security Survey, 82 percent of responding companies were attacked by a virus, even though 99 percent of them had anti-virus software. Because it relies on a database of listed and known viruses, anti-virus software is unable to recognize new outbreaks and can't protect its users from them until hours later -- after the anti-virus software vendor analyzes the code that was used in the attack, figures out how the attack manipulates a computer and then creates a patch to protect users. Until the patch is made available, users are completely unprotected. In other words, a window of vulnerability exists.
In addition to being reactive, updates from anti-virus vendors also bring human error into the equation. From the recent Lovsan and SoBig.F worms, it was reported that many computers were vulnerable because network administrators and home users who had security software installed on their computers simply neglected to download updates from their vendors.
Fortunately, there are other technologies that can significantly reduce computer users' risk of becoming victims of the next new virus or worm attack. For example, behavior-monitoring technology -- commonly known as "sandboxing" technology -- must be implemented by home users and corporate information technology departments. Sandboxing prevents malicious code from doing something it's not authorized to do. For example, policies can be set so that if a program tries to access your address book or personal folders or write to the registry, the program will immediately be blocked. With this technology, users would be protected from all worms and viruses, even brand-new ones.
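As an added example, not taken from the article or from Finjan's product, here is a small Python model of the two layers the article contrasts: a hash-based signature lookup, which fails as soon as a single byte of the sample changes, and a behavior policy that denies address-book reads and autorun registry writes whether or not the program is known. The sample bytes, hash database, rule globs and recorded program actions are all constructed for the demonstration; a real monitor would intercept the actions at the operating-system level rather than read them from a list.

```python
"""Signature lookup versus behavior policy: a constructed model, not a product."""
import fnmatch
import hashlib

# Constructed stand-in for an anti-virus signature database: SHA-256 -> name.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"WORM-SAMPLE-A: mail self to address book").hexdigest(): "Worm.SampleA",
}

# Constructed behavior policy: (action, path glob) pairs the sandbox denies.
# Globs are matched after normalization, so case and separator style do not matter.
DENY_RULES = [
    ("read", "*/Address Book/*"),
    ("read", "*/My Documents/*"),
    ("write", "HKLM/Software/Microsoft/Windows/CurrentVersion/Run/*"),
    ("write", "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/*"),
]


def signature_verdict(sample_bytes):
    """Return the signature name if the exact file is known, else None."""
    digest = hashlib.sha256(sample_bytes).hexdigest()
    return KNOWN_BAD_SHA256.get(digest)


def normalize(path):
    """Collapse separator and case differences so a rule cannot be dodged by spelling."""
    return path.replace("\\", "/").lower()


def behavior_verdict(events):
    """Return (action, path, rule_glob) for the first denied event, or None if all pass.

    `events` is a list of (action, path) tuples, standing in for what an
    interposition layer would observe as the program runs.
    """
    for action, path in events:
        norm = normalize(path)
        for rule_action, rule_glob in DENY_RULES:
            if action == rule_action and fnmatch.fnmatchcase(norm, normalize(rule_glob)):
                return (action, path, rule_glob)
    return None


def scan(sample_bytes, events):
    """Apply both layers: known-bad signature first, then behavior policy."""
    name = signature_verdict(sample_bytes)
    if name:
        return ("blocked_by_signature", name)
    denied = behavior_verdict(events)
    if denied:
        return ("blocked_by_policy", denied[2])
    return ("allowed", None)


# Constructed samples: the known worm, and a variant differing by one trailing byte.
KNOWN_WORM = b"WORM-SAMPLE-A: mail self to address book"
VARIANT = b"WORM-SAMPLE-A: mail self to address book "

# Constructed action traces, written as a 2003-era Windows host would record them.
WORM_EVENTS = [
    ("read", r"C:\Documents and Settings\user\Application Data\Microsoft\Address Book\user.wab"),
    ("write", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate"),
]
BENIGN_EVENTS = [
    ("read", r"C:\Program Files\Editor\config.ini"),
    ("write", r"C:\Documents and Settings\user\Local Settings\Temp\edit.tmp"),
]

if __name__ == "__main__":
    print("known worm :", scan(KNOWN_WORM, WORM_EVENTS))
    print("new variant:", scan(VARIANT, WORM_EVENTS))
    print("editor     :", scan(VARIANT, BENIGN_EVENTS))
```

The variant slips past the signature lookup entirely, which is the window of vulnerability the article describes, yet it is stopped the moment it touches the address book. The policy is also what decides how much a benign program can do: if the editor's trace had included a write under the Run key, it would have been blocked too, so rules have to be written with the legitimate workload in mind.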
Lastly, greater education among computer users regarding viruses, worms and malicious content is needed. Many users are desensitized to the possibility that spam can carry malicious content, because they are used to receiving unsolicited advertising in their inboxes on a daily basis and think nothing of opening an e-mail message from someone they do not know. Remember, "curiosity killed the cat," and it probably contributed to the spread of SoBig.F. But make no mistake about it, the large-scale impact it had on home and corporate users was preventable.
Just as the Internet permanently changed the way we communicate, share information and conduct business, it must also change the way we address computer security, data integrity and content management. Traditional approaches must be challenged, analyzed and reconsidered to ensure that our security strategies are keeping up with the ever-evolving technologies used by malicious individuals now and in the future.
Shlomo Touboul is founder and CEO of San Jose-based Finjan Software Ltd.
You can reach him at firstname.lastname@example.org. To send a letter to the editor, e-mail email@example.com.