The ICSA survey and techniques for protecting companies

By | May 6, 2005

Every year, ICSA publishes the results of a survey about the prevalence of viruses in companies. This survey always tends to throw up the odd surprise, and this year has been no exception. The companies asked about their experiences with viruses have painted a picture of the world of malware as well as of their own weaknesses.

One thing in particular caught my eye: the answers to the question about which systems companies have installed to protect their networks. Companies responded overwhelmingly that they have anti-malware protection installed in their email gateways. No surprise there, as once again according to the results of the survey 92 percent of viruses responsible for some kind of infection entered via email (how things have changed since the 9 percent recorded in 1996!).

But taking a closer look, there is a great contradiction here. If 97 percent of companies have their email gateways protected, why are viruses causing problems? Is the protection installed deficient? Or is it the system administrators who don't know how to handle the protection?

The answer is neither one thing nor the other. The problem lies elsewhere, as while almost all companies have their email gateways protected, the situation is not the same with other systems.

Very often, users have email accounts unrelated to the company. As long as these accounts are accessed through POP3 email clients, the antivirus in the email gateway can still detect any viruses. However, in many cases webmail systems are used instead, rendering the POP3 antivirus ineffective; in fact, this traffic is not usually even routed through the email servers.

In this case, the task falls to the proxy server and firewall protection. A third of the companies surveyed had no protection in their proxies, and worse still, half of them had unprotected firewalls. Here is the key: email viruses are those that have caused most infections (Netsky, Sober, Mymail, Sobig, etc.), and Internet gateways are the worst protected point of the network.

We can clarify things further by adding another problem: the SQLSlammer worm was one of the leading examples of malware. This malicious code had a huge impact in 2003 (and evidently in 2004 as well, judging by the results of the survey), and the way it operates is quite different from other malware. Instead of spreading itself by using a file, like a classic worm or Trojan, SQLSlammer is actually a malicious instruction directed at vulnerable Microsoft SQL Servers. The protection installed is therefore of no use: trusting exclusively in protection for workstations or email gateways is simply not adequate.

What protection should be installed?

Protection against malicious code clearly needs to be installed at those points through which viruses enter, but without forgetting that each protection system must meet certain specifications for each type of virus targeting that platform. Take for example the case of SQLSlammer. This is a malicious code that acts against Microsoft SQL Server, and for this reason one might think of protecting the server or servers on which this service runs. However, a conventional server antivirus treats these servers as nothing more than file servers: it will monitor data traffic to the disks without taking other types of traffic into account, and so will not protect against SQLSlammer.

The same reasoning applies, for example, to a Sendmail gateway. If you want to protect the email service, there are antivirus solutions available to scan messages passing through the server, but if Samba is also installed on that server, an additional protection system will be needed.
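The three cases above (webmail traffic bypassing the email gateway, a single-datagram worm that never becomes a file, and a mail server that is also a Samba file server) share one lesson: a scanner only protects the channel it is positioned to inspect. The following is an added example, not code from the article, that models this with constructed sample traffic. Every scanner in the model applies the same detection logic (`is_malicious`); only its placement differs. The marker bytes, the oversized-datagram threshold and the event descriptions are constructed for the example; UDP 1434 is the real port of the SQL Server resolution service.

```python
"""Constructed model of malware entry points versus scanner placement.

Added example, not from the article: every scanner applies the same detection
logic; only the channel it is positioned to inspect differs.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Channels through which content can reach a host or cross the perimeter.
SMTP, HTTP, UDP, SMB, DISK = "smtp", "http", "udp", "smb", "disk"

# Constructed marker standing in for a real signature; it carries no malware.
MALICIOUS_MARKER = b"CONSTRUCTED-MALWARE-MARKER"

# UDP 1434 is the SQL Server resolution service; legitimate requests to it are
# a few bytes long, so an oversized datagram is the anomaly a network scanner
# keys on. The threshold below is a constructed value for this model.
SQL_RESOLUTION_PORT = 1434
MAX_RESOLUTION_REQUEST = 64


@dataclass(frozen=True)
class Event:
    description: str
    channel: str
    payload: bytes
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Scanner:
    name: str
    channels: FrozenSet[str]  # the traffic this scanner is positioned to inspect

    def sees(self, ev: Event) -> bool:
        return ev.channel in self.channels


def is_malicious(ev: Event) -> bool:
    """Detection capability shared by every scanner in the model."""
    if MALICIOUS_MARKER in ev.payload:
        return True
    # Single-datagram, memory-only code never becomes a file on disk, so only a
    # scanner that inspects UDP traffic ever gets the chance to apply this rule.
    return (ev.channel == UDP and ev.dst_port == SQL_RESOLUTION_PORT
            and len(ev.payload) > MAX_RESOLUTION_REQUEST)


def evaluate(events: List[Event], scanners: List[Scanner]) -> Dict[str, List[str]]:
    """Map each event to the scanners that both see it and flag it."""
    return {ev.description: [s.name for s in scanners if s.sees(ev) and is_malicious(ev)]
            for ev in events}


def unprotected(events: List[Event], scanners: List[Scanner]) -> List[str]:
    """Malicious events that no deployed scanner is positioned to inspect."""
    hits = evaluate(events, scanners)
    return [ev.description for ev in events
            if is_malicious(ev) and not hits[ev.description]]


# Constructed sample traffic.
EVENTS = [
    Event("worm attachment arriving over SMTP", SMTP, b"MIME..." + MALICIOUS_MARKER),
    Event("same attachment fetched from webmail over HTTP", HTTP,
          b"HTTP/1.1 200 OK\r\n\r\n" + MALICIOUS_MARKER),
    Event("oversized datagram to the SQL resolution port", UDP, b"A" * 400,
          dst_port=SQL_RESOLUTION_PORT),
    Event("file dropped on the mail server's Samba share", SMB, b"SMB..." + MALICIOUS_MARKER),
    Event("clean document saved on a workstation", DISK, b"quarterly report"),
]

# The deployment the survey describes as typical: email gateway plus workstations.
GATEWAY_CENTRIC = [
    Scanner("email gateway antivirus", frozenset({SMTP})),
    Scanner("workstation file scanner", frozenset({DISK})),
]

# A layered deployment covering every entry point the article names.
LAYERED = GATEWAY_CENTRIC + [
    Scanner("proxy antivirus", frozenset({HTTP})),
    Scanner("network traffic inspector at the Internet connection point", frozenset({UDP, HTTP})),
    Scanner("file server antivirus on the mail server", frozenset({SMB, DISK})),
]

if __name__ == "__main__":
    for label, deployment in (("gateway-centric", GATEWAY_CENTRIC), ("layered", LAYERED)):
        print(f"{label}: unprotected = {unprotected(EVENTS, deployment)}")
```

Running the block prints three unprotected events for the gateway-centric deployment (the webmail download, the UDP datagram and the Samba drop) and none for the layered one, which is the article's point in miniature: the detection logic never changed, only where it was placed.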

All this could lead one to think that a single antivirus installed at the malicious code entry point would be sufficient. This theory is no more than an extrapolation of the protection policies applied some time ago, when simply scanning floppy disks was enough to keep viruses at bay. Today, it is necessary to protect not only the entry point but also all data traffic and storage systems.

A corporate protection strategy must include protection of all possible points, in order to avoid unexpected malicious code slipping past non-specific protection in the system: from workstations to email gateways, from internal servers to the firewall, and including the company's Internet connection point.

And where should the protection be?

Take a look at any ranking of malicious code and you will see that in recent months there has been a dramatic change in the types of malware that are now a concern to administrators. Since 1999, when the Melissa worm appeared, this type of malware has continued to advance, leaving the classic concept of a virus way behind. It is no longer profitable for a malicious programmer to create viruses, as other malicious code, such as bots or spyware, offers more direct financial benefits.

The concept of protection against malicious code therefore has to move away from simply scanning files downloaded onto a computer and encompass the thorough scanning of TCP/IP transmissions at a point in the network (where the corporate connection is made), together with intelligent scanning of the applications running on each workstation.

By understanding antivirus protection as a whole and not just as the sum of the individual protections, it will be possible to obtain the security which until now has eluded many companies. Maybe in the future, surveys on the prevalence of viruses will be based exclusively on the malicious code rejected by the protection, not on the infections caused.
