ZDDDDDDDDDDDDDDDDDD? IMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM; ZDDDDDDDDDDDDDDDDDD?
3 Founded By: 3 : Network Information Access : 3 Mother Earth BBS 3
3 Guardian Of Time 3D: 17APR90 :D3 NUP:> DECnet 3
3 Judge Dredd 3 : Judge Dredd : 3Text File Archives3
@DDDDDDDDBDDDDDDDDDY : File 26 : @DDDDDDDDDBDDDDDDDDY
3 HMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM< 3
3 IMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM; 3
@DDDDDDDDDDD6 Computer Viruses & Threats IV GDDDDDDDDDDDY
HMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM<
$_Virus Prevention for Personal Computers and Associated Networks
Virus prevention in the personal computer environment differs
from that of the multi-user computer environment mainly in the
following two respects: the relative lack of technical controls,
and the resultant emphasis this places on less-technically
oriented means of protection which necessitates more reliance on
user involvement. Personal computers typically do not provide
technical controls for such things as user authorization, access
controls, or memory protection that differentiates between system
memory and memory used by user applications. Because of the lack
of controls and the resultant freedom with which users can share
and modify software, personal computers are more prone to attack
by viruses, unauthorized users, and related threats.
Virus prevention in the personal computer environment must rely
on continual user awareness to adequately detect potential
threats and then to contain and recover from the damage.
Personal computer users are in essence personal computer
managers, and must practice their management as a part of their
general computing. Personal computers generally do not contain
auditing features, thus a user needs to be aware at all times of
the computer's performance, i.e., what it is doing, or what is
normal or abnormal activity. Ultimately, personal computer users
need to understand some of the technical aspects of their
computers in order to protect, deter, contain, and recover. Not
all personal computer users are technically oriented, thus this
poses some problems and places even more emphasis on user
education and involvement in virus prevention.
Because of the dependance on user involvement, policies for the
personal computer environment are more difficult to implement
than in the multi-user computer environment. However,
emphasizing these policies as part of a user education program
will help to ingrain them in users' behavior. Users should be
shown via examples what can happen if they don't follow the
policies. An example where users share infected software and
then spread the software throughout an organization would serve
to effectively illustrate the point, thus making the purpose of
the policy more clear and more likely to be followed. Another
effective method for increasing user cooperation is to create a
list of effective personal computer management practices specific
to each personal computing environment. Creating such a list
would save users the problem of determining how best to enact the
policies, and would serve as a convenient checklist that users
could reference as necessary.
It will likely be years before personal computers incorporate
strong technical controls in their architectures. In the
meantime, managers and users must be actively involved in
protecting their computers from viruses and related threats. The
following sections provide guidance to help achieve that aim.
$_General Policies
Two general policies are suggested here. The first requires that
management make firm, unambiguous decisions as to how users
should operate personal computers, and state that policy in
writing. This policy will be a general re-statement of all other
policies affecting personal computer use. It is important that
users read this policy and agree to its conditions as a
prerequisite to personal computer use. The purposes of the
policy are to (1) ensure that users are aware of all policies,
and (2) impress upon users the need for their active involvement
in computer security.
The second policy is that every personal computer should have an
"owner" or "system manager" who is responsible for the
maintenance and security of the computer, and for following all
policies and procedures associated with the use of the computer.
It would be preferable that the primary user of the computer fill
this role. It would not be too extreme to make this
responsibility a part of the user's job description. This policy
will require that resources be spent on educating users so that
they can adequately follow all policies and procedures.
$_Software Management
Due to the wide variety of software available for many types of
personal computers, it is especially important that software be
carefully controlled. The following policies are suggested:
- Use only licensed copies of vendor software for personal
computers. Ensure that the license numbers are logged,
that warranty information is completed, and that updates
or update notices will be mailed to the appropriate
users. Ensure that software versions are uniform on all
personal computers. Purchase software from known,
reputable sources - do not purchase software that is
priced suspiciously low and do not use pirated software,
even on a trial basis. As possible, buy software with
built-in security features.
- Do not install software that is not clearly needed. For
example, software tools such as compilers or debuggers
should not be installed on machines where they are not
needed.
- Store the original copies of vendor software in a secure
location for use when restoring the software.
- Develop a clear policy for use of public-domain software
and shareware. It is recommended that the policy
prohibit indiscriminate downloading from software
bulletin boards. A special isolated system should be
configured to perform the downloading, as well as for
testing downloaded and other software or shareware. The
operation of the system should be managed by a
technically skilled user who can use anti-virus software
and other techniques to test new software before it is
released for use by other users.
- Maintain an easily-updated database of installed
software. For each type of software, the database should
list the computers where the software is installed, the
license numbers, software version number, the vendor
contact information, and the responsible person for each
computer listed. This database should be used to quickly
identify users, machines, and software when problems or
emergencies arise, such as when a particular type of
software is discovered to contain a virus or other
harmful aspects.
- Minimize software sharing within the organization. Do
not permit software to be placed on computers unless the
proper manager is notified and the software database is
updated. If computer networks permit software to be
mailed or otherwise transferred among machines, prohibit
this as a policy. Instruct users not to run software
that has been mailed to them.
- If using software repositories on LAN servers, set up the
server directory such that users can copy from the
directory, but not add software to the directory. Assign
a user to manage the repository; all updates to the
repository should be cleared through this individual.
The software should be tested on an isolated system as
described earlier.
- If developing software, consider the use of software
management and control programs that automate record
keeping for software updates, and that provide a degree
of protection against unauthorized modifications to the
software under development.
- Prohibit users from using software or disks from their
home systems. A home system that is used to access
software bulletin boards or that uses shared copies of
software could be infected with viruses or other
malicious software.
$_Technical Controls
As stated earlier, personal computers suffer from a relative lack
of technical controls. There are usually no mechanisms for user
authentication and for preventing users or software from
modifying system and application software. Generally, all
software and hardware is accessible by the personal computer
user, thus the potential for misuse is substantially greater than
in the multi-user computer environment.
However, some technical controls can be added to personal
computers, e.g., user authentication devices. The technical
controls that do not exist can be simulated by other controls,
such as a lock on an office door to substitute for a user
authentication device, or anti-virus software to take the place
of system auditing software. Lastly, some of the personal
computer's accessibility can be reduced, such as by the removal
of floppy diskette drives or by the use of diskless computers
that must download their software from a LAN server. The
following items are suggested:
- Where technical controls exist, use them. If basic file
access controls are available to make files read-only,
make sure that operating system files and other
executable files are marked as read-only. Use write-
protect tabs on floppy diskettes and tapes. If LAN
access requires a password, ensure that passwords are
used carefully - follow the guidelines for password
usage presented in in file III.
- Use new cost-effective forms of user identification such
as magnetic access cards. Or, setup other software such
as password mechanism that at a minimum deters
unauthorized users.
- If using a LAN, consider downloading the personal
computer's operating system and other applications from a
read-only directory on the LAN server (instead of the
personal computer's hard disk). If the LAN server is
well protected, this arrangement would significantly
reduce chances of the software becoming infected, and
would simplify software management.
- Consider booting personal computers from write-protected
floppy diskettes (instead of the computer's hard disk).
Use a unique diskette per computer, and keep the diskette
secured when not in use.
- Do not leave a personal computer running but unattended.
Lock the computer with a hardware lock (if possible), or
purchase vendor add-on software to "lock" the keyboard
using a password mechanism. Alternatively, turn off the
computer and lock the office door. Shut down and lock
the computer at the end of the day.
- When using modems connected to personal computers, do not
provide more access to the computer than necessary. If
only dial-out service is required, configure the modem so
that it won't answer calls. If dial-in service is
necessary, consider purchasing modems that require a
password or that use a call-back mechanism to force a
caller to call from a telephone number that is known to
the modem.
- Consider using "limited-use" systems, whereby the
capabilities of a system are restricted to only what is
absolutely required. For example, users who run only a
certain application (such as word-processor) may not
require the flexibility of a personal computer. At the
minimum, do not install applications or network
connections where they are not needed.
$_Monitoring
Personal computer operating systems typically do not provide any
software or user monitoring/auditing features. Monitoring, then,
is largely a user function whereby the user must be aware of what
the computer is doing, such as when the computer is accessing the
disk or the general >
Transfer interrupted!