  Network Information Access  -  17APR90  -  Judge Dredd
  Founded By: Guardian Of Time, Judge Dredd
  Mother Earth BBS  -  NUP:> DECnet  -  Text File Archives

  Computer Viruses & Threats IV

$_Virus Prevention for Personal Computers and Associated Networks

  Virus  prevention in  the personal  computer  environment differs
  from  that of the  multi-user computer environment  mainly in the
  following two respects:  the relative lack of technical controls,
  and  the  resultant  emphasis  this  places  on  less-technically
  oriented means of protection which  necessitates more reliance on
  user involvement.   Personal computers  typically do not  provide
  technical controls for such things  as user authorization, access
  controls, or memory protection that differentiates between system
  memory and memory used by user applications.  Because of the lack
  of controls and the resultant freedom  with which users can share
  and modify software, personal computers are more  prone to attack
  by viruses, unauthorized users, and related threats.

  Virus prevention in  the personal computer environment  must rely
  on  continual  user  awareness  to  adequately  detect  potential
  threats  and  then  to  contain  and  recover  from  the  damage.

  Personal   computer  users  are   in  essence  personal  computer
  managers, and must practice  their management as a part  of their
  general computing.   Personal computers generally do  not contain
  auditing features, thus a user needs to be aware at all  times of
  the computer's performance,  i.e., what it  is doing, or what  is
  normal or abnormal activity.  Ultimately, personal computer users
  need  to  understand  some  of  the  technical aspects  of  their
  computers in order to protect, deter,  contain, and recover.  Not
  all personal computer  users are technically oriented,  thus this
  poses  some  problems  and  places  even  more emphasis  on  user
  education and involvement in virus prevention.

  Because of the dependence on  user involvement, policies for  the
  personal  computer environment  are more  difficult to  implement
  than  in   the   multi-user  computer   environment.     However,
  emphasizing  these policies as  part of a  user education program
  will help to ingrain  them in users'  behavior.  Users should  be
  shown  via  examples what  can happen  if  they don't  follow the
  policies.   An example  where users  share infected  software and
  then spread the  software throughout an organization  would serve
  to effectively illustrate  the point, thus making the  purpose of
  the policy  more clear and more  likely to be  followed.  Another
  effective method for  increasing user cooperation is  to create a
  list of effective personal computer management practices specific
  to  each personal computing  environment.   Creating such  a list
  would save users the problem of determining how best to enact the
  policies,  and would serve  as a convenient  checklist that users
  could reference as necessary.

  It will  likely be  years before  personal computers  incorporate
  strong  technical  controls  in  their  architectures.    In  the
  meantime,  managers  and  users  must  be  actively  involved  in
  protecting their computers from viruses and related threats.  The
  following sections provide guidance to help achieve that aim.

$_General Policies

  Two general policies are suggested here.  The first requires that
  management  make  firm,  unambiguous decisions  as  to  how users
  should  operate  personal  computers, and  state  that  policy in
  writing.  This policy will be a general re-statement of all other
  policies affecting personal computer use.   It is important  that
  users  read  this  policy  and  agree  to  its  conditions  as  a
  prerequisite to  personal  computer use.    The purposes  of  the
  policy are  to  (1) ensure that users  are aware of all policies,
  and (2) impress upon users the  need for their active involvement
  in computer security.

  The second policy is that every  personal computer should have an
  "owner"  or  "system   manager"  who   is  responsible  for   the
  maintenance and security of the  computer, and for following  all
  policies and procedures associated with  the use of the computer.
  It would be preferable that the primary user of the computer fill
  this  role.    It  would   not  be  too  extreme  to   make  this
  responsibility a part of the user's job description.  This policy
  will require that resources  be spent on educating users  so that
  they can adequately follow all policies and procedures.

$_Software Management

  Due  to the wide variety of  software available for many types of
  personal computers, it  is especially important that  software be
  carefully controlled.  The following policies are suggested:

     - Use only licensed copies of  vendor software for personal
       computers.  Ensure  that the license numbers  are logged,
       that warranty information is completed, and  that updates
       or  update  notices  will be  mailed  to  the appropriate
       users.   Ensure that software versions are uniform on all
       personal  computers.     Purchase  software  from  known,
       reputable  sources  - do  not  purchase software  that is
       priced suspiciously low and do  not use pirated software,
       even on a  trial basis.   Where possible, buy software with
       built-in security features.

     - Do not install software that is  not clearly needed.  For
       example, software  tools such  as compilers  or debuggers
       should not  be installed on  machines where they  are not

     - Store the original copies of vendor software in  a secure
       location for use when restoring the software.

     - Develop a clear policy for  use of public-domain software
       and  shareware.    It  is  recommended  that  the  policy
       prohibit   indiscriminate   downloading   from   software
       bulletin boards.   A  special isolated  system should  be
       configured to  perform the  downloading, as  well as  for
       testing downloaded and other software  or shareware.  The
       operation  of  the   system  should   be  managed  by   a
       technically skilled user who  can use anti-virus software
       and other techniques  to test new  software before it  is
       released for use by other users.

     - Maintain   an   easily-updated   database  of   installed
       software.  For each type of software, the database should
       list the computers  where the software is  installed, the
       license  numbers,  software  version  number, the  vendor
       contact  information, and the responsible person for each
       computer listed.  This database should be used to quickly
       identify users, machines, and  software when problems  or
       emergencies  arise,  such as  when  a particular  type of
       software  is  discovered  to  contain  a virus  or  other
       harmful aspects.

     - Minimize software  sharing within  the organization.   Do
       not permit software to be  placed on computers unless the
       proper manager is  notified and the software  database is
       updated.    If computer  networks  permit software  to be
       mailed or otherwise transferred among machines,  prohibit
       this as a  policy.   Instruct users not  to run  software
       that has been mailed to them.

     - If using software repositories on LAN servers, set up the
       server  directory  such  that  users  can copy  from  the
       directory, but not add software to the directory.  Assign
       a user  to  manage the  repository;  all updates  to  the
       repository  should  be cleared  through  this individual.
       The software  should be tested  on an isolated  system as
       described earlier.

     - If  developing software,  consider  the  use of  software
       management  and  control  programs that  automate  record
       keeping for software  updates, and that provide  a degree
       of protection  against unauthorized modifications  to the
       software under development.

     - Prohibit users from  using software  or disks from  their
       home  systems.   A  home system  that  is used  to access
       software bulletin boards  or that  uses shared copies  of
       software  could  be   infected  with  viruses  or   other
       malicious software.
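
  The installed-software database described in the list above, sketched
  as an added example (not part of the original file).  It uses Python's
  sqlite3; the table layout, function names and every sample row are
  assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample rows: products, licenses, machines and people are invented.
# Columns: software, version, license_no, vendor_contact, computer, responsible
SAMPLE = [
    ("WordPro", "2.1", "WP-0001", "Vendor A support", "PC-ACCT-01", "A. Rivera"),
    ("WordPro", "2.1", "WP-0002", "Vendor A support", "PC-ACCT-02", "B. Chen"),
    ("WordPro", "2.0", "WP-0003", "Vendor A support", "PC-LAB-03", "C. Osei"),
    ("CalcSheet", "1.4", "CS-0101", "Vendor B support", "PC-ACCT-01", "A. Rivera"),
]

def build_inventory(rows):
    """Create the inventory with the fields the policy lists (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE installed (
        software TEXT NOT NULL, version TEXT NOT NULL, license_no TEXT NOT NULL,
        vendor_contact TEXT NOT NULL, computer TEXT NOT NULL,
        responsible TEXT NOT NULL, UNIQUE (software, computer))""")
    db.executemany("INSERT INTO installed VALUES (?, ?, ?, ?, ?, ?)", rows)
    return db

def affected(db, software, version=None):
    """Machines and responsible people to contact when a package is found infected."""
    sql = ("SELECT computer, responsible, version, license_no "
           "FROM installed WHERE software = ?")
    args = [software]
    if version is not None:
        sql += " AND version = ?"
        args.append(version)
    return db.execute(sql + " ORDER BY computer", args).fetchall()

def version_drift(db):
    """Packages installed in more than one version, against the uniformity rule."""
    seen = {}
    query = ("SELECT software, version, computer FROM installed "
             "ORDER BY software, version, computer")
    for software, version, computer in db.execute(query):
        seen.setdefault(software, {}).setdefault(version, []).append(computer)
    return {sw: vers for sw, vers in seen.items() if len(vers) > 1}

if __name__ == "__main__":
    db = build_inventory(SAMPLE)
    print(affected(db, "WordPro", "2.0"))
    print(version_drift(db))
```

  The UNIQUE constraint rejects a second record for the same package on
  the same computer, so an update has to replace the existing row.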

$_Technical Controls

  As stated earlier, personal computers suffer from a relative lack
  of technical controls.  There are  usually no mechanisms for user
  authentication  and   for  preventing  users  or   software  from
  modifying  system  and  application  software.    Generally,  all
  software  and  hardware is  accessible  by the  personal computer
  user, thus the potential for misuse is substantially greater than
  in the multi-user computer environment.

  However,  some  technical  controls  can  be  added  to  personal
  computers,  e.g., user  authentication  devices.   The  technical
  controls that do  not exist can  be simulated by other  controls,
  such as  a  lock on  an  office door  to  substitute for  a  user
  authentication device, or  anti-virus software to take  the place
  of  system  auditing  software.   Lastly,  some  of  the personal
  computer's accessibility can  be reduced, such as  by the removal
  of floppy diskette  drives or  by the use  of diskless  computers
  that  must  download  their software  from  a  LAN  server.   The
  following items are suggested:

     - Where technical controls  exist, use them.  If basic file
       access  controls are  available to make  files read-only,
       make  sure  that   operating  system   files  and   other
       executable files  are marked  as read-only.   Use  write-
       protect  tabs on  floppy  diskettes and  tapes.   If  LAN
       access  requires a  password, ensure  that passwords  are
       used  carefully  - follow  the guidelines  for password
       usage presented in file III.

     - Use new cost-effective forms of  user identification such
       as magnetic access cards.   Or, set up other software such
       as  a password  mechanism  that at  a  minimum  deters
       unauthorized users.

     - If  using  a  LAN,   consider  downloading  the  personal
       computer's operating system and other applications from a
       read-only directory  on the  LAN server  (instead of  the
       personal computer's  hard disk).   If the  LAN server  is
       well  protected,  this  arrangement  would  significantly
       reduce  chances of  the software  becoming infected,  and
       would simplify software management.

     - Consider booting personal computers  from write-protected
       floppy diskettes (instead  of the computer's hard  disk).
       Use a unique diskette per computer, and keep the diskette
       secured when not in use.

     - Do not leave a personal  computer running but unattended.
       Lock the computer with a  hardware lock (if possible), or
       purchase  vendor add-on  software to "lock"  the keyboard
       using a password mechanism.   Alternatively, turn off the
       computer and lock  the office door.   Shut down and  lock
       the computer at the end of the day.

     - When using modems connected to personal computers, do not
       provide more access to  the computer than necessary.   If
       only dial-out service is required, configure the modem so
       that  it  won't answer  calls.    If  dial-in service  is
       necessary,  consider  purchasing  modems  that require  a
       password or  that use  a call-back  mechanism to  force a
       caller to call from  a telephone number that is  known to
       the modem.

     - Consider   using   "limited-use"  systems,   whereby  the
       capabilities of a system  are restricted to only  what is
       absolutely  required.  For example, users  who run only a
       certain  application  (such as a word processor)  may  not
       require  the flexibility of a  personal computer.  At the
       minimum,   do  not   install   applications  or   network
       connections where they are not needed.
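
  One way to check the first item in the list above (operating system
  and other executable files marked read-only), as an added example that
  is not part of the original file.  The extension list, the function
  names and the sample files are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Assumption: extensions treated as "operating system and other executable files".
EXEC_EXTS = {".com", ".exe", ".bat", ".sys", ".ovl"}
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def writable_executables(root):
    """Return executables under root (relative paths) that are not read-only."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue  # skip symlinks and special files
            is_exec = (os.path.splitext(name)[1].lower() in EXEC_EXTS
                       or bool(mode & EXEC_BITS))
            if is_exec and mode & WRITE_BITS:
                findings.append(os.path.relpath(path, root))
    return sorted(findings)

def mark_read_only(root, rel_paths):
    """Clear every write bit on the listed files, keeping the other mode bits."""
    for rel in rel_paths:
        path = os.path.join(root, rel)
        os.chmod(path, stat.S_IMODE(os.lstat(path).st_mode) & ~WRITE_BITS)

def demo():
    """Audit a constructed directory before and after remediation."""
    layout = {"COMMAND.COM": 0o444, "EDITOR.EXE": 0o644, "REPORT.TXT": 0o644,
              os.path.join("TOOLS", "backup"): 0o755}
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "TOOLS"))
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            with open(path, "w") as handle:
                handle.write("constructed sample file\n")
            os.chmod(path, mode)
        before = writable_executables(root)
        mark_read_only(root, before)
        return before, writable_executables(root)

if __name__ == "__main__":
    print(demo())
```

  The read-only bit can be cleared by any program running with the file
  owner's rights, so a clean audit is one layer alongside the
  write-protect tabs and read-only LAN directories the list describes.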


  Personal computer operating systems typically  do not provide any
  software or user monitoring/auditing features.  Monitoring, then,
  is largely a user function whereby the user must be aware of what
  the computer is doing, such as when the computer is accessing the
  disk or the  general >
