Network Information Access: Text File Archives
Founded by: Guardian Of Time / Judge Dredd
Mother Earth BBS (NUP:> DECnet)
17APR90, Judge Dredd

Overview On Viruses & Threats III

$_Virus Prevention for Multi-User Computers and Associated Networks

  Virus prevention in the multi-user  computer environment is aided
  by the centralized system and  user management, and the  relative
  richness of technical controls.   Unlike personal computers, many
  multi-user    systems   possess    basic   controls    for   user
  authentication, for levels  of access  to files and  directories,
  and  for  protected regions  of  memory.   By  themselves,  these
  controls are not  adequate, but combined with other  policies and
  procedures that  specifically target viruses and related threats,
  multi-user systems  can greatly  reduce their  vulnerabilities to
  exploitation and attack.

  However, some relatively powerful multi-user  machines are now so
  compact as to be  able to be located  in an office or on  a desk-
  top.  These machines are still fully able to support a small user
  population, to connect to major  networks, and to perform complex
  real-time operations.  But  due to their size and  increased ease
  of operation, they  are more  vulnerable to unauthorized  access.
  Also,  multi-user  machines are  sometimes  managed by  untrained
  personnel  who  do not  have adequate  time  to devote  to proper
  system management and who may not possess  a technical background
  or  understanding  of  the  system's  operation.    Thus,  it  is
  especially important for organizations who use or are considering
  machines of this nature to pay  particular attention to the risks
  of attack by unauthorized users, viruses, and related software.

  The  following sections  offer guidance  and recommendations  for
  improving  the management  and reducing  the risk  of attack  for
  multi-user computers and associated networks.

$_General Policies

  Two general policies are  suggested here.  They are  intended for
  uniform adoption throughout an organization,  i.e., they will not
  be entirely effective if they are  not uniformly followed.  These
  policies are as follows:

     - An organization must assign a dedicated system manager to
       operate each multi-user computer.   The manager should be
       trained,  if  necessary,  to  operate  the  system  in  a
       practical and secure  manner.  This individual  should be
       assigned  the  management  duties  as  part  of  his  job
       description; the management duties should not be assigned
       "on top"  of the  individual's other  duties, but  rather
       adequate time should be taken  from other duties.  System
       management  is a  demanding and  time-consuming operation
       that can  unexpectedly require  complete dedication.   As
       systems are increasingly inter-connected via networks,  a
       poorly managed system that  can be used as a  pathway for
       unauthorized access  to  other  systems  will  present  a
       significant vulnerability to an organization.   Thus, the
       job of system  manager should be assigned  carefully, and
       adequate time be given  so that the job can  be performed

     - Management needs to impress upon users the need for their
       involvement  and  cooperation in  computer  security.   A
       method  for  doing this  is  to create  an organizational
       security policy.  This policy should be a superset of all
       other  computer-related  policy,  and  should  serve   to
       clearly define what is  expected of the user.   It should
       detail  how  systems are  to be  used  and what  sorts of
       computing are permitted and not  permitted.  Users should
       read this policy  and agree  to it as  a prerequisite  to
       computer  use.   It  would also  be  helpful to  use this
       policy to create  other policies specific to  each multi-
       user system.

$_Software Management

  Effective  software management  can help  to make  a  system less
  vulnerable to  attack and can make containment  and recovery more
  successful.  Carefully controlled access to software will prevent
  or  discourage  unauthorized  access.   If  accurate  records and
  backups  are  maintained, software  restoral can  be accomplished
  with  a minimum of lost  time and data.  A  policy of testing all
  new  software,  especially  public-domain   software,  will  help
  prevent accidental infection  of a system by  viruses and related
  software.    Thus,  the  following  policies and  procedures  are

     - Use only licensed copies of  vendor software, or software
       that can be verified to be free of harmful code or  other
       destructive aspects.  Maintain complete information about
       the software, such  as the  vendor address and  telephone
       number,  the  license  number  and  version,  and  update
       information.   Store the  software in  a secure,  tamper-
       proof location.

     - Maintain configuration reports of all installed software,
       including the operating system.  This information will be
       necessary if the software must be re-installed later.

     - Prevent user access to system software and  data.  Ensure
       that  such  software   is  fully   protected,  and   that
       appropriate  monitoring  is  done to  detect  attempts at
       unauthorized access.

     - Prohibit users  from installing software.   Users  should
       first contact the system  manager regarding new software.
       The software should  then be tested on an isolated system
       to determine whether the software may contain destructive
       elements.  The isolated system should  be set up so that,
       to a practical  degree, it replicates the  target system,
       but does  not connect  to networks  or process  sensitive
       data.  A highly-skilled user knowledgeable about  viruses
       and related threats should perform the testing and ensure
       that  the  software  does  not  change  or  delete  other
       software or data.  Do not allow users to directly add any
       software  to  the  system, whether  from  public software
       repositories, or other systems, or their home systems.

     - Teach  users  to  protect  their  data  from unauthorized
       access.  Ensure that they know how to use access controls
       or  file  protection mechanisms  to  prevent others  from
       reading  or  modifying  their files.    As  possible, set
       default file protections such that when a user  creates a
       file, the file can  be accessed only by that user, and no
       others.  Each user should not permit others to use his or
       her account.

     - Do  not   set  up  directories   to   serve  as   software
       repositories  unless  technical  controls  are  used   to
       prevent users from  writing to the directory.   Make sure
       that users contact the system  manager regarding software
       they wish to place in a software repository.  It would be
       helpful  to  track  where the  software  is  installed by
       setting up a  process whereby  users must first  register
       their  names  before  they  can  copy software  from  the

     - If  developing  software, control  the update  process so
       that the  software is not modified without authorization.
       Use a  software  management and  control  application  to
       control  access  to  the  software  and to  automate  the
       logging of modifications.

     - Accept system and  application bug fixes or  patches only
       from  highly  reliable  sources,  such  as  the  software
       vendor.  Do  not accept  patches from anonymous  sources,
       such as received via a network.  Test the new software on
       an isolated system  to ensure that the  software does not
       make an existing problem worse.

$_Technical Controls

  Many  multi-user  computers   contain  basic  built-in  technical
  controls.   These  include  user  authentication  via  passwords,
  levels of user  privilege, and  file access controls.   By  using
  these  basic  controls  effectively, managers  can  significantly
  reduce the risk of attack by  preventing or deterring viruses and
  related threats from accessing a system.

  Perhaps   the   most   important   technical   control   is  user
  authentication, with the most widely used form of authentication
  being a username associated with a  password.  Every user account
  should use a password that is  deliberately chosen so that simple
  attempts  at  password  cracking  cannot  occur.    An  effective
  password should not consist of a  person's name or a recognizable
  word, but rather should consist of alphanumeric characters and/or
  strings of words  that cannot easily  be guessed.  The  passwords
  should be changed  at regular intervals,  such as every three  to
  six months.  Some systems include or can be modified to include a
  password history, to  prevent users  from reusing old  passwords.

  The  username/password mechanism  can  sometimes be  modified  to
  reduce opportunities  for password  cracking.  One  method is  to
  increase the running time of  the password encryption to  several
  seconds.   Another method is to  cause the user login  program to
  accept from three  to five incorrect  password attempts in a  row
  before disabling  the  user account  for several  minutes.   Both
  methods  significantly  increase the  amount  of time  a password
  cracker would spend  when making repeated attempts at  guessing a
  password.  A method for ensuring  that passwords are difficult to
  crack involves  the use  of a  program that  could systematically
  guess passwords,  and then  send warning messages  to the  system
  manager and corresponding users if successful.  The program could
  attempt passwords that  are permutations of each  user's name, as
  well as using words from an on-line dictionary.
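The password checker this paragraph describes, as an added Python example that is not code from the original guide: it tests candidate passwords against the account name, parts of the user's full name (forwards and reversed) and a word list, and reports the accounts that need a warning. The word list, account names and passwords below are constructed; a real checker would run at password-change time against the system's own dictionary and history.

```python
import re

# Constructed stand-in for the on-line dictionary the text mentions.
DICTIONARY = {"password", "secret", "welcome", "payroll", "dragon",
              "letmein", "computer", "system", "manager", "monday"}
MIN_LENGTH = 8


def letters_only(text):
    """Lower-case letters of text with digits and punctuation stripped,
    so that 'Payroll99' and 'payroll' are compared as the same core."""
    return re.sub(r"[^a-z]", "", text.lower())


def name_derived(username, full_name, password):
    """True if the password's core is the account name, a part of the
    user's full name, or one of those spelled backwards."""
    core = letters_only(password)
    for part in [username] + full_name.split():
        p = part.lower()
        if core in (p, p[::-1]):
            return True
    return False


def weaknesses(username, password, full_name="", history=()):
    """Return the reasons a candidate password fails the guidance;
    an empty list means it passes every check."""
    reasons = []
    words = re.findall(r"[a-z]+", password.lower())
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if name_derived(username, full_name, password):
        reasons.append("derived from the user's name")
    if letters_only(password) in DICTIONARY:
        reasons.append("a dictionary word")
    # Accept either mixed letters and digits or a phrase of 3+ words.
    has_letter = re.search(r"[A-Za-z]", password) is not None
    has_digit = re.search(r"\d", password) is not None
    if len(words) < 3 and not (has_letter and has_digit):
        reasons.append("neither mixed alphanumeric nor a multi-word phrase")
    if password in history:
        reasons.append("reused from password history")
    return reasons


def audit_accounts(accounts, history=None):
    """Run the checker over every account and return {username: reasons}
    for those that need a warning sent to the user and system manager."""
    history = history or {}
    findings = {}
    for user, (full_name, password) in accounts.items():
        reasons = weaknesses(user, password, full_name, history.get(user, ()))
        if reasons:
            findings[user] = reasons
    return findings


# Constructed accounts (in practice the check runs when a password is set).
ACCOUNTS = {
    "jdredd": ("Judge Dredd", "jdredd7"),
    "payroll": ("Payroll Clerk", "Payroll99"),
    "ops": ("Night Operator", "granite-kettle-42"),
}

if __name__ == "__main__":
    for user, reasons in audit_accounts(ACCOUNTS).items():
        print(f"warn {user}: " + "; ".join(reasons))
```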

  Besides  user  authentication,   access  control  mechanisms  are
  perhaps  the  next  most  important  technical control.    Access
   control mechanisms permit a system  manager to selectively permit
  or bar user access  to system resources regardless of  the user's
  level of privilege.  For example, a user at a low-level of system
  privilege  can be granted access to a  resource at a higher level
  of privilege without raising the user's privilege through the use
  of an access  control that specifically grants that  user access.
  Usually,  the access control  can determine  the type  of access,
  e.g.,  read  or  write.   Some  access  controls  can send  alarm
  messages  to audit logs  or the system  manager when unsuccessful
  attempts are  made  to access  resources protected  by an  access

  Systems which do not use access controls  usually contain another
  more  basic form  that grants  access based  on user  categories.
  Usually, there are four: owner, where only the user who "owns" or
  creates the resource  can access it;  group, where anyone in  the
  same group as the owner can access the resource; world, where all
  users can access the resource; and system, which  supersedes all
  other user privileges.   Usually, a file or directory can  be set
  up to allow any combination of the four.  Unlike access controls,
  this scheme doesn't permit access to resources on a specific user
  basis, thus if a user at a low level of privilege requires access
  to  a  system level  resource, the  user  must be  granted system
  privilege.    However,   if  used  carefully,  this   scheme  can
  adequately  protect  users'  files from  being  accessed  without
  authorization.  The  most effective  mode is to  create a  unique
  group  for each  user.   Some systems  may permit a  default file
  permission mask  to be set  so that every  file created would  be
  accessible only by the file's owner.

  Other technical control guidelines are as follows:

     - Do  not  use  the  same   password  on  several  systems.
       Additionally,  sets  of   computers  that  are   mutually
       trusting in the sense that login to one constitutes login
       to all should be carefully controlled.

     - Disable  or  remove  old  or unnecessary  user  accounts.
       Whenever users leave  an organization or no  longer use a
       system, change all passwords that the users had knowledge

     - Practice a  "least privilege"  policy, whereby  users are
       restricted to accessing resources on a need-to-know basis
       only.    User  privileges  should  be as  restricting  as
       possible without adversely  affecting the performance  of
       their  work.   To  determine  what  level  of  access  is
       required, err first  by setting privileges to  their most
       restrictive,  and  upgrade  them as  necessary.    If the
       system uses access controls, attempt to maintain a user's
       system privileges at  a low level while using  the access
       controls  to  specifically grant  access to  the required

     - Users are generally able to determine other users' access
       to their files  and directories,  thus instruct users  to
       carefully maintain their files  and directories such that
       they are not accessible,  or at a minimum,  not writable,
       by  other  users.     As   possible,  set  default   file
       protections such  that files  and directories created  by
       each user are accessible by only that user.

     - When  using modems,  do not  provide more  access to  the
       system than is necessary.  For  example, if only dial-out
       service  is required, set up the  modem or telephone line
       so  that dial-in  service is  not  possible.   If dial-in
       service  is   necessary,  use  modems  that   require  an
       additional  password  or  modems  that  use  a  call-back
       mechanism.  These modems may work such that a caller must
       first  identify   himself  to   the  system.     If   the
       identification has been pre-recorded with  the system and
       therefore valid,  the system  then calls  back at  a pre-
       recorded telephone number.

     - If file  encryption mechanisms are  available, make  them
       accessible to users.  Users may wish to use encryption as
       a  further  means of  protecting  the confidentiality  of
       their files, especially  if the system is  accessible via
       networks or modems.

     - Include  software so  that users  can temporarily  "lock"
       their terminals from accepting keystrokes while they  are
       away.  Use software that  automatically disables a user's
       account if no  activity occurs after a  certain interval,
       such as 10 - 15 minutes.

$_Monitoring

  Many  multi-user systems  provide a  mechanism for  automatically
  recording  some  aspects  of  user  and  system  activity.   This
  monitoring  mechanism,  if  used regularly,  can  help  to detect
  evidence of viruses and  related threats.  Early detection  is of
  great  value, because  malicious software  potentially can  cause
  significant damage within a matter of  minutes.  Once evidence of
  an  attack  has  been  verified,  managers  can  use  contingency
  procedures to contain and recover from any resultant damage.

  Effective  monitoring   also  requires   user  involvement,   and
  therefore,  user education.  Users must  have some guidelines for
  what constitutes normal and abnormal  system activity.  They need
  to be aware of such items  as whether files have been changed  in
  content,  date, or by access permissions,  whether disk space has
  become suddenly full, and whether  abnormal error messages occur.
  They need to know whom to contact to report signs of  trouble and
  then the steps to take to contain any damage.

  The following  policies and procedures  for effective  monitoring
  are recommended:

     - Use  the  system   monitoring/auditing  tools  that   are
       available.    Follow the  procedures  recommended  by the
       system vendor, or start out by enabling the full level or
       most  detailed  level  of  monitoring.     Use  tools  as
       available to help read the logs, and determine what level
       of monitoring is adequate,  and cut back on the  level of
       detail  as  necessary.   Be  on the  guard  for excessive
       attempts to access  accounts or other resources  that are
       protected.  Examine the log regularly, at least weekly if
       not more often.

     - As  a  further aid  to  monitoring, use  alarm mechanisms
       found in some access  controls.  These mechanisms  send a
       message to the audit  log whenever an attempt is  made to
       access a resource protected by an access control.

     - If no system  monitoring is available, or  if the present
       mechanism is unwieldy or not sufficient,  investigate and
       purchase  other  monitoring  tools as  available.    Some
       third-party software companies sell monitoring tools  for
       major operating systems  with capabilities that supersede
       those of the vendor's.

     - Educate  users  so  that   they  understand  the   normal
       operating  aspects of the system.   Ensure that they have
       quick access  to an  individual or  group who  can answer
       their   questions   and   investigate   potential   virus

     - Purchase or build system sweep programs to checksum files
       at night, and report differences from previous runs.  Use
       a password checker to monitor whether passwords are being
       used effectively.

     - Always report,  log, and  investigate security  problems,
       even when the problems appear insignificant.  Use the log
       as input into regular security reviews.  Use the  reviews
       as a means  for evaluating the effectiveness  of security
       policies and procedures.

     - Enforce  some  form   of  sanctions  against   users  who
       consistently  violate  or  attempt  to  violate  security
       policies and procedures.  Use the audit logs as evidence,
       and bar the users from system use.
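The nightly "sweep program" recommended above, as an added Python example that is not code from the original guide: it checksums a directory tree, compares the result with the manifest saved by the previous run, and reports files that were added, removed or changed. The sample tree and file names in demo() are constructed.

```python
import hashlib
import json
import os
import tempfile


def checksum_tree(root):
    """Return {relative path: sha256 hex digest} for every regular
    file under root, reading in chunks so large files are fine."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root)] = digest.hexdigest()
    return manifest


def compare(previous, current):
    """Differences between two manifests as sorted path lists."""
    old, new = set(previous), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if previous[p] != current[p]),
    }


def sweep(root, manifest_path):
    """One run: load the previous manifest (if any), checksum root,
    report differences, then save the new manifest for the next run.
    Keep the manifest outside root on media users cannot write, or a
    change could be hidden by rewriting the manifest as well."""
    previous = {}
    if os.path.exists(manifest_path):
        with open(manifest_path) as fh:
            previous = json.load(fh)
    current = checksum_tree(root)
    report = compare(previous, current)
    with open(manifest_path, "w") as fh:
        json.dump(current, fh, indent=1, sort_keys=True)
    return report


def demo():
    """Constructed scenario: a baseline run, then a command file is
    altered, one file appears and one disappears before the next run."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "sys")
    os.makedirs(os.path.join(root, "bin"))
    login = os.path.join(root, "bin", "login.com")
    backup = os.path.join(root, "bin", "backup.com")
    with open(login, "w") as fh:
        fh.write("$ ! original login command file\n")
    with open(backup, "w") as fh:
        fh.write("$ ! nightly backup procedure\n")
    manifest = os.path.join(base, "manifest.json")
    first = sweep(root, manifest)            # baseline: all files "added"
    with open(login, "a") as fh:             # a command file is altered
        fh.write("$ ! line that was not there before\n")
    with open(os.path.join(root, "bin", "extra.exe"), "wb") as fh:
        fh.write(b"\x00new program\x00")
    os.remove(backup)
    second = sweep(root, manifest)
    return first, second


if __name__ == "__main__":
    for label, report in zip(("baseline", "next night"), demo()):
        print(label, report)
```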

$_Contingency Planning

  As  stressed  in  part II,  backups  are  the  most  important
  contingency planning  activity.  A  system manager must  plan for
  the eventuality of having  to restore all software and  data from
  backup  tapes  for any  number  of  reasons, such  as  disk drive
  failure or upgrades.  It has been shown that viruses and  related
  threats  could potentially  and unexpectedly  destroy all  system
  information  or  render  it  useless,  thus managers  should  pay
  particular   attention  to  the  effectiveness  of  their  backup
  policies.   Backup  policies  will vary  from  system to  system;
  however, backups should be performed daily, with a minimum of several
  months' backup history.   Backup  tapes should be  verified to  be
  accurate, and should be stored off-site in a secured location.

  Viruses and  related software threats  could go  undetected in  a
  system  for months  to years, and  thus could be  backed up along
  with  normal  system data.    If  such a  program  would suddenly
  trigger  and cause damage, it may  require much searching through
  old backups to determine  when the program first appeared  or was
  infected.   Therefore the safest  policy is to  restore programs,
  i.e., executable and  command files,  from their original  vendor
  media only.   Only system data  that is non-executable should  be
  restored from regular backups.  Of course, in the case of command
  files or batch procedures  that are developed or modified  in the
  course of daily system  activity, these may need to  be inspected
  manually to ensure that they have not been modified or damaged.

  Other recommended contingency planning activities are as follows:

     - Create a security distribution list  for hand-out to each
       user.  The list should include  the system manager's name
       and number, and other similar information for individuals
       who can  answer  users'  questions  about  suspicious  or
       unusual system activity.   The list should  indicate when
       to contact these individuals, and where to reach  them in

     - Coordinate with  other  system  managers,  especially  if
       their  computers  are  connected  to  the  same  network.
       Ensure that all can be contacted  quickly in the event of
       a network emergency  by using  some mechanism other  than
       the network.

     - Besides  observing physical  security for  the system  as
       well as its  software and backup media,  locate terminals
       in offices that can be locked or in other secure areas.

     - If users are accessing the  system via personal computers
       and terminal emulation  software, keep a record  of where
       the personal computers  are located and their  network or
       port address for monitoring  purposes.  Control carefully
       whether such users are uploading software to the system.

     - Exercise caution when  accepting system patches.   Do not
       accept patches that arrive over a network unless there is
       a high degree of certainty  as to their validity.  It  is
       best to accept patches only from the appropriate software

$_Associated Network Concerns

  Multi-user  computers are  more often associated  with relatively
  large  networks  than  very  localized  local  area  networks  or
  personal  computer  networks  that  may   use  dedicated  network
  servers.  The viewpoint taken here is that wide area network  and
  large local  area network  security is  essentially a  collective
  function of the systems connected to the network, i.e., it is not
  practical for a controlling system to monitor all network traffic
  and differentiate  between authorized  and unauthorized  use.   A
  system manager  should generally assume that  network connections
  pose inherent risks of  unauthorized access to the system  in the
  forms  of unauthorized  users and  malicious software.   Thus,  a
  system manager  needs to  protect the  system from  network-borne
  threats and likewise exercise responsibility by ensuring that his
  system is not  a source of such  threats, while at the  same time
  making  network connections available to users as necessary.  The
  accomplishment  of these aims  will require the  use of technical
  controls  to  restrict  certain types  of  access,  monitoring to
  detect violations, and a certain amount  of trust that users will
  use the controls and follow the policies.

  Some guidelines for using networks in a more secure manner are as

     - Assume  that network  connections  elevate  the  risk  of
       unauthorized access.  Place network connections on systems
       which  provide adequate  controls,  such  as strong  user
       authentication  and  access  control  mechanisms.   Avoid
       placing  network  connections  on  systems  which  process
       sensitive data.

     - If the system permits, require  an additional password or
       form of authentication for accounts accessed from network
       ports.    If possible,  do  not permit  access  to system
       manager accounts from network ports.

     - If  anonymous   or  guest   accounts   are  used,   place
       restrictions  on  the  types  of  commands  that  can  be
       executed  from  the  account.    Don't permit  access  to
       software tools,  commands that  can increase  privileges,
       and so forth.

     - As  possible,  monitor usage  of the  network.   Check if
       network connections are made at odd hours, such as during
       the night, or if repeated attempts are made  to log in to
       the system from a network port.

     - When more  than  one computer  is connected  to the  same
       network,  arrange the  connections  so that  one  machine
       serves as a central gateway for the other machines.  This
       will allow a rapid disconnect from the network in case of
       an attack.

     - Ensure that users  are fully  educated in network  usage.
       Make  them  aware  of the  additional  risks  involved in
       network access.  Instruct them to be on the alert for any
       signs of tampering, and to  contact an appropriate person
       if they detect any suspicious activity.  Create a  policy
       for responsible network  usage that details what  sort of
       computing activity will and will  not be tolerated.  Have
       users read the policy as a prerequisite to network use.

     - Warn  users to  be suspicious  of  any messages  that are
       received from unidentified or unknown sources.

     - Don't advertise  a system  to network  users by  printing
       more information than necessary on a welcome banner.  For
       example, don't include  messages such as "Welcome  to the
       Payroll Accounting System"  that may cause the  system to
       be more attractive to unauthorized users.

     - Don't network  to outside organizations  without a mutual
       review of security practices