When the Nimda worm struck in 2001, one of its many US victims was the Virginia Hospital Centre in Arlington. The worm crashed servers, erased data and forced VHC to hire a consultant.
"It deleted files and brought a couple of servers to their knees," says IT director Mark Rein, who joined VHC a year after Nimda struck. "We had to have a company come in and eradicate the virus."
Fortunately, the virus didn't attack patient data. But it did provide a wake-up call, making VHC aware that it needed better email security. There wasn't a silver bullet that could stop all viruses and - nearly as bad - spam, so VHC opted for multiple overlapping defences.
Today, the hospital is protected by five layers of antivirus and antispam defences: an email relay and antivirus product called eSafe from Aladdin Knowledge Systems; an antispam and antivirus device from MailFrontier; Symantec antivirus software on the email servers and desktops; and a Web filter from Websense to monitor HTTP traffic and prevent employees from accidentally downloading viruses from the Web.
Finally, the hospital uses a Juniper Networks intrusion detection and prevention (IDS/IPS) product to alert IT staff to anomalies in network traffic or unauthorised software on the system.
Sounds excessive? In this era of massive malware attacks, such multiple layers of defence are, in fact, not paranoid but prudent.
In a March report from Ferris Research in San Francisco, antivirus software vendors said that there were nearly 100,000 viruses in existence then, and that the number is increasing each month. Finnish antivirus vendor F-Secure notes that the largest virus outbreak in 2004, MyDoom.A, churned out nearly 10 percent of global email at its peak.
Another problem is spyware and adware, small programs that install themselves on a PC and either push out advertising or, in the case of spyware, track user activities. Such programs can come from the most innocent of sources.
Last fall, for example, the US Department of Energy's office in Carlsbad, New Mexico, was perplexed by a sudden flood of pop-up pornographic ads on employee PCs. "We couldn't understand how we were getting all this traffic from adult sites," says Paul DeVito, information systems site security manager.
His staff traced it to a weather site used by the DOE that had been hacked and was downloading X-rated adware to visitors' PCs.
Besides cutting productivity, adware and spyware can also cause computer problems and worse. "It can cause instability in PCs, operations to crash, slow performance," notes Chris Williams, a senior analyst at Ferris Research. "And it can log your keystrokes and report those back to a Web site, so your network log-in is being compromised."
How can a company shore up its servers and desktops against this rising tide of malware? First, say experts, educate employees on spam and viruses. But education can go only so far; technology is also needed. Here are five steps for defending against malware.
Restrict user privileges: The fewer the system privileges on a user's desktop, the fewer opportunities there are for viruses and spyware to take over, says Andrew Jaquith, an analyst at The Yankee Group in Boston. "The biggest reason companies have spyware problems is the user privileges are set too high," he says.
IT may also opt to block certain types of attachments, such as executable or Zip files, and prevent access to certain Web sites. The DOE's Carlsbad office now uses Websense software to block access to adware- and spyware-heavy sites, such as gambling sites. It also relies on an email firewall from Tumbleweed Communications with built-in McAfee antivirus and spyware filtering tools.
Apply patches immediately: Installing security patches and updates is critical, regardless of how much antivirus protection you may have. For example, JetBlue Airways in New York has layers of antivirus and antispam defences, but its IT staff also apply new security patches promptly, says Lesen Wang, IT email systems administrator at JetBlue.
"Even with an antivirus program, a virus can get through," he says. Two years ago, for example, JetBlue's desktops were infected by the Blaster virus because they hadn't been patched, but the airline's servers, which had received regular updates, remained unaffected.
Switch to alternative email packages: While not guaranteed to be shielded against viruses, non-standard (that is, non-Microsoft) software is less likely to be targeted by virus writers.
Thus, Brett McKeachnie, network systems administrator at Utah Valley State College, reports that the school, which uses Novell GroupWise, never had a virus problem and didn't realise it was receiving viruses until it installed iSolation Server, an email security product from local company Avinti.
"Avinti put an iSolation Server into the mail stream, and the next thing you know, we've got 40 to 50 viruses hitting the filter," says McKeachnie. However, not everyone at Utah Valley State uses GroupWise — some are on Outlook — so the college remains vulnerable to virus attacks, and of course spam.
Build a multilayered defence: There are several approaches to antivirus and antispam protection, none of which is 100 percent effective. So using two or more is a useful strategy, say experts.
Techniques for blocking spam include maintaining blacklists of spammers' Internet addresses and employing the challenge/response strategy, which attempts to catch spammers by asking a suspicious sender to resend the message, the assumption being that an automated spam program won't reply. Another option is Bayesian filters, which learn to recognise spam from samples that an IT administrator or an end user feeds it. The filter then uses probability scores to decide whether an email is likely to be spam.
Signature-based scanning is the most common approach for identifying viruses, but it doesn't help when there's a brand-new virus on the loose. The "zero hour" problem - the time lag between the initial release of a new virus and the point when an antivirus software vendor can issue a patch update - is the biggest problem with signature-based products, especially since the gap can be as long as eight hours. Companies relying solely on pattern-based antivirus protection are vulnerable to new viruses during that time.
One technique that attempts to close this gap is blocking technology that shuts down access to certain systems if it detects any initial virus activity. For example, JetBlue used Trend Micro's signature-based ServerProtect, but it opted to add IronPort's C-Series antivirus and antispam device, which includes a blocking technology called Virus Outbreak Filter. The filter quarantines suspect email if it detects a new virus outbreak based on data from IronPort's SenderBase email monitoring network.
Yet another approach to blocking viruses is heuristics scanning, which detects viruses by analysing a file's structure, behaviour and other attributes instead of looking for a pattern match in the code.
The bottom line, say experts, is that two or more defensive technologies, whether in different products or combined in one, are better than one.
And just as using two types of antivirus or antispam software can increase your odds of catching malware, so too can locating defensive products at different points on your network. Firewalls, SMTP gateways, HTTP gateways, email and file servers, and desktops are all good places to defend.
Monrovia Nursery, a plant and flower wholesaler in California, recently added its fourth layer of security: an MailFrontier antispam and antivirus gateway. The new gateway complements an existing firewall, which blocks attachments such as Visual Basic scripts, and antivirus software from Symantec on its email servers and desktops. "It's another layer of protection," says Ray Martin, Monrovia's IS technical manager. "Redundancy and variety are good when it comes to email security."
The main point of a multilayered defence, says Richi Jennings, a Ferris Research analyst, is to cover all of the potential points where a virus could enter. Too often, he says, companies think they're immune to viruses, when in fact they've failed to cover a key point of entry.
"You may feel you have a clean architecture, with virus scanning on the perimeter of the network," Jennings says. "But if you've forgotten a vector, such as a laptop that has a virus and gets plugged into the company network, then suddenly you've got a bunch of infected machines because you didn't put antivirus on the desktops."
Use an outside service: If you want a multitiered defence without having to purchase individual products and implement them, an outside antivirus and antispam service may be the answer. Companies such as MessageLabs and Postini will intercept and clean your email of viruses and spam before sending it to your email server, thus sparing you the software and hardware expense of scanning and processing your own email.
Internet service providers may offer antivirus and antispam filtering services to corporate clients. For example, virus and spam filtering at Bata Canada, a unit of shoe manufacturer and retailer Bata International, is handled by Bata's service provider, Pathway Communications.
One major advantage, according to Eli Gabbay, manager of IT technical support at Bata, is the ability to offload some of the administrative chores to Pathway. "I found [antispam and antivirus software] to be very complicated. There's a lot of work for me to do to maintain it," he explains. "Now the only thing I need to do is put any spam that gets through into a folder, and Pathway adds it to its database."
Typically, antivirus services use signature-based scanning in combination with other approaches to optimise their success rates. And they clean up the email before it ever reaches their customers' servers. Some users are also turning to antivirus and antispam service providers to clean up their email before it even hits their firewalls.
Euro RSCG Worldwide, an international advertising and marketing firm with 233 agencies, turned to MessageLabs for help in dealing with a rising flood of spam that threatened to overload its email servers.
"We had more spam coming in than legitimate e-mail," says CIO John Tanner. "It got to the point, last August, where we were going to have to increase our hardware by 33 percent."
Euro RSCG tried blocking spam at the firewall with blacklists, but that approach resulted sometimes in blocked mail from prospective clients whose addresses or email servers had been hijacked by spammers. So the ad agency tried the MessageLabs service, which culls spam and viruses before sending the clean mail on.
Of course, the company still uses antivirus software on its servers and desktops to be safe. But so far, spam has ceased to be a problem. "I don't have to manage any hardware or software. I don't have to worry about upgrading hardware because spam has increased," says Tanner. "Spam has disappeared from the planet for us."
Find your next job with techworld jobs