Viruses A Weak Threat? Think Again

By Lynn Haber


Last year Quest Inc., an 18-year-old Sacramento, Calif., technology consultancy, experienced no significant downtime from virus attacks on its network security architecture.

So why, when its antivirus software license expired late last year, did the $100 million company undertake a thorough examination of the latest technology designed to zap productivity-sapping viruses?

Sheer volume. The number of viruses received by computers in Quest's network skyrocketed in 2000 over the previous year. While none had a major effect, network administrator Stephanie Buckmaster was concerned enough about the increase -- and the time required for her staff to distribute virus updates and security patches to the company's 180 employees in three offices -- to spend time and money to determine which antivirus system would work best for Quest.

At a Glance

The company: Quest Inc., an 18-year-old technology consulting and management company based in Sacramento, Calif., with $100 million in 2000 revenues and 180 employees in 3 locations.

The problem: Ensure the latest in antivirus protection while slashing time spent by IT staff with updates and management.

The solution: Quest bought Norton/Symantec's AntiVirus Solution V7.5, which satisfied criteria of price, ease of use, and manageability.

After scouring the market, Quest bought the Norton Antivirus Solution V7.5, sold by Symantec Corp. of Cupertino, Calif. Not only was the product highly rated, Buckmaster said, it met the company's criteria for ease of use, manageability, and price. "The vendor was also quick to jump on the opportunity to partner with us and help install the software and train users," she said.

Quest installed the antivirus software on about 160 devices, including workstations, laptops, and both e-mail and data servers.

Quest is one of many organizations realizing they've got to take a broader look at the process of keeping malicious code from infiltrating their networks. Even if fighting viruses is not as sexy a security technology as firewalls, intrusion detection, or other techniques flooding the market, it's vital.

Why? More than a decade ago, industry reports of antivirus activity occurred one to two times per month. Today, 10 to 15 viruses are reported each day, said David Perry, public education director at TrendMicro Inc. in Cupertino. And while 96 percent of all enterprise desktops are protected with antivirus software, viruses continue to pose an enormous security threat.

The problem has escalated largely because of the growth of points in a network where a virus can infiltrate -- mainly proliferating numbers of file servers, e-mail servers, and Internet gateways. Viruses exploit security holes in operating systems or applications, and the greater the system's complexity, the greater the likelihood of a breach.

Viruses are also commonly introduced when mobile workers or telecommuters install floppy disks brought from home. Most famously, hacking has become a competitive sport, with many hackers viewing the authoring of new viruses as more challenge than crime.

"Viruses are the most frequent security breach that enterprises face on a daily basis," said Arabella Hallowell, senior analyst at the Gartner Group of Stamford, Conn., who ranks antivirus software among a company's most critical investments.

Any organization not staying on top of virus fighting risks serious losses. Just look at the data: Computer Economics, a Carlsbad, Calif., research company, estimated that the iloveyou attack in May 2000 cost businesses $6.7 billion in one week. The firm calculated that productivity loss for each desktop infected by the virus averaged $1,500, with three to four days of downtime.

So it's no surprise when industry watchers describe antivirus security as moving out of the stepsister role in which it's languished in the security software family.

A New Approach

The newest trend: a multi-level, multi-point approach. Vendors like TrendMicro, Symantec and McAfee, a subsidiary of Network Associates of Santa Clara, Calif., recommend that network managers ramp up antivirus security to defend more vulnerability points such as file servers, desktops, Internet gateways, e-mail servers, and firewalls.

Additionally, antivirus protection is about more than software. It's about centralized management -- that is, knowing all systems in the IT environment and ensuring that all security data are updated and the latest virus signatures deployed.

The antivirus solution previously used at Quest required a technician to spend about a day each week managing the software. The technician had to get antivirus updates and e-mail them to users on a regular basis, help users install them, confirm that they were done correctly, and fix any problems.

Now all that is managed centrally, with updates pushed to users' desktops through the corporate network. In addition, Quest's 50 notebook users -- who formerly had to receive updates from network administrators during their infrequent office visits -- now receive automatic updates whenever they connect to the Internet on the road, or when they connect to the office network.

Quest considers such control the key to its antivirus system. "Ninety-five percent of the management is now automatic," Buckmaster said, making oversight far more efficient.

Just as for tech consultancy Quest Inc., problems with the antivirus technology used by the Louisiana Department of Public Safety (LDPS) centered as much on system management as on virus fighting.

As described by Dennis Weber, the department's information services technical support supervisor, updating the latest antivirus signatures was a cumbersome process. Technicians would download updates from the Internet and post them on the department's intranet for employees to access. While this made the updates available to all, it was left to employees to retrieve them.

Given the number of offices that fall under the department's jurisdiction -- including state police, fire marshals, motor vehicles, and the gas commission -- and a total of 3,500 desktop computers and 600 laptops, it's easy to see why a technician averaged 20 hours a week simply managing the system.

When shopping for a less time-consuming way to stamp out viruses, the LDPS turned to a software maker it knew -- Computer Associates International of Islandia, N.Y., which had installed its Unicenter TNG package to manage the department's entire network. Computer Associates sells a security suite, called eTrust, that works within the TNG framework, and its antivirus component is called InoculateIT.

The LDPS has now installed InoculateIT on about half of its networked desktops and laptops, and it expects to complete the installation, including on 90 servers, by summer. That day can't come too soon for Weber, who realizes that spreading viruses is child's play even for novice hackers who would struggle to breach a firewall.

Lessons Learned

1) Antivirus security can't be left up to users to implement. Solutions must be automated.

2) Opt for centralized management to control antivirus policy across the enterprise.

3) Antivirus software only performs as well as it's managed, meaning it must be kept updated and operational.

4) Contrary to popular belief, the latest virus is generally not the most dangerous. The viruses most people catch are not new; many stick around for years and continue to create problems.

But the IT supervisor returns to the ease of system management: "With the new software, antivirus updates are automatic -- the minute a user logs onto our system the most recent protection is pushed down to the devices. Once InoculateIT is up and running, we don't have to touch it."

The result: a 20-hour technician's chore has been reduced to a 30-minute task of checking software logs once a week to ensure that the software is running smoothly.

Growing Damage

While the most damaging virus infections, such as Michelangelo, Melissa, and iloveyou, have attracted enormous publicity, many corporate execs remain ignorant of how such malicious code has multiplied in severity. Industry sources say Michelangelo took seven months to reach 75,000 people, Melissa took 10 hours to reach 3.5 million people, and iloveyou took all of three hours to reach 72 million.

Ninety percent of all viruses breach organizational gateways through e-mail, said Michael Callahan, director of product marketing at McAfee, the Network Associates security subsidiary. Virus writers are getting more creative, he said, while noting that systems have grown more vulnerable in direct proportion to their growing complexity.

The latest potential security vulnerability on the radar screen of both vendors and users: handheld devices. While most industry watchers still believe the threat to business networks from handhelds and personal digital assistants is low, they expect the situation to change as the devices proliferate. The first handheld virus -- PalmOS/Phage -- was reported last year, followed closely by the second, Liberty Crack Trojan Horse.

Within the last year most vendors have introduced antivirus protection for handheld CE- and Palm-operated devices -- McAfee with VirusScan Wireless last August, TrendMicro Inc. late last year with PC-cillin for Wireless, and Symantec Corp. in March with AntiVirus 2001 for Palm operating systems. But for the moment, sales remain scanty.

Ryan McGee, marketing manager at McAfee, said, "We're seeing a lot of enterprise interest in antivirus protection for handheld devices, but not a lot of buying." Any reports of businesses suffering significant data losses to viruses spread through handhelds would likely change that situation quickly, he added.

Thinking About Costs

As with most of today's software packages, pricing for licenses is far less than for ongoing support and maintenance.

According to McAfee, the average cost for a multitiered antivirus system for a company with 5,000 nodes is between $30 and $40 per user. Pricing includes the company's "E-Policy Orchestrator" management system.

Industry watchers insist that good customer support is mandatory when thinking about the cost of antivirus protection. (McAfee estimates that customer support can be anywhere from 7 percent to 20 percent of the total cost.) In fact, Arabella Hallowell of the Gartner Group recommends that businesses buy vendors' premium packages to ensure the best support, while also pushing for customization.

Hallowell maintains that even at its best, virus protection is still akin to firefighting -- that is, only as good as the security policy a company has in place. Not only must an organization have a policy for administering the software and maintaining antivirus updates, it also must have a plan for dealing with viruses should one attack.

"It's important to look not only at what vendors do to prevent viruses but what types of resources they provide to help clean up after a virus strikes," the analyst said.

For any business serious about best IT practices and protecting networks at their point of greatest weakness, antivirus protection across the enterprise has become a non-negotiable item. As Weber of LDPS put it, "Because of e-mail, the door is always open unless a company has good antivirus protection in place."

Lynn Haber reports on IT and business technology issues from Norwell, Mass. She can be reached at lthaber@mediaone.net.