Chinks begin to appear in the antivirus armor

Eighteen months ago, my company, a large financial services organization, suffered a number of attacks that were stopped mostly by luck. With the awareness of security raised, management hired me as information security manager to secure their infrastructure and operations.

I manage a team of five people, with an annual budget of just under US$750,000. With these resources, I protect 4,315 IP-connected devices and 617 staffers from the real and imaginary threats of the New Economy -- and keep our regulators and customers convinced that we're a safe and trustworthy organization.

How do I know we have 4,315 connected devices? We have a vulnerability scanning system. That sounds terribly impressive, but really it consists of a ping sweep followed by the use of nmap freeware port scanner software and Internet Scanner software from Internet Security Systems Inc. in Atlanta. This would be easier if my company maintained an accurate inventory of the equipment it bought and deployed, but with the organization split between development and operations, there's no central tracking of computers.

I highly recommend checking the connected operating systems on your network. We mostly use Windows NT Workstation 4 on the desktop, some Windows NT 4 servers, Sun Solaris systems and a healthy wedge of back-office servers running OpenVMS. All these operating systems are linked by Cisco Systems Inc. routers and switches.

But we knew that before we ran the tests. The useful data is the strange other network stacks we detected:the printers, the developers trying out betas of Windows 2000 and Linux without permission, and even partner organizations, like those that manage the phone system, connecting firewalls and some non-Y2k-compliant versions of Windows 3.1.

And those 617 people? I wish I could say I knew them all. Like other financial services companies, we have many contractors and high staff turnover. Nonetheless, I must educate them all in the basics of information security.

To keep control of the staff changes, we've set up a system that takes a feed from the human resources database and matches it to all the user accounts across our infrastructure. For the past three months, we've been clearing up the discrepancies. With 28,652 accounts in our environment, that was a lot of work. I'm not convinced of the real value of this cleanup, because most of the accounts were expired before we deleted them. But this kind of work really delights internal and external audit, so that alone makes it worthwhile. This would be easier if the human resources database were correct, but at least we have eradicated some of the errors.

Shipshape Firewalls

Having an inventory of accounts and systems gives us a feel for what we have to protect. That protection consists of two firewalls: FireWall-1 from Checkpoint Software Technologies Ltd. in Redwood City, Calif., and the Secure Pix Firewall from San Jose-based Cisco. Like the best-designed oil tankers, we have a double-walled hull protecting us from the harsh outside world.

And just as such tankers can sink, we expect our firewalls to fail despite our best efforts, and therefore, we have host and network intrusion-detection systems. These also protect us from insider threats, if the attack is a well-known script-kiddie-style one. If a more competent attack occurs, we'll still catch it because we use integrity assessment tools and honeypots.

The integrity assessment tools maintain an off-line, more-difficult-to-hack database of file details. If any file is changed, we can tell when we compare the live and stored records on a daily basis. We also do random spot-checks in case someone is smart enough to figure out when we're going to do it. This also tells us when developers or support staff have made a quick fix to a live server without going through testing or change control.

The Virus Threat

Our protection from external hackers and malicious insiders is fairly thorough. However, despite all the wonderful hype on security vendor Web sites, the highest risk we face in terms of downtime and lost revenue is virus infection.

This Week's Glossary

Ping sweep: Using the Internet Control Message Protocol, you can tell what devices are on your network by trying to connect to each of the possible IP addresses in turn. This is like ringing each doorbell on a street to see who's in.

Script kiddie: A hacker who is too lame to write his own code so instead uses point-and-click tools to attack machines. You can detect these from the accounting logs on the hacked machines. If they manage to hack root on your critical Unix server, then type "dir," you know you've been had by a script kiddie.

Honeypots: A term stolen from the world of espionage. In the information security world, these aren't gorgeous Russian ladies leading James Bond astray, but rather hosts and files so tempting that no hacker can resist. Salary.xls is our favorite. But if you open, copy or change the file, we get paged with your details.

www.encase.com: Guidance Software Inc.'s EnCase forensics system

www.all.net: Fred Cohen & Associates' ForensiX

www.insecure.org/nmap: Nmap, the leading freeware network scanning tool

Our strategy includes VirusScan from Santa Clara, Calif.-based Network Associates Inc. on the desktops; Sophos Anti-Virus from U.K.-based Sophos PLC on the file servers; MIMEsweeper from Bellevue, Wash.-based Content Technologies Inc. at the e-mail gateway; and WebManager from Cupertino, Calif.-based Trend Micro Inc. at the Web proxy server.

We have associated .vbs extensions with a notepad at the desktop to stop the threat of new Love Bug variants like the Anna Kournikova worm. And we are rolling out Microsoft Corp.'s patch to stop the sending of various file types from the desktop.

Despite all this, we still get virus outbreaks. Not many, but it doesn't take much to ruin our careful public relations image. We expend a huge overhead managing this multivendor multilayer protection. I have a free T-shirt for the reader who has the best product tip or approach to improving the management of an antivirus program.

All this lets us know when the bad guys or malicious code or foolish insider does something wrong, but in today's increasingly litigious world, how can we prove it?

We use the EnCase forensics system from Pasadena, Calif.-based Guidance Software Inc. for Windows NT desktops and are looking at ForensiX from Livermore, Calif.-based Fred Cohen & Associates for the Unix world. These products let you take a cryptographically sound copy of a disk and search it to find deleted files, naughty images or whatever dirt a user has been getting his hands into (and, yes, it's always a he in these cases). I suppose I could see a point to downloading pornography in the privacy of one's own home, but I still don't understand why anyone would download it at work.

So, all I have to do in the next three weeks is deploy a method to provide secure e-mail to our board members at their companies for minutes of their meetings and provide our critical internal monitoring data to an outsourced partner.

I'm out of the office for the next week to complete certification and training on some of our security infrastructure, and my manager is out of the country for two weeks, so I'm also acting head of infrastructure.

As I try to keep all the plates spinning, if you have any advice or insights, the Security Manager's Journal forum is always open for discussion.

This story, "Chinks begin to appear in the antivirus armor" was originally published by Computerworld.

Insider: How the basic tech behind the Internet works
Join the discussion
Be the first to comment on this article. Our Commenting Policies