John Wack, Lisa Carnahan
Computer Systems Technology, NIST Special Publication
August 1989
Computer viruses and related threats represent an increasingly serious security problem in computing systems and networks. This document presents guidelines for preventing, deterring, containing, and recovering from attacks by viruses and related threats. This section acquaints senior management with the nature of the problem and outlines some of the steps that can be taken to reduce an organization's vulnerability.
Computer viruses are the most widely recognized example of a class of programs written to cause some form of intentional damage to computer systems or networks. A computer virus performs two basic functions: it copies itself to other programs, thereby infecting them, and it executes the instructions the author has included in it. Depending on the author's motives, a program infected with a virus may cause damage immediately upon its execution, or it may wait until a certain event has occurred, such as a particular date and time. The damage can vary widely, and can be so extensive as to require the complete rebuilding of all system software and data. Because viruses can spread rapidly to other programs and systems, the damage can multiply geometrically.
Related threats include other forms of destructive programs such as Trojan horses and network worms. Collectively, they are sometimes referred to as malicious software. These programs are often written to masquerade as useful programs, so that users are induced into copying them and sharing them with friends and work colleagues. The malicious software phenomenon is fundamentally a people problem, as it is authored and initially spread by individuals who use systems in an unauthorized manner. Thus, the threat of unauthorized use, by unauthorized and authorized users, must be addressed as a part of virus prevention.
Unauthorized users and malicious software may gain access to systems through inadequate system security mechanisms, through security holes in applications or systems, and through weaknesses in computer management, such as the failure to properly use existing security mechanisms. Malicious software can be copied intentionally onto systems, or be spread when users unwittingly copy and share infected software obtained from public software repositories, such as software bulletin boards and shareware. Because malicious software often hides its destructive nature by performing or claiming to perform some useful function, users generally don't suspect that they are copying and spreading the problem.
Viruses and related threats, while not a recent phenomenon, have had relatively little attention focused on them in the past. They occurred less frequently and caused relatively little damage. For these reasons, they were frequently treated lightly in computer design and by management, even though their potential for harm was known to be great.
Computer users have become increasingly proficient and sophisticated. Software applications are increasingly complex, making their bugs and security loopholes more difficult for the manufacturer to detect and correct initially. In conjunction with these two factors, some brands of software are now widely used, thus their bugs and security loopholes are often known to users. With the widespread use of personal computers that lack effective security mechanisms, it is relatively easy for knowledgeable users to author malicious software and then dupe unsuspecting users into copying it.
Organizations can take steps to reduce their risk to viruses and related threats. Some of the more important steps are outlined below.
This document provides guidance for technical managers for the reduction of risk to their computer systems and networks from attack by computer viruses, unauthorized users, and related threats. The guidance discusses the combined use of policies, procedures, and controls to address security vulnerabilities that can leave systems open to attack. The aim of this document is not to provide solutions to the wide range of specific problems or vulnerabilities, rather it is to help technical managers administer their systems and networks such that manifestations of viruses and related threats can be initially prevented, detected, and contained.
This document is intended primarily for the managers of multi-user systems, personal computers, and associated networks, and managers of end-user groups. Additionally, the document is useful for the users of such systems. The document presents an overview of computer viruses and related threats, how they typically work, the methods by which they can attack, and the harm they can potentially cause. It then presents guidance in the following areas:
Within these general categories, individual computing environments will vary widely, from size of computer to user population to type of software and computing requirements. To accommodate these differences, the guidance presented here is general in nature. It attempts to address computer security problems and vulnerabilities that are likely to be found in most computing environments. This document does not address problems directly related to specific brands of software or hardware. A reading list at the end of the document contains references and pointers to other literature that address specific systems and software.
Recommended control measures are grouped according to categories that include general policies and procedures, education, software management, technical controls, monitoring, and contingency planning. The guidance emphasizes the need for a strong security program as a means for protection from manifestations of viruses and related threats, and as a means for providing detection, containment, and recovery. Such a security program requires personal involvement on the part of management to ensure that the proper policies, procedures, and technical controls exist, and that users are educated so that they can follow safe computing practices and understand the proper actions to take if they detect the presence of viruses or related threats. The guidelines recommend that network managers, multi-user system managers, end-users, and end-user managers work with each other and approach virus protection from an organizationally consistent basis.
This document is divided into five chapters and two appendices. Chapter 2 describes in general how viruses and related software operate, the vulnerabilities they exploit, and how they can be introduced into systems and networks. Chapter 3 discusses general protection strategies and control measures that apply to technical and end-user management in general; this is done so that the same guidance need not be repeated for each of the succeeding chapters that deal with specific environments. Chapters 4 and 5 present guidance specific to multi-user and personal computer environments, respectively. The guidance in these chapters is directed at the respective technical managers and managers of associated networks, as well as the managers of end-user groups that use such systems and networks. It is recommended that all readers, regardless of their management perspective, examine Chapters 3, 4, and 5 to gain a fuller appreciation of the whole environment with regard to threats, vulnerabilities, and controls.
Appendix A contains document references, while Appendix B contains a reading list with references to general and specific information on various types of viruses, systems, and protective measures. Readers can use these documents to obtain information specific to their individual systems and software.
The term computer virus is often used in a general sense to indicate any software that can cause harm to systems or networks. However, computer viruses are just one example of many different but related forms of software that can act with great speed and power to cause extensive damage - other important examples are Trojan horses and network worms. In this document, the term malicious software refers to such software.
A Trojan horse program is a useful or apparently useful program or command procedure containing hidden code that, when invoked, performs some unwanted function. An author of a Trojan horse program might first create or gain access to the source code of a useful program that is attractive to other users, and then add code so that the program performs some harmful function in addition to its useful function. A simple example of a Trojan horse program might be a calculator program that performs functions similar to that of a pocket calculator. When a user invokes the program, it appears to be performing calculations and nothing more; however, it may also be quietly deleting the user's files, or performing any number of harmful actions. An example of an even simpler Trojan horse program is one that performs only a harmful function, such as a program that does nothing but delete files. However, it may appear to be a useful program by having a name such as CALCULATOR or something similar to promote acceptability.
Trojan horse programs can be used to accomplish functions indirectly that an unauthorized user could not accomplish directly. For example, a user of a multi-user system who wishes to gain access to other users' files could create a Trojan horse program to circumvent the users' file security mechanisms. The Trojan horse program, when run, changes the invoking user's file permissions so that the files are readable by any user. The author could then induce users to run this program by placing it in a common directory and naming it such that users will think the program is a useful utility. After a user runs the program, the author can then access the information in the user's files, which in this example could be important work or personal information. Affected users may not notice the changes for long periods of time unless they are very observant.
An example of a Trojan horse program that would be very difficult to detect would be a compiler on a multi-user system that has been modified to insert additional code into certain programs as they are compiled, such as a login program. The code creates a trap door in the login program which permits the Trojan horse's author to log onto the system using a special password. Whenever the login program is recompiled, the compiler will always insert the trap door code into the program, thus the Trojan horse code can never be discovered by reading the login program's source code. For more information on this example, see [THOMPSON84].
Trojan horse programs are introduced into systems in two ways: they are initially planted, and unsuspecting users copy and run them. They are planted in software repositories that many people can access, such as on personal computer network servers, publicly-accessible directories in a multiuser environment, and software bulletin boards. Users are then essentially duped into copying Trojan horse programs to their own systems or directories. If a Trojan horse program performs a useful function and causes no immediate or obvious damage, a user may continue to spread it by sharing the program with other friends and co-workers. The compiler that copies hidden code to a login program might be an example of a deliberately planted Trojan horse that could be planted by an authorized user of a system, such as a user assigned to maintain compilers and software tools.
Computer viruses, like Trojan horses, are programs that contain hidden code which performs some usually unwanted function. Whereas the hidden code in a Trojan horse program has been deliberately placed by the program's author, the hidden code in a computer virus program has been added by another program, that program itself being a computer virus or Trojan horse. Thus, computer viruses are programs that copy their hidden code to other programs, thereby infecting them. Once infected, a program may continue to infect even more programs. In due time, a computer could be completely overrun as the viruses spread in a geometric manner.
An example illustrating how a computer virus works might be an operating system program for a personal computer, in which an infected version of the operating system exists on a diskette that contains an attractive game. For the game to operate, the diskette must be used to boot the computer, regardless of whether the computer contains a hard disk with its own copy of the (uninfected) operating system program. When the computer is booted using the diskette, the infected program is loaded into memory and begins to run. It immediately searches for other copies of the operating system program, and finds one on the hard disk. It then copies its hidden code to the program on the hard disk. This happens so quickly that the user may not notice the slight delay before his game is run. Later, when the computer is booted using the hard disk, the newly infected version of the operating system will be loaded into memory. It will in turn look for copies to infect. However, it may also perform any number of very destructive actions, such as deleting or scrambling all the files on the disk.
A computer virus exhibits three characteristics: a replication mechanism, an activation mechanism, and an objective. The replication mechanism performs the following functions:
The flag may be necessary because without it, programs could be repeatedly infected and grow noticeably large. The replication mechanism could also perform other functions to help disguise that the file has been infected, such as resetting the program file's modification date to its previous value, and storing the hidden code within the program so that the program's size remains the same.
The activation mechanism checks for the occurrence of some event. When the event occurs, the computer virus executes its objective, which is generally some unwanted, harmful action. If the activation mechanism checks for a specific date or time before executing its objective, it is said to contain a time bomb. If it checks for a certain action, such as if an infected program has been executed a preset number of times, it is said to contain a logic bomb. There may be any number of variations, or there may be no activation mechanism other than the initial execution of the infected program.
As mentioned, the objective is usually some unwanted, possibly destructive event. Previous examples of computer viruses have varied widely in their objectives, with some causing irritating but harmless displays to appear, whereas others have erased or modified files or caused system hardware to behave differently. Generally, the objective consists of whatever actions the author has designed into the virus.
As with Trojan horse programs, computer viruses can be introduced into systems deliberately and by unsuspecting users. For example, a Trojan horse program whose purpose is to infect other programs could be planted on a software bulletin board that permits users to upload and download programs. When a user downloads the program and then executes it, the program proceeds to infect other programs in the user's system. If the computer virus hides itself well, the user may continue to spread it by copying the infected program to other disks, by backing it up, and by sharing it with other users. Other examples of how computer viruses are introduced include situations where authorized users of systems deliberately plant viruses, often with a time bomb mechanism. The virus may then activate itself at some later point in time, perhaps when the user is not logged onto the system or perhaps after the user has left the organization. For more information on computer viruses, see [DENNING88].
Network worm programs use network connections to spread from system to system, thus network worms attack systems that are linked via communications lines. Once active within a system, a network worm can behave as a computer virus, or it could implant Trojan horse programs or perform any number of disruptive or destructive actions. In a sense, network worms are like computer viruses with the ability to infect other systems as well as other programs. Some people use the term virus to include both cases.
To replicate themselves, network worms use some sort of network vehicle, depending on the type of network and systems. Examples of network vehicles include (a) a network mail facility, in which a worm can mail a copy of itself to other systems, (b) a remote execution capability, in which a worm can execute a copy of itself on another system, or (c) a remote login capability, whereby a worm can log into a remote system as a user and then use commands to copy itself from one system to the other. The new copy of the network worm is then run on the remote system, where it may continue to spread to more systems in a like manner. Depending on the size of a network, a network worm can spread to many systems in a relatively short amount of time, thus the damage it can cause to one system is multiplied by the number of systems to which it can spread.
A network worm exhibits the same characteristics as a computer virus: a replication mechanism, possibly an activation mechanism, and an objective. The replication mechanism generally performs the following functions:
The network worm may also attempt to determine whether a system has previously been infected before copying itself to the system. In a multi-tasking computer, it may also disguise its presence by naming itself as a system process or using some other name that may not be noticed by a system operator.
The activation mechanism might use a time bomb or logic bomb or any number of variations to activate itself. Its objective, like all malicious software, is whatever the author has designed into it. Some network worms have been designed for a useful purpose, such as to perform general "housecleaning" on networked systems, or to use extra machine cycles on each networked system to perform large amounts of computations not practical on one system. A network worm with a harmful objective could perform a wide range of destructive functions, such as deleting files on each affected computer, or by implanting Trojan horse programs or computer viruses.
Two examples of actual network worms are presented here. The first involved a Trojan horse program that displayed a Christmas tree and a message of good cheer (this happened during the Christmas season). When a user executed this program, it examined network information files which listed the other personal computers that could receive mail from this user. The program then mailed itself to those systems. Users who received this message were invited to run the Christmas tree program themselves, which they did. The network worm thus continued to spread to other systems until the network was nearly saturated with traffic. The network worm did not cause any destructive action other than disrupting communications and causing a loss in productivity [BUNZEL88].
The second example concerns the incident whereby a network worm used the collection of networks known as the Internet to spread itself to several thousands of computers located throughout the United States. This worm spread itself automatically, employing somewhat sophisticated techniques for bypassing the systems' security mechanisms. The worm's replication mechanism accessed the systems by using one of three methods:
By using a combination of these methods, the network worm was able to copy itself to different brands of computers which used similar versions of a widely-used operating system. Many system managers were unable to detect its presence in their systems, thus it spread very quickly, affecting several thousands of computers within two days. Recovery efforts were hampered because many sites disconnected from the network to prevent further infections, thus preventing those sites from receiving network mail that explained how to correct the problems.
It was unclear what the network worm's objective was, as it did not destroy information, steal passwords, or plant viruses or Trojan horses. The potential for destruction was very high, as the worm could have contained code to effect many forms of damage, such as to destroy all files on each system. For more information, see [DENNING89] and [SPAFFORD88].
The number of variations of Trojan horses, computer viruses, and network worms is apparently endless. Some have names, such as a rabbit, whose objective is to spread wildly within or among other systems and disrupt network traffic, or a bacterium, whose objective is to replicate within a system and eat up processor time until computer throughput is halted [DENNING88]. It is likely that many new forms will be created, employing more sophisticated techniques for spreading and causing damage.
While computer viruses and related forms of malicious software are intriguing issues in themselves, it is important not to overlook that they are created by people, and are fundamentally a people problem. In essence, examples of malicious software are tools that people use to extend and enhance their ability to create mischief and various other forms of damage. Such software can do things that the interactive user often cannot directly effect, such as working with great speed, or maintaining anonymity, or doing things that require programmatic system calls. But in general, malicious software exploits the same vulnerabilities as can knowledgeable users. Thus, any steps taken to reduce the likelihood of attack by malicious software should also address the likelihood of unauthorized use by computer users.
To provide general protection from attacks by computer viruses, unauthorized users, and related threats, users and managers need to eliminate or reduce vulnerabilities. A general summary of the vulnerabilities that computer viruses and related threats are most likely to exploit is as follows:
As can be seen from this summary, virus prevention requires that many diverse vulnerabilities be addressed. Some of the vulnerabilities can be improved upon significantly, such as security controls that can be added or improved, while others are somewhat inherent in computing, such as the risk that users will not use security controls or follow policies, or the risk of unauthorized use of computers and networks. Thus, it may not be possible to completely protect systems from all virus-like attacks. However, to attain a realistic degree of protection, all areas of vulnerability must be addressed; improving upon some areas at the expense of others will still leave significant holes in security.
To adequately address all areas of vulnerability, the active involvement of individual users, the management structure, and the organization in a virus prevention program is essential. Such a program, whether formal or informal, depends on the mutual cooperation of the three groups to identify vulnerabilities, to take steps to correct them, and to monitor the results.
A virus prevention program must be initially based upon effective computer system administration that restricts access to authorized users, ensures that hardware and software are regularly monitored and maintained, makes backups regularly, and maintains contingency procedures for potential problems. Sites that do not maintain a basic computer administration program need to put one into place, regardless of their size or the types of computers used. Many system vendors supply system administration manuals that describe the aspects of a basic program, and one can consult documents such as [FIPS73] or [NBS120].
Once a basic administration program is in place, management and users need to incorporate virus prevention measures that will help to deter attacks by viruses and related threats, detect when they occur, contain the attacks to limit damage, and recover in a reasonable amount of time without loss of data. To accomplish these aims, attention needs to be focused on the following areas:
General guidance in each of these areas is explained in the following sections.
Education is one of the primary methods by which systems and organizations can achieve greater protection from incidents of malicious software and unauthorized use. In situations where technical controls do not provide complete protection (i.e., most computers), it is ultimately people and their willingness to adhere to security policies that will determine whether systems and organizations are protected. By educating users about the general nature of computer viruses and related threats, an organization can improve its ability to deter, detect, contain and recover from potential incidents.
Users should be educated about the following:
User education, while perhaps expensive in terms of time and resources required, is ultimately a cost-effective measure for protecting against incidents of malicious software and unauthorized use. Users who are better acquainted with the destructive potential of malicious software and the methods by which it can attack systems may in turn be prompted to take measures to protect themselves. The purpose of security policies and procedures will be clearer, thus users may be more willing to actively use them. By educating users how to detect abnormal system activity and the resultant steps to follow for containing and recovering from potential incidents, organizations will save money and time if and when actual incidents occur.
As shown by examples in Chapter 2, one of the prime methods by which malicious software is initially copied onto systems is by unsuspecting users. When users download programs from sources such as software bulletin boards, or public directories on systems or network servers, or in general use and share software that has not been obtained from a reputable source, users are in danger of spreading malicious software. To prevent users from potentially spreading malicious software, managers need to
The role of education is important, as users who do not understand the risks yet who are asked to follow necessarily restrictive policies may share and copy software anyway. Where technical controls cannot prevent placing new software onto a system, users are then primarily responsible for the success or failure of whatever policies are developed.
A policy that prohibits any copying or use of public-domain software may be overly restrictive, as some public domain programs have proved to be useful. A less restrictive policy would allow some copying; however, a user might first be required to obtain permission from the appropriate manager. A special system should be used from which to perform the copy and then to test the software. This type of system, called an isolated system, should be configured so that there is no risk of spreading a potentially malicious program to other areas of an organization. The system should not be used by other users, should not connect to networks, and should not contain any valuable data. An isolated system should also be used to test internally developed software and updates to vendor software.
Other policies for managing vendor software should be developed. These policies should control how and where software is purchased, and should govern where the software is installed and how it is to be used. The following policies and procedures are suggested:
Technical controls are the mechanisms used to protect the security and integrity of systems and associated data. The use of technical controls can help to prevent occurrences of viruses and related threats by deterring them or making it more difficult for them to gain access to systems and data. Examples of technical controls include user authentication mechanisms such as passwords, mechanisms which provide selective levels of access to files and directories (read-only, no access, access to certain users, etc.), and write-protection mechanisms on tapes and diskettes.
The different types of technical controls and the degree to which they can provide protection and deterrence varies from system to system, thus the use of specific types of controls is discussed in Chapters 4 and 5. However, the following general points are important to note:
Managers need to determine which technical controls are available on their systems, and then the degree to which they should be used and whether additional add-on controls are necessary. One way to answer these questions is to first categorize the different classes of data being processed by a system or systems, and then to rank the categories according to criteria such as sensitivity to the organization and vulnerability of the system to attack. The rankings should then help determine the degree to which the controls should be applied and whether additional controls are necessary. Ideally, those systems with the most effective controls should be used to process the most sensitive data, and vice-versa. As an example, a personal computer which processes sensitive employee information should require add-on user authentication mechanisms, whereas a personal computer used for general word processing may not need additional controls.
It is important to note that technical controls do not generally provide complete protection against viruses and related threats. They may be cracked by determined users who are knowledgeable of hidden bugs and weaknesses, and they may be surmounted through the use of Trojan horse programs, as shown by examples in Chapter 2. An inherent weakness in technical controls is that, while deterring users and software from objects to which they do not have access, they may be totally ineffective against attacks which target objects that are accessible. For example, technical controls may not prevent an authorized user from destroying files to which the user has authorized access. Most importantly, when technical controls are not used properly, they may increase a system's degree of vulnerability. It is generally agreed that fully effective technical controls will not be widely available for some time. Because of the immediate nature of the computer virus threat, technical controls must be supplemented by less technically-oriented control measures such as described in this chapter.
An important aspect of computer viruses and related threats is that they potentially can cause extensive damage within a very small amount of time, such as minutes or seconds. Through proper monitoring of software, system activity, and in some cases user activity, managers can increase their chances that they will detect early signs of malicious software and unauthorized activity. Once the presence is noted or suspected, managers can then use contingency procedures to contain the activity and recover from whatever damage has been caused. An additional benefit of general monitoring is that over time, it can aid in determining the necessary level or degree of security by indicating whether security policies, procedures, and controls are working as planned.
Monitoring is a combination of continual system and system management activity. Its effectiveness depends on cooperation between management and users. The following items are necessary for effective monitoring:
The statistics gained from monitoring activities should be used as input for periodic reviews of security programs. The reviews should evaluate the effectiveness of general system management, and associated security policies, procedures, and controls. The statistics will indicate the need for changes and will help to fine tune the program so that security is distributed to where it is most necessary. The reviews should also incorporate users' suggestions and, to ensure that the program is not overly restrictive, their criticisms.
The purpose of contingency planning with regard to computer viruses and related threats is to be able to contain and recover completely from actual attacks. In many ways, effective system management that includes user education, use of technical controls, software management, and monitoring activities, is a form of contingency planning, generally because a well-run, organized system or facility is better able to withstand the disruption that could result from a computer virus attack. In addition to effective system management activities, managers need to consider other contingency procedures that specifically take into account the nature of computer viruses and related threats.
Possibly the most important contingency planning activity involves the use of backups. The ability to recover from a virus attack depends upon maintaining regular, frequent backups of all system data. Each backup should be checked to ensure that the backup media has not been corrupted. Backup media could easily be corrupted because of defects, because the backup procedure was incorrect, or perhaps because the backup software itself has been attacked and modified to corrupt backups as they are made.
Contingency procedures for restoring from backups after a virus attack are equally important. Backups may contain copies of malicious software that had been hiding in the system; restoring them to a system that has been attacked could cause the problem to recur. To avoid this possibility, software should be restored only from its original media: the tapes or diskettes supplied by the vendor. In some cases this will require reconfiguring the software, so managers must maintain copies of configuration information for system and application software. Because data is not directly executable, it can be restored from routine backups; however, data that has been damaged may need to be restored manually or from older backups. Command files, such as batch procedures and the files executed when systems boot or when users log on, should be inspected to ensure that they have not been damaged or modified. Managers will therefore need to retain successive versions of backups, and search through them when restoring damaged data and command files.
Other contingency procedures for containing virus attacks need to be developed. The following are suggested; they are discussed in more detail in Chapters 4 and 5:
Virus prevention in the multi-user computer environment is aided by the centralized system and user management, and the relative richness of technical controls. Unlike personal computers, many multi-user systems possess basic controls for user authentication, for levels of access to files and directories, and for protected regions of memory. By themselves, these controls are not adequate, but combined with other policies and procedures that specifically target viruses and related threats, multi-user systems can greatly reduce their vulnerabilities to exploitation and attack.
However, some relatively powerful multi-user machines are now so compact as to be able to be located in an office or on a desk-top. These machines are still fully able to support a small user population, to connect to major networks, and to perform complex real-time operations. But due to their size and increased ease of operation, they are more vulnerable to unauthorized access. Also, multi-user machines are sometimes managed by untrained personnel who do not have adequate time to devote to proper system management and who may not possess a technical background or understanding of the system's operation. Thus, it is especially important for organizations who use or are considering machines of this nature to pay particular attention to the risks of attack by unauthorized users, viruses, and related software.
The following sections offer guidance and recommendations for improving the management and reducing the risk of attack for multi-user computers and associated networks.
Two general policies are suggested here. They are intended for uniform adoption throughout an organization, i.e., they will not be entirely effective if they are not uniformly followed. These policies are as follows:
Effective software management can help to make a system less vulnerable to attack and can make containment and recovery more successful. Carefully controlled access to software will prevent or discourage unauthorized access. If accurate records and backups are maintained, software restoration can be accomplished with a minimum of lost time and data. A policy of testing all new software, especially public-domain software, will help prevent accidental infection of a system by viruses and related software. Thus, the following policies and procedures are recommended:
Many multi-user computers contain basic built-in technical controls. These include user authentication via passwords, levels of user privilege, and file access controls. By using these basic controls effectively, managers can significantly reduce the risk of attack by preventing or deterring viruses and related threats from accessing a system.
Perhaps the most important technical control is user authentication, the most widely used form being a username paired with a password. Every user account should use a password chosen so that simple password-cracking attempts cannot succeed. An effective password should not consist of a person's name or a recognizable word; it should instead consist of alphanumeric characters and/or strings of words that cannot easily be guessed. Passwords should be changed at regular intervals, such as every three to six months. Some systems include, or can be modified to include, a password history that prevents users from reusing old passwords. For more information on effective password practices, see [FIPS73].
The username/password mechanism can sometimes be modified to reduce opportunities for password cracking. One method is to increase the running time of the password encryption to several seconds. Another is to have the login program disable the account for several minutes after three to five consecutive incorrect password attempts. Both methods significantly increase the time a password cracker must spend on repeated guesses. A further method for ensuring that passwords are difficult to crack is a program that systematically guesses passwords and sends warning messages to the system manager and the affected users when it succeeds. Such a program could attempt passwords that are permutations of each user's name, as well as words from an on-line dictionary.
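The two mechanisms described in the preceding paragraph, a password-guessing audit that tries permutations of each user's name and dictionary words, and a login program that disables an account after a run of bad attempts, are shown together below. This is an added example written for this edition, not code from the original NIST document or from any particular system. The salted SHA-256 hash stands in for whatever one-way password encryption a system actually uses, and the account entries and word list are constructed for illustration.

```python
"""Password-quality audit and login throttling, as described above.

Added example, not part of the NIST document.  The salted SHA-256 hash
stands in for whatever password encryption a given system uses, and the
accounts and word list below are constructed for illustration."""
import hashlib
import itertools


def hash_password(salt: str, password: str) -> str:
    # Assumption: stand-in for the system's one-way password encryption.
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample password file: username -> (salt, stored hash).
SAMPLE_ACCOUNTS = {
    "jsmith":  ("a1", hash_password("a1", "Jsmith1")),     # derived from the name
    "mlee":    ("b2", hash_password("b2", "welcome")),     # dictionary word
    "rgarcia": ("c3", hash_password("c3", "m7#Qz!4tLw")),  # not guessable this way
}

# Constructed stand-in for an on-line dictionary.
WORD_LIST = ["password", "welcome", "secret", "computer", "system"]


def username_permutations(username: str) -> set:
    """Variants of the user's name that a cracker would try first."""
    base = {username.lower(), username.upper(), username.capitalize(), username[::-1]}
    variants = set(base)
    for b in base:
        for suffix in ("1", "123", "!"):
            variants.add(b + suffix)
    return variants


def candidate_passwords(username: str, words):
    """Name permutations first, then dictionary words and their capitalized forms."""
    seen = set()
    for cand in itertools.chain(username_permutations(username), words,
                                (w.capitalize() for w in words)):
        if cand not in seen:
            seen.add(cand)
            yield cand


def audit_accounts(accounts: dict, words) -> dict:
    """Return {username: guessed password} for every account that falls to
    a name permutation or dictionary word; these are the accounts to warn."""
    weak = {}
    for user, (salt, stored) in accounts.items():
        for cand in candidate_passwords(user, words):
            if hash_password(salt, cand) == stored:
                weak[user] = cand
                break
    return weak


class LoginThrottle:
    """Models a login program that disables an account for `lockout_seconds`
    after `max_failures` consecutive bad passwords.  The clock is passed in
    explicitly (`now`, in seconds) so the behaviour can be exercised offline."""

    def __init__(self, max_failures: int = 3, lockout_seconds: int = 300):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = {}
        self.locked_until = {}

    def attempt(self, accounts: dict, user: str, password: str, now: float) -> str:
        """Return 'locked', 'ok' or 'denied'."""
        if self.locked_until.get(user, 0) > now:
            return "locked"           # do not even evaluate the password
        salt, stored = accounts[user]
        if hash_password(salt, password) == stored:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures[user] = 0
        return "denied"


if __name__ == "__main__":
    for user, guess in audit_accounts(SAMPLE_ACCOUNTS, WORD_LIST).items():
        print(f"warning: account {user} uses the guessable password {guess!r}")
```

Note that the throttle refuses a correct password while the account is disabled; that is the intended cost of the control, and it is why the lockout period should be minutes rather than hours, so that an attacker cannot use repeated bad guesses to lock legitimate users out indefinitely.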
Besides user authentication, access control mechanisms are perhaps the next most important technical control. Access control mechanisms permit a system manager to selectively permit or bar user access to system resources regardless of the user's level of privilege. For example, a user at a low-level of system privilege can be granted access to a resource at a higher level of privilege without raising the user's privilege through the use of an access control that specifically grants that user access. Usually, the access control can determine the type of access, e.g., read or write. Some access controls can send alarm messages to audit logs or the system manager when unsuccessful attempts are made to access resources protected by an access control.
Systems that do not provide per-user access controls usually offer a more basic scheme that grants access by user category. There are usually four categories: owner, where only the user who "owns" or creates the resource can access it; group, where anyone in the same group as the owner can access it; world, where all users can access it; and system, which supersedes all other user privileges. A file or directory can usually be set up to allow any combination of the four. Unlike per-user access controls, this scheme does not grant access to resources on a specific-user basis, so if a user at a low level of privilege requires access to a system-level resource, the user must be granted system privilege. Used carefully, however, the scheme can adequately protect users' files from unauthorized access. The most effective mode is to create a unique group for each user. Some systems also permit a default file permission mask to be set so that every newly created file is accessible only by its owner.
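The following is an added example, not code from the NIST document, that models the owner/group/world/system decision just described in the style of UNIX permission bits and shows why a unique group per user and a restrictive default mask matter. The user and group names are constructed, and the "system" override is simplified (real systems differ in detail, for instance in how execute permission is treated for a privileged user).

```python
"""Owner/group/world/system access decisions and the default permission mask.

Added example, not part of the NIST document.  It models the category-based
scheme described above in the style of UNIX mode bits; the user and group
names are constructed, and the "system" override is simplified."""
import stat

READ, WRITE, EXEC = 4, 2, 1


def check_access(mode: int, file_owner: str, file_group: str,
                 user: str, user_groups: set, want: int,
                 is_system: bool = False) -> bool:
    """Decide whether `user` may perform `want` (READ, WRITE or EXEC) on a
    resource with permission bits `mode`.  The system category overrides all
    others; otherwise exactly one class applies: owner if the user owns the
    file, else group if the user belongs to the file's group, else world."""
    if is_system:
        return True
    if user == file_owner:
        cls = (mode >> 6) & 7
    elif file_group in user_groups:
        cls = (mode >> 3) & 7
    else:
        cls = mode & 7
    return bool(cls & want)


def apply_default_mask(requested_mode: int, mask: int) -> int:
    """A default permission mask (umask on UNIX) clears the masked bits from
    whatever mode a program requests when it creates a file."""
    return requested_mode & ~mask & 0o777


def describe(mode: int) -> str:
    """Render permission bits as rwx triplets, e.g. 0o640 -> 'rw-r-----'."""
    return stat.filemode(stat.S_IFREG | mode)[1:]


def demo() -> dict:
    """Constructed comparison: a 0o640 file created under a shared group
    versus a per-user private group, plus the effect of a 0o077 mask."""
    shared = check_access(0o640, "alice", "staff", "bob", {"staff"}, READ)
    private = check_access(0o640, "alice", "alice", "bob", {"bob", "staff"}, READ)
    return {
        "colleague_reads_shared_group_file": shared,    # True
        "colleague_reads_private_group_file": private,  # False
        "default_mode_with_mask_077": describe(apply_default_mask(0o666, 0o077)),
        "default_mode_with_mask_022": describe(apply_default_mask(0o666, 0o022)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The comparison in demo() makes the point of the paragraph concrete: with a shared group, a file created with group-read permission is readable by every colleague in that group, whereas with a private group per user the same mode bits expose nothing, and a default mask of 0o077 means a program that asks for the usual 0o666 gets an owner-only file.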
Other technical control guidelines are as follows:
Many multi-user systems provide a mechanism for automatically recording some aspects of user and system activity. This monitoring mechanism, if used regularly, can help to detect evidence of viruses and related threats. Early detection is of great value, because malicious software potentially can cause significant damage within a matter of minutes. Once evidence of an attack has been verified, managers can use contingency procedures to contain and recover from any resultant damage.
Effective monitoring also requires user involvement, and therefore, user education. Users must have some guidelines for what constitutes normal and abnormal system activity. They need to be aware of such items as whether files have been changed in content, date, or by access permissions, whether disk space has become suddenly full, and whether abnormal error messages occur. They need to know whom to contact to report signs of trouble and then the steps to take to contain any damage.
The following policies and procedures for effective monitoring are recommended:
As stressed in Chapter 3, backups are the most important contingency planning activity. A system manager must plan for the eventuality of having to restore all software and data from backup tapes for any number of reasons, such as disk drive failure or upgrades. It has been shown that viruses and related threats could potentially and unexpectedly destroy all system information or render it useless, so managers should pay particular attention to the effectiveness of their backup policies. Backup policies will vary from system to system; however, backups should be performed daily, with a minimum of several months of backup history. Backup tapes should be verified to be accurate, and should be stored off-site in a secured location.
Viruses and related software threats could go undetected in a system for months to years, and thus could be backed up along with normal system data. If such a program would suddenly trigger and cause damage, it may require much searching through old backups to determine when the program first appeared or was infected. Therefore the safest policy is to restore programs, i.e., executable and command files, from their original vendor media only. Only system data that is non-executable should be restored from regular backups. Of course, in the case of command files or batch procedures that are developed or modified in the course of daily system activity, these may need to be inspected manually to ensure that they have not been modified or damaged.
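Both the monitoring guidance earlier in this chapter (noticing files changed in content, date, or access permissions) and the backup guidance here (verifying that a backup is accurate, and inspecting command files before trusting them after a restore) rest on the same mechanism: a recorded baseline of each file's hash, permission bits and modification time that later states can be checked against. The following is an added example, not code from the NIST document, that builds such a baseline, reports what changed, and checks a backup copy against it. The directory tree built in demo() is constructed for the illustration.

```python
"""Change detection for monitoring, and backup verification, in one tool.
Added example, not part of the NIST document.  The tree in demo() is
constructed; file names there are illustrative."""
import hashlib
import os
import shutil
import stat
import tempfile

def file_digest(path: str, chunk: int = 65536) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root: str) -> dict:
    """Map each regular file (path relative to root, '/'-separated) to its
    hash, permission bits and integer modification time."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, etc.
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": file_digest(full),
                             "mode": stat.S_IMODE(st.st_mode),
                             "mtime": int(st.st_mtime)}
    return manifest

def compare_manifests(baseline: dict, current: dict) -> dict:
    """Sorted lists of files whose content, permission bits or date changed,
    files that disappeared, and files that appeared since the baseline."""
    report = {"content": [], "mode": [], "time": [], "missing": [], "added": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["missing"].append(rel)
            continue
        if new["sha256"] != old["sha256"]:
            report["content"].append(rel)
        if new["mode"] != old["mode"]:
            report["mode"].append(rel)
        if new["mtime"] != old["mtime"]:
            report["time"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    return {key: sorted(value) for key, value in report.items()}

def verify_backup(baseline: dict, backup_root: str) -> list:
    """Check that every file in the baseline has an identical copy on the
    backup; a defective medium or a subverted backup program shows up here."""
    problems = []
    for rel, entry in baseline.items():
        copy = os.path.join(backup_root, *rel.split("/"))
        if not os.path.isfile(copy):
            problems.append((rel, "missing from backup"))
        elif file_digest(copy) != entry["sha256"]:
            problems.append((rel, "content differs from original"))
    return sorted(problems)

def demo() -> tuple:
    """Constructed scenario: baseline a small tree; back it up with one file
    corrupted on the copy; then alter a login command file and widen the
    permissions of a data file on the live system."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "system")
        os.makedirs(os.path.join(src, "etc"))
        os.makedirs(os.path.join(src, "data"))
        login = os.path.join(src, "etc", "login.cmd")
        with open(login, "w") as f:
            f.write("echo welcome\n")
        os.chmod(login, 0o755)
        report = os.path.join(src, "data", "report.txt")
        with open(report, "w") as f:
            f.write("quarterly figures\n")
        os.chmod(report, 0o600)
        baseline = build_manifest(src)

        backup = os.path.join(work, "backup")
        shutil.copytree(src, backup)
        with open(os.path.join(backup, "data", "report.txt"), "wb") as f:
            f.write(b"\0" * 18)                 # simulated media corruption
        backup_problems = verify_backup(baseline, backup)

        with open(login, "a") as f:
            f.write("extra_program\n")          # an added line in a command file
        os.chmod(report, 0o666)                 # permissions silently widened
        changes = compare_manifests(baseline, build_manifest(src))
        return changes, backup_problems
    finally:
        shutil.rmtree(work)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

In practice the baseline manifest would be written out once after a clean installation and kept on read-only or off-line media; if it lives on the system it protects, malicious software that alters a command file can alter the manifest to match.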
Other recommended contingency planning activities are as follows:
Multi-user computers are more often associated with relatively large networks than with very localized local area networks or personal computer networks that may use dedicated network servers. The viewpoint taken here is that the security of wide area networks and large local area networks is essentially a collective function of the systems connected to the network, i.e., it is not practical for a controlling system to monitor all network traffic and differentiate between authorized and unauthorized use. A system manager should generally assume that network connections pose inherent risks of unauthorized access to the system, in the form of unauthorized users and malicious software. The system manager therefore needs to protect the system from network-borne threats, and likewise to exercise responsibility by ensuring that the system is not a source of such threats, while still making network connections available to users as necessary. Accomplishing these aims requires technical controls to restrict certain types of access, monitoring to detect violations, and a certain amount of trust that users will use the controls and follow the policies.
Some guidelines for using networks in a more secure manner are as follows:
Virus prevention in the personal computer environment differs from that of the multi-user computer environment mainly in the following two respects: the relative lack of technical controls, and the resultant emphasis this places on less-technically oriented means of protection which necessitates more reliance on user involvement. Personal computers typically do not provide technical controls for such things as user authorization, access controls, or memory protection that differentiates between system memory and memory used by user applications. Because of the lack of controls and the resultant freedom with which users can share and modify software, personal computers are more prone to attack by viruses, unauthorized users, and related threats.
Virus prevention in the personal computer environment must rely on continual user awareness to adequately detect potential threats and then to contain and recover from the damage. Personal computer users are in essence personal computer managers, and must practice their management as a part of their general computing. Personal computers generally do not contain auditing features, thus a user needs to be aware at all times of the computer's performance, i.e., what it is doing, or what is normal or abnormal activity. Ultimately, personal computer users need to understand some of the technical aspects of their computers in order to protect, deter, contain, and recover. Not all personal computer users are technically oriented, thus this poses some problems and places even more emphasis on user education and involvement in virus prevention.
Because of the dependence on user involvement, policies for the personal computer environment are more difficult to implement than in the multi-user computer environment. However, emphasizing these policies as part of a user education program will help to ingrain them in users' behavior. Users should be shown by example what can happen if they do not follow the policies; a case in which users share infected software that then spreads throughout an organization would illustrate the point effectively, making the purpose of the policy clearer and more likely to be followed. Another effective method for increasing user cooperation is to create a list of effective personal computer management practices specific to each personal computing environment. Such a list saves users the problem of determining how best to enact the policies, and serves as a convenient checklist that they can reference as necessary.
It will likely be years before personal computers incorporate strong technical controls in their architectures. In the meantime, managers and users must be actively involved in protecting their computers from viruses and related threats. The following sections provide guidance to help achieve that aim.
Two general policies are suggested here. The first requires that management make firm, unambiguous decisions as to how users should operate personal computers, and state that policy in writing. This policy will be a general re-statement of all other policies affecting personal computer use. It is important that users read this policy and agree to its conditions as a prerequisite to personal computer use. The purposes of the policy are to (1) ensure that users are aware of all policies, and (2) impress upon users the need for their active involvement in computer security.
The second policy is that every personal computer should have an "owner" or "system manager" who is responsible for the maintenance and security of the computer, and for following all policies and procedures associated with the use of the computer. It would be preferable that the primary user of the computer fill this role. It would not be too extreme to make this responsibility a part of the user's job description. This policy will require that resources be spent on educating users so that they can adequately follow all policies and procedures.
Due to the wide variety of software available for many types of personal computers, it is especially important that software be carefully controlled. The following policies are suggested:
As stated earlier, personal computers suffer from a relative lack of technical controls. There are usually no mechanisms for user authentication and for preventing users or software from modifying system and application software. Generally, all software and hardware is accessible by the personal computer user, thus the potential for misuse is substantially greater than in the multi-user computer environment.
However, some technical controls can be added to personal computers, e.g., user authentication devices. The technical controls that do not exist can be simulated by other controls, such as a lock on an office door to substitute for a user authentication device, or anti-virus software to take the place of system auditing software. Lastly, some of the personal computer's accessibility can be reduced, such as by the removal of floppy diskette drives or by the use of diskless computers that must download their software from a LAN server. The following items are suggested:
Personal computer operating systems typically do not provide any software or user monitoring/auditing features. Monitoring, then, is largely a user function whereby the user must be aware of what the computer is doing, such as when the computer is accessing the disk or the general speed of its response to commands, and then must decide whether the activity is normal or abnormal. Anti-viral software can be added to the operating system and run in such a way that the software flags or in some way alerts a user when suspicious activity occurs, such as when critical files or memory regions are written.
Effective monitoring depends on user education. Users must know what constitutes normal and abnormal activity on their personal computers. They need to have a reporting structure available so that they can alert an informed individual to determine whether there is indeed a problem. They need to know the steps to take to contain the damage, and how to recover. Thus, the following policies and procedures are recommended:
As described in Chapter 3, backups are the single most important contingency procedure. It is especially important to emphasize regular backups for personal computers, due to their greater susceptibility to misuse and due to the usual requirement of direct user involvement in the backup procedure, unlike that of multi-user computers. Because of the second factor, where users must directly copy files to one or more floppy diskettes, personal computer backups are sometimes ignored or not done completely. To help ensure that backups are done regularly, external backup mechanisms that use a high-density tape cartridge can be purchased and a user assigned to run the backup procedure on a regular basis. Additionally, some personal computer networks contain a personal computer backup feature, where a computer can directly access a network server's backup mechanism, sometimes in an off-line mode at a selected time. If neither of these mechanisms are available, then users must be supplied with an adequate number of diskettes to make complete backups and to maintain a reasonable amount of backup history, with a minimum of several weeks.
Users should maintain the original installation media for software applications and store it in a secure area, such as a locked cabinet, container, or desk. If a user needs to restore software, the user should use only the original media; the user should not use any other type of backup or a copy belonging to another user, as they could be infected or damaged by some form of malicious software.
The effectiveness of a backup policy can be judged by whether a user is able to recover with a minimum loss of data from a situation whereby the user would have to format the computer's disk and reload all software. Several incidents of malicious software have required that users go to this length to recover - see [MACAFEE89].
Other important contingency procedures are described below:
Personal computer networks offer many advantages to users; however, they must be managed carefully so that they do not increase vulnerability to viruses and related threats. Used incorrectly, they can become an additional pathway for unauthorized access to systems, and can be used to plant malicious software such as network worms. This section does not provide specific management guidance, as there are many different types of personal computer networks that differ widely in design and capability. However, some general suggestions for improving basic management are listed below:
In addition to the references listed in Appendix A, the following documents are suggested reading for specific and general information on computer viruses and related forms, and other related security information.
1. Named after the hollow wooden horse, filled with soldiers, that the Greeks used to gain entry into the city of Troy.