December 08, 2006 12:23 PM CST

Vital Security for Vital Computers

By Tom Inglesby

Most companies have come to depend greatly on computer systems to run day-to-day affairs, yet many of these same companies often fail to understand how to keep these systems safe from external threats.

Thirty years ago, no one was concerned about getting a "virus" in their calculator or desktop adding machine. Now, people are concerned about getting a virus in their cell phones, digital music players and anything else with a microchip. Yes, we've come a long way from six-function calculators and computers the size of a room, but we haven't necessarily moved in the right direction when it comes to security.

According to Eric Vaughan, author of the TweakHound.com security news and information website, "The current 'survival time' — the average time for an unprotected system to be attacked and compromised — is only nine minutes. This means that a newly installed, unprotected operating system connecting to the Internet for the first time will, on average, be attacked within nine minutes and compromised in some way. That further implies that there is insufficient time for a new system to connect to the Windows Update site and download the latest security and critical updates from Microsoft before the system is attacked and compromised. Yes, the Internet is a dangerous place for the unwary."

What are the threats? Let's look at the most familiar term: virus. The usual definition is: Viruses are programs that can enter computers or IT systems, causing effects that range from simply annoying to highly destructive and irreparable. Viruses have been lumped into a category of nasty computer programs called malware, a contraction of malicious software. Also in this group are such fun items such as worms, spyware, keyloggers, Trojans and rootkits. What is not generally included, despite the feelings of most, are spam and "phishing" e-mails.

Do you need to know what each does and how? Not really. What you need to know is that they are all potentially damaging to your computers (office or field) and by extension, to your business. The bad news is that there are thousands of malicious code writers working night and day to develop new generations of malware to foist on computer users. The good news is that there are also thousands of computer security experts working day and night to develop effective counter measures to help computers defend such attacks.

As soon as a new malware is discovered, security software companies begin developing an update or "patch" to contend with the threat. The time lag between the introduction of the malware and the creation of the security update can take hours or days — sometimes even weeks. This means that some threats have the capability to propagate and do considerable damage before defenses can be distributed. There are several reasons for this, one of the most overlooked being "social engineering."

Virus authors often are people looking for some kind of social recognition or notoriety. Their principal objective is to exploit whatever possible means (e.g., security holes, user naivety, new technology) to ensure their creations spread as widely as possible. Oftentimes, they simply rely on the natural curiosity of most people; they lure the recipient of a malware-loaded e-mail into opening it, clicking on the embedded link, opening an attachment, going to an infected website, or otherwise releasing the malware into their system. Unfortunately, one of the weakest links in computer security is often the user, not the system.

To combat this problem, antivirus software generally tries to catch the offensive program at the point of entry, determining what e-mail messages are potentially threats, what attachments meet the criteria for the latest threats, and in general working behind the scenes to protect the system and user — and sometimes the system from the user.

The first line of defense, and the one that gets the most attention, is the antivirus segment. Familiar developers in this market are Symantec (www.symantec.com) and McAfee (www.mcafee.com). A lesser known but growing company is Panda Software of Bilbao, Spain. In test after test, Panda's security products score as high or higher than the better known brands, but they are, in many ways, the silent, stealth vendor. As such, many hackers around the world fail to defend against Panda's products while actively embedding code to override the antivirus programs of the other, more mainstream, manufacturers.

Ryan Sherstobitoff, CTO of Panda Software's U.S. office in Glendale, Calif., noted, "Panda's products are designed to include protection technologies to address various problems facing the SMB (small to medium business) market. One of Panda's key innovations, TruPrevent was designed to respond to emerging threats not immediately identified by virus laboratories. These threats pose a significant risk to SMBs because of the advanced capabilities of replicating to a large number of machines in a small amount of time. The dynamics of malicious software have changed to include a focal point of organized crime with the sole purpose of financial gain through data theft on unsuspecting users."

If you read the computer columns in the local paper or watch almost any news show on television, you've certainly heard about the exposed vulnerabilities in Microsoft software products. However, any program that can or needs access to the Internet — which includes practically every software program under the sun — is vulnerable to attack. We often hear about Microsoft products, not because they are the most susceptible, but because its software is the most prevalent and presents the biggest target. A "boutique" virus writer might focus on vulnerabilities in a lesser-used software product, but in doing so his or her chance of hitting a large number of targets is smaller. However, if a virus author hits a Microsoft weakness, he or she could potentially threaten billions of computers worldwide and gain infamous notoriety among certain circles.

Therefore, the second line of defense is to maintain the programs that you use by downloading and installing security updates and patches, and to do so on a regular basis. Many software vendors have auto-update elements, and there are third-party programs available that automate the process. For its products, Microsoft offers Automatic Updates, a handy tool that, when downloaded and installed, will notify the computer user of new updates or, just as the name suggests, automatically keep computers up-to-date.

To keep multiple computers updated in a small- to mid-sized company, another option is Sitekeeper from Diskeeper Corporation of Burbank, Calif. (www.executive.com/sitekeeper). Sitekeeper is an easy-to-use, centralized patch and systems management program. Users do not need dedicated hardware or special training, and the program can be installed and running in less than an hour.

The third line of defense is a firewall. Much like a building's firewall, this computer version helps to contain threats and keep them from reaching vital information or programs. Computer firewalls can be implemented using software, such as with a security software suite, or hardware, as included with many Internet connection routers. Depending on the version or system in place, firewalls can protect individual computers or an entire network.

Firewalls are used to protect points of entry into a computer or network, such as Internet connections and computer ports, and to monitor all inbound and outbound "traffic" for your system. If a hacker tries to break into your computer through an unsecured port or a malware happens to bypass your antivirus software and attempts to launch a program using your Internet connection, your firewall will stop the entry or exit, flag the potentially harmful action, and notify the computer user or network administrator.

The classic, and perhaps better-known, firewall is ZoneAlarm from Zone Labs LLC, Redwood City, Calif. (www.zonelabs.com). And possibly the most maligned firewall is the one built-in with Microsoft Windows XP, Service Pack 2. While ZoneAlarm has earned its accolades, the Microsoft firewall probably hasn't earned its jibes.

Microsoft's Internet Connection Firewall (ICF) was designed to work with personal firewall applications, not to compete with them. ICF is far from perfect as firewalls go. It doesn't block any outbound traffic, which won't protect you from Trojan applications that have accessed your computer by other means. But if you are running Windows XP, the advantage is that you already have it integrated into your system.

The newest firewall, interestingly, comes from Russia — which has long been the home of some of the most creative and damaging malware authors. Mikhail Penkovsky, director of sales for Agnitum Ltd., St. Petersburg, Russia (www.agnitum.com) explained, "Russians are known as some of the most talented hackers and cyber criminals. So who better than Russian security experts to stop them from breaking into your PC?"

All of these security layers will help to protect you against threats, and together they can be very effective. Panda's Sherstobitoff pointed to some other aspects of security that often get overlooked, saying, "Data security is obviously a concern and is dependent on how secure the operating system is." Some of the obvious concerns are:

• Passwords that do not meet complexity requirements (i.e., using upper and lower case letters, and utilizing both letters and numbers).
  
  
• Insufficient permissions on critical components that allow privilege elevation attacks to occur.
  
  
• Unnecessary services running that could allow for remote access, such as Telnet.
  
  
• Unnecessary ports open that can lead to exploits and eventual access from a hacker.
  
  
• Administrator accounts with a null or weak password.

"But there are ways to 'harden' your systems," Sherstobitoff added, such as:

• Modifying the local security policy and the password complexity requirements to ensure passwords are not easily guessed. Windows provides a tool "Local Security Policy" that allows the administrator to configure system policies and export them.
  
  
• Disable any ports or services that do not directly apply to the intended usage of the system.
  
  
• Set appropriate file permissions on directories and shared drives on the system to avoid exploitation.
  
  
• Ensure that any system account with administrative rights has a complex password.

"With these configurations taken into account and a good anti-malware solution, the user can ensure that his or her data is not at risk for theft," Sherstobitoff said.

---

About the Author

Tom Inglesby is a San Diego-based freelance writer whose work has appeared in numerous online and print publications. He is the winner of the Construction Writers Association's 2002 Boger Award for Special Reports.