Network Information Access
Founded By: Guardian Of Time, Judge Dredd
Mother Earth BBS - NUP:> DECnet - Text File Archives
17APR90 - Judge Dredd - File 26

Computer Viruses & Threats IV

Virus Prevention for Personal Computers and Associated Networks

Virus prevention in the personal computer environment differs from that of the multi-user computer environment mainly in the following two respects: the relative lack of technical controls, and the resultant emphasis this places on less technically oriented means of protection, which necessitates more reliance on user involvement. Personal computers typically do not provide technical controls for such things as user authorization, access controls, or memory protection that differentiates between system memory and memory used by user applications. Because of the lack of controls and the resultant freedom with which users can share and modify software, personal computers are more prone to attack by viruses, unauthorized users, and related threats.

Virus prevention in the personal computer environment must rely on continual user awareness to adequately detect potential threats and then to contain and recover from the damage.

Personal computer users are in essence personal computer managers, and must practice their management as a part of their general computing. Personal computers generally do not contain auditing features, thus a user needs to be aware at all times of the computer's performance, i.e., what it is doing, and what is normal or abnormal activity. Ultimately, personal computer users need to understand some of the technical aspects of their computers in order to protect, deter, contain, and recover. Not all personal computer users are technically oriented; this poses some problems and places even more emphasis on user education and involvement in virus prevention.

Because of the dependence on user involvement, policies for the personal computer environment are more difficult to implement than in the multi-user computer environment. However, emphasizing these policies as part of a user education program will help to ingrain them in users' behavior. Users should be shown via examples what can happen if they don't follow the policies. An example where users share infected software and then spread the software throughout an organization would serve to effectively illustrate the point, thus making the purpose of the policy more clear and more likely to be followed. Another effective method for increasing user cooperation is to create a list of effective personal computer management practices specific to each personal computing environment. Creating such a list would save users the problem of determining how best to enact the policies, and would serve as a convenient checklist that users could reference as necessary.

It will likely be years before personal computers incorporate strong technical controls in their architectures. In the meantime, managers and users must be actively involved in protecting their computers from viruses and related threats. The following sections provide guidance to help achieve that aim.

General Policies

Two general policies are suggested here. The first requires that management make firm, unambiguous decisions as to how users should operate personal computers, and state that policy in writing. This policy will be a general re-statement of all other policies affecting personal computer use. It is important that users read this policy and agree to its conditions as a prerequisite to personal computer use. The purposes of the policy are to (1) ensure that users are aware of all policies, and (2) impress upon users the need for their active involvement in computer security.

The second policy is that every personal computer should have an "owner" or "system manager" who is responsible for the maintenance and security of the computer, and for following all policies and procedures associated with the use of the computer. It would be preferable that the primary user of the computer fill this role. It would not be too extreme to make this responsibility a part of the user's job description. This policy will require that resources be spent on educating users so that they can adequately follow all policies and procedures.

Software Management

Due to the wide variety of software available for many types of personal computers, it is especially important that software be carefully controlled. The following policies are suggested:

- Use only licensed copies of vendor software for personal computers. Ensure that the license numbers are logged, that warranty information is completed, and that updates or update notices will be mailed to the appropriate users. Ensure that software versions are uniform on all personal computers. Purchase software from known, reputable sources; do not purchase software that is priced suspiciously low and do not use pirated software, even on a trial basis. Where possible, buy software with built-in security features.

- Do not install software that is not clearly needed. For example, software tools such as compilers or debuggers should not be installed on machines where they are not needed.

- Store the original copies of vendor software in a secure location for use when restoring the software.

- Develop a clear policy for use of public-domain software and shareware. It is recommended that the policy prohibit indiscriminate downloading from software bulletin boards. A special isolated system should be configured to perform the downloading, as well as for testing downloaded and other software or shareware. The operation of the system should be managed by a technically skilled user who can use anti-virus software and other techniques to test new software before it is released for use by other users.

- Maintain an easily-updated database of installed software. For each type of software, the database should list the computers where the software is installed, the license numbers, software version number, the vendor contact information, and the responsible person for each computer listed. This database should be used to quickly identify users, machines, and software when problems or emergencies arise, such as when a particular type of software is discovered to contain a virus or other harmful aspects.

- Minimize software sharing within the organization. Do not permit software to be placed on computers unless the proper manager is notified and the software database is updated. If computer networks permit software to be mailed or otherwise transferred among machines, prohibit this as a policy. Instruct users not to run software that has been mailed to them.

- If using software repositories on LAN servers, set up the server directory such that users can copy from the directory, but not add software to the directory. Assign a user to manage the repository; all updates to the repository should be cleared through this individual. The software should be tested on an isolated system as described earlier.

- If developing software, consider the use of software management and control programs that automate record keeping for software updates, and that provide a degree of protection against unauthorized modifications to the software under development.

- Prohibit users from using software or disks from their home systems. A home system that is used to access software bulletin boards or that uses shared copies of software could be infected with viruses or other malicious software.

Technical Controls

As stated earlier, personal computers suffer from a relative lack of technical controls. There are usually no mechanisms for user authentication and for preventing users or software from modifying system and application software. Generally, all software and hardware is accessible by the personal computer user, thus the potential for misuse is substantially greater than in the multi-user computer environment.

However, some technical controls can be added to personal computers, e.g., user authentication devices. The technical controls that do not exist can be simulated by other controls, such as a lock on an office door to substitute for a user authentication device, or anti-virus software to take the place of system auditing software. Lastly, some of the personal computer's accessibility can be reduced, such as by the removal of floppy diskette drives or by the use of diskless computers that must download their software from a LAN server. The following items are suggested:

- Where technical controls exist, use them. If basic file access controls are available to make files read-only, make sure that operating system files and other executable files are marked as read-only. Use write-protect tabs on floppy diskettes and tapes. If LAN access requires a password, ensure that passwords are used carefully; follow the guidelines for password usage presented in file III.

- Use new cost-effective forms of user identification such as magnetic access cards. Or, set up other software, such as a password mechanism, that at a minimum deters unauthorized users.

- If using a LAN, consider downloading the personal computer's operating system and other applications from a read-only directory on the LAN server (instead of the personal computer's hard disk). If the LAN server is well protected, this arrangement would significantly reduce chances of the software becoming infected, and would simplify software management.

- Consider booting personal computers from write-protected floppy diskettes (instead of the computer's hard disk). Use a unique diskette per computer, and keep the diskette secured when not in use.

- Do not leave a personal computer running but unattended. Lock the computer with a hardware lock (if possible), or purchase vendor add-on software to "lock" the keyboard using a password mechanism. Alternatively, turn off the computer and lock the office door. Shut down and lock the computer at the end of the day.

- When using modems connected to personal computers, do not provide more access to the computer than necessary. If only dial-out service is required, configure the modem so that it won't answer calls. If dial-in service is necessary, consider purchasing modems that require a password or that use a call-back mechanism to force a caller to call from a telephone number that is known to the modem.

- Consider using "limited-use" systems, whereby the capabilities of a system are restricted to only what is absolutely required. For example, users who run only a certain application (such as a word processor) may not require the flexibility of a personal computer. At the minimum, do not install applications or network connections where they are not needed.
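Two of the controls above are plain file-system settings and can be checked and applied mechanically: the LAN software repository that users may copy from but not add to (Software Management), and executable files marked read-only (the first item in the list above). The following is an added example written for this page, not code from the NIA text or from any product it mentions. It assumes a POSIX file server on which the repository is a directory owned by the repository manager's account, and the repository path is supplied by the caller; the file names in the demonstration are constructed.

```python
import os
import stat
from pathlib import Path

# Write permission for group or others is what lets users add software to the
# directory or alter programs in it; the policy wants neither.
GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_repository(root):
    """Return (path, problem) findings for a repository tree.

    An empty list means the tree matches the policy: users can read (copy)
    everything, but only the owner, i.e. the repository manager, can write.
    """
    findings = []
    root = Path(root)
    for path in [root, *root.rglob("*")]:
        mode = path.lstat().st_mode
        if stat.S_ISLNK(mode):
            # A link can resolve outside the tree, bypassing the directory's own permissions.
            findings.append((str(path), "symbolic link inside repository"))
            continue
        if mode & GROUP_OTHER_WRITE:
            kind = "directory" if stat.S_ISDIR(mode) else "file"
            findings.append((str(path), f"{kind} writable by group or others"))
        if not stat.S_ISDIR(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append((str(path), "setuid/setgid bit set on repository file"))
    return findings


def harden_repository(root):
    """Clear group/other write bits (and setuid/setgid on files) throughout the tree.

    Returns the number of entries whose mode was changed. Symbolic links are
    left alone; audit_repository() reports them for the manager to resolve.
    """
    changed = 0
    root = Path(root)
    for path in [root, *root.rglob("*")]:
        mode = path.lstat().st_mode
        if stat.S_ISLNK(mode):
            continue
        wanted = mode & ~GROUP_OTHER_WRITE
        if not stat.S_ISDIR(mode):
            wanted &= ~(stat.S_ISUID | stat.S_ISGID)
        if wanted != mode:
            os.chmod(path, stat.S_IMODE(wanted))
            changed += 1
    return changed


def demo_repository():
    """Constructed scenario: a repository left world-writable, audited, hardened, re-audited."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "PUBLIC"
        repo.mkdir()
        (repo / "EDITOR.EXE").write_bytes(b"constructed program image")
        (repo / "README.TXT").write_bytes(b"constructed notes")
        os.chmod(repo, 0o777)                  # weak setting: anyone can add or replace files
        os.chmod(repo / "EDITOR.EXE", 0o777)   # weak setting: anyone can alter the program
        os.chmod(repo / "README.TXT", 0o644)   # already what the policy asks for
        before = len(audit_repository(repo))
        fixed = harden_repository(repo)
        after = len(audit_repository(repo))
        return {"findings_before": before, "entries_fixed": fixed, "findings_after": after}


if __name__ == "__main__":
    print(demo_repository())
```

Permission bits restrain ordinary users, not the owner or the administrator, so the single write path into the repository is the manager's account, which is exactly the arrangement the Software Management section asks for; the audit is worth running on a schedule, since a manager copying in a tested update can easily leave the new file writable.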

Monitoring

Personal computer operating systems typically do not provide any software or user monitoring/auditing features. Monitoring, then, is largely a user function whereby the user must be aware of what the computer is doing, such as when the computer is accessing the disk or the general speed of its response to commands, and then must decide whether the activity is normal or abnormal. Anti-viral software can be added to the operating system and run in such a way that the software flags or in some way alerts a user when suspicious activity occurs, such as when critical files or memory regions are written.

Effective monitoring depends on user education. Users must know what constitutes normal and abnormal activity on their personal computers. They need to have a reporting structure available so that they can alert an informed individual to determine whether there is indeed a problem. They need to know the steps to take to contain the damage, and how to recover. Thus, the following policies and procedures are recommended:

- Form a team of skilled technical people to investigate problems reported by users. This same group could be responsible for other aspects of virus prevention, such as testing new software and handling the containment and recovery from virus-related incidents. Ensure that users have quick access to this group, e.g., via a telephone number.

- Educate users so that they are familiar with how their computers function. Show them how to use such items as anti-viral software. Acquaint them with how their computers boot, what files are loaded, whether start-up batch files are executed, and so forth.

- Users need to watch for changes in patterns of system activity: program loads that suddenly take longer, disk accesses that seem excessive for simple tasks, unusual error messages, disk access lights that turn on when no disk activity should occur, less memory available than usual, files that disappear mysteriously, or less disk space than normal.

- Users also need to examine whether important files have changed in size, date, or content. Such files would include the operating system, regularly-run applications, and other batch files. System sweep programs may be purchased or built to perform checksums on selected files, and then to report whether changes have occurred since the last time the program was run.

- Purchase virus prevention software as applicable. At a minimum, use anti-viral software to test new software before releasing it to other users. However, do not download or use pirated copies of anti-viral software.

- Always report, log, and investigate security problems, even when the problems appear insignificant. Then use the log as input into regular security reviews. Use the reviews as a means for evaluating the effectiveness of security policies and procedures.
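The "system sweep program" described in the list above, a checksum over selected files with a report of what changed since the last run, is small enough to show in full. The following is an added example written for this page, not a program the NIA text refers to. It records the three attributes the text names (size, date, content) and uses SHA-256 for the content check in place of the simpler checksums of the period; the list of files to watch and the baseline file location are assumptions supplied by the caller, and the file names and contents in the demonstration are constructed.

```python
import hashlib
import json
from pathlib import Path

# The attributes the monitoring guidance says to compare: size, date, content.
WATCHED_ATTRIBUTES = ("size", "mtime", "sha256")


def file_record(path):
    """Record the size, modification date and SHA-256 digest of one file."""
    path = Path(path)
    st = path.stat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def build_baseline(files):
    """Record every listed file that exists; this is the reference for later sweeps."""
    return {str(p): file_record(p) for p in files if Path(p).is_file()}


def save_baseline(baseline, baseline_path):
    """Store the baseline as JSON. Keep it on write-protected media: a reference
    that the checked system can rewrite proves nothing."""
    Path(baseline_path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(baseline_path):
    """Read a baseline written by save_baseline()."""
    return json.loads(Path(baseline_path).read_text())


def sweep(files, baseline):
    """Compare the current state of `files` against `baseline`.

    Returns a dict: changed -> {path: [attributes that differ]},
    missing -> baseline entries that no longer exist, new -> listed files the
    baseline does not know, unchanged -> files whose size, date and digest match.
    """
    report = {"changed": {}, "missing": [], "new": [], "unchanged": []}
    offered = set()
    for p in files:
        key, path = str(p), Path(p)
        offered.add(key)
        if key not in baseline:
            if path.is_file():
                report["new"].append(key)
            continue
        if not path.is_file():
            report["missing"].append(key)
            continue
        now = file_record(path)
        diffs = [a for a in WATCHED_ATTRIBUTES if now[a] != baseline[key][a]]
        if diffs:
            report["changed"][key] = diffs
        else:
            report["unchanged"].append(key)
    # Baseline entries that were not even offered for checking count as missing too.
    report["missing"].extend(k for k in baseline if k not in offered)
    return report


def demo_sweep():
    """Constructed scenario (not real data): baseline two files, then one is
    modified, one is deleted and an unknown program appears before the sweep.
    The report is keyed by file name so it does not depend on the temp path."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "COMMAND.COM").write_bytes(b"constructed command interpreter image")
        (d / "AUTOEXEC.BAT").write_bytes(b"@ECHO OFF\r\nPROMPT $P$G\r\n")
        watched = [d / "COMMAND.COM", d / "AUTOEXEC.BAT"]
        save_baseline(build_baseline(watched), d / "baseline.json")
        with (d / "COMMAND.COM").open("ab") as fh:   # content altered: bytes appended
            fh.write(b"APPENDED BYTES")
        (d / "AUTOEXEC.BAT").unlink()                 # file has disappeared
        (d / "NEWPROG.EXE").write_bytes(b"constructed unknown program")
        report = sweep(watched + [d / "NEWPROG.EXE"], load_baseline(d / "baseline.json"))
        return {
            "changed": {Path(k).name: v for k, v in report["changed"].items()},
            "missing": [Path(k).name for k in report["missing"]],
            "new": [Path(k).name for k in report["new"]],
            "unchanged": [Path(k).name for k in report["unchanged"]],
        }


if __name__ == "__main__":
    print(json.dumps(demo_sweep(), indent=2))
```

The digest is the attribute that matters: a file can be rewritten and its size and date restored, but its digest will still differ from the baseline. The comparison is only as trustworthy as the baseline and the program doing the comparing, which is why both belong on write-protected media and why the sweep is best run after booting from the write-protected diskette recommended under Technical Controls.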

Contingency Planning

As described in file II, backups are the single most important contingency procedure. It is especially important to emphasize regular backups for personal computers, due to their greater susceptibility to misuse and due to the usual requirement of direct user involvement in the backup procedure, unlike that of multi-user computers. Because of the second factor, where users must directly copy files to one or more floppy diskettes, personal computer backups are sometimes ignored or not done completely. To help ensure that backups are done regularly, external backup mechanisms that use a high-density tape cartridge can be purchased and a user assigned to run the backup procedure on a regular basis. Additionally, some personal computer networks contain a personal computer backup feature, where a computer can directly access a network server's backup mechanism, sometimes in an off-line mode at a selected time. If neither of these mechanisms is available, then users must be supplied with an adequate number of diskettes to make complete backups and to maintain a reasonable amount of backup history, with a minimum of several weeks.

Users should maintain the original installation media for software applications and store it in a secure area, such as a locked cabinet, container, or desk. If a user needs to restore software, the user should use only the original media; the user should not use any other type of backup or a copy belonging to another user, as they could be infected or damaged by some form of malicious software.

The effectiveness of a backup policy can be judged by whether a user is able to recover with a minimum loss of data from a situation whereby the user would have to format the computer's disk and reload all software. Several incidents of malicious software have required that users go to this length to recover.

Other important contingency procedures are described below:

- Maintain a database of personal computer information. Each record should include items such as the computer's configuration, i.e., network connections, disks, modems, etc., the computer's location, how it is used, the software it runs, and the name of the computer's primary user/manager. Maintain this database to facilitate rapid communication and identification when security problems arise.

- Create a security distribution list for each user. The list should include names of people to contact who can help identify the cause of unusual computer activity, and other appropriate security personnel to contact when actual problems arise.

- Create a group of skilled users who can respond to users' inquiries regarding virus detection. This group should be able to determine when a computer has been attacked, and how best to contain and recover from the problem.

- Set up some means of distributing information rapidly to all affected users in the event of an emergency. This should not rely upon a computer network, as the network could actually be attacked, but could use other means such as telephone mail or a general announcement mechanism.

- Observe physical security for personal computers. Locate them in offices that can be locked. Do not store software and backups in unsecured cabinets.

Associated Network Concerns

Personal computer networks offer many advantages to users; however, they must be managed carefully so that they do not increase vulnerability to viruses and related threats. Used incorrectly, they can become an additional pathway to unauthorized access to systems, and can be used to plant malicious software such as network worms. This section does not provide specific management guidance, as there are many different types of personal computer networks with widely varying degrees of similarity. However, some general suggestions for improving basic management are listed below:

- Assign a network administrator, and make the required duties part of the administrator's job description. Personal computer networks are becoming increasingly complex to administer, thus the administration should not be left to an individual who cannot dedicate time as necessary.

- Protect the network server(s) by locating them in secure areas. Make sure that physical access is restricted during off-hours. If possible, lock or remove a server's keyboard to prevent tampering.

- Do not provide for more than one administrator account, i.e., do not give other users administrator privileges. Similar to the problem of multiple system manager accounts on multi-user systems, this situation makes it more likely that a password will become known, and makes overall management more difficult to control. Users should coordinate their requests through a single network administrator.

- Do not permit users to connect personal computers to the network cable without permission. The administrator should keep an updated diagram of the network's topology, complete with corresponding network addresses and users.

- Use the network monitoring tools that are available. Track network usage and access to resources, and pinpoint unauthorized access attempts. Take appropriate action when violations consistently occur, such as requiring the user in question to attend a network user class or disabling the user's network account.

- Ensure that users know how to properly use the network. Show them how to use all security features. Ensure that users know how to use passwords and access controls effectively (see the password usage guidelines referred to above). Show them the difference between normal and abnormal network activity or response. Encourage users to contact the administrator if they detect unusual activity. Log and investigate all problems.

- Do not give users more access to network resources than they require. If using shared directories, make them read-only if write permission is not required, or use a password. Encourage users to do the same with their shared directories.

- Do not set up directories for a software repository unless (1) someone can first verify that the software is not infected, and (2) users are not permitted to write to the directory without prior approval.

- Back up the network server(s) regularly. If possible or practical, back up personal computers using the network server backup mechanism.

- Disable the network mail facility from transferring executable files, if possible. This will prevent software from being indiscriminately shared, and may prevent network worm programs from accessing personal computers.

- For network guest or anonymous accounts, limit the types of commands that can be executed.

- Warn network users to be suspicious of any messages or programs that are received from unidentified sources; network users should have a critical and suspicious attitude towards anything received from an unknown source.

- Always remove old accounts or change passwords. Change important passwords immediately when users leave the organization or no longer require access to the network.

-JUDGE DREDD/NIA

[OTHER WORLD BBS]