18 Jul 2002, Charles Rutstein, Forrester Research, V3
This week Charles Rutstein, research director at Forrester Research, looks at new strategies for virus protection.
The first computer virus was seen in the wild about 15 years ago and, boy, have things changed. Newer, more virulent code will require firms to develop a layered antivirus model and hunt down virus breeding grounds lurking in the infrastructure.
Today the virus problem is getting worse, not better; there's little differentiation in antivirus products, and desktop antivirus software just isn't enough.
The likelihood of infection rose 13 per cent in 2001. Worse yet, viruses are spreading faster than ever. In a matter of days, Code Red infected 28 per cent of companies worldwide and Nimda infected 68 per cent.
On the attribute users care most about when buying antivirus software, namely catching viruses, the top independent software vendors are basically in a dead heat.
Within a few hours of a new virus appearing in the wild, firms like Symantec and Network Associates all ship updates to their products.
And, while about 98 per cent of all corporate desktop systems run antivirus software, the protection it provides isn't sufficient on its own.
Further measures, like scanning email attachments at the gateway, are only used by about 50 per cent of firms.
The fight against viruses can be likened to an arms race: as soon as virus authors create a new means of hiding or propagating their creations, antivirus vendors counter it with new code. Today's viruses attack security vulnerabilities, target embedded software and present a blended threat.
In the past, virus authors didn't pay much attention to the system vulnerabilities found by their hacker cousins.
But the latest crop of viruses is different. Strains like Klez.h attack security vulnerabilities in Internet Explorer, allowing them to spread far more quickly than ever before.
Increasingly, software products as diverse as voicemail gateways and directory servers use the same underlying code for functions like web serving. And products like SQL Server underlie many of Microsoft's most popular back-office applications.
But few users think about the likelihood of these systems becoming infected and, because few of these systems run antivirus software, they provide a perfect breeding ground for viruses.
Originally, viruses spread slowly via infected floppy disks. But today's most prevalent examples don't limit themselves to a single line of attack.
It's not uncommon to see viruses that can attack on multiple fronts like email blast, file-share worming, and code execution in a web browser.
In the face of new threats, firms must increase their vigilance on the antivirus front. They must erect multiple barriers, update software religiously and root out hidden servers.
Forrester believes that companies must create a layered infrastructure for virus defence, including antivirus software at the desktop, the email server and the internet gateway.
Why so much overlap? Because of the myriad ways that viruses propagate. For example, many of the Code Red infections came into firms via infected notebook computers, even after the externally facing servers were patched.
IT shops tend to fall into one of two categories: those who update their software very frequently and those who never do.
What's the right frequency? About once a month, as the greatest threat comes from viruses that are either more than a month old or less than a day old. So moving from monthly to daily updates only gives a five to 10 per cent advantage.
Finally, almost every piece of IT gear now ships with a web interface, with a web server underneath it. Many of these are running common web servers, such as IIS, making them vulnerable to infection.
Smart firms will figure out which gear is running which embedded code and contact manufacturers to ensure that they're up to date on security patches.