Protective layers

When the Nimda worm struck in 2001, one of its many victims was a hospital where the worm crashed servers, erased data and forced it to hire a consultant.

"The worm deleted files and brought a couple of servers to their knees," says IT director Mark Rein, who joined the hospital a year after Nimda struck. "We had to have a company come in and eradicate the virus."

Fortunately, the virus didn't attack patient data. But it did give hospital administrators a wake-up call, making them aware that they needed better e-mail security. There wasn't a silver bullet that could stop all viruses and -- nearly as bad -- spam, so the hospital opted for multiple, overlapping defences.

Today, the hospital has five layers of antivirus and antispam defences: an e-mail relay and antivirus product called eSafe from Aladdin Knowledge Systems; an antispam and antivirus device from MailFrontier; antivirus software from Symantec on the e-mail servers and desktops; and a Web filter from Websense to monitor HTTP traffic and prevent employees from accidentally downloading viruses from the Web. Finally, the hospital uses a Juniper Networks intrusion-detection and -prevention product to alert IT staff to anomalies in network traffic or unauthorized software on the system.

Sound excessive? In this era of massive malware attacks, such multiple layers of defence are, in fact, not paranoid but prudent.

In a March report from Ferris Research, antivirus software vendors said that there were nearly 100,000 viruses in existence then and that the number is increasing each month. F-Secure, a vendor of antivirus products, notes that the largest virus outbreak in 2004, MyDoom.A, churned out nearly 10 percent of global e-mail at its peak.

Another problem is spyware and adware, small programs that install themselves on a PC and either push out advertising or, in the case of spyware, track user activities. Such programs can come from the most innocent of sources.

In the second half of last year, for example, the US Department of Energy's New Mexico office was perplexed by a sudden flood of pop-up pornographic ads on employee PCs. "We couldn't understand how we were getting all this traffic from adult sites," says Paul DeVito, information systems site security manager.

His staff traced it to a weather site used by the department that had been hacked and was downloading X-rated adware to visitors' PCs.

Double trouble

Besides cutting productivity, adware and spyware can also cause computer problems and worse. "They can cause instability in PCs, operations to crash, slow performance," says Chris Williams, a senior analyst at Ferris Research. "And [malware] can log your keystrokes and report those back to a Web site, so your network log-in is being compromised."

How can a company shore up its servers and desktops against this rising tide of malware? First, say experts, educate employees on spam and viruses. But education can go only so far; technology is also needed. Here are five steps in the defence against malware:

1) Restrict user privileges: The fewer system privileges on a user's desktop, the fewer opportunities there are for viruses and spyware to take over, says Andrew Jaquith, an analyst at The Yankee Group. "The biggest reason companies have spyware problems is that user privileges are set too high," he says.

IT may also choose to block certain types of attachments, such as executable or Zip files, and prevent access to certain Web sites. The DOE's Carlsbad office now uses Websense software to block access to adware- and spyware-heavy sites, such as gambling sites. It also relies on an e-mail firewall from Tumbleweed Communications with built-in McAfee antivirus and spyware filtering tools.

2) Apply patches immediately: Installing security patches and updates is critical, regardless of how much antivirus protection you may have. JetBlue Airways in New York, for example, has layers of antivirus and antispam defences, but its IT staffers also apply new security patches promptly, says Lesen Wang, IT e-mail systems administrator at JetBlue.

"Even with an antivirus program, a virus can get through," he says. Two years ago, for example, JetBlue's desktops were infected by the Blaster virus because they hadn't been patched, but the airline's servers, which had received regular updates, remained unaffected.

3) Switch to alternative e-mail packages: While not guaranteed to be shielded against viruses, nonstandard (that is, not Microsoft) software is less likely to be targeted by virus writers.

For example, Brett McKeachnie, network systems administrator at a state school, reports that the school, which uses Novell's GroupWise, never had a virus problem and didn't realize it was receiving viruses until it installed iSolation Server, an e-mail security product from Avinti.

"Avinti put [iSolation Server] into the mail stream, and the next thing you know, we've got 40 to 50 viruses hitting the filter," McKeachnie says. However, not everyone at the school uses GroupWise -- some are on Outlook -- so the school remains vulnerable to virus attacks and, of course, spam.

4) Build a multilayered defence: There are several approaches to antivirus and antispam protection, none of which is 100 percent effective. So using two or more is a useful strategy, experts say.

Techniques for blocking spam include maintaining blacklists of spammers' Internet addresses and employing the challenge/response strategy, which attempts to catch spammers by asking a suspicious sender to resend the message, the assumption being that an automated spam program won't reply. Another option is Bayesian filters, which "learn" to recognize spam from samples that an IT administrator or an end user feeds it. The filter then uses probability scores to decide whether an e-mail is likely to be spam.
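The Bayesian approach described above, with a blacklist as the first layer in front of it, as an added example that is not from the article or from any product it names. The training messages, the blacklisted addresses (documentation-range IPs) and the 0.9 decision threshold are all constructed for illustration.

```python
"""Added example (not from the article): a naive Bayesian spam filter with a
sender-address blacklist as the first layer. Training messages, IP
addresses and the decision threshold are all constructed for illustration."""
import math
import re
from collections import Counter

# Constructed training corpus of (message text, is_spam) pairs
TRAINING = [
    ("cheap meds online buy now limited offer", True),
    ("win a free prize click here now", True),
    ("buy cheap meds online free shipping", True),
    ("earn money fast from home click now", True),
    ("meeting moved to 3pm please review the agenda", False),
    ("please review the attached quarterly report", False),
    ("can we schedule a call about the project plan", False),
    ("lunch tomorrow the team agenda is attached", False),
]

# Constructed blacklist of sending-server addresses (documentation ranges)
BLACKLIST = {"192.0.2.10", "198.51.100.7"}


def tokenize(text):
    """Lower-case word tokens; punctuation and digits are dropped."""
    return re.findall(r"[a-z']+", text.lower())


class BayesFilter:
    """Word-presence naive Bayes classifier trained from labelled samples."""

    def __init__(self, samples):
        self.spam_counts = Counter()  # number of spam messages containing a word
        self.ham_counts = Counter()   # number of ham messages containing a word
        self.n_spam = 0
        self.n_ham = 0
        for text, is_spam in samples:
            self.train(text, is_spam)

    def train(self, text, is_spam):
        """Feed one labelled sample, as an administrator or user would."""
        words = set(tokenize(text))   # each word counted once per message
        if is_spam:
            self.spam_counts.update(words)
            self.n_spam += 1
        else:
            self.ham_counts.update(words)
            self.n_ham += 1

    def likelihoods(self, word):
        """P(word | spam) and P(word | ham) with add-one (Laplace) smoothing,
        so a word never seen in one class cannot force a probability of 0."""
        p_spam = (self.spam_counts[word] + 1) / (self.n_spam + 2)
        p_ham = (self.ham_counts[word] + 1) / (self.n_ham + 2)
        return p_spam, p_ham

    def spam_probability(self, text):
        """Combine per-word evidence as a sum of log-likelihood ratios and
        convert the result back to a probability that the message is spam."""
        log_odds = 0.0
        if self.n_spam and self.n_ham:
            log_odds = math.log(self.n_spam / self.n_ham)   # class prior
        for word in set(tokenize(text)):
            p_spam, p_ham = self.likelihoods(word)
            log_odds += math.log(p_spam) - math.log(p_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))


def classify(filt, sender_ip, text, threshold=0.9):
    """Return (verdict, score): blacklist first, then the Bayesian score."""
    if sender_ip in BLACKLIST:
        return "blacklisted", 1.0
    score = filt.spam_probability(text)
    return ("spam" if score >= threshold else "ham"), score


if __name__ == "__main__":
    filt = BayesFilter(TRAINING)
    for ip, msg in [("203.0.113.5", "buy cheap pills online now"),
                    ("203.0.113.5", "please review the project agenda"),
                    ("192.0.2.10", "please review the project agenda")]:
        print(ip, msg, "->", classify(filt, ip, msg))
```

A message made only of words the filter has never seen scores exactly 0.5 and is passed, which is why the threshold sits well above 0.5 and why the filter needs a steady diet of samples; the blacklist stage is cheaper but, as the Euro RSCG case later in the article shows, it also blocks legitimate senders whose servers have been hijacked.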

Signature-based scanning is the most common approach for identifying viruses, but it doesn't help when there's a brand-new virus on the loose. The "zero hour" problem -- the time lag between the initial release of a new virus and the point when an antivirus software vendor can issue a signature update for it -- is the biggest problem with signature-based products, especially since the gap can be as long as eight hours. Companies relying solely on pattern-based antivirus protection are vulnerable to new viruses during that time.

One technique that attempts to close this gap is blocking technology that shuts down access to certain systems if it detects any initial virus activity. For example, JetBlue used Trend Micro's signature-based ServerProtect, but it opted to add IronPort Systems' C-Series antivirus and antispam device, which includes a blocking technology called Virus Outbreak Filter. The filter quarantines suspect e-mail if it detects a new virus outbreak based on data from IronPort's SenderBase e-mail monitoring network.

Yet another approach to blocking viruses is heuristics scanning, which detects viruses by analyzing a file's structure, behaviour and other attributes instead of looking for a pattern match in the code.
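The two approaches contrasted above (signature matching, and structural heuristics for the zero-hour window when no signature exists yet) in one toy attachment scanner, as an added example that is not from the article or from any vendor it names. The "known-bad" sample, its hash and pattern signatures, the file-type tables and the sample attachments are all constructed; a real engine has far richer heuristics, but the ordering and the fallback are the point.

```python
"""Added example (not from the article): a toy attachment scanner that
applies the two approaches described above in order: a signature match
against known-bad content, then structural heuristics for files whose
signature is not yet known. Every signature and sample here is constructed."""
import hashlib

# Constructed "known-bad" sample and the two signatures derived from it
KNOWN_BAD_SAMPLE = b"MZ\x90\x00" + b"CONSTRUCTED-BAD-SAMPLE"
KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}
KNOWN_BAD_PATTERNS = [b"CONSTRUCTED-BAD-SAMPLE"]   # substring signature

# Leading bytes that identify executable content regardless of file name
EXECUTABLE_MAGIC = {b"MZ": "pe-executable", b"\x7fELF": "elf-executable"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "xls", "jpg", "txt"}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "vbs", "js"}


def signature_scan(data):
    """Return the name of the matching signature, or None if nothing matches."""
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_HASHES:
        return "hash-match"
    for pattern in KNOWN_BAD_PATTERNS:
        if pattern in data:
            return "pattern-match"
    return None


def heuristic_scan(filename, data):
    """Structural checks that need no prior sample of the malware."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    # 'invoice.pdf.exe': a document-looking name hiding an executable extension
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
        findings.append("double-extension")
    # Content contradicts the extension: executable header inside a 'document'
    kind = next((k for magic, k in EXECUTABLE_MAGIC.items() if data.startswith(magic)), None)
    if kind and ext in DOCUMENT_EXTENSIONS:
        findings.append(f"{kind}-disguised-as-{ext}")
    # Plain policy block on executable attachment types
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append("executable-attachment")
    return findings


def scan_attachment(filename, data):
    """Signature first (cheap, precise); heuristics only when no signature hits."""
    sig = signature_scan(data)
    if sig:
        return "block", [sig]
    findings = heuristic_scan(filename, data)
    return ("quarantine" if findings else "allow"), findings


if __name__ == "__main__":
    samples = [  # constructed attachments
        ("invoice.pdf", b"%PDF-1.4 constructed document body"),
        ("report.pdf", b"MZ\x90\x00 constructed unknown executable"),
        ("invoice.pdf.exe", b"MZ\x90\x00 another unknown executable"),
        ("update.exe", KNOWN_BAD_SAMPLE),
        ("update2.exe", b"MZ\x90\x00XXXX" + b"CONSTRUCTED-BAD-SAMPLE"),
    ]
    for name, data in samples:
        print(name, "->", scan_attachment(name, data))
```

The second and third samples have no signature at all, which is the zero-hour situation: the hash and pattern stages pass them, and only the structural checks pull them into quarantine. The fifth sample shows why engines keep pattern signatures next to hashes: a few changed bytes defeat the hash but not the substring.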

The bottom line, experts say, is that two or more defensive technologies -- whether in different products or combined in one -- are better than one.

Just as using two types of antivirus or antispam software can increase your odds of catching malware, so, too, can locating defensive products at different points on your network. Firewalls, SMTP gateways, HTTP gateways, e-mail and file servers, and desktops are all good places to defend.

Monrovia Nursery, a plant and flower wholesaler, recently added its fourth layer of security: an antispam and antivirus gateway from MailFrontier. The new gateway complements an existing firewall -- which blocks attachments such as Visual Basic scripts -- and antivirus software from Symantec on its e-mail servers and desktops. "It's another layer of protection," says Ray Martin, Monrovia's IS technical manager. "Redundancy and variety are good when it comes to e-mail security."

The main point of a multilayered defence, says Richi Jennings, a Ferris Research analyst, is to cover all the potential points where a virus could enter. Too often, he says, companies think they're immune to viruses, when in fact they've failed to cover a key point of entry.

"You may feel you have a clean architecture, with virus scanning on the perimeter of the network," Jennings says. "But if you've forgotten a vector -- such as a laptop that has a virus and gets plugged into the company network -- then suddenly you've got a bunch of infected machines because you didn't put antivirus on the desktops."

5) Use an outside service: If you want a multi-tiered defence without having to purchase individual products and implement them, an outside antivirus and antispam service may be the answer. Companies such as MessageLabs and Postini will intercept and clean your e-mail of viruses and spam before sending it to your e-mail server, thus sparing you the software and hardware expense of scanning and processing your own e-mail.

Internet service providers may offer antivirus and antispam filtering services to corporate clients. For example, virus and spam filtering at Bata Canada, a unit of shoe manufacturer and retailer Bata International, is handled by Bata's service provider.

A significant advantage, according to Eli Gabbay, manager of IT technical support at Bata, is the ability to offload some of the administrative chores to the service provider. "I found [antispam and antivirus software] to be very complicated. . . . There's a lot of work for me to do to maintain it," he explains. "Now the only thing I need to do is put any spam that gets through into a folder, and the provider adds it to its database."

Typically, antivirus services use signature-based scanning in combination with other approaches to optimize their success rates. And they clean up the e-mail before it ever reaches their customers' servers. Some users are also turning to antivirus and antispam service providers to clean up their e-mail before it even hits their firewalls.

Euro RSCG Worldwide, an international advertising and marketing firm with 233 agencies, turned to MessageLabs for help in dealing with a rising flood of spam that threatened to overload its e-mail servers.

"We had more spam coming in than legitimate e-mail," says CIO John Tanner. "It got to the point, last August, where we were going to have to increase our hardware by 33 percent."

The agency tried blocking spam at the firewall with blacklists, but that approach resulted sometimes in blocked mail from prospective clients whose addresses or e-mail servers had been hijacked by spammers. So the ad agency tried the MessageLabs service, which culls spam and viruses before sending the clean mail on.

Of course, the company still uses antivirus software on its servers and desktops to be safe. But so far, spam has ceased to be a problem. "I don't have to manage any hardware or software. I don't have to worry about upgrading hardware because spam has increased," says Tanner. "Spam has disappeared from the planet for us."

Spam choked the traveller's tale

With 2000 inboxes to protect, and the interests of customers, airlines, hotels and suppliers riding on them, spam's extra load was grinding servers at Harvey World Travel to a near halt.

Matthew Harris, the travel agent's IT manager, said that the combination of growth in regular business with spam and viruses, while not crashing the e-mail server, made it run so slowly that users' e-mail clients would time out.

Harvey World Travel has 350 franchises in Australia and Harris said the problem with spam started when the e-mail server couldn't cope. "Spam gave us many more problems than viruses ... e-mail is very important to our business."

Harris signed up for a 30-day free trial with MessageLabs which, he said, "fixed the problem overnight and we have been using the solution ever since; we just had to change the MX records in DNS and make a few firewall changes - we spent more time reading the contract than deploying".

Productivity ploys

Bottleneck aggravation is not the only cost of spam: employee efficiency can take a significant hit.

The stream of minute-by-minute, so-called 'urgent' e-mails that demand attention drives down worker productivity considerably.

Managing and cleaning up staff e-mail accounts, and even keeping employees productive, are issues all businesses now have to deal with constantly, since e-mail is considered an essential practice. E-mail's intrusive, immediate and possibly non-work-related nature has led companies such as Telecom New Zealand to implement no-e-mail Fridays. A Hewlett-Packard study early this year reported that 62 percent of British adults are addicted to their e-mail. Half of the workers surveyed felt they needed to respond to e-mails immediately or within an hour, and one in five people reported being happy to interrupt a business or social gathering to respond to an e-mail or phone message.

According to Frost & Sullivan security analyst James Turner, e-mail for users today is similar to a DDoS attack on a network: packets of information (e-mails) are thrown thick and fast at a user, and if they cannot process that information fast enough they fall in a heap.

"The companies that are thinking about their employees are going to start coming up with strategies to make the working day more productive, and that is not squeezing out productivity by responding to e-mails every 30 seconds ... people need thinking time," Turner said.

"Not all companies can implement a no e-mail day because it might not be viable but it is an interesting backlash against the intrusion e-mail has made on working capacity; companies that are doing e-mail packages are watching this and instant messaging with great interest because humans are at a point where they are so busy chatting and typing that they are not doing anything - that is not a sustainable business model." Stricter identity management, including using multiple e-mail addresses for work projects and social agendas, is the area where e-mail can be better managed and therefore create a more organized workflow, Turner said.

While doing without e-mail may not be an option for many companies, clamping down on spam is critical and not just to reclaim bandwidth. Spam has turned as insidious as viruses. Security vendors are starting to see spam used as a mechanism for delivering malicious content in the form of viruses, worms, trojans and the like.

ISP freed up for complementary service

ISPs, at the top of the e-mail food chain, suffer more than users when it comes to combating spam, and not just because of the volume of mail they pass on. As bastions of mail, ISPs walk the fine line of ensuring legitimate mail gets through while clamping down on spam and other malicious code.

iiNet (which acquired OzEmail in February 2005) has a user base of 630,000 customers in Australia and New Zealand and recently moved from using a collection of open source antivirus tools to an outsourced solution.

iiNet specifically wanted to offer a free antispam service to subscribers because, in late 2004, two competitors in New Zealand were doing so and no ISP in Australia was offering it free as a premium-level service.

After deploying a Brightmail solution from Symantec, Greg Bader, iiNet CTO, said there was a 50 percent load reduction on back-end servers, fewer customer support calls and fewer false positives (Brightmail claims less than a one-in-a-million chance of an e-mail message being incorrectly filtered).

Bader said the previous open source solution had needed a lot of tinkering, and Brightmail was chosen because iiNet wanted to outsource the task completely.

"The main problem with the open source solution was it constantly needed updating and this meant that to get it operating at a reasonable level, we had to use manpower, which just wasn't an effective use of resources," Bader said.

"By reducing the influx of e-mails we have to handle, the processing engine requirements have been reduced, which in turn has resulted in increasing our storage life-span."

Andrew Gordon, senior Symantec security analyst, said the challenge for the iiNet project was a mixture of infrastructure and fear of customer churn.

Gordon added that most ISPs usually get between five and seven e-mail addresses per customer and if they were all filled with spam the ISP would suffer not only storage problems, but critical mail delivery issues as well.

"For ISPs the biggest fear is customer churn, whether they are leaving an ISP due to natural causes or because customers are unhappy with [the service], so they have to get legitimate mail through, and for iiNet, Brightmail is a shock absorber on the front end," Gordon said.

"Previously iiNet was using bits and pieces of open source and the usual access control lists which block lists of open relays and malicious IP addresses, but you need a lot of experience or expertise in writing code and scripts to do this, whereas we have teams of people around the world providing updates every 10 minutes."

It's 11pm -- Do you know what your computer is doing?

Are your PCs moonlighting? If you haven't been safeguarding them against viruses, they might be part of a "botnet", or a network of robots. Virus writers create botnets by taking over hundreds or thousands of PCs that are then used by spammers to spew out spam mailings.

This is the result of a problematic trend: the collusion between spammers and virus writers, according to Ferris Research. Virus writers create malware to infect users' servers and desktops. These zombie botnets are then rented out to spammers. Because the spam is coming from multiple addresses, none of which actually belongs to the spamming organization, it's impossible to track the true origin of the spam and punish the spammer. Instead, unwitting victims suddenly find their organizations' e-mail domains blacklisted.

Besides putting antivirus protection on PCs and filtering incoming e-mail attachments, it's wise to filter outgoing e-mail, so you can tell if you've got a potential bot infestation inside your company.
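One way to do the outbound filtering the paragraph above recommends, as an added example that is not from the article or from Ferris Research: a spam bot on a desktop talks SMTP (port 25) directly to outside mail servers instead of going through the company's own relay, so egress connection logs are enough to spot it. The log format, the relay address, the internal hosts and the five-destination threshold are all constructed for this example.

```python
"""Added example (not from the article): outbound-mail monitoring that flags
internal hosts talking SMTP to the Internet on their own, the pattern a
spam bot produces. The log format, addresses and threshold are constructed."""
import re
from collections import defaultdict

# Constructed: the only internal host allowed to send mail outbound
AUTHORIZED_RELAYS = {"10.0.0.25"}
# Constructed: distinct external mail servers one host may contact per window
DISTINCT_DEST_THRESHOLD = 5

# Constructed egress-firewall log lines (one TCP connection each)
SAMPLE_LOG = """\
2005-05-12T23:00:01 src=10.0.0.25 dst=203.0.113.10 dport=25 action=allow
2005-05-12T23:00:03 src=10.0.0.25 dst=198.51.100.4 dport=25 action=allow
2005-05-12T23:00:05 src=10.0.1.77 dst=203.0.113.11 dport=25 action=allow
2005-05-12T23:00:06 src=10.0.1.77 dst=203.0.113.12 dport=25 action=allow
2005-05-12T23:00:06 src=10.0.1.77 dst=203.0.113.13 dport=25 action=allow
2005-05-12T23:00:07 src=10.0.1.77 dst=203.0.113.14 dport=25 action=allow
2005-05-12T23:00:07 src=10.0.1.77 dst=203.0.113.15 dport=25 action=allow
2005-05-12T23:00:08 src=10.0.1.77 dst=203.0.113.16 dport=25 action=allow
2005-05-12T23:00:09 src=10.0.1.80 dst=203.0.113.20 dport=443 action=allow
2005-05-12T23:00:10 src=10.0.1.91 dst=198.51.100.9 dport=25 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_log(text):
    """Turn log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def find_suspicious_senders(events):
    """Map each unauthorized internal SMTP sender to its evidence and a verdict."""
    dests = defaultdict(set)
    for ev in events:
        if ev["dport"] == 25 and ev["src"] not in AUTHORIZED_RELAYS:
            dests[ev["src"]].add(ev["dst"])
    report = {}
    for src, targets in dests.items():
        # Many distinct mail servers from one desktop is the bot signature;
        # a single connection still deserves a look (misconfigured client?)
        verdict = "likely-bot" if len(targets) >= DISTINCT_DEST_THRESHOLD else "unauthorized-smtp"
        report[src] = {"distinct_destinations": len(targets), "verdict": verdict}
    return report


if __name__ == "__main__":
    for host, info in sorted(find_suspicious_senders(parse_log(SAMPLE_LOG)).items()):
        print(host, info)
```

The report is the detection half; the mitigation half is an egress rule that denies port 25 from everything except the relay, which both stops the spam run and turns every further attempt into a logged, denied event that points straight at the infected host. In a real deployment the counts should be kept per time window rather than over the whole log.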