13.6 Virus Protection




Among the dangers of inadequate network security are the alteration and destruction of valuable records and whole databases by worms and viruses introduced onto the network through unauthorized programs brought into the workplace by unknowing users. Worms and viruses are usually differentiated according to their degree of transferability. A virus, for example, limits its damage to the LAN workstation through which it entered and is transported by external action, such as by disks and software downloads from bulletin boards. Worms are self-replicating and move throughout the network—node to node. Some viruses and worms are timed for activation far into the future, making it even more difficult to track down their source.

Viruses can have a multiplier effect on networks. If a standalone PC gets infected, there is little chance that the virus will spread to other machines unless infected disks are handed around. If a mainframe gets infected, the damage can be more severe, but there still is only one system to disinfect. But when a virus invades a LAN, the damage can be far-reaching. Disks used to boot servers are a prime cause of LAN infections. Since workstations communicate with the network file server to obtain shared programs and data files, a virus can spread rapidly to every computer that accesses the server.

A virus presents a major threat to security because of the damage it can do to information, especially in distributed processing environments where any one user accesses an array of network resources on a regular basis. Once a virus program has been introduced into a system, it can cause the following problems:

  • Longer than normal program load times;

  • Excessive disk accesses for simple tasks;

  • Unusual system error messages;

  • Disk activity for no apparent reason;

  • Reduced available RAM;

  • Reduced available disk space;

  • Unexplained file or directory disappearances;

  • Changes in executable program size;

  • Changes in appearance of screen icons;

  • Screens that blank out or jitter;

  • Text that dribbles to the bottom of the screen.

To protect against a catastrophic virus attack, network administrators should implement internal barriers between connecting systems. These barriers (e.g., different encryption codes for separate programs or network devices) will not completely insulate a network from a virus attack, but they will confine the damage to the area of the network where the virus entered. If a subsystem (e.g., a LAN) is only a “pass through” from a data source to a major interior system, a virus can be detected and blocked from entering the interior system. The technique involves making hash totals at the input and output of the subsystem and matching them. If a virus has intervened, the totals will not match and the data will be blocked from passage. Networks that can be accessed by dial-up lines should have a barrier, such as an encryption change, at the second entry port or interface of the access server.
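The hash-total check on a pass-through subsystem can be sketched as follows. This is an added example, not code from the book: the function names, the sample batch and the use of a keyed SHA-256 total (a key held by the two checkpoints and not by the subsystem) are assumptions that go beyond the plain hash totals described above.

```python
import hashlib
import hmac
import struct

class BlockedTransfer(Exception):
    """The output total did not match the input total."""

def hash_total(records, key):
    """Keyed SHA-256 total over a batch. The record count and each record's
    length are mixed in, so moving bytes between records changes the total."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(struct.pack(">I", len(records)))
    for rec in records:
        mac.update(struct.pack(">I", len(rec)))
        mac.update(rec)
    return mac.digest()

def pass_through(records, subsystem, key):
    """Total the batch at the subsystem's input, total it again at the
    output, and release it to the interior system only if they match."""
    total_in = hash_total(records, key)
    output = subsystem(records)
    total_out = hash_total(output, key)
    if not hmac.compare_digest(total_in, total_out):
        raise BlockedTransfer("hash totals differ; batch withheld")
    return output

# Constructed key and batch, plus three stand-ins for the pass-through LAN.
KEY = b"constructed-demo-key"
BATCH = [b"ACCT=1001;AMT=250.00", b"ACCT=1002;AMT=75.10"]

def clean_lan(records):
    return list(records)

def altered_lan(records):
    out = list(records)
    out[1] = out[1].replace(b"75.10", b"95.10")  # one record changed in transit
    return out

def resplit_lan(records):
    joined = b"".join(records)  # same bytes overall, record boundary moved
    return [joined[:24], joined[24:]]

def is_blocked(subsystem):
    try:
        pass_through(BATCH, subsystem, KEY)
    except BlockedTransfer:
        return True
    return False

if __name__ == "__main__":
    print(is_blocked(clean_lan), is_blocked(altered_lan), is_blocked(resplit_lan))
```

An unkeyed total would detect accidental or unsophisticated alteration only, since anything able to rewrite the data inside the subsystem could also recompute a plain hash if the total travelled with the batch.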

Some anti-virus data security software packages only identify changes being made to files, while others identify and remove viruses and repair the damage the viruses inflict. Boot sector viruses locate themselves on the first sector of a floppy disk, while file viruses invade files, particularly executable files. Sometimes file allocation tables (FATs), files, and directories can be recovered after a virus attack, but anti-virus software can identify and eliminate viruses before the damage occurs. Some packages disinfect files, boot sectors, and memory without harming the infected portions of the system, while others are less sensitive. As yet, no product can guarantee complete protection against a virus attack, and new types of viruses are constantly being discovered.

Once viruses enter the network, they often begin by destroying crucial operating system files. Some virus protection programs can monitor the status of these files by periodically verifying byte count. Other programs can often isolate and detect an abnormal file condition, such as an excess byte count, but cannot resolve the problem. In these cases, companies must enlist the aid of skilled computer analysts and programmers to correct the problem. Since no product can completely secure the network, companies must strike a balance between data accessibility and the level of data protection needed to maintain security. Inevitably, cost will also become a consideration. Unfortunately, the cost of security measures can be difficult to justify, since the benefits of additional security (i.e., reduced exposure to security threats) cannot be predicted or directly measured until an attack actually occurs.
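A periodic byte-count check of the kind described above, as an added example that is not from the book. It also records a SHA-256 digest for each file, an addition beyond the byte-count method, because a byte count alone cannot see a change that leaves the file size the same; the file names and contents are constructed stand-ins for operating system files.

```python
import hashlib
import os
import tempfile

def snapshot(paths):
    """Record (byte count, SHA-256) for each monitored file."""
    result = {}
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        result[path] = (len(data), hashlib.sha256(data).hexdigest())
    return result

def verify(baseline):
    """Re-read every baselined file and classify what changed."""
    report = {}
    for path, (size, digest) in baseline.items():
        try:
            now_size, now_digest = snapshot([path])[path]
        except FileNotFoundError:
            report[path] = "missing"
            continue
        if now_size != size:
            report[path] = f"size changed ({now_size - size:+d} bytes)"
        elif now_digest != digest:
            report[path] = "same size, content changed"
        else:
            report[path] = "ok"
    return report

def demo():
    """Constructed files stand in for operating system files."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("a.sys", "b.sys", "c.sys", "d.sys")]
        for path in paths:
            with open(path, "wb") as fh:
                fh.write(b"\x90" * 512)
        baseline = snapshot(paths)
        with open(paths[0], "ab") as fh:    # appended bytes: excess byte count
            fh.write(b"\x00" * 64)
        with open(paths[1], "r+b") as fh:   # overwritten in place: size unchanged
            fh.write(b"\xcc" * 16)
        os.remove(paths[2])                 # file disappears
        report = verify(baseline)
        return {os.path.basename(p): s for p, s in report.items()}

if __name__ == "__main__":
    print(demo())
```

The second file is the case a pure byte-count monitor would report as healthy. The baseline itself needs to be stored where the monitored system cannot rewrite it.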






LANs to WANs: The Complete Management Guide
ISBN: 1580535720
EAN: 2147483647
Year: 2003
Pages: 184
