Cast your mind back 15 years and there were only two ways of getting something nasty on your computer or suffering some sort of data loss: either you had an employee who decided to steal or corrupt your data or someone would put a virus-infected floppy disk into one computer.
Today the potential for mischief and destruction is huge. It’s possible to infect a whole network with a virus from email, the web, a CD or even an iPod. A hacker or disgruntled employee can access your data without having to enter the building via the internet, a WiFi wireless or Bluetooth connection. You can have your data stolen via a Trojan horse, a keylogger or phishing, or someone can just steal your laptop or PDA complete with data, (and probably every password you have ever used), as well as a guaranteed connection into your email and your company network.
Unsurprisingly then, it’s now a lot harder to be secure. In the past you either instigated a decent password regime or installed some anti-virus software. Today, you need a whole suite of programs and, depending on the size of your company, an expert you can call on quickly.
Security is not just a product or service you use, it’s an attitude as well – and one that has to be applied from the top down. In other words, security is increasingly not a technology issue but a case of risk management. Someone on your board should have security as part of their responsibility – and a proper budget. Security is nearly always one of those things that you only get serious about after a near miss.
It’s also something you usually leave to your IT department and although security is never far from their minds, it’s not one of the things they are usually taught or necessarily understand. Lastly the one thing you must do regardless of what system you choose – and this goes for all of the categories of security breach – is to update your software’s lists of security attacks on a daily basis. Most packages have ‘check for updates from the web’ as a standard option – make sure yours is switched to ‘on’.
Viruses (including worms and trojans)
An anti-virus company recently claimed there are 100,000 viruses worming their way around our computer systems. It’s a big figure, but it’s also a lie. Out of the 100,000 there are only around 6,000 ‘live’ or ‘in the wild’ viruses. All the rest are potential viruses, or variations of existing viruses and only exist in a lab. In addition, not all of the 6,000 are harmful. However, if you don’t use anti-virus software in your business then you’re leaving yourself completely open to those nasties with the ability to seriously hurt you. So which anti-virus package do you choose?
The big anti-virus companies (McAfee, ISS, Sophos, Computer Associates, F-Prot, Microsoft, Grisoft, Kaspersky, Trend, Symantec – there are around 20) all belong to one organisation, the Anti-Virus Product Developers’ Consortium (AVPD). It’s the AVPD’s job to hold all of those 100,000 viruses and record new ones within hours of them being found. Then each company sends out a new update to their own virus signature database so that their software can identify and block it. In parallel they also develop a fix for the new virus if necessary. So the difference between one vendor’s software and another’s is basically the time it takes for them to grab the new virus info and for you to get the latest update. All of the companies operate services around the globe, on a 24/7/365 basis, so that at any one time there is always someone working on fixing new viruses.
So in effect there’s zero-difference between any of the packages when it comes to detection. The main differences are how they work on an enterprise level, how simple they are to maintain, and if they cope with all the different flavours of systems the average mid-size company has, including Windows 2000/XP/98/Me, Unix, Linux, Symbian, Pocket PC etc. Anti-virus vendors now also cater for file server protection, mail server protection and internet gateway protection among other offerings – but rarely are all the solutions available from one company.
The other thing to look at is where you position your anti-virus software, the desktop is traditionally where the anti-virus package has sat, but more companies are looking to extract viruses at a level-above the desktop. Companies such as Messagelabs, Avecho and Postini filter your email before it even gets to your company’s email system – on both the way in and out.
The main advantage is that the updating is left up to the vendor, and the offending virus is stopped before it gets to your system, plus there’s a certain amount of spam-filtering added in. Avecho also archives emails so you’re protected if your system goes down. However, it won’t stop a virus from a download or from a CD so you will still need anti-virus software.
Costs for anti-virus software are either produced on a per email name, per desktop or per server basis. External solutions such as Avecho can start from as little as £1 per user per month. Desktop solutions nearly always work out cheaper in the enterprise solution packages, as the management overheads are reduced, and the cost per head works out cheaper.
Recommended desktop anti-virus products: McAfee Active Virus Defense, Computer Associates eTrust Antivirus, Symantec Antivirus Enterprise Edition and Trend Micro InterScan Web Security Suite.
Spam is the single biggest contributor to company downtime. And as Andrew Lochart, director of product marketing at Postini, says: “80% of all current emails are spam and it’s smaller companies that are hit more as spammers assume larger companies have filters and so don’t bother, plus larger companies have time to educate their users. Smaller companies also tend to operate in more risk-taking areas.” Whatever the risk, the truth is that we spend a lot of time deleting, reading and even interacting with them. The question is, where do you start to filter them out?
Mark Sunner, CTO at MessageLabs thinks the landscape needs to change for an effective end to spam. “In much the same way as utility services such as power and water ultimately progressed towards centralised purification, filtering internet traffic within the internet itself is an entirely logical progression,” he says. “Unfortunately, the majority still resort to outdated filtering techniques – as if they’re still boiling their own water – so for the moment at least the current email landscape resembles the email equivalent of the black plague.” Anti-spam software is priced on a per email per-month basis and is independent of the amount of emails you send or receive. Typically it starts from a few pounds per month per user, but like all enterprise software the price depends on the size of your company and what discounts you can negotiate.
Recommended anti-spam software: Surfcontrol, Messagelabs, Postini, Avecho.
Surf the internet for long enough and you’ll start to find that strange things begin to happen to your computer. Uninvited pop-up boxes may appear offering you bargain buys, your ‘favourites list’ will become invaded by sites you haven’t visited and your homepage will randomly change. The truly nasty pieces of software are the ones you can’t see. They sit in the background and just watch what you do and report back. The benign ones report back to commercial companies who are interested in how you navigate their site and how long you stay. The nasty ones record your keystrokes looking for passwords and usernames. The name for these various ‘nasties’ is spyware or malware and you will need some specialist software to get rid of them – although anti-spyware testing has started to be added to most of the conventional anti-virus packages.
The two best packages come from a freeware background and they really should be supplied with every new computer as standard. Go to any company large or small and you will find copies of Lavasoft’s AdAware and Spybot running and between them they kill 99.99% of all spyware / malware currently doing the rounds. Download them and run them frequently and you will never be plagued by spyware again. Microsoft is currently testing a currently free utility / product called Antispyware which is good but is a long way off being a competitor to the aforementioned products. It’s a third choice worth considering.
Prices for commercial versions of AdAware start at around £15 per user per year but prices vary depending on the size of the company. Spybot is freeware and is funded on a donation basis, software is downloadable only and is automatically updated on a daily basis or when new threats are analysed.
Recommended anti-spyware: Lavasoft AdAware, Safre Networking Spybot and Surfcontrol.
Phishing is the latest internet hazard. You receive an email purporting to be from your bank or a company such as eBay or Amazon asking you to input your name and password to check that the details they hold are correct. You click on the link provided, put in your details and, hey presto, someone now has all the details they need to order anything they want using your credit card.
Phishing attacks, according to Lochart, are rising but are probably overstated. “It currently accounts for around 1% of spam, but the sort of criminal that perpetrates them is quite sophisticated,” he says. “You can’t be a lazy spammer, there’s a sophisticated level of expertise required to build a phishing site so it’s never going to be a massive problem. Plus the banks usually close the sites down within hours of them going live.”
There’s no current commercial software to prevent phishing 100%, but a combination of a spam filter and the free downloadable address validity checker from internet security company Netcraft, as well as some common sense should solve the problem.
Recommended anti-phishing software: see anti-spam solutions plus anti-phishing IE toolbar from Netcraft.com.
The problem with IT security at the moment is that there is no single right answer. You now have to have a suite of software or a single hardware solution (see box) plus management policies in place to enforce their use if you are to stand any chance of winning the battle.
If your IT supplier offers you one package from one vendor then they’re offering you 50% of the answer. If you’re just looking for an anti-virus solution then you will be able to get a one-stop type of solution.
If you’re a small company looking for a solution to spam, phishing, anti-virus and malware then you will need to look to different suppliers for your solution. Or you could outsource your IT and let someone else deal with it. If you’re a slightly larger company then the black-box approach, which is a little bit more expensive initially, starts to become the best solution for your company.
No matter what solution you choose you have to remember that above all security should be 90% common sense. The people responsible for security threats are cunning and skilled in IT, but they are largely taking advantage of our basic insecurities and ignorance to make us do something without thinking. A little less haste and a little more thought will save everyone a huge amount of time and expense in the long run.