S 2.155 Identification of IT systems potentially threatened by computer viruses

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Head of IT Section

When creating a virus protection concept, the first essential step is to identify the IT systems at the agency or institution which are potentially under threat from computer viruses. From an overview of all IT systems currently in service or whose use is planned, it is possible to pick out all IT systems for which computer viruses represent a threat or via which computer viruses may be distributed. This overview can also be obtained from the results of the determination of protection requirements in accordance with the IT Baseline Protection Manual, Chapter 2.2.

Systems typically affected by computer viruses are all IT systems with PC-based operating systems such as DOS, Windows 3.x, 95/98 or NT, or those running application programs such as Microsoft Word or Excel, which may be infected by macro viruses.

Although servers are not generally threatened directly by computer viruses themselves, they may be a distribution point for infected programs and files.

The possibility of computer viruses also posing a threat where other operating systems or IT application programs are used cannot be ruled out. In a few individual cases this applies to Unix systems and OS/2 systems, for example, but in view of the lack of widespread use these constitute only a low potential threat (see G 5.23).

For each IT system that is identified in this way, the possible infection paths which computer viruses may take can also be determined in a subsequent step. This information can be used for the later selection of which action to take. An infection by computer viruses may take place in the following ways, for example:

• When using floppy disks, CD-ROMs or other exchangeable data media

• When installing new software

• As a result of access to files that are not stored on the local hard disk but on a server in the network or in a shared directory within a peer-to-peer network

• As a result of access to files received from an external source (for example an email attachment or files from the Internet)

• In the course of external maintenance work

It makes sense to draw up a table showing the interfaces via which a computer virus infection may occur for each identified IT system or, by way of example, for each identified IT system type. These interfaces may be as follows:

• Any reading devices for exchangeable data media available locally at the computer (floppy disk drives, CD-ROM drives, streamers, removable hard disks etc.)

• Any portable reading devices for exchangeable data media that can be connected locally to the computers (floppy disk drives, CD-ROM drives, streamers, removable hard disks etc.)

• Links to other IT systems in the local security area (LAN servers, peer-to-peer connections)

• Interfaces via which data can be transferred from external IT systems to the local IT system (modem, Internet connection)

The most important aspect of an overview of this nature is the nomination of people to contact for the respective IT systems, who are responsible for implementing the necessary measures and who are the people who users turn to when needed. As the IT landscape in any organisation is subject to constant change, this information must be updated whenever necessary to reflect changes to existing systems.

Example of a survey:

• How is it ensured that the necessary measures within the virus protection concept will be taken into account when changes are made to existing IT systems or new IT systems are put into service?