S 2.156 Selection of a suitable computer virus protection strategy

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Head of IT Section

In order to implement computer virus protection it is necessary to deploy human and financial resources, which must be in reasonable proportion to the actual potential threat. Details of the following influencing factors must be collected for all of the identified IT systems potentially threatened by computer viruses:

• How often does a data transfer that could lead to an infection or the dissemination of computer viruses take place via the existing interfaces?

• What consequences can be expected in the event of an actual infection if no protective measures are taken?

• How reliably do the IT users perform IT security measures which need to be initiated periodically?

• How much time can the IT users be expected to spend on computer virus protection measures?

Given knowledge of the frequency of computer virus infections derived from the data collected as described above and from technical publications, and knowledge of the possible consequential damage, a decision has to be taken in conjunction with management as to which financial resources have to be made available for necessary measures and which human resources will be made available.

Once it is known which financial and human resources are available to provide protection against computer viruses and which IT systems have been identified as being potentially threatened, strategies for achieving suitable protection can be chosen.

A number of possible strategies are described in the following.

Computer virus scanning programs on every terminal

The use of an up-to-date resident computer virus scanning program (i.e. a program that runs permanently in the background) in an IT system ensures that an infected program cannot be executed or a file with a macro virus cannot be loaded. Checking of the interfaces on the terminal is taken care of by the resident scanning program. This ensures that no viruses are transferred to the IT system. It is not advisable to rely solely on the exclusive use of non-resident computer virus scanning programs (which are only activated when the program is explicitly started by the user). There is no significant financial advantage to be obtained from this nowadays, but the disadvantages on the part of the IT users are considerably increased because they must be relied upon to activate the program on a regular basis.

If all terminals are equipped with a resident computer virus scanning program, it can be guaranteed that computer viruses will be identified immediately after they appear and that they will not be disseminated from the terminal. In addition, even where resident virus scanning programs are used it should be possible to activate a program on a case-by-case basis on every client as the need arises, for example to check e-mail attachments selectively before they are opened.

Advantages:

• An appropriate, up-to-date and resident computer virus scanning program ensures maximum protection while at the same time minimising effort and complexity for the IT user.

Disadvantages:

• Procurement costs and administration work are applicable to every terminal.

• Older IT systems may not have sufficient main memory. There may also be complications with regard to interoperation with other programs.

Computer virus scanning programs on all terminals with external interfaces

In networked IT systems a resident computer virus scanning program is only installed on those IT systems which in addition to interfaces to their own internal network also have other external interfaces (floppy disk drive, CD-ROM, modem). Networked IT systems without direct external interfaces are not equipped with computer virus scanning programs.

Advantages:

• Procurement costs and administration work are limited to those IT systems with external interfaces.

Disadvantages:

• Changes to the IT systems which result in the setting up of new external interfaces must be painstakingly followed up because it may become necessary to retrofit IT systems with computer virus scanning programs.

• Encrypted files or programs which contain computer viruses and which are not decrypted until they are on an unprotected terminal will cause infections. This may also be true of compressed files in the same way, if the scanning program is not suitable.

Computer virus scanning programs on all servers

In this case every server in a networked IT system is equipped with a resident computer virus scanning program, but the terminals connected to the server are not. This ensures that it is impossible for computer viruses to be transferred from one terminal to another, and that therefore a possible infection remains locally isolated.

Advantages:

• Procurement costs and administration work are restricted to the servers.

• Protecting the servers prevents re-infections, for example after archived files are retrieved.

Disadvantages:

• For terminals with external interfaces, users have to start the computer virus scanning program located on the server manually in order to check incoming external data media, but also to check data media and files being sent.

• Encrypted files or programs which contain computer viruses and which are not decrypted until they are on an unprotected terminal will cause infections if there is no incoming check. This may also be true of compressed files in the same way, if the scanning program is not suitable.

• It is impossible to rule out the possibility of a terminal with external interfaces becoming infected with a computer virus.

• If use is also made of peer-to-peer functionality, computer viruses can also be transferred between terminals without being checked by the protected servers.

• Detrimental effect on performance, because all communication content has to be checked.

Computer virus scanning programs on all servers and terminals

This combination of the above strategies offers the greatest protection, because computer viruses are immediately detected when they appear and are not distributed further via servers. In addition, computer virus scanning programs from various vebdors can be used, so as in that way to increase the detection rate for computer viruses.

Advantages:

• An appropriate, up-to-date and resident computer virus scanning program ensures maximum protection while at the same time minimising effort and complexity for the IT user.

• Computer viruses are not disseminated further via servers.

Disadvantages:

• Procurement costs and administration work for every server and every terminal.

Computer virus scanning programs on the communication servers

Computer virus protection programs can be installed exclusively or additionally on all communication servers, i.e. the IT systems via which data exchange with external IT systems is carried out, for example firewalls or mail servers. However, the effect of this is that the terminals are only protected against computer viruses if they do not have any other interfaces, such as CD-ROM drives etc.

Advantages:

• All files are checked at the entrance to the LAN, and not only when they are inside.

• Computer viruses are not disseminated further via servers. They can, however, be spread on the terminals if files are exchanged between them directly (for example on floppy disk).

Disadvantages:

• This method is susceptible to error: in some circumstances, e-mail attachments may not all be recognised. Often scanning programs only check for the presence of attachments within the first few lines of an e-mail or in the mail header. It can also happen that the procedure with which the attachment has been processed (e.g. uuencode) is not supported by the virus scanning program. This is possible with MIME, for example: problems may arise if one or more files encoded with uuencode are simply inserted into the body of the e-mail.

• Detrimental effect on performance, because all communication content has to be checked.

• Only a minimal operating system should be installed on all communication servers, in other words only the most essential services (see also S 4.95 Minimal operating system).

• In order to avoid denial-of-service attacks, a computer virus scanning program should never be installed on a firewall - at most on a proxy, if at all.

Data hygiene and central checking of files

All incoming and outgoing files and data media are checked at a central point by a computer virus scanning program. In addition, there is a rule that the IT users must not use any files, programs or data media of doubtful origin.

Advantages:

• The number of licences for computer virus scanning programs that need to be purchased is considerably reduced.

Disadvantages:

• If external data media are used frequently, central checking for computer viruses takes up a great deal of time and delays operational procedures. It is impossible to rule out infection by a computer virus entirely, because checking of a data medium may be forgotten by mistake.

• All computers which do not have a computer virus scanning program must be checked for infection by a computer virus at regular intervals.

Regardless of which strategy is chosen for providing protection against computer viruses, there is always a residual risk that computer virus scanning programs will only detect those computer viruses that were known at the time when the program was developed. This means that new viruses may not be detected and could cause damage.

The choice of correct strategy, which must also be appropriate from the cost point of view, is dependent on the particular IT environment in each case. However, in view of the fact that the cost per licence is usually greatly reduced when purchasing multiple licences of the commonly used, suitable computer virus scanning programs, it is advisable to give consideration to fully equipping all servers and terminals.

Additional controls:

• Have computer viruses occurred in the past? What damage did they cause (financial losses, loss of working time, ...)?

• Is the decision about the commitment of resources for computer virus protection taken by management?

• Is there assurance that consideration will be given to adaptation of the computer virus protection strategy when changes are made to the IT environment?

• Have the disadvantages associated with the chosen strategy been made plain to IT security management?

• Will the resultant residual risks be covered?