Computer viruses - is there a vaccine?
Is your computer system susceptible to a computer virus? A systems security specialist tells why viruses implanted into computer software are becoming more common, how they can affect an otherwise stable system, and what companies can do to avoid catching a virus.
The Wall Street Journal recently covered a story about a computer program called "Christmas Card" that infected one of IBM's large computer mail networks. Each time the card was opened--that is, the program was executed--by an unsuspecting user, it would display an attractive greeting. It would also send a duplicate of itself to every name and address in the opening user's directory. In a short time, the network was so overloaded sending copies of this program to users that a warning could not be sent to users to avoid the "Christmas Card."
Indeed, The New York Times, The Washington Post, and the Dallas Morning News have all carried articles citing damage done by malicious computer viruses. Lehigh University, IBM, EDS, and NASA have all been cited as victims. Most recently, a highly publicized "worm" program propagated through a multi-institution network called the Internet. Estimates of the cost of the damage done by this virus range into the tens of millions of dollars. And two "copy-cat" attacks have been noted.
How do these programs differ from other malicious programs? Do they represent a threat to the integrity of your business systems and data, or are the accounts simply another chapter in a litany of reports on such incidents?
What are viruses?
Computer viruses are one of a class of malicious computer programs. They are distinguished from others by the fact that they produce one or more copies of themselves whenever they are executed. Usually, they attempt to cause the copies to be distributed to other systems by attaching themselves to something shared with or destined for that system.
Of course, as the Christmas Card caper suggests, simply making copies can be disruptive. But these programs also can do anything that any other computer program can do. They can copy, disclose, modify, or erase data. They can spoof, dupe, or mislead users and managers. They can do these things immediately or later, based upon some trigger condition. And they can do them in any combination.
From a business point of view, the biggest potential mischief of a virus is to break down the compartmentation that system controls often depend upon. In one demonstration, a virus succeeded in infecting the domain of every user of a system in a matter of hours. This included the highly privileged users of the system, such as the system manager, the security administrator, and the user authorized to update production copies of business application programs. The owner of the virus now had a program operating on his behalf but with the privileges and authority of the system managers.
Indeed, computer users have always had some exposure to erroneous or malicious programs. While damage from malicious computer programs has been noticeable, it has also been tolerable. While the potential damage from a single malicious program is very high, collectively they have done less damage than erroneous programs.
However, the risk is being affected by:
* the increased number of computers.
* the sharing of computer programs, which often means using cheap portable media to transfer software or establishing two-way networks that are vulnerable to intrusion by viruses.
* the generality of the computers.
Like the plague
The concept of the virus is almost a decade old, and examples of virus-like programs were identified almost a generation ago. However, it is only within the past year or two, with the rapid proliferation of the personal computer, that we have seen real, live, and successful viruses.
This may be because computer viruses, like biological viruses, require a large host population in which to thrive. For example, herpes simplex and chicken pox would die out in communities of much less than one hundred thousand. In these smaller communities, all the potential hosts would die or become immune, and the virus would have no place to go.
As for sharing programs, the word "community" is key. No matter how large the total number of computers, if there were no contact among them, there could be no spread of viruses. The risk results from our desire to share programs and other data. The spread of the bubonic plague, for example, was directly related to an increase in trade, travel, and commerce. In a group of small, isolated communities, it might have died out unnoticed.
We normally think of a community or population as being made up of a single species. Viruses are often species specific; that is, one that will kill humans may be harmless to fish. So it is with computer programs in general, including viruses. A program designed to run in an IBM may not run in an Apple. If your computer were unique, it would not be vulnerable to a virus. However, it would likely be very expensive; the industry keeps the unit cost down by making a lot of them alike. Therefore, it is more likely that your computer is one of a large population of similar computers and vulnerable to a virus specific to that population.
One of the things that adds to the value of using computers is the sharing of data without the need to transcribe it. We do this by moving data onto storage and transporting media, such as floppy disks, or by connecting the computers together. As the media carry ever more data, the disks get smaller, cheaper, and more portable. As a result, there is more chance for informational "garbage" to appear on floppies than on the outdated tape reels.
The other way that we are sharing data and programs is by connecting the computers with telephone lines into networks. Until recently, when two computers were connected in a network, one usually had control over the behavior of the other. The flow of programs was normally in the same direction--that is, from the dominant system to the subordinate.
But it is hard to visualize a successful virus that can flow in only one direction. Today, there is a dramatic increase in the peer connection of computers, in which neither directly controls the behavior of the other, and in which programs can flow in either direction. For example, the user of a personal computer may dial up another personal computer, perhaps specially configured to function as a "bulletin board," and transfer an attractive program to his own system. Later, he may transfer the same program to yet another computer or take it to work and share it with colleagues. While this process adds value to all of the computers involved, it also makes them vulnerable to infection.
The last factor influencing our vulnerability to viruses is the flexibility or generality of the systems that we use. Most computers are "general purpose" and can be programmed for any application. Indeed, one popular use is creating and modifying programs to be run on them. Many systems offer a large variety of ways to do this, and the capability adds a great deal of both real and potential value to these computers. Of course, it also helps expose them to viruses.
While we usually consider this multi-use capability an important aspect of a computer, it is not a capability that is required. For example, neither automatic teller systems nor arcade games have this flexibility. It is not even needed in most computers. Indeed, it is possible to conceive of a world of "application-only" machines that do not have the ability to add new programs or modify existing ones. Such a world would offer many--but not all--of the benefits that we associate with computers. And it would be significantly more resistant to viruses.
What should you do to ward off viruses?
So far, the effect of viruses has been disruptive but tolerable. There have been dozens of viruses written, but only a few have spread widely (one of which circled the globe). Thousands of systems have been affected, but most have been personal computers or discretionary applications. Few, if any, have been mainframes running business applications. Most have been spread by floppy disk, but there have been some spread via personal computer bulletin boards. At least three have spread in open networks.
Personal computers and applications are the most likely to be infected, but the consequences are limited. On the other hand, because business systems are more focused in their use and purpose, they are more resistant to viruses, yet the potential consequences are greater.
Awareness, prevention, and early detection can help minimize your exposure to viruses and other malicious programs.
Employees should be cautioned about the dangers of accepting programs and other data from unauthorized sources and of using them in business systems. Permission to "write" software into your business application program libraries should be severely limited.
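One way to check how tightly "write" permission on a program library is held, as an added example that is not part of the original article: the script walks a library directory and reports every program file, and every directory holding programs, that someone other than its owner can modify. It assumes POSIX permission bits; the function names and the sample library layout are hypothetical and constructed for the demonstration.

```python
import os
import stat
import tempfile

LOOSE_WRITE = stat.S_IWGRP | stat.S_IWOTH   # write bits for group and others
DIR_REASON = "directory writable by group/others (programs can be replaced)"
FILE_REASON = "file writable by group/others (program can be modified)"

def audit_library(root):
    """Return sorted (relative_path, reason) findings for a program library."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # A writable directory lets a program be swapped out even when the
        # file itself is read-only, so directories are checked as well.
        if os.lstat(dirpath).st_mode & LOOSE_WRITE:
            findings.append((os.path.relpath(dirpath, root), DIR_REASON))
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & LOOSE_WRITE:
                findings.append((os.path.relpath(path, root), FILE_REASON))
    return sorted(findings)

def build_sample_library(root):
    """Create a small constructed library: two tight entries, two loose ones."""
    layout = {"payroll": 0o755, "ledger": 0o775,
              os.path.join("incoming", "report"): 0o755}
    os.mkdir(os.path.join(root, "incoming"))
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        with open(path, "w") as handle:
            handle.write("placeholder program\n")
        os.chmod(path, mode)          # chmod ignores the umask, unlike open()
    os.chmod(os.path.join(root, "incoming"), 0o777)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as library:
        build_sample_library(library)
        for rel_path, reason in audit_library(library):
            print(f"{rel_path}: {reason}")
```

Run against a real library, an empty result means only the owning account can change what gets executed from it.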
In personal computing, where sharing is normally the greatest, users should be instructed to accept programs only from known, expected, and authorized sources. Programs from public, unknown, or untrusted sources should never be shared. When running programs from untrusted sources, users should be instructed to use such precautions as running the program only in a closed and isolated environment and executing the software without giving any "write" privileges to the source. For example, a suspect program could be run in a test system or in a stand-alone personal computer with "write-protect" tabs on the diskettes.
Finally, companies should monitor their systems and applications for unusual behavior or unexpected results. Usually such results are caused by errors, but since they may be indications of a virus or other disorderly program, the system should be shut down until the cause can be identified and eliminated.
Because the appearance of viruses in business systems will be rare but still pose a threat to the continued health of the business, the issue should be addressed in the business continuity plan.
Special knowledge or skills may be required to identify and eliminate viruses. Firms can develop these skills internally. Or, since most organizations may never need to use these skills, companies may want to rely on outside help if a virus does appear, instead of investing in training for in-house personnel.
If you live in a big city, there is always some small risk that you will be hit by a penny dropped from a skyscraper by a small boy motivated only by the excitement. In New York, you might even be hit by part of a building facade.
But the sky is not falling. This is a genuine vulnerability, but it is one of many that confront us as we depend more and more on computers in a complex society. There has been measurable damage done. There is potential for much more. Management must be prepared. We may have to limit sharing. We may have to change our style of use. But it is not yet time to give up the use of the biggest productivity tool since the plow.