Printer Friendly

Conquering computer viruses.

Conquering Computer Viruses

ON NOVEMBER 3, 1988, AN ugly aspect of computerization was exposed to the world by a student's almost innocent act. A graduate of Cornell University launched a malicious computer program into a major national computer network. The virus attacked 6,000 computers that were linked to the network. Because the event was picturesque--in its resemblance to a natural viral attack on a human body--the media covered it prominently.

This time the damage was not too heavy. Only $100 million worth of damage occurred, and that was spread over many sites. The program didn't contain a destructive warhead; it was more of a disturbing entity that sent a message to those it touched. Next time the damage might be worse.

Few persons, if any, would argue that this computer virus attack was an isolated incident. Rather, the attack was a vivid demonstration of computer abuse. Computer viruses are a natural, negative aspect of the information revolution. They are a permanent, threatening shadow.

The prospect of controlling computer systems with powerful, private programs tempts many outstanding young computer experts to demonstrate their competence. The prospect of control also attracts the attention of others. Among those others are dangerous persons with dangerous plans: sabotage, anarchy, and pure madness.

The next time bomb is being prepared right now. The countdown has started, and the next disaster is on its way. If you listen carefully, you might hear the bomb ticking in your own office.

Professionals coping with the negative aspects of automation now have a rare opportunity to observe whether this "free of charge" lesson (at least to those not exposed to the computer virus) is being learned by the people in command: top management. What really took place in corporate headquarters, government agencies, or financial institutions after the dust of the sensational media coverage settled and life returned to normal? Is anyone in charge evaluating the risks hinted at so powerfully by the virus? More important, if managers are concerned, are they translating their fears into actual protective steps to meet future disasters?

The answer to these questions, in most cases, is no. This national omission, not the virus threat itself, is the real time bomb.

It is hard to be anything but pessimistic when evaluating what is being done about computer security. Experience suggests that more than one catastrophe of the size and nature of the last episode will be needed to stir attitude changes at the decision-making level.

If companies are to shift from lip service to action backed by appropriate funding, they are, unfortunately, going to need a real disaster. They will close the barn door only after the horse has fled.

Why is computer security not currently the focus of managers' attention? Psychologically, their motivation might be similar to that of the man who lost his wallet in a dark corner and went to look for it under a bright street lamp, far from where he lost the wallet. When asked why he was searching there, he pointed out that he could see much better with the bright light.

Managers tend to smile when they hear this story with its twisted logic. However, many of them act exactly like the man under the lamp. They do what is convenient and what they know best, not necessarily what they should do under the actual circumstances.

Most people, including managers, learn the bright side of computers first. Not much time is left for learning about the dark side. With the right education in and understanding of what is really at stake, perhaps companies will give computer security the attention it deserves--before a terrible incident happens to them.

However, changes occur so fast in the computer world that it is all managers can do to keep up with the innovations. It is not likely that managers will find time to study the protection issues in depth.

Part of the computer security problem is a lack of time, but another aspect is that security, accounting, and insurance solutions are lagging behind innovations in computer storage media and communications. A security gap is barely plugged before a new wave of hardware and software swells onto the market.

The time and technology factors make professional expertise almost indispensable in fighting computer crime. However, the main solution is still to convince people at the decision-making level to acknowledge computer security risks and listen to possible solutions.

In the short time senior managers will probably spend studying the immediate crisis that got their attention, the following points need to be driven home to them:

* Computer systems are vulnerable.

* Should a virus or other computer attack occur, the damage to the company could be the same magnitude as the benefits computers offer.

* Companies depend vitally on computer systems. Sharing computer resources with the outside world makes a company even more vulnerable.

* Dealing with computer risk is a direct responsibility of a company executive. He or she must create conditions that secure the future of the business.

* It is crucial to protect sensitive-information systems and secure their operation under such pressures as intentional attacks, negligence, and accidents. Top managers must develop policies, priorities, regular plans, and contingency plans. They must also allocate resources and assign supervision.

The information revolution has its drawbacks. In the wrong hands, the power of computers linked in networks can be devastating. Recent incidents prove such abuse is feasible. The combination of a regular criminal mind with the solutions of a computer genius can result in major disasters. The best that managers can hope for is a defend-and-retreat battle to minimize damage--not a quick victory.

The role of information security professionals is to hammer on the issues until they become a concern of top management. Those in command must know that the dark side of automation is a Siamese twin of the bright side.

Translating management awareness into programs is the only way to defuse the time bomb and stop--or at least slow down--the next computer incident. And the odds of risk ensure that that incident is coming now, full speed ahead.

Shlomo Yovel is senior consultant and chief executive officer of Sophisticated Security Consultants in Phoenix, AZ. He served for 23 years in the Israeli Defense Force in intelligence, counterintelligence, and computer assignments. He is a member of ASIS.
COPYRIGHT 1989 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1989 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Author:Yovel, Shlomo
Publication:Security Management
Date:Feb 1, 1989
Previous Article:SPI versus spy.
Next Article:Why classify?

Related Articles
The computer flu blues.
Keeping the contagion at bay.
Don't catch the bug.
An immune system for computer viruses.
Health care for computers: protect your computer and your business from viruses.
Facts and fables about computer viruses.
Computer viruses.
Beyond Virtual Vaccinations.

Terms of use | Copyright © 2016 Farlex, Inc. | Feedback | For webmasters