
Keeping the contagion at bay.


EXECUTIVES AND MANAGERS across the country are becoming increasingly aware of a plague threatening the lifeblood of their corporations - information contamination. If the sixties and seventies were the beginning of the computer era, the eighties and nineties might be termed the information revolution. Businesses worldwide are using and managing information as a viable corporate asset. In fact, information is often called the heart of an organization, as it pumps blood into corporate planning, decision making, product design, and marketing methods and is incorporated into measurements of performance and profitability.

However, just as cholesterol threatens the healthy heart, outbreaks of computer viruses can incapacitate modern corporations. The information age has certainly paved the way to opportunity for computer programmers and data processing managers. Recent outbreaks of computer viruses have some executives crying for help from data and computer security experts. An increasing number of recent computer virus cases illustrates the threat posed by high-tech bandits.

"Mysterious `virus' hits computers nationwide" was the headline of one article. In what was being called the most serious computer virus outbreak in history, Robert Morris, Jr., a 23-year-old computer science student, infiltrated and ultimately jammed an estimated 6,000 computers at universities and military laboratories.(1) Although this particular virus did not destroy any information, it did manage to use vast amounts of computer storage space in the infected InterNet system. Consequently, computer operations were showed and managers were forced to shut down computers and erase unwanted programs. The cost of battling the virus was estimated to be in the millions of dollars.(2)

Stevan Milunovich, director of information systems at Stanford Research Center International (SRI), described how this particular virus affected his company: "I thought this is the catastrophe we've all been anticipating, and it's finally come." Symptoms of the disease soon became apparent. "We had a very sluggish system response; some systems were virtually unusable."(3) According to Milunovich, SRI had to disconnect some 80 computer systems, remove the virus program, and bring the systems back on-line. He added, "An incident like this will make us all a lot more security conscious."(4)

In another incident, an electronic virus sabotaged computer systems in several US government agencies including the Environmental Protection Agency, the National Aeronautics and Space Administration, the National Oceanic and Atmospheric Administration, and the US Sentencing Commission. However, this time the virus destroyed sensitive information files stored on personal computers at these agencies. Additionally, many private computer consultants have warned users of various government computer networks, including those with national security functions, to be on the alert for such computer virus attacks.(5)

Although publicity about the computer virus threat is on the rise, many managers have yet to take the computer break-in problem seriously. These managers believe such a catastrophe cannot or will not happen to their systems. Many experts put the blame for poor computer security on top-level management. Often security is a low priority. As such, it is not allocated enough personnel and financial resources to focus on prevention.

Unfortunately, some companies take a reactive rather than proactive approach to computer security. They don't believe a computer virus can infect their systems until it's too late. According to Fred Cohen, a computer engineering professor at the University of Cincinnati, this ignorant attitude may have contributed to the damage of the Morris computer virus. "For at least five years," Cohen says, "they [university and military research networks] had been alerted to the possibility of viruses. They were told it's inevitable. But they ignored the warning."(6) Cohen estimates that during 1988 more than 100,000 computers were infected.

So what exactly is this disease known as a computer virus? In their simplest form, viruses are programs that infiltrate a computer system. They can send a harmless message or destroy information. On entering a computer, they proceed to take over the computer's operations and give their own instructions.(7) By definition, viruses are designed to lie dormant and remain undetected until a particular program is run a particular number of times or a certain period elapses.

Viruses are usually first created by a computer programmer or hacker as a tiny bit of computer code. They can be programmed into the computer by direct penetration. This type of attack is initiated within the perimeter of the target facility. However, with the increased sophistication of computer technology, viruses can be transmitted electronically to a computer system via modem hookup from any external telephone location.

The most dangerous characteristic of a computer virus is its contagious nature. A virus can multiply by geometric progression in a multiuser computer. A particular piece of infected programmed logic can replicate and attach itself to other programs, data files, utility programs, operating systems, and shared resources of the computer system.(8) Each time an infected program is run, it searches for other programs to infect. Therefore, pirated or shared software can actually carry the virus into other computer systems and ultimately other corporate facilities.

Often, the most sensitive corporate information is processed and stored on large mainframe computer systems. Therefore, the threat of a virus migrating to a mainframe computer from minicomputers or microcomputers presents an even more significant problem for corporate managers. In fact, a virus can spread exponentially and infect an entire network of 3,000 computers in less than two weeks.(9) Last December, a virus-like program infiltrated IBM's 145-country electronic mail network, forcing the entire system to be shut down.(10)

A computer virus can present problems even after it has been detected in a system or network. One hidden infected file that remains undetected can quickly multiply and infect other files. Consequently, computer experts must vaccinate all elements of a contaminated system or they run the risk of having the virus begin again.

Once the infected corporation has successfully counterattacked its deadly disease, does it have any recourse against the perpetrator? Unfortunately, computer intruders are difficult to prosecute because effective legislation has yet to be enacted. A case in point is the Robert Morris incident. Prosecutors are still trying to determine whether Morris violated a 1986 law. The law, Title 18 United States Code Section 1030, Computer Fraud and Abuse Act, is perhaps the best law on the books at the present time. However, it has more than its share of loopholes. The Computer Fraud and Abuse Act, which applies only to government computers, makes it a crime to intentionally gain unauthorized access to a computer and affect its operation so that it cannot function normally. Modifying, destroying, or disclosing information gained from an unauthorized entry into a computer is also illegal.(11)

In the Morris case, authorities believe that although the virus prevented computer users from performing their normal work, it did not destroy or damage any files. As one can certainly imagine, investigating such an incident is extremely difficult, especially when so many computers from many diverse locations throughout the country are affected. Additionally, legal precedent concerning computer virus crime is virtually nonexistent.

One case that was successfully prosecuted involved a former computer programmer, Donald Burleson, who planted a computer time bomb that ultimately destroyed 168,000 payroll records in two Fort Worth, TX, companies. Burleson set the time bomb to activate on September 21, 1985, two days after he was fired from his job as programmer.(12) Burleson was convicted of harmful access to a computer, a third-degree felony in Texas. The crime carries a 10-year sentence and $5,000 fine. However, according to Jay BloomBecker, director of the Los Angeles-based National Center for Computer Crime, the Burleson incident was not a virus case because the unauthorized programming did not replicate itself like a virus. BloomBecker further stated that he did not know of any prosecution or conviction in a case where an alien program reproduced itself and traveled from one computer system to another.(13)

Perhaps the lack of computer crime legislation has evolved from an era when hackers were revered as computer cult heroes. In his book, Hackers: Heroes of the Computer Revolution, Steven Levy claims that computer hackers were the precursors of the computer revolution. He writes, "The Hacker Ethic was an idealist and obsessive standard that led to weird lifestyles, to hilarious clashes with bureaucracies, and even to potential illegalities: in their urge to explore computers, hackers don't necessarily care whose computer is being explored. But their hands-on, antiauthority ethic, along with their technical brilliance, enabled them to triumph."(14)

Corporations and federal bureaucracies are laughing no longer. "Legislation was introduced in the House of Representatives [last] year to make it a federal crime to use interstate commerce to insert unauthorized information into a computer knowing it would cause a loss in the system."(15) The proposed law, the Computer Virus Eradication Act of 1988, would have applied to private as well as government computers. It was not passed. However, Congress did pass the Computer Security Act of 1987. Theoretically, this noncriminal law was designed to improve security of government computers and make introducing any outside virus into such systems more difficult. The act "ties in various technical protection measures with training policies so as to improve the way the government manages its computers."(16)

Since corporations have had difficulties combating computer virus crimes in the legal arena, some are beginning to practice their own preventive medicine. Senator Patrick J. Leahy, (D-VT), sponsor of the 1987 Computer Security Act, recently called for an increased emphasis on corporate computer security. "We can pass laws that make criminal penalties for unauthorized access to computers, but we also need improvements to increase security. It is a sad truth of modern life that laws against burglary will never safeguard a home like good locks."(17)

The complexities of protecting a corporate information system are directly correlated with the increased emphasis of the modern information era on technological sophistication. Consequently, no computer-based information system is 100 percent immune to the ever present threat of computer viruses. However, just as a routine dental examination reduces the risk of tooth decay, an effective computer security program can significantly diminish the threat of an infectious virus.

A successful computer security program encompasses a proactive, two-fold approach that balances physical access controls with internal administrative controls. Outside intruders, hackers, and competitors are hazards. However, disgruntled, egotistical, and financially unstable employees must also be viewed as potential risks to corporate computer systems. Surprisingly, many firms fail to implement even the most elementary security measures to protect information, their most valuable asset. Some of these measures are not sophisticated but rather are based largely on common sense.

Certainly, employee selection and screening is an important variable in the computer security equation. Weeding out potential problems at the outset is much easier than firing employees who have turned sour. Other physical security controls that warrant special attention include controlling access to computer systems - particularly on a need-to-know basis, managing computer passwords effectively, maintaining computer audit trails, monitoring after-hours and weekend computer usage, establishing a visitor control system, and reprimanding employees who violate computer policy and procedures. Perhaps the most fundamental method of identifying potential computer intrusions before they occur is establishing a whistle-blowing system that encourages reports of employee misconduct.

Establishing stringent backup procedures is one method of protecting important information. However, backing up all data is a time-consuming and often expensive task. Therefore, management should establish a backup plan that includes identification of all critical data, programs, and documentation necessary to support operations during a disaster recovery period. Once critical data is identified, it should be backed up on a regular basis and stored at two separate locations, on-site and off-site. Similarly, write-protect tabs should be used on program and backup disks.

These precautionary measures provide universal protection against any number of generic computer security threats including natural disasters, wiretaps, electronic eavesdropping, employee tampering, sneak attacks by outside hackers, and, of course, computer viruses. However, one particular preventive security practice is perhaps most important and unique to the problem of combating computer viruses. The elimination of dirty software that can ultimately infect and spread contagious computer viruses throughout a computer system is essential.

Some security conscious corporations, such as AT&T, have instituted a corporate disciplinary policy that prohibits the downloading of public-domain software.(18) Public electronic bulletin boards, another source of contaminated software, are likewise banned from many corporate computer systems. Testing public domain software or shareware prior to use is another option for companies using these types of software.

The computer security/computer virus relationship is analogous to the cable television/cable television descrambler relationship. That is, the technological advancement that enabled cable television companies to scramble their pay-per-view stations is the same technology that individuals are using to descramble these stations. Similarly, the technology that originally cultivated the computer virus threat is currently being used to develop software vaccine packages that will actually search for and destroy these viruses. Specifically, antiviral programs attempt to stop viruses from entering software and prevent their replication. Eastman Kodak Co., based in Rochester, NY, is one corporation using an antiviral program, Vaccine, to ward off computer viruses. Vaccine was developed by Foundation Ware Inc. and is a multifunctional program that prevents and repairs accidental or malicious attempts to harm the integrity of legitimate programs.(19)

The techniques used in an antiviral program vary from product to product. General characteristics of these programs include text search, signature checks, disk-access lockout, hard-disk lockout, and scanning of executable files for viruses.(20) Security precautions, particularly antiviral programs, have enhanced corporate computer security tremendously. However, corporations cannot afford to be complacent when it comes to protecting information. As the next decade of technology is invented, it will surely bring with it new methods of circumventing its accompanying safeguards for illegitimate purposes.

"The appearance of these subtle new threats (computer viruses) warns us that the Information Age is a crucial step in the evolution of technology - a step that poses its own unique dangers. Human affairs are being thrust into a level of development where a fragile and precious commodity - information - becomes the key resource driving our economy and even our personal welfare. We had better learn to treat this valuable store of knowledge more wisely."(21)

(1) Mark Lewyn and Kathy Rebello, "Computer Alarms Set Since Infection," USA Today, November 7, 1988, p. 1.

(2) Joel Dresang and Leslie Werstein, "Virus Shows Vulnerability of Networks," USA Today, November 7, 1988, p. 1.

(3) Lawrence M. Fisher, "On the Front Lines Battling Electronic Invader," The New York Times, November 5, 1988, p. 7.

(4) Fisher.

(5) "Virus Strikes Federal Computers," National Security Institute's Advisory, October 1988, p. 10.

(6) Dresang and Werstein.

(7) "How Computer Viruses Infect," USA Today, November 7, 1988, p. 1B.

(8) Douglas Campbell, "Computer Contagion," Security Management, October 1988, p. 83.

(9) Dale Boll, "The United States Secret Service and Computer Fraud Investigations," presentation to the American Society for Industrial Security, Boston, MA, September 28, 1988.

(10) K.M. Hafner, "Is Your Computer Secure?" Business Week, August 1, 1988, p. 66.

(11) Jeff Gerth, "Intruders into Computer Systems Still Hard to Prosecute," The New York Times, November 5, 1988, p. 7.

(12) "Programmer Convicted For Planting Virus," National Security Institute's Advisory, November 1988, p. 10.

(13) Gerth.

(14) Steven Levy, Hackers: Heroes of the Computer Revolution, (Anchor Press/Doubleday: New York, 1984) back flap.

(15) Gerth.

(16) Gerth.

(17) Gerth.

(18) Dorothy Pearson, "MIS Managers Launch Counterattack to Stem Rising Virus Epidemic," PC Week, August 29, 1988, p. 23.

(19) Pearson.

(20) Pearson.

(21) William E. Halal, "Computer Viruses: The AIDS of the Information Age," The Futurist, September-October 1988, p. 60.
COPYRIGHT 1989 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1989 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation:computer viruses
Author:Vaiciulis, Mark
Publication:Security Management
Date:Dec 1, 1989