Dangerous Corporate Internet Use
Two Cases
Copyright (C) 09/1997 by Howard Fuhs
Introduction
In this brief article, Howard Fuhs describes two recent cases with both similarities and differences. Howard Fuhs is a practising information security consultant in the Frankfurt area in Germany (as well as a well-known lecturer and author of books and articles about IT security and electronic warfare), and in both of these cases he was called in to deal with an emergency. As you will see, he quickly identified more deep-rooted problems in the companies in question.
Caught in the Web
With the increasing expansion of the World Wide Web it is getting easier to download material that constitutes a danger to corporations and the contents of their information systems. For instance, it has lately become possible to download comprehensive virus collections containing several thousand viruses. Two cases, which took place within a time span of only two weeks, serve to illustrate the practical consequences of this where
- no policies controlling corporate access to the Internet exist
- no policies guiding the use of the corporate network exist
- the users have not been trained in and informed about computer security measures
- no or insufficient back-up procedures exist, and
- access rights are administered too lightly or not at all.
Case Study no. 1
An employee passed the time by downloading a collection of computer viruses from the Internet, as well as some Virus Construction Kits, to his company computer. This employee did not actually conduct experiments with the computer viruses as such, but rather with a number of tools designed to produce and distribute viruses. These tests were conducted on a computer connected to the corporate network that
- was used to conduct the necessary daily computational work in the company
- was used to store important corporate data
- was not properly backed up
- was not in any way protected (no AV software, no resident protection, etc).
The damage caused by the destruction of important data could not subsequently be properly assessed because no-one was able to tell which information was supposed to be stored on the machine in question in the first place.
However, restoring the data which were known to have been on that machine and consequently lost took over two weeks.
According to a statement he made in connection with the clean-up operation, the employee did not feel guilty in any way, and he was shocked to see the effects of his urge to experiment. He had never even heard of Trojans.
Case Study no. 2
An employee downloaded a collection of viruses from the Internet and stored it on his corporate computer. He sorted the viruses according to virus scanner data and in this manner built a collection of over 3000 different viruses. As rumours about his 'hobby' spread through the corporation, work colleagues began to ask him for access to the virus collection. To facilitate this, the employee installed the collection on the company network server. To avoid detection of the viruses by the daily virus scan, they were packed into archives; none of the scanners in use were able, or configured, to scan inside archives. This 'Virus Exchange Market' on the corporate server was further expanded and tended to, and over a period of four months the circle of users grew to over 35 employees.
After a while it became conspicuous that the company was suffering an increasing number of computer virus infections, despite the fact that further protective measures had been introduced in the company. The anti-virus security measures included:
- Installation of three different anti-virus products on the server and the workstations
- Installation of TSR programs on the workstations
- Diskette drives that were not absolutely necessary were locked
- Introduction of three 'sheep-dip' computers containing three anti-virus scanners through which all incoming diskettes must be examined and approved.
- Introduction of automatic scan of workstations when these logged onto the network.
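Every one of the measures above checks files as they arrive or as they sit on disk, yet none of the scanners in this case opened archives, so the packed collection sat untouched on the server. The Python script below is an added example, not code from the original article or from any product mentioned in it. It contrasts a naive scanner that only inspects each file's raw bytes with an archive-aware one that applies the same check to every archive member, recursing into nested archives with a depth limit and a cap on the declared uncompressed size of each member. The signature marker, the file names and the in-memory 'share' are all constructed for the demonstration; a real scanner would substitute its own signature database.

```python
import io
import zipfile

# Constructed detection marker for this demonstration only. Any file whose
# bytes contain it is treated as a "known sample". It is not a real malware
# signature; a real scanner substitutes its own signature database here.
SIGNATURES = [b"CONSTRUCTED-DEMO-SIGNATURE-0001"]

MAX_DEPTH = 4                        # stop recursing into archives nested deeper than this
MAX_MEMBER_BYTES = 8 * 1024 * 1024   # refuse to inflate members larger than this (zip-bomb guard)


def matches_signature(data: bytes) -> bool:
    """Plain byte-pattern check applied to one file's contents."""
    return any(sig in data for sig in SIGNATURES)


def scan_flat(files: dict) -> list:
    """Naive scanner: checks each file's raw bytes only. A sample inside a
    compressed archive is missed, because the deflated stream does not
    contain the plaintext signature."""
    return [name for name, data in files.items() if matches_signature(data)]


def scan_archive_aware(files: dict, depth: int = 0) -> list:
    """Archive-aware scanner: applies the same check to every archive member,
    recursing into nested archives up to MAX_DEPTH. Findings are reported as
    outer::inner paths so each one can be traced back to its container."""
    hits = []
    for name, data in files.items():
        if matches_signature(data):
            hits.append(name)
        if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
            members = {}
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member = f"{name}::{info.filename}"
                    if info.file_size > MAX_MEMBER_BYTES:
                        # Declared uncompressed size is too large to inflate safely;
                        # report the member instead of expanding it.
                        hits.append(member + " (not inflated: oversized member)")
                        continue
                    members[member] = zf.read(info)
            hits.extend(scan_archive_aware(members, depth + 1))
    return hits


def build_sample_share() -> dict:
    """Constructed in-memory stand-in for a file share: one plain sample, one
    sample hidden two archive levels deep, and one harmless document."""
    # Repetitive padding guarantees the member is really deflated rather than stored.
    sample = b"A" * 256 + SIGNATURES[0] + b"\n"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("collection/sample_a.com", sample)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("inner.zip", inner.getvalue())
        zf.writestr("readme.txt", b"nothing to see here\n")
    return {
        "share/plain_sample.com": sample,
        "share/archive.zip": outer.getvalue(),
        "share/report.txt": b"quarterly figures\n",
    }


if __name__ == "__main__":
    share = build_sample_share()
    print("flat scan:         ", scan_flat(share))
    print("archive-aware scan:", scan_archive_aware(share))
```

Run stand-alone, the flat scan reports only the plain sample, while the archive-aware scan also reports the member inside the nested archive. The depth limit and the per-member size cap are the two guards a practitioner adds before pointing such a scan at a shared drive, since an archive that expands without bound is itself a denial-of-service risk to the scanner.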
Finally, a computer security professional discovered the virus collection on the server more or less by accident, because the collection had grown to over 4000 sub-directories, each named after the virus stored inside.
In this case too it was difficult for the corporation to add up all the costs. No data were known to have been lost. The time it took to install software and handle the acute virus infections added up to several thousand man-hours.
The employee who had started the virus collection protested that no rules in the organisation had indicated that his activities were illegal, or even unwanted or dangerous. In his view, therefore, he had done nothing wrong.
In connection with the unravelling of this case, employees' access to the Internet was seriously curtailed. The same applied to write access to the network server: access rights were critically reviewed and revised.
Conclusion
Proper information security awareness training programs for employees could easily and inexpensively have prevented both cases.