Dangerous Corporate Internet Use
Two Cases
Copyright (C) 09/1997 by Howard Fuhs
Two cases, which took place within a time span of only two weeks, serve to illustrate the practical consequences of this in cases where
- no policies controlling corporate access to the Internet exist
- no policies guiding the use of the corporate network exist
- the users have not been trained in and informed about computer security measures
- no or insufficient back-up procedures exist, and
- access rights are administered too lightly or not at all.
These tests were conducted on a computer which was connected to the corporate network and which
- was used to conduct the necessary daily computational work in the company
- was used to store important corporate data
- was not properly backed up
- was not in any way protected (no AV software, no resident protection, etc).
The damage caused by the destruction of important data could not subsequently be properly assessed because no-one was able to tell which information was supposed to be stored on the machine in question in the first place.
However, restoring the data which were known to have been on that machine and consequently lost took over two weeks.
According to a statement he made in connection with the clean-up operation, the employee did not feel guilty in any way, and he was shocked to see the effects of his research urge. He had never even heard about Trojans.
As rumours about his 'hobby' spread through the corporation, work colleagues began to ask him for access to the virus collection. To facilitate this, the employee installed the collection on the company network server. To avoid detection of the viruses by the daily virus scan, they were packed into archives. None of the scanners in use were able, or configured, to scan inside archives. This 'Virus Exchange Market' on the corporate server was further expanded and tended, and over a period of four months the circle of users increased to over 35 employees.
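The scanning gap described above can be reproduced with a short added example (not part of the original article): a flat scan that matches raw file bytes is compared with a scan that recognises ZIP containers by content and unpacks them recursively. The signature, file names, limits and the `!` path separator are constructed assumptions, and only the ZIP format is handled.

```python
import io
import zipfile

SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0001"  # constructed marker, not a real pattern
MAX_DEPTH = 3                # nesting levels unpacked before giving up
MAX_MEMBER_BYTES = 8 << 20   # members declaring more than 8 MiB are not unpacked

def flat_scan(files):
    """Match raw file bytes only, like a scanner that does not open archives."""
    return sorted(name for name, data in files.items() if SIGNATURE in data)

def deep_scan(files):
    """Match raw bytes and recurse into ZIP containers; returns (hits, unscanned)."""
    hits, unscanned = [], []

    def walk(path, data, depth):
        if SIGNATURE in data:
            hits.append(path)
        if not zipfile.is_zipfile(io.BytesIO(data)):  # by content, not by extension
            return
        if depth >= MAX_DEPTH:
            unscanned.append(path)  # report instead of silently passing
            return
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{path}!{info.filename}"
                if info.is_dir():
                    continue
                if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER_BYTES:
                    unscanned.append(member)  # encrypted or oversized
                    continue
                walk(member, zf.read(info), depth + 1)

    for name, data in files.items():
        walk(name, data, 0)
    return sorted(hits), sorted(unscanned)

def make_zip(members):
    """Build a deflate-compressed ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample share: path -> file content
SHARE = {
    "docs/report.txt": b"quarterly figures",
    "tools/loose.com": SIGNATURE,
    "collection/a/pack.dat": make_zip({"nested.zip": make_zip({"sample.com": SIGNATURE * 4})}),
}
```

Anything returned in the second list (nesting beyond the limit, encrypted or oversized members) was not inspected and should be reviewed by hand rather than treated as clean.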
It became conspicuous after a while that the company suffered an increasing number of problems with computer virus infestations despite the fact that further protective measures had been introduced in the company. The anti-virus security measures included:
- Installation of three different anti-virus products on the server and the workstations
- Installation of TSR programs on the workstations
- Diskette drives, which were not absolutely necessary, were locked
- Introduction of three 'sheep-dip' computers containing three anti-virus scanners through which all incoming diskettes had to be examined and approved
- Introduction of an automatic scan of workstations when these logged onto the network
Finally, a computer security professional discovered the virus collection on the server more or less incidentally because the collection had grown to over 4000 sub-directories, each carrying the names of the viruses stored inside.
Also in this case it was difficult for the corporation to add up all the costs. No data were known to be lost. The time it took to install software and handle the acute cases of virus infections added up to several thousand man-hours.
The employee who had started the virus collection protested that no rules in the organisation had indicated that his activities were illegal or even unwanted or dangerous. Thus, he had done nothing wrong.
In connection with the unravelling of this case, employees' access to the Internet was seriously curtailed. The same was the case with regard to write access to the network server. Access was critically reviewed and revised.