Picking at a Virus-Ridden Corpse: <br>Lessons from a Post-Blaster, Post-Welchia, Post-Nachi, Post Mortem

J'e St Sauver, director of user services and network applications at the University of Oregon Computing Center, has just gone through what everyone else has: the epidemic of viruses and worms that rained down on campus networks over the last several months.

As our guest editorialist this week, J'e has some strong opinions on why some people got hit so hard and others didn’t. He also has some good lessons-learned. Oh, J'e also wanted me to point out that his perspectives here do not reflect difficulties or conditions at either his institution or any one particular institution. They are "a synthesized view that reflects the collective higher education experience."

—Terry Calhoun, IT Trends Commentator, Society for College and University Planning (SCUP), University of Michigan.
------------------------------------------------

Sick of the Blaster/Lovsan, Welchia, Nachi experience? I know I am.

Let's do a brief post mortem and see what good we can glean from the latest virus follies.

1. It's Windows PCs (again)
D'es your campus rely on PCs running a current version of Microsoft Windows? If so, I suspect you were hit hard. Campuses that use Macs (or Unix/Linux workstations, or a mixture of different types of systems) experienced fewer direct problems, although even the most innocent shouldered part of the collective burden.

Do we never learn? Just as these viruses targeted PCs running Microsoft Windows, so have virtually all the previous ones. Time after time, infestation after infestation, the viruses and the worms have come for the PCs running Microsoft Windows, and time after time, the PCs running Microsoft Windows have fallen.

Given that pattern, what is surprising (at least to me), is that few universities seem to notice this pattern, and even fewer of them "vote with their purchase orders" in favor of more secure/less commonly attacked systems.

D'es this mean that I would like all sales of Windows PCs to cease? No. What I do want is a healthy level of operating system diversity, because in computing (as in agriculture or a stock portfolio) diversity is key to managing risk and building resilience.

2. That Perimeter Fence Sure Looked Good

Institutional firewalls are a staple security recommendation on every IT auditor's checklist. Unfortunately, the recent viruses have illustrated just how ineffectual they can be. Failure modes were numerous at many sites and for many reasons, including:

  • A firewall was present, but consensus was never reached in the trenches (or at managerial levels) on the tough rule sets that would have made a real difference.
  • Infested dialup users connected on the internal ("secure") side of the institutional firewall (oops!)
  • Laptops went home, got contaminated, and then came back to work—shiny black and silver coughing sources of network contagion.
  • VPNs tunneled right past firewall filters. VPNs which were intentionally present, and VPNs which were intentionally unfiltered, so as to appease "those who could not be refused."

So for those who may need a reality check, let me be blunt: the "intranet" is dead. The inside of your institutional firewall is just like the outside of your institutional firewall: it is all ablaze.

You (and your personal desktop workstation) may be an "intranet," everyone else, including your well-meaning but somewhat distracted and forgetful (now infested) colleague in the office down the corridor, is part of that gigantic germ-infested, petting zoo we call the global Internet.

At one point hardware firewalls were expensive and complicated: only an institution could afford one, and only a geek could run one.

Those days are over: perfectly serviceable, personal hardware firewalls
are available now as commodity items for fifty bucks or less. They are not perfect, but they're a heck of a lot better than nothing.

Admittedly, personal firewalls are contrary to the philosophical ideal of Internet transparency and may choke end-to-end Internet performance, but let's get real: most users really don't care as long as they can handle email, browse the Web at some reasonable speed, and accomplish other mundane tasks without getting hit by a virus.

If a particular user suddenly changes circumstances and needs to do something exotic, a personal hardware firewall is not a tattoo: remove it and throw it away.

Oh, yes: if you think you can get away using just some software firewall product, be sure to look at yearly update subscription costs, and you might also want to talk with some of the folks who got infested during the interval of time after their system had begun to boot, but before Windows got their software firewall service launched.

If you're on a PC running Windows, you need a personal hardware firewall.

3. The Quality of Network Documentation; Out of Band Access to Your Users
The recent virus infestations were also a good opportunity to review your network's documentation. Did you have an out-of-band way to get in touch with people you had to take "off the air?" Could you physically locate a given jack that was emitting unacceptable traffic? Was the point of contact information for that jack current? Most sites could use a little housekeeping attention on their internal network documentation.

4. Network Monitoring
If your network backbone isn't instrumented in a way that will let you detect attacks and compromised systems, maybe it's time to rethink that. You can't run a network blind. Well, you can, but those who do were among those who suffered the most. Here are a couple of links to sites that can help you learn more about network intrusion detection:

http://www.snort.org target
http://www.icir.org/vern/bro.html

We’ll hear more from J'e next week, including: how everyone’s a system admin, but few do it well; how no one *really* takes security seriously . . . yet; why we have to bite the bullet and license antiviral software for students, too; and more.

Note: I guess it was the "worst of times," because I attributed the Charles Dickens; quote in last week’s Opinion to Ernest Hemingway. Mea culpa. Be assured that I do know the difference, having read nearly everything either of them ever wrote, but I have had Hemingway on my mind a lot lately, and my fingers just typed the wrong name in.

Featured