Expert advice: How to cost-effectively battle viruses

The best way to battle viruses is still by using up-to-date antivirus programs and definitions from the major antivirus vendors. Depending on your risk and budget, a multi-layered approach covering desktops, servers and gateways in that order is best. Ideally, use a mix of products from different vendors, so that a flaw or missing signature in one product is covered by another. Obviously that adds to the cost and complexity of the solution, so that approach may not be feasible for everyone. There are a few "free" antivirus programs out there, but they are mostly for non-commercial use only.

There are frequent questions in the Snort-users mailing list about using Snort to detect viruses and worms. Using Snort for this purpose is not ideal, since by the time any IDS (intrusion-detection system) detects the infection it's already too late. In some environments (notably education) this may be your only option. Join the Snort-users and Snort-sigs lists, and read the archives for more information.

As far as prevention goes, again you need a layered approach that begins with policies and user education, and encompasses antivirus software, strict firewall rules and hardening all your hosts as much as possible. One particular challenge is the laptop user who plugs into an unprotected broadband at home, gets infected, then brings the infection back inside the firewall on Monday morning. You need to have an e-mail policy and make sure all users are educated about these dangers.

You may need to consider strict workstation policies, such as not allowing the local user to have administrative rights, and install software and so-called personal firewalls for laptops or even all users. Firewall rules and device hardening reduce the avenues by which worms may spread, as well as improving overall security. Vulnerabilities in software that is not installed are not a threat to your organization.

IPSes (intrusion-prevention systems) are another possible layer. These take the form of a gateway (like a firewall) or transparent bridge in the network, or as agent software on each host. IPSes aim to actively prevent activity perceived as malicious. It turns out that all malicious code tries to do is a relatively small number of things, so the idea is to prevent those things from happening, rather than reactively build giant signature or definition lists of known malicious code. The problem is that it's often difficult to distinguish between benign and malicious activity, and an IPS can actively break your network, host or application if you are not very careful (and maybe a little lucky). They are improving rapidly, so they may be worth a look.

Network segmentation or compartmentalization is another possible containment strategy. See Marcus Ranum's The Big Red Button from the February 2004 issue of Information Security magazine for a discussion.

Finally, to sell the idea to management you have to have the numbers, and you have to have management that is aware of infosec issues and risks. The latter is improving as more infosec issues hit the mainstream press and as various legislation with serious impact on corporations and/or senior management (notably Sarbanes-Oxley, the Gramm-Leach-Bliley Act, California's SB 1386 and HIPAA). "The numbers" are different for every organization and environment, but the idea is to show the costs of the last infection, predict the cost of the next one and then show that an once of prevention is better than a pound of cure. The various products above are capital expenses, but there are other things you can do such as education, device hardening, tightening up the firewall rules and possibly network segmentation which only require your time and effort. In the end it all comes down to risk. Can you afford to take the time to do this? Can you afford not to?

Security Tip: Keys to an effective virus incident-response team

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Threat Monitor How to stop malware in a 'Flash' How to detect system management mode (SMM) rootkits Windows registry forensics: Investigating system-wide settings Weaponizing Kaminsky's DNS discovery Debian: A niche OS with a not-so-niche security flaw Web advertising exploits: Protecting Web browsers and servers Ransomware: How to deal with advanced encryption algorithms Hidden endpoints: Mitigating the threat of non-traditional network devices Protecting exposed servers from Google hacks (and Google 'dorks') Countermeasures against targeted attacks in the enterprise Viruses, Worms and Other Malware Microsoft learns of successful RPC worm infections How to ensure the validity of Microsoft Windows updates Antimalware effectiveness put to the test Phishing, malware laden USB sticks stoke holiday attacks New worm attacks Windows smartphones McColo shutdown won't stop spam, malware, warn security experts Web-borne malware targets unexpected industries The value of application whitelists New blacklists: Highly predictive or hardly worth it? New malware exploits Microsoft RPC flaw RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) directory traversal  (SearchSecurity.com) Kraken  (SearchSecurity.com) man in the browser  (SearchSecurity.com) Mytob  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) RavMonE virus  (SearchSecurity.com) RFID virus  (SearchSecurity.com) Rock Phish  (SearchSecurity.com) Zotob  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.