NEW STRATEGIES FOR VIRUS PROTECTION
By Charles Rutstein, Research Director, Forrester Research

25_06_02

The first computer virus was seen in the wild about 15 years ago, and boy,
have things changed. Newer, more virulent code will require firms to
develop a layered antivirus model and hunt down virus breeding grounds
lurking in the infrastructure.

Today the virus problem is getting worse, not better; there's little
differentiation in antivirus products; and desktop antivirus software just
isn't enough.

The likelihood of virus infection rose 13 percent in 2001. Worse yet,
viruses are spreading faster than ever: In a matter of days, the Code Red
virus infected 28 percent of companies worldwide, while Nimda infected 68
percent of companies. The attribute users care most about when buying
antivirus software -- catching viruses -- is basically a dead heat among
the top ISVs. Within a few hours of a new virus appearing in the wild,
firms like Symantec and Network Associates all ship updates to their
products. And while about 98 percent of all corporate desktop systems run
antivirus software, the protection the software provides isn't sufficient
on its own. Further measures, like scanning email attachments at the
gateway, are used by only about 50 percent of firms.

The fight against viruses can be likened to an arms race -- as soon as
virus authors create a new means of hiding or propagating their creations,
antivirus vendors counter it with new code. Today's viruses attack security
vulnerabilities, target embedded software, and present a blended threat.

In the past, virus authors didn't pay much attention to the system
vulnerabilities found by their hacker cousins. But the latest crop of
viruses is different -- strains like Klez.h attack security vulnerabilities
in Internet Explorer, allowing them to spread far more quickly than ever
before. Increasingly, software products as diverse as voicemail gateways
and directory servers use the same underlying code for functions like Web
serving. And products like SQL Server underlie many of Microsoft's most
popular back-office apps. But few users think about the likelihood of these
systems becoming infected, and few of these systems run antivirus software
-- providing a perfect breeding ground for viruses. And originally, viruses
spread slowly via infected floppy disks. But today's most prevalent viruses
don't limit themselves to a single vector of attack -- it's not uncommon to
see viruses that can attack on multiple fronts, like email blasts,
file-share worming, and code execution in a Web browser.

In the face of new threats, Global 3,500 firms must increase their
vigilance on the antivirus front. They must erect multiple barriers, update
software religiously, and root out hidden servers.

Forrester believes that firms must create a layered infrastructure for
virus defense -- including antivirus software at the desktop, the email
servers and Internet gateways. Why so much overlap? Because of the myriad
ways that viruses propagate -- for example, many of the Code Red infections
came into firms via infected notebook computers, even after the externally
facing servers were patched. IT shops tend to fall into one of two
categories: those who update their software very frequently and those who
never do. What's the right frequency? About once a month -- the greatest
threat comes from viruses that are either more than a month old or less
than a day old. So moving from monthly to daily updates only gives a 5
percent to 10 percent advantage. Finally, almost every piece of IT gear now
ships with a Web interface -- with a Web server underneath it. Many of
these are running common Web servers, such as IIS, making them vulnerable
to infection. Smart firms will figure out which gear is running which
embedded code and contact gear manufacturers to ensure that they're
up-to-date on security patches.