When you are brought onto a security project, spotting the weak points in your clients’ networks is often only half the battle. Convincing them to take preventive measures is likely a hard sell because many companies don’t see security as a mission-critical expenditure.

The same can be true with consulting firms themselves. When things are running smoothly, many firms don’t see the wisdom in investing the time, effort, and resources to keep on top of the plethora of patches and updates necessary to protect their network. Of course, the adage “pay now or pay later” truly applies in this case: You can either make the investment today or deal with the consequences when the next Nimda hits.

Although all the prevention in the world won’t guarantee against a virus infection, putting safeguards in place will go a long way to reduce the risk and minimize the impact of a possible infection. Consider the following points if you are involved in planning your firm’s security strategy or use them to help guide a client toward a stronger security plan.

Obviously, the most effective way of dealing with any virus threat is to prevent it from entering your systems in the first place. Antivirus software is only one layer of a multilayer defense strategy; many other layers within your infrastructure need to be fortified in order to build a truly effective defense against viruses.

1. Access points
First, identify all of your organization’s access points, or places where viruses could be introduced. Potential access points include the SMTP gateway, Internet gateway, wireless Internet devices, and the CD-ROM drives and floppy drives on the company’s desktops and laptops.
In a worst-case Severity 1 outbreak, you may need to cut off all externally facing access points to prevent the virus from spreading. If you haven’t identified all access points, shutting off outside access will be difficult.

2. Server vulnerabilities
It’s important for employees to know where all of your company’s servers are. If a problem arises while the regular IT staff is away from the office, damage may be more widespread because others can’t find (or don’t have) the documentation needed to locate the company’s servers. As a result, some servers may never receive critical patches or updates in a time of crisis.
You should also consider your company’s “unknown” servers. With the recent Nimda outbreak, our company was quite surprised at how many Web servers were really in operation. A quick, unobtrusive port scan revealed many additional “servers” that needed attention.

3. Preparedness
Part of preventing viruses is to be prepared for their inevitability and to patch every known hole in your security. Independent security audits, ethical hacking, and diligent application of security patches can help you ready a company for a virus attack, but be aware that these steps can cost a considerable amount of money.
Address weaknesses once they have been fully identified and make sure the company stays on top of all the security bulletins and patches as they are released. I recommend the formation of a permanent security team to deal with the endless barrage of security notices, proper testing of patches, and assistance with the constant implementation of updates.

4. Detection
How can your organization tell when it’s been infected? Obviously, the symptoms will vary significantly depending on the virus. Some common signs include strange e-mail messages sent to many recipients or Web server logs that contain additional, irregular entries. Other signs include corrupted files or errors that appear when starting applications.
Regardless of the symptoms, communication is key to winning the battle. By itself, an incident reported to a help desk may be dismissed as an isolated case and may not garner the attention it deserves. But 10 incidents, all reported in a short period, will definitely get someone’s attention. Without information sharing, it can take considerably longer to treat a virus as a virus, and the longer the delay, the greater the damage.
Criteria need to be established and lines of communication documented in order to promote proper escalation of severity. For simplicity, I recommend having no more than three or four escalation levels, based on proliferation, payload, and likelihood. For example:

  • Level 1: minimal spread (according to news services and security watches), minimal or no damage, obscure vulnerability
  • Level 2: medium infection, minor payload, easily exploitable vulnerability
  • Level 3: significant infection, minimal damage but major annoyance, widely known vulnerability
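
The correlation step described above (ten isolated help-desk reports becoming one recognized outbreak) is the part of detection that can be automated. The following is an added example, not code from the article: it groups constructed help-desk tickets by reported symptom, counts how many fall inside a sliding time window, and maps the result onto the article’s proliferation axis only. The ticket data, the two-hour window, the site names, and the level mapping are all illustrative assumptions; the payload and likelihood axes of the article’s criteria still need an analyst’s judgment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample help-desk tickets (not from the article):
# (timestamp, reporting site, symptom as categorized by the help desk)
TICKETS = [
    ("2001-09-18 08:02", "east", "mass mail sent"),
    ("2001-09-18 08:10", "east", "printer offline"),
    ("2001-09-18 08:15", "east", "mass mail sent"),
    ("2001-09-18 08:31", "east", "mass mail sent"),
    ("2001-09-18 08:44", "east", "mass mail sent"),
    ("2001-09-18 09:02", "east", "corrupted file"),
    ("2001-09-18 09:05", "west", "mass mail sent"),
    ("2001-09-18 09:12", "east", "mass mail sent"),
    ("2001-09-18 09:20", "west", "mass mail sent"),
    ("2001-09-18 09:27", "east", "mass mail sent"),
    ("2001-09-18 09:33", "west", "mass mail sent"),
    ("2001-09-18 09:41", "west", "mass mail sent"),
    ("2001-09-18 09:50", "east", "corrupted file"),
    ("2001-09-18 09:58", "west", "mass mail sent"),
]

WINDOW = timedelta(hours=2)   # assumed "short period"
THRESHOLD = 10                # the article's "10 incidents in a short period"


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def correlate(tickets, window=WINDOW, threshold=THRESHOLD):
    """Return, per symptom, the densest window of reports that meets the threshold.

    Tickets are grouped by symptom, sorted by time, and scanned with a sliding
    window; the window holding the most reports is kept. Symptoms whose best
    window stays below the threshold are treated as isolated cases.
    """
    by_symptom = defaultdict(list)
    for ts, site, symptom in tickets:
        by_symptom[symptom].append((parse(ts), site))

    alerts = {}
    for symptom, events in by_symptom.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if best is None or count > best["count"]:
                best = {
                    "count": count,
                    "sites": sorted({s for _, s in events[start:end + 1]}),
                    "first": events[start][0],
                    "last": events[end][0],
                }
        if best["count"] >= threshold:
            alerts[symptom] = best
    return alerts


def proliferation_level(alert):
    """Illustrative mapping of the proliferation axis to the article's levels.

    No correlated alert -> Level 1 (minimal spread); alert confined to one
    site -> Level 2 (medium); alert seen at several sites -> Level 3
    (significant). This mapping is an assumption for the example; payload and
    likelihood must be assessed separately before a final level is assigned.
    """
    if alert is None:
        return 1
    if len(alert["sites"]) == 1:
        return 2
    return 3


if __name__ == "__main__":
    alerts = correlate(TICKETS)
    for symptom, alert in alerts.items():
        print(f"{symptom}: {alert['count']} reports from {alert['sites']} "
              f"between {alert['first']:%H:%M} and {alert['last']:%H:%M} "
              f"-> proliferation level {proliferation_level(alert)}")
```

Because the east site reports first in the sample, the same data also illustrates the time-zone early warning discussed later in the article: a correlation rule that runs site by site would have flagged the eastern reports before the western ones arrived.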

Informing your clients
As a virus moves up the severity levels, and the number of people affected and the seniority of staff involved increase, the number of clients notified must increase accordingly. By the time a virus reaches Level 3, for example, tough decisions regarding discontinuation of services will need to be made.

For those working in a national or international operation, you should also use the variations in time zones to your advantage whenever possible. Those in the east will often observe signs of a virus ahead of their western counterparts, and as such, can function as early warning indicators.

If your firm is infected, it’s important to gather as much information as possible regarding the virus’s symptoms and cure(s), and then document a comprehensive and consistent approach for eradicating the infection. It’s also critical to develop an effective communications plan with your clients for notifying them of possible infection, apprising them of progress, and informing them when all systems are fully functional. Don’t rely strictly on e-mail for such communications; also give consideration to phone broadcasts and perhaps even postal mail.

What do you recommend for your clients?

As a consultant, what kinds of security measures and procedures do you recommend for your clients? Do you cover some of the elements mentioned here, or do you advise taking additional steps? Post your comments in a discussion below.