May 2002

Special Report

Cyber-Menace

A six-part Information Security Special Report on the growing virus problem--and what to do about it.

BY Andy Briney

One of the great ironies of infosecurity is that almost every organization uses AV, yet viruses and worms continue to wipe us out. When you bring this to the attention of the antivirus vendors, they'll calmly explain that no security tool is 100 percent effective, and that as important as AV scanning is, it's only one part of a larger strategy for combating malcode. Fair enough. But whether there are gaps in the technology or gaps in enterprise strategy or gaps in both, this much is clear: whatever we're doing to fight viruses isn't enough.

In this Information Security Special Report, we expose the root of today's malcode problem, offering insight on why viruses and worms continue to hit us so hard, as well as practical advice for improving your organization's antivirus posture. The report is broken down into six sections, each exploring a critical aspect of the war on malicious code.

How Bad Is It?

The first step in defending against any cybersecurity threat is to determine the severity of a given risk. So the first question we must ask is, "How bad is the virus problem?" In a word: bad. And getting worse.

The Seventh Annual ICSA Labs' Virus Prevalence Survey1, released this spring, shows that companies experience an increasing number of virus incidents year after year, and that the cost of recovering from those incidents continues to rise. The survey group of 300 organizations experienced nearly 1.2 million virus encounters on about 650,000 machines during the 20-month survey period. In the last two months of the 2001 survey, companies averaged 103 virus infections per 1,000 machines per month, up 13 percent from the 2000 survey (see Figure 1).


Given the increase in incidents, it's not surprising that the majority of survey respondents said the virus problem is getting worse (see Figure 2). One-third of companies (32 percent) said the problem was "much worse," while 40 percent said it was "somewhat worse." Only 2 percent said it was better.

On the positive side, the number of virus "disasters"--defined as 25 or more PCs or servers infected at the same time--decreased from 2000 to 2001. In 2001, 28 percent of respondents said they experienced a virus disaster, down from 51 percent in 2000 and 43 percent in 1999. The average server downtime for those experiencing disasters was 14 hours.

That virus disasters are decreasing overall is little consolation for those hit by them. Not surprisingly, Nimda was cited most often by respondents as the source of their most recent disaster, followed by LoveLetter--even though it's been in the wild for more than two years now (see Figure 3).

The effects of viruses on enterprise computing are wide-ranging and numerous (see Figure 5). Nearly three out of four respondents said viruses caused PC downtime and a loss of personnel and machine productivity. More than half said viruses corrupted their files, while a third said they lost data as a result.

What about AV coverage? Nine out of 10 respondents said that they run AV scanning on all corporate desktops, with Network Associates' McAfee Security (http://www.mcafeeb2b.com/) and Symantec (http://www.symantec.com/) as the leading software choices (see Figure 4).



The survey also shows that many companies installed AV scanners on mail servers, proxy servers and firewalls for the first time in 2001. In 2000, almost no one protected these network services. But in 2001, 84 percent of respondents said they protect mail servers with AV, while 45 percent do so on proxy servers and 51 percent on firewalls. In addition, many more corporations are now blocking, filtering or quarantining selected files or objects at gateway servers. Nearly seven out of 10 do so on mail servers, while about 40 percent do so on both proxies and firewalls.

The Menace Is Loose Again

Overall, the ICSA Labs' Virus Prevalence Survey underscores the importance of a multilayered AV defense strategy. The prevalence and cost of virus infections are up, but the frequency of virus disasters is down. Why? One possibility is that the virus problem has become so common that it's now underreported. Another possibility is that many more corporations are supplementing desktop AV scanning with server-based scanning and gateway filtering.

As blended threats such as Nimda become more common, server-based security will become even more important. Companies must not only scan, block and filter at the gateway, but make sure vulnerable Web and application servers have been hardened and patched.

It's unrealistic to expect that we'll ever completely eradicate the threat of computer viruses. But a sound methodology that combines scanning, host hardening, gateway protection and other practical security controls will make malcode a little less menacing.


ANDY BRINEY (abriney@infosecuritymag.com) is editor-in-chief of Information Security.