Single Point of Failure

I arrived at work the other day and went through my e-mail. There was the usual spam, a few messages about stories I was working on, and an e-mail from a colleague with the subject “foto.” I clicked on the e-mail and tried to launch the file attached to it, but couldn’t open it—which isn’t unusual since I use a Mac and I’m not as diligent as I should be about software upgrades. So I sent back a message saying I couldn’t launch the attachment.



She told me she didn’t send the file.

Uh oh.

Turns out it was a computer virus—and a pretty neat one at that.

I know enough (or thought I did) not to open attachments from unknown sources or with suspicious subject lines. But this was from someone I work with, and we both had attended a party where people took pictures with their digital cameras.

Luckily, my company’s e-mail server scans incoming messages and corrupts “zip” attachments, such as the one I received. Zip, a format that squeezes files for fast delivery over the Web, is used by virus writers to deliver malicious payloads.

But then I started thinking: If my information-technology department can save me from myself, why can’t other shops save their employees from making similar mistakes? How was MyDoom, the last big virus, able to embed itself in a reported one of every 12 e-mails and infect millions of machines? What were smart companies doing to stop dumb (or merely groggy) users like me?

Well, I checked around and found, a bit to my surprise, that not every company gets hit with viruses.

First American Credco, which provides one of every three credit reports used by mortgage companies, says it has gone 3 1/2 years without getting hit by a virus. Pitney Bowes, the mail and document processing company, says it has been virtually virus-free for almost as long.

The key to good health, says Benjamin Powell, Credco’s network service manager, is to have many layers of defense. Credco has a Cisco firewall, an Internet Security Systems intrusion detection barrier and a Trend Micro antivirus software package. It also has a contract with computer security company TruSecure, which regularly checks the company’s defenses, provides risk assessments and has an early warning service to alert Credco when new viruses appear.

Powell also says Credco reminds people to avoid downloading attachments unless they’re sure the files are from trusted sources, and to scan PCs for malicious code before hooking up machines to the corporate network.

Teaching users what to do—and what not to do—is perhaps the most important step. “User education is always your last line of defense,” says Marty Lindner, a virus and worm expert at the Computer Emergency Response Team Coordination Center (CERT/CC), a federally funded research and development center that was set up to help prevent computer attacks.

Lindner says companies can have the latest, greatest security software, but if they don’t properly educate users, they’re still vulnerable. Security software, in most instances, can only recognize what it’s told to recognize. Virus authors know this and are constantly coming up with new ways to circumvent recognition—like making messages look like they’re coming from friends or colleagues.

“The bad guys know how to make mail look real,” he says. “We need to educate corporate users, home users, my grandma, [that] reading e-mail is dangerous.”

That’s a sad, but real, point. Pitney Bowes is now initiating a program that will require all of its 13,000 PC users to take an annual refresher on not downloading attachments, not hooking up PCs to the corporate network before they are scanned, and other common-sense instructions.

A company can have all the technology in place, says Mark Ramsey, Pitney Bowes director of data security, but a single act by a careless employee can infect the whole network. “All it takes is one person,” he points out.

One person, just like me.

John McCormick is Executive Editor of Baseline magazine. He can be reached at [email protected].