Virus Risk Management
October 2000
Infection by a hidden virus in e-mail is perhaps
the biggest technology hazard most companies face. An e-mail virus can literally
shut down a business in a matter of minutes. This article provides steps for
managing this risk.
by Steve
Anderson
SteveAnderson.com,
Inc.
E-mail use is skyrocketing. As a larger share of business communication is
completed using e-mail, the risks associated with e-mail must be recognized
and managed. Infection by a hidden virus in an e-mail is perhaps the biggest
hazard a company faces. An e-mail virus can literally shut down a business in
a matter of minutes. This risk must be managed just like any other risk a business
faces.
A computer virus is a small software program designed to replicate and spread,
generally with the recipient being oblivious to its existence. Viruses can come
from a variety of sources and be spread in a variety of ways. In the past, computer
viruses spread by attaching themselves to other programs (e.g., word processors
or spreadsheets application files) or to the boot sector of a floppy disk. The
virus can infect or become resident in almost any software module, including
an application, operating system, and system boot code or device driver. Today,
virus programs are distributed as an attachment to an e-mail message. When the
e-mail is opened, the attached virus program is activated—or executed.
What makes viruses dangerous is their ability to perform an event. While
some events are benign (e.g., displaying a message on a certain date) and others
annoying (e.g., slowing performance or altering the screen display), some viruses
can be catastrophic by damaging files, destroying data, and crashing systems.
At the very least, viruses expand file size and slow real-time interaction,
hindering computer performance.
Many virus writers seek only to infect systems, not to damage them—so their
viruses do not inflict intentional harm. However, because viruses are often
flawed, even benign viruses can inadvertently interact with other software or
hardware and slow or stop the system. Other viruses are more dangerous. They
can continually modify or destroy data, intercept input/output devices, overwrite
files, and reformat hard disks.
Virus authors have learned how to extend their reach by using the macro-programming
language included with Microsoft Word to include a virus in a Word document.
Documents and other virus-infected files can be attached to an e-mail message
and sent to literally hundreds of people in a matter of minutes.
Perhaps one of the more well-known e-mail viruses is the Love Bug virus.
When activated by opening an e-mail attachment, this virus sent a copy of itself
to every e-mail address listed in the recipients' Outlook address book. Once
received, the process was repeated. Thousands of e-mail messages, all the same,
were sent in a matter of hours. E-mail systems became so overloaded with the
huge volume of messages, they had to be shut down. Add to this the loss of credibility
suffered by businesses that were attacked, and the Love Bug earned the notoriety
as the most destructive virus to date.
Virus protection software can now scan e-mail messages looking for viruses.
You need to make sure your software is up to date and is being used by your
staff. Every program also has the ability to update the virus definition files
used to keep track of new virus. Make sure these are updated every couple of
weeks.
Protection
The extent to which we rely on e-mail is only going to increase and, although
most people haven't thought about e-mail in the context of virus infections,
they need to. Any technology that increases communication among computers also
increases the likelihood of being infected by a virus. A number of steps can
be taken to provide better protection.
Establish an electronic communication policy. This should spell out guidelines and etiquette that will minimize the use and
size of copy lists and outline rules for e-mail that is only for business content.
Guidelines for Internet access should also be included. (Refer to the second
article in this series, Managing Electronic
Communications, for more information on this topic.)
Have users contribute to the policy. Look at
work habits to make sure that new policies complement corporate work styles.
Make sure you put policies in place that will enhance the ability to use e-mail,
not stifle its use.
Block junk mail by working with your Internet service
provider (ISP) and teach employees how to use built-in filtering tools. Offer new employees a tutorial on the filtering and filing tools available in
the e-mail application you use. Outlook includes a "Rules Wizard" that will
help you manage your e-mail inbox.
Create project databases where teams can share information,
meeting minutes, etc. Intranet sites can easily support discussion threads,
action items, meeting minutes, and more. Also, knowledge databases can be created
that capture specific types of information, such as policies, procedures, product
information, etc. This will give employees one place to go for standard information,
cutting down on e-mail.
Urge users to be prudent about giving out their e-mail
address. We recommend you never give out your "private" e-mail address
to any Internet site. This helps prevent junk mail before it starts.
Use one of the free e-mail services to create a "public"
e-mail address. Whenever you sign up on a Web site, you open yourself
up to receiving unwanted e-mails. You can send the e-mails from this public
address to a separate folder and scan the messages at your leisure and delete
anything that looks suspicious. Some of the free e-mail services (i.e., Hotmail)
have virus scanning built into their e-mail servers adding another level of
protection.
Set up virus protection software on your e-mail server
and every desktop. A number of products are available to search all incoming
e-mail for viruses before they are sent to the recipient's desktop. If an e-mail
contains a known virus, the program stops the e-mail and notifies the sender,
the receiver, and anyone else selected about the problem. In addition, install
a virus protection program on every desktop. It can be helpful to use two different
software companies to increase the odds that one of them will detect a new virus.
[Two examples are Symantec (Norton AntiVirus)—http://www.symantec.com/index.htm
and Network Associations (McAfee VirusScan)—http://home.mcafee.com/]
Keep in mind that these programs can only stop known viruses (those included
in the program's virus definition files). Therefore it is important to make
sure every virus program is updated with the latest virus definition files automatically
online every night.
Create a humor database as an outlet. While
it may seem counterintuitive, it is more palatable than banning humorous e-mail
messages entirely.
Educate your staff. Your staff is the final
defense against virus infections. The Love Bug virus e-mail has a subject line
that says "I Love You." Using some common sense, if you receive an e-mail like
that from your boss, you should realize it is unusual and be skeptical about
opening it.
Write protect Word's Normal.dot. Whenever you
start Word or create a new document, Word uses a "Master Template" (NORMAL.DOT
- usually located in a folder named "...\MSOffice\Templates" or "...\Microsoft\Templates")
to: establish the document's formatting and predefined content; set up AutoText
entries, macros, and toolbars; and initialize the custom menu settings and shortcut
keys that you routinely use. Since this master template is applied to all new
documents as they are created, the large majority of Word macro viruses infect
this file. Once this master template is infected, each time you create a new
blank document or open an existing document, that document will become infected
with the macro virus. Then, if you send that infected document as an attachment
file to an e-mail, you will be spreading the macro virus to your colleagues/friends.
To prevent this template file from becoming infected by a virus, you can
make it a "Read-Only" file. This means that Windows will not let the file be
changed (i.e., written over). To make this file Read-Only (applicable to all
Windows operating systems),: Open Word. Go to File, and then New. This will
bring you to the General page where several document templates will appear.
Right click on the icon named "Blank Document" and left click on Properties.
This will bring up a Normal Properties window. Near the bottom, you will see
an area named Attributes. Check the box beside Read-Only, click Apply to save
the changes, and OK to exit the window. Now, this master template file is protected
from being altered by any Word macro virus. If a macro virus does attempt to
write to this file, the write action will be stopped.
Note: You will need to reverse this procedure
and uncheck this box if you need to install a legitimate Word macro or if you
need to modify your standard document preferences. After you have made these
changes, enable the "Read-Only" function once more.
Conclusion
E-mail is an important productivity tool. More and more clients will be seeking
to communicate with you and your staff using this tool. Sadly, there is no panacea
for the virus problem. It requires everyone in your organization to be alert,
exercise common sense, and take some reasonable precautions. You need to pick
the settings that are most comfortable (least annoying) for you. As with any
tool, only when it is used and managed properly will the users be able to reap
its full benefits.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author's employer or IRMI. Expert Commentary articles
and other IRMI Online content do not purport to provide legal, accounting, or other
professional advice or opinion. If such advice is needed, consult with your attorney,
accountant, or other qualified adviser.