Natasha Staley, Sophos Plc
A growing reliance on the Internet as a business tool has seen the web grow from being a small village - where all users knew and trusted each other - to a sprawling metropolis. Much like a real city, this growth has brought more choice and diversity, but it has also heralded more dangers. The internet now has its own 'no go' areas complete with bad guys.
However - again much like the real world - there is a difference between real and perceived threats. Reading many IT security vendors' promotional material is enough to make a financial company think twice about incorporating any internet communications into their critical business systems. But, in today's connected age, this option is as unrealistic as not crossing the road for fear of being knocked over by a bus. With internet banking, email communications and networked computing integral to all financial institutions' business activities, it is time to debunk the security hype and look at the real threats, their costs and solutions.
Virus writers in particular have taken advantage of the ubiquity of the Internet. There are currently more than 73,000 viruses in existence; this figure is rising by between 500 and 1,000 each month. The typical virus writer is a single man in his teens or twenties, often with a chip on his shoulder about society at large. Banks and other institutions, which are perceived to represent the 'evils' of capitalism, are a prime target for these virus writers. In addition, because viruses can spread without the sender actually being aware of their actions, institutions are just as likely to receive an unprovoked attack from their customers, colleagues and business partners.
That said, only 3 percent of these viruses are actually circulating in the wild and fewer still have had the impact of the Love Bug, Anna Kournikova or the current most prevalent worm, Klez-H. However, those that do hit are capable of doing considerable damage. It is impossible to pinpoint the exact monetary cost of infection, but by looking at the cost of network downtime, the amount of data lost or damaged and the negative impact on corporate reputation, it becomes apparent that multi-level virus protection is both necessary and cost-effective.
Viruses are not just about inconveniencing computer users; some delete files, corrupt data or modify hard disks. The more high-profile infections have come from email-aware viruses, which have forced companies to shut down their email servers and vital systems, simply because of the volume of email created.
The most 'successful' pieces of malware are those which do not deliberately make their presence known. These viruses, which sit quietly in the background, forwarding themselves or subtly corrupting data, can often remain undetected for weeks or even months.
For the financial community, the most damaging type of virus is often the 'data diddler'. This code will surreptitiously modify the data within a spreadsheet, perhaps multiplying cells D4 and F8 by 1.001 on the first Monday of the month. The chances are that it will be some time before anyone notices that the figures have changed. By this time the likelihood is that backups will also be corrupted. Unauthorised changes can be difficult to unravel and correct, but if the spreadsheet in question happens to hold customer account details this could represent a PR disaster. Even worse, what if a company were compiling its financial results and the data diddler altered these figures?
Another particular concern is the increasing use hackers are making of backdoor Trojan horses or Remote Access Trojans (RATs). This code allows hackers to gain remote control of a PC across the Internet even if they are located on the other side of the world. With a RAT, hackers can view what is on the infected user's machine, steal data, take control of the remote keyboard and mouse and even send emails using the infected computer's username.
Virus infection can also compromise a company's reputation. In 1999, Fuji Bank became infected with a Word macro virus called WM97/Class-D. At the time the bank was embarking on a merger, and was sending vital and sensitive information via email to potential investors. Unfortunately the virus managed to intercept one of these communications. When the document was opened its recipients were told that they were 'big stupid jerks'. Not the best way to impress potential business associates...
The Fuji Bank example is an extreme case, but every financial institution runs the risk of damaging its reputation if it becomes infected with a virus. Today, many commonly encountered viruses are capable of scooping up confidential documents and spreadsheets from the infected computer and distributing them across the Internet. Again, these may pose a serious risk to the fortunes of financial organisations.
Anti-virus software has a crucial part to play in protecting against computer viruses - but no vendor can provide a perfect solution. Some anti-virus companies are now releasing technology which reduces the threat by blocking suspicious filetypes, or files with double extensions, at the email gateway. This can dramatically reduce the chances of a network's security being breached by a new or unknown virus. Vendors are also incorporating heuristics into their products; these search for and block 'virus-like' characteristics. Again, heuristics technology guards against future viruses, but it does run the risk of throwing up false positives (where the software raises false alarms on emails and code which are not strictly viral). Here the impact can be as great as a real virus infection; IT managers are just as likely to close down mail servers over a false alarm as they are with real malicious code.
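The gateway check described above, blocking suspicious filetypes and double extensions, can be sketched as follows. This is an added example, not code from Sophos or any vendor product; the extension lists, function names and the sample message are assumptions constructed for illustration. It also shows the false-positive side: a name with several dots but a harmless final extension is allowed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed lists for illustration; a real gateway policy is site-specific.
BLOCKED_EXTS = {"exe", "pif", "scr", "vbs", "bat", "com", "lnk"}
# Document-like extensions used as the harmless-looking first half of a pair.
DECOY_EXTS = {"txt", "doc", "xls", "jpg", "gif", "pdf", "htm", "mp3"}

def classify(filename):
    """Return 'block-double', 'block-type' or 'allow' for an attachment name."""
    # Trailing dots and spaces do not change how the file is opened; drop them.
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in BLOCKED_EXTS:
        return "allow"
    # Padding between the two extensions must not hide the decoy half.
    if len(parts) >= 3 and parts[-2].strip() in DECOY_EXTS:
        return "block-double"
    return "block-type"

def scan_message(raw):
    """Map each attachment filename in a raw MIME message to a verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {part.get_filename(): classify(part.get_filename())
            for part in msg.walk() if part.get_filename()}

def build_sample():
    """Constructed test message with three attachments (placeholder bodies)."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for name in ("results.xls.pif", "report.v2.pdf", "setup.exe"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample().as_bytes()).items():
        print(f"{verdict:13} {name}")
```

Matching on the final extension rather than on the number of dots is what keeps `report.v2.pdf` out of quarantine; a rule that blocked every multi-dot filename would generate exactly the kind of false alarm the paragraph warns about.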
To be effective, software must be updated on a frequent basis. In April 2002, 80 percent of calls to Sophos's helpdesk were from users infected with the relatively virulent Klez worm. Users were still becoming infected even though protection against this worm was issued some two months earlier. To counter this, some companies are now choosing to outsource these updates to the IT security solutions providers. However, in the financial sector particularly, some businesses are reluctant to lose control of these vital network elements, opting instead to manage updates in-house.
There are other measures that can be introduced. Policies advising users not to open unsolicited attachments or download material from the internet help combat viruses and are completely free to implement. Some companies are also reducing the risk of infection by restricting users' web access - this helps protect against viruses such as Nimda which can be contracted simply by visiting an infected website.
Viruses are a serious threat to financial institutions but they do not herald the Cyber-Armageddon predicted by many IT security 'experts'. A comprehensive anti-virus strategy, combining products and policy, will ward off the vast majority of dangers and will underpin the relationships of trust so crucial to the financial community.