First published: 29th April 2003
The outbreak of SARS is a serious concern, and many people are doing excellent work in fighting its spread. However, some of the measures might lead to an outbreak of rather different viruses: computer viruses. Fortunately, no one is going to die from a computer virus, but viruses can disrupt our work and cause economic damage. In the current economic climate we should try to prevent the avoidable damage caused by computer viruses.
So how will measures to control SARS affect computer viruses? The impact is via the increased interest in teleworking. Staff may need to be quarantined, or a company might seek to minimise risky human contact in general. What better way to minimise human contact than by keeping staff in their homes, linked to the outside world electronically? Obviously, there are security concerns when staff utilise office resources from their home computers, and VPN vendors are promoting their products for this purpose. A VPN (Virtual Private Network) creates an encrypted link between two locations (the company office and the staff's home, in this application) so outsiders cannot eavesdrop or insert their own data or documents in the communications channel. Combined with suitable access control, a VPN can make sure that only staff on their home PCs are connected to the corporate data. However, this only solves one part of the security problem - the channel is secure, but are the endpoints secure? Hopefully the office already has adequate security in place, but the average home PC is vulnerable - personal firewalls are not very common, and the only anti-virus software used might be the free version, bundled with the new PC and now hopelessly out of date. A hacker or virus that takes over the home PC can then make use of the secure VPN connection to access corporate information.
Companies, particularly SMEs, might dismiss the hacker threat - there are only a limited number of hackers, and why would they be interested in attacking one particular SME among thousands? There are some good answers to that, but the more likely threat is viruses. Viruses are generally indiscriminate, and, because they replicate, there is no limit to the number of simultaneous attacks they can make. Many home PCs are probably already harbouring a variety of viruses. Using those machines all day gives the viruses more time to act, staying online gives them more time to spread, and connecting those machines to corporate networks gives them access to new address books to contact and new data to damage. The result of large numbers of people teleworking could be a sudden jump in computer virus incidents.
One virus that could benefit from teleworking is W32/Klez.H@mm, which is currently at the top of various incident lists. In fact, W32/Klez.H@mm has been at the top of incident lists for most of the past year. Occasionally, another virus has spread quickly and temporarily eclipsed it, but soon the usurper fades away, leaving Klez triumphant. Why is Klez so persistent? Klez, like many other successful viruses, sends itself in email to as many addresses as it can find. Klez not only looks for addresses in address books, but also in text files, web pages, Word documents and many other file types. However, Klez also uses one of these addresses in the From: field of the email, so the email appears to have originated from a different location. I think that this is the key reason why Klez has persisted so long. When an "ordinary" mass-mailing email virus infects a machine, it sends out many messages, and users or mail gateways with up-to-date anti-virus software detect it and send back a complaint or warning: "you're sending viruses". The user of the infected machine (who may not care about viruses) is pressured to do something about it. In the case of Klez, the complaint/warning either gets sent to the wrong address, or, if the receiver understands Klez's nature, never gets sent. The user of the infected machine is never warned, and never cleans their machine or updates their anti-virus software. As Klez is currently the most prevalent virus, it is in a good position to benefit from a jump in virus incidents due to increased teleworking.
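The notification problem described above can be handled at the mail gateway. The following is an added example, not code from the original article: a hypothetical policy that stops warning the From: address when the detected family forges it, and instead uses the connecting IP recorded by the gateway to alert the administrator when the infected machine is a teleworker's PC. The family list, the VPN address pool and all hosts and addresses are assumptions made for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the scanner returns a family name; families listed here forge From:.
FORGES_FROM = {"W32/Klez.H@mm"}
# Constructed value: address pool handed to teleworkers' VPN clients.
INTERNAL_NETS = [ipaddress.ip_network("10.8.0.0/24")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def source_ip(msg):
    """IP our own gateway recorded: only the topmost Received header is trusted."""
    received = msg.get_all("Received") or []
    match = BRACKETED_IP.search(received[0]) if received else None
    try:
        return ipaddress.ip_address(match.group(1)) if match else None
    except ValueError:  # bracketed text that is not a valid address
        return None


def plan_notification(raw_message, family):
    """Decide who hears about an infected message (hypothetical policy)."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1]
    ip = source_ip(msg)
    return {
        "source_ip": str(ip) if ip else None,
        # A forged From: names a bystander, so a warning there is misdirected.
        "warn_from_address": family not in FORGES_FROM and bool(from_addr),
        # The connecting IP still identifies the infected machine if it is ours.
        "alert_admin": ip is not None and any(ip in net for net in INTERNAL_NETS),
    }


def sample(ip, from_addr):
    """Constructed test message; hosts and addresses are placeholders."""
    return (
        f"Received: from pc (pc [{ip}]) by mail.example.com; "
        "Tue, 29 Apr 2003 10:00:00 +0800\n"
        f"From: {from_addr}\nTo: staff@example.com\nSubject: test\n\nbody\n"
    )


if __name__ == "__main__":
    print(plan_notification(sample("10.8.0.23", "bystander@example.org"), "W32/Klez.H@mm"))
```
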
So, companies considering implementing teleworking should remember to secure the endpoints as well as the communications channel. The home PC should be protected to the same level as the corporate network, which probably includes patching with the latest security patches, installing up-to-date anti-virus software (and keeping it up-to-date) and installing a personal or distributed firewall. Educating the teleworkers about their essential role in corporate security is also important. A computer virus is not going to kill you, but it might be the last straw that breaks a company facing a difficult economic environment.