Taking a stand against computer viruses
by Warner, Paul D.
When the 1983 movie "War-Games" raised the specter of computer hackers tampering with secret military data located in a single computer system, the military's computer experts shrugged off the fictional scenario. "It can't happen here," they said.
Now there is a new, perhaps even more devastating threat to data security. Computer viruses--destructive computer programs that can spread from computer to computer and system to system--have seriously altered or destroyed data and produced costly system downtime. But, most important, computer viruses have created a serious lack of confidence in overall data security.
Consider the unauthorized intrusion last year into Arpanet, the Department of Defense's worldwide data communications network. Cornell University graduate student Robert I. Morris, Jr., who was recently found guilty of violating federal computer laws, slipped into the system through a "trap door" in the program and committed an inadvertent programming error that caused a virus to replicate itself wildly and to spread from system to system. Nearly 6,000 computers worldwide were eventually infected by Morris's virus, and it took 24 hours--at a considerable cost in system downtime--to purge the virus from the network and return Arpanet to working order.
It is important to note that Arpanet is a mainframe-based network that allows various computer systems to communicate and share data. Because shared use and central control are basic to large mainframe networks such as Arpanet, security features have generally been built into their operating systems (collections of programs that control computers' internal functions).
Microcomputers, on the other hand, were originally conceived as single-user processors. When only one person was using a microcomputer, the need for security controls was virtually nonexistent. But technology has progressed to the point where these single users are often linked to one another and to large mainframe computer systems through vast networks. The security features that are incorporated into the microcomputers' operating systems often are not sophisticated enough in light of today's networking realities.
Numerous incidents involving micros can be cited. At Hebrew University in Jerusalem, a computer virus--programmed to appear on the 40th anniversary of the creation of the State of Israel--destroyed a number of university files before being purged from the system. And at USPA & IRA, a Texas-based securities trading and insurance firm, a disgruntled employee planted a program into the company's computer system that destroyed 168,000 sales records in the two days before it was identified and removed.
The universal problem with computer viruses--as these examples indicate--is that users never know when they may appear. In many cases, computer viruses are a game, a prank, a challenge to their creators. But management must take viruses very seriously.
One reason is that they are occurring with increasing frequency. According to the Computer Virus Industry Association, which is made up of 47 companies that track viruses, there were 16,500 infections reported in December 1988 alone--compared to just 2,700 in January of that year. The problem may be underestimated since most companies keep virus attacks secret due to embarrassment and an obvious reluctance to highlight security gaps in particular systems. Only the most notable cases--such as Arpanet--receive widespread attention.
Clearly, systems are not completely safe from virus attack. After all, computer networks are excellent breeding grounds for viruses. Introduced at a PC at some point along the network, a virus can infect the entire network--every computer tied into it--immediately. Once allowed to enter the system, a virus can be removed only with a sophisticated combination of procedural and technical countermeasures. While safeguards are essential, no system or software package is immune to a cleverly installed virus. What's more, the more safeguards that are in place to protect the system, the less user-friendly it becomes.
Seven Point Security Checklist
The following seven steps should be undertaken with particular attention paid to security gaps on the more vulnerable micro side.
1. Establish corporate data security policies. It is essential that senior management send a clear signal to employees regarding the gravity of the computer virus threat. This can be accomplished by drafting a clear and concise corporate data security policy and distributing it throughout the organization. The policy should spell out standards and guidelines for protecting information assets based on their sensitivity, including each employee's responsibility for maintaining security within the organization. Then employees should read and sign a security statement acknowledging having a role and a responsibility in maintaining security.
As part of these policies, businesses should institute a data security awareness program.
It is not enough to distribute a standardized security contract to all employees and then file away the signed copies. To ensure that a corporate commitment to data security is communicated and, more importantly, upheld throughout the organization, businesses should institute ongoing data security awareness programs, including internal training and the distribution of written instructions dealing with specific problem areas.
As part of the security awareness program, for example, employees should be instructed to "log off" (turn off) their terminals when they are away from them for a coffee break or meeting.
Employees should also be trained to identify early signs and symptoms of computer viruses or suspected security breaches. These include reduced system performance, unexplained data loss or alteration, out-of-balance accounting data, activation of obsolete accounts, presence of unfamiliar graphics or messages, file size and data changes, unnecessary activation of devices during program execution, and a disproportionate number of computations for simple instructions.
Most importantly, employees must be drilled in the proper procedures to follow should a virus be identified.
2. Establish password management procedures. A common data security oversight involves failure to change vendor-supplied passwords that come with new software. A software package from, say, ABC Systems Corp., may use the vendor password "ABC Test." This password should be changed immediately--to a confidential, six-to-eight alphanumeric password--to prevent unauthorized access to the system.
Employees should be instructed to take password selection seriously; they shouldn't use their first or last names or a spouse's name. And, during baseball season, they shouldn't use METS or CUBS. It's not all that difficult for an unauthorized user to figure out these kinds of passwords.
The frustrating part is that changing a password involves little more than pressing a few buttons--it's not a technical process at all. The problem is that many users are either unaware of its importance or have a nonchalant attitude toward computer security.
3. Control the uploading of programs from the micro to the mainframe computer. Businesses should be very reluctant when it comes to allowing programmers on microcomputers to upload new programs into the mainframe.
4. Test new or upgraded software in an isolated computer environment. Computer environments have both test and production machines and for very good reason. New or upgraded software should always be run through the test machine first. Many companies have minimized virus penetration by testing microcomputer software on an isolated test or "quarantined" microcomputer. Some businesses try to cut corners by implementing the system in the production machine and building in back-out procedures in the event a problem is discovered. This is particularly true with micros.
5. Purchase software from reputable sources. There's no such thing as a free lunch; employees who copy free software from electronic bulletin boards are asking for trouble.
It is quite common for microcomputer users to rely on electronic bulletin boards and "shareware." But many viruses have been identified with these bulletin boards, including one "antiviral" software package that actually caused more damage than it was intended to prevent.
6. Back up data and programs on a regular basis and store them offsite. This defensive step allows businesses to go back to earlier software versions to eliminate a virus and identify corrupt data. The only other option is to re-key essential data from existing paper records--and that would be extremely time-consuming or, in some cases, impossible.
Many times backups are stored right next to the computers. That defeats the purpose of backups because, in the event of a fire, flood, or simply a plumbing or electrical problem, these disks would likely be destroyed along with the originals.
Similarly, when a company purchases a new software package, it should make a copy of the package and work off the copy, storing the original offsite. In this way, it will be possible to restore a system that has been infected by a time-released virus.
7. Establish an effective disaster recovery plan. Such a plan won't help companies prevent virus attacks, but it will expedite resumption of normal operations following an emergency. And emergencies come in all shapes and sizes--floods, fires, electrical blackouts, as well as viruses.
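The "file size and data changes" warning sign from step 1 and the clean offsite copy from step 6 can be combined into an integrity check: record each file's size and hash from the trusted copy, then compare the working system against that record. The Python below is an added example, not part of the original article; the file names and contents are constructed sample data.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file's relative path to (size in bytes, SHA-256 hex digest)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(path, root)] = (os.path.getsize(path), digest.hexdigest())
    return manifest

def compare(baseline, current):
    """Classify differences between a trusted baseline and the working system."""
    report = {"added": [], "missing": [], "size_changed": [], "content_changed": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["missing"].append(path)
        elif baseline[path][0] != current[path][0]:
            report["size_changed"].append(path)
        elif baseline[path][1] != current[path][1]:
            report["content_changed"].append(path)  # same size, different bytes
    return report

def demo():
    """Constructed sample: a small program directory, baselined and then altered."""
    with tempfile.TemporaryDirectory() as root:
        files = {"LEDGER.EXE": b"ledger-v1", "PAYROLL.EXE": b"payroll-v1", "REPORT.DAT": b"q1"}
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)  # stands in for the manifest of the clean original
        with open(os.path.join(root, "LEDGER.EXE"), "ab") as fh:
            fh.write(b"+extra bytes")   # file grows
        with open(os.path.join(root, "PAYROLL.EXE"), "wb") as fh:
            fh.write(b"payroll-vX")     # size unchanged, content altered
        os.remove(os.path.join(root, "REPORT.DAT"))  # unexplained data loss
        with open(os.path.join(root, "HELPER.COM"), "wb") as fh:
            fh.write(b"unknown")        # file that was never in the baseline
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The baseline manifest is only useful if it is stored with the offsite original, where a program running on the working system cannot rewrite it.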
The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.
©2009 The New York State Society of CPAs.