By Hui Zhu
Anti-virus and Patch Management
It was a beautiful sunny morning. As usual, I got to the office at 8:00 AM. I made a cup of coffee to warm myself up as a good start to another busy day, and waded through the flood of email that had accumulated overnight. Suddenly, an email from a security mailing list caught my eye: a new virus targeting a vulnerability in a popular operating system was spreading quickly throughout the internet. From the description of the vulnerability, I knew all the computers in this company could become infected with this virus. After fiddling around with the search engine, I realized that we needed to install the new virus pattern file in the anti-virus software and deploy a vendor patch that would fix the vulnerability exploited by the virus.
Armed with this information, I informed the CIO of the problem immediately. Per the CIO's request, IT took immediate action: an IT support team ran around the office helping our staff install the patches, and our anti-virus administrator downloaded the latest virus pattern file and pushed it to the desktops. Luckily, our company's quick response saved us from a virus outbreak in our network, apart from a few infections on unattended computers.
A few days later, I heard that most of the other companies in the same building were hit hard by the virus, which brought down their entire networks without warning. Their IT departments spent 24 hours in the office cleaning up the virus and putting everything back in order.
In the aftermath of all this, I couldn’t help but think that there must be a more predictable and efficient way to deal with the threat of viruses. No ideas came to me immediately, but I spent some time considering why we had these kinds of problems and how we could solve them.
What is Malware?
Looking from a broader view, the problem is malware: a piece of malicious code planted on a user's computer that causes unexpected and unwanted events in the computing environment. Viruses, worms, spyware, malicious mobile code, back doors and Trojans are all different categories of malicious code. Malicious code uses different mechanisms, through different avenues, to plant itself in a system. The delivery mechanisms vary widely: some malicious code self-replicates through email attachments and file infection, with or without human intervention; some exploits system vulnerabilities to squeeze a malicious executable into the system. The common avenues for malicious code to attack and infect a system are the network, removable media and storage, email, shared directories, and so on. Often, malware takes advantage of system vulnerabilities to insert itself into the victim systems, as we have witnessed over the last few years.
Security Advisory Monitoring
In this case, what saved us was that we knew about the problem beforehand and took action quickly. But what would have happened if I had been on vacation, or had not had time to read my email that morning? My company would not have escaped the disaster. Of course, quick notification of a security alert is important to prevent such an incident, but one cannot rely on casual email reading or voluntary web browsing. Security advisory monitoring should be established as a well-defined and repeatable process instead of a random activity. A virus can come at any time; the company needs to handle this threat proactively.
Most companies will not be so lucky as to have unlimited resources to follow up on every security alert; thus, only those relevant to the company's specific IT environment should be monitored. The company can start by compiling a complete hardware and software inventory, which defines the scope of the security advisory monitoring process. Using the appropriate vendor security alerts and security mailing lists, the relevant security advisories should be identified against that hardware and software inventory. Monitoring of the advisories should be assigned to a security team or delegated to the individuals responsible for each information system, in accordance with the IT support structure. However, one team should be ultimately responsible for coordinating the overall process, so that the process can be tracked and measured, the information consolidated for management decisions, and the response coordinated.
Every day, the relevant security advisories should be monitored and reviewed by the responsible individuals. Relevant security alerts or patch releases should be rated for criticality, and the ratings reported to the coordination team. All temporary fixes or patches should be reviewed and evaluated by IT administrators and managers to minimize the risk of interrupting IT operations. After that, a fast-track change request is a good way to get the fix approved and implemented as quickly as possible.
The security advisory monitoring process must be well designed and managed to ensure the timely identification and mitigation of serious security risks.
As we all know, anti-virus solutions can only detect those viruses they "know" about. This information is usually referred to as the virus definition, signature or pattern. It must be updated regularly, since new viruses appear all the time. Most anti-virus solutions update their definitions automatically via the internet at regular intervals, which provides improved protection against new viruses. Companies should enable the auto-update feature at appropriate intervals to get the latest virus update in a timely manner.
Heuristic anti-virus is designed to detect previously unknown viruses, that is to say, viruses newly released into the wild for which the anti-virus vendors have no specific definition files yet. It should be considered a complementary solution in the anti-virus architecture, so that new viruses can be caught while the virus definition is not yet available.
Patching is another proactive and effective approach to preventing virus infection. Timely patching of the system will prevent most malicious code attacks and infections. However, patching is not a trivial task, and people normally do not care much about patching a system unless the computer is compromised or infected with a virus. Given the variety and number of IT systems, administrators tend to forget to install patches as well.
Also, it is almost impossible to install patches on all the company's IT systems manually. Patch management should rely on automated solutions, and various patch management products on the market can help ease the pain. However, a patch management solution by itself will not solve the entire problem; a well-defined process must be in place to enforce and police patch management activities. An effective patch management process should also build on the security advisory monitoring process in order to identify the latest patches in time.
Furthermore, new patches must be evaluated in a test environment in order to minimize the risk of production interruption in case the patch itself causes unexpected problems. Once the patches are tested, they should be deployed to all IT systems as quickly as possible. Fully automated patch deployment should be considered for low-risk IT systems to further reduce the chances of virus infection or malicious attacks.
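As an added example (not part of the article), the following Python script applies the process described above: it scopes a vendor advisory to the hardware and software inventory, rates it for the coordination team, and decides per host between automated deployment for low-risk systems and a fast-track change request, holding everything until the patch has been validated in the test environment. The host names, product names, versions and risk classes are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Advisory:
    product: str        # product the vendor alert names
    fixed_in: str       # first version carrying the vendor fix
    severity: str       # vendor rating: critical / high / medium / low
    patch_tested: bool  # validated in our test environment yet?
def version_tuple(version):
    # numeric comparison, so that 5.10 sorts after 5.9
    return tuple(int(part) for part in version.split("."))

# Constructed inventory: host -> (risk class of the system, {product: version})
INVENTORY = {
    "mail01":    ("high", {"ExampleOS": "5.1.2", "MailServer": "2.0"}),
    "kiosk07":   ("low",  {"ExampleOS": "5.0.9"}),
    "dev-vm3":   ("low",  {"ExampleOS": "5.2.0"}),
    "fileshare": ("high", {"OtherOS": "3.4"}),
}

def affected_hosts(advisory, inventory):
    """Scope the advisory to the inventory: hosts still on an unfixed version."""
    hits = []
    for host, (risk, software) in inventory.items():
        version = software.get(advisory.product)  # None: not installed, out of scope
        if version and version_tuple(version) < version_tuple(advisory.fixed_in):
            hits.append((host, risk))
    return hits

def rate(advisory, hits):
    """Criticality for the coordination team: vendor severity weighted by exposure."""
    if not hits:
        return "not applicable"
    exposed_high_risk = any(risk == "high" for _, risk in hits)
    if advisory.severity in ("critical", "high") and exposed_high_risk:
        return "P1"  # act today via a fast-track change request
    if advisory.severity in ("critical", "high") or exposed_high_risk:
        return "P2"
    return "P3"  # fold into the regular patch cycle

def triage(advisory, inventory):
    # returns (rating, {host: action}) for one advisory
    hits = affected_hosts(advisory, inventory)
    actions = {}
    for host, risk in hits:
        if not advisory.patch_tested:
            actions[host] = "hold: validate patch in test environment"
        elif risk == "low":
            actions[host] = "auto-deploy"  # low-risk systems: automated rollout
        else:
            actions[host] = "fast-track change request"  # admin review first
    return rate(advisory, hits), actions
```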
Defense in Depth
So far, in order to deal with the risk of viruses, we have put security advisory monitoring in place to get the latest security alerts, and an automated patch management process in place to deploy the patches in time. It may seem as if we now have up-to-date anti-virus protection. However, what would happen if the company were hit by a newly released virus, if the virus definition and patches were not available before the attack, or if the anti-virus software could not get the latest pattern file? We should architect anti-virus and virus protection in layers, based on the commonly recognized defense-in-depth security principle.
Looking at the catalogue of anti-virus products, it is not hard to find solutions working at different layers of the IT environment. An effective anti-virus architecture should have multiple layers of anti-virus, e.g. desktop anti-virus, server anti-virus, email anti-virus, and an anti-virus gateway. An enterprise firewall, personal firewalls, and network- and host-based intrusion detection systems should also be considered complementary components of the anti-virus architecture. A virus sneaking through one layer can be caught or blocked at another.
The IT architect should carefully review all the critical areas of the network and strategically deploy anti-virus or other security solutions at the various entry points, key routing paths and endpoints to achieve defense in depth.
Lessons Learned and Takeaways
As IT architects, we must realize that what we are fighting against are real (virus) attacks that have the intention, and possibly enough intelligence, to defeat our defenses. We cannot rely solely on one anti-virus solution to protect our IT systems from virus attacks. Virus intrusion is a perpetual threat. We must take a proactive approach to defending against viruses; one of the most effective approaches is to keep informed of all the latest security advisories and act on them. Patch management is another proactive and effective way to secure our environments. IT systems should always be kept up to date, so that there is no loophole for a virus to get in. We should always think of defense in depth and put up layers of defense to catch the virus in different places.
With all those security measures in place, I was finally able to peacefully enjoy my morning coffee without fear of a virus outbreak in my company.
Critical Thinking Questions
What is malware?
What is the best approach to tackle the malware problems?
How can patch management reduce the number of malware incidents?
What proactive approaches can prevent a malware outbreak in an enterprise environment?
About the Author
Hui is a consultant with over ten years of extensive experience in security architecture design and implementation, security management systems, and security audit and review in varied IT environments. Leveraging his expertise in both security management and security consulting, Hui has established proven methodologies and approaches for various security architecture practices, and has successfully helped clients to manage risks and achieve their security objectives. You can contact Hui at firstname.lastname@example.org.