How to cost-effectively battle viruses


JP Vossen
03.05.2004




The best way to battle viruses is still by using up-to-date antivirus programs and definitions from the major antivirus vendors. Depending on your risk and budget, a multi-layered approach covering desktops, servers and gateways in that order is best. Ideally, use a mix of products from different vendors, so that a flaw or missing signature in one product is covered by another. Obviously that adds to the cost and complexity of the solution, so that approach may not be feasible for everyone. There are a few "free" antivirus programs out there, but they are mostly for non-commercial use only.

There are frequent questions in the Snort-users mailing list about using Snort to detect viruses and worms. Using Snort for this purpose is not ideal, since by the time any IDS (intrusion-detection system) detects the infection it's already too late. In some environments (notably education) this may be your only option. Join the Snort-users and Snort-sigs lists, and read the archives for more information.

As far as prevention goes, again you need a layered approach that begins with policies and user education, and encompasses antivirus software, strict firewall rules and hardening all your hosts as much as possible. One particular challenge is the laptop user who plugs into an unprotected broadband connection at home, gets infected, then brings the infection back inside the firewall on Monday morning. You need to have an e-mail policy and make sure all users are educated about these dangers.

You may need to consider strict workstation policies, such as not allowing the local user to have administrative rights or install software, and deploying so-called personal firewalls for laptops or even for all users. Firewall rules and device hardening reduce the avenues by which worms may spread, as well as improving overall security. Vulnerabilities in software that is not installed are not a threat to your organization.

IPSes (intrusion-prevention systems) are another possible layer. These take the form of a gateway (like a firewall) or transparent bridge in the network, or of agent software on each host. IPSes aim to actively prevent activity perceived as malicious. It turns out that what malicious code tries to do boils down to a relatively small number of things, so the idea is to prevent those things from happening, rather than reactively building giant signature or definition lists of known malicious code. The problem is that it's often difficult to distinguish between benign and malicious activity, and an IPS can actively break your network, host or application if you are not very careful (and maybe a little lucky). They are improving rapidly, so they may be worth a look.

Network segmentation or compartmentalization is another possible containment strategy. See Marcus Ranum's The Big Red Button from the February 2004 issue of Information Security magazine for a discussion.

Finally, to sell the idea to management you have to have the numbers, and you have to have management that is aware of infosec issues and risks. The latter is improving as more infosec issues hit the mainstream press and as various legislation with serious impact on corporations and/or senior management takes effect (notably Sarbanes-Oxley, the Gramm-Leach-Bliley Act, California's SB 1386 and HIPAA). "The numbers" are different for every organization and environment, but the idea is to show the costs of the last infection, predict the cost of the next one and then show that an ounce of prevention is better than a pound of cure. The various products above are capital expenses, but there are other things you can do, such as education, device hardening, tightening up the firewall rules and possibly network segmentation, which only require your time and effort. In the end it all comes down to risk. Can you afford to take the time to do this? Can you afford not to?
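One way to put "the numbers" together is a simple annual-loss model: cost out the last outbreak, multiply by how often you expect it to recur, and compare that against the yearly cost of each preventive layer. The script below is an added example, not part of the original tip; every figure in it (host counts, hourly rates, how much each control is assumed to reduce incidents) is constructed and hypothetical, and the control names and `reduction` fractions are assumptions you would replace with your own environment's data.

```python
"""Cost comparison of worm/virus prevention versus cleanup (illustrative model).

Added example with constructed, hypothetical figures. It models the tip's
advice: cost out the last infection, project the annual cost of recurrence
(ALE = single-loss expectancy x annual rate of occurrence), then rank each
preventive layer by the loss it avoids net of what it costs per year.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Incident:
    """Cost inputs for one past outbreak (all figures constructed)."""
    hosts_infected: int
    cleanup_hours_per_host: float
    staff_hourly_rate: float
    downtime_hours: float
    downtime_cost_per_hour: float

    def cost(self) -> float:
        """Single-loss expectancy: staff cleanup time plus business downtime."""
        cleanup = self.hosts_infected * self.cleanup_hours_per_host * self.staff_hourly_rate
        downtime = self.downtime_hours * self.downtime_cost_per_hour
        return cleanup + downtime


@dataclass
class Control:
    """A preventive layer: its yearly cost and the share of incidents it is assumed to stop."""
    name: str
    annual_cost: float   # licences plus staff time, per year (constructed)
    reduction: float     # assumed fraction of incidents prevented, 0..1 (constructed)


def annual_loss_expectancy(incident_cost: float, incidents_per_year: float) -> float:
    """Classic ALE: single-loss expectancy times annual rate of occurrence."""
    return incident_cost * incidents_per_year


def evaluate(incident: Incident, incidents_per_year: float,
             controls: List[Control]) -> List[Dict[str, object]]:
    """Rank controls by expected annual loss avoided, net of their own yearly cost."""
    ale = annual_loss_expectancy(incident.cost(), incidents_per_year)
    rows = []
    for c in controls:
        avoided = ale * c.reduction
        rows.append({
            "control": c.name,
            "annual_cost": c.annual_cost,
            "avoided_loss": avoided,
            "net_benefit": avoided - c.annual_cost,
        })
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


# Constructed sample data: 200 hosts cleaned at 1.5 h each by staff costing
# $60/h, plus 8 h of downtime at $2,000/h; assume three such outbreaks a year.
SAMPLE_INCIDENT = Incident(hosts_infected=200, cleanup_hours_per_host=1.5,
                           staff_hourly_rate=60.0, downtime_hours=8.0,
                           downtime_cost_per_hour=2000.0)
SAMPLE_RATE = 3.0
SAMPLE_CONTROLS = [
    Control("User education and e-mail policy", annual_cost=5000.0, reduction=0.30),
    Control("Second antivirus vendor at the gateway", annual_cost=20000.0, reduction=0.50),
    Control("Host IPS agents on every workstation", annual_cost=60000.0, reduction=0.60),
]


def sample_report() -> List[Dict[str, object]]:
    """Run the model over the constructed sample so the ranking can be checked."""
    return evaluate(SAMPLE_INCIDENT, SAMPLE_RATE, SAMPLE_CONTROLS)


if __name__ == "__main__":
    print(f"Cost of last outbreak: ${SAMPLE_INCIDENT.cost():,.0f}")
    print(f"Projected annual loss:  ${annual_loss_expectancy(SAMPLE_INCIDENT.cost(), SAMPLE_RATE):,.0f}")
    for row in sample_report():
        print(f"{row['control']:<45} cost ${row['annual_cost']:>9,.0f}"
              f"  avoids ${row['avoided_loss']:>9,.0f}  net ${row['net_benefit']:>9,.0f}")
```

With the constructed numbers the model ranks the second gateway antivirus layer first and shows the expensive host IPS rollout barely paying for itself, which is the kind of comparison that makes the "ounce of prevention" argument concrete. The cheap controls the tip mentions (education, hardening, firewall rules) show up well in such a model precisely because their annual cost is mostly staff time.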


For more info on this topic, please visit these SearchSecurity.com resources:
  • Featured Topic: 21st-century firewalls
  • March 2004 Information Security magazine: Anatomy of a risk assessment
  • Security Tip: Keys to an effective virus incident-response team
