Virus Defense - A Practical Approach
You may be surprised to know that following three simple steps could guarantee that your firm is protected from computer viruses. (To be accurate, there are many forms of malicious programs and scripts, including viruses, worms, Trojan Horses, etc. For simplicity, we will refer to all of these as viruses. Our apologies to the purists.) To spare you the discomfort of remaining on the edge of your seat, here they are: 1) disconnect your network from all other networks, including the Internet; 2) prohibit the exchange of electronic documents, mail or applications with the outside world; 3) for good measure develop your own software.
We did say "simple" and we did say, "guarantee." Unfortunately, we did not say "practical" or "easy." While only the most paranoid would seriously consider these drastic steps, it illustrates a point often forgotten when systems administrators lose sight of the forest while focusing on the trees. The goal of virus defense is not to provide the absolute lowest possible risk of disruption from viruses. If it were, the measures outlined above would be applied, and the virus problem would be eliminated.
A more practical approach to virus protection is to balance the benefits (reducing potential damage) against the costs (resources and productivity) of preventing infection. This approach requires administrators to think through the impact that security measures and policies will have on technology consumers. After all, the primary purpose of technology in a law firm is to promote the productivity of attorneys and staff and to enhance client service. This means that security measures should be crafted to strike the proper balance between a high level of protection and the corresponding cost and loss of system usability.
As the uses of information technology and the nature of virus threats continue to evolve, policies and effective preventive measures must also evolve. Though the technical nature of virus threats has changed considerably over the past decade, administrators can focus on two key attributes that have remained constant: 1) each virus requires an entry point into your computers, and 2) a virus must be executed before it can do anything. Ten years ago, we focused on the floppy disk as the primary method of entry, as there tended to be two types of viruses: boot-sector viruses, which ran when a computer was started with an infected floppy disk in the drive, and executable viruses, i.e. infected programs.
Today, the primary entry point for viruses is the Internet, with e-mail as the most common entry chokepoint. E-mail messages can carry viruses through file attachments or executable scripts embedded in HTML code. To a lesser extent, downloads from a website are also known to carry viruses. The primary execution point for these viruses remains on the desktop, usually requiring user intervention in the form of a double-click to open a document, execute a file or start a script.
It is not practical to expect a final solution on virus defense. Rather, it is most appropriate to establish general principles that can be applied to virus security policy and procedures. We suggest taking the following general steps as the foundation for policies and procedures to protect the firm's computer assets from viruses:
- 1) Identify system chokepoints through which a virus must pass to infect, damage and/or spread. These are the most cost-effective points to combat potential threats.
- 2) Apply cost/benefit analysis to alternative solutions aimed at closing (protecting) each chokepoint. Keep in mind that an effective cost analysis must consider not only hard costs (software, services, hardware, etc.), but also soft costs that include system usability and the impact on consumer productivity.
- 3) Include a healthy blend of preventative measures with efficient and effective recovery capabilities. As achieving a protection level of 100% is not practical, it is essential to have effective and efficient processes in place to quickly recover in the event of a disruption.
System Backup and Recovery
While discussions on backups may appear to be a "no brainer," we are frequently astounded to find firms that have not effectively covered this base. System backups and database transaction logs will not reduce the risk of virus infection. However, effective and reliable backup and recovery processes can limit the impact a virus has on data loss and, most importantly, the time and effort required to recover and get people working again. Most firms do have adequate backup procedures in place, but few have taken the additional step of establishing regularly scheduled restore/recovery practice sessions. These practice runs will not only verify that backups are comprehensive and effective, but they also will keep systems administrators in practice so that disruption is kept to a minimum and recovery can be completed quickly.
Server-Based Scanning Software
This is the most cost-effective solution in the entire anti-virus arsenal. Filtering software and virus scanning serve as the first line of defense at virus entry points by continually scanning in-bound network traffic. Files containing suspected viruses are blocked or quarantined for inspection by system administrators. Anti-virus software with current virus updates, coupled with filtering software, searches for known virus signatures, attachment types, and even known subject lines, such as those of the infamous "I love you," "Anna Kournikova," and "… naked wife" viruses. Proxy servers that search IP packets for virus signatures can also search file downloads from websites. If you have outsourced your firewall and/or mail servers, your ISP should be providing this service. If not, pull out your service agreement and update it NOW.
Desktop
An effective server-based virus protection strategy can provide an adequate level of protection, although there is always the chance that viruses may slip through. Server and client-based solutions are not necessarily mutually exclusive, and can work in tandem to provide an optimum solution. Virus scanning is not perfect. Even perfectly running and maintained virus protection software can fail against new, cleverly designed viruses. Consequently, additional steps are required. One alternative that has generated much debate is limiting the use of certain file types that might transmit viruses via e-mail. We believe limiting file types is like using a chainsaw when a nail file is needed. Let's take a closer look at the most common file types and see what is most practical:
- JPG, TXT, GIF, PDF (picture and text files). These files pose little threat as they simply do not have the ability to transfer executable code. No code, no virus. Even if executable code were mislabeled, double-clicking would not execute it.
- Word / WordPerfect documents. These files can contain viruses embedded in macros. Banning these file types as e-mail attachments can reduce the chance of viruses but can also severely reduce productivity and the client service benefits of electronic sharing of documents. Historically, these virus types are most likely to be caught by anti-virus scanning software, and are less likely to spread on a massive scale. Our anecdotal experience indicates that allowing these documents to pass into the network environment after going through the virus scanning process (assuming virus updates are current) poses an extremely small threat. That being said, we believe it is still a good practice to take additional precautions with documents that come from someone you do not know. If you do not know the sender, it is always best to delete the e-mail message and the attached file.
- VBS (Visual Basic Script). These files pose the most significant virus threat and are responsible for the worst virus outbreaks of the past 18 months. These pervasive and infamous viruses spread through the use of Visual Basic Script file attachments (.vbs) to e-mail messages. The most practical and cost-effective countermeasure is straightforward and easy to implement: disable the file association for .vbs files on each desktop to prevent the user from launching a .vbs program by double-clicking on an attachment. VBS can still be run by other methods, so any inconvenience to end-users is minimal.
Removing the VBS Association
Remove the association between the .vbs file extension and the WSCRIPT.EXE program that executes such files. Without this association, when a user double-clicks on a .vbs file attachment, Windows will respond that the file type is unknown, and the file will not launch. All websites we have tested that use Windows scripting still execute flawlessly with this association disabled, and system administrators can still use other methods, such as shortcuts or auto-login batch files, to launch .vbs files on their users' computers.
These steps are not a substitute for anti-virus scanning software. They only protect against viruses or worms that: 1) are written with Windows Scripting and 2) rely on a user to double-click an attachment.
- Close open windows and double-click the "My Computer" icon on the desktop.
- Select the "View" menu (for Windows 95/98/NT) or "Tools" menu (Windows 2000) and then select "Options" or "Folder Options," depending on your version of Windows.
- In the dialog that opens, select the "File Types" tab. The dialog will then display a list of "Registered file types."
- Scroll down until you find an entry for "VBScript Script File" with an extension of .vbs. Highlight the entry, and then press the "Delete" or "Remove" button, depending on your version of Windows. The association is removed. Press OK to close the dialog. If you do not have this entry, you probably do not have Windows Scripting installed.
While not yet prevalent, we also suggest removing the associations for VBScript Encoded Files (.vbe), Windows Script Files (.wsf), Windows Script Host Settings Files (.wsh), and Windows Script Components (.sct, .wsc).
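As an added example (not part of the original article), the following PowerShell script performs the same change as the dialog steps above on current Windows versions, for every extension the article lists, and records the original ProgID so the change can be reversed on a workstation that turns out to need it. The backup path and the function names are assumptions.

```powershell
# Added example, not from the original article: clears the shell association for
# the Windows Script Host extensions named above, saving the original ProgID
# (e.g. VBSFile, which maps to WScript.exe) so the change can be undone.
# Run from an elevated PowerShell prompt. $BackupPath is an assumed location.
$Extensions = '.vbs', '.vbe', '.wsf', '.wsh', '.sct', '.wsc'
$BackupPath = Join-Path $env:ProgramData 'script-association-backup.csv'

function Get-ScriptAssociation {
    param([string]$Extension)
    $key = "Registry::HKEY_CLASSES_ROOT\$Extension"
    if (-not (Test-Path $key)) { return $null }
    # The key's default value holds the ProgID that Windows opens on double-click.
    (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
}

function Remove-ScriptAssociation {
    param([string]$Extension)
    $progId = Get-ScriptAssociation -Extension $Extension
    $result = [pscustomobject]@{ Extension = $Extension; ProgId = $progId; Removed = $false }
    if (-not $progId) { return $result }   # nothing to remove: WSH absent or already done
    # Clearing the default value breaks the link to WScript.exe; a double-click now
    # gets the "unknown file type" response the article describes.
    Remove-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Extension" -Name '(default)'
    $result.Removed = $true
    $result
}

function Restore-ScriptAssociation {
    # Re-creates the associations from the backup CSV written below.
    param([string]$Path)
    Import-Csv -Path $Path | Where-Object { $_.Removed -eq 'True' } | ForEach-Object {
        Set-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$($_.Extension)" `
                         -Name '(default)' -Value $_.ProgId
    }
}

$results = foreach ($ext in $Extensions) { Remove-ScriptAssociation -Extension $ext }
$results | Export-Csv -Path $BackupPath -NoTypeInformation
$results | Format-Table -AutoSize

# Verify: every listed extension should now report no ProgID.
$still = $Extensions | Where-Object { Get-ScriptAssociation -Extension $_ }
if ($still) { Write-Warning "Association still present for: $($still -join ', ')" }
```

HKEY_CLASSES_ROOT is a merged view, and on newer Windows a per-user default-app choice for an extension can override it, so confirm the result by double-clicking a harmless test .vbs file on one workstation before rolling the change out.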
Conclusion
Following a practical approach to virus defense should prove useful to most firms and should result in few disruptions, minimal additional work for network administrators and, most importantly, productive technology consumers. But the nature of the threat will continue to evolve, as will the required response. Apply these general principles, balance risks and protection and, by all means, keep your clients in mind: protect them, but let them work!
About our authors...
Tom Gelbmann and Allan Muchmore are Consultants with the Information Services and Technology Group at Hildebrandt International. Tom can be reached at (651) 483-0022 or by e-mail at tagelbmann@hildebrandt.com. Allan can be reached at (415) 956-9191 or by e-mail at ahmuchmore@hildebrandt.com.