Melissa's Message: Know the Code

<a href="displayarticle.asp?ID=4219931744PM"><img src="archive/1999/pics/melissa.jpg" border="0" align="left"></a>What has the industry learned from the recent rampage of the Melissa virus? Primarily, to keep anti-virus programs up to date and to put policies in place that limit the entry of malicious code into a network. Stopping virus-laden code before it enters the network -- through signature technology -- is getting a serious look.

What has the industry learned from the recent rampage of the Melissa virus? Primarily, to keep anti-virus programs up to date and to put policies in place that limit the entry of malicious code into a network. Stopping virus-laden code before it enters the network -- through signature technology -- is getting a serious look.

Melissa signaled "an upping of the ante" in the battle against viruses, says Roger Thompson, technical director of malicious code research for ICSA (www.icsa.net), a security assurance services provider. Even Microsoft Corp. and Intel Corp. reported that the macro virus proliferated through their systems on the weekend that the virus struck. "Back when boot viruses were the most prominent virus type, we recommended updating your anti-virus software every six months. When macro viruses first came out, we shortened that to three months," Thompson says. Now, monthly updates are called for. Thompson estimates that 100 new macro viruses are unleashed each month -- a level that has remained constant over the past six months.

It won't be long before stringent anti-virus protection becomes part of doing business over the Web, predicts Helen Flynn, research director with GartnerGroup (www.gartner.com). "Electronic commerce over the Internet has raised the bar for security and privacy," Flynn says. "The prevalence of extranets and business-to-business communications using macros, Java and ActiveX will necessitate higher levels of malicious-code protection." Flynn predicts a rise in network-based content filtering of e-mail and other transactions.

But incidents such as Melissa continue to expose the vulnerabilities in network security. "When you have any big event, natural or man-made, it reveals laxity in preparation," says Michael Puldy, global solutions executive with IBM's Business Recovery Services unit. This latest episode demonstrated fissures in "keeping people up to date with the latest virus software, virus signatures, and just keeping the technology and software where it needs to be," he explains.

The insidiousness of Melissa was that "it was spread through e-mail that came from previous victims," says Scott Culp, security product manager with Microsoft. "A person who received one of these knows the person who sent it to them, and that made them more likely to go ahead and open the attachment. A little bit of social engineering is required for situations like that -- users need to understand that just because they received something from their friend down the hall, it doesn't mean that you necessarily ought to trust it."

Signature-based technology may offer some remedies to the trustworthiness of e-mail attachments by blocking downloads of code of unknown origin from the network. "The world is showing that it lacks a specific signature-based anti-virus solution," says ICSA's Thompson. "There's been generic solutions since day one, but they haven't proved as commercially acceptable as known virus detections, which have to be updated every time."

Microsoft is bringing signature-based capabilities to the market. The company recently introduced a security toolkit in Windows NT 4.0 Service Pack 4, which will also be incorporated into Windows 2000. The toolkit includes digital signing of macros and other applications. Similar anti-virus capabilities are being added to Office 2000. Users who write macros will now be able to digitally sign their macros, certifying that the code is from a trusted source. End-users and IT administrators can configure Office 2000 so only macros that are digitally signed by trusted sources will be run.

"Office 2000 is the first application that has an explicit setting that says, 'I don't want to run anything that's not signed,'" Microsoft's Culp says. "Windows 2000 will be similar, in that group policies can make checking of signatures on software a mandatory policy throughout your network." Microsoft's digital certificate technology, Authenticode, will facilitate and validate the authenticity of software -- including drivers -- that pass through the network. With the group policy support in Windows 2000, the "administrator can say, as a rule, they want their network to be configured in a certain way, with a certain certificate authority to be trusted, and certain privileges to be granted to their users," Culp says.

Still, it’s as important -- or more important -- to focus on the policy side of security rather than relying on technology alone, Culp says. Consistent management of policies across the network and user education are key, he notes. "It's important that users understand what the issues are and where there are some potential vulnerabilities," Culp explains. "We're providing tools that allow you to sign e-mail, that allow you to sign code, that allow you to make trust decisions. Ultimately, much of it is going to come down to user education, and whether they understand the danger of running untrusted code."