Bytware, Inc.

The Battle to Protect Sensitive Information on Government and Education Systems

For the highest level of protection, you must understand the interrelationship of all connected systems.


by Christopher Jones


It's impossible to use an Internet-connected computer today without being surrounded by threats from viruses, hackers, and malicious code. Spam is everywhere; no doubt you received some (or a lot) just today. And though it might seem like a mere nuisance, spam actually represents just one of many fronts in the battle to protect our sensitive information.


There are criminals out there who want our names, our Social Security numbers, and our financial information. Email phishing is one way of obtaining this data from the source, but grabbing the vitals of thousands in one fell swoop is even more effective. And who could be a better target for such schemes than government agencies and educational institutions? If your organization is in one of these areas and hasn't yet taken protective steps, now is the time to do so—not only because it is key to overall security, but because regulations have begun demanding it.


A War on Many Fronts
In the early days of the virus threat, email was the most common method of transmission, and email scanning plus local virus scanning on desktop systems was considered sufficient protection. But threats have evolved, and there are now many more ways that would-be thieves can get at your data. In addition to the traditional risk of a staff member opening an infected email attachment, you must now guard against email messages and Web pages that can infect a system with no user action at all. Worms can enter your network through ports left open to the Internet without anyone noticing, and malicious code can be placed on systems by insiders. The list goes on. Danger is coming from so many vectors that it can be overwhelming.

This diversification of threats has come about because of the interconnectedness of the modern world, a reality that many long-time users of systems such as System i have been slow to accept. Just as a business in Hong Kong is a mere phone call or Web chat away from a business in New York, two servers in those locations are even closer: one can infect the other in a matter of seconds. Platforms that were once viewed as invulnerable are now at risk, and because infections on them tend to go unnoticed, in some sense they present a greater danger than the ever-maligned Windows.


You may be running your operations on i5/OS, Linux, AIX, or other UNIX systems. All of these platforms can carry viruses and malicious code just as Windows can, although they may show no symptoms, because the code was never written to execute on them. Having multiple, interconnected systems can create a "Typhoid Mary" effect that increases the danger of infection. More about this shortly.


Fortunately, guarding against these threats can be achieved through enhancements to the systems made by IBM and other OS developers, through third-party software, and through well-developed and well-enforced security policies.


Because Uncle Sam Said So
No doubt the implications of having sensitive information compromised are enough to motivate any IT manager to take a closer look at security. But to be sure, Congress has taken additional steps in the form of regulatory legislation to make certain that every organization covers its bases. Of particular interest to the government sector are the Federal Information Security Management Act of 2002 (FISMA) and a series of documents from the National Institute of Standards and Technology (NIST). Also of great interest and usefulness, the Control Objectives for Information and Related Technology (COBIT) guidelines and recommendations are being used by much of the corporate world to implement compliance with the Sarbanes-Oxley Act of 2002 (SOX). The measures taken to comply with the requirements and recommendations of FISMA, NIST, COBIT, and SOX are equally beneficial to educational institutions.


You probably know a bit about SOX, which has received a lot of media attention over the past few years and is intended to hold corporations responsible for accounting and financial matters (and includes security practices as well). But just what is FISMA? In summary, the purpose of FISMA is to provide a comprehensive framework for ensuring that information security controls are effective and that agencies comply with them. FISMA provides for the development and implementation of, and compliance with, policies, principles, standards, and guidelines on information security requirements.


FISMA and the NIST guidance highlight the security risks we now face. Failure to acknowledge security exposures could result in compromised data, compromised system integrity, and potential criminal liability. Because the FISMA and NIST documents are quite lengthy, here are a few highlights that relate to virus and malicious code threats:

  • "Malware has become the most significant external threat against most systems, causing widespread damage and disruption, and necessitating extensive recovery efforts within most organizations." (From NIST SP 800-83 draft, "Guide to Malware Incident Prevention and Handling," page ES-1.)
  • "NIST strongly recommends that organizations deploy anti-virus software on all systems for which satisfactory anti-virus software is available." (From NIST SP 800-83 draft, "Guide to Malware Incident Prevention and Handling," page ES-3.)
  • "Antivirus software is a necessity to combat the threat of malicious code and limit damage. The software should be running on all hosts throughout the organization." (From NIST SP 800-61, "Computer Security Incident Handling Guide," page 5-4, section 5.2.2.)

You can obtain the full text of FISMA and the NIST documents, in PDF format, from the Web site of the NIST Computer Security Resource Center (CSRC) at csrc.nist.gov.


Anti-Virus Software for All
As noted above, page ES-3 of NIST SP 800-83 strongly recommends that anti-virus software be deployed on all systems for which a satisfactory solution is available. This is a very critical statement because it highlights—although it doesn't explicitly explain—the heart of the risk. Everyone knows that a Windows-based system can be wiped out by a virus attack. Because of the overwhelming installation base of the Windows platform, the authors of viruses and malicious code focus their energies on attacks that take advantage of that operating system. This makes it easy to dismiss the danger to System i, AIX, or Linux systems. You may never see any symptoms of infection on these platforms, but the danger is that they could be the root cause of your virus problems without your knowing it. As file servers, these systems can quietly harbor viruses and malicious code.


This is where the Typhoid Mary effect comes into play. Since the malicious code isn't written to execute on i5/OS, AIX, or Linux, it just sits there until it is accessed by a connected PC somewhere on your network. When Jane opens an infected file, her computer becomes infected and may in turn spread the virus throughout the network of PCs. Then, using Jane's open path to the file server, the virus deletes files from the System i, AIX, or Linux system. You devote resources to cleanup and recovery, and after a lot of work you think the problem is solved. But later the outbreak happens again when Jane once more opens the infected file. You're not sure why this virus keeps popping up, because you've cleaned it and taken steps to avoid a recurrence. Meanwhile, the virus sits quietly on the System i, AIX, or Linux server, waiting for the next person to access it.


As you can see, it is critical to understand that "PC virus" is a misnomer. Knowing that viruses that affect PCs can reside on non-Windows servers is an important step toward winning the fight against malicious code. Some people think that a native System i antivirus solution scans for viruses written to attack System i. Rather, a native System i antivirus solution is one designed to run on the i5/OS operating system itself, with features that meet the unique needs of the platform, such as the ability to verify IBM's digital signatures on i5/OS objects, or the ability to handle recursive links (paths that loop back on themselves, common on i5/OS but not understood by Windows anti-virus software).
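The following script is an added example, not code from the original article or from Bytware, that shows the two scanner requirements the preceding paragraphs describe: finding Windows-targeted code that sits inert on a share hosted by a non-Windows server (the Typhoid Mary scenario above), and surviving a recursive link while walking that share. The share layout, the two signatures and the sample files are all constructed here so the script runs offline; a real deployment would point the scan at the exported directory and load vendor signatures instead.

```python
"""Signature scan of a file share hosted on a non-Windows server.

Added example, not code from the original article or from Bytware.  The
share layout, the two signatures and the sample files are constructed so
the script runs offline; a real scanner would read the exported directory
and load vendor signatures instead of the constructed ones below.
"""
import hashlib
import os
import tempfile

# Constructed "known bad" content and signatures (assumption: a real
# scanner loads these from a vendor feed).  Neither is real malware.
KNOWN_BAD_PAYLOAD = b"MZ constructed infected payload, never executes here\n"
HASH_SIGNATURES = {
    hashlib.sha256(KNOWN_BAD_PAYLOAD).hexdigest(): "constructed-known-bad",
}
PATTERN_SIGNATURES = {
    "constructed-dropper": b"CONSTRUCTED-WINDOWS-DROPPER-MARKER",
}


def walk_share(root):
    """Yield regular files under root, following symlinks into directories
    but visiting each directory (by device and inode) only once, so a link
    such as docs/loop -> docs cannot send the scan into an endless descent."""
    seen = set()
    stack = [root]
    while stack:
        directory = stack.pop()
        try:
            st = os.stat(directory)          # follows the link if it is one
        except OSError:
            continue                         # dangling link or vanished dir
        key = (st.st_dev, st.st_ino)
        if key in seen:
            continue                         # already scanned: a loop
        seen.add(key)
        try:
            with os.scandir(directory) as entries:
                for entry in entries:
                    if entry.is_dir(follow_symlinks=True):
                        stack.append(entry.path)
                    elif entry.is_file(follow_symlinks=True):
                        yield entry.path
        except OSError:
            continue                         # unreadable directory: skip it


def scan_file(path):
    """Return the names of every signature that matches this file."""
    with open(path, "rb") as fh:
        data = fh.read()                     # demo reads whole files at once
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern in data:
            hits.append(name)
    return hits


def scan_share(root):
    """Map share-relative path -> matched signatures, for flagged files only."""
    findings = {}
    for path in walk_share(root):
        hits = scan_file(path)
        if hits:
            findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def build_sample_share():
    """Create a constructed share: one clean file, one file carrying the
    dropper marker, one whole-file hash match, and a recursive link."""
    root = tempfile.mkdtemp(prefix="share-")
    os.makedirs(os.path.join(root, "docs"))
    os.makedirs(os.path.join(root, "archive"))
    with open(os.path.join(root, "docs", "report.txt"), "wb") as fh:
        fh.write(b"quarterly figures, nothing to see\n")
    with open(os.path.join(root, "docs", "setup.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 16 + PATTERN_SIGNATURES["constructed-dropper"])
    with open(os.path.join(root, "archive", "old.bin"), "wb") as fh:
        fh.write(KNOWN_BAD_PAYLOAD)
    # docs/loop -> docs: the kind of self-referencing path the text warns about
    try:
        os.symlink(os.path.join(root, "docs"), os.path.join(root, "docs", "loop"))
    except (OSError, NotImplementedError):
        pass                                 # no symlink support: scan still works
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for rel, hits in sorted(scan_share(share).items()):
        print(f"{rel}: {', '.join(hits)}")
```

Two design points carry over to a production scanner: the loop guard keys on device and inode rather than on path strings, because a looping link produces an unbounded supply of distinct paths for the same directory, and the scan flags content by signature regardless of the host, since the files on this share would never execute on the server that stores them. To exercise the same flow against a real engine, drop the EICAR test file onto the share in place of the constructed marker.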

As the authors of NIST 800-83 had hoped, there are in fact satisfactory solutions available for all of these platforms. Selecting and deploying a native solution for every System i, Linux, AIX, or other UNIX system in your operations should be the next step in your efforts to better secure your information.


Putting the Pieces Together
While anti-virus software on all systems is absolutely critical, it does not alone meet the security requirements and guidelines of FISMA, NIST, or even simple security best-practice tests. It is important to remember that this is a war on many fronts. As outlined in a previous article, "Building a Better Virus Trap," a layered approach to security is required to adequately fight today's threats. Architects of physical security have long understood the benefit of layers in achieving their protection goals. The same concept applies to system security in the computer world. In brief, the approach involves these layers in this order:

  • The firewall
  • User IDs and passwords
  • Access control
  • Scanning on all systems
  • The safety net

Reviewing and strengthening all of these aspects of your security policies will help you to better protect your critical information and those you serve.


Now Hit the Battlefield!
If your organization is like most governmental and educational organizations, some areas of security are rock solid and some could use improvement. Twenty-first-century computing has become more dangerous than we may have expected (or hoped), but by knowing what the threat truly entails, what Congress is expecting, and what can result from failure to deploy adequate measures, you can better evaluate and implement policies and tools. By casting aside preconceptions of your platform's invulnerability and embracing the reality that viruses and malicious code can impact (or hide in) any system, you can get on the road to true protection that will help your organization avoid the headaches of bad publicity and lost public confidence.


This article was originally published on MC Press Online.