InformationWeek: The Business Value of Technology


July 10, 2000


It's Time To Clamp Down

continued...page 3 of 3

Illustration by George Abe

    Even the best-executed security policies and technologies can only manage security risks--not entirely eliminate them. But on some fronts, companies seem to be making headway: The survey data shows a downward trend in virus breaches: 58% of organizations say they were caught off-guard this year, compared with 64% in last year's survey. Analyst Prince says that makes sense. "Companies are getting better at stopping virus attacks. Each time they're hit with an ILOVEYOU-type virus, they get a practice drill to better prepare for the next time," he says.

    When viruses do hit, however, they often hit hard. In the last year, major companies' servers were brought down for hours, or even days, by such attacks--the ILOVEYOU bug, in particular. Dozens of the world's largest companies shut down their E-mail services after being hit by that virus--even the Pentagon and British parliament were caught in it.

    Other institutions, such as Northern Illinois University in DeKalb, Ill., warded off the ILOVEYOU E-mail attack with common sense and due diligence. The university, which supports both Novell GroupWise and Microsoft Outlook installations, only had to take one of its 75 E-mail servers offline for a few hours, says Walter Czerniak, associate VP for IT. Czerniak attributes the university's ability to avert disaster partially to its having an internal mailing list, which very quickly helped tip off security and IT managers throughout the campus that something wicked could be heading their way.

    What may have kept them out of real trouble was shying away from standardizing university-wide on Outlook. "The whole thing with Microsoft products and their concept with Outlook is mind-boggling," Czerniak says. If a GroupWise user clicked on the ILOVEYOU bug, that virus wouldn't spread from that machine--it would just destroy the files of that user and then die. But Outlook executes Visual Basic Scripts that can do a variety of things to a system. "Why you'd let a mail program run executables and do anything it wants to your operating system is pretty bizarre in the first place. Corporations didn't fear building that kind of flexibility into their networks, and now they're paying the price." Czerniak suggests that network managers disable Visual Basic Script attachments, if possible, or at least educate users about when not to click on attachments.

    That's a lesson a few America Online employees may have skipped. In mid-June, AOL confirmed that some employees failed to heed this basic security precaution when they clicked on an E-mail attachment of unknown origin. A Web site staffed by former AOL insiders, Observers.net, was the first to report the breach; it said that once workers clicked on the attachment, a Trojan horse (a program that appears friendly but is malicious) was released that opened a gateway into AOL's internal network, including the company's customer-service application, which holds sensitive customer information such as credit-card data.

    AOL is investigating the episode, according to a company spokesperson. The online service provider declined to provide many details but acknowledges that roughly 200 customer accounts were compromised. "We notified those customers and have taken measures to increase our security," he says. "We're continually taking measures to increase employee security awareness." The incident took place even though AOL has up-to-date virus scanning software in place.
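An added example, not from the article or from any product it names: a minimal mail-gateway check in Python for the script attachments Czerniak suggests blocking, which also covers the kind of unknown-origin attachment opened in the AOL case. The blocklist, function names and sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs directly or hands to a script host (assumed blocklist).
BLOCKED = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
           ".scr", ".pif", ".exe", ".bat", ".cmd", ".com"}


def risky_attachments(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for each attachment a gateway should quarantine."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so "a.vbs. " still runs as .vbs.
        cleaned = name.strip().rstrip(". ").lower()
        stem, dot, ext = cleaned.rpartition(".")
        if not dot or "." + ext not in BLOCKED:
            continue
        # "report.txt.vbs" displays as "report.txt" when known extensions are hidden.
        disguised = "." in stem
        findings.append((name, "disguised script" if disguised else "script"))
    return findings


def build_sample() -> bytes:
    """Constructed test message: one harmless and two script attachments."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    for fname in ("minutes.txt", "quarterly-report.txt.vbs", "setup.VBS."):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, reason in risky_attachments(build_sample()):
        print(f"quarantine {fname!r}: {reason}")
```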

    While virus signature files are only effective once a virus is identified, they're still powerful tools for thwarting security breaches. As the workforce becomes more mobile, though, keeping these files up-to-date is more challenging. "We've had salespeople in the field with virus signatures that weren't updated in two years," laments Wendel Mentink, desktop administrator for Pemco Inc., a packaging equipment manufacturer in Sheboygan, Wis. Mentink says it's impossible to rely on users to update signatures on their own, even when it's an automatic process. And because mobile users aren't regularly connected to a network, it's harder to lasso them to broadcast updates, as well.

    Mentink says he was fortunate to stumble on a novel way to keep the virus signatures of all 100 notebook-users on track while searching for software to more easily distribute patches and file updates to workers. The latest version of Orbiter, Callisto Software's mobile systems-management product, proved its value when the "Love Bug" hit computers worldwide on Wednesday, May 3. At 9 a.m. Thursday morning, the virus struck roughly 30 of Pemco's computer systems: Damage was minimal at the home office because only two users had clicked on the attachment, and word spread quickly there before any real damage was done. But Mentink was concerned about the company's far-flung mobile staff: Luckily, Orbiter enabled him to dispatch the updated signature files he downloaded for CA's InoculateIT, so that mobile users would receive it as soon as they checked E-mail. "I can confidently say we're no longer flying with out-of-date antivirus signatures," he says.

    Of course, just as companies start getting a handle on keeping their notebooks virus-free, it looks like virus writers are taking the battle a step further. In recent weeks, E-mail-enabled mobile phones were hit for the first time by a virus, and experts agree it's just a matter of time before the critters begin attacking other intelligent handheld devices such as personal digital assistants.

    "Timofonica," which blasted onto the scene on June 5, was written to target users of Spain's largest cell-phone network, Telefonica. It sent itself the same way the ILOVEYOU virus did, as an E-mail attachment. The virus randomly picked numbers on the network, sending them a note critical of the telecommunications company. Reports were that the virus hit fewer than 1,000 phones, and caused no disruptions in service. But such a virus could be easily tailored for use on any wireless network, and if tweaked, could send itself to more phone numbers, enough to clog telecommunications networks, analysts say.

    Obviously, wireless telecommunications providers, enterprise network managers, and mobile users are going to have to become just as vigilant with handheld mobile devices as they are with their notebooks and PCs. The challenge will grow as mobile E-commerce gains steam, driven by the acceptance of such standards as the Wireless Application Protocol. "Enterprises need to think about security" in IT environments that support mobile E-commerce, says Tanya Candia, VP of worldwide marketing for F-Secure Corp., which provides centrally managed security as a service to businesses.

    "As these devices get smarter, it's not going to be just about viruses and malicious code," she says. Candia imagines scenarios where, for example, hackers assume banks' identities to send out messages to handhelds welcoming new customers and asking for account numbers. "It will look like those messages came from a trusted provider," she says.

    Analysts say mobile devices are also susceptible to denial-of-service attacks, which are attacks meant to deny access to a service. With a handheld system or smart phone and the WAP gateway, such an attack could be "someone sending multiple messages that send 2,000 dots to your phone. It's going to fill your display and you're not going to be able to see anything else," Candia says.

    This year marked the first time prominent Web sites were taken down as a result of distributed denial-of-service attacks. Hackers launched a string of attacks against Buy.com, eBay, Yahoo, and other leading Web sites earlier this year, flooding them by making a slew of "zombie" systems send requests to them. This kept legitimate users from logging on or even crashed the site. Large companies, whose sites are typically more visible than those of smaller businesses, are particularly concerned about falling prey to these attacks: 64% of large companies say they're defending against attacks by implementing protocol filtering vs. 45% of small companies. And 58% have developed a disaster recovery plan vs. 46% of small companies. Among large businesses, 59% say they're implementing intrusion-detection products for this reason.

    Most experts agree that the industry has seen only the first waves of denial-of-service and distributed-denial-of-service attacks. Common sense and good network hygiene will go a long way toward reducing the impact of large-scale attacks but won't eliminate the chances they will occur. "It's a matter of maintaining vigilant best practices," says analyst Prince. That includes outbound packet filtering, so that systems don't become a zombie launchpad to attack other sites, he says. Other precautions include staying up-to-date on known denial-of-service vulnerabilities specific to the Web systems in place and always scanning for Trojan horses known to be used by crackers for launching distributed-denial-of-service attacks. The truly prepared will run many duplicate sites, because it's unlikely that an attack will cripple all servers at once.

    There's no magic to keeping businesses safe and virus-free. Experts agree it's a matter of knowledge, diligence, and a bit of luck. Prince says that once a company has sound policies in place, and the resources to support them, "most security is simply grinding through the motions."
