The Grey Chronicles

3.July.2008

Does GSPI need an Information Security Policy?

In reply to the IT Administrator’s Virus Advisory, I sent him this email[1], entitled “Does GSPI need an Information Security Policy?”


>> Brontok Virus is a hard virus [sic] to fight and we need to completely isolate a hard drive to properly clean it.

Brontok[2], which affects all versions of Windows except 3.1, was discovered on 02 October 2005 and already has three known worm variants, A, B and C. BitDefender and Kaspersky class it as Win32.Nyxem.A-E@mm, while Norton Symantec labels it W32.Blackmal.E@mm and W32.Rontokbro.AN@mm. ISD had “unofficially” issued users a Brontok remover from G DATA’s AntiVirenKit of Poland, which could only remove variants A and C. Refer to its attached documentation. The major AV producers [Symantec, BitDefender, Kaspersky, McAfee] classified the Brontok worm as:

Risk Level: Low to Moderate
Threat containment: Easy
Removal: Moderate

Thus, unlike the PE.Nimda, BugBear, MyTOB and Sasser worms, the Brontok worm is not “a hard virus to fight”. At [our division], we finally “killed” the Brontok worm on two computer systems, namely:

(a) Admin: WinXP SP1
(b) QA: WinXP SP2 on “D” drive and SP1 on “C” Drive.

[Note: the need for two WinXP systems installed on this one PC is beyond comprehension! After five days of worm-free operation, however, the QA PC failed, owing to the presence of the worm on the network, and was brought to ISD, sigh :-/ It was found out last Sunday, 06 August, that the assigned Administrator had tinkered with the settings, disabled the Norton antivirus and released the virus again from one of the hidden or private folders in his account.]

This was done using only the Windows Restore function, plus the help of a free-to-try antivirus [Norton 2006], a free anti-spyware tool [SpyBot] and a free utility [HJT], all available on the Internet. With the Windows Restore option, the three hard drives were not even “completely isolated” from the network to clean them properly; we cleaned them from another system.

There are numerous websites detailing the procedure for getting rid of this worm. Although the process is tedious, time-consuming and requires a lot of patience, it can be done. The last-resort method of reformatting the drive, reinstalling the applications, reactivating the software and so on should be avoided; that is not what you experts should be doing. Aside from losing the “activated” state of raw Windows XP or SP1, users would have to start from scratch on their settings, connections and the like, and there is the added possibility of re-infection when the old files are copied back onto the newly formatted drive.

>> The Virus Alert is to make users aware of the new viruses that might be present in mails that they receive or files that they are downloading, so that they may know the symptoms if they are infected.

In theory, your Virus Alert is a very noble act, but maybe you should summarize the website’s tech-savvy version in your OWN user-friendly, one-screen version, with due acknowledgment of the author’s copyright or the source [http://www.net-security.org/virus_news.php?id=669], instead of quoting the whole web page verbatim. Most of us Lotus Notes users have a limited mailbox quota, which your verbose Virus Alerts tend to fill to the maximum. Neither archiving old mail nor emptying the trash after deleting it reclaims the mailbox space, due to a “defective” Lotus Notes server configuration.

Most of the viruses, worms and spyware mentioned in the Virus Alert are not that critical to GSPI operations. As an example, your very recent Virus Alert covered Dengis.A, which affects Matlab source files. At GSPI, who uses Matlab [used in complex mathematical models] anyway? ASPLux.A affects ASP hosts and files. At GSPI we use IIS, but no real Active Server Pages or their extended relative [ASPX] are in use. Most GSPI users run either Firefox or Microsoft IE, so when web pages are saved to local disk they are saved with .HTML, .HTM or .TXT extensions and not as .ASP, unless of course a user specifically saves them as .ASP.

Furthermore, this malware is readily detected and removed by even the free version of any antivirus software. Maybe you should instead pay attention to those viruses, worms and Trojan horses which a) threaten mission-critical GSPI operations, b) are imminent, or c) have already infected a particular GSPI corporate computer, and then send out a Virus Advisory.

This proposed one-screen, mission-critical Virus Alert would ease the mail server’s burden, free some of management’s time now spent reading or deleting the said Virus Alerts, and focus more attention on other pressing concerns.

Of late, emails with attachments such as .pif, .vbs, .ini, .exe or .eml are suspect, and every user should be wary of them. Opening files with these extensions almost always triggers the infection. The symptoms of virus, spyware and Trojan horse infection are all too typical, namely:

  1. Computer runs more slowly than normal
  2. Computer stops responding or locks up often
  3. Computer crashes and restarts every few minutes
  4. Computer restarts on its own and then fails to run normally
  5. Applications don’t work correctly, or new components appear
  6. Disks or disk drives are inaccessible
  7. Can’t print correctly
  8. Unusual error messages or pop-up advertisements
  9. Distorted menus and dialog boxes
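The attachment rule above [.pif, .vbs, .ini, .exe, .eml] is easy to state but easy to get wrong in practice, because Windows decides how to open a file by its last extension, not the one the user sees. The following is an added example, not part of the original email, that a mail gateway or a desktop check could apply to attachment names. It is written for PowerShell 2.0 [available for XP SP3]; the extension list takes the five types named on this page and adds the other Windows executable and script types, which is an assumption about local policy rather than anything the email specifies, and the sample names at the bottom are constructed test data.

```powershell
# Added example, not from the original email: classify mail attachment names
# by the extension Windows will actually honour. The extension list takes the
# page's five types (.pif, .vbs, .ini, .exe, .eml) and adds the other Windows
# executable and script types; that wider list is an assumption about local
# policy, and the sample names at the bottom are constructed test data.
$SuspectExtensions = @('.pif', '.vbs', '.ini', '.exe', '.eml',
                       '.vbe', '.js', '.jse', '.wsf', '.wsh', '.scr', '.com',
                       '.bat', '.cmd', '.lnk', '.hta', '.reg')

function Test-SuspectAttachment {
    param([Parameter(Mandatory = $true)][string]$FileName)

    # Windows ignores trailing spaces and dots, so "report.exe . " still runs
    # as report.exe; strip them before looking at the extension.
    $clean = $FileName.TrimEnd(' ', '.')

    # Only the LAST extension decides how the file opens: "invoice.pdf.exe"
    # is an executable, whatever the icon or the mail client suggests.
    $ext = [System.IO.Path]::GetExtension($clean).ToLowerInvariant()

    $reasons = @()
    if ($SuspectExtensions -contains $ext) {
        $reasons += "executable or script type $ext"

        # A second, harmless-looking extension in front of the real one is the
        # classic way of disguising it.
        $inner = [System.IO.Path]::GetExtension(
                     [System.IO.Path]::GetFileNameWithoutExtension($clean)).Trim()
        if ($inner) { $reasons += "double extension ($inner$ext)" }
    }
    # A long run of spaces pushes the real extension out of the visible
    # part of the attachment name in most mail clients.
    if ($clean -match ' {10,}\.[A-Za-z0-9]+$') {
        $reasons += 'padding spaces before extension'
    }
    # A CLSID in braces as the extension is hidden by Explorer and opens the
    # file with the named COM object instead of by its visible type.
    if ($clean -match '\.\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        $reasons += 'hidden CLSID extension'
    }

    New-Object PSObject -Property @{
        FileName = $FileName
        Suspect  = ($reasons.Count -gt 0)
        Reason   = ($reasons -join '; ')
    }
}

# Constructed sample attachment names for a dry run.
$samples = @('Budget_2006.xls',
             'photo.jpg',
             'Readme.PIF',
             'invoice.pdf.exe',
             'minutes.doc                                   .vbs',
             'forward.eml',
             'notes.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}')
$samples | ForEach-Object { Test-SuspectAttachment -FileName $_ } |
    Format-Table FileName, Suspect, Reason -AutoSize
```

Of the constructed samples, the first two pass and the other five are flagged: the .PIF regardless of case, the .exe hidden behind a .pdf, the .vbs pushed out of view by padding, the .eml, and the braced CLSID. A blocklist that only compared the visible extension would have let the last three through.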

Everybody experiences these symptoms, or a combination of them, at some point in their computing life. Personally, I recommend the following vital utilities for installation on all Windows XP PCs, especially those with Internet access.

  1. SpyBot – scans for spyware, adware, hijackers and other malicious software. [http://www.spybot.com/en/mirrors/index.html] – free for all
  2. SpywareBlaster – protection against spyware, adware, browser hijackers and dialers while on-line [http://www.javacoolsoftware.com/spywareblaster.html] – free for individuals, say laptop users, but not for corporate use.
  3. Ad-Aware Personal – advanced protection from known data-mining, aggressive advertising, Trojans, dialers, malware, browser hijackers and tracking components. This software is downloaded free of charge. [http://www.lavasoft.com/software/adaware/] Ad-Aware SE Enterprise, volume-priced, even has centralized management for networks.

There are a lot of similar products out there, but these three are the pioneers; all the others are clones or copycats and not at par with those mentioned above. For a full comparative chart, read [Spyware Warrior’s “Family Resemblances” article].

>> Unfortunately, the Symantec Antivirus corporate server is presently down and we are still troubleshooting the problem. OfficeScan is not our corporate antivirus and we are not supporting it for updates.

With the Symantec Antivirus Corporate Server down, ISD should in the meantime have reverted each of the applicable PCs to use the LiveUpdate button, or deployed the Symantec Virus Definitions Intelligent Updater, which is free to download each week, either by ISD personnel, who could then save it in a shared folder on the network, or by users with an Internet connection. As of this time, LiveUpdate is disabled in the default Symantec Corporate installation that ISD puts on users’ PCs. Sharing one downloaded Intelligent Updater would also reduce Internet traffic.

Dispelling one of the Common Security Myths, which states “It’s Always Better to Wait for an Official Solution to a Problem,” many users attempted to install virus scanners whether or not they were a practical solution to the problem at hand. Most are not aware that a given fix might not be the one needed to cure the ailment. Case in point: trying to clean Brontok variant B with the off-the-shelf Brontok cleaner cited above, which only removes variants A and C.

>> The account settings are a way to make folders private. The owner of a said account doesn’t want his important files quarantined or altered by other users, and we are respecting that situation.

Account settings on all GSPI desktop computers should be set up so that every user can access the documents in these folders. You forget that these corporate computers are for corporate use and there should be no private files on them. Important files should be backed up off-line, not hidden in private folders, so that AV software can access or quarantine them if need be. Recently there was a case regarding this situation in the US, and the court ruled that the company had precedence over these files. Maybe what we need is an Information Security Policy [3].

>> Per computer, at least one or two virus scanners are allowed and should complement each other to work properly. To ensure that no two virus scanners scan at the same time and your computer won’t crawl, you should try changing the schedule for the scanning.

Although the GFI whitepaper “One Virus Engine is Not Enough” found that “Many organizations don’t deploy multiple scanning engines,” GFI CEO Nick Galea says, “because they don’t want to pay twice for two overlapping sets of tools. A more cost-effective alternative is to deploy a single product that uses multiple scanning engines for checking email content and attachments while providing email intrusion detection and defense.” Interestingly, this paper only dealt with the mail server level, during the Sober outbreak.

Moreover, allowing two virus scanners on one system is not a recommended approach, and even Microsoft advises against it.

Microsoft’s Antivirus Defense in Depth whitepaper cites four problems caused by interoperability issues when antivirus applications from different vendors run on the same machine: memory overhead, system crashes or stop errors, performance loss, and loss of system access.

In layman’s terms, the whitepaper can be summarized thus: most of these virus scanners are installed with default settings, which unfortunately means their active protection, or real-time scanning, is enabled from the moment of installation. Unless the user tweaks the configuration to disable the active protection of all but one scanner, there is no guarantee that a PC is running only one scanner in real time; rather, they run alongside each other from the moment the PC is on.

Thus, “changing the schedule for the scanning,” as you suggested, only moves the scheduled scans; it does nothing about the active protection or real-time scan of each virus scanner, which keeps running regardless of the schedule.
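Whether a PC really has more than one on-access scanner loaded is something ISD can check rather than argue about. The following is an added example, not part of the original email: it asks Windows Security Center, over WMI, which antivirus products are registered on a PC and which of them report real-time protection as enabled, then warns when more than one does. It assumes PowerShell 2.0, WMI access to the target, and that the installed products register with Security Center, as the major vendors’ XP SP2-era builds do; the decoding of productState for Vista and later is the commonly published interpretation, not a documented contract, and is marked as an assumption in the code.

```powershell
# Added example, not from the original email: ask Security Center which
# antivirus products a PC has registered and how many of them have real-time
# (on-access) protection switched on. Assumes WMI access to the target and
# that the installed products register with Security Center, as the major
# vendors' XP SP2-era builds do; the productState decoding for Vista and
# later is the commonly published interpretation, not a documented contract.
function Get-RealTimeScanners {
    param([string]$ComputerName = '.')

    $products = @()

    # Windows XP SP2 / Server 2003 SP1: root\SecurityCenter exposes plain flags.
    $xp = Get-WmiObject -Namespace 'root\SecurityCenter' -Class AntiVirusProduct `
                        -ComputerName $ComputerName -ErrorAction SilentlyContinue
    foreach ($p in $xp) {
        $products += New-Object PSObject -Property @{
            Computer   = $ComputerName
            Product    = $p.displayName
            Vendor     = $p.companyName
            RealTimeOn = [bool]$p.onAccessScanningEnabled
            UpToDate   = [bool]$p.productUptoDate
        }
    }

    # Vista and later: root\SecurityCenter2 packs the state into productState.
    # Read as six hex digits: digits 3-4 are the real-time state (10 or 11 =
    # on), digits 5-6 the definition state (00 = current). Assumption, see above.
    $v6 = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct `
                        -ComputerName $ComputerName -ErrorAction SilentlyContinue
    foreach ($p in $v6) {
        $state = [Convert]::ToString([int]$p.productState, 16).PadLeft(6, '0')
        $products += New-Object PSObject -Property @{
            Computer   = $ComputerName
            Product    = $p.displayName
            Vendor     = ''
            RealTimeOn = ($state.Substring(2, 2) -eq '10' -or $state.Substring(2, 2) -eq '11')
            UpToDate   = ($state.Substring(4, 2) -eq '00')
        }
    }
    $products
}

# Returns $true when at most one scanner is watching file access. Scan
# schedules are irrelevant to this: the on-access drivers of every installed
# product are loaded at boot regardless of when the full scans are timed.
function Test-SingleRealTimeScanner {
    param([string]$ComputerName = '.')

    $live = @(Get-RealTimeScanners -ComputerName $ComputerName | Where-Object { $_.RealTimeOn })
    if ($live.Count -gt 1) {
        $names = ($live | ForEach-Object { $_.Product }) -join ', '
        Write-Warning "$ComputerName : $($live.Count) real-time scanners active ($names); disable all but one."
        return $false
    }
    return $true
}

Get-RealTimeScanners | Format-Table Product, Vendor, RealTimeOn, UpToDate -AutoSize
Test-SingleRealTimeScanner
```

Run against a PC with, say, Norton and a second scanner both left at their defaults, the table shows two rows with RealTimeOn set and the warning fires; rescheduling the nightly scans leaves both flags exactly as they were. Pass a host name to either function to check a plant PC from the ISD loft.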

Microsoft recommends installing either Windows Defender or a third-party virus scanner [Norton and McAfee are MS partners], but not both. WD is only available for registered and licensed Windows XP PCs, though. Furthermore, Norton Symantec conflicts with the Microsoft Firewall, although there is a workaround for it. BitDefender sometimes encounters errors in kernel32. McAfee’s McShield service crashes explorer.exe, leaving the user stranded at a desktop with no objects, aside from its tendency to misdiagnose some viruses. Kaspersky Anti-Virus 6.0 and Kaspersky Internet Security 6.0 have errors in their HTTP web antivirus monitor and POP3 monitor handling.

>> Everything is always available on the help option of the program.

This is false. Not everything is there. For recent software fixes, you have to be connected to the Web; otherwise the Help option only offers the most common ones known when the program was created. Since most of us at GSPI deploy the free versions, the Help is not as robust as in the commercial versions, and sometimes the Help file is only accessible through the Internet, which only a few can access. Also, in a recent informal survey at the MSU-IIT College of Business Administration, only 1 in 20 computer users ever clicked Help or pressed F1 to access the Help file in a Microsoft Office application; 1 in 25 clicked Help in Microsoft Windows; and 1 in 40 clicked Help in other software applications, including virus scanners.

>> The upgrade to SP2 is free on the Windows site, and the no. 1 requirement is that it should be a licensed Windows.

This is a misconception. A license is not required to upgrade Windows XP SP1 to Windows XP SP2[4]. The license is ONLY REQUIRED if

  1. You attempt to download updates from the Microsoft Update or Windows Update web sites; this is handled by the Windows XP Product Activation [WPA] module for its “Windows Genuine Advantage” updates. [Note: a user could still download updates that are not of the WGA type, such as updates for pre-Windows XP systems, which our old computers might need.]
  2. You want to activate a Windows installation whose grace period is about to expire; usually the limit is 30 days from installation. [Most of GSPI’s Windows XP installations have been running for almost two years now, and most have an Internet connection, so it is assumed they are already activated; otherwise the user would have complained that he could no longer access his computer.]

Unfortunately, on 06 June 2006 Microsoft announced that, starting 10 October 2006, it would end assisted support and security updates for Service Pack 1 as part of the life-cycle policy for all Microsoft software. It recommends the free upgrade to Service Pack 2 for Windows XP users to continue receiving the latest security updates.[5]

The problem of PCs being unable to upgrade from raw XP or SP1 to SP2 lies not in whether the Windows XP is licensed but in a bug in Windows XP SP1. This has been addressed by several threads of fixes and workarounds in the Microsoft Support group. It occurs mainly on pre-installed raw Windows XP, sometimes on pre-installed Windows XP SP1, as well as on systems with legacy components that need SP2-compatible drivers and the like. That is where you IS Specialists should come in to fix it, or simply refer to the KB885894 article on the MS website.

Windows XP SP2 offers a myriad of security features; per the website’s sales pitch: “With features like Windows Firewall, Pop-up Blocker for Internet Explorer, and Windows Security Center, you can be confident that your computer has the right tools to stay more secure and up to date.” See http://www.microsoft.com/windowsxp/sp2/default.mspx. This is not to say that I personally am very impressed with SP2; there is still a lot of room for improvement, as shown by the constant issuance of security updates from Microsoft even after the release of Windows Vista. But given that most GSPI PCs and laptops run Microsoft Windows, there is no escape, unless we all shift to an open system such as Linux. I reiterate my recommendation that you request a free copy of WinXP SP2 from Microsoft Philippines, if this critical update is still not available at ISD. Downloading it through the net could take hours, if not days.

I personally have used Windows XP SP2 on my home notebook PC since 2003. My notebook, a gift from Canada, came pre-installed with licensed Windows XP SP1; I activated it once online in 2003 and once by phone, after the PE.Nimda.A-E outbreak during the NSC liquidation. I upgraded to SP2 shortly thereafter, once all the updates required prior to SP2 had been downloaded through Automatic Updates. That was before the advent of Microsoft Update, which is different from Windows Update.

My sons’ computer, a PC clone, was pre-installed with WinXP SP1. Using even a cracked copy of SP2, I was able to update that PC from SP1 to SP2 while skipping registration, which you can legally skip if you do not want to download updates from the Microsoft website. Registration, by the way, is optional. Activation is not. I forgot to mention that my sons’ PC has no Internet connection.

The computer I used while I was with [Business Strategy], installed with raw Windows XP and thus already activated, was upgraded to SP1 online, then updated to SP2 after 5 pm as an unattended installation; when I came in for work the next day, WinXP SP2 was installed, up and running. When I visited the Six6/TPM office lately, however, the PC, which is now used by [name deleted], could still download Automatic Updates, except of course that it is now very slow because the Symantec Antivirus CE definition file, the SpyBot definition database, the SpywareBlaster defs and Lavasoft’s DTBs were all outdated.

Frankly, I had some difficulty upgrading from raw XP to SP1 because the license key on that computer was a well-known pirated one. The workaround worked by using the old license from the raw Windows XP without the service packs.

>> We can’t easily identify who is using SP1 or raw XP, so it is the responsibility of the user to request an upgrade.

In 2004 to 2005, ISD conducted a survey of all corporate PCs and laptops which included the hardware details as well as which system was installed on each. I assume that data is still available somewhere in ISD and only needs to be retrieved and updated. All new PCs pass through ISD when suppliers deliver them to GSPI, which is the opportune time to record what hardware and software a newly delivered computer carries; of course, ISD could have retrieved the pertinent data about each new PC then. Furthermore, most of the GSPI computers in the plant have Remote Administration v2.2, while others even had Belarc Advisor installed [which needs a license to scan multiple computers]; unless the respective Administrator has uninstalled this software, from your loft at ISD you could see what software is installed on anyone’s computer in the plant while it is turned on.

Incidentally, Windows XP computers have the Remote Assistance module loaded by default, unless disabled by computer-savvy users, through which you could probably see what software is running on another system, especially when the remote computer allows you to do so.

In the Network Neighborhood, you could also preview which computer uses what system. It only takes patience and perseverance. Have you tried right-clicking a computer in the Network Neighborhood and selecting Properties? You could readily identify which uses FAT16, FAT32 or NTFS: [most] Windows XP installations use NTFS; Win98, 98SE and ME use FAT32; and Win95 uses a mixture of FAT16 and FAT32. [N.B. Support for Windows 98, 98SE and ME ended 11 July 2006.] From that information you could then plan the actual verification of SP1 or SP2. That’s the beauty of networking: you don’t even have to be on site to know what is which, or which is what.
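The same facts [Windows version, service pack level, file system of each fixed drive] can be pulled directly over the network with WMI instead of one Properties dialog at a time. The following is an added example, not part of the original email, of how ISD could build the SP1-versus-SP2 list remotely. It assumes PowerShell 2.0, that the ISD account has remote WMI/DCOM rights on the targets and that the Windows Firewall allows it; the computer names in $Targets are constructed placeholders.

```powershell
# Added example, not from the original email: gather Windows version, service
# pack level and the file system of each fixed drive from a list of PCs over
# WMI, so raw-XP and SP1 machines can be listed without visiting them.
# Assumes the ISD account has remote WMI rights on the targets; the names in
# $Targets are constructed placeholders.
$Targets = @('ADMIN-PC', 'QA-PC', 'TPM-PC')   # constructed sample names

function Get-ServicePackInventory {
    param([string[]]$ComputerName)

    foreach ($pc in $ComputerName) {
        try {
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $pc -ErrorAction Stop
            # DriveType 3 = local fixed disk; FileSystem is NTFS, FAT32 or FAT.
            $disks = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 3' `
                                   -ComputerName $pc -ErrorAction Stop
            # CSDVersion is empty on a raw install, "Service Pack 1" on SP1, etc.
            $sp = if ($os.CSDVersion) { $os.CSDVersion } else { 'none (raw install)' }
            New-Object PSObject -Property @{
                Computer    = $pc
                Windows     = $os.Caption.Trim()
                Version     = $os.Version
                ServicePack = $sp
                Drives      = (($disks | ForEach-Object { '{0} {1}' -f $_.DeviceID, $_.FileSystem }) -join ', ')
                # Windows XP is kernel 5.1; anything below SP2 needs the rollout.
                NeedsSP2    = ($os.Version -like '5.1.*' -and $sp -notmatch 'Service Pack [2-9]')
                Error       = ''
            }
        } catch {
            # Unreachable, powered off, or WMI/DCOM blocked by a firewall.
            New-Object PSObject -Property @{
                Computer = $pc; Windows = ''; Version = ''; ServicePack = ''
                Drives = ''; NeedsSP2 = $null; Error = $_.Exception.Message
            }
        }
    }
}

$inventory = Get-ServicePackInventory -ComputerName $Targets
$inventory | Format-Table Computer, Windows, ServicePack, Drives, NeedsSP2, Error -AutoSize

# Machines that still need the SP2 rollout:
$inventory | Where-Object { $_.NeedsSP2 } | Select-Object -ExpandProperty Computer
```

The Error column matters as much as the others: a PC that does not answer WMI is either off, off the network, or has the firewall blocking remote management, and each of those is something ISD would want to know before planning a centralized rollout.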

It is not the responsibility of the user to ask for an upgrade from raw XP or SP1 to SP2. This task must be centralized by ISD so that all systems use the same service pack, if at all possible. Logistically, it is much easier to maintain, less costly and faster to update, using transforms, if all similar systems [say, all Windows XP with SP2, all pre-Windows XP with SP4] are on the same service pack. This should also be done for all MS Office products, but that’s sort of a daydream right now :-)

With ISD’s very lean, but talented, technical personnel, doing it centrally is much more desirable at present than doing it the hard way: troubleshooting every type of problem in different system environments. In sum, it is to ISD’s advantage if this could be done.
Thanks for your patience in reading this very long email.
Regards and happy computing!


Notes:

[1] This email was sent last 08 August 2006. [back to text]

[2] Almost two years later, the Brontok worm is still on the loose at GSPI. Apparently, NOTHING was done. This might be because of what happened next. See the Confessions of a Paranoid User. [back to text]

[3] Days later, the same IT Administrator became the Information Security Officer. Refer to the signature block of the ISO. I believe that although the Information Systems and Services Department would disavow such a claim, it is an undeniable fact that the correspondence above triggered the creation of that position. [back to text]

[4] Windows XP Service Pack 3 can be downloaded from the Microsoft website or other sites irrespective of the license requirement. Applying Service Pack 3 to an unlicensed Windows XP, however, is another subject. [back to text]

[5] Service Pack 3 is available from Microsoft Update, Windows Update or the Microsoft Download Center; before obtaining Service Pack 3, first refer to this article. [back to text]

Disclaimer: The posts on this site do not necessarily represent any organization’s positions, strategies or opinions; and unless otherwise expressly stated, are licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License.

1 Comment

  1. trojan win32 removal…

    Maybe, but I’m not sure it’s for everyone….

    Trackback by Ben — 24.January.2009 @ 22:58

