Doug Palmer's network was hit by the Nimda virus. Andrew Iwamoto's network got a double whammy, falling prey to both Melissa and Nimda. Once burnt, these systems administrators are twice shy, and both now have an arsenal of security weapons for fighting hackers.
Palmer, Iwamoto and several IT professionals responded to SearchWindowsManageability's call for IT managers' system security disaster stories and survival strategies. We're passing their harrowing tales on in this article. To help others avoid these administrators' fates, we asked our resident Ask the Expert security gurus -- Scott Blake, BindView Corp. vice president of information, and network security administrator Laura Hunter -- to comment on each security horror story. Links to their opinions about these security issues and tips for dealing with them are embedded in the article.
Tell Iwamoto that lightning doesn't strike twice in the same place, and he'll laugh. On separate occasions, the Melissa and Nimda viruses each disabled Iwamoto's network. Both hit right after he had run his daily virus-signature updates. Neither was yet a known virus, so the signatures he had just installed offered no protection.
In the Melissa incident, a user opened an infected attachment and the virus quickly spread to every user's inbox. "It only takes one user to hose everything," Iwamoto said.
As soon as Iwamoto saw "instantaneous messages with the same subject" appear in his inbox, he took action. He disconnected
Later, inadequately patched IIS servers gave the Nimda virus an opening into Iwamoto's network. To repair the damage, he reloaded the poorly patched test machines and IIS servers. That attack caused only three hours of downtime, but any downtime is unacceptable, Iwamoto said.
What could Iwamoto have done to prevent these attacks? Read Scott Blake's opinion.
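The symptom that tipped Iwamoto off was a burst of messages with identical subjects arriving at once. The following detection routine, an added example that is not part of the original article, flags that pattern in a mail log: any subject seen at least a threshold number of times inside a sliding time window. The log lines, addresses and the "Important Message From <name>" subject line Melissa used are constructed for the example; the log format is an assumption, not any particular mail server's.

```python
"""Flag bursts of identical-subject mail, the symptom that tipped off Iwamoto."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample mail-log lines (not from the article).
# Format per line: date time sender subject
SAMPLE_LOG = """\
2001-03-26 09:14:02 alice@corp.example Re: budget figures
2001-03-26 09:14:05 bob@corp.example Important Message From bob
2001-03-26 09:14:06 bob@corp.example Important Message From bob
2001-03-26 09:14:06 bob@corp.example Important Message From bob
2001-03-26 09:14:07 bob@corp.example Important Message From bob
2001-03-26 09:14:09 carol@corp.example lunch?
2001-03-26 09:14:09 bob@corp.example Important Message From bob
2001-03-26 09:15:40 dave@corp.example Important Message From dave
2001-03-26 09:15:41 dave@corp.example Important Message From dave
2001-03-26 09:15:41 dave@corp.example Important Message From dave
2001-03-26 09:15:42 dave@corp.example Important Message From dave
2001-03-26 09:15:43 dave@corp.example Important Message From dave
2001-03-26 10:02:00 erin@corp.example Re: budget figures
2001-03-26 10:02:30 erin@corp.example Re: budget figures
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, sender, subject) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, sender, subject = line.split(" ", 3)
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        records.append((ts, sender, subject))
    return records


def find_mass_mailers(records, threshold=5, window_seconds=60):
    """Return one alert per subject that appears >= threshold times within any
    sliding window of window_seconds. Each alert is (subject, count, senders).

    A legitimate thread repeats a subject a few times over hours; a mass-mailing
    worm repeats it dozens of times in a minute, which is what this catches.
    """
    recent = defaultdict(deque)  # subject -> deque of (ts, sender) in window
    alerted = {}                 # subject -> (count, senders) at first trigger
    for ts, sender, subject in sorted(records):
        window = recent[subject]
        window.append((ts, sender))
        # Drop entries that have fallen out of the sliding window.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and subject not in alerted:
            alerted[subject] = (len(window), sorted({s for _, s in window}))
    return [(subj, count, senders) for subj, (count, senders) in alerted.items()]


if __name__ == "__main__":
    for subject, count, senders in find_mass_mailers(parse_log(SAMPLE_LOG)):
        print(f"ALERT: {count} copies of {subject!r} within 60s from {senders}")
```

The threshold and window are deliberately coarse: the aim is to page an administrator within the first minute of an outbreak, which is the interval in which disconnecting the mail server still limits the damage.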
Doug Palmer, a PC coordinator for The Montreal Gazette, also fell victim to the Nimda virus. "We are a metro daily newspaper, which means we are often a target for DoS attacks and spamming," he explained.
Two NT servers that access the Associated Press, the United Press and the Canadian Press wire services were the points of entry for the virus. Unbeknownst to Palmer, an inexperienced network technician had loaded Internet Information Server (IIS) on the two servers. The file transfer protocol (FTP) service IIS offers made the network susceptible, Palmer said.
Palmer shut down the Internet and IIS servers affected by Nimda. He told his 350 PC users not to run Microsoft Outlook or Outlook Express to stop the virus from spreading. It took him two days to get up-to-date patches and Norton anti-virus software on all servers.
Even with these precautions, security holes constantly pop up on Palmer's IIS servers. The patches and hotfixes work only sometimes. "There has to be a trade-off between the risk of not being up-to-date versus the possibility that your server may be fried after installing the latest patch/hotfix," he said.
Is IIS security a lost cause? Read Scott Blake's opinion.
The Funlove32 virus, downloaded directly from a Web page, infiltrated John Jenkins' network. The McAfee Corporate anti-virus software in use at the time didn't stop the virus from infecting many Office 2000 files.
"We had to blat Office off the system, and re-install," said Jenkins. "But it didn't work properly due to close integration between Internet Explorer and Office." So, he re-installed IE 5.0 and Office 2000 and applied Windows NT workstation service packs to fix some damaged files. "Now, we use Norton," he said.
Is it possible to find an anti-virus software product that isn't vulnerable to new bugs? Read Blake's opinion.
Beyond viruses, IT managers worry about the security risks of VPN usage and spam, as well as privacy issues.
An unknown intruder has been able to spam Palmer's network and send users to pornography sites. Palmer doesn't know how the intruder got his internal addresses. "The e-mail appears to be sent to ourselves as 'data@xxx.xxxxx.xxx', where xxx.xxxxx.xxx is the name of any organization," he said. There is no mailbox in Palmer's network called "data." Further, "there appears to be nothing outstanding within the headers or components of the messages." For now, Palmer and his team are bewildered.
How can a hacker cause a spam attack? Read Hunter's opinion.
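A message whose To: header names a mailbox that does not exist locally is the classic mark of spam with forged headers: the From: and To: lines are free text chosen by the sender, and only the envelope recipient and the Received lines added by your own servers say anything about where the mail really went and came from. The routine below, an added example and not part of the article or of Palmer's investigation, pulls those facts out of a message. The message, hostnames, addresses and the "gazette.example" domain are constructed for the example.

```python
"""Separate what a spam message claims from what our own mail servers recorded."""
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message (not from the article). The To: header names a
# mailbox, data@xxx.xxxxx.xxx, that does not exist locally, the pattern Palmer
# describes; hosts, IPs and the gazette.example domain are invented.
SAMPLE_MESSAGE = """\
Received: from mail.gazette.example (mail.gazette.example [192.0.2.10])
\tby mx.gazette.example with ESMTP id abc123
\tfor <user1@gazette.example>; Mon, 26 Mar 2001 09:14:02 -0500
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mail.gazette.example with SMTP id def456; Mon, 26 Mar 2001 09:13:58 -0500
Received: from [203.0.113.44] (unknown [203.0.113.44])
\tby relay.example.net with SMTP; Mon, 26 Mar 2001 09:13:50 -0500
From: data@xxx.xxxxx.xxx
To: data@xxx.xxxxx.xxx
Subject: Hot deals

click here
"""

# Assumed list of mailboxes that really exist on the local mail system.
LOCAL_MAILBOXES = {"user1@gazette.example", "user2@gazette.example"}


def received_hops(raw):
    """Return the Received headers, newest first, as dicts with the claimed
    sending host, the IP the receiving server saw, the receiving server, and
    the envelope recipient from any 'for <...>' clause."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        frm = re.search(r"^from\s+(\S+)", text)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", text)
        by = re.search(r"\bby\s+(\S+)", text)
        rcpt = re.search(r"\bfor\s+<([^>]+)>", text)
        hops.append({
            "from": frm.group(1) if frm else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
            "for": rcpt.group(1) if rcpt else None,
        })
    return hops


def handoff_hop(hops, trusted_domain):
    """Walk from the newest hop down while the receiving server is one of ours.
    The 'from' of the last such hop is the peer that actually connected to us,
    the only origin we can vouch for. Every Received line below it was written
    by outsiders and can be forged just like From: and To:."""
    last = None
    for hop in hops:
        if hop["by"] and hop["by"].endswith(trusted_domain):
            last = hop
        else:
            break
    return last


def analyse(raw, trusted_domain, local_mailboxes):
    """Summarise the checks an administrator wants on a suspicious message."""
    msg = message_from_string(raw)
    hops = received_hops(raw)
    header_to = [addr for _, addr in getaddresses(msg.get_all("To", []))]
    return {
        # Forged header: the advertised recipient is not a mailbox we have.
        "header_to_is_local": all(a in local_mailboxes for a in header_to),
        # Real delivery target, taken from our own server's Received line.
        "envelope_to": [h["for"] for h in hops if h["for"]],
        # Peer that connected to us: the address to block or report.
        "handoff": handoff_hop(hops, trusted_domain),
        # Claimed origin further down the chain: unverifiable, but worth noting.
        "claimed_origin_ip": hops[-1]["ip"] if hops else None,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_MESSAGE, "gazette.example", LOCAL_MAILBOXES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The practical outcome for a case like Palmer's is the `handoff` entry: the relay that delivered the mail is the one party whose address is verifiable and can be blocked or reported to its abuse contact, whereas the bottom Received line and the From: header are the sender's own claims.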
Several IT managers wrote in to express concern about VPN usage. They worry that home PC users accessing the corporate network via a VPN will spread viruses. It's virtually impossible, they say, to monitor these remote machines to make sure they have up-to-date firewalls and anti-virus protection.
Should IT managers be worried about security issues related to VPN users? Read Blake's opinion.
Finally, Jenkins reported that his users worried about another aspect of security: privacy. "We are allowed privacy on personal phone calls - but not on e-mails," said Jenkins. Other IT managers agree, noting that their users have asked for ways to keep others within the company from eavesdropping on their e-mail.
Can IT managers protect their users' e-mail privacy? Should they? Read Blake's opinion.
As these IT managers' stories show, security attacks come in many forms. The single measure that protects against the widest range of them is installing security patches regularly and religiously, according to Blake. Almost all recent high-profile security incidents occurred because administrators hadn't kept patches up to date, he said.
Very few breaches result from "new flaws that somebody discovered and used to break into systems before anybody knew what was going on," Blake concluded. "If everyone installed patches, life would be a lot harder for hackers."