23.4 Entry
The most important question that arises in our discussion of
programmed threats is this: how do these threats find their way into
your computer system, and how do they reproduce?
These days, most programmed
threats arrive via the Internet in the form of either an email
message or a direct attack on a network-based server. A received
email message or direct attack may be the result of a random event
(your organization's web server might be randomly
chosen) or it may be deliberate (you may have been specifically
targeted by an adversary). It is easy to mistake a direct attack for
a random one, and vice-versa. A direct attack is much more worrisome
than a random one, as a motivated attacker may continue to assault
your organization until the attacker is successful or is stopped.
Users may also be unwitting agents of the transmission of viruses,
worms, and other such threats. They may install new software from
outside, and install embedded malicious code at the same time. They
may run a "screen saver" or
download a pornographic "viewer"
from the Internet that contains a Trojan horse. Of course, most
programs that are downloaded from the Internet do not contain any
hostile code at all. However, the widespread practice of downloading
and running code from untrusted sources makes it that much easier for
hostile programs to be successful.
If you are targeted by a knowledgeable insider, that insider may
write back doors, logic bombs, Trojan horses, and bacteria directly
on the target system using readily available tools. Your users and
especially your staff pose a significant threat to your
system's overall security: these people understand
the system, know its weaknesses, and know the auditing and control
systems that are in place. Legitimate users often have access with
sufficient privilege to write and introduce malicious code into the
system. Especially ironic, perhaps, is the idea that at many
companies the person responsible for security and control is also the
person who could cause the most damage if he wished to issue the
appropriate commands. Frequently, there is no technical auditing or
other checks and balances for senior system management.
Programmed threats can easily enter most machines. Environments with
poor controls abound, caused in part by the general lack of security
training and expertise within the computing community. For example,
even though anti-virus software is now considered a base requirement
for corporate and home PCs, more machines lack anti-virus software
than have it. Almost as unfortunate is the fact that many people who
have purchased anti-virus software fail to update the virus
signatures on a regular basis, thus rendering the software largely
useless against current threats.
No matter how systems initially become infected, the situation is
usually made worse when the software spreads throughout all
susceptible systems within the same office or plant. Most systems are
configured to trust the users, machines, and services in the local
environment. Thus, there are even fewer restrictions and restraints
in place to prevent the spread of malicious software within a local
cluster or network of computers. Because the users of such an
environment often share resources (including mail systems, file
servers, shared programs, and so on), the spread of malicious
software within such an environment is hastened considerably.
Eradicating malicious software from such an environment is also more
difficult because identifying all sources of the problem is almost
impossible, as is purging all those locations at the same time.