Computer Security in an Educational Environment
Dr. Wayne C. Summers
Associate Professor - Computer Science
ITM-Pusat Pendidikan Persediaan / MUCIA - Indiana University
Section 17, 40200, Shah Alam, Selangor, Malaysia
phone/fax: (03) 541-5846
INTERNET: wayne@mucia.itm.my
Abstract: The use of computer systems is changing our lives and the way we teach and learn today. They have increased the efficiency with which we do our work. We are now more productive, but at a cost. We have become dependent on these same computer systems in our daily lives and for doing our jobs. Coupled with this is a lack of awareness of how vulnerable our data, software and hardware are. This paper discusses the problems associated with maintaining a secure computer system and proposes some solutions to overcoming these problems. It also summarizes the results of a series of surveys conducted in Malaysia by the author. The surveys were used to determine the status of computer security in Malaysia. They also provide a foundation for suggesting some solutions to the problems that exist in Malaysian computer security.
Introduction
"Police warn of 'computer
hackers' infiltrating CDS" [5]
"Computer virus to hit next
month - it will wipe out all hard disks every day of March" [4]
"Many users still ignore
rampant virus threat" [6]
"Blackout creates havoc for
IT users" [1]
"Subang Airport fire: A
lesson for IT users" [3]
These are some headlines from
recent Malaysian newspapers. Has your
school taken precautions to keep out hackers?
Are you ready for the next big virus attack? Can your school survive a lengthy power
outage? Could your school recover from a
major fire? These are some questions
that you may be facing in the future.
We have become increasingly
dependent on our computer systems for processing information and soon these
same computers will become a necessity in teaching our students. Not only must we protect this information but
we must also protect the computer systems that process this information. There is a myriad of threats to the security
of our information and computer systems.
Most computer users take the computer system and its information for
granted. They turn off their computers
without giving any thought to the security of the information.
Is there a security problem in computing?
Computer Hackers
One serious problem facing
computer users today is the rise in computer crime, i.e. crime committed with a
computer. How many of our computer
systems have been attacked by computer hackers?
It may be nothing more than a student playing a computer game on the
school computer without permission. Or it may be the angry student who deletes
everyone's files.
The total estimated losses due
to computer crime worldwide range from $300 million to $500 billion per
year. The reason for such a wide range
is that less than 1% of all computer crime fraud cases are detected and of
those detected, over 90% are unreported.
Is it any wonder that computer-related crime has been escalating at a
dramatic rate? Computer crime is almost
inevitable in any organization unless adequate protections are put in place.
Figure 1
In recent surveys conducted in
Malaysia by the author [Appendix A], less than 10% of those surveyed had been
victims of a computer crime [Figure 1].
Unfortunately these 10% may be among the 1% detected. How many others "got away with it"? Of those eleven instances of a computer
crime, over 60% went unreported to the authorities and only one individual was
reported to have lost their job.
Crimes using computers are easy
to commit, hard to detect and even harder to prove. If someone steals your computer, you know it
and may even have evidence. If someone
steals your data, how do you know it and where's your proof? As will be discussed throughout this paper,
one major problem is a lack of awareness.
Few individuals and schools are aware of the extent of computer crime
committed today.
Computer Viruses
Computer viruses are a leading
threat to secure computing. [see Glossary for definitions of virus-related
terms] There are over 3000 computer
viruses and strains with several new ones developed every day. Over eight million PCs have been hit by
viruses by 1992 with 90% of those infected being reinfected within a short
period. Almost 90% of those surveyed in
Malaysia have experienced a computer virus infection [Figure 2]. Almost 74% of those had at least five infections
[Figure 3]. It's also possible that some
of those who claim to have not been infected by viruses, may have not known how
to recognize an infection.
Figure 2
Fortunately in Malaysia, the
number of virulent viruses is probably less than 100. Most of these are relatively harmless. One reason for so many occurrences of
viruses both here and elsewhere is the widespread copying of software. This is especially a problem with students
and computer games. How many of our students
actually buy legal copies of games? Stop
the illegal copying and use of illegal software and the spread of viruses would
diminish greatly.
Figure 3
Natural Disasters
Malaysia is fortunate not to
suffer from many natural disasters, but there are some. For example, within seven months last year
the Subang International Airport suffered two fires. The fire in April at
Subang International Airport knocked out the computers controlling the flight
display system. A post office near the
DCA computer room was also affected by the soot that decommissioned the post
office counter terminals. The computers were not burnt but crashed because soot
entered the hard disks. The fire in
October damaged newly installed computer equipment worth 400,000 ringgit as
well as 7 million ringgit worth of equipment in the air traffic control
tower [3].
Figure 4
Power outages are a regular
occurrence here culminating in the major blackout in September 1992. The
blackout crippled port operations when the Port Klang Authority's computer
network went blank [1]. Almost 25% of
those surveyed reported downtime due to a "natural disaster." [Figure
4] Most
of these were a result of power outages and hard disk crashes.
Negligence
Over 85% of the destruction of
valuable computer data involve inadvertent acts. This includes accidents, errors and omissions
by employees. This would typically
include accidental erasure of files or entire disks. Often students and teachers may inadvertently
alter files beyond recovery.
HOW MUCH SECURITY IS ENOUGH?
Computer Security
What is computer security? It can be thought of as the protection of the
computer and its resources against accidental or intentional disclosure of
confidential data, unlawful modification of data or programs, the destruction
of data, software or hardware. It includes the denial of use of one's computer
facilities for criminal activities including computer‑related fraud and
blackmail. Computer security involves
the elimination of weaknesses or vulnerabilities that might be exploited to cause
loss or harm. How can we minimize the
vulnerabilities in our computer system?
A computerized system for
processing information is composed of five major components: hardware,
software, data, people and procedures.
We need effective controls for all five components that will reduce the
system's vulnerabilities.
Data
Data is the most important of
the five components. It is the
life-blood of the company. The easiest
way to protect the data is to hide it from prying eyes. One way of doing this is by encryption. Encryption uses an algorithm that hides the
meaning of the text [Fig. 5].

               ________                  ________
  plaintext   |        |   ciphertext   |        |   original
 ------------>| encrypt|--------------->| decrypt|------------> plaintext
              |________|                |________|

Figure 5
A good cryptographic algorithm
should be simple to use by authorized users but difficult and time consuming
for non-authorized users to decrypt. The security of the data should not depend
on the secrecy of the algorithm. The
efficiency and security of the algorithm should not be data dependent. More programs are appearing that include and
support encryption. Less than 35% of
those surveyed [Appendix A - Question 17] use encryption to hide their data.
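The two properties above (the key, not the algorithm, is what stays secret, and the same algorithm must work for any data) are easiest to see in running code. The following is an added Python example written for this edit, not code from the paper: it walks the plaintext -> ciphertext -> original plaintext path of Figure 5 using a public algorithm (a keystream derived from HMAC-SHA256 in counter mode, XORed with the data) and a secret key. The construction, message format (a 16-byte nonce followed by the ciphertext) and the sample plaintext are all choices made here for illustration.

```python
"""Illustrative symmetric encryption: the algorithm is public, only the key is secret.

Added example, not from the paper. The keystream comes from HMAC-SHA256 used as
a pseudo-random function in counter mode; the message layout is nonce || ciphertext.
This shows the encrypt/decrypt path of Figure 5 but provides no integrity check,
so production code should use a vetted library with an authenticated mode instead.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16  # bytes; a fresh random nonce per message keeps keystreams distinct


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key and nonce into `length` pseudo-random bytes, one HMAC block per counter value."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext. Anyone may read this code; without `key` the output is noise."""
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, message: bytes) -> bytes:
    """Split off the nonce, regenerate the identical keystream and XOR it away again."""
    nonce, ciphertext = message[:NONCE_LEN], message[NONCE_LEN:]
    ks = keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def roundtrip_demo() -> dict:
    """Constructed demo: the right key recovers the text, a wrong key does not."""
    key = os.urandom(32)
    plaintext = b"Exam marks for Form 5, Shah Alam"  # constructed sample data
    message = encrypt(key, plaintext)
    return {
        "recovered": decrypt(key, message),
        "wrong_key": decrypt(os.urandom(32), message),
        "ciphertext_differs": message[NONCE_LEN:] != plaintext,
    }


if __name__ == "__main__":
    result = roundtrip_demo()
    print("recovered:", result["recovered"])
    print("wrong key gives original back:", result["wrong_key"] == b"Exam marks for Form 5, Shah Alam")
```

Note that a user who can run `decrypt` but lacks the key learns nothing from the ciphertext: that is the "security should not depend on the secrecy of the algorithm" rule in practice. The key must still be stored somewhere the intruder cannot reach, which is the same problem the password discussion below addresses.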
Software
Software can be easily corrupted
by computer viruses. Computer viruses
typically infect executable programs, boot sectors and partition tables of hard
disks. Two major approaches can be used
to minimize the danger of infection.
One approach is to scan for
viruses. This won't stop the infection,
but it will notify you if an infection has occurred so that you can remove
it. To be effective, scanning must be
done any time new software is introduced into a computer system. The scanner must also be able to identify all
known viruses including viruses that were not released when the scanner was
designed. Most of those individuals
surveyed are using some type of scanner [Appendix A - Question 8] but nearly
half seldom use it.
Another approach is to use a TSR
(Terminate and Stay Resident) program that will monitor for attempts by viruses to infect your system. The disadvantage of a TSR is that it might
give a false alarm if a legitimate program tries to do something similar in
characteristic to a virus's action.
Malaysia is fortunate that there are three excellent local products
(V-buster, PC-Medic and Armour) which have both scanners and TSR programs. The advantage of a local product is that the
development team should have access to viruses that are creating the most havoc
locally and design the anti-virus program for that. There are also many imported scanners and TSR
programs. Many users are using more than
one product to combat viruses. [Appendix B lists addresses of distributors for
some of these products.]
Anti-virus software alone won't
protect you from computer viruses. You
need to practice "safe computing".
Appendix B gives a list of guidelines for safe computing. Even the best protection plan may eventually
break down and you may find yourself with an infected computer disk. Most anti-virus software will include a
program for removing the infection.
However there may be a rare infection that cannot be removed with the
standard anti-virus software. Appendix C
provides some guidelines for virus removal when that occurs.
Don't assume that everything
that goes wrong with the computer is caused by viruses. Computer viruses are often blamed for
occasional hardware failures and software bugs.
If you suspect a problem is caused by a computer virus, use an antivirus
software to try to detect the infection.
If the antivirus software doesn't identify a virus but you still suspect
an infection, fill in a copy of the
checklist in Appendix D.
The next level of software protection is the Access Control System (ACS). An ACS lets you selectively restrict access to files, directories, floppy disk drives, and even external ports. Many systems can also track program use through logging and audit trails. An ACS should also include encryption facilities. Some ACSs can also make the hard disk drive "inaccessible" on a boot from a floppy. Some examples of Access Control Systems include Watchdog, PC-FORT (which is a well written program by a team of Malaysians), DiskLock, and PC/DACS.
An ACS won't prevent an experienced programmer from looking at the raw disk sectors. Most ACSs also won't prevent a user from doing a low-level format from a floppy disk drive.
Access Control Systems usually
include some type of password protection to control access to different parts
of the computer system. These provide a
very important line of defense.
Passwords are easy to use but also easy to misuse. Many computer users select passwords
that are easy to remember but also easy for an intruder to guess. Other users select a password that is so hard
to remember that they have to write it down where the intruder can find it.
Some rules of thumb for
passwords include selecting a password that is over five characters long
containing upper and lowercase letters, digits and punctuation characters if
possible. Pick a password that can be
easily memorized but not easily guessed.
Don't share it with anyone.
Passwords can accidentally be divulged over time, so they should be
changed periodically. Many application
packages like WordPerfect and Quattro Pro also have password protection options
for the data files, but few individuals are using them.
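The rules of thumb above can be enforced automatically when an account is created or a password changed. The following Python is an added example written for this edit, not code from the paper: it checks a candidate password against the paper's rules (over five characters; upper and lowercase letters, digits and punctuation; not easily guessed) and flags passwords that have gone too long without a change. The small list of commonly guessed passwords and the 90-day change interval are assumptions chosen here.

```python
"""Password policy check following the paper's rules of thumb.

Added example, not from the paper. The common-password list is a constructed
sample and the 90-day maximum age is an assumption about what "changed
periodically" should mean; adjust both to local policy.
"""
import string
from datetime import date, timedelta

# Constructed sample of easily guessed passwords; a real deployment uses a much larger list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "abc123", "secret"}
MAX_PASSWORD_AGE = timedelta(days=90)  # assumption: how often passwords must be changed


def check_password(password: str, username: str = "") -> list:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) <= 5:
        problems.append("must be over five characters long")
    # The paper asks for all four character classes "if possible"; here all four are required.
    required = {
        "uppercase letter": any(c.isupper() for c in password),
        "lowercase letter": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "punctuation character": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in required.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the list of commonly guessed passwords")
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    return problems


def password_expired(last_changed_iso: str, today_iso: str) -> bool:
    """Passwords leak over time; flag one not changed within MAX_PASSWORD_AGE (dates as YYYY-MM-DD)."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > MAX_PASSWORD_AGE


if __name__ == "__main__":
    # Constructed candidates for the user "wayne".
    for candidate in ["abc", "wayne1993", "Password", "Tr0ub4dor&3"]:
        verdict = check_password(candidate, "wayne") or ["acceptable"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
    print("changed 1993-01-01, expired by 1993-09-01:", password_expired("1993-01-01", "1993-09-01"))
```

The check reports every violated rule rather than stopping at the first one, so the user learns what to fix in a single attempt. Note the deliberate trade-off in the last rule: a password that must be changed too often ends up written down, which is the very failure the paragraph above warns about, so the interval should be long enough that users can memorize a new one.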
Hardware
How valuable is your computer,
your printer, your monitor, etc.? You
could bolt it to the desks like a quarter of those surveyed [Appendix A -
Question 23]. You could put in a limited
access room like 60% of those surveyed [Appendix A - Question 25]. Computers are very sensitive electrical
devices and need to be protected from electrical surges. Surprisingly, 37% of those surveyed [Appendix
A - Question 26] do not use voltage regulators or surge protectors. With the frequent fluctuations of current in
Malaysia, that is a gamble you're sure to lose.
If you cannot afford to have
your computers or network going down unexpectedly, then you should invest in a
UPS (Uninterruptible Power Supply). Less
than 50% of those surveyed [Appendix A - Question 27] use UPSs.
People and Procedures
Computers do not commit crimes
and computers do not write computer viruses.
Most of the problems associated with computer security are people
problems. These problems can generally
be solved with appropriate procedures.
Establish a computer security policy and educate the users about the
procedures they are expected to follow.
A good computer security program involves everyone in the organization
from senior management down. Almost 60%
of those surveyed [Appendix A - Question 14] state that their company or school
has no computer security policy. It is
important that computer users understand the issues of computer security,
computer ethics as well as the legal issues involved in using a computer.
Figure 6
Procedures must be developed for
using secure computing systems. Users
must not leave PCs unattended without securing both the PC and any storage
media. Printers should not be left
unattended when printing confidential information. Secure all software and hardware with
passwords and if possible lock and key.
It is ironic that 78% of those surveyed [Figure 6] lock up their office
supplies while over 50% [Figure 7 & 8] leave their software and data
unsecured at night. Are paper clips and
pencils more important than our data?
Figure 7
Do not allow eating, drinking
and smoking near the computers. Computer
personnel in mainframe and minicomputer environments recognized early the
importance and necessity of placing the computer and storage media in a clean
environment. Unfortunately, this concern
is lost when we move to PCs and networks.
Figure 8
Backup
One of the most important procedures to
establish is backup. Data and
software can be lost due to a virus attack, sabotage or by negligence. It is necessary to have current backups to
recover from the loss. Where should
those backups be kept? Although most of
those surveyed [Figure 9] made regular backups, over 40% keep the backups on‑site
with the computer. If a disaster were to
suddenly strike the computing facility, not only is the computer and original
data lost, but so is the backup.
Mainframe computer personnel have procedures for keeping two generations
of backups. The first is kept on‑site
while the second generation of backups is kept in another building preferably
far away.
Contingency Planning
Figure 9
How long can you survive without your
computers? Studies have shown that over
90% of the companies that suffered a "catastrophic loss" in their
computer systems never recover. You must
plan for the unlikely. Unfortunately, of
those surveyed [Figure 10], less than 35% have a disaster recovery plan.
RECOMMENDATIONS
Here are some final
recommendations. Keep the hardware,
software and data in a secure place.
Don't leave your PC unattended.
If you are in a network environment, log off before leaving your
computer or terminal. Protect your
software with some type of anti-virus software.
Invest in an access control system.
This will provide you with password protection for your files and
devices. Access control systems can also
keep track of who is doing what on your computer system. Protect your data using encryption. That way if someone does break into your
system, your data is still secure.
Design a security plan and
define policies to be followed by all computer users. Educate students and fellow teachers about
the legal and ethical issues involving the use of computers. Do not allow anyone to use their own software
on the school's computers, especially pirated software. Do not allow anyone to remove software or
data from school. Educate all computer
users about the importance of computer security.
Create a security planning team
with 5-9 members. These should include
teachers, parents, students and administrators.
The headmaster must be involved in the security of the computer
facilities. If the headmaster does not
see the importance of computer security, all may be lost.
Figure 10
When designing a security plan,
consider the following:
- specify goals regarding security
- specify where responsibility for security lies
- specify the school's commitment to security
- identify current security status
- make recommendations
- identify responsibilities for implementation
- draw up a timetable
- provide continuing attention to security
- involve the school's administrators
These plans will hopefully make
our computing more productive and safer.
Keep your computer system secure and practice safe computing.
References
1. CompuTimes, New Straits Times newspaper, "Blackout creates havoc for IT users," Malaysia, October 5, 1992, pg. 1.
2. Fites, Philip E., Kratz, Martin P.J. and Brebner, Alan F., Control and Security of Computer Information Systems, Computer Science Press, Rockville (MD), 1989.
3. IT Asia, "Subang Airport fire: A lesson for IT users," November, 1992.
4. Malay Mail newspaper, "Computer virus to hit next month - it will wipe out all hard disks every day of March," Malaysia, February 24, 1993.
5. New Straits Times newspaper, "Police warn of 'computer hackers' infiltrating CDS," Malaysia, May 26, 1993, pg. 4.
6. PC Week Asia, "Many users still ignore rampant virus threat," May 8-21.
7. Pfleeger, Charles P., Security in Computing, Prentice-Hall, Englewood Cliffs (NJ), 1989.
8. Star newspaper, "17,712 bank fraud cases since 1986," Malaysia, September 8, 1992.
9. Stoll, Cliff, The Cuckoo's Egg: Tracing a Spy Through the Maze of Computer Espionage, Doubleday, New York (NY), 1989.
10. Summers, Wayne C., seminar notes for "Computer Security, Computer Crime and Combatting Computer Viruses," April 1993.
11. Summers, Wayne, Zaidah Ibrahim and Naimah Mohd. Hussin, COMPUTER VIRUSES: What They Are and How to Prevent Them, Federal Publications, Malaysia, 1993.
APPENDIX A - COMPUTER SECURITY IN MALAYSIA
Location:           INTAN     MCCE      MCCE      PC-Fort   MCCE        Totals     %
                    K.L.      K.L.      Sabah     Launch    Penang
Date:               Aug. 92   April 93  Aug. 93   May 93    Sept. 1993
# of respondees:    55        6         23        26        18          128
1. Type of Company:
Gov't/Semi‑Gov't 43 2 1 6 1 53 41.41%
Education 9 3 22 5 17 56 43.75%
Banking 1 8 9 7.03%
Computer Related 1 1 1 3 2.34%
Trading & Services 4 3 7 5.47%
2. Number of Employees:
1‑10 3 2 3 8 6.35%
11‑99 12 2 12 10 12 48 38.10%
100‑999 22 3 9 7 2 43 34.13%
>1000 18 8 1 27 21.43%
3. Number of Computers:
1‑10 7 2 12 2 11 34 27.87%
11‑99 27 3 9 14 6 59 48.36%
100‑999 15 6 21 17.21%
>1000 4 4 8 6.56%
4. Type of Computers:
PCs 55 6 23 25 18 127 99.22%
minicomputer 24 1 13 38 29.69%
mainframe 33 10 43 33.59%
network 19 18 2 39 30.47%
5. Have you experienced a computer virus infection?
yes 45 6 19 23 17 110 89.43%
no 10 0 2 0 1 13 10.57%
5a. If yes how many times?
once 2 4 3 9 8.11%
2‑5 times 5 2 4 6 3 20 18.02%
>5 times 38 4 13 14 13 82 73.87%
6. Is there an individual to contact in case of a computer infection?
yes 35 1 8 20 8 72 56.25%
no 16 5 13 6 8 48 37.50%
7. Do you use a TSR to monitor for computer virus infections?
yes 19 3 4 15 7 48 37.50%
no 24 2 12 11 10 59 46.09%
8. What type of antivirus program are you using?
Vbuster 11 6 2 5 24 18.75%
Scan 36 4 14 16 12 82 64.06%
CPAV 23 2 2 14 3 44 34.38%
NAV 8 1 2 3 5 19 14.84%
Dr. Solomon 6 1 1 3 11 8.59%
TNT 11 1 3 1 16 12.50%
UTipac 1 4 5 3.91%
Pc‑cillin 17 2 10 29 22.66%
PC‑Medic 5 5 3.91%
Armour 1 5 2 8 6.25%
Serum 1 1 0.78%
None 3 1 4 3.13%
9. How often do you scan for viruses?
daily 24 2 15 4 45 35.16%
weekly 13 3 5 3 3 27 21.09%
monthly 2 3 1 2 8 6.25%
seldom 14 1 10 6 7 38 29.69%
never 1 3 1 5 3.91%
10. Has your computer system suffered downtime due to a natural disaster?
yes 11 2 4 6 3 26 24.76%
no 31 4 16 17 11 79 75.24%
11. How often do you make backups?
daily 16 2 1 12 6 37 28.91%
weekly 25 1 4 8 3 41 32.03%
monthly 6 1 5 2 3 17 13.28%
quarterly 2 1 1 1 5 3.91%
yearly 2 1 3 6 4.69%
seldom 3 4 7 5.47%
never 5 5 3 13 10.16%
11a. Are these backups kept off site?
yes 28 4 10 18 12 72 66.06%
no 20 2 6 8 1 37 33.94%
12. Does your company have a disaster recovery plan?
yes 19 0 2 17 3 41 33.88%
no 31 6 21 8 14 80 66.12%
13. Does your company have a security evaluation team?
yes 18 1 2 16 2 39 31.71%
no 34 5 21 9 15 84 68.29%
14. Does your company have a computer security policy?
yes 20 2 2 19 5 48 40.68%
no 28 4 20 6 12 70 59.32%
15. Does your company educate your employees about the importance of
computer security?
yes 32 2 2 22 6 64 53.33%
no 21 4 20 3 8 56 46.67%
computer ethics?
yes 23 2 0 23 5 53 46.49%
no 27 3 20 2 9 61 53.51%
computer viruses?
yes 31 3 8 24 8 74 61.67%
no 22 2 13 1 8 46 38.33%
16. Are your computers protected with passwords?
yes 27 2 6 18 4 57 44.88%
no 28 5 16 7 14 70 55.12%
16a. How often are they changed?
weekly 2 3 5 12.50%
monthly 6 1 6 1 14 35.00%
quarterly 1 1 2.50%
seldom 4 2 1 7 17.50%
never 6 1 2 4 13 32.50%
17. Are your sensitive data files encrypted?
yes 17 1 3 14 3 38 33.93%
no 28 5 18 9 14 74 66.07%
18. Do you keep a log of computer usage?
yes 14 4 7 9 6 40 33.33%
no 36 2 15 15 12 80 66.67%
19. Are employees allowed to take software/data home with them?
yes 26 3 15 4 9 57 44.88%
no 27 7 8 20 8 70 55.12%
20. Are employees allowed to use their own software in the workplace?
yes 32 3 18 7 11 71 56.80%
no 22 3 4 19 6 54 43.20%
21. Is your software locked up at night?
yes 27 3 7 12 9 58 47.93%
no 26 3 16 12 6 63 52.07%
22. Is your data locked up at night?
yes 28 2 7 13 8 58 48.33%
no 25 4 15 11 7 62 51.67%
23. Is your hardware bolted down?
yes 9 0 8 2 6 25 25.00%
no 30 5 11 20 9 75 75.00%
24. Are your office supplies locked up?
yes 40 5 14 17 15 91 77.78%
no 12 0 6 8 0 26 22.22%
25. Are your computing facilities in a limited access room?
yes 29 3 15 12 15 74 63.25%
no 21 3 7 12 0 43 36.75%
26. Do you use voltage regulators/surge protectors?
yes 32 4 14 16 5 71 63.39%
no 14 2 6 9 10 41 36.61%
27. Do you use uninterruptible power supplies (UPS)?
yes 31 2 5 16 4 58 49.57%
no 23 3 13 9 11 59 50.43%
28. Have you been a victim of computer crime?
yes 2 2 2 2 3 11 9.82%
no 46 2 18 23 12 101 90.18%
28a. If yes was it reported to the authorities?
yes 0 2 0 1 1 4 36.36%
no 2 0 2 1 2 7 63.64%
28b. What happened to the suspect?
fired 0
arrested 0
convicted 0
warning 1 1 1 3
29. Do you have procedures for reporting and handling computer crime?
yes 10 0 1 7 1 19 16.24%
no 42 6 19 18 13 98 83.76%
APPENDIX B - SAFE COMPUTING
The spread of computer virus infections can be stopped through the practice of "safe computing." The following is a list of do's and don'ts for safe computing.
1. Don't use illegal software! If the software has been obtained illegally, how can you assume that it doesn't contain a virus?
2. Never boot your computer system from a diskette other than the original DOS diskette. Only one write-protected boot disk should be assigned to a floppy-based system. The diskette should be clearly marked, write-protected and used only for booting up the designated computer. If you accidentally try to boot from a non-system disk, turn the computer off and boot with the write-protected system disk.
3. If your system uses a fixed disk, never boot from a diskette. In some situations, write protection software for the hard disk should be employed.
4. Always write-protect your system and program disks. Write-protect tabs are easy to use and very effective. You should write only on data disks.
5. Only copy files from the original distribution disks.
6. Always keep at least one set of back-up copies of all original disks. (This won't prevent a virus infection, but it will help in the recovery process if an infection occurs.)
7. Do not loan out program disks. They may be infected when they are returned. If you must loan a disk, always check it for viruses or format it before using the disk on your computer system.
8. Never use a computer that has already been turned on by another user. Always use a cold boot to restart the computer. Do not assume that a warm boot will remove a virus.
9. Make all the .COM and .EXE system and program files read only by using the command ATTRIB +R. Some viruses can now circumvent this method.
10. Always keep a lookout for strange occurrences:
a. When you do a directory listing, look at the volume label.
b. Observe whether your computer system is slowing down.
c. Watch for files that disappear.
d. Notice when there are attempts to access the disks when there should not be any read or write activity.
e. Watch whether the loading of programs takes longer.
f. Keep a lookout for decreases in the main memory or reduction of disk space.
g. Watch for unusually large sizes on program files.
h. Watch for recent creation dates on old program files.
i. Watch for unusual displays on the computer screen.
11. Use caution when using public domain and shareware software or any new software. There have been instances where commercial software has been sold with a virus.
12. If you are downloading software from a bulletin board or other computer network, always download to a diskette. You should then scan the diskette for possible virus infections. (You may want to write-protect your hard disk during this operation.)
13. In a lab environment, do not allow users to run their own programs or boot the computer system with their own disks. Users should only have data disks that are not bootable. All program disks and hard disks in a lab must be checked frequently for viruses. If users are allowed to use their own program disks, they must be scanned before they are used in the computer lab.
14. Most important of all is to teach computer users about computer viruses so that they can recognize them. Computer users need to be able to identify viruses so that they will be able to prevent their spread.
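Items 10g and 10h above (program files that grow, old programs with new dates) are exactly what a file-integrity baseline detects, and it does so without the limitation noted in the Software section, where a scanner can only identify viruses it already knows. The following Python is an added example written for this edit, not code from the paper or from any of the products it names: it records size, modification time and a SHA-256 digest for every program file under a directory, and on a later run reports files whose content changed, grew, appeared or disappeared. The set of program-file extensions, the directory layout and the sample file contents are constructed for the demonstration.

```python
"""File-integrity baseline for program files.

Added example, not from the paper. A baseline of size, modification time and
SHA-256 digest is taken for each program file; a later check reports what has
changed. Unlike a signature scanner this needs no knowledge of any particular
virus, only a trustworthy copy of the baseline (keep it on write-protected
media, not on the disk being checked). File names and contents are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: the DOS-era program file types the paper is concerned with; extend as needed.
PROGRAM_SUFFIXES = {".com", ".exe", ".bat", ".sys"}


def fingerprint(path: Path) -> dict:
    """Size, mtime and SHA-256 of one file; the digest is what actually proves a content change."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def build_baseline(root: Path) -> dict:
    """Fingerprint every program file below root, keyed by its path relative to root."""
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in PROGRAM_SUFFIXES
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    """Store the baseline as JSON so a later check can compare against it."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences: changed content, files that grew (item 10g), new files, missing files."""
    report = {"changed": [], "grown": [], "new": [], "missing": []}
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            report["missing"].append(name)
        elif new["sha256"] != old["sha256"]:
            report["changed"].append(name)
            if new["size"] > old["size"]:
                report["grown"].append(name)
    report["new"] = sorted(set(current) - set(baseline))
    return report


def demo() -> dict:
    """Constructed scenario: baseline a lab directory, then one program changes and another appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "game.exe").write_bytes(b"MZ original game code")        # constructed sample files
        (root / "cmd.com").write_bytes(b"constructed command interpreter")
        (root / "notes.txt").write_bytes(b"data file, not a program")    # ignored: not a program suffix
        save_baseline(build_baseline(root), root / "baseline.json")

        # Next check: one program has grown unexpectedly and a program nobody installed has appeared.
        with open(root / "game.exe", "ab") as fh:
            fh.write(b" unexpected extra bytes")
        (root / "new.exe").write_bytes(b"MZ program nobody installed")

        baseline = json.loads((root / "baseline.json").read_text())
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the baseline immediately after a clean installation from the original write-protected distribution disks (item 5), and re-run the check as part of the frequent lab inspection in item 13. A legitimate software update will also show up as "changed", so the report is a list of files to account for, not a verdict of infection; the point is that nothing on the disk can change unnoticed.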
APPENDIX C - PROCEDURES FOR VIRUS REMOVAL
If an infection is detected, follow the procedures listed below:
1. DON'T PANIC. First, decide how extensive the infection is. If the infection has only attacked the floppy disks, skip steps 2 through 11.
If possible use an antivirus program to remove the virus. Most viruses can be removed with most virus removal programs. In very serious infections, you may need to follow the procedures outlined below:
2. Shut off the infected computer system.
3. Power up the system with the original write-protected system diskette.
4. Make sure that the system has booted properly.
5. Backup all the nonexecutable data files from all directories onto newly formatted diskettes or do a tape backup. (If backing up to another hard disk, make sure that the hard disk has not also been infected). DO NOT EXECUTE OR BACKUP ANY OF THE PROGRAMS FROM THE INFECTED HARD DISK!!!
6. Check each batch file on the infected hard disk. If any of the lines within the batch file look suspicious, do not back up that file. Otherwise backup all the batch files.
7. Do a low-level format of the infected hard disk.
8. Install the operating system onto the hard disk.
9. Rebuild all directories.
10. Install all the executable programs from the original write-protected distribution disks.
11. Restore all the files that had been backed up in steps 5 and 6.
12. Gather all the diskettes that have been used with the computer system during the past six months. It is difficult to tell when the original infection occurred. Either check each disk for viruses and remove the viruses or follow these steps:
13. Backup all the nonexecutable data files from the suspect disks onto newly formatted diskettes.
14. Reformat the suspect diskettes.
If the virus is a boot sector infector, then the recovery process is simpler. Boot infector viruses do not infect executable programs. This means that the infection is isolated in the boot system on the infected disk. To recover from this type of infection proceed with the following steps:
1. Shut off the infected computer system.
2. Power up the system with the original write-protected system diskette.
3. Make sure that the system has booted properly.
4. Replace the operating system and the boot sector of the infected disk or run an antivirus program.
(NOTE: The virus may remain intact in the bad sectors created by the virus in the data files, but these virus segments are not active).
APPENDIX D - VIRUS CHECKLIST
This checklist is for those of you out there who may think that you have contracted a deadly and incurable computer virus... Before you go and destroy your computer, please take the time to check this list and see if your problem could be caused by any of the following situations.
#1 DISKS
a) Floppy Disks:
1) Have you set your floppy disks near any magnetic fields lately? i.e. Telephone, T.V., C.R.T., Stereo, Speakers, Magnetic ID Holder?
2) Are your disks in direct sunlight? Are they stacked on top of each other? Did you leave them in the car?
b) Hard Drives:
Has your Hard Drive suffered from any physical shocks lately? i.e. Earthquake, moving your computer from one room to another, kicking your tower case?
#2 DATA
a) Have you run any Disk Fixing/Optimizing programs lately?
b) Could you have accidentally deleted or damaged your data files in any way?
c) Have you installed any programs which modified your autoexec.bat or config.sys files?
d) Have you formatted double-density disks as high-density?
#3 MISCELLANEOUS
a) Have you dusted your work area lately?
b) Did anything get dropped into your keyboard?
c) Is your computer wired into the same circuit as your washing machine, air-con, refrigerator?
d) Are your computer cables coiled together?
e) If you look down right now, are you on carpet? If so, do you get static electricity shocks from it?
f) Do you have a spike/surge filter between the outlet and your computer?
If you still think that you may have a virus, please continue by filling out the following section.
#1 Is it taking longer for a program to load or run?
a) YES _____   b) NO _____
If yes, please fill out program name and what happened.
#2 Is disk access taking longer than normal?
a) YES _____   b) NO _____
If yes, please write down which drive, and how much longer than normal it took.
#3 Has the computer malfunctioned? If so, what happened?
a) YES _____   b) NO _____
#4 Is there any change in your files on disk?
a) YES _____   b) NO _____
If yes, what happened?
1) Files have suddenly disappeared. _____
2) Files have suddenly appeared. _____
3) Files changed in size.
   a) File increased in size. _____
   b) File decreased in size. _____
Please write down what files have changed and exactly what happened (if you can remember).
#5 Did anything appear on your screen (i.e. profanity or warnings?), or did any strange sounds come from the speaker?
a) YES _____   b) NO _____
If yes, please explain.
#6 Did any drive lights activate for no reason?
a) YES _____   b) NO _____
If yes, please explain (Was it a floppy or hard drive, how long did it stay on for, did it lock up your system?)
#7 Was computer memory reduced or increased?
a) YES _____   b) NO _____
If yes, what happened, and how did you notice this change?
#8 List everybody else that has access to your computer, and who has recently used it.
#9 Please list any and all new disks that have been introduced to your system recently.
a) Now, collect all disks that are listed above and place them in an envelope and hold on to them.
#10 (For Businesses Only). Contact your MIS Mgr., Computer Consultant, or whoever is in charge of your P.C.s and give them this completed checklist and the disks from item #8.
#11 Follow up for item #10: if this problem is above your head, please feel free to contact us at ITM-PPP (03) 548-2340 or contact me via Internet at wayne@mucia.itm.MY
GLOSSARY
Application program infector - The most infectious type of computer virus is the application program infector or file virus. They may attach to any executable file, usually .COM and .EXE files. An application program infector takes control after the initial use of the infected program. Once the virus is in place in the RAM of the computer system, it will potentially infect every program run on the computer until the computer is shut off. The most widespread virus today is the Jerusalem virus.
Backup - copies of the latest files. Also the act of copying all or some of the files as a security measure.
Boot sector infector - hides in the boot sector of a disk or the partition table of a hard disk and takes over control of the computer system when it is booted. It then copies itself into the computer's memory. When other disks are used, the virus transfers to their boot sectors. The most common boot sector viruses are the Pakistani Brain virus and the Stoned/Marijuana virus.
Boot sector - the sector of a disk that contains the programme for starting the computer and its operating system.
Checksum - result of a procedure used to verify the accuracy and integrity of sectors on a disk by calculating the number of bits in each sector.
CRC (Cyclic Redundancy Checking) - error checking technique used to ensure accuracy. Can also be used to check for viral infections.
Dark Avenger Mutation Engine - polymorphic encryption program used by virus developers to encrypt the virus in order to avoid detection. The engine uses a special algorithm to generate a completely variable decryption routine each time. No three bytes remain constant from one sample to the next.
Data diddling - unauthorized altering of data.
Encryption - encoding of data by converting standard data code into a proprietary code.
FAT (File Allocation Table) - area on a disk that contains the addresses that link clusters of a file together.
Hacker - person who enjoys learning the details of computer systems and how to stretch the systems' capabilities.
Host - program to which a virus attaches itself.
Logic bomb - programme which initiates an activity, often destructive, when a certain condition is met.
Multipartite virus - virus which infects both the boot sector of a disk as well as application programs.
Snapshot program - anti-virus program which records specific facts about a file or the disk. Usually includes the size of the file and its creation date.
Stealth viruses - viruses which attempt to hide their presence. Some of the simple techniques include hiding the change in date and time and hiding the increase in file size. Some even prevent anti-virus software from reading the part of the file where the virus is located. Some also encrypt the virus code using variable encryption techniques.
System infector - attaches to one or more operating system modules or system device drivers, usually COMMAND.COM. The virus takes control after the initial use of the infected program. An example of a system infector virus is the Lehigh virus that infects the COMMAND.COM program.
Timebomb - programme which initiates an activity, often destructive, at a certain time or date or when a certain amount of time has elapsed.
Trapdoor - way of accessing a computer system that bypasses security procedures. It is often created to enable a programmer to gain access to a system.
Trojan horse - named after the Greek wooden horse used to smuggle Greek troops inside the walls of Troy. In computers, it refers to an appealing programme that is in fact often destructive.
TSR (Terminate and Stay Resident) - RAM resident programme that remains in memory at all times so that it may be instantly activated.
Virus - a segment of self-replicating code that is used to infect the operation of a computer system. A virus must be attached to another programme.
Worm - stand-alone programme that changes another programme, data or the computer's memory, often destructive.
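As an added illustration of the Checksum, CRC and Snapshot program entries above (this is example code written for this page, not a program from the paper or from any of the antivirus products it names), the following Python script records what a snapshot program keeps (file size) together with a CRC-32 of each file's contents, and then reports the kinds of change the checklist's item #4 asks about: files that appeared, disappeared, grew or shrank. It also shows why the CRC matters: a file whose contents were overwritten without changing its size is invisible to a size-only snapshot but is caught by the CRC. The file names and contents are constructed in memory so the script runs offline; `zlib.crc32` is Python's standard-library CRC-32.

```python
import zlib

# Constructed sample "disk" (file name -> contents). These are not real
# programs, only bytes that let the checker run without touching a real disk.
BASELINE_FILES = {
    "COMMAND.COM": b"MZ" + b"\x00" * 30 + b"command interpreter",
    "EDIT.EXE": b"MZ" + b"editor program body",
    "NOTES.TXT": b"plain text data file",
}


def take_snapshot(files):
    """Record the size of each file (what a snapshot program stores) plus a
    CRC-32 of its contents, so that same-size modifications are visible too."""
    return {
        name: {"size": len(data), "crc": zlib.crc32(data) & 0xFFFFFFFF}
        for name, data in files.items()
    }


def compare_snapshots(baseline, current, use_crc=True):
    """Compare two snapshots and return (file, finding) pairs sorted by name.
    With use_crc=False the check degrades to a size-only snapshot program."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            findings.append((name, "appeared"))
        elif new is None:
            findings.append((name, "disappeared"))
        elif new["size"] > old["size"]:
            findings.append((name, "increased in size"))
        elif new["size"] < old["size"]:
            findings.append((name, "decreased in size"))
        elif use_crc and new["crc"] != old["crc"]:
            findings.append((name, "contents changed, size unchanged"))
    return findings


def constructed_changes(files):
    """Constructed 'after' state for the demonstration: one byte of
    COMMAND.COM overwritten (size unchanged), EDIT.EXE grown by 16 bytes,
    NOTES.TXT deleted and a new README.TXT created."""
    changed = dict(files)
    cmd = changed["COMMAND.COM"]
    changed["COMMAND.COM"] = cmd[:2] + b"\x01" + cmd[3:]      # same size, one byte differs
    changed["EDIT.EXE"] = changed["EDIT.EXE"] + b"\x90" * 16  # file grew
    del changed["NOTES.TXT"]                                  # file disappeared
    changed["README.TXT"] = b"new file"                       # file appeared
    return changed


def run_check(use_crc=True):
    """Take a baseline snapshot, apply the constructed changes, and report."""
    baseline = take_snapshot(BASELINE_FILES)
    current = take_snapshot(constructed_changes(BASELINE_FILES))
    return compare_snapshots(baseline, current, use_crc=use_crc)


if __name__ == "__main__":
    for name, finding in run_check():
        print(f"{name:12s} {finding}")
    print("size-only check:", run_check(use_crc=False))
```

In practice the baseline snapshot would be written to a write-protected floppy or another medium the checked system cannot alter, since a snapshot stored on the same disk can itself be modified; the size-only run (`use_crc=False`) shows that it misses the COMMAND.COM change entirely.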
COMPUTER SECURITY IN AN EDUCATIONAL ENVIRONMENT
(MCCE-KL 5/11/93)
Optional: Name: ____________________________________________
Company: ____________________________________
____________________________________
Please answer the following questions (circle your answers):
1. Type of Company: Government Education Computer-related Trading Other:__________
2. Number of Employees: 1-10 11-100 100-999 >1000
3. Number of Computers: 1-10 11-100 100-999 >1000
4. Type of Computers: PCs mini mainframe network
5. Have you experienced a computer virus infection? Yes No
5a. If yes, how many times? once 2-5 times more than 5 times
5b. What were the estimated losses?
5c. Which viruses infected your computer?
6. Is there an individual to contact in case of a computer virus infection? Yes No
7. Do you use a TSR to monitor for computer virus infections? Yes No
8. What type of antivirus program are you using? V-Buster Scan CPAV NAV Dr. Solomon TNT UtiPac PC-cillin PC-Medic Armour None Other:____________________
9. How often do you scan for viruses? daily weekly monthly seldom never
10. Has your computer system suffered downtime due to a natural disaster? Yes No
10a. What happened? _______________________________________
10b. What were the estimated losses?
11. How often do you make backups? daily weekly monthly quarterly yearly never
11a. Are these backups kept off site? Yes No
12. Does your company have a disaster recovery plan? Yes No
13. Does your company have a security evaluation team? Yes No
14. Does your company have a computer security policy? Yes No
15. Does your company educate your employees about the importance of
computer security? Yes No
computer ethics? Yes No
computer viruses? Yes No
16. Are your computers protected with passwords? Yes No
16a. How often are they changed? weekly monthly never
17. Are your sensitive data files encrypted? Yes No
18. Do you keep a log of computer usage? Yes No
19. Are employees allowed to take software/data home with them? Yes No
20. Are employees allowed to use their own software in the workplace? Yes No
21. Is your software locked up at night? Yes No
22. Is your data locked up at night? Yes No
23. Is your hardware bolted down? Yes No
24. Are your office supplies locked up? Yes No
25. Are your computing facilities in a limited access room? Yes No
26. Do you use voltage regulators/surge protectors? Yes No
27. Do you use uninterruptable power supplies (UPS)? Yes No
28. Have you been a victim of computer crime? Yes No
28a. If yes, was it reported to the authorities? Yes No
28b. What happened to the suspect? Fired Arrested Convicted Warning
28c. What were the estimated losses?
29. Do you have procedures for reporting and handling computer crime? Yes No