Infogram

March 15, 2001

NOTE: This INFOGRAM will be distributed weekly to provide members of the emergency services sector with news and information concerning the protection of their critical infrastructures. For further information please contact the U.S. Fire Administration's Critical Infrastructure Protection Information Center at (301) 447-1325 or e-mail at usfacipc@dhs.gov.

Computer Security Basics

Last week's issue of this INFOGRAM reported that computers and associated networks must be included among critical infrastructures of fire and emergency services. Computer security is an intimidating topic that is actually easier than some leaders realize. According to David Raikow, intruders typically gain access to computers by taking advantage of glitches in networking software. The software required for web sites and networks is considerably complex and vulnerable to viruses. However, with just a little more caution and common sense, department officers can make their organization's hardware almost impervious to attack. Robert Vamosi, an information systems security expert, offers the following suggestions:

  1. Maintain Control Over Your Software. Always know what programs are running on department machines. Never run anything unless you know how to configure securely. The accountable authority may need to consider a firewall for more reliable security. The same is true if you want to use any sort of network server or remote access software.
  2. Download Security Patches. If not already done, then immediately download the latest security patch or patches from the department's software vendor.
  3. Turn Off The Windows Scripting Host. Limit risk of contamination by turning off the windows scripting host.
  4. Do Not Open Attachments. Prevent virus infections by avoiding attachments to electronic mail when possible. Delete attachments unless they are definitely expected. Always scan an attachment for viruses even if it is from a known and trusted source.
  5. Stay Informed. Virus and computer information security alerts are usually daily events. Keep up-to-date on the latest viruses and solutions.
  6. Get Protected. Ensure current virus protection software is resident on all machines.
  7. Scan Department Systems Regularly. Anti-virus programs should be set to automatically scan each time the computer is rebooted. Alternatively, the program can be set to scan on a periodic schedule.
  8. Update The Anti-Virus Software. Accountable officers must guarantee that the installed anti-virus software is updated at frequent intervals.

Computer Virus Clarification

Not a week passes without hearing about another computer virus. It is safe to say that fire and emergency service organizations will deal regularly with virus outbreaks. There is no immunity from a computer virus, which is a software program-a piece of executable code-that has the unique ability to replicate. Just like the "common cold," a virus spreads quickly and is often difficult to eradicate. Besides replication, some computer viruses have something else in common: a damage routine that can deliver the virus payload. While payloads may only display messages or images, they can also destroy files, reformat hard drives, or cause other kinds of damage. According to the International Computer Security Association, the majority of viruses fall into four main classes:

  1. Boot Sector Viruses. Previously the most prevalent virus type, boot sector viruses infect the boot sector on a floppy disk and spread to a user's hard disk. These viruses are usually transmitted when an infected floppy disk is left in the drive and the system is rebooted. Once the boot sector on the hard drive is infected, the virus attempts to infect the boot sector of every floppy disk inserted into the computer and accessed.
  2. File Infecting Viruses. File infectors, also known as parasitic viruses, are pieces of viral code. They operate in memory and usually infect executable files with the following extensions: *.COM, *.EXE, *.DRV, *.DLL, *.BIN, *.OVL, *.SYS. They activate every time the infected file is executed by copying themselves into other executable files and can remain in memory long after the virus has activated.
  3. Macro Viruses. Macro viruses currently account for the majority of all viruses. They infect files run by applications that use macro languages, like Microsoft Word or Excel. Unlike other virus types, these are not specific to an operating system and spread with ease via e-mail attachments, floppy disks, Web downloads, file transfers, and cooperative applications.
  4. Multi-Partite Viruses. These viruses have characteristics of both boot sector viruses and file infecting viruses. They may start out in the boot sector and spread to applications, or vice versa.

While not technically viruses, other malicious programs like worms and Trojan horses are closely associated because they typically have the same type of results. A worm is a program that replicates itself, but does not necessarily infect other programs. Frequently worms replicate themselves by e-mail, making use of any Microsoft Outlook or Outlook Express address books. Trojan horses contain a concealed surprise just like in the Greek myth. These programs reside hidden in another seemingly harmless piece of software until some condition triggers its awakening. Just remember, since new viruses are being introduced all the time, experts strongly recommend that anti-virus databases be updated on a weekly basis. This is the most important thing department officers can do to protect their computer systems.

"Magistr" Virus/Worm Alert

The Federal Computer Incident Response Center (FedCIRC) issued a precautionary alert about the new "Magistr" virus/worm. Given a medium to high risk evaluation, this worm propagates itself using most e-mail applications such as Microsoft Outlook, Outlook Express, and Netscape Navigator, and then sends infected files to all addresses listed in the infected user's address book. It is a Win 32 application written in Assembly language using complex routines and anti-debugging techniques designed to hide from the anti-virus detection tools. Besides infecting all non-DLL (Dynamic Link Library) executable files in the victim's system, it can damage the system by overwriting sectors of the hard disk, CMOS (Complimentary Metal Oxide Semiconductor) erasing, and BIOS (Basic Input/Output System) flashing. FedCIRC recommends immediate update of anti-virus databases and blocking any ".EXE" e-mail attachments.

USFACIPC Weekly Lexicon: Accountability

(adapted from the Critical Infrastructure Glossary of Terms by the Critical Infrastructure Assurance Office)

The principle that responsibilities for ownership and/or oversight of the department's physical and cyber-based systems are explicitly assigned, and that assignees are answerable to proper authorities for the stewardship of these systems and resources under their control.

FAIR USE NOTICE

This INFOGRAM may contain copyrighted material that was not specifically authorized by the copyright owner. EMR-ISAC personnel believe this constitutes "fair use" of copyrighted material as provided for in section 107 of the U.S. Copyright Law. If you wish to use copyrighted material contained within this document for your own purposes that go beyond "fair use," you must obtain permission from the copyright owner.

Reporting Notice

DHS and the FBI encourage recipients of this document to report information concerning suspicious or criminal activity to DHS and/or the FBI. The DHS National Operation Center (NOC) can be reached by telephone at 202-282-9685 or by e-mail at NOC.Fusion@dhs.gov.

The FBI regional phone numbers can be found online at www.fbi.gov/contact/fo/fo.htm

For information affecting the private sector and critical infrastructure, contact the National Infrastructure Coordinating Center (NICC), a sub-element of the NOC. The NICC can be reached by telephone at 202-282-9201 or by e-mail at NICC@dhs.gov.

When available, each report submitted should include the date, time, location, type of activity, number of people and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact.

RSS FeedWeekly INFOGRAM's are now available as an RSS Feed. More Information »