Contagion: Why Our Dependency on Microsoft Makes Us Susceptible
Number 1 is to make sure your anti-malware software is up-to-date to detect older, known viruses. We have site licenses for various NAI products if you don't have something installed yet. Also, install Tripwire if you are using NT or Unix boxes (we have this site-licensed, too). The use of Tripwire will help detect new, as-yet undetected viruses (after the fact, unfortunately) and also help in clean-up of damage by giving a snapshot of altered files and registry settings. (It also provides intrusion detection in addition to the change detection involved in detecting viruses.)
Number 2 is to ensure that your users understand good anti-malware practices. This can't stop all future problems, but it may help limit their spread. In particular, get users to cut and paste text in email rather than attach Word documents. If they need to send a file of some kind, then have them use FTP rather than embed the files in email. On the receiving side, users should simply reject any executable content rather than depend on virus screening.
Number 3, perform regular, comprehensive backups of all systems. If you do not perform regular, full backups of any systems, notify those users and ensure that they understand the procedures (and importance) to do it themselves. Files deleted by buggy software, viruses, worms, crashes or simple mistakes cannot always be recreated. Backups are critical for recovery. (Be sure to test your backups periodically to ensure they work!)
Number 4, be certain your systems are up-to-date on patches and security fixes, no matter what kind of platform you may be using.
Number 5, if you use Outlook, disable the Windows scripting host feature (see the same article at the URL given above). Alternatively, think about switching your users from Outlook to some other email client (e.g., Eudora). For this to work, however, you need to de-install Outlook rather than simply install something alongside it. (There was at least one case on campus where someone using Eudora on Windows saved the ILOVEYOU code to disk and started it, and it then activated Outlook to use the global address book to mail copies to other users.)
Number 6, if your users are using Internet Explorer, be certain they have their security settings on the highest level for all zones unless you *know* it is safe to use a lower setting. Also, in the security settings, disable ActiveX if at all possible -- ActiveX supports threats that cannot be defended against. In all WWW browsers users should be careful about enabling JavaScript and Java, with Java being safer than JavaScript in up-to-date browsers.
Number 7, when acquiring new systems, think carefully if you really need Windows/Word, or whether an alternative is available that is more resistant to attack. This is especially a concern if you don't have staff or expertise to be constantly dealing with security concerns. For instance, if you are only seeking a machine to run a WWW server, then a Mac makes a robust server with an almost non-existent history of security problems. In fact, last year the US Army replaced their NT-based WWW servers after repeated security problems and they have not had a single security incident since! Similarly, you can run Excel and Word on a Mac, and using StarOffice on a Unix box you can deal with the same files. There are also other word processing programs (e.g., FrameMaker, AppleWorks, others) and spreadsheet systems. Windows and Office are not the only choices.
The key here is to think about total cost of operation and the needed core functionality. When you put a machine in service there may be the up-front cost of the box and the software, and in this regard a Wintel box seems the best choice. But add in the time spent applying security patches, strengthening the default installation, responding to (and cleaning up after) break-ins and malware incidents, and the time spent staring at blue screens -- time for you and your staff is valuable, as is the loss of productive work time by your users. Yes, Windows runs thousands more programs than does Unix or a Mac -- but do you ever need those in a work or lab environment? Most are games, or are versions of software you don't need or already have in another form. Consider carefully what you want: buying a system because it runs programs you will never use and that may cost more over its lifetime to operate is not a bargain.
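The advice in Number 2 to reject executable content outright, rather than rely on virus screening, can be enforced at a mail gateway. The sketch below is an added example, not code from the article or from any product it names; the extension and MIME-type blocklists and the sample messages are assumptions constructed for illustration.

```python
from email.message import EmailMessage

# Assumed blocklist (not from the article): extensions Windows runs or scripts.
BLOCKED_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
               ".js", ".jse", ".wsf", ".wsh", ".hta", ".lnk"}
# Assumed MIME types that declare a Windows executable.
BLOCKED_TYPES = {"application/x-msdownload", "application/x-msdos-program"}

def blocked_parts(msg):
    """Return (filename, reason) for every MIME part that should be rejected."""
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Windows ignores trailing dots and spaces, so normalise them away.
        name = (part.get_filename() or "").strip().rstrip(". ").lower()
        ctype = part.get_content_type()
        # Only the last extension decides what gets run, so
        # "notes.txt.vbs" is a script however the name is displayed.
        ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
        if ext in BLOCKED_EXT:
            hits.append((name, "extension " + ext))
        elif ctype in BLOCKED_TYPES:
            hits.append((name or "(unnamed)", "type " + ctype))
    return hits

def accept(msg):
    """Policy: refuse the whole message if any part is executable content."""
    return not blocked_parts(msg)

def build_sample(filename, payload, subtype):
    """Constructed sample message; addresses, names and bytes are made up."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.org", "b@example.org", "report"
    m.set_content("See attached.")
    m.add_attachment(payload, maintype="application", subtype=subtype,
                     filename=filename)
    return m

if __name__ == "__main__":
    samples = [("notes.txt.vbs", "octet-stream"), ("budget.csv", "octet-stream"),
               ("update", "x-msdownload")]
    for fn, st in samples:
        m = build_sample(fn, b"constructed bytes", st)
        print(fn, "accept" if accept(m) else "reject", blocked_parts(m))
```

The decision depends only on what the attachment is, never on whether a scanner recognises it, which is why a policy like this would still refuse a script that no signature exists for yet.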



