From: CRDGW2::CRDGW2::MRGATE::"SMTP::CRVAX.SRI.COM::RELAY-INFO-VAX" 27-SEP-1989 16:50
To: MRGATE::"ARISIA::EVERHART"
Subj: Review of NIST anti-virus paper...

Received: From GATEWAY.MITRE.ORG by CRVAX.SRI.COM with TCP; Wed, 27 SEP 89 13:01:48 PDT
Received: by gateway.mitre.org (5.54/SMI-2.2) id AA06795; Wed, 27 Sep 89 15:46:13 EDT
Received: by lid.mitre.org.mitre.org (4.0/SMI-4.0) id AA00214; Wed, 27 Sep 89 15:43:11 EDT
Date: Wed, 27 Sep 89 15:43:11 EDT
From: dmg@lid.mitre.org (David Gursky)
Message-Id: <8909271943.AA00214@lid.mitre.org.mitre.org>
To: virus-l@ibm1.cc.lehigh.edu
Subject: Review of NIST anti-virus paper...
Cc: INFO-VAX@KL.SRI.COM, Info-IBMPC@WSMR-SIMTEL20.ARMY.MIL, Info-Mac@sumex-aim.stanford.edu, SUN-SPOTS@RICE.EDU

[Note to the editors of Info-Mac, Info-IBMPC, Info-VAX, and SunSpots: While your various digests do not focus directly on viruses, some of your readers may be interested in this review I wrote up of the recent NIST paper: _Computer Viruses and Related Threats: A Management Guide_. Feel free to include this in your digests if you wish, but do not alter it. You may remove this header if you so wish. -- David Gursky]

Recently, the National Institute of Standards and Technology (NIST, the successor to the National Bureau of Standards) published a short paper entitled: _Computer Viruses and Related Threats: A Management Guide_. I have had a chance to read through it, and here are my comments:

NIST Virus study comments

First and foremost, the NIST paper is an excellent, broad summary of knowledge of prevention measures for "electronic threats". It does not deal with the specifics of protecting this system, or that system, but rather looks at two classes of systems (multi-user and single-user) in two different environments (stand-alone or networked) and discusses six aspects of the security issue: General Policies, Software Management, Technical Controls, Monitoring, Contingency Planning, and Network Concerns.
As much as I want to say this is an excellent paper, I find two flaws that hold it back:

1 -- The paper is not always consistent in its tone and advice
2 -- Some advice presented in the paper is based on false assumptions

Inconsistency -- The authors of the paper appear to have a problem accepting that any successful policy to deal with electronic threats must rely on the cooperation of the user community. At certain points, it explicitly states system managers must *prevent* users from performing actions of questionable risk altogether, and later on it states that users can do the same thing under controlled circumstances. The problem of electronic threats is *everyone's* problem, and *everyone* must be part of the solution. The underlying attitude of the authors seems to be "users cannot be counted on". For better or for worse, users *must* be counted on, and when that is not possible, made accountable.

Other examples of where the authors make one statement, and then back down from it elsewhere in the paper, exist; this is the one that I happen to have picked up. By the same token, there are only a few instances of this type of hemming and hawing.

False Assumptions -- The paper forwards the myth that programs obtained from public sources (bulletin boards; public network libraries) are inherently tainted, and that shareware/freeware/etc. should really be avoided. Certainly applications obtained from these sources are riskier, but these risks can be minimized through careful selection of sources (i.e. public sources with a large pool of experienced users feeding from it), by judicious testing of software obtained from these sources, and by maintaining an internal library of these applications. This last step (completely overlooked by Wack and Carnahan) of providing users access to shareware from a corporate-sanctioned library can go far in ensuring that applications from riskier, public sources are not brought into the corporate computing environment.
By the same token, the paper forwards the myth that commercially obtained applications are inherently untainted. The Aldus Freehand infection (among others) demonstrates that this is clearly not true.

Summary -- Summarizing, I would say this paper is a very good source for technical users looking to gain information about how to go about addressing the virus problem, and a good source for corporate managers looking at the same question. The paper's inconsistency on the role users must play in a successful anti-virus strategy, and its partial reliance on a false assumption, hold it back from being excellent on both counts.

Copies of the NIST paper can be obtained for $2.50 from the U.S. Government Printing Office, 202.783.3238. The document is NIST Special Publication 500-166, GPO #003-003-02955-6.

The opinion expressed in this review is mine, and does not in any way reflect the official policy of the MITRE Corporation, or any of MITRE's clients. Please do not redistribute this review without my consent first. Thank you.

Submitted 27 September 1989

David M. Gursky
Member of the Technical Staff, W-143
Special Projects Department
The MITRE Corporation