This tip originally appeared on SearchWin2000.com, a sister site of SearchSmallBizIT.com.
A recent variant of Netsky
seeks to worm its way onto people's desktops by claiming to patch various "hot" recent viruses or worms, including Sasser, Netsky itself, Beagle (aka Bagle in some listings),
Mydoom, and MSBlast (aka Blaster in some
listings), according to a recent news
report. As with any other e-mail attachments, it's essential to train your users never to use them to patch systems. In
another tip, in fact, I wrote about an
incredibly convincing hoax that looked and read exactly like a real Microsoft security bulletin. That is, except for one
thing: neither Microsoft nor any other reputable software vendors, including antivirus companies, ever send patches or
updates to subscribers or users via e-mail. The hoax asked users to install the attached update!
"Why don't vendors send updates via e-mail?" you might be tempted to ask. Although they could use mechanisms such as
public key encryption or digital signatures to prove their identities for e-mail delivery, software vendors uniformly choose
to send notification of updates by e-mail, and let users download patches from verifiable sources at their convenience.
Otherwise, in some cases vendors offer registered, up-to-date users subscription services that can initiate downloads (when
available, such as Symantec's LiveUpdate service) to keep software and data files current, or automated update services (such
as Windows Update) to do the same thing.
Making user software pick up downloads automatically or on demand is good policy from a security standpoint, as recent
events clearly illustrate. But there are also size and message fan-out issues to consider as well. Because Microsoft Service
packs are normally over 100 MB in size (if not much bigger), it's irresponsible to broadcast mail with attachments that big
to large numbers of users. This is not only because of the size of the attachment itself, but also because of the large
number of such messages that would be generated. The same thing is true, in fact, for most attachments over 1 MB in size. As
responsible Internet citizens, most companies won't send that much data attached to e-mail; it's simply more efficient to
have customers grab and use downloads when and as they need them (and many companies stage local copies of downloads as well,
to prevent their users from having to copy the same thing repeatedly across the Internet).
The simple rule of thumb to teach users is: Never open or install anything that calls itself an update, a patch, a fix or
whatever that shows up in your e-mail inbox. If you must install something (on a home or traveling machine, away from the
office, for example), go to the vendor's Web site or use an automatic update service to download the patch. These simple
words of advice, with properly patched and updated systems, will help users avoid nearly all sources of infection that might
show up in their inboxes.
Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years experience in the networking industry, and co-author
of several books on networking, most recently, CCSPTM: Secure PIX and Secure VPN Study Guide published by
Sybex.
Do you have comments on this tip? Let us
know.
