@ Computerweekly, © 2000 Reed Business
The Love Bug
A lack of diversity among corporate
IT systems allowed the virus to spread, aided by inadequate corporate policy.
Guy Campos learns the lessons of Love
The I Love You bug was able to spread easily from one
UK company to another because of a lack of "biodiversity" in systems,
according to financial information security specialists. In nature, Darwinian
natural selection has produced species that share enough genetic code to be
interoperable but differ enough to vary in their susceptibility to diseases.
And we should aim for similar diversity in corporate IT systems, says DK Matai,
managing director of mi2g, which helps companies implement bespoke
Matai says IT managers can gain the power to shut down
parts of an information network in the same way that a submarine commander
can hermetically seal compartments within a vessel. Likewise, the ability
to receive executable files can be restricted to members of the IT department
and approved members of staff, with an IT manager acting as a gateway for
other users. Executable files come in many forms, such as Word and Excel macros,
but it is possible to detect hidden executables even if they are wrapped up
in zip files, says Matai.
It is also possible to monitor any changes to a PC's configuration,
such as a user downloading a Flash plug-in to view hot Web sites, with IT
managers receiving an e-mail alert about the potential threat to data security.
As with any IT investment, companies need to balance expense against the cost
of failure, says Simon Owen, a senior management consultant at Arthur Andersen.
And there are many companies that have yet to implement common sense controls
such as putting in anti-virus scanners that are regularly updated by their
"Companies have become so focused
on speed to market that corners have been cut," says
Owen. Companies can open every executable in a soundbox which tests the effect
of the file before allowing it to proceed to its recipient. But this is costly,
requiring an IT professional to supervise each test, and slows down communication
- removing one of the prime benefits of e-mail. There has also to be a balance
between technological controls and human resources policies. "It
is quite clear that the Love Bug would not have spread so easily had personnel
been reminded that they should delete any attachment that they were not expecting,"
The culture of sending jokes as executable attachments
is rife and there is a need for the most basic education about the danger
of e-mail, says Owen. Michael Chapman-Pincher, head of operations at The User
Group, which advises on e-business issues, says that if employees are to take
Internet security seriously a lead must come from the top. There should be
a designated person responsible for security, the IT director or other senior
member of staff.
Chapman-Pincher says many users still view e-mail as a
novelty and open every message and attachment they get. They do not throw
away unsolicited e-mail, as they would junk mail. However, he warned that
attempts to restrict access to e-mail to limit the spread of viruses could
make people feel excluded from the loop. Many people have huge e-mail address
books because management wants to make them feel included and make it easy
to communicate with anyone in the company. "But why should anyone have 1,800 names in
their address book?" asked Matai.
He holds to a theory that there are four elements to e-security
- not just the technological and the human but the legal and insurance aspects
In consultation with lawyers, companies should advise recipients of their
e-mails that it is their responsibility to check for viruses. Companies can
also now take out insurance policies to cover the cost of security failures.
Despite repeated scares over Internet security, many users are still living
in an age of innocence. "Corporate
Internet access reminds me of flower power in the 1960s when people thought
you could share your love with anyone," says Matai. "It
was only later that people realised that there was no room for casual behaviour
and so it will be with Internet security."