Admins: Users Share the Blame

The scene playing out on Nick Gass' computer screen last week was sadly familiar: dozens of copies of the same e-mail message clogging in-boxes throughout his company.

The scene playing out on Nick Gass computer screen last week was sadly familiar: dozens of copies of the same e-mail message clogging in-boxes throughout his company. Recalling the mess caused by the ILoveYou virus last May, Gass, a systems administrator at Color Kinetics Inc., in Boston, knew that the messages were the result of another Visual Basic Script virus.

This time, enough was enough.

In the aftermath of the attack, the company stepped up plans for a strict e-mail filtering policy to weed out executables like .vbs files and other attachments, with the hope of preventing careless users from abetting another such attack.

"We rely on users to do a couple of things: regularly update their virus definitions and exercise some wisdom when it comes to e-mails and attachments," Gass said. "My experience has taught me you cannot count on either of these things taking place regularly."

Color Kinetics is not alone. Following the damage done by the so-called Anna Kournikova worm last week, many companies are re-examining their mail usage and filtering policies and are also starting to point fingers at end users who have shirked their responsibilities regarding attachments.

For instance, one Boston-based investment company, after being hit hard by the Kournikova virus, began seeking employees who had opened the infected attachment and issuing them warnings.

The worm, which acted like the ILoveYou bug, arrived with a subject of "Here you have ;0" and carried the annakournikova.jpg.vbs attachment. Once opened, the virus accessed the users Outlook address book and mailed itself to every address it found.

Many IT administrators are surprised users havent learned the lesson about attachments. "Most users dont get it," said Andy Palley, MIS manager at Capacity Group, an insurance holding company in Saddle River, N.J. "No amount of education will stop [these outbreaks]."

As a result, many managers are taking action. One company ahead of the game is Owens Corning, which has been filtering attachments from e-mail since early last year. After the ILoveYou bug, the Toledo, Ohio, manufacturer screened out .vbs and other file types, eventually stopping everything but .txt files from going in or out. As a result, Owens Corning was untouched by Anna but bounced more than 500 instances. "[Viruses are] potentially a very big problem, and you have to take a layered approach and not rely on anti-virus software," said Mark Amos, Owens Corning manager of information security.

Most companies still do rely on anti-virus software and hope that by telling users not to open attachments, theyll be protected. Since thats not working, they have to stop the mail before it causes harm. At the University of Texas in Dallas, Paul Schmehl, the universitys manager of support services, reports that 57 percent of the attachments that were blocked in January alone were viruses. "Thats 1,500 opportunities for infection that didnt get in to give the user a chance to open it," Schmehl said.

While Color Kinetics decision to block most attachments seems logical, some IT administrators have balked at such a plan, fearing recriminations and complaints of privacy invasions.

"In our IT shop, we dont think tougher policies and procedures placed on the users are the way to go," said Mike Zboray, chief technology officer of Gartner Group Inc., in Stamford, Conn. "We believe that ... security technology to safeguard the environment is less intrusive to the users and enables us to focus on our business rather than on being policy police."

Color Kinetics Gass agreed that some restraint is necessary, saying he does not plan to screen internal mail. However, he said screening and filtering inbound mail for attachments at the e-mail gateway is a must.

"A lot of people ... got used to using [e-mail] as a file transfer tool," said Amos of Owens Corning. "Thats a convenient way to do it, but there are other ways that wont spread a virus. Most of the stuff we filter isnt business content."

But even with high levels of junk mail moving through their networks, many companies still dont feel the need to take the next step and screen their employees mail. "Our policy is no personal e-mails, but it is done," said Howard Jones, CIO of Snapper Inc., in McDonough, Ga. "We are struggling with the junk mail, but until it gets out of hand, we will not try to filter the nonbusiness stuff."