Review of NIST anti-virus paper... (L

David Gursky dmg at lid.mitre.org
Thu Sep 28 05:43:11 AEST 1989


[Note to the editors of Info-Mac, Info-IBMPC, Info-VAX, and SunSpots:  While
 your various digests do not focus directly on viruses, some of your readers
 may be interested in this review I wrote up of the recent NIST paper:
 _Computer Viruses and Related Threats:  A Management Guide_.  Feel
 free to include this in your digests if you wish, but do not alter it.
 You may remove this header if you so wish. -- David Gursky]

Recently, the National Institute of Standards and Technology (NIST, the
successor to the National Bureau of Standards) published a short paper
entitled:  _Computer Viruses and Related Threats: A Management Guide_.  I
have had a chance to read through it, and here are my comments:

NIST Virus study comments

First and foremost, the NIST paper is an excellent, broad summary of
knowledge of prevention measures for "electronic threats".  It does not
deal with the specifics of protecting this system, or that system, but
rather looks at two classes of systems (multi-user and single-user) in two
different environments (stand-alone or networked) and discusses six
aspects of the security issue: General Policies, Software Management,
Technical Controls, Monitoring, Contingency Planning, and Network
Concerns.

As much as I want to say this is an excellent paper, I find two flaws that
hold it back:

1 -- The paper is not always consistent in its tone and advice

2 -- Some advice presented in the paper is based on false assumptions

Inconsistency --

The authors of the paper appear to have a problem accepting that any
successful policy to deal with electronic threats must rely on the
cooperation of the user community.  At certain points, it explicitly states
system managers must *prevent* users from performing actions of
questionable risk altogether, and later on it states that users can do the
same thing under controlled circumstances.

The problem of electronic threats is *everyone's* problem, and *everyone*
must be part of the solution.  The underlying attitude of the authors
seems to be "users cannot be counted on".  For better or for worse, users
*must* be counted on, and when that is not possible, made accountable.

Other examples of where the authors make one statement, and then back down
from it elsewhere in the paper exist; this is the one that I happen to
have picked up.  By the same token, there are only a few instances of this
type of hemming and hawing.

False Assumptions --

The paper forwards the myth that programs obtained from public sources
(bulletin boards; public network libraries) are inherently tainted, and
that shareware/freeware/etc. should really be avoided.  Certainly
applications obtained from these sources are riskier, but these risks can
be minimized through careful selection of sources (i.e. public sources
with a large pool of experienced users feeding from it), by judicious
testing of software obtained from these sources, and by maintaining an
internal library of these applications.  This last step (completely
overlooked by Wack and Carnahan) of providing users access to shareware
from a corporate-sanctioned library can go far in ensuring that
applications from riskier, public sources are not brought into the
corporate computing environment.

By the same token, the paper forwards the myth that commercially obtained
applications are inherently untainted.  The Aldus Freehand infection (among
others) demonstrates that this is clearly not true.

Summary --

Summarizing, I would say this paper is a very good source for technical
users looking to gain information about how to go about addressing the
virus problem, and a good source for corporate managers looking at the
same question.  The paper's inconsistency on the role users must play in a
successful anti-virus strategy, and its partial reliance on a false
assumption hold it back from being excellent on both counts.

Copies of the NIST paper can be obtained for $2.50 from the U.S.
Government Printing Office, 202.783.3238.  The document is NIST Special
Publication 500-166, GPO #003-003-02955-6.

The opinion expressed in this review is mine, and does not in any way
reflect the official policy of the MITRE Corporation, or any of MITRE's
clients.

Please do not redistribute this review without my consent first.

Thank you.

Submitted 27 September 1989

David M. Gursky
Member of the Technical Staff, W-143
Special Projects Department
The MITRE Corporation
