News Items: Understanding Virus Risk Assessments
Breaking Virus/Security News
On the virus front, the numbers keep shooting up: since January 1, 2003, almost 400 new threats have been identified and signatures created. For more details, visit Symantec’s “Virus Definitions Added” (http://www.symantec.com/avcenter/defs.added.html).
At Microsoft, things have picked up since the last newsletter: five security alerts have been posted in the last week, including their first three new alerts for 2003 and two updates from 2002. Also, the recently rediscovered Slammer worm that affects SQL servers has wreaked havoc at ISPs and corporate sites in the recent past:
- For a current list of security bulletins and updates, including MS03-001, -002, and -003, plus other later breaking news, see http://www.microsoft.com/technet/security/default.asp
- For the story on the Slammer worm, see http://www.searchsecurity.com/originalContent/0,289142,sid14_gci876675,00.html
- For the original Slammer Microsoft Security Bulletin (MS02-039), see http://www.microsoft.com/technet/security/bulletin/MS02-039.asp
- For a “customer update” on the Slammer worm, visit http://www.microsoft.com/technet/security/virus/alerts/slammer.asp.
FYI, MS03-003 addresses the way Outlook 2002 handles V1 Exchange Server Security certificates, MS03-002 provides a cumulative patch for Microsoft Content Management Server, and MS03-001 deals with yet another unchecked buffer problem that can affect Windows NT 4.0, 2000, and XP machines (worth fixing).
Understanding Virus Risk Assessments
Remember that when it comes to viruses, worms, Trojans, and so forth, overall risk assessment rates such malware on the three components covered in the last newsletter: wild (the degree to which it is encountered “in the wild,” that is, out on real systems and networks), damage (the nature and extent of damage or loss of service it causes), and distribution (its speed and virulence, or degree of infectiousness). Those ratings combine into Categories 1 to 5, where Category 5 is very severe and Category 1 is very low. Here is where I explain the categories in more detail (remember also that terms vary somewhat from site to site, and that I draw on Symantec’s information at http://www.symantec.com/avcenter/threat.severity.html for this discussion):
- Category 5 is rated Very Severe
Represents an extreme threat, one that is quite difficult to contain. To respond, all machines should update virus definitions immediately and scan for infection; e-mail servers may need to be temporarily shut down as well. Category 5 means that all three metrics (wild, damage, and distribution) rate high.
- Category 4 is rated Severe
Represents a dangerous threat that is difficult to contain. Download and deploy the latest virus definitions immediately. Category 4 means wild is rated high, and that either damage or distribution is also rated high.
- Category 3 is rated Moderate
Represents a threat that is highly wild (but relatively harmless or containable), or one that is potentially dangerous but not widely encountered in the wild. Thus, Category 3 means that either wild is rated high, or that damage and distribution are both rated high.
- Category 2 is rated Low
Represents a threat rated low or moderate for wild with a relatively harmless or containable payload, or a threat not seen in the wild that shows interesting damage or distribution potential. Often associated with viruses that make the news. Category 2 means that either damage or distribution is rated high, but that wild is rated only low or moderate.
- Category 1 is rated Very Low
Represents a minor threat that rarely makes the news and has no reports in the wild. All three metrics are low in this case.
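As an added illustration (not code from this newsletter or from Symantec), the following Python encodes the five category rules above as a small triage helper. The threat names and ratings in the sample are constructed, and the handling of "moderate" ratings with no metric rated high is this example's own assumption, since the rules above do not spell out that case.

```python
from typing import Dict, List, Tuple

RATINGS = ("low", "moderate", "high")


def assess_category(wild: str, damage: str, distribution: str) -> int:
    """Map (wild, damage, distribution) ratings to a Category 1-5 score.

    Rules are checked from most to least severe, so a combination that
    matches more than one description gets the highest category that fits.
    """
    for name, value in (("wild", wild), ("damage", damage),
                        ("distribution", distribution)):
        if value not in RATINGS:
            raise ValueError(f"{name} must be one of {RATINGS}, got {value!r}")
    wild_high, dmg_high, dist_high = (r == "high" for r in (wild, damage, distribution))

    if wild_high and dmg_high and dist_high:
        return 5  # Very Severe: all three metrics high
    if wild_high and (dmg_high or dist_high):
        return 4  # Severe: wild high, plus damage or distribution high
    if wild_high or (dmg_high and dist_high):
        return 3  # Moderate: widely seen but containable, or dangerous but not wild
    if dmg_high or dist_high:
        return 2  # Low: damage or distribution high, wild only low/moderate
    if wild == damage == distribution == "low":
        return 1  # Very Low: nothing high, no reports in the wild
    # Assumption (not stated in the rules above): "moderate" ratings with no
    # metric high fall under Category 2, whose description covers a low- or
    # moderate-wild threat with a harmless or containable payload.
    return 2


def triage(threats: Dict[str, Tuple[str, str, str]]) -> List[Tuple[str, int]]:
    """Return (name, category) pairs, most severe first, for a batch of threats."""
    scored = [(name, assess_category(*ratings)) for name, ratings in threats.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    # Constructed sample ratings with hypothetical names, not real assessments.
    sample = {
        "worm-a": ("high", "high", "high"),
        "macro-b": ("high", "low", "moderate"),
        "trojan-c": ("low", "high", "low"),
        "test-file-d": ("low", "low", "low"),
    }
    for name, category in triage(sample):
        print(f"Category {category}: {name}")
```

Categories 4 and 5 are the ones the text ties to immediate definition updates and scanning, so sorting a batch this way puts the threats that need emergency handling at the top.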