CSC Strives to Ensure a Virus-Free Environment

by Raymond Poon

The Sasser virus and its variants have been rampaging on the Internet since May 2004. According to the information provided by Symantec, Sasser is an Internet worm spreading through the MS04-011 (LSASS) vulnerability.

This vulnerability is caused by a buffer overrun in the Local Security Authority Subsystem Service, and will affect all machines that are:

- Running Windows XP or Windows 2000
- Haven't been patched against this vulnerability
- Are connected to the Internet without a firewall

Once infected with the Sasser worm, the following symptoms may occur:

- Computer performance is decreased or network connection is slow
- One may see a dialog box that contains text that refers to LSA Shell
- Computer may restart every few minutes without user input

Many organizations and universities worldwide were hit really hard at the time. Fortunately, most of our users hardly noticed this epidemic because:

  1. We, the Computing Services Centre (CSC), have been taking preventive measures by automatically forcing security patches of Windows as well as updates of virus signature files to all PCs on our Staff LAN as soon as these patches and updates become available.
  2. We have been proactively urging those users whose PCs are not managed by the CSC (e.g. PC for research, LAB PC, etc) but are detected by our security software tools to be vulnerable to either hacking activities or contracting viruses to take immediate remedial action. If they do not cooperate, their machines will be forced to disconnect from the campus network in order to protect other users on the network.
  3. From the past experience learnt, we have been able to identify threats well before they get worse and are deploying security devices at critical parts of the network infrastructure to monitor for abnormal traffic and to limit the potential damages done by new threats or unidentifiable attacks.
  4. For those publicly accessible PCs (e.g. those in Lecture Theatres, classrooms, etc) or kiosks that we manage, we install additional security hardware and procedures to further protect our users. For those we do not manage, we have been providing departments with best practices and guidelines on how to secure them which actually are the first point of entry to our network and thus also served as its first line of defense.
  5. We have been making use of the Departmental Network Administrators (DNA) and the System & Network Technical Group (SYSNET) to communicate well and share experience with one another on tackling security problems.
  6. We have been using statistics gathered from the Help Desk on types and causes of security breaches, users' awareness levels, etc. to establish policies, devise preventive measures and promote user awareness.

Despite these, we still see room for improving our preparation for the next wave of attacks. We still have lots of fire-fighting work to tame the viruses spread by improperly protected PCs on campus as well as those at the student hostels and at home that we practically have little or no control of.

The University community must work hand in hand as a whole to secure our network. After all, the security of our network is only as strong as its weakest link.