Virus, Worm & Spam Costs 1: An Episode at the University of Florida [1]
Richard A. Elnicki, D.B.A.
Professor of Information and Decision Sciences
Computing and Networking Services Associate Director
University of Florida

Executive Summary
MSBlast, SoBig, and NACHI attacked users on the networks at the University of Florida (UF) in mid-August, 2003. Almost all academic and administrative groups were affected directly or indirectly by these viruses, worms, and spam (VWS). By the end of the first week of September, 2003, an extensive cleanup and maintenance effort was in process across the 85,000-member UF community, and the UF Provost for IT requested an estimate of the costs of the episode to the UF.
A review of literature on VWS showed wide variations in impacts. It also pointed to an exponential growth from about 200 identified viruses in 1990 to over 70,000 today. A number of cost models were found. One of the most comprehensive is by mi2g Limited, a British firm. It rated SoBig as the most expensive worldwide at a cost of $37.1 billion.
A decision was made early in this study to estimate the paid personnel time the UF lost from its primary teaching, research, and service activities. The UF provides office-based hardware, software, and network access for all office-based employees. These resources are also made available for work at home by faculty and staff. All UF faculty, staff, and students have ethernet 10/100/1000 megabyte access on campus and dial-up access (56K) from home with monthly connect-time quotas paid by the UF Provost. DSL and cable access are also common. Wireless is being distributed throughout campus and the use of VPN software by all wireless users is strongly encouraged.
Four employee groups were identified for a survey: 1. faculty, 2. administrative and office staff (excluding the next two), 3. information technology (IT) staff (excluding the next group), and 4. network management staff. These 4 groups could be identified by official records giving full-time equivalents and salaries, wages and fringe benefits by group for Fall Semester, 2003. Structured sampling was used for the survey. The proportions of faculty and of administrative and office respondents were almost exactly the same as the population proportions. The expected number of IT staff responded, but three times the expected number of network management staff members responded. In total, 178 returned survey forms could be used in the statistical analysis of results.
All participants were asked to provide detailed information on the micros they had in their offices, homes, or carried (laptops). They were asked whether they had automated downloads of operating system and virus scan software upgrades. All were asked for estimates of the time they spent cleaning and maintaining their micros. Network managers were asked to estimate the time they spent supporting others as their final question, while all other respondents were asked how much time they were not able to use their micro systems because of VWS. The detailed results are shown below in Table 1.
Over the approximate four-week period of the attack and cleanup, the survey results of individuals' lost time applied to the UF population gave an estimate of 54,556 lost hours, or 32 man-years based on the typical UF leave, sick and vacation days. It was also about 2.3 percent of the work hours in the 4-week period of the VWS attacks and cleanup. Based on the pay and fringe benefit rates of the population groups, the dollar cost to the UF was $1,902,730. No systematic results related to automatic downloading of software have been found to date.

Contents
   1. Introduction    2. UF Cost Study Structure    3. Structured Sampling
   4. Survey Results    5. Prevention Policies    6. Conclusions
1. Introduction
In the middle of August, 2003, MSBlast, SoBig, and NACHI (a.k.a. Welchia) hit the networks at the University of Florida (UF). These viruses, worms, and spam (the spam from SoBig; detailed definitions are in [2] below), or "VWS", targeted 85,000 individuals in the UF community. Most academic departments and administrative groups at the UF were affected by the VWS attack directly or indirectly. The network supporting Internet access for about 7,000 students in UF residence halls was closed down for a period, as were some other networks.

By the end of August an extensive cleanup and maintenance effort was in process. At the end of the first week in September, the UF's Provost for IT asked the director of the UF's Computing and Networking Services (CNS) for an estimate of the costs of this attack episode to the UF. The author was assigned this task. A review of published work on the subject continued and work on the task at the UF was initiated.

Preliminary results published August 29, 2003, based on a TruSecure/ICSA Labs survey [3] of 882 corporations worldwide, indicated wide variation in the impacts of MSBlaster. Fifty-five percent reported no impact, 30 percent minor impacts, and 15 percent moderate or major impacts; the latter group had average estimated costs of $475,000. A number of viruses and worms have appeared worldwide since the episode that started September, 2003. This was certainly nothing new. Since John von Neumann researched self-reproducing automata in the 1950's, and the first virus, Pervade, spread through UNIVACs in 1975, they have become part of the IT landscape:

"Although viruses and worms took more than a decade to emerge in
significant numbers, they soared in subsequent years. By the end of
1990, about 200 viruses had been identified. Today, that number has
jumped to more than 70,000. Although less than 1 percent of those
viruses have compromised computers on the Internet, more than 80
percent of companies suffered a digital infection, according to
Computer Security Institute." URL: http://www.gocsi.com/ [4]

A number of cost models were found in published work since the research was started. One of the more comprehensive models was developed by mi2g Limited, a British firm. A member of the mi2g Limited Intelligence Unit stated in an e-mail to the author that their "...algorithm used to calculate economic damage is proprietary and I am unable to disclose its contents explicitly." [5] He did include the following list of components used in their algorithm.

  1. overtime payments
  2. contingency outsourcing
  3. loss of business
  4. bandwidth clogging
  5. productivity erosion
  6. management time reallocation
  7. cost of recovery software upgrades
  8. and bandwidth
He also noted that other factors, such as brand damage, were not included.   A historical summary of "the worst viruses" by the mi2g Intelligence Unit was publicized by e-Week on February 19, 2004, in their "e-WEEK.com Special Report: E-mail Worms 2004."   The mi2g list put SoBig in first place at $37 billion worldwide as of January 19, 2004.  
  1. Sobig ($37.1 billion)
  2. MyDoom ($22.6 billion)
  3. Klez ($19.8 billion)
  4. Mimail ($11.5 billion)
  5. Yaha ($11.5 billion)
  6. Swen ($10.4 billion)
  7. Love Bug ($8.8 billion)
  8. Bugbear ($3.9 billion)
  9. Dumaru ($3.8 billion)
  10. SirCam ($3 billion)
The mi2g cost estimate for SoBig is very large absolutely (37 followed by 9 zeros!). SoBig was so big! The e-Week publication did not include a relative basis for comparison, but a relative comparison will be included below.

2. UF Cost Study Structure
Early in this task, it was decided to not include students in this study.   While about 7,000 UF students were in UF residence halls, the other 40,890 were in apartments and homes in or close to Gainesville.   Detailed analysis of how their costs might be structured and then sampled led to the conclusion this study would consider only UF faculty and staff.   Part of this decision was due to factors in the following paragraphs.

The UF provides office-based hardware, software and network access for all faculty and staff with office-based positions.   The same resources are provided for home-based work when approved by a staff member's supervisor and department.   Faculty also have home-based micro systems provided by various UF funds.   Many faculty and staff members also have laptops provided by UF funds or purchased by those individuals.

The software supported by UF on micros in offices and residences and on laptops included operating systems, work applications, and anti-virus packages. While students have access to this software, the UF does not provide micro hardware for students. On-campus sites for faculty, staff, and students have ethernet 10/100/1000 megabyte access. All UF students, faculty, and staff have dial-up (56K) access to UF systems; monthly quotas paid by the UF Provost total 30 hours for undergraduates, 60 hours for graduate students, and 120 hours for faculty and staff. Individuals pay for connection time (at $.008/minute) over these quotas. In addition, many users have DSL or cable access from their residences; these higher-speed connectivity modes can be paid by the UF if an individual often does employment-related work from their residence. Wireless is being distributed throughout the campus: Cisco virtual private network (VPN) software is provided by the UF and its use by all wireless users is strongly encouraged.

Data on the costs of hardware, software and connectivity provided was in the UF's financial systems.   Except for a contract with Networks Associates Technology, Inc., to provide McAfee VirusScan Enterprise, no other central object-specific expenditures had been made by the UF for user software to prevent attacks and minimize consequences.   Substantial resources have been allocated for all IT security issues in general, and a dedicated full-time IT security staff was started in April, 1999.

This work focused on the time UF employees used to respond to the attacks and lost because systems were disabled, i.e., productivity erosion, Number 5 in mi2g's list. The other components in the mi2g list were (a) not applicable to the UF or (b) could not be measured in a timely manner. Four groups of UF employees were defined for this study. They were as follows.

  1. Faculty.
  2. Administrative and Office Staff excluding 3 and 4.
  3. Information Technology (IT) Staff excluding 4.
  4. Network Management Staff.
Two survey forms were developed. This was done by working through 6 drafts and revisions based on critiques and suggestions by IT staff at the UF's CNS and by faculty colleagues of the author. The result of this effort was two forms that were identical except for the final question(s). The forms are included here as Exhibits 1 and 2.

The survey forms for all four UF employee groups included common information requests regarding individuals'

  • departments and classification,
  • office workstations,
  • residence workstations,
  • laptops,
  • access from residences,
  • time spent cleaning up and maintaining hardware on 2, 3, & 4 in this list.
It was very common for individuals to have 2 workstations in their offices and/or homes, and some had more.   During the development of the form, it was concluded individuals could give estimates of time devoted to clean up and maintenance in their office (A), residence (B), and on laptops (C), but could not give reasonable estimates of times for each device in a location.   So, question D. on both forms asked the following.

"D.   Your time spent on all activities including reading and deciding what you should do, getting software, installing and running software, and/or deleting garbage e-mails and files in response to the MSBLAST, SoBIG and Nachi attacks:

Estimated Time for A: ____ Hours. ____ None.

Estimated Time for B: ____ Hours. ____ None.

Estimated Time for C: ____ Hours. ____ None."

Individuals were asked to supply the following information on each of their workstations at their office (A), at their residence (B), and on their laptops (C). Space was provided for two micros in each group; respondents were asked to add columns if they had more than two.

"Operating System (s)     ______________     _________________
 Scheduled System
  Upgrade Downloads:     (   ) Yes (   ) No       (   ) Yes (   ) No
 Scheduled Virus Scan
  Upgrade Downloads:     (   ) Yes (   ) No       (   ) Yes (   ) No"

The intent of the questions on scheduled downloads of operating system and virus scan upgrades and patches was to be able to determine whether such automatic action would be correlated with the amount of time individuals lost due to the attacks. A much more detailed form that would have attempted to capture more relevant information on this question was not used because of its length and difficulty. For example, following the saying, "The only safe computer is one that is not turned on." [4], asking questions about when a given micro in a location was or was not turned on increased the form by a factor of four.

It was expected there would be major differences in time lost due to clean up and maintenance by the four employee groups defined for this study. In addition, it was expected that some individuals would be denied access to their systems for some time due to the attacks. So, all groups excluding the network managers were asked the following.

"E.   Excluding your time estimates in D., what amount of time were you not able to work on your system(s) because of required maintenance and clean up caused by the viruses and worms?

      ___________ Hours.     (   ) None."

The network managers were not asked this question about lost down time.   Rather, they were asked for estimates of their total support time for their users and whether they run centralized department or group automated software updates and patches in Questions E and F.

"E.   Excluding your time estimates in D., what amount of time did you spend supporting others as part of your normal job duties for maintenance and cleanup. Include time spent on direct support with user workstations and maintaining and cleaning servers.

      ____Hours.     ____None.

F.   Does your department/group use any automated systems for installing operating system and/or virus updates to end-user workstations?

      ____ Yes     ___No"

Both forms ended with an open-ended question. It asked for general comments and comments about department/college and UF support.

3. Structured Sampling
A structured sampling was used for the study. It was expected that individuals managing networks would have the highest total average times since they were responsible for the network systems, servers, and supporting users. All known individuals doing network management were contacted via a network managers listserv e-mail list. They were not required to have a formal management position, but, rather, were responsible for managing networks in their departments or groups as well as other IT direct or support duties. Of the estimated 289 UF employees with these network management duties, 83 responded to the on-line questionnaire shown in Exhibit 1 below. This was about 3 times more than the number of respondents expected from individuals managing networks. Of these, 10 (12 percent) reported they were on faculty lines.

The user form shown in Exhibit 2 below was distributed in paper form to a mix of faculty, administrative and office staff, and non-network manager IT employees. In total, 95 usable forms were returned to the author. It was anticipated that all IT employees would have the lowest lost cleaning and maintenance time of the three groups and that administrative and staff employees would have the highest lost time. The reverse was the case.

4. Survey Results
The population and sample sizes and some general descriptive statistics are shown in Table 1.

Table 1: Population, Samples, and General Results

Fall 2003                                  Faculty Adm. & Office  IT Excluding       Network            UF
                                         Positions         Staff       NW Mgt.    Management         Total
University F.T.E.'s (A)                    4,326.2       7,089.7         353.1         289.0        12,058
   Non-IT Proportions                        37.9%         62.1%
   IT Proportions                                                        55.0%         45.0%
Sampled                                         24            43            28            83           178
   Proportions                               35.8%           64%         25.2%         74.8%
Micros per Individual                         3.79          2.49          4.07          3.35
Cleaning & Maint. per Micro                   0.65          0.86          1.03          3.26
Cleaning & Maint. per Individual              2.48          2.15          4.20         10.91
Down Time Per Individual                      1.46          1.22          0.23
Support Time Per NW Manager                                                             30.8
Individual Total Lost Time [B]                3.94          3.37          4.43         41.71
UF Total Lost Time [A x B = C]              17,045        23,892         1,564        12,054        54,556
UF Work Hours Per Week: 5 Days
  8 @ Office & 2 @ Home [D]                216,310       354,485        17,655        14,450       602,900
Hours Lost If Episode Spanned
   1 Week for All [C / D = E]                 7.9%          6.7%          8.9%         83.4%          9.0%
   4 Weeks for All [D / 4 = F]                2.0%          1.7%          2.2%         20.9%          2.3%
Lost Man Years [C/1,703.1]                    10.0          14.0           0.9           7.1          32.0

One Man-Year at UF Net of Leave, Sick & Vacation Days is 1,703.1 hours.

The average time spent on cleaning and maintenance per micro by groups differed from initial expectations.   Individuals involved in network management spent more time by a factor of 3 or more than the other groups with an average of 3.26 hours per micro.   Perhaps this was due to their likely higher concern about potential problems and knowledge of what could and should be done.   Faculty had more average down time per individual than the other two groups addressing this question.

The support time per individual managing networks was 30.8 hours. This statistic was presumably affected by the number of networks, servers, and users a given network manager supported. Complications in elaborating on this dimension of demand on their time resulted in a large number of detailed questions being eliminated from the questionnaire.

Imputing the average sample results, Table 1 [B], to the UF populations by group gave a total 54,556 hours, Table 1 [C], of lost time due to the attack episode.   Caveats on this imputation include known problems with the initial UF population F.T.E. values.   There was no way to reconcile the "official" line designations shown on Table 1 [A] with what activities individuals were actually performing.   It is likely the F.T.E.'s for faculty, administration and office staff positions are overstated and those for IT, excluding network management, are understated.

Given this and other caveats, and a work week defined as 5 days at 8 hours in office and 2 in residences, work hours for each of the employee groups were calculated as shown in Table 1 [D] .   Then, given that the episode and remedy work lasted

          * 1 week, the episode cost the UF 9.0 percent of all work hours, and

          * 4 weeks, the episode cost the UF 2.3 percent of all work hours.

So, based on the sample results and assumptions regarding imputing them to the UF populations, the episode cost the UF between 2.3 and 9.0 percent of all employees' work hours, since it spanned between one and 4 weeks for almost all users. A different view based on the average man-year hours at the UF leads to the conclusion the VWS episode cost the UF 32 man-years of time: 32 employee-years were diverted from expected teaching, research, and service activities in response to the attack on IT resources. Based on the pay and fringe benefit rates of the four identified population subgroups, the dollar cost to the UF was $1,902,730 in Fall Semester, 2003.
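The imputation behind Table 1, carried through as an added example (not part of the original paper): it rebuilds [B], [C], the share of work hours for any episode length, and lost man-years from the table's per-group averages. The `Group` class and the function names are illustrative assumptions, and the blended hourly rate is derived here from the paper's two totals because per-group pay rates are not given on the page.

```python
"""Productivity-erosion cost model using the figures in Table 1 (added example)."""
from dataclasses import dataclass

# Constants taken from Table 1 and the surrounding text.
WORK_HOURS_PER_WEEK = 5 * (8 + 2)   # 5 days, 8 h in office + 2 h at home [D]
MAN_YEAR_HOURS = 1703.1             # one UF man-year net of leave, sick, vacation
REPORTED_DOLLAR_COST = 1_902_730    # total dollar cost reported in the paper


@dataclass(frozen=True)
class Group:
    name: str
    fte: float           # population F.T.E.'s [A]
    clean_hours: float   # cleaning & maintenance hours per individual
    other_hours: float   # down time (users) or support time (network managers)

    @property
    def lost_per_person(self) -> float:
        """Individual total lost time [B]."""
        return self.clean_hours + self.other_hours

    @property
    def lost_hours(self) -> float:
        """Group total lost time [C] = [A] x [B]."""
        return self.fte * self.lost_per_person


# Survey averages per group, copied from Table 1.
GROUPS = (
    Group("Faculty", 4326.2, 2.48, 1.46),
    Group("Adm. & Office Staff", 7089.7, 2.15, 1.22),
    Group("IT excl. NW Mgt.", 353.1, 4.20, 0.23),
    Group("Network Management", 289.0, 10.91, 30.8),
)


def total_lost_hours(groups=GROUPS) -> float:
    """Sum of [C] over all groups."""
    return sum(g.lost_hours for g in groups)


def share_of_work_hours(groups=GROUPS, weeks: float = 1.0) -> float:
    """Fraction of all paid work hours lost if the episode spanned `weeks`."""
    if weeks <= 0:
        raise ValueError("episode length must be positive")
    available = sum(g.fte for g in groups) * WORK_HOURS_PER_WEEK * weeks
    return total_lost_hours(groups) / available


def man_years(groups=GROUPS) -> float:
    """Lost hours expressed in UF man-years."""
    return total_lost_hours(groups) / MAN_YEAR_HOURS


def implied_hourly_rate(groups=GROUPS, dollar_cost=REPORTED_DOLLAR_COST) -> float:
    """Blended pay-plus-fringe rate implied by the reported total.

    Derived value, not a figure from the paper.
    """
    return dollar_cost / total_lost_hours(groups)


def report(groups=GROUPS, spans=(1, 4)) -> list:
    """One text line per group plus a UF total line."""
    lines = []
    for g in groups:
        shares = ", ".join(
            f"{100 * g.lost_per_person / (WORK_HOURS_PER_WEEK * w):.1f}% over {w} wk"
            for w in spans
        )
        lines.append(f"{g.name:<22}{g.lost_hours:>10,.0f} h  ({shares})")
    totals = ", ".join(
        f"{100 * share_of_work_hours(groups, w):.1f}% over {w} wk" for w in spans
    )
    lines.append(
        f"{'UF Total':<22}{total_lost_hours(groups):>10,.0f} h  ({totals}); "
        f"{man_years(groups):.1f} man-years; "
        f"implied rate ${implied_hourly_rate(groups):.2f}/h"
    )
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Passing a different `weeks` value to `share_of_work_hours` shows how sensitive the percentage is to the assumed episode length, which is the only input separating the 9.0 and 2.3 percent figures.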

5. Prevention Policies
Some of the cleaning and maintenance activities will, presumably, help prevent the scope and extent of future attacks. A logical question follows. What policies should the UF adopt and/or recommend to the various classes of employees to minimize the scope and extent of future attacks? All respondents were asked whether they used scheduled downloads of software: upgrades and patches that could help any individual minimize the effects of future attacks.

The responses on the existing use of scheduled downloads and related times for cleaning and maintaining systems after the attack episode do not support the conclusion that such scheduled downloads reduced the time required for cleaning and maintaining systems. All 178 respondents are included in the following results shown in Table 2. The designation "...-Yes" indicates that all office, home, and laptop micros had scheduled updates and patches. The designation "...-No" indicates that at least one micro did not have them. While this strict logic was used in classifying users as "...-Yes" or "...-No", most users either had all their micros scheduled for updates and patches or had none so scheduled.

  Table 2: Cleaning & Maintenance Hours per Micro
  Scheduled Updates & Patches:      N     Mean    S.D.
  Operating Systems-No             66     1.12    2.26
  Operating Systems-Yes           112     1.96    2.83
     Difference                            .84    Not Normally Distributed
  Virus Scan Software-No          114     1.55    2.68
  Virus Scan Software-Yes          64     2.00    2.60
     Difference                            .45    Not Normally Distributed
  Both-No                         118     1.51    2.76
  Both-Yes                         60     1.92    2.46
     Difference                            .41    Not Normally Distributed

Users responding No to operating system, virus scan, and both had lower average cleaning and maintenance times than users responding Yes. In all cases, the standard deviations are greater than the means, meaning the results are not normally distributed (normal distributions with these means and standard deviations would have to have negative hour values, a physical impossibility). So, t-statistic tests are inappropriate for comparisons.

More detailed analysis is needed for tests of statistical significance. Review of the data suggests that employee group may significantly influence these results. This could be due in part to a perceived lower degree of confidence in scheduled, as compared to manually controlled, updates and patches by more technically proficient users.

Another complicating variable is the communication mode. Dial-up phone service was used from residences by 59.6 percent of all respondents. Software downloads take very much longer by phone as contrasted with DSL (10.7 percent of all respondents) or cable (29.8 percent), so users may find carrying updates home more efficient and safe if they have dial-up connectivity. In addition, firewall packages such as the free version of Zone Alarm [7] recommend turning off traffic to one's system if it is to be unattended for long periods of time, e.g., while away from one's residence at work, regardless of the type of connectivity. In addition, some users prefer to have manual control over what gets downloaded on their systems. [8]

Yet another plausible explanation of the inconclusive results shown in Table 2 is that the less technically proficient users at the UF have their systems managed in part by the network managers, who are, in fact, doing an excellent job for these users. If this is, in fact, the case, low cleaning and maintenance times on the part of the administrative and office staff members would be expected. The function for these users is carried on continuously by their network support managers, with the result that their own work times are lower than would otherwise be the case.

Other factors that were not in the questions -- in part because long, involved questionnaires tend to get ignored -- may be keys to the process.   For example, a user with the current operating system updates and patches and virus scan updates could still get infected if a virus or worm arrived after the last updates but before the operating system defect was discovered and fixed by the vendor or before the virus cleaner was released by the vendor.   Simple timing patterns with frequent use of virus scans and full-time use of firewalls may be the most significant factors in the continuing battle against VWS attacks.

It may also be that different defense policies will be appropriate for office based systems, residence based systems, and laptops.   They may have to reflect individual preferences and possibilities across employee groups.   While managers can require practices of employees, faculty typically resist mandated policies.  

More sophisticated data analysis, perhaps with Analysis of Variance to isolate factors or conditions such as employee type, location, and/or connectivity, may give results that support the use of automatic or scheduled software updates and patches. The inconclusive results shown in Table 2 do not suggest automatic or scheduled updates and patches are of no value for all users. The results suggest setting prevention policies will be much more complicated than some simple one-for-all approach.

6. Conclusions, Implications, & VWS Costs 2
The cost of the VWS attack and response covering the period August 15, 2003 through September 15, 2003 was between 2.3 percent and 9.0 percent of employee time at the UF, depending on whether the average time span of the episode was 4 weeks or 1 week. In absolute terms, the time costed out to $1,902,730 at the cost plus fringe benefit rates of the four employee groups identified for this work. A different view based on UF F.T.E. man-years was that the episode took 32 employee man-years away from normal work activities, or 32 man-years of productive employee time was lost. Given the official 12,058 F.T.E. UF employees at the time, this cost is relatively small, .26 percent, on an annual basis if it is not repeated. The sky is not falling, or is it?

Analysis of cleaning and maintenance time per micro to date was inconclusive, raising questions and supporting no simple policy recommendation.   While there may not be any simple policy recommendations possible on this problem, work on variables and conditions likely affecting these outcomes will continue.   This will include various combinations of employee type, micro location, dial-up access, and IT support level.   A plausible hypothesis for the higher cleaning and maintenance times by network management staff members, 3.26 hours per micro, as compared to other IT employees at 1.03 hours per micro, administration and office employees at .86 hours, and faculty at .65 hours is that the more technically knowledgeable knew more that could be done and, in fact, took more time to care for their micros.

A follow-on study, VWS Costs 2, will look at how members of the UF community, including students, now defend their micros against attacks.   It will look at the way individuals are doing, using, or not using the following.

Finally, a fit to the trend suggested by the Computer Security Institute in the introduction above implies identified VWS will likely grow exponentially in the future. The present 70,000 could grow to 1,399,000 by 2010! A new component of the IT industry has come into being as a result of the growth from 200 identified viruses and worms in 1990. The Yankee Group coined the term "vulnerability management services", VMS's. It prepared a report that included recommendations for VMS vendors and enterprise buyers of its services. One statement in their Executive Summary has the full endorsement of Kathy Bergsma, the UF's Information Security Manager.

"Enterprise security teams are overwhelmed with the volume of information from
intrusion detection systems (IDSs) and patch notifications from vendors." [9]

While the sky may not be falling, the following animated cartoon on how IT security managers may often view themselves provides comic relief at this ending.[10]

[Animated image: Dog Running]
1:   A VIRUS;     A WORM;     SPAM;    GO TO 1;     STOP;     END;



[1] Written for presentation at the Southern (Academic Computing Center) Directors' Conference, Atlanta Marriott Suites Midtown, February 26, 2004.   Special thanks to Kathy Bergsma, UF Information Security Manager, and to Chuck Logan and Jordan Wiens, her colleagues at the UF CNS, for their support and help on this project.   Jordan's work with coauthor Curtis Franklin on firewalls was recently published with the title "Are Your Web Apps SECURE?", INFOWORLD, February 9, 2004, Pp. 35-41.   It is recommended for anyone interested in Web security.

[2] The following definitions are from web.ask.com.   Virus:   A virus is a piece of programming code usually disguised as something else that causes some unexpected and usually undesirable event. A virus is often designed so that it is automatically spread to other computer users. Viruses can be transmitted as attachments to an e-mail note, as downloads, or be present on a diskette or CD. The source of the e-mail note, downloaded file, or diskette you've received is often unaware of the virus. Some viruses wreak their effect as soon as their code is executed; other viruses lie dormant until circumstances cause their code to be executed by the computer. Some viruses are playful in intent and effect ("Happy Birthday, Ludwig!") and some can be quite harmful, erasing data or causing your hard disk to require reformatting.

Worm:
1) In a computer, a worm is a self-replicating virus that does not alter files but resides in active memory and duplicates itself. Worms use parts of an operating system that are automatic and usually invisible to the user. It is common for worms to be noticed only when their uncontrolled replication consumes system resources, slowing or halting other tasks.
2) In computer storage media, WORM (for write once, read many) is a data storage technology that allows information to be written to a disk a single time and prevents the drive from erasing the data. The disks are intentionally not rewritable, because they are especially intended to store data that the user does not want to erase accidentally. Because of this feature, WORM devices have long been used for the archival purposes of organizations such as government agencies or large enterprises.

Spam:
Spam is unsolicited e-mail on the Internet. From the sender's point-of-view, it's a form of bulk mail, often to a list obtained from a spambot or to a list obtained by companies that specialize in creating e-mail distribution lists. To the receiver, it usually seems like junk e-mail. It's roughly equivalent to unsolicited telephone marketing calls except that the user pays for part of the message since everyone shares the cost of maintaining the Internet. Spammers typically send a piece of e-mail to a distribution list in the millions, expecting that only a tiny number of readers will respond to their offer. Spam has become a major problem for all Internet users.
The term is said to derive from a famous Monty Python sketch ("Well, we have Spam, tomato & Spam, egg & Spam, Egg, bacon & Spam...") that was current when spam first began arriving on the Internet. SPAM is a trademarked Hormel meat product that was well-known in the U.S. Armed Forces during World War II.

[3] Russ Cooper, "TruSecure Blaster Impact Study," TruSecure/ICSA Labs, E-mail, August 29, 2003.   URL http://archives.neohapsis.com/archives/ntbugtraq/2003-q3/0190.html

[4] Robert Lemos, "The Computer virus--no cures to be found," CNET News.com. November 25, 2003. URL http://zdnet.com.com/2100-1105-5111442.html

[5] The e-mail to the author is available on request. mi2g has an on-line service that includes frequently asked questions: URL http://www.mi2g.com/cgi/mi2g/press/faq.pdf

[6] Al Johnson, FBI, "Forensic Pitfalls", Information Technology Security Awareness Day, Invited Speaker, Reitz Union Auditorium, UF, October 8, 2003. Powerpoint Presentation http://oak.at.ufl.edu/~video/itsa/itsa4.ram

[7] Zone Labs, Inc., URL: http://www.zonelabs.com/store/content/support/znalmMain.jsp The Program Control page in Zone alarm has a simple click on/click off toggle option to, "Enable the Automatic Lock if you leave your computer online and unattended for long periods."

[8] The author currently has 7 Windows XP updates in queue from Microsoft. They are for software that I've never used and likely will never use in the future. If downloaded, they would waste 41.6 Meg of disk space.

[9] The Yankee Group, Vulnerability Management: Processes Strengthen IT's Security Performance, November 10, 2003.   Guest userID & password required for URL: http://www.yankeegroup.com/custom/research/report_overview.jsp?ID=10358

[10] If the dog is not running when this file is accessed via the Web, click on your browser's reload button while holding down the shift key.   This will clear the cache and reset the time-out counter on the runningdog.gif file.


Exhibit 1 Network Managers Survey Form:

Recent Worm & Virus Attack Maintenance and Clean Up Efforts:

Please answer sections A through D for you only, not for any others you may support voluntarily or as part of your regular work activity. (In section E we will ask you about your support of others.) The efforts in the questions refer to MSBLAST, SoBIG, and Nachi/Welchia.

 Your Department or Group:________________________

 Your Position: Faculty ( )   Staff ( )   Student ( )

 Your Micro Information:

 A. Office Workstation(s):

    Operating System(s) ______________,      ________________
    Scheduled System
     Upgrade Downloads:   ( )Yes ( )No,      ( )Yes ( )No
    Scheduled Virus Scan
     Upgrade Downloads:   ( )Yes ( )No,      ( )Yes ( )No

 B. Home Workstation(s) [Check ( ) if don't have]:

    Operating System(s) ______________,      ________________
    Scheduled System
     Upgrade Downloads:   ( )Yes ( )No,      ( )Yes ( )No
    Scheduled Virus Scan
     Upgrade Downloads:   ( )Yes ( )No,      ( )Yes ( )No

    Network Access from Home: ( ) Cable  ( ) DSL   ( ) Phone

 C. Laptop(s) [Check ( ) if don't have]:

    Operating System(s) ______________,      ________________
    Scheduled System
     Upgrade Downloads:   ( )Yes ( )No,      ( )Yes ( )No
    Scheduled Virus Scan
     Upgrade Downloads:   ( )Yes ( )No,      ( )Yes ( )No

 D. Your time spent on all activities including reading and deciding what
    you should do, getting software, installing and running software, and/
    or deleting garbage e-mails and files in response to the MSBLAST,
    SoBIG and Nachi attacks:

    Estimated Time for A:  ______ Hours. (  ) None.

    Estimated Time for B:  ______ Hours. (  ) None.

    Estimated Time for C:  ______ Hours. (  ) None.

 E. Excluding your time estimates in D., what amount of time did you spend
    supporting others as part of your normal job duties for maintenance and
    cleanup. Include time spent on direct support with user workstations and
    maintaining and cleaning servers.

        ___________ Hours.   (  ) None.

 F. Does your department/group use any automated systems for installing
    operating system and/or virus updates to end-user workstations?

    ( )Yes ( )No

 G. General comments and comments about department/college and UF support:

 Name (Optional): __________________________________




Exhibit 1: User Survey Form:

Recent Worm & Virus Attack Maintenance and Clean Up Efforts:

 Please answer the following for you only, not for any others you may
 support voluntarily or as part of your regular work activity.  The
 efforts in the questions refer to MSBLAST, SoBIG and NACHI (Welchia).

 Your Department or Group:________________________

 Your Position: Faculty ( )   Staff ( )   Student ( )

 Your Micro Information:

 A. Office Workstation(s): 
    
    Operating System(s) ______________,      ________________
    Scheduled System 
     Upgrade Downloads:   ( )Yes ( )No,      ( )Yes ( )No     
    Scheduled Virus Scan 
     Upgrade Downloads:   ( )Yes ( )No,      ( )Yes ( )No     
      
 B. Home Workstation(s) [Check ( ) if don't have]:

    Operating System(s) ______________,      ________________ 
    Scheduled System 
     Upgrade Downloads:   ( )Yes ( )No,      ( )Yes ( )No     
    Scheduled Virus Scan 
     Upgrade Downloads:   ( )Yes ( )No,      ( )Yes ( )No     
  
    Network Access from Home: ( ) Cable  ( ) DSL   ( ) Phone
  
 C. Laptop(s) [Check ( ) if don't have]: 

    Operating System(s) ______________,     ________________ 
    Scheduled System 
     Upgrade Downloads:   ( )Yes ( )No,      ( )Yes ( )No     
    Scheduled Virus Scan 
     Upgrade Downloads:   ( )Yes ( )No,      ( )Yes ( )No     
 
 D. Your time spent on all activities including reading and deciding what 
    you should do, getting software, installing and running software, and/
    or deleting garbage e-mails and files in response to the MSBLAST,
    SoBIG and NACHI attacks:

   Estimated Time for A:  ______ Hours. (  ) None. 
 
   Estimated Time for B:  ______ Hours. (  ) None.

   Estimated Time for C:  ______ Hours. (  ) None. 

 E. Excluding your time estimates in D., what amount of time were you not able
    to work on your system(s) because of required maintenance and clean up
    caused by the viruses and worms?

       ___________ Hours.   (  ) None.

 F. General comments and any comments about department/college and UF support:

 ____________________________________________________________________________

 ____________________________________________________________________________

 
 Name (Optional): __________________________________


MAILTO:dicke@ufl.edu

Open this paper at http://nersp.nerdc.ufl.edu/~dicke/vwsc.html.