Information Security: The Melissa Computer Virus

United States Government Publishing Office publisher pbl distributor dst United States Government Accountability Office Accounting and Information Management Division author aut Government Organization text government publication eng GAOREPORTS Legislative Agency Publications gao legislative 2010-08-12 U.S. Government Printing Office 1999-04-15 monographic deposited born digital 12 p. GA 1.13:T-AIMD-99-146 https://www.govinfo.gov/app/details/GAOREPORTS-T-AIMD-99-146 P0b002ee18038ad19 f:ai99146t DGPO 2010-08-12 2011-03-28 GAOREPORTS-T-AIMD-99-146 machine generated eng fdlp REPORT GAOREPORTS-T-AIMD-99-146 T-AIMD-99-146 Computer security Data integrity Computer crimes Information resources management Electronic mail Computer viruses Internal controls Confidential communication Application software Melissa Computer Virus Testimony AIMD I99146 Information Security: The Melissa Computer Virus Pursuant to a congressional request, GAO discussed: (1) the immediate effects of the Melissa virus and variations of it as well as its broader implications for the federal government; and (2) critical measures that should be taken to ensure that federal departments and agencies are better prepared for future viruses and other forms of attack. GAO noted that: (1) Melissa is a macro virus that can affect users of Microsoft's Word 97 or Word 2000; (2) macro viruses are computer viruses that use an application's own macro programming language to reproduce themselves; (3) Melissa itself is delivered in a Word document; (4) once the Word document is opened, and the virus is allowed to run, Melissa: (a) checks to see if Word 97 or Word 2000 is installed; (b) disables certain features of the software, which makes it difficult to detect the virus in action; (c) generally sends copies of the infected document to up to 50 other addresses using compatible versions of Microsoft's Outlook electronic mail program; and (d) modifies the Word software so that the virus infects any document that the user may open and close; (5) under some circumstances, Melissa could cause confidential documents to be disclosed without the user knowing it; (6) in the course of spreading, variations of the Melissa virus also surfaced, including the Papa virus that can also be delivered by electronic mail; (7) although the Melissa virus reportedly did not compromise sensitive government data or damage systems, it demonstrated the formidable challenge the federal government faces in protecting its information technology assets and sensitive data; (8) Melissa showed just how quickly viruses can proliferate due to the intricate and extensive connectivity of today's networks and how hard it is to trace any virus back to its source; (9) Melissa demonstrated that vulnerabilities in widely adopted commercial-off-the-shelf products can be easily exploited to attack all their users; (10) Melissa illustrated that there are no effective agency and governmentwide processes for reporting and analyzing the effects of computer attacks; (11) to help strengthen computer security practices, GAO issued an executive guide in May 1998, which describes a framework for managing risks through an ongoing cycle of activity coordinated by a central focal point; (12) by adopting the practices recommended by the guide, agencies can be better prepared to protect their systems, detect attacks and react to security breaches; and (13) a comprehensive governmentwide strategy for increasing computer security should: (a) clearly delineate the roles of federal organizations with responsibilities for information security; (b) rank the greatest risks; (c) promote the use of proven security tools and best practices; (d) ensure the adequacy of workforce skills; (e) provide for evaluating systems on a regular basis; and (f) identify long-term goals, as well as timeframes, priorities, and annual performance goals. https://www.govinfo.gov/content/pkg/GAOREPORTS-T-AIMD-99-146/html/GAOREPORTS-T-AIMD-99-146.htm https://www.govinfo.gov/content/pkg/GAOREPORTS-T-AIMD-99-146/pdf/GAOREPORTS-T-AIMD-99-146.pdf GAO/T-AIMD-99-146 https://www.govinfo.gov/app/details/GAOREPORTS-T-AIMD-99-146 Testimony GAO/T-AIMD-99-146; Information Security: The Melissa Computer Virus; Computer security Data integrity Computer crimes Information resources management Electronic mail Computer viruses Internal controls Confidential communication Application software Melissa Computer Virus