
Virus Protection & Patch Management

Date Instituted: 2012

Introduction

Malware, also known as malicious code or malicious software, is a program inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system, or of otherwise annoying or disrupting the victim. Malware has become the most significant external threat to most systems, causing widespread damage and disruption and requiring extensive recovery efforts within most organizations. Spyware and other malware intended to violate a user's privacy has also become a major concern. Although privacy-violating malware has existed for many years, it has become far more widespread, with spyware invading many systems to monitor personal activity and commit financial fraud. Organizations also face related threats that are not malware themselves but are often associated with it. One that has become commonplace is phishing, which uses deceptive computer-based means to trick individuals into disclosing sensitive information. Another is the virus hoax, a false warning of a new malware threat.

Preparation

Centenary College will take preparatory measures to ward off virus infections, spyware, and other forms of malicious code. For cases where an infection cannot be prevented, Centenary College has put an incident response policy in place. Both the preventive measures and the response policy will be reviewed annually to ensure they reflect current standards for prevention and response. (Refer to the Centenary College incident response policy for more information.) Centenary College regularly updates all security appliances and software in line with recommended industry best practices, supplemented by "home-grown" security countermeasures. Centenary College has also put several communication mechanisms in place so that incident handlers, technical staff, and management can coordinate on prevention and response.

Detection + Analysis

Centenary College aims for early detection and remediation of all valid malware incidents, because an infection can spread throughout an organization within minutes. Early detection improves the organization's ability to minimize the number of infected systems and to limit data corruption if it occurs. This reduces the scope of recovery efforts and incident response procedures and limits the overall damage that malicious code can inflict.

Centenary College attempts the following:

  1. Monitor for malicious activity using alerts from both hardware and software solutions to identify impending incidents. Such monitoring gives Centenary College the opportunity to stop an incident before it develops, eliminating the need for a full response.
  2. Review malware incident data from both internal and external sources, such as user reports, vendor whitepapers, and daily virus signature updates from vendors.
  3. Maintain trusted toolkits, on removable media as well as in network locations, for the identification and remediation of malware and spyware.
  4. Establish a prioritized set of response criteria for the incident response team so that the appropriate level of response can be selected on a case-by-case basis.

Containment

When addressing an incident, it is important for an organization to decide early in the response which methods of containment to employ. Centenary College will select containment strategies based on the level of infection and the degree of threat on a per-incident basis. Any containment effort undertaken by Centenary College technical staff should be documented for later review. Defined containment strategies will support incident handlers in selecting the appropriate combination of containment and remediation. More specific containment procedures and recommendations are as follows:

  1. Provide users with instructions on how to recognize an infection and what to do if a system becomes infected. The organization should not, however, rely on end users for malware containment.
  2. If malware or spyware cannot be identified by the end user, Centenary College will be prepared to use other security tools and countermeasures to contain and quarantine the threat. Centenary College should also be prepared to analyze and document unknown (zero-day) malware and its indicators, and to report them to our security and antivirus vendors so they can analyze the new threat.
  3. Centenary College must be prepared to block, or even shut down, services such as e-mail and network connectivity to crucial computer systems and appliances when needed to contain an infection, and should understand the consequences of doing so. Centenary College should also be prepared to respond to problems caused by other organizations to which we connect, in the event that their systems become compromised.
  4. Centenary College should be prepared to place temporary restrictions on network resources and connectivity to contain a malware infection, such as suspending internet access or physically disconnecting systems from the network. We must recognize the impact these restrictions may have on organizational functions.

Removal and Eradication

Identifying infected hosts is another vital step in malware containment, especially given the dynamic nature of computing, mobile devices, and remote access. Centenary College will consider host identification issues before a malware incident occurs and will be prepared to use multiple strategies for both identifying infected systems and containing them. The primary goal of eradication is to permanently remove malware from infected systems. Centenary College will be prepared to apply several eradication techniques at once, chosen to suit the different situations encountered, which should reduce the strain a major malware incident places on staff.

Recovery

Centenary College will concentrate on two main aspects of recovery from a malicious incident: restoring functionality to our vital systems, and lifting temporary containment measures such as service and connectivity restrictions once it is safe to do so. Recovery will be prioritized on a per-incident basis, restoring the most crucial system resources first. Centenary College should consider a "worst case scenario" when determining how recoveries will be performed, including the complete rebuild of certain systems and resources from scratch where a restore from a known-good backup is not viable. The incident response team should perform a risk assessment before services and network/internet connectivity are restored, and the CIO/COO will make the final decision to restore connectivity based on the information the incident response team provides. Members of the Centenary College community should understand the business impact of maintaining these containment and recovery measures. Handling a malicious incident can be extremely expensive, so it is important for Centenary College to conduct a robust lessons-learned assessment for each infection. These assessments should drive the adoption of up-to-date prevention techniques, help mitigate loss of data, hardware, and connectivity in future events, and identify any needed changes to security policy or to detection and prevention techniques.