When an organization's operations are disrupted by a virus outbreak, business departments as a rule try to pass the buck to the Information Technologies department for the incident and the resulting loss. If IT departments had been able to design, develop, implement and manage IT services and applications without the restrictions on protection demanded, directly or indirectly, by business departments, and had always had sufficient budget, there would have been orders of magnitude fewer virus outbreaks on organizations' networks.
What can a CIO or CISO do to restore the organization's operations and protect the team and themselves during a virus outbreak?
1. Do NOT panic. Treat it as a valuable life lesson: dealing with a virus outbreak gives you experience that will be useful in the future.
2. Notify top management about the incident.
3. Mobilize your team to eliminate the outbreak. If off-hours work is required, agree with top management on compensation appropriate for your country and organization and on the off-hours working conditions, for example food delivery to the office.
4. Do not let your team be distracted from the work; for example, ask them to answer calls from you only.
5. Assign the following tasks to members of your team:
a. Identify the malicious software spreading across your network;
Note: possible actions:
- Take the HDDs from several infected systems, attach them in turn (for example, via a USB adapter) to computers running different, up-to-date antivirus products and scan them
- Scan suspicious files with a free online service that runs tens of antivirus engines: http://www.virustotal.com/
- Contact antivirus vendors or local IT security companies for technical instructions and help
b. Identify the techniques the malicious software uses to spread;
Note: analysis of network traffic from infected systems is helpful
c. Try to identify how the malicious software affects the organization and third parties, for example whether it steals sensitive information or attacks third parties' networks;
Note: descriptions of a large number of malicious software families can be found on antivirus vendors' sites
d. Identify possible approaches to stopping the spread and disinfecting the infected nodes;
e. Identify the steps required for each approach.
6. Report the findings to top management and agree on the preferred elimination approach and steps. This step is especially critical if additional interruption of the organization's operations is required.
7. When the outbreak has been eliminated and the organization's operations are restored, together with your team:
a. Identify the main reasons why the outbreak was possible;
Note: From my own experience of participating in and managing the elimination of virus outbreaks on networks from thousands up to tens of thousands of nodes all over the world, the three main reasons for virus outbreaks are:
- Users have local administrator rights on their organization's computers
- Unpatched vulnerabilities
- Budget deficit or lack of staff in the Information Technologies department
So, to defend against the accusation that the Information Technologies department is solely responsible for the outbreak, it is useful to find evidence (emails, meeting minutes) that the risks that led to the outbreak were reported to and discussed with the management of business departments.
b. Write a report about the incident;
c. Develop a plan and budget to avoid such incidents in the future.
8. Present the incident report, plan and budget developed in the previous step to top management.
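As an added illustration of the traffic analysis in step 5b (not part of the original post), the script below flags hosts that contact many distinct peers on the same port within a short window, the fan-out pattern typical of self-spreading malware. The connection records are constructed sample data, and the thresholds are assumptions to tune for your network.

```python
from collections import defaultdict, deque

# Constructed sample records: (source, destination, destination port, seconds).
# Host 10.0.1.15 sweeps eight neighbours on TCP/445 within a minute, which is
# the worm-like fan-out to look for; the remaining records are ordinary traffic.
SAMPLE_CONNECTIONS = [
    ("10.0.1.15", "10.0.1.%d" % n, 445, 5 * n) for n in range(20, 28)
] + [
    ("10.0.1.40", "10.0.2.5", 443, 3),
    ("10.0.1.40", "10.0.2.5", 443, 30),
    ("10.0.1.41", "10.0.2.9", 80, 12),
    ("10.0.1.15", "10.0.2.5", 443, 15),
]


def fanout_by_port(connections, window_s=60, min_peers=5):
    """Find (src, dport) pairs whose source reached at least min_peers distinct
    destinations on that port inside some window_s-second window.
    Returns {(src, dport): max_distinct_peers_seen_in_one_window}."""
    per_key = defaultdict(list)
    for src, dst, dport, ts in connections:
        per_key[(src, dport)].append((ts, dst))
    flagged = {}
    for key, events in per_key.items():
        events.sort()                   # sliding window needs time order
        window = deque()
        in_window = defaultdict(int)    # destination -> hits inside the window
        best = 0
        for ts, dst in events:
            window.append((ts, dst))
            in_window[dst] += 1
            # Evict events older than window_s relative to the newest event.
            while window and window[0][0] < ts - window_s:
                _, old_dst = window.popleft()
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
            best = max(best, len(in_window))
        if best >= min_peers:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    for (src, dport), peers in sorted(fanout_by_port(SAMPLE_CONNECTIONS).items()):
        print(f"{src} reached {peers} distinct hosts on port {dport} within 60s")
```

Feed it records exported from your firewall, NetFlow collector or packet capture, and the flagged (host, port) pairs point to both the infected machines and the service the malware is probing, which is the input step 5d needs.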