14.2 Malicious Mobile Code Defense Plan This part of the chapter will discuss how to create a Malicious Mobile Code Defense Plan and the steps and processes that it should contain. This plan should be part of the organization's larger Computer Security Defense Plan , along with Acceptable Use and Physical Security policies and procedures. 14.2.1 How to Create a Malicious Mobile Code Defense PlanHere are the steps to create a malicious mobile code defense plan. 14.2.1.1 Get management to buy inWhatever the outcome of the malicious mobile code defense plan, it will take time, money, and people to implement it. Make sure you have management buy in before you head down this road. Nothing hurts worse than building a good plan, but being denied the money and resources to make it happen. Some important justifications for a good defense plan are
You need a management champion to help things go smoothly. A good way to get that is to quantify the potential losses in relation to the estimated costs of a good approach to defense. 14.2.1.2 Pick a plan teamPick the people you will need to create and implement a defense plan. You will need someone on the team to spearhead the whole effort operationally. Include folks from the help desk, people who assist with laptop and remote connectivity issues, programmers, network technicians, security members , and even think about including the super-users of any large end user groups. If you get their buy-in during the planning process, end users should be more willing to help the team accomplish their goals. The size of your team depends on the size of your organization, but it should be small enough to manage in a reasonable timeframe. 14.2.1.3 Pick an operational teamDecide early on who will be the team members to implement the hardware and software mechanisms to prevent malicious mobile code solutions, who will keep them updated, and who will be involved during an malicious code outbreak. 14.2.1.4 Take a technology inventoryYou can't put an antivirus management plan into place until you take an enterprise inventory. Table 14-1 shows a basic inventory list. Besides noting the number of users, PCs, laptops, PDAs, file servers, email gateways, and Internet connection points, record the types of desktop operating systems, major types of software, remote locations, and wide area network connectivity platforms. All of this data will allow you to wrap your arms around what it is you have to defend. Your solution will have to consider all of these factors. Table 14-1. Computer inventory
14.2.1.5 Determine plan coverageNow it's time to discuss the objectives of the plan. Whom will it cover: corporate offices, field offices, remote users, laptop users, thin clients , etc.? What type of computer platforms is it going to cover: IBM-compatibles only, Windows NT, Windows 3.x, DOS, Macintosh, Unix, Linux, file servers, gateways, email servers, or Internet border devices? Will it cover all computer devices or just the devices most at risk? Whatever the conclusion, it should be written up at the beginning of the document and the plan should be built to protect those areas. 14.2.1.6 Discuss and write the planYour plan needs to spell out in detail what and where antivirus tools will be deployed, what assets will be protected, how the defense tools will be deployed and when, how updates will be done, how to define a communication pathway , end user education, and a rapid response team procedure for dealing with outbreaks. You can use the outline of this chapter as a plan skeleton to begin writing. The largest sections of your plan should detail antivirus software use and placement, and the steps needed to properly secure each PC. Section 14.2.2 will cover this in more detail. 14.2.1.7 Test the planBefore beginning wide-scale deployment to your production environment, make sure to test it on a bed of test servers and workstations. If everything is successful in the test environment, start limited testing in your production environment. Often this includes deployment to one entire department in your organization, followed by spot deployment in other areas. The intention is to test tools and modifications across a wide range of workstation and network types. I've seen much worse damaged caused by well-meaning IT staff trying to deploy protection tools than by the rogue programs they were trying to prevent. Make changes to your strategy as deemed necessary. 14.2.1.8 Implement the planDiscussing and writing the plan isn't the hardest part of this process, implementing it is. Taking what you've put on paper and deploying it to hundreds or thousands of workstations takes money, people, and time. You must decide what to buy and where to start to get the most protection for your efforts. A good strategy is to implement antivirus tools at email or file servers first, followed by installs and modifications made to end user workstations. Laptops and remote field offices can be covered in a second round, and can benefit from lessons learned from the first round of deployments. A checklist, like Table 14-2, needs to be maintained so every inventoried asset that needs protection gets it. Without a centralized list it is easy to miss computers. Table 14-2. Modification checklist
14.2.1.9 Provide quality assurance testingYou want to do lots of QA testing of tools and procedures during and after the implementation. First, test that they are doing their job. This can mean sending a virus test file or some other sort of test against a protected system. Don't use anything that would cause widespread problems if it got loose. Many companies use the EICAR test file. Test the mechanisms for software and signature database updating. Do spot checking around the company to make sure the deployment team protected all the assets they were supposed to.
14.2.1.10 Protect new assetsLastly, put a policy and procedure into place to protect new computers. Often deployment teams are able to come together to protect all the assets as defined under the original plan, but fail to remember to modify new computers a month later. Random checks of new PCs should be done to make sure policy and procedures are working. 14.2.1.11 Test Rapid Response TeamA Rapid Response Team is used during malicious code outbreaks. Test the rapid Response Team with a preannounced pretend outbreak. This gives everyone a chance to practice their roles, test communication systems, and works out any kinks. In my experience, the little problems found in the practice test tend to grow during a live event if left unaddressed. Depending on whether or not you have periodic outbreaks to review performance against, you should test the team a few times per year and after operational changes. 14.2.1.12 Predefine a process for updating and reviewing planNo security plan is static. Software, hardware, and operating systems always change. User behavior and new technology will allow new risks to enter your environment. Your plan should be considered a "living document," and a predefined process to periodically review and evaluate its effectiveness should be written. Immediate reviews should be conducted when a new risk appears or when the effectiveness of the plan begins to wane. 14.2.2 The PlanNow that the team is assembled and your environment is documented, it is time to write the plan. Your malicious mobile code defense plan has to address all the ways malicious mobile code can enter the company. Most rogue programs enter primarily through Internet email systems. However, viruses, worms, and Trojans, can also enter as macro viruses from documents on disk, downloaded off the Internet, from an instant messaging client, or from infected diskettes. Fifteen years ago, scanning incoming diskettes and disabling floppy booting was enough. Today, you have to consider diskettes, the Internet, email, laptops, PDAs, remote users, and any other mechanism that allows incoming data or code to enter your protection domain (see Figure 14-1). Your defense plan even needs to include how to deal with hoax virus messages. Figure 14-1. Potential malicious mobile code entry points14.2.2.1 Remember to address foreign computers and networksIn most corporations foreign [1] networks and computers routinely attach to the company's already protected resources. If you have to worry about infecting other company's computers, it is only fair that they take the appropriate measures to minimize infecting your domain. Vendors, third parties, and business partners attaching foreign computers or networks to your own should be required to follow a minimum set of rules, and sign a document attesting to their understanding. Sometimes the efforts and tools applied in the company's defense plan can be shared with foreign computers and networks, or it can be as simple as requiring an updated antivirus scanner to be used.
14.2.2.2 Plan coreThe following three goals are the plan's cornerstones :
Using a reliable, up to date, antivirus scanner should be the cornerstone of any malicious mobile code defense. Antivirus scanners are great at protecting computers by detecting and removing malicious mobile code and every company should use them. However, it is a mistake to totally rely on the antivirus scanner. History has proven again and again that a scanner cannot and will not stop everything. You must assume that malicious code will get by your antivirus defenses, and take proactive steps to minimize its impact. If done correctly, malicious mobile code will not be able to function at all on a protected PC. Lastly, you should consider other types of defense and detection tools to protect your environment and to track down exploits quickly. I will cover all three of these defense tenets in detail in this chapter. 14.2.2.3 DeploymentYour plan should detail the human resources needed to implement the policies and procedures. It usually takes the coordinated effort of many skill sets to deploy all the malicious code tools and modifications. Network administrators will be needed to test and install software on file and email servers. Teams of hardworking technicians will be needed to modify the local workstations, unless you have sophisticated deployment tools. You need to calculate how much time each person will spend testing and installing software and create a deployment schedule. 14.2.2.4 Distributing updatesOnce the malicious mobile code defense tools and modifications are implemented, how do you keep them updated? Many antivirus tools allow you to download updates to a central server in your network that then pushes updates to local workstations. Workstation modifications can be made manually to one PC at a time, or using centralized login scripts, scripting languages, batch files, Microsoft SMS, etc. Avail yourself of any automated distribution tools, although always test big updates manually first. Large organizations with a variety of desktops and wide area network types always end up using a variety of methods , including automated distribution tools, CD-ROMs, diskettes, mapped drives , and FTP. Use the tools that work for your environment. Also, hold people, staff, and end users accountable for making sure updates are applied. There is always one team leader or department that would rather forget than install. 14.2.2.5 Communication planCentral to a defense plan is communication. End users and automated alerting systems should notify defense team members when a malicious code outbreak occurs. Team members need to contact each other to assemble the team. The team leader needs to notify management. Someone on the team should be designated as the primary contact between the company and the antivirus vendor. A chain-of-command process should be predefined so that status updates can be passed from the team to individual end users. In a typical plan, each team member that will be responding to an outbreak emergency (the Rapid Response Team) should be responsible for communicating with particular department or division heads. The contacted department leader then has the responsibility for informing employees under his control. Build in feedback mechanisms so end users and departments can communicate back to the team. Define clear roles and responsibilities. This part of the plan should not be assumed. 14.2.2.6 End user educationAlthough you should write your plan as if end users ignore all precautionary advice, make a concerted effort to inform and educate end users. Your education component should include a brief introduction to the world of malicious mobile code. It should talk about viruses, worms, Trojans, malicious emails, and rogue Internet code. Employees should know that downloading software from the Internet, installing fun-looking screensavers, and running joke executables are all large risks. The educational material should talk about the associated risks and the efforts the company is taking to minimize those risks. It should include the steps every employee should take to minimize the spread of malicious mobile code. Let end users know that only authorized software should be used on company computers. Software should not be downloaded from the Internet, brought from home, or installed from sources not previously authorized. And although you would think it goes without saying, users should be reminded to report malicious code outbreaks to the appropriate person or department. End users should be told that breaking the rules can result in a disciplinarian action. Users should be given documentation and required to sign a form indicating their understanding. This form should be filed in the employee's personnel record. Also a process should be put in place so that new hires are educated before they receive computer access. In most environments, the educational material is included with their hiring package. 14.2.2.7 Rapid response planEvery plan should define the steps team members should take in the event of a malicious code outbreak. 14.2.3 Rapid Response Plan StepsNormally, the defense tools implemented should protect your environment, but every now and then a new type of malicious code will slip by or an unprotected machine will spread an already known threat. In either case, you now have a widespread problem. Your plan should explain what happens if multiple infections become an outbreak. For example, 10 or more machines within 10 minutes should be considered an outbreak and result in alerting the Rapid Response Team. Anticipate occasional outbreaks and implement a plan to deal with the threat quickly and efficiently . Here are the steps that should be followed in an outbreak:
Now is the time to relax a little. The Rapid Response Team can disassemble and go back to their normal duties .
All malicious mobile code defense plans should include using a reliable antivirus scanner. The following sections detail how to pick a good antivirus scanner and where to install it. |
Team-Fly |
Top |