Malware Incident Response Plan

October 12, 2016 | Author: dsimons1189 | Category: N/A


Short Description

I did this Malware Response plan back in 2008. Very few organizations have any response planning in place. Probably (in ...

Description

Malware Incident Response Plan

For Malicious Software IAE 677 – Fall 2008

By Daniel Simons

Nov. 18, 2008

1. Preparation:

A. Develop an acceptable use policy – An acceptable usage policy explains what company computer assets should and should not be used for. This policy should be distributed to all company employees. Identifying and discouraging activities that are not work related will decrease the likelihood of malware infection. For instance, many of the web sites that host malicious scripts do not typically fall into the category of sites identified as being work related. Other activities which should be banned or closely monitored include peer-to-peer file sharing and instant messaging. Both are breeding grounds for malware and provide methods for users to circumvent security controls. In addition, the majority of files hosted on peer-to-peer file sharing networks are often protected by copyright laws and may involve legal liability. Using work email systems for personal purposes should also be kept to a minimum, reducing the possibility of users opening unexpected email content or forwarded messages from friends that may contain harmful attachments.

An acceptable usage policy should be drafted to communicate the proper use of business systems. The policy should be carefully reviewed by management and legal counsel to determine the effectiveness and legal implications of the document. The policy will be distributed to all corporate employees.

B. Educate end users – It is equally important to provide adequate malware awareness training to end users. Educating users about the dangers of opening unexpected or suspicious email attachments, installing adware-supported shareware, running malicious scripts from insecure web sites, using p2p file sharing, etc., is an essential step in reducing the likelihood of a malware incident. Computer security personnel will provide training to end users through a series of group training sessions, through regular email bulletins reminding users about common security threats, and on an as-needed basis via the helpdesk incident reporting system.

C. Outbreak procedures – An appropriate type of response should be designed for the varying degrees of infection frequency, the role of the infected host in relation to business continuity, and the risk of replication. To meet these goals, the detailed chart below will help computer personnel identify the correct response type.

Infection Frequency:

Critical Nature of Host:

Risk of replication:

Response Type:
