Tip

Keys to an effective virus incident-response team

Over the past year, worms and viruses have caused tremendous harm to networks around the world. To minimize future damage from fast-moving malware, you need to prepare your incident-response team in advance.

  • Plan around-the-clock incident handling capabilities.
    Regardless of your organization's size, have at least one member of your IT or security staff, who is well versed in handling worms and viruses, available 24x7x365 via pager. So that one person isn't burdened all of the time, rotate the pager between individuals on a regular schedule.
  • Distribute the incident-response pager number to your help desk and network management personnel. Publish a list of suspicious events that should trigger a call to the handler, such as an unexpected spike in network traffic, numerous IDS events or a rash of virus alerts.
  • Work with your network management team to create a list of routers and firewalls distributed throughout your network that can act as choke points to arrest the spread of a worm. In developing your list, pay special attention to Internet gateways, extranet connections and internal routers segmenting important business units. Depending on your organization's size, your list of choke points might include five, 10 or even 50 network gateways.
  • For your various choke points, create sample filter rules that can be deployed in times of crisis to block worm-related traffic. Because we don't know which protocols tomorrow's nasty worms will use, define a set of rules for blocking various individual protocols, especially ICMP, TCP and UDP. Write filter rules for each vendor product you plan to use as a choke point. By keeping these sample rules ready to roll, you'll be able to quickly tweak them to the specific characteristics of a worm and deploy them early during an incident.
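One way to keep those sample rules ready to roll, as an added example that is not from the article: a small Python generator that turns a worm profile (protocol plus optional destination port) into block rules for two assumed choke-point platforms, Cisco IOS extended ACLs and Linux iptables, so the handler only has to fill in the worm's characteristics during the incident. The worm profiles, ACL number and choke-point inventory below are constructed sample values, not real indicators.

```python
"""Emergency choke-point filter generator (added example, not the article's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class WormProfile:
    """What the handler learns about a worm early in an incident."""
    name: str
    proto: str                  # "tcp", "udp" or "icmp"
    port: Optional[int] = None  # destination port; None for icmp or a whole protocol

    def __post_init__(self) -> None:
        if self.proto not in ("tcp", "udp", "icmp"):
            raise ValueError(f"unsupported protocol: {self.proto}")
        if self.proto == "icmp" and self.port is not None:
            raise ValueError("icmp has no port")
        if self.port is not None and not 0 <= self.port <= 65535:
            raise ValueError(f"port out of range: {self.port}")


def ios_acl(profile: WormProfile, acl_number: int = 101) -> List[str]:
    """Cisco IOS extended ACL: deny (and log) the worm traffic, permit the rest."""
    match = f"any any eq {profile.port}" if profile.port is not None else "any any"
    return [
        f"! emergency block for {profile.name}",
        f"access-list {acl_number} deny {profile.proto} {match} log",
        f"access-list {acl_number} permit ip any any",
    ]


def iptables_rules(profile: WormProfile, chain: str = "FORWARD") -> List[str]:
    """Linux iptables: log then drop, inserted at the top of the forwarding chain."""
    match = f"-p {profile.proto}"
    if profile.port is not None:
        match += f" --dport {profile.port}"
    return [
        f"# emergency block for {profile.name}",
        f"iptables -I {chain} 1 {match} -j LOG --log-prefix '{profile.name[:20]} '",
        f"iptables -I {chain} 2 {match} -j DROP",
    ]


# Constructed sample inventory: choke point -> platform (see article for choosing them).
CHOKE_POINTS: Dict[str, str] = {"internet-gw": "ios", "extranet-fw": "iptables"}
GENERATORS = {"ios": ios_acl, "iptables": iptables_rules}


def emergency_rules(profile: WormProfile,
                    choke_points: Dict[str, str] = CHOKE_POINTS) -> Dict[str, List[str]]:
    """Rules for every choke point, ready to paste once the worm's protocol/port is known."""
    return {cp: GENERATORS[platform](profile) for cp, platform in choke_points.items()}
```

Running `emergency_rules(WormProfile("sample-worm", "tcp", 4444))` yields one rule set per choke point; the `log` / `LOG` entries double as the detection signal for how far the worm has spread.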

No security strategy can make you completely impervious to attack. Yet, by preparing your incident response team in advance, you'll have far greater success in weathering the next major worm and virus storm.

About the author
Ed Skoudis is a security consultant with International Network Services, and the author of the books Malware: Fighting Malicious Code and Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses.


FOR MORE INFORMATION:
  • Our sister publication, Information Security magazine, has a feature titled Are you prepared? that offers a business blueprint for an effective incident management program.
  • Also take a look at this Incident Response Matrix from Information Security.
  • SearchSecurity Featured Topic: Incident response

This was first published in January 2004
