¶ … Malware Incident Response Plan The Policy

This plan is devised to mitigate the effects of malware used during a cyber-attack on a company's security system. The plan uses three levels of staging -- set up, response and recovery. This plan is based on evidence from research that has been conducted to protect the highest levels of secure documents.

Set Up

The first priority of the plan is to educate all levels of the company regarding the danger incurred from breaching security protocols on their work stations. Whereas it may only seem necessary to conduct in-depth training with individuals new to the company, it has been shown that executives are the most lax when it comes to cyber security. Therefore, a training schedule which updates users regarding any new information and reminds them regarding what they need to be doing every day to protect the overall system is essential. This training will recur in a semiannual basis to make sure that it is fresh in the heads of the individuals concerned.

The training that every employee receives will not be at the same level as that received by the information technology personnel tasked with detection and response. These individuals need to be trained daily on the threats that could occur to the particular systems the company uses. This means that there will be a dedicated threat assessment team (consisting of at least two people) who are responsible for monitoring outbreaks that have occurred in other networks. These will be assessed to see if they could possibly endanger the operations of this company. The importance of this cannot be overstated. There are constant threats occurring against all manner of server systems, and it is necessary to determine if that type of threat, no matter how small a risk, could occur within this company's system. This team will report to the rest of the IT department on a daily basis to make sure that all are aware of the current threats plaguing the industry. Also, a "Threat Sheet" will be generated and distributed to these personnel daily to make sure that they have a constant reminder of the current issues. All company personnel will receive a daily email describing what threats they need to be aware of also.

The priority of training is something that should occur to any organization, but it is also necessary to devise layers of security that start with the people using the different stations. A person's position within the company dictates the level of information to which that individual should be privy. A line employee, depending on the type of employment, will have access only to that information that is crucial to their job description. It is unnecessary to give that individual access to information which does not have to do with their job unless that are promoted to another position or given a project for which it is required. All supervisory personnel will have a higher level of access because they have responsibility, at least in part, for a group of individuals and their employment. Thus, this person will have another level of access to the system. This procedure follows throughout the entire organization until it reaches the highest level of the company. Most likely information systems technicians and staff will also have the highest level of security clearance within the company because they may be required to service and station within the company. The policy may have a caveat that when an IT professional is working on a system, he or she must have that access checked by a supervisor or another officer. This plan requires that any IT access above the supervisory level have this protocol in place.

One of the duties of the IT office will be to protect all company computers with the latest security software. Threats happen constantly across the globe (though not necessarily to an individual company), so there also has be attention paid to updates for the software and an awareness by the IT office that some software designs are not updated often enough or may longer work with the hardware of this company. Therefore, there will be updates as often as they are available (sometimes this will happen daily, but the software should be routinely checked at least once per week), and technicians will constantly seek to upgrade the software as more appropriate programs become available. Since there are multiple detection systems available, this plan requires antivirus protection...

This includes threat protection, identification of suspicious activity and an advanced firewall that is installed on every computer.
The final issue that has to be taken care of in the preparation/set up stage is to ensure that all employees know how they can report a bug in their system. Because there are a vast array of threats, it is not possible for everyone to be caught by the IT team even if they are monitoring constantly. Employees are required to have the front desk check any electronic medium that is brought in from outside the company and can somehow be connected to a company computer. However, sometimes people become lax in their security and do not report something that they are working on or a website they have used which has not been properly vetted by the system. Thus, there will be a central call center that can be accessed by employees at any time. Personnel will have the number for the call center attached to their PCs in a conspicuous place so that they can access it in a moment's notice. This system will also be able to detect when a specific employees computer has been infected in some way and by what type of infection. This will allow the response to start even if the employee does not realize what has happened to their station.

Response

There will be a tiered plan in place due to the fact that there are different levels of attack. The first level will be for a low level outbreak which only affects one computer or a small group of computers. The second level is for a company-wide breach, which affects all computer systems in the company, but concerns documents which are of a low security level. The most important type of breach would be one in which high level sensitive material is in danger. The responses to the threat levels are necessarily different.

Although the lowest level of response only concerns a single computer or a small group, it is necessary to take immediate action after it is detected to make sure that it does not spread to other computers in the network. Initially, this level will probably be detected by the antivirus software, but it may also be phoned in by the system of an employee. The action is to isolate this computer or small group until the problem is solved and the threat is eradicated. It will be necessary for IT to run a systems check to detect the bug, then they can run the same diagnostic on the remainder of the system to make sure that it has no chance of recurring anywhere else.

The second level of response involves a larger number of computers, generally a system-wide issue that has does not have access to the most sensitive material. The response in this case will likely be triggered when employees make the system administrators aware of a glitch in their computers. This could also be triggered by multiple network red flags. The most important part of this malware response is to ensure that the entire system is tested to determine the extent of the problem and to stop it immediately. This may require shut down of the entire system, but this is not usually warranted until a level three issue. For this middle level, the crux of the issue will generally come down to a few centralized computers that need to be shut down for maintenance of the network issue.

The final level of response is by far the most serious and directly effects the continued, immediate functioning of the company. This is generally triggered by the system which is responding to a vulnerability in critical systems. This will require a shutdown of at least some of these critical areas to ensure that the whole system is not infected. This type of attack is also the most serious because it involves the most sensitive material that the company owns.

Recovery

Depending on the severity of the issue, recovery could be difficult. Some viruses that have been detected in the recent past have completely shut down major networks and caused a significant amount of damage and time lost. It is essential to know what level of threat is active quickly, and to take the appropriate action immediately. Recovering the system will always require, at the very least, that the system is rebooted after upgrades have been installed. It may require that data, which has been securely stored on another server is reinstalled on the…