Wednesday, June 3, 2009

High quality information and incident response

In order to effectively detect and respond to computer security incidents, an incident manager needs information. That information must have sufficient detail and enough coverage. This is why I get a little miffed when I see a work ticket closed out with only the following information:

"Lots of these machines were infected with virus.  I killed them all."

There is (almost) no useful information in this update.

How did you notice there were viruses on the machine? What tool detected them? How many machines were infected? Which machines were infected? What were those machines used for? Who had access to them? Was it the same virus on all machines, or were there different ones? Which viruses did you find? Was there antivirus installed? Was the antivirus running? Were the antivirus definitions up to date? Was the machine's operating system patched? Which users were logged on locally? What drive mappings did the user have open? How did you kill the viruses? Did you see the virus(es) somewhere else?
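To make that list of questions enforceable rather than rhetorical, the following added example (not code from the original post) encodes each question as a required field on a structured ticket update and flags updates that leave too many of them unanswered. The field names, the threshold and both sample tickets are constructed for this example; the first sample is the one-line update quoted above, the second is the same event recorded with every question answered.

```python
"""Completeness check for malware-incident ticket updates.

Added example, not code from the original post. Each required field
corresponds to one of the questions the post says an incident manager
needs answered before a ticket can be closed. Field names and sample
tickets are constructed for this example.
"""
from dataclasses import dataclass, field

# One entry per question in the post. A free-text summary is not an answer;
# the structured field is what lets the incident manager scope the event.
REQUIRED_FIELDS = (
    "detection_source",        # how was the malware noticed, which tool
    "affected_hosts",          # which machines (count follows from this)
    "host_roles",              # what those machines are used for
    "users_with_access",       # who had access to them
    "malware_names",           # which virus(es); same or different per host
    "av_installed",
    "av_running",
    "av_definitions_current",
    "os_patched",
    "logged_on_users",         # who was logged on locally
    "mapped_drives",           # drive mappings the user had open
    "remediation_action",      # how the malware was killed
    "seen_elsewhere",          # was it seen on other systems
)


@dataclass
class IncidentUpdate:
    summary: str
    fields: dict = field(default_factory=dict)


def _is_empty(value) -> bool:
    """Treat None, empty strings and empty containers as unanswered.
    Booleans (including False) are valid answers and are kept."""
    if isinstance(value, bool):
        return False
    return value is None or value == "" or value == [] or value == {}


def missing_fields(update: IncidentUpdate) -> list:
    """Return the required fields that the update does not answer."""
    return [name for name in REQUIRED_FIELDS
            if _is_empty(update.fields.get(name))]


def coverage(update: IncidentUpdate) -> float:
    """Fraction of the required questions the update answers (0.0 to 1.0)."""
    answered = len(REQUIRED_FIELDS) - len(missing_fields(update))
    return answered / len(REQUIRED_FIELDS)


def can_close(update: IncidentUpdate, threshold: float = 1.0) -> bool:
    """True when the update answers enough questions that the ticket can be
    closed without someone having to reopen the investigation."""
    return coverage(update) >= threshold


# Constructed sample: the update quoted in the post, summary only.
BAD_UPDATE = IncidentUpdate(
    summary="Lots of these machines were infected with virus. I killed them all."
)

# Constructed sample: the same kind of event with every question answered.
GOOD_UPDATE = IncidentUpdate(
    summary="Three accounting workstations infected with the same trojan",
    fields={
        "detection_source": "AV console alert",
        "affected_hosts": ["WS-ACCT-01", "WS-ACCT-02", "WS-ACCT-03"],
        "host_roles": "accounting clerk workstations",
        "users_with_access": ["clerk1", "clerk2"],
        "malware_names": ["Trojan.Generic.Example"],
        "av_installed": True,
        "av_running": True,
        "av_definitions_current": False,
        "os_patched": True,
        "logged_on_users": ["clerk1"],
        "mapped_drives": ["\\\\fileserver\\finance"],
        "remediation_action": "AV quarantine, then reimage",
        "seen_elsewhere": False,
    },
)

if __name__ == "__main__":
    for label, upd in (("bad", BAD_UPDATE), ("good", GOOD_UPDATE)):
        print(label, f"{coverage(upd):.0%}", "missing:", missing_fields(upd))
```

Run as a script it prints 0% coverage with all thirteen fields missing for the quoted update and 100% for the structured one. Wiring `can_close` into the ticketing system's close transition, rather than leaving it as a checklist in a wiki, is what turns the post's questions into something a ticket cannot be closed without.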

Right now I have no information, and as a result I have to declare an information security incident. I get to find the answers to all these questions myself, which will probably result in a finding that one user does stupid stuff on multiple workstations, or that the office as a whole is doing bad stuff. Either way, I anticipate some very targeted awareness training in my near future.

Oh yes, due to this particular environment, users have local administrator access and are free to mess up their own machines as much as they want.
