Moving From Crisis to Event Management in Internet Security

By now there are very few of us who are not aware of last week’s rampant ‘MyDoom’ computer virus outbreak. Chances are you may have even experienced a few of these infected e-mails as they found their way into your inbox. Hopefully, no system in your credit union was infected although the odds are that at least a small handful of people reading this have a ‘crisis’ story to tell. Fear not - you weren’t alone, and these stories usually do have happy endings!

Estimates from the world's leading antivirus companies revealed that at its peak one in every nine e-mails sent last week contained the virus. As expected, new variants of the virus have now appeared. We learned from the SoBig virus outbreak just a few months ago that the effects of a mass virus outbreak can be felt for several days or weeks, regardless of how well a network is protected.

Computer virus outbreaks are nothing new, but the speed at which these recent viruses have propagated has certainly kept us all on our toes. The instant global reach of the Internet, and e-mail in particular, has created a fertile playground for the virus writers who create these malicious programs. Even the antivirus companies have had difficulty releasing detection and cleaning updates quickly enough to provide initial protection for networks: a signature can only be written once the first samples have been captured, so for the opening hours of an outbreak every scanner is blind to it. Training staff to recognize social engineering (the lure text that talks a reader into opening the attachment) therefore still appears to be one of the most effective lines of defense in combating virus outbreaks.

Still, building one deep moat around your castle will not keep out every intruder. All lines of defense are imperfect (especially the human kind). There is no single silver-bullet solution that will fully protect your credit union's network from an unknown future virus. A layered e-mail security approach (several deep moats, each checking the message in a different way so that one product's blind spot is covered by another's) continues to be the weapon of choice in combating this problem.
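The following is an added example, not code from the original article or from the credit union whose memo is quoted later. It shows one of those moats in working form: a relay-side attachment policy check that needs no virus signature at all, because it judges attachments by type rather than by content. It blocks executable attachment types (including double extensions such as report.txt.pif), looks inside .zip archives for the same types, and quarantines anything it cannot read. The block list, the sample message and all names in it are assumptions chosen for the demonstration.

```python
"""Attachment-type policy check for an inbound e-mail relay.

Added example: one layer of a layered e-mail defense. Not from the
original article or the quoted memo; block list and sample are
constructed for the demonstration.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment types that should never reach a staff desktop by e-mail.
# Assumption: a sample policy for the example; a real list is site-specific.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".bat", ".cmd", ".com", ".vbs", ".js", ".hta",
}
ARCHIVE_EXTENSIONS = {".zip"}


def extension_of(filename: str) -> str:
    """Return the final, lower-cased suffix ('' if none).

    Only the last suffix matters: Windows executes 'report.txt.pif' as a
    .pif, so double extensions are not a way around the policy.
    """
    name = filename.lower().strip()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def risky_name(filename: str) -> bool:
    """True if the filename's final extension is on the block list."""
    return extension_of(filename) in BLOCKED_EXTENSIONS


def risky_zip_members(data: bytes) -> list:
    """Names of blocked-type members inside a zip payload.

    A corrupt or unreadable archive is reported as '<unreadable>' and is
    therefore quarantined too: what the scanner cannot see, it cannot clear.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [m.filename for m in zf.infolist() if risky_name(m.filename)]
    except zipfile.BadZipFile:
        return ["<unreadable>"]


def check_message(raw: bytes) -> dict:
    """Walk every MIME part and return {'verdict': ..., 'reasons': [...]}.

    verdict is 'quarantine' if any attachment violates the policy,
    otherwise 'deliver'.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename:
            continue  # inline text body, no attachment to judge
        if risky_name(filename):
            reasons.append(f"blocked attachment type: {filename}")
        elif extension_of(filename) in ARCHIVE_EXTENSIONS:
            bad = risky_zip_members(part.get_payload(decode=True))
            if bad:
                reasons.append(f"archive {filename} contains: {', '.join(bad)}")
    return {"verdict": "quarantine" if reasons else "deliver", "reasons": reasons}


def build_sample(with_archive: bool = True) -> bytes:
    """Constructed sample: a bounce-style lure carrying a .zip that hides a .scr.

    With with_archive=False the same message carries only a harmless
    text attachment, to show the policy letting ordinary mail through.
    """
    msg = EmailMessage()
    msg["From"] = "postmaster@example.com"   # assumed address
    msg["To"] = "teller@example.com"         # assumed address
    msg["Subject"] = "Mail transaction failed"
    msg.set_content("The message could not be delivered; details are attached.")
    if with_archive:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("document.scr", b"MZ" + b"\x00" * 16)  # fake PE header
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="document.zip")
    msg.add_attachment("Nothing to see here.", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print(check_message(build_sample()))
    print(check_message(build_sample(with_archive=False)))
```

The point of the layering is visible in the verdicts: the lure with the hidden screensaver is quarantined on its type alone, on the day of the outbreak, before any vendor has shipped a signature, while the same message with only a text attachment is delivered and left for the mail-server and desktop scanners to inspect by content.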

However, many credit unions and banks have learned the hard way that even these carefully planned lines of defense can be rendered mostly ineffective if a staff member has access to a personal e-mail account from the credit union network. Mail read through a web browser never passes through the e-mail relay or the mail server, so every scanning layer built around them is skipped; the message arrives over HTTP straight at the desktop, leaving only the desktop antivirus and the user's judgment. Hopefully we learn from these accidents and are better prepared for the future. Some credit union networks now specifically block access to known personal e-mail services, e.g. Yahoo Mail, Hotmail, AOL, and the scores of other ISP web-mail services.

Infected computers and total outbreaks will happen at some point in the future in your organization. Count on it. How we all plan to deal with these events when they happen will show how effectively we have each addressed the bigger challenge of risk management.

One credit union industry organization shared its experiences last week in dealing with an e-mail server crash. The organization uses a layered approach to virus prevention and a systematic approach to dealing with critical systems failure, and it details lessons learned to help with future event planning. In this case the event was not a virus infection at all: an automatic update changed the antivirus product's settings so that it removed key files needed by the operating system. It reveals that even in a well-designed and protected network the risks, while reduced, will always remain. While the event was a major inconvenience for the organization, it never became a crisis, because the plan and the support network's process steps were already known.

Excerpts from the memo are below:


Our Layered Antivirus Approach:

Our virus protection processes use multiple layers of defense using different antivirus products (increasing our chances of more quickly stopping newer viruses). This protection starts with our e-mail relay at . They use one of the top three corporate antivirus products and also have their firewall set to block several types of attachments automatically. Initial spam filtering is done here also. Once e-mail makes it past the external relay it is routed through our DMZ relay and firewall systems (additional processing and filtering conducted) before making it to our mail server. On our mail server it is again scanned by a different major antivirus product before being delivered to a staff member's mailbox. At this point the staff member's personal desktop antivirus will again scan the e-mail before allowing it to be opened. If all this fails, we rely on our staff training efforts on how to handle suspicious e-mail (this is our last line of defense).

Processes Confirmed & Lessons Learned:

1) Our Technology Partners are great assets to communicate with ASAP when events occur. This helps with ideas, real and moral support, and most importantly, makes everyone smarter.

2) Our best line of defense continues to be staff training. Antivirus companies cannot necessarily be relied on at the beginning of a rapid outbreak. Continue to reinforce best practices in handling very suspicious attachments.

3) Even very well laid out and executed IT plans can fail. This needs to be expected, and the event worked in a collected and procedural way. Yesterday's server crash seemed to result from a variable in the equation that we had trained ourselves to trust implicitly (our antivirus vendor).

4) Our antivirus planning & process worked! (well, sort of). Again, it doesn't seem that any systems were actually infected with the virus. This is in large part due to everyone's awareness of viruses and avoiding attachments and the upgrades to our antivirus layering processes over the past two years.

5) Patience is sometimes needed when responding to technology events, but staff should be encouraged to find alternatives to conduct business. In our estimate, the problem yesterday really couldn't have been resolved any sooner than it was. I was impressed by how many people were proactive yesterday in communicating via other available channels: phone and use of personal e-mail accounts. Business doesn't need to stop just because the e-mail server is down. These other methods of communicating internally and externally may not be as efficient, but they are effective.

6) Network Administrator appreciation day is April 21st. Start planning now.