Educause Security Discussion mailing list archives

In absentia BOF - Anti-virus in a Breach Disclosure World


From: James H Moore <jhmfa () RIT EDU>
Date: Tue, 11 Apr 2006 10:31:01 -0400

I really wish that I was at the Security Professionals Workshop this
year.  I have so much that I would like some good face to face
discussion.  I would love to hear the talks.  I think that I am budgeted
for next year.

The topic I would most like to discuss is Anti-virus in a Breach
Disclosure World.  New York has an Information Security Breach
Notification law on the books.  It is similar to California's and about
20+ other state laws.  Most everything hinges on if there is reason to
believe that information has been acquired by an unauthorized
individual.

Move from there to the most common event on campus, someone finds a
virus, worm, or spyware on their computer.  This used to be simple
enough.  Update to the latest version of the "anti", get the latest
signatures, clean it, and walk away.  Our system admin staffing model
has been built on ubiquitous anti-virus, a little bit less ubiquitous
anti-spyware (but the a/v companies are covering some/most/haven't
checked in a few weeks, spyware).  And so most of it is supposed to be
caught and disabled, at worst case when it runs, before there is any
damage.

Damage.  Hmm.  Many worms have the ability to send email.  Some spyware
has ftp built-in to retrieve more spyware.  So what about unauthorized
access?  If the worms and spyware are caught and cleaned when they first
execute, then you are safe.

But in the odd instance where some log fills and the update fails, or
something slips past the signature with a variant, etc., what do you do?
The safe thing is to run the "anti" product in detect or quarantine
mode, and then research everything it finds (if the PC has personal
information on it).  If any malware has file transfer capability of any
sort, then dive into access dates and times for files containing
sensitive data (even here you have to be careful, because finding out if
there is sensitive data on the computer probably affected access times,
so you have to either proactively backup the system, or restore files
from backup, looking at access times.)  In short, you need to do an
investigation.  How many people do that?  If you do, how many people do
you have doing investigations, or how do you resource your systems
administrators?

If a BOF or lunch conversation centers around this, please let me know.
And for the rest of you stuck in the office, like me, if you have any
wisdom that you would like to share, please do.

Jim

- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)

"We will have a chance when we are as efficient at communicating
information security best practices, as hackers and criminals are at
sharing attack information"  - Peter Presidio
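One way to make the access-time check described in the post concrete, as an added example that is not part of the original message: compare file access times saved from backup before anyone searched the PC for sensitive data against the time the malware first ran, so the search's own reads do not count as suspicious access. Every path, timestamp, and the snapshot itself is constructed for illustration.

```python
from datetime import datetime

# Constructed sample: access times captured from backup BEFORE anyone searched
# the PC for sensitive data (UTC ISO-8601 strings).
PRE_SCAN_SNAPSHOT = {
    r"C:\Docs\ssn_export.xls": "2006-04-10T09:12:00+00:00",
    r"C:\Docs\grades.csv": "2006-04-08T15:40:00+00:00",
    r"C:\Downloads\setup.exe": "2006-04-10T08:55:00+00:00",
}
# Constructed: access times read from the live disk AFTER the sensitive-data
# search; the search itself opened both documents and moved their atimes.
LIVE_ATIMES = {
    r"C:\Docs\ssn_export.xls": "2006-04-11T10:00:00+00:00",
    r"C:\Docs\grades.csv": "2006-04-11T10:00:05+00:00",
    r"C:\Downloads\setup.exe": "2006-04-10T08:55:00+00:00",
}
# Constructed: paths the sensitive-data search flagged, and the first-run
# time of the malware taken from the a/v log.
SENSITIVE_FILES = {r"C:\Docs\ssn_export.xls", r"C:\Docs\grades.csv"}
MALWARE_FIRST_RUN = "2006-04-10T08:55:00+00:00"


def _ts(value):
    return datetime.fromisoformat(value)


def files_to_investigate(atimes, sensitive, first_run):
    """Sensitive files whose last access is at or after the malware first ran.

    Feed this the pre-scan snapshot; fed live atimes, it flags everything
    the sensitive-data search itself opened."""
    cutoff = _ts(first_run)
    return sorted(p for p in sensitive if p in atimes and _ts(atimes[p]) >= cutoff)


def files_touched_by_scan(snapshot, live):
    """Paths whose live atime no longer matches the snapshot: evidence that
    the sensitive-data search (or anything since) disturbed them."""
    return {p for p in snapshot if p in live and live[p] != snapshot[p]}


if __name__ == "__main__":
    print("from snapshot:", files_to_investigate(PRE_SCAN_SNAPSHOT, SENSITIVE_FILES, MALWARE_FIRST_RUN))
    print("from live atimes:", files_to_investigate(LIVE_ATIMES, SENSITIVE_FILES, MALWARE_FIRST_RUN))
    print("disturbed by search:", files_touched_by_scan(PRE_SCAN_SNAPSHOT, LIVE_ATIMES))
```

Running it shows only the spreadsheet needs a closer look when the snapshot is used, while the live access times would flag both documents purely because the search opened them.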