Educause Security Discussion mailing list archives
In absentia BOF - Anti-virus in a Breach Disclosure World
From: James H Moore <jhmfa () RIT EDU>
Date: Tue, 11 Apr 2006 10:31:01 -0400
I really wish that I was at the Security Professionals Workshop this year. I have so much that I would like some good face-to-face discussion about. I would love to hear the talks. I think that I am budgeted for next year.

The topic I would most like to discuss is Anti-virus in a Breach Disclosure World. New York has an Information Security Breach Notification law on the books. It is similar to California's and about 20+ other state laws. Most everything hinges on whether there is reason to believe that information has been acquired by an unauthorized individual.

Move from there to the most common event on campus: someone finds a virus, worm, or spyware on their computer. This used to be simple enough. Update to the latest version of the "anti", get the latest signatures, clean it, and walk away. Our system admin staffing model has been built on ubiquitous anti-virus and a little bit less ubiquitous anti-spyware (but the a/v companies are covering some/most/haven't checked in a few weeks of the spyware). And so most of it is supposed to be caught and disabled, at worst case when it runs, before there is any damage.

Damage. Hmm. Many worms have the ability to send email. Some spyware has ftp built in to retrieve more spyware. So what about unauthorized access? If the worms and spyware are caught and cleaned when they first execute, then you are safe. But in the odd instance where some log fills and the update fails, or something slips past the signature with a variant, etc., what do you do? The safe thing is to run the "anti" product in detect or quarantine mode, and then research everything it finds (if the PC has personal information on it).

If any malware has file transfer capability of any sort, then dive into access dates and times for files containing sensitive data (even here you have to be careful, because finding out if there is sensitive data on the computer probably affected access times, so you have to either proactively back up the system, or restore files from backup, looking at access times). In short, you need to do an investigation.

How many people do that? If you do, how many people do you have doing investigations, or how do you resource your systems administrators? If a BOF or lunch conversation centers around this, please let me know. And for the rest of you stuck in the office, like me, if you have any wisdom that you would like to share, please do.

Jim

- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)

"We will have a chance when we are as efficient at communicating information security best practices, as hackers and criminals are at sharing attack information" - Peter Presidio
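The access-time problem Jim raises above (searching a machine for sensitive data itself updates the access times you wanted to examine) can be handled on a live system by capturing each file's atime before it is read and restoring it afterwards. The script below is an added example, not code from the original post or from RIT: it walks a directory, records atime before any read, scans file contents for a couple of hypothetical PII patterns (a US SSN shape and a 16-digit card-number shape), restores the original timestamps with os.utime, and then lists the sensitive-data files whose last access fell inside a suspected infection window. The directory tree, file contents and access times are constructed inside the script so it runs offline.

```python
"""Inventory sensitive-data files without disturbing their access times,
then correlate the pre-scan access times with a suspected malware window.
Added example; the regexes, sample files and window are hypothetical."""
import os
import re
import tempfile
from datetime import datetime, timezone

# Hypothetical detection patterns: US SSN and a 16-digit card-number shape.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "card16": re.compile(rb"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}


def utc(iso):
    """'2006-04-10T02:15:00' -> timezone-aware UTC datetime."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def record_times(path):
    """Capture (atime_ns, mtime_ns) before anything touches the file."""
    st = os.stat(path)
    return st.st_atime_ns, st.st_mtime_ns


def scan_file(path, patterns=SENSITIVE_PATTERNS):
    """Return {label: hit_count} for the file, restoring its timestamps
    afterwards so the scan leaves no access-time footprint of its own."""
    atime_ns, mtime_ns = record_times(path)
    try:
        with open(path, "rb") as fh:
            data = fh.read()  # this read may bump atime (relatime/strictatime)
    finally:
        os.utime(path, ns=(atime_ns, mtime_ns))  # put the original times back
    hits = {label: len(rx.findall(data)) for label, rx in patterns.items()}
    return {label: n for label, n in hits.items() if n}


def inventory(root):
    """Walk root; for every file holding sensitive data, keep the atime
    observed *before* the scan read it, plus what was found."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            atime_ns, _ = record_times(path)  # captured before any read
            hits = scan_file(path)
            if hits:
                found[path] = {
                    "last_access": datetime.fromtimestamp(atime_ns // 10**9, tz=timezone.utc),
                    "hits": hits,
                }
    return found


def accessed_during(found, start, end):
    """Sensitive-data files whose last access falls inside [start, end]."""
    return sorted(p for p, info in found.items() if start <= info["last_access"] <= end)


def build_sample_tree(root):
    """Constructed sample data: synthetic contents and access times."""
    files = {
        "hr/payroll.txt": (b"Jane Doe 123-45-6789 salary 51000\n", "2006-04-10T02:15:00"),
        "notes.txt": (b"call back 987-65-4321 re: badge\n", "2006-04-09T12:00:00"),
        "readme.txt": (b"no personal data here\n", "2006-04-10T02:30:00"),
    }
    expected = {}
    for rel, (content, accessed) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        ns = int(utc(accessed).timestamp()) * 10**9
        os.utime(path, ns=(ns, ns))  # set atime == mtime so relatime would bump it on read
        expected[path] = ns
    return expected


def demo():
    """Run the whole procedure on the constructed tree. Returns
    (hits by relative path, files accessed in the window, atimes preserved?)."""
    window_start, window_end = utc("2006-04-10T02:00:00"), utc("2006-04-10T03:00:00")
    with tempfile.TemporaryDirectory() as root:
        expected = build_sample_tree(root)
        found = inventory(root)
        flagged = accessed_during(found, window_start, window_end)
        preserved = all(record_times(p)[0] == ns for p, ns in expected.items())
        rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
        return ({rel(p): i["hits"] for p, i in found.items()},
                [rel(p) for p in flagged],
                preserved)


if __name__ == "__main__":
    hits, flagged, preserved = demo()
    print("sensitive files:", hits)
    print("accessed in window:", flagged)
    print("access times preserved:", preserved)
```

Two caveats a practitioner should keep in mind. First, this only helps if the filesystem records access times at all: Linux mounts commonly use relatime (atime updated only when older than mtime/ctime) or noatime, and Windows has long shipped with NTFS last-access updates disabled by default, so an atime that never changed proves nothing. Second, restoring timestamps on a live machine is a last resort; the approach Jim mentions, working from a backup or a forensic image, is the cleaner way to get untouched access times.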
Current thread:
- In absentia BOF - Anti-virus in a Breach Disclosure World James H Moore (Apr 11)
- <Possible follow-ups>
- Re: In absentia BOF - Anti-virus in a Breach Disclosure World Gary Flynn (Apr 12)