E-mail virus
1. Identify the attack
What kind of virus are you facing?
E-mail viruses can take three forms. Knowing what kind of virus you're dealing with will help you better figure out the severity. Don't forget that some viruses are actually hoaxes.
Where did the virus come from?
Find out where the virus came from—who e-mailed it and who in the organization got the e-mail first. This will help you warn people your organization deals with or find out how they handled it.
What virus is it?
What e-mail software is your server running?
Different e-mail systems are affected by different viruses. For example, a virus that reacts one way on Outlook/Exchange may not affect GroupWise servers and GroupWise clients.
What virus scanner are you running?
You should know what virus scanner is running on both your e-mail server and your clients, in case you need emergency updates.
2. Communicate with end users
What do the virus protection makers say?
Check with the virus protection maker to see whether it has provided a patch for your virus and whether you need to obtain updates or patches.
How do I communicate if e-mail is down?
Let users know that there's an e-mail virus attacking the network, but do so in a manner that doesn't cause panic. If need be, use instant messages or phone calls for notification. In a small organization, you may be able to personally deliver the warnings.
Who has been affected?
Find out who has been infected with the virus and who hasn’t. It may help identify the source of the virus and how it's spreading in your organization.
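The two questions above (where the virus came from, and who has been affected) can be answered from mail-gateway logs. The script below is an added example, not part of the original article: it triages a constructed log (the log format, addresses and the `invoice.doc` indicator are all invented placeholders) to find the external sender, the first internal recipient, and the order in which internal users received the infected attachment.

```python
# Added example (not from the original article): triage constructed mail-gateway
# log lines to find where an e-mail virus entered and how it spread internally.
# Assumptions: the log format below is invented for this example, and the
# malicious attachment name is a placeholder indicator, not a real sample.
from datetime import datetime

# Constructed sample log: "timestamp sender -> recipient attachment=<name>"
SAMPLE_LOG = """\
2024-05-01T08:02:11 vendor@partner.example -> alice@corp.example attachment=invoice.doc
2024-05-01T08:05:40 news@list.example -> bob@corp.example attachment=report.pdf
2024-05-01T08:09:03 alice@corp.example -> bob@corp.example attachment=invoice.doc
2024-05-01T08:09:05 alice@corp.example -> carol@corp.example attachment=invoice.doc
2024-05-01T08:31:22 carol@corp.example -> dave@corp.example attachment=invoice.doc
"""
INDICATOR = "invoice.doc"        # placeholder attachment name for the virus
INTERNAL_DOMAIN = "corp.example" # placeholder internal mail domain

def parse_log(text):
    """Return (timestamp, sender, recipient, attachment) tuples, oldest first."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, _, recipient, att = line.split()
        rows.append((datetime.fromisoformat(ts), sender,
                     recipient, att.split("=", 1)[1]))
    return sorted(rows)

def triage(text, indicator=INDICATOR, domain=INTERNAL_DOMAIN):
    """Identify the source, the first internal recipient, and the spread order."""
    hits = [r for r in parse_log(text) if r[3] == indicator]
    if not hits:
        return None                 # indicator never seen: nothing to triage
    first = hits[0]                 # earliest delivery of the indicator
    affected = []                   # internal recipients in order of first receipt
    for _, _, rcpt, _ in hits:
        if rcpt.endswith("@" + domain) and rcpt not in affected:
            affected.append(rcpt)
    # internal accounts that forwarded the attachment (workstations to clean first)
    spreaders = sorted({s for _, s, _, _ in hits if s.endswith("@" + domain)})
    return {"first_seen": first[0].isoformat(), "source": first[1],
            "patient_zero": first[2], "affected": affected,
            "internal_spreaders": spreaders}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```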
3. Stop the attack
Do I need to bring down the e-mail server?
If the virus is spreading fast, you may need to immediately disconnect your e-mail server from the network.
Do I need to bring down the network?
Some viruses propagate from client workstation to client workstation. If many clients are affected, you may need to bring down the whole network. The fastest way to do so may be by just shutting down hubs, routers, and switches in your organization. Warn users before doing this.
Do I need updates or patches?
If you haven't recently obtained virus signature updates for the server, do so immediately using a machine that hasn't been infected. You may also need to download any special cleaning utilities the vendor has.
4. Clean up the mess
How do I get rid of the virus?
Run the updated virus scanner, or the cleaning utilities you've downloaded, against the server and any affected workstations. You may need to use a utility like IISScan or ExMerge from Microsoft to physically delete infected messages.
Do I need to recover mailboxes?
Some viruses damage user mailboxes. Make sure you have backups handy to recover the mailboxes.
Do I need to reinstall client software?
You may need to completely reinstall the operating system, applications, and e-mail clients on client workstations. Make sure you have backups handy.
5. Perform a postmortem
Who was affected?
Determine who was affected by the virus and, most important, find out the complete configuration of their workstations to discover whether there was any common security hole, such as an outdated security update or virus signature.
Where did the attack come from?
Once you've determined the source of the attack, go to the source and find out whether they've taken precautions to keep it from happening again.
What viruses act the same way?
Like biological viruses, computer viruses run in similar strains. Check security Web sites to find out whether there are any other viruses similar to the one you just faced.
How long did it take to fix the problem?
Document the amount of time it took to fix the problem. You may need this information for insurance purposes. Additionally, you may be able to cost-justify more staff or a different virus scanning solution if the one you had was inadequate.
Do I need to upgrade or replace my virus scanner?
How do I educate users?
Make sure users know how to identify possible virus messages. Teach them to keep virus signatures up to date. Let them know the potential for data loss. Educate them using different approaches, including training sessions, e-mails, and newsletters.
How do I keep up to date on threats?
Sign up for updates from CERT, Microsoft, and antivirus software manufacturers about virus threats. Don't just count on getting all of the information from one source. You'll get lots of redundant information, but it's better than missing a potential attack.
How important are backups?
Make sure you have regular, complete backups of your e-mail server. Rotate backups on the e-mail server just as you do on your file server. Encourage users to back up their software as well and to store personal mailboxes on a server share so the server backup software can access them too.