High quality information and incident response
In order to effectively detect and respond to computer security incidents, an incident manager needs information, and that information must have sufficient detail and enough coverage. This is why I get a little miffed when I see a work ticket get closed out with only the following information:
"Lots of these machines were infected with virus. I killed them all."

There is (almost) no useful information in this update.
How did you notice there were viruses on the machine? What tool detected them? How many machines were infected? Which machines were infected? What were those machines used for? Who had access to them? Was it the same virus on all machines, or were there different ones? Which viruses did you find? Was there antivirus installed? Was the antivirus running? Were the antivirus definitions up to date? Was the machine's operating system patched? Which users were logged on locally? What drive mappings did the user have open? How did you kill the viruses? Did you see the virus(es) somewhere else?
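Most of those questions can be answered by the machine itself, if someone records its state before "killing" anything. The script below is an added example and is not part of the original post; it collects the evidence behind each question (AV installed, running and current, what was detected and what was done about it, patch level, logged-on users, local administrators, open drive mappings) into a single JSON file that can be attached to the ticket. It assumes a Windows 10 / Server 2016 or later workstation running Microsoft Defender (the Defender module cmdlets), PowerShell 5.1 or later, an elevated shell, and an output directory of `C:\IR` (a made-up location for the example). It changes nothing on the host.

```powershell
#Requires -Version 5.1
<#
  Triage snapshot for a suspected workstation infection.
  Added example, not from the original post. Assumes Windows 10/Server 2016+
  with Microsoft Defender, an elevated shell, and that $OutDir is writable.
  Collection only: nothing here cleans, kills or remediates anything.
#>
param(
    [string] $OutDir = "$env:SystemDrive\IR"   # assumed collection location
)

$ErrorActionPreference = 'Continue'
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Run one collector and record its error instead of aborting the whole
# snapshot, e.g. when a third-party AV is installed and the Defender
# cmdlets are missing.
function Invoke-Collector {
    param([string] $Name, [scriptblock] $Block)
    try   { & $Block }
    catch { [pscustomobject]@{ Collector = $Name; Error = $_.Exception.Message } }
}

$snapshot = [ordered]@{
    CollectedAt = (Get-Date).ToString('o')
    Hostname    = $env:COMPUTERNAME
    Collector   = "$env:USERDOMAIN\$env:USERNAME"

    # Which machine is this, what OS, when did it last boot?
    OperatingSystem = Invoke-Collector 'OS' {
        Get-CimInstance Win32_OperatingSystem |
            Select-Object Caption, Version, BuildNumber, LastBootUpTime, InstallDate
    }
    # Was the OS patched? Most recent updates installed.
    RecentHotfixes = Invoke-Collector 'Hotfix' {
        Get-HotFix | Sort-Object InstalledOn -Descending |
            Select-Object -First 15 HotFixID, Description, InstalledOn
    }
    # Was AV installed, was it running, were definitions up to date?
    AntivirusStatus = Invoke-Collector 'MpStatus' {
        Get-MpComputerStatus |
            Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled,
                          AntivirusSignatureVersion, AntivirusSignatureLastUpdated,
                          QuickScanEndTime, FullScanEndTime
    }
    # Which viruses, in which files/processes, under which user, what action?
    Detections = Invoke-Collector 'MpThreatDetection' {
        Get-MpThreatDetection |
            Select-Object ThreatID, InitialDetectionTime, LastThreatStatusChangeTime,
                          ProcessName, DomainUser, Resources, ActionSuccess
    }
    ThreatCatalog = Invoke-Collector 'MpThreat' {
        Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID, IsActive
    }
    # Same facts from the event log, which survives someone clicking "clean":
    # 1116 = malware detected, 1117 = action taken.
    DefenderEvents = Invoke-Collector 'DefenderLog' {
        Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-Windows Defender/Operational'
            Id      = 1116, 1117
        } -MaxEvents 200 -ErrorAction Stop |
            Select-Object TimeCreated, Id, Message
    }
    # Which users were logged on locally?
    LoggedOnUsers = Invoke-Collector 'quser' {
        (quser 2>&1) | ForEach-Object { $_.ToString() }
    }
    # Who had (administrative) access to the machine?
    LocalAdministrators = Invoke-Collector 'LocalAdmins' {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object Name, ObjectClass, PrincipalSource
    }
    # Which drive mappings were open? (How the malware may have spread.)
    DriveMappings = Invoke-Collector 'SmbMapping' {
        Get-SmbMapping | Select-Object LocalPath, RemotePath, Status
    }
    # What is running now, to compare against what the AV says it removed.
    RunningProcesses = Invoke-Collector 'Process' {
        Get-Process | Select-Object Id, ProcessName, Path, StartTime, Company
    }
}

$outFile = Join-Path $OutDir "triage-$($env:COMPUTERNAME)-$stamp.json"
$snapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $outFile -Encoding UTF8
Write-Host "Triage snapshot written to $outFile"
```

Run it once per affected machine before any cleanup, then attach the JSON files to the ticket; comparing the `ThreatCatalog` and `DriveMappings` sections across machines is usually enough to tell "same virus everywhere, spread via a shared drive" from "one user doing the same thing on several workstations".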
Right now, I have no information and as a result I have to declare an information security incident. I get to find an answer to all these questions, probably resulting in a finding that one user does stupid stuff on multiple workstations, or that the office is doing bad stuff as a whole. Either way, I anticipate some very targeted awareness training in my near future.
Oh yes, due to this particular environment, users have local administrator access and are free to mess up their own machines as much as they want.