SLAC COMPUTER SECURITY AntiVirus Process Marilyn Cariola Heather Larrieu (audio) Chris Mayfield October 14, 2008 1

Page 1:

SLAC COMPUTER SECURITY

AntiVirus Process

Marilyn Cariola

Heather Larrieu (audio)

Chris Mayfield

October 14, 2008


Page 2:

Computer Security AntiVirus

Source: Quarterly Report PandaLabs – July-Sept 08

Page 3:

Malicious Software
• More trojan attacks
• Coming via web browsing
• Using SQL injection techniques
• Battery of exploit attempts
  – 3rd party applications
  – OS vulnerabilities
• Goal is Silent Infection
  – Trojan.ZLOB
  – Trojan.PANDEX
  – Trojan.ASPROX

Page 4:

What you see

Page 5:

Virus Alert
Alert: Virus Found
Computer: XXXXXXXXXXXXX
Virus: Trojan Horse
Path: C:\WINDOWS\Temp\VBR49FD.exe
Date: 9/29/2008
Time: 9:54:46 AM
Severity: Critical
Requested Action: Clean
Action Taken: Leave Alone
User: XXXXXXXXXXXXX
Source: Symantec AntiVirus Corporate Edition

Page 6:

AV Process & Actions

Type(1)                AV action taken                         Cyber action      Admin action                    User action
---------------------  --------------------------------------  ----------------  ------------------------------  ---------------
Trojan horse, Spyware  Leave alone, access denied, undefined   Isolate / Email   Scan(2), format and rebuild(3)  Change password
Adware                 Leave alone, access denied, undefined   Email             Scan(2)                         Chg pwd
Worm                   Leave alone, access denied, undefined   Email             Scan(2)                         Chg pwd
Virus                  Leave alone, access denied, undefined   Email             Scan(2)                         Chg pwd
Trojan horse, Spyware  Clean, quarantine, delete               Email             Scan(2)                         Chg pwd
Adware                 Clean, quarantine, delete               None              None                            None
Worm                   Clean, quarantine, delete               None              None                            None
Virus                  Clean, quarantine, delete               None              None                            None

Notes:
1. The results of malware research could change the actions to be taken.
2. All scans must be full AV scans in safe mode with system restore turned off.
   a) Results need to be shared with Cyber, screen captures or exported files.
   b) Depending on the results of the scan, further actions could include format and rebuild or Cyber taking the computer or hard drive for further investigation.
3. Computer security may not request a rebuild if the virus is found in cache.
4. Computers used to access personally identifiable information (PII) will receive more scrutiny when they generate virus alerts.

Page 7:

Other Actions
• Additional viruses or issues
  – Isolate / scan / rebuild
• Several (3 or more) alerts on same computer / same day
  – Isolate / scan / rebuild
• Unauthorized / prohibited software
  – Must be removed
  – Some cases sent to HR
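The alert on page 5, the response matrix on page 6 and the "3 or more alerts on the same computer / same day" rule on page 7 together describe a triage procedure. The following Python script is an added example that is not part of the SLAC slides: it parses the "Field: value" layout of a Symantec AntiVirus alert, looks up the Cyber/Admin/User actions from the page-6 table, and escalates when a host has three or more alerts on one day. Host names, user names, the extra alerts and the "Research (note 1)" fallback for a type or AV action the table does not list are my own constructed choices.

```python
import re
from collections import defaultdict

# Page 6 rows, keyed by (malware type, did the AV product remediate?) -> (Cyber, Admin, User).
NOT_REMEDIATED = {"leave alone", "access denied", "undefined"}
REMEDIATED = {"clean", "quarantine", "delete"}
ISOLATE_ROW = ("Isolate / Email", "Scan(2), format and rebuild(3)", "Change password")
EMAIL_ROW = ("Email", "Scan(2)", "Change password")
NONE_ROW = ("None", "None", "None")
RESPONSE_MATRIX = {
    ("trojan horse", False): ISOLATE_ROW, ("spyware", False): ISOLATE_ROW,
    ("adware", False): EMAIL_ROW, ("worm", False): EMAIL_ROW, ("virus", False): EMAIL_ROW,
    ("trojan horse", True): EMAIL_ROW, ("spyware", True): EMAIL_ROW,
    ("adware", True): NONE_ROW, ("worm", True): NONE_ROW, ("virus", True): NONE_ROW,
}
# Page 7: several (3 or more) alerts on the same computer on the same day.
REPEAT_THRESHOLD = 3
ESCALATION = ("Isolate", "Scan / rebuild", "Change password")

# One "Field: value" line of the alert; the leading "Virus Alert" title has no colon and is skipped.
FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def parse_alert(text):
    """Split an alert in the page-5 layout into a {field: value} dict."""
    fields = {}
    for line in text.strip().splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def classify_type(virus_field):
    """Map the 'Virus:' field onto a page-6 row, or None when research (note 1) is needed."""
    name = virus_field.lower()
    for mtype in ("trojan horse", "spyware", "adware", "worm", "virus"):
        if mtype in name:
            return mtype
    if "trojan" in name:  # family names such as Trojan.Zlob
        return "trojan horse"
    return None


def response_for(alert):
    """Return the page-6 actions for one parsed alert as a dict."""
    mtype = classify_type(alert.get("Virus", ""))
    taken = alert.get("Action Taken", "").lower()
    remediated = False if taken in NOT_REMEDIATED else True if taken in REMEDIATED else None
    if mtype is None or remediated is None:
        cyber = admin = user = "Research (note 1)"  # not in the table: research before acting
    else:
        cyber, admin, user = RESPONSE_MATRIX[(mtype, remediated)]
    return {"type": mtype, "remediated": remediated, "cyber": cyber, "admin": admin, "user": user}


def triage(alert_texts, pii_hosts=frozenset()):
    """Apply pages 6 and 7 to a batch of alerts; returns one record per alert."""
    alerts = [parse_alert(t) for t in alert_texts]
    per_host_day = defaultdict(int)
    for a in alerts:
        per_host_day[(a.get("Computer"), a.get("Date"))] += 1
    records = []
    for a in alerts:
        rec = response_for(a)
        rec["computer"] = a.get("Computer")
        rec["repeat_escalation"] = per_host_day[(a.get("Computer"), a.get("Date"))] >= REPEAT_THRESHOLD
        if rec["repeat_escalation"]:  # page 7: isolate / scan / rebuild regardless of type
            rec["cyber"], rec["admin"], rec["user"] = ESCALATION
        rec["pii_scrutiny"] = a.get("Computer") in pii_hosts  # note 4: PII hosts get more scrutiny
        records.append(rec)
    return records


# Constructed sample alert in the page-5 layout (host and user names are made up).
ALERT_TROJAN = r"""Virus Alert
Alert: Virus Found
Computer: WS-EXAMPLE-01
Virus: Trojan Horse
Path: C:\WINDOWS\Temp\VBR49FD.exe
Date: 9/29/2008
Time: 9:54:46 AM
Severity: Critical
Requested Action: Clean
Action Taken: Leave Alone
User: jdoe
Source: Symantec AntiVirus Corporate Edition
"""


def make_alert(computer, virus, action_taken, date="9/29/2008"):
    """Build a constructed alert in the page-5 layout (sample data, not a real log)."""
    return (f"Virus Alert\nAlert: Virus Found\nComputer: {computer}\nVirus: {virus}\n"
            f"Path: C:\\WINDOWS\\Temp\\sample.exe\nDate: {date}\nTime: 10:00:00 AM\n"
            f"Severity: Critical\nRequested Action: Clean\nAction Taken: {action_taken}\n"
            f"User: sampleuser\nSource: Symantec AntiVirus Corporate Edition\n")


SAMPLE_BATCH = [
    ALERT_TROJAN,                                                # not remediated: isolate row
    make_alert("WS-EXAMPLE-02", "Adware.Generic", "Quarantine"),  # remediated adware: no action
    make_alert("WS-EXAMPLE-01", "W32.Sample.Worm", "Clean"),      # 2nd alert, same host / day
    make_alert("WS-EXAMPLE-01", "Adware.Sample", "Delete"),       # 3rd alert: page-7 escalation
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_BATCH, pii_hosts={"WS-EXAMPLE-02"}):
        print(rec)
```

The matrix is keyed on whether the AV product actually remediated, because that is the distinction the page-6 table draws: a trojan the scanner only "left alone" is still resident and gets the isolate row, while a quarantined piece of adware needs no further action. Anything outside the table falls back to manual research rather than to a guessed action, which is what note 1 calls for.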

Page 8:

Further Review
Affirmative duty to report abuse of SLAC resources
• Device taken, including USB devices
  – Illegally licensed software
  – Hacker tools
    • Key generators, password sniffing, vulnerability assessment
  – Illicit material
    • Pornography, gambling, evidence of running a personal business
• Reported to HR

Page 9:

Page 10:

References


• Computer Security website
  – Restricted/Prohibited software
• Policies
  – Limited Personal Use of Government Office Equipment including Information Technology
  – Use of SLAC Information Resources

Page 11:

Questions / answers / discussion


• What would happen if we didn't do this?
  – A computer gets compromised
    • Becomes a bot for additional attacks
    • Information is lost
  – During a Site Assessment
    • Non-job related data is found
      – Unlicensed / illegal software
      – Pornography
    • SLAC fined, lose contract?