Handle Virus & Malicious Code Outbreak

Given that attackers are now moving away from attacks that are merely a nuisance or destructive towards activity that is motivated by financial gain, malicious code attacks have become more sophisticated and a significant concern to organisations. A large-scale malicious code attack, often referred to as a malicious code outbreak, can cause widespread damage and disruption to an organisation, and necessitate extensive recovery time and effort. It is therefore crucial to implement adequate preventive measures, such as deploying protection and detection tools, to safeguard an organisation from malicious code attacks.

However, there is no such thing as bulletproof protection in the world of information security. It is also important that the organisation develop a robust information security incident procedure so that personnel are better prepared to handle malicious code outbreaks in a more organised, efficient and effective manner.

As defined in the "Security Incident Handling for Company" section, an incident response process should have three main stages: "Planning and Preparation", "Response" and "Aftermath". This section outlines the steps in the stages "Response" and "Aftermath" which are important to the complete handling of a malicious code outbreak. For more information about the "Planning and Preparation" stage, please refer to the section "Security Incident Handling for Company" mentioned above.

The "Response" Stage consists of the following five steps:

• Detection and Identification

• Escalation

• Containment

• Eradication

• Recovery

Aftermath

Restoring infected systems to normal operation does not mark the end of a malicious code outbreak. It is also important to perform necessary follow up action. This may include full evaluation of the damage caused, system refinements to prevent recurrence of the incident, updates to security policies and procedures, and investigation of the case for subsequent prosecution. Activities in this stage can include the following:

• Review the effectiveness of existing virus / malicious code protection procedures and mechanisms, including central control and management on virus signature distribution and detection and repair engine update, scheduled regular virus scanning, etc.

• Update relevant policies, guidelines and procedures whenever necessary.

• Enforce the new security measures introduced in the reviewed policy / guidelines / procedures to protect systems against future attacks.

• Remind users to follow security best practices, such as not opening email from unknown/suspicious email sources, updating security patches and virus definitions on a regular basis and whenever necessary, etc.