Do you have malware response procedures in place for Heartbleed?

By Alberto Jimenez, CBCP, PMP

Everyone is talking about the Heartbleed bug, a flaw in open-source software called OpenSSL that's widely used to encrypt Web communications. According to CNET, “Heartbleed can reveal the contents of a server's memory, where the most sensitive of data is stored. That includes private data such as usernames, passwords, and credit card numbers. It also means an attacker can get copies of a server's digital keys then use that to impersonate servers or to decrypt communications from the past or potentially the future, too.”
Organizations responding to this new and quite serious threat face several challenges.  But the biggest one is not the malware itself, but rather their ability, or lack thereof, to effectively respond to this type of incident.  
Malware response procedures provide the ability to respond in a timely and efficient manner to outbreaks of malware propagation. This is vital to an organization’s business continuity, and it requires a set of well-defined and formalized procedures to guide personnel in the event a malware incident is identified. 
The key elements of an effective response include, but are not limited to:

  • Communications – Once the incident is identified, who, what, and how to communicate the incident. This should vary by audience (internal vs. external) and severity levels.
  • Analysis - If malware (worm, bot, virus, etc.) has infected a system or is propagating, authorized personnel must determine the likely impact, as well as identify the type and behavior of the malware.
  • Containment - Identify the point of origin for the outbreak and how the infection began, and disconnect the infected device(s) from the network.
  • Eradication– This includes steps for preserving copies of the systems and data (if there is a need for further forensics investigation), and removal of infected systems.
  • Recovery - Restore systems and data from the most resent, clean backup.
  • Post Incident – Conduct forensic investigation (as needed) and document lessons learned.

Organizations that have well defined response procedures are much more effective in identifying and managing these incidents. Others that often rely on smarts and heroics run the risk of creating even bigger problems.
This is a great opportunity to ask yourself, how confident are you with the effectiveness of your malware response procedures?