Some time has passed since I posted here (work, travel, holiday and other excuses), but I hope to have a little more spare time in the future.
I would like to use this post to raise some awareness of basic incident handling procedures. I learned some time ago at SANS that Incident Handling is a process which consists of the following steps:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Special Actions for Responding to Different Types of Incidents
- Incident Record Keeping
- Incident Follow-Up
I am not going to explain each step of the process, as that would take this article too far. I would just like to stress that there is more to it than just eradicating the problem.
The reason I am stressing this is that in most cases, people who are infected with some kind of malware tend to think of only one thing: get the thing removed from their system and carry on. It is interesting to see that most people don’t really care what the purpose of the malware was! And some companies do so too.
Let’s say you were infected with some kind of banking trojan: wouldn’t you want to make sure that your bank account isn’t missing a few euros? And if it was password-stealing malware, wouldn’t it be a good idea to change that password you use at every site you visit?
I am not saying that you should start going through the complete incident handling process every time your non-IT-savvy friend’s PC is infected with the latest spyware, but at least keep the incident handling process somewhere in the back of your mind. If it is only one kind of malware, investigate and inform your friend what the malware’s purpose was and what he or she should do with that information. If it is a whole zoo of malware living on your friend’s system, I would not only flatten and rebuild the system but would also give some generic advice on what he/she should do now after the mass infection. This would include basic housekeeping like changing passwords, keeping an eye on his accounts, etc. I would also give some advice on how to prevent infection in the future and explain how he/she was most likely infected.
Of course, your non-savvy friend might not understand or might even be frightened, and you might think that their ignorance is your bliss, but I am convinced that without spreading a little awareness, you are fighting a fire with a very limited supply of water.