Tuesday, February 3, 2009

Update on Conficker

Last week, I wrote about the effort to proactively protect BIDMC and Harvard from the Conficker virus.

Our efforts continue with the following:

1. IT Security is verifying whether or not the MS08-067 vulneribilty shows up on our scan on an infected machine. We have been assuming that machines showing the vulnerability are the only machines we need to worry about. It is possible the virus does some type of masking once it is introduced to make the machine look like it has been patched.

2. We are verifying that the update of the anti-virus agent on an infected machine cleans the virus. If not, the machine will need to be rebuilt from scratch.

3. The daily reports of virus activity will be closely monitored to identify any sign of infected machines. So far, we have seen only one in the entire enteprise. Infected machines try to infect other machines on the same subnet so they get reported by our intrusion detection tools.

4. To add more surveillance to the data center, Security is engineering a report that will list all active IP's in the data center and disaster recovery site. This list will be compared to those registered in McAfee ePolicy Orchestrator (EPO). Any exception, i.e. data center device not registered in EPO or device not up-to-date with anti-virus per EPO, will be immediately pursued. Our expectation is that all Windows hosts in the data center are updated daily.

5. We are examining what is typical in the Active logs for account lockouts, similar to what we do for patient access. If we can establish what's typical, we can threshold it and create an alert when something unusual occurs.

6. We now have a list of devices that the scan showed do not have the MS08-067 patch. We are pushing them out to managed machines and contacting others who have private machines. Some of the latter are medical devices, e.g. GE PACS, etc.

7. We are using this incident to fine tune our virus incident response process. It's been awhile (good news/bad news) since we had such a notable virus in the field. When you don't exercise, you get out of tune.

8. We continue to learn more about the sophistication of the virus and its ability to hide, morph, and so forth. There continues to be questions as to what it's ultimate intentions will be.

One thing this episode reinforces is the need to have security in depth, i.e. layers. Although we discovered many devices with the vulnerability, our anti-virus was up-to-date on them. For some hosts, we also had the host-based intrusion detection and prevent (Third Brigade) turned on. The combination of aggressive patching, constant monitoring, daily anti-virus updates, and host based intrustion prevention has limited the impact of Conficker on our networks thus far.


MyFreindJason said...

Sounds like you guys are on top of it....I do wonder however how your organization is handling FDA devices that cannot be patched or have AntiVirus installed?

Richard O. DeWald RN said...

I did one thing you don't mention, I sent an e-mail to my users instructing them on protection, detection and removal practices for their home machines. This thing can move over a USB device, and while our policy explicitly forbids the use of devices on both home and corporate machines, people do it. So, I took this additional step.