Part 8 - Information Resources Management
Chapter 10 - Prevention, Detection, Removal, & Reporting of Malicious Software
- PURPOSE. The purpose of this chapter is to ensure that proactive security measures are taken to:
  - prevent malicious software infections,
  - raise awareness for recognizing and immediately reporting the occurrence of malicious software, and
  - ensure appropriate action is taken to minimize the consequences of a malicious software attack.
- BACKGROUND. The Indian Health Service (IHS) Security Program complies with Federal laws, regulations, and directives, and communicates uniform policies for the protection and control of Information Technology (IT) resources directly or indirectly relating to the activities of the Agency. Computer systems and communication networks are subject to a variety of threats, many of which have emerged with the enormous growth in the use of personal computers, Local Area Networks, Wide Area Networks, and the Internet. Non-malicious threats can arise from human error, hardware/software failures, and natural disasters. Malicious threats can range from the rational (e.g., obtaining something of value at no cost) to the irrational (e.g., destroying information or causing embarrassment). These threats must be adequately addressed through proper controls. In addition, the IHS has an obligation to protect the privacy and security of personal data.
Malicious software has the potential to cause harm to an organization through the modification, destruction, or release of information or processing resources and the denial of critical services. Traditional computer safeguards and malware detection efforts play important roles in the implementation of an organization's malicious software prevention strategy.
Originally the most common "carrier" of viruses was the diskette, since "sneaker net" was the most common means of transferring software and data between computers. However, all organizations with Internet access are now more vulnerable to viruses. Since e-mail is widely used as a business communication tool, e-mail is a favorite infection vehicle for virus writers. As information systems grow in complexity, effective security safeguards must evolve. Security is enforced through a combination of technical and traditional management methods.
- SCOPE. This chapter applies to all IHS organizational components including but not limited to Headquarters, Area Offices, and service units conducting business for and on behalf of the IHS through contractual relationships when using IHS IT resources. The chapter applies to all IHS IT activities including the equipment, procedures, and technologies that are employed in managing these activities. The chapter includes all IHS office locations and teleworking, travel, or other off-site locations. Agency officials shall apply this chapter to contractor personnel, interns, externs, and other non-Government employees by incorporating such reference in contracts or memorandums of agreement as conditions for using Government-provided IT resources. This chapter applies to all operating system environments.
- AUTHORITIES.
  - “Information Technology Management Reform Act of 1996,” Clinger-Cohen Act, Division E, Public Law (P.L.) 104-106
  - “Standards of Ethical Conduct for Employees of the Executive Branch,” 5 Code of Federal Regulations (CFR), 2635A
  - “Computer Fraud and Abuse Act of 1986,” P.L. 99-474
  - “Computer Security Act of 1987,” P.L. 100-235
  - “Implementing Standards of Ethical Conduct for Employees of the Executive Branch,” Executive Order 12674 B, Part 1
  - Department of Health and Human Services (HHS) Information Resources Management (IRM) Policies:
    - “Establishing an Incident Response Capability,” HHS-IRM-2000-0006, January 8, 2001
    - “Prevention, Detection, Removal, and Reporting of Malicious Software,” HHS-IRM-2000-0007, January 8, 2001
  - The “HHS Automated Information Systems Security Program Handbook,” May 1994
  - Office of Management and Budget Circular No. A-130, “Management of Federal Resources,” Appendix III, “Security of Federal Automated Information Resources”
  - Presidential Decision Directive 63, “Critical Infrastructure Protection,” May 22, 1998
  - “Privacy Act of 1974,” P.L. 93-579
  - “Inspector General Act,” 5 United States Code, Appendix 3, Section 4
- ACRONYMS.
  - CFR: Code of Federal Regulations
  - CIO: Chief Information Officer
  - EIM: Enterprise Infrastructure Management
  - GSA: General Services Administration
  - HHS: Department of Health and Human Services
  - IHS: Indian Health Service
  - IRM: Information Resources Management
  - ISSO: Information Systems Security Officer
  - IT: Information Technology
- DEFINITIONS.
- Computer Security Incident. An event that may result in, or has resulted in, unauthorized access to, or disclosure of, sensitive or classified information; unauthorized modification or destruction of systems data; reduced, interrupted, or terminated processing capability; malicious logic or virus activity; or the loss, theft, damage, or destruction of any IT resource. Examples of incidents include unauthorized use of another user's account, unauthorized scans or probes, successful or unsuccessful intrusions, unauthorized use of system privileges, execution of malicious code (e.g., viruses, Trojan horses, or back doors), and insider attacks. Events such as natural disasters and power-related disruptions are not generally within the scope of Incident Response Teams and should be addressed in the IHS's business continuity and contingency plan.
- Computer Virus. A computer virus is an executable or self-replicating program, spread through executables, boot records, and macros, consisting of a set of instructions that attaches itself to programs, files, diskettes, or other storage media. This set of instructions can then spread to other programs, files, disks, systems, or networks. The instructions can display a message; erase or alter files or stored data; or potentially render a workstation or network inoperable. Sometimes, instead of carrying disruptive instructions, a virus causes damage simply by replicating itself and depleting resources, such as disk space, memory, or network connections. Non-virus threats to user systems include worms, Trojan horses, and logic bombs.
- Detection. Determining that a record, data file, or storage media is contaminated with a virus.
- Firmware. The Read-Only-Memory (ROM)-based software that controls a computer between the time it is turned on and the time the primary operating system takes control of the machine. The firmware's responsibilities include testing and initializing the hardware, determining the hardware configuration, loading (or booting) the operating system, and providing interactive debugging facilities in case of faulty hardware or software.
- Malicious Software. Any code that is intentionally included in software or firmware for an unauthorized purpose. (Also known as “Malware.”)
- Unauthorized Software. Any software that does not have a certificate of authority to operate.
- POLICY. The IHS shall ensure that all reasonable measures are taken to prevent, detect, remove, and report malicious computer software from IHS systems and data.
- Protection Against Unauthorized Access. The IHS will ensure that its systems and data are safe and secure from unauthorized access that might lead to the alteration, damage, or destruction of automated resources and data, the unintended release of data, or the denial of service.
- The IHS shall establish access controls that limit or detect access to critical resources (e.g., data, files, application programs, and computer-related facilities and hardware) that help to prevent unauthorized modification, disclosure, loss, or impairment of data.
- The IHS shall have controls to prevent the implementation of unauthorized or risk-inducing programs or modifications to existing programs and, thus, the possible interruption of critical processes.
- As specified in the “HHS Automated Information Systems Security Program Handbook,” users shall be informed of the following:
  - The policy of permitting only authorized software on computers.
  - The possibility of receiving viruses and other malicious software from the Internet.
  - The use of virus scanning tools and their responsibility for regularly using these scanning tools.
  - How to handle and report suspected or actual viral infections.
  - Procedures for detecting viruses and limiting the spread of infection.
- All software and data imported onto computers through physical (e.g., floppy disks, tapes) or electronic means (e.g., e-mail, file transfer protocol, downloading from the Web) shall be scanned before the file is opened and read by the user; no file shall be opened prior to scanning.
- Through the use of Enterprise Infrastructure Management (EIM) tools, software configurations shall be scanned by the IHS on a daily basis to validate that no unauthorized software has been added to any computer or server, further reducing the likelihood of malicious software or virus introduction to the network. The IHS shall implement the EIM asset management program registry.
- The IHS shall employ the prevention technique of isolating or segmenting the network with firewalls to block unauthorized incoming traffic, direct incoming traffic, and protect vulnerable systems.
- Anti-virus software shall be installed at the network perimeters (e.g., entrances to the IHS, at the junctions between the IHS and the Internet, and at other locations if the sensitivity of data and risk of spreading a virus between sections of a network warrant it) and deployed to file servers, e-mail servers, and Internet gateways to limit the spread of viruses within the network. This virus checking shall allow centralized and/or localized virus scanning for an entire organization and reduce overhead by simultaneously scanning incoming messages that have multiple destinations. It also allows for the centralized administration of the virus scanning software, thus limiting the locations at which the latest virus scanning software needs to be maintained and updated.
- Detection. The IHS shall use anti-virus software to scan all incoming and outgoing e-mail messages, attachments, and files for viruses and other malicious software. The IHS shall scan in real time all network servers.
- The virus scanning software engine shall be updated as soon as the next update is available to maintain currency. The virus signature files shall be updated with the latest virus signatures within 24 hours of the manufacturer's release (or immediately, if needed for an emergency).
- Virus scanning results shall be logged, automatically collected, and audited by system administrators or security staff.
- If an unknown virus is discovered and no cleansing routine is available, the IHS system administrators shall isolate the virus and keep a copy for analysis.
- Any machine thought to be infected by an unknown virus with no known cleaning routine available shall immediately be isolated, and appropriate measures shall be taken to remove the virus. If necessary, the machine should be disconnected from all networks. If the virus cannot be removed, the machine shall remain disconnected from the network.
- Off-the-shelf virus scanning tools shall be used to remove a virus from an infected file, program, or storage media. If scanning tools still do not remove the virus and the scanning tool manufacturer cannot provide an update in a satisfactory timeframe, all software on the device shall be deleted including boot records. The software shall then be reinstalled from uninfected sources and re-scanned for viruses. All devices shall be carefully checked for suspected sources and locations of viruses, including any shared network services, programs, e-mail messages, and files. All devices shall be cleaned and re-scanned promptly upon discovery of a virus.
- All the steps taken to recover from a virus infection incident shall be documented. These steps shall be useful as a future reference in updating procedures and educating personnel.
- Reporting. Employees shall inform the system administrator or other designated staff immediately of any different or out of the ordinary behavior that a computer or application exhibits, or any virus detected.
- When informed that a virus has been detected and is likely to be widespread, the system administrator or other designated personnel shall inform all users who may have been exposed to the same programs or data that a virus may have infected their systems.
- After the confirmation of the existence of a widespread virus, the system administrator shall notify a predetermined list of Agency management and security personnel and potentially infected users of the steps necessary to determine if their system is infected and the steps to take to remove the virus.
- Information Systems Security Officers (ISSO) shall report any incidents to the Agency's senior ISSO and Chief Information Officer (CIO), and directly to the General Services Administration (GSA) Federal Computer Incident Response Capability as required by GSA.
- The IHS system administrators shall report the quantity and location of machines that bypass the virus scanning to the IHS senior ISSO. The IHS senior ISSO shall report this information to the IHS CIO.
- ENFORCEMENT OR PENALTIES. Any IHS employee, contractor, or user who does not abide by the policies and procedures set forth herein, shall be warned once about their non-compliance and upon repeated offense shall have their access to the IHS IT system denied. The security of IHS IT systems is only as strong as the weakest link. Willful disregard of security controls cannot be tolerated.
- RESPONSIBILITIES. Information systems security responsibilities and accountability shall be explicit. The responsibilities and accountability of owners, providers of information services, and users of computer systems and other parties concerned with the security of information systems shall be documented.
- Chief Information Officer. The IHS CIO is responsible for the following:
  - Monitoring and updating IHS security policies, standards, procedures, and architecture to enable better detection and response capability.
  - Notifying IHS ISSOs and coordinating responses for incidents that span more than one IHS geographical location.
  - Establishing and implementing policies, procedures, and practices to ensure that IHS systems, programs, and data are secure and are protected from unauthorized access that might lead to the alteration, damage, or destruction of automated resources; unintended release of data; and denial of service.
  - Ensuring all IHS employees and other users of IHS IT resources comply with this policy.
  - Ensuring IT security requirements, procedures, and practices are provided in computer security training materials.
  - Ensuring security awareness and training is mandatory for all personnel who use, operate, supervise, or manage computer systems.
  - Ensuring new employees receive orientation outlining their security responsibilities.
  - Ensuring program managers provide periodic security training (minimum of once a year) to their employees.
- Senior Information Systems Security Officer. The IHS senior ISSO is responsible for developing and disseminating information concerning the potential dangers from malicious software, guidelines for its control, and serving as a central point for incident reporting, handling, prevention, and recognition. In addition, the IHS senior ISSO shall promptly notify the IHS CIO and ISSOs of computer security incidents, including the presence of viruses.
- Information Systems Security Officers. The IHS ISSOs are responsible for the following:
  - Promptly notifying the IHS senior ISSO of computer viruses.
  - Ensuring appropriate procedures are implemented and instructions issued for the detection and removal of viruses.
  - Ensuring all IHS personnel are aware of this policy and incorporate it into computer security briefings and training programs.
  - Ensuring the anti-virus scanning software engine is updated as soon as the next update is available to maintain currency.
  - Ensuring the virus signature files are updated with the latest virus signatures within 24 hours of the manufacturer's release (or immediately, if needed for an emergency) for the detection and removal of malicious software.
  - Ensuring that when a virus infection is confirmed, the extent of contamination is determined.
  - Serving as the point-of-contact for their respective organizations for incident reporting and subsequent resolution.
- Supervisors and Managers. Supervisors and managers shall ensure their staff (Federal and contractor) are aware of their security responsibilities for preventing and reporting viruses, and receive periodic security training.
- Employees. Employees shall not disable or otherwise change anti-virus software on their workstation or other systems without specific authorization; shall comply with virus prevention activities; and report any suspected or actual viruses immediately to their helpdesk, system administrator, or other designated personnel. In recent years, there has been a proliferation of hoaxes disguised as virus warnings. These hoaxes are usually transmitted through e-mail and contain messages to send the alert to as many others as possible. They are NOT viruses, but may cause work disruption through false scares or represent a denial of service attack through their proliferation by overloading the e-mail system. All such "virus warnings" should be immediately reported to the system administrator or other designated personnel but not forwarded to others.