Tuesday, May 16, 2017

Virus attack procedure

After our latest effort to prevent a virus attack, I have taken the following notes, which might be useful.

This is a first draft.

==================
ORGANIZATION PART:
==================

  • Choose someone to lead the event and give them the authority to do so: an Incident Manager profile. This person coordinates business information (goals, security, applications, etc.) with the technical part. They are responsible for sending emails to the business and for coordinating verifications. They should replace the massive email exchange with fewer, much more detailed messages.

  • Choose someone to coordinate the technical part (filter, sort and prioritize the information received). Keep a log. Communicate through a WhatsApp or Telegram group, a conference call, etc.


===============
TECHNICAL PART:
===============

Depending on the infrastructure, not all options are necessary.

[ ] FW / Anti-spam / IDS-IPS

                Apply the security rules recommended by the security department or by the solution's vendor. Filter URLs / IPs.

[ ] GPOs:
                ( ) Logon start information message
                    - Configuration:
                    - Result:

                ( ) Desktop background information message

                ( ) Lock screen information message
                    - Configuration:
                    - Result:

                ( ) Block "dangerous" executables

                ( ) GPOs prepared with WMI filters for each OS version, to distribute executables (shots, patches, etc.)

                ( ) Restrictions, blocking dangerous users.

[ ] NAS and file servers:
                Enable blocking of files with dangerous extensions using FRS.



[ ] Antivirus:
                Download and distribute the latest patterns.

[ ] DNS
                Create new DNS records for the kill switch.

[ ] Mail:
                Set up filters to block "dangerous" messages or attachments.

[ ] WSUS:
                Validate and distribute security patches.



[ ] Backup
                Take / plan backups of the most sensitive information.

[ ] Nessus / Nmap

                Run periodic scans to track the status of the alert.

[ ] Search and compare Internet documentation on the most effective ways to act on / prevent these incidents.

[ ] Review monitoring systems (Nagios, syslogs, Colasoft, IDS/IPS) to help identify outbreaks, problems or irregularities.

[ ] Identify key users who can help find or verify behaviors in business activities.

[ ] Provide email addresses and help phone numbers to users in case they can provide new information.
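As an added example of the "review monitoring systems to identify outbreaks" item (not part of the original notes): a small script that reads file-server audit lines in a syslog-like format and flags any user who writes an unusual number of files with a "dangerous" extension inside a short window. The log format, the extension list, the window and the threshold are assumptions chosen for the example; the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed "dangerous" extensions; tune the list to your environment.
DANGEROUS_EXT = {".wncry", ".locked", ".crypt", ".exe", ".js", ".vbs"}
WINDOW = timedelta(minutes=5)   # sliding window length
THRESHOLD = 20                  # dangerous writes per user within WINDOW

# Assumed line format: "<iso timestamp> <host> fileaudit: user=<u> op=<op> path=<p>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ fileaudit: user=(?P<user>\S+) op=(?P<op>\w+) path=(?P<path>.+)$"
)

def parse(line):
    """Return (timestamp, user, op, path) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["user"], m["op"], m["path"]

def is_dangerous(path):
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in DANGEROUS_EXT

def find_suspects(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {user: peak_count} for users whose dangerous writes/renames
    reach `threshold` inside any `window`-long span."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] in ("write", "rename") and is_dangerous(rec[3]):
            events[rec[1]].append(rec[0])
    suspects = {}
    for user, stamps in events.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):        # two-pointer sliding window
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            suspects[user] = peak
    return suspects

# Constructed sample: one account rewriting a share, one normal user.
SAMPLE_LOG = [
    f"2017-05-16T10:00:{i:02d} fs01 fileaudit: user=CORP\\jdoe op=write path=\\\\fs01\\finance\\q{i}.xlsx.wncry"
    for i in range(0, 60, 2)                     # 30 writes in one minute
] + [
    "2017-05-16T10:03:00 fs01 fileaudit: user=CORP\\asmith op=write path=\\\\fs01\\finance\\budget.xlsx",
    "2017-05-16T10:04:10 fs01 fileaudit: user=CORP\\asmith op=write path=\\\\fs01\\tools\\setup.exe",
]

if __name__ == "__main__":
    print(find_suspects(SAMPLE_LOG))             # {'CORP\\jdoe': 30}
```

The flagged user is a lead for the technical coordinator to verify with the key users, not proof of infection on its own.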

Once completed, it would be nice to have a standard form to produce a more detailed report of what happened, and another one with the checks.

Working to improve it...



by GoN | Published: May 16, 2017 | Last Updated:
