Computerworld - A virus incident this week caused me a bit of anxiety about my last big undertaking. But once the infection was under control, it got me thinking about a pending project and the need to get it funded.
My anxiety arose from the timing of the incident: On Monday, we had 65 desktops infected with a variant of a well-known virus. Monday was the first workday after Friday evening, which is when we had installed a Multiprotocol Label Switching (MPLS) network circuit between our company’s corporate network and the 200-person remote office of a company that we recently acquired.
The reason my jaw dropped to the floor upon learning about this incident was that I had authorized the MPLS connection. If an infected desktop at the acquired company was the source of this propagation of malicious code, it wouldn’t be good for me. Prior to the authorization, I had completed a security assessment, and one of its main purposes was to ensure that after connecting our two offices, we wouldn’t become infected by a virus lurking within the acquired company’s network. Naturally, I couldn’t help but see direct cause and effect in this situation.
Fortunately, the infection was pure coincidence, and we quickly quarantined the infestation. I have a really good incident response process in place to deal with viruses and worms. We were able to conduct some forensics on the virus and then send that information to Trend Micro, which in turn created an interim detection and removal tool for us. The tool was quickly installed on the infected desktops, and we were able to stop the propagation. As standard practice, we also blocked the ability of this variant to communicate with an external Web site by putting the URL on our Web caching gateways, thus preventing any infected resources from trying to “call home.”
So, if the MPLS circuit wasn’t to blame, what was? The source, we think, was a vendor’s laptop. That’s the problem I’m going to need more funds to address. And the problem isn’t just that rogue laptops can introduce viruses. The problem is that our network is very flat, and visitors who connect to it will find little to stop them from accessing our intellectual property.
We have a policy banning vendor representatives from connecting to our network. But the ban is regularly violated, and until I can get the company to invest in Cisco’s Network Admission Control or a similar technology, rogue laptops will continue to be a risk. Eventually, when the network team completes the upgrade of our network, I’ll be able to mandate segmentation, with our internal desktop network clearly separated from public areas like conference rooms, which should be authorized for limited Internet access only.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
