Request for Technical Assistance
Please provide guidance pertaining to the handling of a federal user's computer that could possibly be infected with a virus.
There are two immediate paths that the agency can pursue to effectively handle this situation:
- Seek guidance from an incident response plan developed by the state, agency or department and carry out the procedures outlined in that plan. Ensure the potential virus is reported to the help desk or the agency's incident response team immediately.
- If there is no state, agency or department incident response plan to follow, the agency should follow best practice and contain the virus by disconnecting the infected computer from the network, shutting down the system, or disabling affected functions. This prevents the infected computer from spreading the virus to other computers on the network. Where forensic analysis may be needed (for example, if unauthorized access to agency data is suspected), prefer disconnecting from the network over powering off, since shutting down destroys volatile evidence such as running processes and active network connections. The next step is to analyze and validate the incident to determine its scope: which networks, systems, or applications are affected; who or what originated the incident; and how the incident is occurring (e.g., what tools or attack methods are being used and what vulnerabilities are being exploited). This should be performed by the agency's designated incident response team. As part of this analysis, scan the computer with anti-virus software that has the latest virus signatures, so that the virus can be identified and its type and criticality determined. The anti-virus software should be able to quarantine and/or delete the virus from the system. It is highly recommended that the computer be scanned again, and found clean, before it is reconnected to the network. The incident response team must document every step and action taken and record all facts regarding the incident.
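The containment, scanning, rescanning and documentation steps above, written out as a script for a Windows host running Microsoft Defender. This is an added example, not part of the original guidance and not an IRS or NIST tool; it assumes an elevated PowerShell session at the local console, and the evidence folder path, case ID format and one-day signature-age threshold are assumptions chosen for illustration.

```powershell
# Added example (not from the original page): contain and triage a suspected
# malware infection on a Windows host with Microsoft Defender, recording every
# action for the incident file. Run locally and elevated: disabling the network
# adapters will drop any remote session.
#Requires -RunAsAdministrator

param(
    [string]$CaseId = ("IR-{0:yyyyMMdd-HHmm}" -f (Get-Date)),
    [string]$EvidenceRoot = "C:\IR"   # assumed location for the incident record
)

$case = Join-Path $EvidenceRoot $CaseId
New-Item -ItemType Directory -Path $case -Force | Out-Null
# Everything typed and returned from here on is captured in the transcript,
# which becomes the documentation of steps taken that the procedure requires.
Start-Transcript -Path (Join-Path $case "actions.log") -Append

try {
    # 1. Capture volatile state BEFORE isolating or powering off. Active
    #    connections and running processes vanish on shutdown and are the
    #    fastest way to see what the malware is doing and talking to.
    Get-NetTCPConnection -State Established |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
        Export-Csv (Join-Path $case "connections.csv") -NoTypeInformation
    Get-Process | Select-Object Id, ProcessName, Path, StartTime |
        Export-Csv (Join-Path $case "processes.csv") -NoTypeInformation

    # 2. Contain: take every active adapter down so the host can no longer
    #    reach other agency systems or an attacker's server.
    Get-NetAdapter | Where-Object Status -eq 'Up' |
        Disable-NetAdapter -Confirm:$false

    # 3. Confirm the scanner has current signatures. The host is now offline,
    #    so stale signatures must be refreshed from an offline definition
    #    package or a trusted internal update server, not the Internet.
    $status = Get-MpComputerStatus
    $sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
    "Signature version {0}, {1:N1} days old" -f $status.AntivirusSignatureVersion, $sigAge.TotalDays
    if ($sigAge.TotalDays -gt 1) {   # assumed freshness threshold
        Write-Warning "Signatures are stale; apply an offline definition update before trusting the scan result."
    }

    # 4. Full scan, record what was detected, then remove anything still active.
    Start-MpScan -ScanType FullScan
    Get-MpThreatDetection |
        Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources, ActionSuccess |
        Export-Csv (Join-Path $case "detections.csv") -NoTypeInformation
    Remove-MpThreat

    # 5. Rescan before the host is even considered for reconnection. Anything
    #    still active after remediation means the host is not clean: keep it
    #    isolated and escalate (a rebuild is the usual outcome at that point).
    Start-MpScan -ScanType FullScan
    $remaining = Get-MpThreat | Where-Object IsActive
    if ($remaining) {
        Write-Warning "Active threats remain after remediation; do NOT reconnect. Escalate to the IR team."
        $remaining | Format-Table ThreatName, SeverityID -AutoSize
    } else {
        "Second scan clean. Reconnection may be authorized by the incident response team."
    }
}
finally {
    Stop-Transcript
}
```

The ordering matters: volatile data is captured first because both network isolation and shutdown discard it; the signature-age check is there because a scan with old signatures gives a false sense of a clean host; and the second scan gates reconnection rather than the first, matching the recommendation above. The transcript plus the CSV files form the written record the incident response team is required to keep.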
If it is suspected that the virus infection led to an attacker gaining unauthorized access to an agency system containing federal tax information (FTI), the agency should notify the Treasury Inspector General for Tax Administration (TIGTA) and the IRS Office of Safeguards. The TIGTA hotline for incident reporting is 1-800-366-4484, and can also be found in the IRS Publication 1075.
At a minimum, the agency should take the following steps to help prevent future virus infections:
- Create an incident response policy if the agency doesn't have one already. The policy is the foundation of the incident response program and defines which events are considered incidents, establishes the organizational structure for incident response, defines roles and responsibilities, and lists the requirements for reporting incidents.
- It is extremely important that users be given guidance on what to do if a virus infection occurs on their computer, because users are the front line, and improper handling of an infection can turn a minor incident into a serious one. As part of the policy, establish reporting procedures for end users to report potential incidents. The reporting mechanism could be a help desk phone number or an email address. End users should be educated, as part of ongoing security awareness and training, on how to identify potential incidents, their responsibility for reporting potential incidents, and what information should be provided when reporting a potential incident.
- Ensure anti-virus software is installed and running on all hosts throughout the agency, and all copies are kept current with the latest virus signatures through automated signature updates.
The agency can follow guidance provided in the NIST Special Publication 800-61, Computer Security Incident Handling Guide, which outlines in greater detail the procedures for detecting and eradicating viruses and malicious code, and can serve as the basis for an agency incident response policy.