A process for damage control in your Exchange/Outlook environment
As a network administrator, you can't describe the funny feeling you get in your stomach when your pager begins to beep again and again while you simultaneously hear your name called over the public address system and notice that all your users have the same email message on their screen that you're seeing on CNN. Welcome to another email worm outbreak.
Odds are, your antivirus software vendor doesn't have an updated signature file, or if the vendor does, its Web site is so overloaded with requests that the result is the same. Few network problems put the spotlight on you, your preparation, and your problem-solving abilities like a widespread email attack. Depending on how you handle the crisis, you can look as smooth as Sherlock Holmes or as bumbling as Inspector Clouseau. Because 80 percent of email outbreaks are related to Microsoft Exchange Server/Microsoft Outlook combinations, I offer some specific advice for reacting to an email worm outbreak on that platform.
Report the Outbreak to a Leader
No matter how an email outbreak is initially discovered, the first IT team member to hear about it needs to alert the team leader, who in turn alerts the other team members and gathers an eradication team. Make sure you have a communication method in place that an email attack won't affect. Because so many people now have cell phones and pagers that can accept email messages, attacks can often overwhelm mobile devices and networks quickly. When the VBS.LoveLetter email worm first hit the United States, my pager stopped working within minutes and my cell phone wasn't operational for 6 hours. Discuss backup communication methods ahead of time, such as overhead paging, private instant-messaging channels, and prearranged land-based phone numbers. Less technology usually wins in these instances.
Collect Initial Facts
As the eradication team gathers, team members need to begin to share what they know about the email attack. Where did it first appear? How long has it been spreading? Does it modify local files? Begin to collect the facts necessary for an initial understanding.
Minimize the Attack's Spread
After you've collected the initial facts, immediately take steps to minimize the spread. These steps can include disabling the email servers and Internet access. On an Exchange server, you can stop the Internet Mail Service (IMS), Message Transfer Agent (MTA), and any other email connector services. If the email worm uses its own SMTP engine to spread, disable Internet access. If malicious code is actively modifying or destroying files on a file server, disconnect users and disable logons. If the attack is bad enough, consider powering down servers and workstations. Make sure you keep track of which computers and services you're disabling so that you can bring them back up later. To minimize spread, you might also want to block certain firewall ports on internal or demilitarized zone (DMZ) firewalls (e.g., port 80 for HTTP, port 25 for SMTP). Blocking firewall ports is also important for protecting against "reentry" from the Internet.
Notify end users about the threat. Make sure the word gets out to all end-user departments about the email worm or virus outbreak. Contact other team leaders, and use voicemail or the public address system to spread the word. As low-tech as it might sound, posting paper signs on entrance doors and in common work areas that describe the problem and what users need to do is a good way to notify users. In a crisis, simple is always better. Also, don't forget these steps:
- Contact remote offices.
- Be sure to let senior managers know what's going on so that they don't get blindsided.
- If the email attack spread from your company to other companies before you could stop it, communicate with those companies as well.
Be Detailed and Collect More Facts
By now, you should have the email worm or virus contained and have taken steps to prevent further damage. The whole team should have gathered and discussed the problem. Now, you can determine the extent of the damage. How widespread is it? How many PCs did the attack affect? How many departments did the attack hit?
Finding out who isn't infected is as important as finding out who is infected. If the attack has affected every machine but one in a particular department, find out what's unique about that user or machine (e.g., the user didn't open the infected email, the machine has the latest service patch installed). A particular workstation component might have prevented the email worm from spreading.
If your antivirus tools should have prevented the attack, figure out why and how the worm got past them. Does the subject line or attachment name of the infected email stay the same from copy to copy? If not, do the changes show a pattern?
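The fact-collecting questions above (who is sending the worm, who isn't, and whether the subject or attachment changes follow a pattern) can be answered from the mail server's message-tracking log. The following is an added example, not code from the original article: it reads a constructed, simplified tab-separated tracking log (real Exchange tracking logs carry more fields, but the analysis is the same), separates worm traffic from normal mail by recipient count, and reports infected versus clean workstations and the invariant behind the varying attachment names. The hostnames, subjects and attachment names are made up for the example.

```python
import os
from collections import Counter

# Constructed sample log: time, sending workstation, recipient count,
# subject, attachment (tab-separated). Not real Exchange output.
SAMPLE_LOG = """\
09:01:12\tWS-ACCT-01\t48\tRe: meeting notes\tnotes.doc.vbs
09:01:40\tWS-ACCT-02\t52\tRe: meeting notes\tnotes.doc.vbs
09:02:05\tWS-ACCT-03\t47\tYour invoice\tinvoice.txt.vbs
09:02:33\tWS-ACCT-02\t51\tParty photos\tphotos.jpg.vbs
09:03:10\tWS-HR-01\t1\tRe: budget\tbudget.xls
"""

# Inventory of workstations in the affected departments (assumed).
ALL_HOSTS = {"WS-ACCT-01", "WS-ACCT-02", "WS-ACCT-03", "WS-ACCT-04", "WS-HR-01"}


def parse_log(text):
    """Turn the tab-separated log into a list of dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, host, rcpts, subject, attachment = line.split("\t")
        records.append({"time": when, "host": host, "rcpts": int(rcpts),
                        "subject": subject, "attachment": attachment})
    return records


def find_outbreak(records, all_hosts, mass_mail_threshold=20):
    """Flag mass-mailings (recipient count over the threshold) as worm traffic,
    then report who is sending it, who is not, and what stays constant."""
    worm = [r for r in records if r["rcpts"] >= mass_mail_threshold]
    infected = {r["host"] for r in worm}
    subjects = Counter(r["subject"] for r in worm)
    attachments = Counter(r["attachment"] for r in worm)
    # Even when names vary, the final extension is usually the invariant
    # worth blocking; also count double extensions (e.g. name.doc.vbs).
    extensions = {os.path.splitext(r["attachment"])[1].lower() for r in worm}
    double_ext = sum("." in os.path.splitext(r["attachment"])[0] for r in worm)
    return {
        "infected": infected,
        "clean": all_hosts - infected,
        "subject_is_constant": len(subjects) == 1,
        "attachment_is_constant": len(attachments) == 1,
        "common_extensions": extensions,
        "double_extension_count": double_ext,
        "subjects": subjects,
        "attachments": attachments,
    }


if __name__ == "__main__":
    for key, value in find_outbreak(parse_log(SAMPLE_LOG), ALL_HOSTS).items():
        print(f"{key}: {value}")
```

The clean set is the list of machines to examine for what protected them, and the common extension is what to filter at the Exchange connector or gateway until signatures arrive.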