
Fun and games with malware

Zero days to infect, but a day and a half to fix

Over the last couple weeks, we've had some interesting security challenges here at my company. Policy compliance has been keeping me busy, and if that weren't enough, we've been having more fun with viruses.

I've developed a bunch of security policies, and have had good success with getting executive sign-off. That's the good news. But rolling out new security policies can be a challenge because they represent change, and change can be hard for companies. Fortunately, many of the things our policies say are things we are already doing, but there are some things that we will need new tools, technologies or processes to do.

One change that is particularly controversial is an automated screen lock on our Windows systems. I know what you're thinking: How could that be controversial? Isn't it something that everybody does? Not in my company. Here, people aren't used to having to type in a password when they want to use their computer. Now I'm telling them they will have to if they've left their computer unattended for 10 minutes. In my mind, that's plenty of time for someone casually walking by to gain access to anything on the computer. In fact, a few people in my company agree and have suggested that five minutes would be more appropriate. But others think 20 minutes is better, so 10 minutes is the compromise.

The main resistance is from our salespeople. They don't want their screens locking during PowerPoint presentations, fearing that the delay and inconvenience could cost sales. Personally, I think the lockout would make a good impression on customers, showing how diligent we are about security. But not everyone agrees. And in the Windows world, it's one setting for all users. It's not possible to make exceptions or to provide different settings for different groups, and it's also impossible to change or disable this setting while a PowerPoint presentation is in progress.

So, I'm moving forward with enforcing the 10-minute timeout policy, and we will have to deal with the difficulties. I prefer that my security decisions have a minimal negative impact on the business, but sometimes we have to make trade-offs. I guess the sales staff will just have to move the mouse once in a while.

I'm making a lot of progress here, but have been slowed down lately by viruses. I recently wrote about an outbreak of Conficker, which caused havoc on our computers. Since then, our IT team has made great progress in patching our end-user systems and making sure antivirus is installed and up to date everywhere. So, imagine my surprise when we got hit again - this time by a zero-day outbreak!

Despite having all Windows updates installed on our systems and fully updated antivirus software, we were hit by new malware. Within a few hours it spread completely throughout our company and essentially caused work to stop entirely. This was really a worst-case scenario. My team got on the phone with our antivirus company's support line to ask for help but got stuck on hold for three hours before reaching an engineer.

We had to submit samples of the malware to the vendor's website, but they could only promise a 48-hour turnaround for a signature update that would solve our problem. In the end, we got our update in about 24 hours, but we were still down for a day and a half before the outbreak was fully cleaned.

I wish I could learn something from this experience, but the only thing I can think of is: Don't get hit by a zero-day outbreak. And that looks like wishful thinking.


