I just started last week as an IT manager for a small online college. Our employee network consists of about 50 clients, both VPN and local users. As the first day of my job went, I found no patch management in place and improper antivirus that had not been working for at least six months or longer. On day 2 I began a scan of all of my clients and found over 400 viruses, worms, and trojans on my network, not to mention spyware and adware galore. Obviously, our network has been owned by the bad guys for some time and all data on the network has been compromised.
I have two questions. Obviously, this network needs to be burnt and rebuilt. However, I can't seem to get upper management to see the urgency or direness of the situation. How does one get the message across to those in charge that we have a real situation on our hands?
Question 2: If the compromise has been around for so long, what can be done with the data at hand, since I obviously do not trust my back-ups either? How do I go about even starting to test the integrity of the data on the network?
In regards to your first question, try to document all the observations and scanning results. Create a matrix of data damage. Now, depending on the importance and sensitivity of the data, map it to the potential business value it holds. The matrix should also mention the time, effort and cost associated with dealing with such a situation versus the cost savings of using a proactive measure. Information is an asset and needs to be protected in the same manner as any other business asset. The availability and integrity of data is what matters in business, and if that's not there, business will fail to continue. In your case, a mere description of the damage should be enough to start raising red flags.
In regards to your second question, integrity means consistency, accuracy, and correctness of the data. Actually, your software must ensure data preservation, i.e., it must have mechanisms to ensure that the medium to which you are writing or backing up can preserve your data over a long period of time. In terms of archiving, one crucial element of any backup software is the verification or validation of two important stumbling blocks -- the backup archive and the medium of storage.
Now, obviously you can't go testing the integrity of the data until you get rid of all the viruses and other malicious code on your network. The first step is to patch all the servers, client PCs and devices with the latest security and product updates. Install antivirus software with the latest definitions to remove all the viruses and malicious stuff. Once you are done with this, run data integrity checks using tools provided by your vendors, or download one from the SecurityFocus or SourceForge site. They will help you in estimating the actual integrity status and data loss.
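A small baseline-and-verify tool in the spirit of the integrity checks mentioned above, added here as an example (it is not code from the original column or from any vendor tool): it hashes a known-good tree into a manifest, then reports which files in a restored backup were modified, are missing, or were never in the baseline. The directory layout and file contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Walk `root` and return {relative_path: sha256_hex} for every regular file."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest

def verify_against_manifest(root, manifest):
    """Compare a live tree (e.g. a restored backup) with a saved manifest.
    Returns sorted lists of modified, missing and unexpected paths."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }

def demo():
    """Constructed scenario: a known-good tree, then a restore that drifted from it."""
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as restore:
        for d in (good, restore):
            os.makedirs(os.path.join(d, "records"))
            with open(os.path.join(d, "records", "grades.csv"), "w") as f:
                f.write("student,grade\nalice,A\n")
            with open(os.path.join(d, "README.txt"), "w") as f:
                f.write("course archive\n")
        manifest = build_manifest(good)          # baseline taken from the trusted copy
        with open(os.path.join(restore, "records", "grades.csv"), "a") as f:
            f.write("mallory,A\n")               # content changed -> modified
        os.remove(os.path.join(restore, "README.txt"))  # file gone -> missing
        with open(os.path.join(restore, "records", "extra.bin"), "wb") as f:
            f.write(b"\x00\x01")                 # not in baseline -> unexpected
        return verify_against_manifest(restore, manifest)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Store the manifest somewhere the compromised hosts could not write to (offline media or a clean host) before restoring, otherwise the baseline is no more trustworthy than the data it is meant to check.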
This was first published in March 2007