Follow this six-step malware response plan
遵循六步恶意软件响应计划
by Michael Mullins CCNA, MCP
作者:Michael Mullins
翻译:endurer
Tags: Security threats | Viruses and worms | Spyware/adware | Security management
标签:安全威胁 | 病毒和蠕虫 | 间谍软件/广告软件 | 安全管理
Takeaway: Sometimes all the preventive care in the world won't protect your systems from the inevitable malware infection. What's the best way to handle it? According to Mike Mullins, an effective malware response plan includes these six steps.
导读:有时尽力预防并不能保护系统免受不可避免的恶意软件的影响。最好的处理方法是什么呢?在Mike Mullins看来,一个有效的恶意软件响应计划包括这六个步骤。
As security administrators, we try to be as proactive as possible?a href="http://articles.techrepublic.com.com/5100-1009_11-6106911.html" target="_blank">applying patches and updates, conducting penetration testing, and establishing usage policies. Unfortunately, sometimes all the preventive care in the world won't protect your systems from the inevitable infection梑e it virus, worm, or some other form of malware.
做为安全管理员,我们尽可能地前摄——应用补丁和更新,举行渗透测试,建立使用策略。不幸地是,有时尽力预防并不能保护系统免受无法避开的恶意软件的影响——这可能是病毒,蠕虫,或其它形式的恶意软件。
《enduer注:1。in the world:究竟,到底
you don't have a care in the world. 你不知人间烦恼为何物》
I've written before about the importance of creating an incident response policy, and I've told you specific steps to take in response to a security incident. But security incidents can vary widely in size and target. While it's imperative to have an overall policy in place, an actual incident response plan should depend on the actual event.
之前我已经写了创建事故响应策略的重要性,并且已经告诉你们响应安全事故采取的特定步骤。但安全事故的大小和目标可能大幅变动。尽管在适当的位置有全面策略是急需的,一个真实的事故响应计划要随一个真实的事故而定。
《enduer注:1。in place:在适当的位置》
Case in point: The growing threat of malware infections. A malware incident response plan is not one that should focus on an active attack; instead, it needs to concentrate on the payload left behind on your systems.
例证:正在增长的恶意软件感染的威胁。一个恶意软件事故响应计划并非关注某个主动攻击,而是要致力于系统留下有效负载。
《enduer注:1。Case in point:例证
2。concentrate on:集中在(专心于)
3。left behind:遗留(留下)》
What is malware?
恶意软件是什么?
Malware is malicious code or software secretly inserted into a system to compromise the confidentiality, integrity, or availability of the data or applications residing on the network. Malware incidents can cause extensive damage and disruption to a network, and they require costly efforts to restore system security and user confidence.
恶意软件是秘密地插入系统、危及网络中的数据或应用程序的保密性,完整性或可用性的恶意代码或软件。恶意软件事故可对网络造成大范围的危害和分裂,并且需要极大的努力来恢复系统安全和用户信任.
《enduer注:1。insert into:把...写入;扎入;插入》
We can separate malware threats into five broad categories. Here's a quick overview:
我们可以将恶意软件威胁分成5大类。简概如下:
- Viruses: Self-replicating code inserts copies of the virus into host programs or data files. Viruses can attack both operating systems and applications.
病毒:自我复制代码插入宿主程序或数据文件。病毒可攻击操作系统和应用程序。
- Worms: A self-replicating, self-contained program executes without user intervention. Worms create copies of themselves, and they don't require a host program to infect a system.
蠕虫:一个执行时无需用户介入,自我复制的独立程序。蠕虫创建自身拷贝,并且它们不需要宿主程序来感染系统。
《enduer注:1。self-contained: 设备齐全的, 独立的, 沉默寡言的》
- Trojan horses: This self-contained, non-replicating program appears to be benign, but it actually has a hidden malicious purpose. Trojan horses often deliver other attacker tools to systems.
特洛伊木马:这是独立的,非自我复制程序,表面良好,但实际具有隐藏的恶意目的。特洛伊木马通常释放其它攻击工具到系统。
- Malicious mobile code: This software with malicious intent transmits from a remote system to a local system. Attackers use it to transmit viruses, worms, and Trojan horses to a user's workstation. Malicious mobile code exploits vulnerabilities by taking advantage of default privileges and unpatched systems.
恶意传播代码(恶意移动代码):从远程系统传染到本地系统的有恶意企图的软件。攻击者使用它来传输病毒,蠕虫和特洛伊木马到用户的工作站。
- Tracking cookies: Accessed by many Web sites, these persistent cookies allow a third party to create a profile of a user's behavior. Attackers often use tracking cookies in conjunction with Web bugs.
Tracking cookies:由一些网站访问,这些永久cookies允许第三方创建用户行为文件。攻击者通常将tracking cookies与网站bugs配合使用。
《in conjunction with:连同(共同,与-协力,连带着)》
These are the main categories of the malware threats threatening your users and your network. What happens when they succeed? An effective malware response plan includes these six steps:
这些是威及用户和网络的恶意软件威胁的主要类型。它们成功时会发生什么呢?一个有效的恶意软件响应计划包括这6个步骤:
- Preparation: Develop malware-specific incident handling policies and procedures. Conduct malware-oriented training and exercises to test your policies and procedures. Determine whether your procedures work before you actually have to use them.
预防:开始特定恶意软件事故处理策略和过程。举行针对恶意软件的培训和训练来测试策略和过程。在实际使用他们之前判断你的过程是否工作。
- Detection and analysis: Deploy and monitor antivirus/anti-spyware software. Read malware advisories and alerts produced by antivirus/ anti-spyware vendors. Create toolkits on removable media that contain up-to-date tools for identifying malware, examining running processes, and performing other analysis actions.
检测和分析:部署和监视抗病毒/抗间谍软件。阅读病毒/抗间谍软件提供商的恶意软件建议和警告。创建包含最新识别恶意软件,检验运行中的进程,和执行其它分析活动的工具的工具包或移动媒介。
《enduer注:1。up-to-date:最新的,现代的》
- Containment: Be prepared to shut down a server/workstation or block services (e.g., e-mail, Web browsing, or Internet access) to contain a malware incident. Decide who has the authority to make this decision based on the malware activity. Early containment can stop the spread of malware and prevent further damage to systems both internal and external to your network.
控制:为关闭服务器/工作站或封锁服务(例如电子邮件,网页浏览或Internet访问)作好准备,以控制恶意软件事故。决策者基于恶意软件活动作出决策。及早控制可停止恶意软件传播和预防对网络内部和外部的更大危险。 《enduer注:1。Be prepared to:准备》
- Eradication: Be prepared to use a variety of eradication techniques to remove malware from infected systems.
根除:准备使用各种根除技术来移除被感染系统中的恶意软件。
《enduer注:1。a variety of:种种(若干,各种)》
- Recovery: Restore the confidentiality, integrity, and availability of data on infected systems, and reverse containment measures. This includes reconnecting systems/networks and rebuilding compromised systems from scratch or known good backups. The incident response team should assess the risks of restoring network services, and this assessment should guide management decisions about restoration of services.
恢复:恢复被感染系统中数据的保密性,完整性和可用性,并翻转封闭措施。这包括重新连接系统/网络和从受损处或好的备份中重建受损系统。事故响应团队要评估恢复网络服务的风险,并且这个评估要指导管理者对恢复服务的决定。
- Report: Gather the lessons learned after each malware incident to avert similar future incidents. Identify changes to security policy, software configurations, and the addition of malware detection and prevention controls.
报告:在每一次恶意软件事故后收集教训以避免未来的类似事故。认定安全策略、软件配置和恶意软件检测和防御控制的改变。
Final thoughts
结束语
When it comes to responding to a malware incident, you can deploy all the detection and monitoring tools on the planet, but you still have to get your users involved! Educate your users on how to identify infections, and teach them the steps to take if their system becomes infected.
当提到对恶意软件事故的响应时,你可以在全球布置所有检测和监视工具,但你仍会有用户被卷入!教育用户如何鉴别感染,并教他们如果系统被感染时应采取的步骤。
《enduer注:1。when it comes to:当提到...;就...而论》