Virus Reporting (Stand-Alone Systems)

A computer virus infection is a reportable security incident. Department of the Navy (DON) policy requires that each computer security incident be reported by the NRL IS Security office to the Naval Computer Incident Response Team (NAVCIRT) as soon as possible.

If a virus or a suspected virus is detected by a user at NRL, take the following actions:

1. Notify your IS System Manager and the IS Security Office of the infection and take the necessary actions to minimize the spread of the virus within your activity.

2. Notify all activities that may have received infected diskettes or network files from your activity. Everyone concerned must know about the virus so that it may be stopped and removed.

3. If possible, capture samples of the virus(es) on diskette (no more than 1 diskette per virus). Forward them, with the information in paragraph 5 below, via your ISSM to the NRL IS Security Office for analysis.

4. Use Toolbox or commercial antiviral software to remove the infection.

5. Provide the following information to NRL IS Security via your ISSM.

a) Name of the virus
b) How the virus was first detected and identified
c) Damage or observations resulting when the virus triggers
d) Damage caused to your systems, if any
e) Source of the virus, if known
f) Other locations, within or outside of your activity, possibly infected as a result of sharing infected media or files
g) Number and types of systems infected (i.e. hard disks and servers)
h) Number of floppy diskettes infected (approximate)
i) Method of clean-up (removal software, format disk, etc.)
j) Number of work hours expended to remove the infection (approximate)
k) Your name, phone and location

The IS Security Office will make an immediate and thorough investigation of all virus infections reported.

Virus Prevention

Scan all disks before they are used. Be cautious of all newly acquired software. Check new software for infection before it is run for the first time. Never boot from an unprotected diskette. Back up files and programs. Watch for unusual operation indicators. Use virus detection software.

Network Virus Protection

Networks at greatest risk of virus-like infections (worms, etc.) are those whose users run UNIX and PC-DOS, loosely administered networks, networks which permit dial-up access, homogeneous networks where most systems employ the same operating systems or hardware, and open networks which allow any organization to be connected. Defense organizations such as NRL need to be concerned not only because of the potential damage a virus might cause, but also because of potential news media attention and organizational oversight.

Network Protection Precautions

System administrators can take a number of steps to minimize the potential for a virus attack.

1. Change passwords frequently
2. Prohibit the introduction of any unapproved software
3. Continuously monitor and investigate performance utilization changes or other unusual activities
4. Continuously update and maintain access controls and integrity measures
5. Maintain updated program and operating system access
6. If possible, restrict write access to particular data objects on an individual basis
7. Train users to report unusual behavior or results immediately
8. Ensure remote diagnostic lines are only connected when needed
9. Set system software defaults in positions which reduce potential security vulnerabilities

Incident Response Activities (Network Virus/Worm Attack)

Although NRL is seldom the identifying organization, incidents involving self-replicating computer viruses in computer systems and networks have underscored the need for NRL-wide coordination and support. When a network virus is discovered on Milnet, Arpanet, or NSFnet, the Naval Computer Incident Response Team (NAVCIRT) will immediately advise all Navy organizations of its existence and suggested actions.

The IS Security Group will work closely with other federal agencies to coordinate identification and response efforts when acute computer network security incidents of this type are detected. The group will ensure suggested NAVCIRT corrective actions are implemented. Upon initial discovery of a previously undetected network-related virus infection, the ADP Security Office will contact NAVCIRT immediately to formulate a combined response.