IT Security Incident Response Plan

Published: September 24th, 2003

Category: Memos

Charles E. Frazier, Vice Provost for Information Technology

The UF IT Security Team has developed an incident response plan to protect the campus network, hosts, and data from the threat of an anticipated new worm that will exploit a vulnerability found in most Microsoft Windows operating systems. The details of the plan are not being published to this publicly archived list, but it is important that you be informed of the seriousness of this problem so that you can ensure appropriate action is taken by your IT staff.

The best defense is to patch vulnerable computers[1]. This is most important and should be your first action. Unfortunately, experience tells us that despite these alerts, not every computer will be patched. And, if that is the case and the worm finds a vulnerable host here, it will eventually find its way onto our network. Thus, it is critical that either all vulnerable computers in your unit are patched or that any unpatched computers are prevented from connecting to the network. In a worst case scenario, to prevent a worm from spreading throughout the network, we will have to block the infection vector – Windows NetBIOS network traffic. NetBIOS is the protocol that Windows uses for remote file and print services.

Filtering NetBIOS will not impact local file and print services, most email, web, or other non-Windows traffic. We understand that this may still severely impact the ability of many users to work, but the impact of a worm could be much more devastating, possibly destroying mission critical data or flooding network traffic, denying service to all users. We will of course avoid NetBIOS filters if we can determine an alternate vector to block. And if NetBIOS filters become necessary, we will do our best to minimize their duration by reducing our exposure. This brings us full circle to the action stated in the first sentence of this paragraph – please be proactive and patch all vulnerable computers. This is by far the easiest and most effective action you and we can take.

I appreciate your prompt attention to this problem. Others have learned the hard way what I hope we can avoid — namely, if we are unprepared, a worm could enter our network at any time.

[1] http://net-services.ufl.edu/security/public/worm-alert.shtml
