A massive virus attack hit the University of Exeter this month (Jan 2010), which resulted in the entire network being shut down. Zack Whittaker of ZDNET reported that the network was taken offline by both the virus and the network staff in an attempt to protect the infrastructure. The virus impact lasted days whilst staff tried to recover the situation. My interest in this event from a Service Management perspective was two-fold.
Firstly, the University stated that they believe the virus came from outside the network – either a staff or student PC.
University campuses are, of course, complex beasts and the IT teams who secure them can have a tough job. The problem is compounded by having a massive userbase of students who may plug their own devices into the network, or may show little care for the security of a communal computer and put it at unnecessary risk. You may have students who are using P2P file-sharing to download music, software, movies and games. Clearly some control is needed to restrict what programs can be run when connected to the network. The ITIL Service Design publication contains details of the Information Security Management framework which consists of five elements – control, plan, implement, maintain, security governance. It also describes the 5 different types of measures that need to be put in place depending on the importance attached to vulnerable information. These include preventative, reductive, detective, repressive, and corrective. The University appear to have reductive measures in place but the preventative measures are questionable.
Secondly, an internal email from the network security administration was quoted as saying, “This is what happens when software update service admins don’t auto approve”, which suggests that someone managing the network updates had not patched the exploitable computers with the appropriate fix. Another source stated that the virus hit a vulnerability in Windows Vista (MS09-050). A check on the Microsoft website shows that a patch for this was available in October 2009. This raises a concern not only around Information Security Management but, more so, around Change Management and Release Management.
If the University is reliant on an administrator remembering to approve a network update to remove a virus threat, then the Change Management system needs to be revised so that these activities are automated, and the Release Management process needs to ensure that the patches are applied to all the relevant devices. This of course assumes an accurate Configuration Management System so that the vulnerable devices can be easily identified. Uhmmmm. Maybe a blog for another day?
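The reconciliation described above, sketched as an added example that is not part of the original post: it compares a Configuration Management System export against an update-service report and a list of hosts seen on the network, flagging in-scope machines missing MS09-050, devices on the network that the CMS does not know about, and CMS records with no live device. All hostnames and records are constructed, the three data sources are hypothetical exports, and scoping to Windows Vista follows the post's wording.

```python
from dataclasses import dataclass

BULLETIN = "MS09-050"              # bulletin named in the post
AFFECTED_OS = ("windows vista",)   # assumption: scope taken from the post's wording


@dataclass(frozen=True)
class Device:
    hostname: str
    os: str


# Constructed sample data standing in for three hypothetical exports.
CMDB = [
    Device("lib-pc-01", "Windows Vista SP2"),
    Device("lab-pc-07", "Windows Vista SP1"),
    Device("staff-pc-12", "Windows XP SP3"),
    Device("kiosk-02", "Windows Vista SP2"),
]
# (hostname, bulletin) pairs the update service reports as installed.
PATCH_REPORT = {
    ("lib-pc-01", "MS09-050"),
    ("kiosk-02", "MS09-050"),
    ("lab-pc-07", "OTHER-BULLETIN"),   # placeholder for an unrelated update
}
# Hostnames observed on the network (for example from address-lease logs).
SEEN_ON_NETWORK = {"lib-pc-01", "lab-pc-07", "staff-pc-12", "student-laptop-3"}


def reconcile(cmdb, patch_report, seen, bulletin=BULLETIN, affected=AFFECTED_OS):
    """Return the three gaps that undermine release and configuration management."""
    known = {d.hostname.lower(): d for d in cmdb}
    installed = {host.lower() for host, b in patch_report if b == bulletin}
    in_scope = {h for h, d in known.items() if d.os.lower().startswith(affected)}
    seen = {h.lower() for h in seen}
    return {
        # Managed, affected OS, but no record of the fix being installed.
        "unpatched": sorted(in_scope - installed),
        # On the network but absent from the CMS: patch state is unknown.
        "unmanaged": sorted(seen - set(known)),
        # In the CMS but never seen: the record may be out of date.
        "stale": sorted(set(known) - seen),
    }


if __name__ == "__main__":
    for category, hosts in reconcile(CMDB, PATCH_REPORT, SEEN_ON_NETWORK).items():
        print(f"{category}: {', '.join(hosts) or 'none'}")
```

The "unmanaged" list is the one that corresponds to the staff or student PC in the first point: automated approval cannot reach a device the CMS has never recorded.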
Karen Ferris is a Director of Macanta Consulting and can be contacted at Karen.Ferris@macanta.com.au