If a computer virus is detected

In the event a computer virus is detected on user workstations or agency servers, there are two immediate paths that the agency can pursue to effectively handle this situation:

  1. Seek guidance from a state, agency or department developed incident response plan and carry out procedures as outlined in that plan and ensure the potential virus is reported to the help desk or agency's incident response team immediately.
  2. If there is not a state, agency or department incident response plan, the agency should follow best practice and contain the virus by disconnecting the infected computer from the network, shutting down the system or disabling affected functions. This will ensure that the infected computer does not spread the virus to other computers on the network.
    • Validate the incident: The next step would be to analyze and validate the incident to determine the incident's scope, such as which networks, systems or applications are affected; who or what originated the incident; and how the incident is occurring (e.g., what tools or attack methods are being used, what vulnerabilities are being exploited). This should be performed by the agency's designated incident response team.
    • Perform a virus scan: This action could be accomplished by performing a virus scan with updated anti-virus software to ensure the software has the latest virus signature to identify the virus. This will help to identify the type and criticality of the virus that resides on the computer. The anti-virus software should have the capability to quarantine and/or delete the virus from the system. It is highly recommended that the computer be scanned once again prior to reconnecting it to the network. It is important for the incident response team to document all steps and actions taken and record all facts regarding the incident.

If there is unauthorized access

If it is suspected that the virus infection led to an attacker gaining unauthorized access to an agency system containing federal tax information (FTI), the agency should notify the Treasury Inspector General for Tax Administration (TIGTA) and the IRS Office of Safeguards. Current contact information for TIGTA is listed in Section 1.8.2 of IRS Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies.

At a minimum, the agency should take the following steps to help prevent future virus infections:

  1. Create an incident response policy if the agency does not already have one in place. The policy is the foundation of the incident response program and defines which events are considered incidents, establishes the organizational structure for incident response, defines roles and responsibilities and lists the requirements for reporting incidents.
  2. It is extremely important that users be provided guidance on what actions are required if a virus infection occurs on their computer because the users are the frontline, and improper handling of an infection could make a minor incident worse. Part of the policy should establish reporting procedures for end users to report potential incidents. The reporting mechanism could be a help desk phone number or an email address. End users should be educated as part of on-going security awareness and training on how to identify potential incidents, their responsibility for reporting potential incidents what information should be provided when reporting a potential incident.
  3. Ensure anti-virus software is installed and running on all hosts throughout the agency, and all copies are kept current with the latest virus signatures through automated signature updates.

The agency can follow guidance provided in the NIST Special Publication 800-61, Computer Security Incident Handling Guide, which outlines in greater detail the procedures for detecting and eradicating viruses and malicious code, and can serve as the basis for an agency incident response policy.

Resource