Implementing Instant Policy Changes
Policy changes usually take weeks. The latest attacks, however, require a more immediate response.
April 9, 2004
Slipping Through the Cracks
The Bagle payload came within a password-protected archive-file attachment, which let it bypass our first level of defense--an e-mail gateway scanning/blocking appliance. And this worm had not yet been addressed by our desktop antivirus application vendor. Therefore, we needed to create our own solution.
Jon and Dirk were adamant that ACME should immediately implement a measure that would block password-protected archive files but let other archive files through. This meant we'd be blocking many valid, business-related archive attachments along with the infected ones. The valid files would be held in quarantine. Users would be notified that the files had been blocked and could be released through a call to the helpdesk.
The catch: This policy change could affect end-user productivity and, ultimately, business operations.
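The blocking rule Jon and Dirk pushed for, shown as an added example that is not the column's own code or ACME's gateway configuration: a ZIP entry is marked password-protected by bit 0 of its general-purpose flag, so a gateway filter can quarantine archives that set it while letting other archives through. The `build_zip` helper (which only sets the flag, applying no real encryption) and the decision to quarantine archives that fail to parse are assumptions made for this demonstration.

```python
import io
import struct
import zipfile
import zlib

ENCRYPTED_FLAG = 0x0001  # bit 0 of the ZIP general-purpose flag: entry is password-protected


def build_zip(name: bytes, data: bytes, encrypted: bool) -> bytes:
    """Constructed sample: a minimal single-entry ZIP (stored, no compression).

    When `encrypted` is True only the flag bit is set; the payload is left as-is,
    which is enough to exercise a gateway check that reads the flag and never
    needs the password. (Assumption: real mail would carry a real encrypted ZIP.)
    """
    flags = ENCRYPTED_FLAG if encrypted else 0
    crc = zlib.crc32(data) & 0xFFFFFFFF
    n = len(data)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                        crc, n, n, len(name), 0) + name + data
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0,
                          crc, n, n, len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def classify_attachment(blob: bytes) -> str:
    """Gateway decision for one attachment body.

    'pass'       - not a ZIP, or a ZIP with no password-protected entries
    'quarantine' - a ZIP with at least one password-protected entry, or a ZIP
                   the filter cannot parse (assumption: unparseable means held
                   for the helpdesk rather than waved through)
    """
    if not blob.startswith(b"PK\x03\x04"):
        return "pass"  # not an archive: outside the scope of this rule
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            # The central directory carries each entry's flag bits, so no
            # entry has to be extracted (or decrypted) to make the decision.
            for info in zf.infolist():
                if info.flag_bits & ENCRYPTED_FLAG:
                    return "quarantine"
            return "pass"
    except zipfile.BadZipFile:
        return "quarantine"


if __name__ == "__main__":
    for label, enc in (("plain archive", False), ("password-protected archive", True)):
        print(label, "->", classify_attachment(build_zip(b"contract.doc", b"body", enc)))
```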
I took a quick look at our employee handbook to be sure we'd reserved the right to block potentially harmful attachments--thank goodness, we hadn't been specific about attachment type. Still, I knew it would take time to get approval from upper management for the policy change we needed to make. I was fortunate to have the backing of our CIO, Steve Fox, who has made my job harder in other situations but, in an emergency, lets me shoot first and ask questions later. I wanted to empower my staff in much the same way. So I gave the go-ahead for the blocking change. Steve gave his OK, then expedited the approval process and monitored upper management for any red flags that might be raised.
Ready and Waiting
Approvals in hand, we informed our helpdesk staffers to prepare them for the inevitable onslaught of user calls. We sent out an e-mail message to tell all employees about the change, in layman's terms. And we updated our written security policies to reflect the new blocking policy.
Some of our users weren't exactly thrilled about the change. Our legal department, for example, receives most of its e-mail attachments in the password-protected archive file format, so those users suddenly found most of their files blocked. But once they understood the new policy and the reasons behind it, our users got into the habit of calling the helpdesk to retrieve valid files that were flagged and quarantined.
This latest attack was no picnic, but it did teach us several valuable lessons. First, don't expect systems, such as gateways and antivirus software, to catch every problem--they won't. Second, be willing to make policy changes on the fly--but only after assessing the potential impact on your users and your business. Third, empower your people to act swiftly in an emergency. This probably won't be the last time we'll have to react to an unanticipated threat. I just hope the process always goes as smoothly. Otherwise, we could be in real trouble.
Hunter Metatek is an enterprise IT director with 15 years' experience in network engineering and management. The events chronicled in this column are based in fact--only the names are fiction. Write to the author at [email protected].