Sunday, March 15, 2009


I have briefly mentioned Mass Casualty Incidents in the past. It's time to delve into this a little and see where we end up. I'll likely spread this out over a few posts.

One of the most widespread diseases in existence is malaria. There are an estimated 200 to 300 million cases worldwide each year, and 2-3 million of those result in death. There is currently no vaccine.

Let's focus on malaria for the time being. Malaria is primarily spread by female mosquitoes, which pass a parasite to the victim: a mosquito attaches itself to a victim and injects saliva into the wound to keep the blood from clotting and to keep it flowing. There are areas of the world where mosquitoes are highly prevalent, and these are also the places with high infection rates.

Wait a second. Let's summarize. An infectious disease, spread worldwide, causes death, and there is no vaccine, only treatment?

Sounds a bit like a malware infection, or rather a malware outbreak, doesn't it? What if I were to tell you this is like the USB malware infections that spread all over and caused the military to take the draconian approach of banning USB keys?

I say this quite a bit, but the best way to master your field is to study the methods used in other fields. For an outbreak of this nature I refer to the treatment and prevention of malaria.

Think about it. Infected USB media are exactly like mosquitoes: they carry a parasite and infect computers by injecting the executable referenced in their autorun files.

Let me spell this out for you. When you're faced with a transient population in the tens of thousands and a computer population of twice that number, and you have malware that spreads from one population to the other, what do you do? That is to say, you've got mobile people with infected USB keys and systems that are either infected or about to be infected.

Think malaria. Kill the mosquitoes, inoculate and protect the uninfected, treat the infected. Unfortunately this is a problem. Ever tried to track down thousands of USB keys? How do you get hold of the USB keys? How do you kill the infection on them?

The answer is obvious: you can't track them down. So let's focus on the second and third problems. The solution, as is often the case, presented itself.

In a highly distributed and decentralized environment (as many large organizations are), what needs to occur? Coordination, Communication, Information. This is step 1. Without this, everything else fails.

Consider calling an emergency gathering of key staff to establish the process and procedure for dealing with the threat. Once the scope of the threat is conveyed, the action plan is established and off you go. Instructions and ideas get shared, and the uninfected population is already in the process of being further protected by local IT staff.

What about the infected and the unknown?

In the digital world, you can't kill USB keys by spraying them with repellent and other chemicals, and you can't compel tens of thousands of people to turn over their USB keys. But you can establish a triage center for the people in possession of them and ask them to bring them in. There are two problems with this approach.

1) Scope of population. There is of course a realization that not all USB keys will be accounted for, but through the coordination of efforts to inoculate and protect the uninfected while treating the infected, an intersection occurs whereby both populations get protected and treated.

2) Laziness. People will not go out of their way to get a flu shot, and they will not go out of their way to get their USB key checked. So, do what the medical field does: establish triage centers in multiple, high-traffic areas.

So just what is a triage center for USB keys? It consists of uninfectable systems (Mac and/or Linux systems) and scripts to detect infected USB keys. Simply have an individual insert their USB stick, and within seconds you know if you've got an infection. Then you inoculate the USB stick and make changes to attempt to prevent a recurring infection. In addition, you provide the person with the equivalent of a flyer that has detailed instructions to follow to inoculate their computer and prevent infection.
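What such a triage-desk script can look like, as an added example that is not from the original post: it parses the stick's autorun file (the mosquito's "parasite" reference from earlier in the post), resolves the executable the file would launch without ever running it, hashes that file so the sample can go to the analysts, and then quarantines both pieces and leaves a directory named autorun.inf on the stick, a commonly used hardening step (an assumption here, not something the post prescribes) that keeps a dropped autorun.inf file from silently taking its place. The mount path, the quarantine location and the sample stick built by `build_sample_volume` are all constructed for the example.

```python
"""Triage-desk script for USB sticks (added example, not from the original post).

Assumes a Linux/Mac station with the stick mounted read-write; nothing on the
stick is ever executed, only read, hashed and moved.
"""
import hashlib
import os
import re
import shutil
import tempfile

def parse_autorun(text):
    """Return the [autorun] section as {lower-cased key: value}."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def is_exec_key(key):
    """Keys whose value names a program Windows would launch on insert or open."""
    return key in ("open", "shellexecute") or (key.startswith("shell") and key.endswith("command"))

def first_token(value):
    """The program path from a command line: the quoted string or the first word."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""

def resolve_ci(root, relpath):
    """Resolve a Windows-style relative path under root, case-insensitively (as FAT does)."""
    cur = root
    for part in re.split(r"[\\/]+", relpath):
        if part in ("", "."):
            continue
        try:
            match = next(n for n in os.listdir(cur) if n.lower() == part.lower())
        except (OSError, StopIteration):
            return None
        cur = os.path.join(cur, match)
    return cur

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_volume(mount):
    """Inspect a mounted stick and return findings without running anything on it."""
    report = {"autorun": None, "targets": [], "suspicious": False}
    inf = resolve_ci(mount, "autorun.inf")
    if inf is None:
        return report
    if os.path.isdir(inf):
        report["autorun"] = "directory"   # already inoculated, nothing to parse
        return report
    with open(inf, "r", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    report["autorun"] = "file"
    for key, value in entries.items():
        if not is_exec_key(key):
            continue
        target = resolve_ci(mount, first_token(value))
        finding = {"key": key, "value": value, "path": target}
        if target and os.path.isfile(target):
            finding["sha256"] = sha256_of(target)   # sample hash for the analysts
            finding["size"] = os.path.getsize(target)
        report["targets"].append(finding)
    # At the triage desk any autorun.inf that launches something counts as infected
    report["suspicious"] = bool(report["targets"])
    return report

def inoculate(mount, quarantine):
    """Quarantine autorun.inf and what it launches, then block re-infection."""
    os.makedirs(quarantine, exist_ok=True)
    moved = []
    report = scan_volume(mount)
    if report["autorun"] != "file":
        return moved
    for t in report["targets"]:
        if t["path"] and os.path.isfile(t["path"]):
            dest = os.path.join(quarantine, os.path.basename(t["path"]))
            shutil.move(t["path"], dest)
            moved.append(dest)
    dest = os.path.join(quarantine, "autorun.inf")
    shutil.move(resolve_ci(mount, "autorun.inf"), dest)
    moved.append(dest)
    # Assumed hardening step: a directory named autorun.inf cannot be silently
    # replaced by a dropped autorun.inf file, so the next infection attempt fails.
    os.mkdir(os.path.join(mount, "autorun.inf"))
    return moved

def build_sample_volume():
    """Constructed fake stick: an autorun pointing at an inert placeholder file."""
    mount = tempfile.mkdtemp(prefix="usb_")
    os.makedirs(os.path.join(mount, "RECYCLER"))
    with open(os.path.join(mount, "RECYCLER", "setup.exe"), "wb") as fh:
        fh.write(b"not a real program\n")            # constructed placeholder, not malware
    with open(os.path.join(mount, "AutoRun.inf"), "w") as fh:
        fh.write("[AutoRun]\nopen=RECYCLER\\setup.exe\nicon=RECYCLER\\setup.exe\n")
    return mount

def triage_demo():
    """Run the whole desk procedure on the constructed stick; return before, moved, after."""
    stick = build_sample_volume()
    quarantine = tempfile.mkdtemp(prefix="quarantine_")
    before = scan_volume(stick)
    moved = inoculate(stick, quarantine)
    after = scan_volume(stick)
    return before, moved, after

if __name__ == "__main__":
    for step in triage_demo():
        print(step)
```

The scan deliberately treats every autorun.inf with an open, shellexecute or shell\...\command entry as a hit rather than trying to tell legitimate from malicious: at a walk-up desk the cost of a false positive is a quarantined installer, while the cost of a miss is another infected machine, and the hashes collected feed the signature development the post calls for.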

But wait... what's missing here? Knowledge of the threat. In the midst of all of this, signature development needs to occur and threat assessments must continue. This is all about continuous information gathering. Samples need to be gathered and analyzed to determine the types and functionality of the malware. A line must be drawn that differentiates high-value assets from the assets of little to no value. This is where further triage takes place.

More on this later.