This is a direct copy from an article by NIST
GUIDE TO MALWARE INCIDENT PREVENTION AND HANDLING
An effective awareness program explains proper rules of behavior for use of an organization’s IT systems and information. Accordingly, awareness programs should include guidance to users about malware incident prevention, which can help reduce the frequency and severity of malware incidents. All users within an organization should be made aware of the ways in which malware enters systems, infects them, and spreads; the risks that malware poses; the inability of technical controls to prevent all incidents; and the importance of users in preventing incidents. Awareness activities should also take into account the characteristics of different environments, such as those encountered by telecommuters and traveling employees in hotels, coffee shops, and other external locations. In addition, the organization’s awareness program should cover the malware incident prevention considerations in the organization’s policies and procedures, as described in Section 3.1, as well as generally recommended practices for avoiding malware incidents. Examples of such practices are as follows:
- Not opening suspicious e-mails or e-mail attachments from unknown or known senders
- Not clicking on suspicious Web browser popup windows
- Not visiting Web sites that are at least somewhat likely to contain malicious content
- Not opening files with file extensions that are likely to be associated with malware (e.g., .bat, .com, .exe, .pif, .vbs)
- Not disabling the additional security control mechanisms (e.g., antivirus software, spyware detection and removal utility, personal firewall)
- Not using administrator-level accounts for regular system operation
- Not downloading or executing applications from untrusted sources.
As described in Section 4, organizations should also make users aware of policies and procedures that apply to malware incident handling, such as how to identify if a system may be infected, how to report a suspected infection, and what users might need to do to assist with incident handling (e.g., updating antivirus software, scanning systems for malware). Users should be made aware of how notices of major malware incidents will be communicated and given a way to verify the authenticity of all such notices. In addition, users should be aware of changes that might be temporarily made to the environment to contain an incident, such as disconnecting infected systems from networks and blocking certain types of e-mail attachments.
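One way a mail gateway could enforce the attachment-extension practice listed above and the attachment-blocking containment measure, as an added example that is not part of the NIST guide. The block list is constructed from the extensions the guide cites, the sample message is constructed inline, and the filename check deliberately looks at every dotted component so a double-extension name such as "invoice.pdf.exe" is caught as well.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed block list, taken from the extensions the guide cites as likely
# to be associated with malware; extend it to match your own policy.
BLOCKED_EXTENSIONS = {".bat", ".com", ".exe", ".pif", ".vbs"}


def attachment_verdict(filename: str) -> tuple[bool, str]:
    """Return (blocked, reason) for one attachment filename."""
    # Windows drops trailing dots and spaces when a file is written to disk,
    # so normalise them first: "setup.exe." is "setup.exe" once saved.
    name = filename.strip().rstrip(". ").lower()
    # Examine every dotted component after the first, not only the last one,
    # so "invoice.pdf.exe" and "report.exe.txt" are both flagged.
    components = name.split(".")
    for ext in ("." + c for c in components[1:] if c):
        if ext in BLOCKED_EXTENSIONS:
            return True, f"extension {ext} is on the block list"
    return False, "allowed"


def blocked_attachments(raw_message: bytes) -> list[tuple[str, str]]:
    """Parse an RFC 5322 message and list the attachments the policy blocks."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():  # skips the text body parts
        name = part.get_filename()
        if not name:
            continue
        blocked, reason = attachment_verdict(name)
        if blocked:
            hits.append((name, reason))
    return hits


def constructed_sample_message() -> bytes:
    """Build a constructed test message with one disguised executable."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Quarterly report"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 constructed stub", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ constructed stub", maintype="application",
                       subtype="octet-stream", filename="Report.pdf.EXE")
    msg.add_attachment("plain notes", subtype="plain", filename="notes.txt")
    return bytes(msg)
```

Running `blocked_attachments(constructed_sample_message())` flags only `Report.pdf.EXE`; the PDF and the text file pass.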
As part of awareness activities, organizations should educate their users on the techniques that criminals use to trick users into disclosing information. Organizations should also provide users with recommendations for avoiding phishing attacks, which are described in Section 2.8.1. Examples of such recommendations are as follows:
- Never reply to e-mail requests for financial or personal information. Organizations should not ask for such information by e-mail, because e-mail is susceptible to monitoring by unauthorized parties. Instead, call the organization at its legitimate phone number, or type the organization’s known Web site address into a Web browser. Do not use the contact information provided in the e-mail.
- Do not provide passwords, PINs, or other access codes in response to e-mails or unsolicited popup windows. Only enter such information into the organization’s legitimate Web site.
- Do not open suspicious e-mail file attachments, even if they come from known senders. If an unexpected attachment is received, contact the sender (preferably by a method other than e-mail, such as phone) to confirm that the attachment is legitimate.
- Do not respond to any suspicious or unwanted e-mails. (Asking to have an e-mail address removed from a malicious party’s mailing list confirms the existence and active use of that e-mail address, potentially leading to additional attack attempts.)
Although user awareness programs help to reduce the frequency and severity of malware incidents, their impact is typically minor compared to that of the technical controls for vulnerability and threat mitigation described in Sections 3.3 and 3.4. An organization should not rely on user awareness as its primary method of preventing malware incidents; instead, the awareness program should supplement the technical controls to provide additional protection against incidents.

The awareness program for users should also serve as the foundation for awareness activities for the IT staff involved in malware incident prevention, such as security, system, and network administrators. All IT staff members should have some basic level of awareness regarding malware prevention, and individuals should be trained in the malware prevention–related tasks that pertain to their areas of responsibility. In addition, on an ongoing basis, some IT staff members (most likely, some members of the security or incident response teams) should receive and review bulletins on new malware threats, assess the likely risk to the organization, and inform the necessary IT staff members of the new threat so that infections can be prevented. IT staff awareness activities related to malware incident handling are discussed in Section 4.