Blocking malicious virus attacks: the "three elements" of isolate, contain and eliminate

zhaozj, 2021-02-12

Virus attacks are becoming more and more frequent. It is estimated that around 100,000 viruses are in circulation, that hundreds of new viruses appear each month, and that roughly one in every 15 e-mails carries an infected attachment. Antivirus software alone is not enough to cope with this situation; what is needed is a comprehensive, proactive and adaptive method of security threat management, made up of three elements: isolate, that is, identify the attack in progress; contain, that is, keep the security threat from spreading; and eliminate, that is, remove the immediate threat with the appropriate patches and antivirus tools while taking the actions needed to prevent similar attacks.

Isolate

Most security problems are caused by the lack of coordination between the various security technologies, which usually operate in isolation from one another. A typical example: a firewall sends a warning about a rule violation, an IDS detects a signature match (a Trojan horse program), and an antivirus program also detects the same Trojan horse. Each program either raises an alert or records the event in its own log, but the three events are never analysed together, so nobody discovers that someone may be trying to take control of the server and that it is already carrying the Trojan. Why does this happen? Because there are so many system security alerts and events that the important alert is drowned out and ignored. Therefore, accurately isolating the attack in progress, analysing the correlation between events, and determining the security priority and the appropriate alarm are absolutely essential. Once the system has this intelligence, it becomes possible to assess which alert is critical. Intelligent security sets and strengthens protection and priority according to business value and business priority: a security threat to a critical service must be given the highest priority and isolated quickly.
For example, a problem involving the online store poses a far greater risk to business operations than a problem involving the internal training system. So when two routers go down, they should not produce the same alert; each router should be checked against its business context and the alert issued at the appropriate priority.

Contain

Containment takes many forms. For example, a virus can be caught and quarantined by antivirus software at the PC level, but this is for the most part a limited defence. Because a virus has certain clearly identifiable characteristics, containing the attack at the network's entry point is more effective. A virus carried in an e-mail attachment named A should be detected by a filter on the mail server or the corresponding gateway and intercepted immediately. To prevent an attachment carrying a virus from being opened inside the company, blocking must be deployed to separate departments, servers and even individual PCs. Take a Visual Basic script virus such as "Love Letter" as an example: faced with such an intrusion, you can quickly push a policy out over the network that forbids the execution of VB scripts until the outbreak is over. Rapidly applying a series of policies at the point of outbreak achieves effective containment. Of course, a disaster recovery plan should also be developed, so that once an attack from a given IP address is detected, the affected part of the network can be cut off or the rules on the network switch changed to block the incoming packets. A more thorough method of containment is to deploy a "honeypot": a sacrificial server that collects the evidence left behind by the attacker. Once an intrusion is detected, the attack can be redirected to the honeypot server, which is isolated from the rest of the system. This method is especially useful when you want to turn a passive defence into an active one and bring a lawsuit against those carrying out the attack.
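As an added illustration (not code from the original article), the following Python correlator takes the three separate alerts the Isolate section describes (firewall, IDS, antivirus) for one host, clusters them within a time window, and ranks the resulting incidents by corroboration and business value, as the online-store versus training-system comparison suggests. The host names, event lines, window and value weights are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Business value per asset (constructed): the online store outranks
# the internal training system, so its incidents rank higher.
ASSET_VALUE = {"shop-web-01": 3, "training-srv": 1}

# Constructed sample events from three tools that each alert in isolation.
SAMPLE_EVENTS = [
    {"ts": "2021-02-12T10:00:05", "source": "firewall", "host": "shop-web-01",
     "msg": "rule violation: inbound tcp/4444"},
    {"ts": "2021-02-12T10:00:40", "source": "ids", "host": "shop-web-01",
     "msg": "signature match: backdoor trojan"},
    {"ts": "2021-02-12T10:01:10", "source": "antivirus", "host": "shop-web-01",
     "msg": "trojan detected and quarantined"},
    {"ts": "2021-02-12T10:02:00", "source": "firewall", "host": "training-srv",
     "msg": "rule violation: inbound tcp/4444"},
    {"ts": "2021-02-12T10:30:00", "source": "ids", "host": "training-srv",
     "msg": "signature match: backdoor trojan"},
]


def summarise(host, cluster):
    """Collapse one cluster of events into a single incident record.
    Severity = number of corroborating tools x business value of the asset."""
    sources = {ev["source"] for ev in cluster}
    severity = len(sources) * ASSET_VALUE.get(host, 1)
    return {"host": host, "sources": sorted(sources), "severity": severity}


def correlate(events, window=timedelta(minutes=5)):
    """Group events per host that fall within `window` of the cluster's first
    event; several tools reporting the same host close together is stronger
    evidence of a real attack than any one alert on its own."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as text
        by_host[ev["host"]].append(ev)
    incidents = []
    for host, evs in by_host.items():
        cluster = []
        for ev in evs:
            t = datetime.fromisoformat(ev["ts"])
            if cluster and t - datetime.fromisoformat(cluster[0]["ts"]) > window:
                incidents.append(summarise(host, cluster))   # close the old cluster
                cluster = []
            cluster.append(ev)
        if cluster:
            incidents.append(summarise(host, cluster))
    return incidents


def prioritise(incidents):
    """Highest severity first, so the critical alert is not drowned out."""
    return sorted(incidents, key=lambda i: i["severity"], reverse=True)
```

Running `prioritise(correlate(SAMPLE_EVENTS))` puts the single three-tool incident on the online store first; the two isolated alerts on the training server, 28 minutes apart, stay separate low-priority incidents.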

Please credit the original source when reprinting: https://www.9cbs.com/read-7467.html
