Operation Fighting Nimda

by Noel Laam

Early in the morning of 20 September 2001, when I came into the office and switched on the PC as usual, the screen looked funny and small windows kept popping up as if they were saying hello to me. While I was all at sea about what had happened, a neighbouring colleague came to my rescue and told me that we were likely being attacked by a virus/worm.

And Operation Fighting Nimda formally began.

An interim command was set up at once, and the whole of the Computing Services Centre (CSC) was on the alert and prepared to fight the malicious worm. All departments were informed of the news and told to shut down their machines right away to stop the infection from spreading. At 10 am, when the necessary information on Nimda and the essential patches had been collected, the technical staff of the CSC and the Enterprise Solutions Unit (ESU) were immediately gathered, briefed and sent to all departments that had reported being infected with Nimda to carry out the rescue - to check the machines, to clean up the worm if the machines were infected, to apply patches to all machines, and to boot up the systems again when all machines in a department were fixed.

Minimal staff were left in the office for liaison, and most were running in and out of the office cross-checking for the latest information and reporting on the progress. It was just like being on a battlefield. After one whole day of hectic work, except for those departments that opted to take care of their own machines, most machines in a number of departments were rescued by the following day, and were able to perform their duties as normal.

After this worm attack, I was thinking, what did we learn from it?

This incident certainly reminded us of the urgency of raising users' awareness of security protection so as to better protect our campus network. At the moment, some departments look after their own servers, and CSC's recommended measures, security patches, and virus updates may not be adopted or implemented in time. As a result, these servers were invaded and used to mount other attacks. We need to better organise the University's strength in intrusion detection and virus protection, and to have better control and management of the network services. The CSC is now working out ways to tighten the network security in various areas, and though this may cause some inconvenience to users, it is necessary and vital if we want to safeguard the users' interests and protect the University from avoidable virus/worm and hacker attacks.

We in the CSC will definitely continue to work hard to strengthen our sophisticated network to fight against virus/worm attacks. How about you? Will you lend us a hand?