The term malware refers to malicious software that is designed to damage or disrupt a computer system. Malware creation continues to rise as our reliance on technology grows, which gives cyber criminals more opportunities to make money.
What is the risk?
Malware infections can cause material harm to your IT systems. This might include disruption of business services, unauthorised export of sensitive information or loss of access to critical data (e.g. caused by ransomware).
Malware can be introduced into your network via a variety of ways:
- Email: Email still provides a primary path for internal and external information exchange. A malicious email attachment can execute its payload when the file is opened or otherwise processed by a desktop application. Email with malicious content may be specifically targeted at known individuals with access to sensitive information, or at roles with elevated privileges (known as spear phishing). Alternatively, malicious email may include embedded links that direct users to websites hosting malicious content.
- Web browsing: Users could browse (or be directed to) websites that may contain malicious content, which seeks to compromise applications (such as the browser) that interact with that content.
- Removable media and personally owned devices: Malware can be transferred to a network through the uncontrolled introduction of removable media or the direct connection of untrusted devices. This might include (for example) connecting a smartphone via a USB port, even if intended only to charge the device.
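The attachment path above is where a gateway can intervene before a user ever opens the file. The following is an added example, not code from the original guidance, showing the checks a perimeter mail filter applies to each attachment: directly executable file types, double extensions such as invoice.pdf.exe, a declared content type that does not match the file's leading bytes, and Office documents carrying a VBA project. The sample message, the extension lists and the magic-byte table are constructed for the example and assumed to be set by local policy.

```python
"""Attachment triage for mail entering the perimeter (added example).

The sample message and the extension/magic-byte lists are constructed
for illustration; a real gateway would load them from local policy.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# File types that execute directly when a user opens them (constructed policy list).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "ps1",
                         "vbs", "js", "jse", "wsf", "hta", "lnk", "msi", "jar"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

# Leading bytes a file with the given declared content type must start with.
EXPECTED_MAGIC = {"application/pdf": b"%PDF", "image/png": b"\x89PNG",
                  "image/jpeg": b"\xff\xd8\xff", "application/zip": b"PK\x03\x04"}


def has_vba_macros(data: bytes) -> bool:
    """OOXML files are zip containers; a vbaProject.bin entry means VBA is present."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, declared_type: str, data: bytes) -> list[str]:
    """Return the reasons an attachment should be quarantined (empty list: none found)."""
    findings = []
    exts = filename.lower().split(".")[1:]          # "invoice.pdf.exe" -> ["pdf", "exe"]
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable file type .{exts[-1]}")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
            findings.append(f"double extension presents it as a .{exts[-2]} document")
    if data.startswith(b"MZ") and declared_type != "application/x-msdownload":
        findings.append(f"content is a Windows executable but declared as {declared_type}")
    expected = EXPECTED_MAGIC.get(declared_type)
    if expected and not data.startswith(expected):
        findings.append(f"content does not match declared type {declared_type}")
    if has_vba_macros(data):
        findings.append("Office document carries a VBA project (macros)")
    return findings


def triage_message(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw RFC 5322 message and triage every attachment in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_content()
        if isinstance(payload, str):                # text/* parts come back decoded
            payload = payload.encode()
        results[name] = triage_attachment(name, part.get_content_type(), payload)
    return results


def should_quarantine(results: dict[str, list[str]]) -> bool:
    return any(results.values())


def _macro_document() -> bytes:
    """Constructed stand-in for a .docm: a zip container with a VBA project inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 vba")
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed message: one clean PDF, one disguised executable, one macro document."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "finance@example.org"
    msg["Subject"] = "Outstanding invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4\n%constructed\n", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="invoice.pdf.exe")
    msg.add_attachment(_macro_document(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="report.docm")
    return msg.as_bytes()


SAMPLE_MESSAGE = build_sample_message()

if __name__ == "__main__":
    for name, why in triage_message(SAMPLE_MESSAGE).items():
        print(name, "->", why or "clean")
```

The content-type check matters because mail clients and some gateways trust the declared type when choosing a handler; the magic-byte check is what catches an executable labelled as a PDF. A message with any finding is held for analyst review rather than delivered, in line with the quarantine guidance later on this page.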
How can the risk be managed?
Develop and implement anti-malware policies: Develop and implement corporate anti-malware policies and standards and ensure that they are consistently implemented across your infrastructure. The approach should be applicable and relevant to all business areas.
Manage all data import and export: All data should be scanned for malicious content at the network perimeter, whether that’s internet gateways or facilities to introduce removable media.
Blacklist malicious web sites: Ensure that the perimeter gateway uses blacklisting to block access to known malicious web sites.
Provide dedicated media scanning machines: Stand-alone workstations can be provided and equipped with appropriate anti-virus products. The workstation should be capable of scanning the content of any type of media and of inspecting content nested within files, such as archives inside archives and objects embedded in documents. Ideally every scan should be bound to a known user, so that the introduction of any media can be traced to the person who brought it in.
Establish malware defences: Malware can attack any system process or function, so protection should be built from multiple defensive layers (defence in depth). This should include the following controls:
- Employ end user device protection. Antivirus applications provide malware protection on many platforms, however some platforms (some smartphones for example) may need further protection mechanisms such as application whitelisting.
- Deploy antivirus and malicious code checking solutions to scan inbound and outbound objects at the network perimeter. Where host based antivirus is also used, it may be sensible to use a different product from the one at the perimeter to increase overall detection capability. Any suspicious or infected objects should be quarantined for further analysis.
- Deploy a content filtering capability on all external gateways to try to prevent attackers delivering malicious code to common desktop applications such as the web browser.
- Install firewalls where appropriate, configuring them to deny traffic by default.
- If the business processes can support it, consider disabling certain browser plugins or scripting languages.
- Where possible, disable the autorun function to prevent the automatic execution of malicious code from any type of removable media. Equally, if removable media is introduced, the system should automatically scan it for malicious content.
- Ensure systems and components are well configured according to the secure baseline build and kept up to date.
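The dedicated media scanning workstation described above and the autorun control in this list come together in the following added example, which is not code from the original guidance. It walks a mounted volume, hashes every file against a known-bad list, opens nested zip archives to a bounded depth under a decompression budget (so a crafted archive cannot exhaust the scanner), flags an autorun.inf that would be honoured by a host with autorun still enabled, and records the operator's account with the scan so every scan is bound to a known user. The hash list and the sample media image are constructed for the example; a real workstation would take its hashes from threat-intelligence feeds and rely on its anti-virus engine for deeper content analysis.

```python
"""Scanner for a dedicated removable-media workstation (added example).

Known-bad hashes and the sample media are constructed for illustration.
"""
import getpass
import hashlib
import io
import tempfile
import zipfile
from dataclasses import dataclass, field
from pathlib import Path

MAX_DEPTH = 3                      # archives nested deeper than this are flagged, not opened
MAX_EXTRACTED = 64 * 1024 * 1024   # decompression budget per scan, guards against zip bombs


@dataclass
class ScanReport:
    operator: str                  # account the scan is bound to
    files_seen: int = 0
    findings: list = field(default_factory=list)   # (logical path, reason)

    def clean(self) -> bool:
        return not self.findings


class Scanner:
    def __init__(self, known_bad: set, report: ScanReport):
        self.known_bad = known_bad
        self.report = report
        self.budget = MAX_EXTRACTED

    def inspect(self, data: bytes, logical_path: str, depth: int) -> None:
        """Hash one object, then descend into it if it is an archive."""
        self.report.files_seen += 1
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.known_bad:
            self.report.findings.append((logical_path, f"known-bad sha256 {digest[:16]}..."))
        if data.startswith(b"PK\x03\x04"):
            if depth >= MAX_DEPTH:
                self.report.findings.append((logical_path, f"nested deeper than {MAX_DEPTH}, not opened"))
            else:
                self.inspect_zip(data, logical_path, depth + 1)

    def inspect_zip(self, data: bytes, logical_path: str, depth: int) -> None:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    entry = f"{logical_path}!{info.filename}"
                    if info.file_size > self.budget:     # declared size would blow the budget
                        self.report.findings.append((entry, "decompression budget exceeded, not scanned"))
                        continue
                    try:
                        member = zf.read(info)
                    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
                        self.report.findings.append((entry, "could not extract (encrypted or corrupt)"))
                        continue
                    self.budget -= len(member)
                    self.inspect(member, entry, depth)
        except zipfile.BadZipFile:
            self.report.findings.append((logical_path, "corrupt or truncated archive"))

    def check_autorun(self, data: bytes, logical_path: str) -> None:
        """An autorun.inf at the volume root is honoured by hosts that still have autorun on."""
        for line in data.decode("latin-1").splitlines():
            key, _, value = line.partition("=")
            if key.strip().lower() in ("open", "shellexecute"):
                self.report.findings.append((logical_path, f"autorun.inf would launch '{value.strip()}'"))


def scan_media(root: Path, known_bad: set, operator: str = "") -> ScanReport:
    """Scan a mounted volume; refuses to run unless the scan can be attributed to a user."""
    if not operator:
        try:
            operator = getpass.getuser()
        except Exception as exc:
            raise RuntimeError("scan must be bound to a known operator") from exc
    report = ScanReport(operator)
    scanner = Scanner(known_bad, report)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if rel.lower() == "autorun.inf":
            scanner.check_autorun(data, rel)
        scanner.inspect(data, rel, depth=0)
    return report


# Constructed sample: a stand-in payload whose hash is on the known-bad list, and a USB
# stick image carrying autorun.inf plus that payload hidden two archive levels down.
PAYLOAD = b"MZ\x90\x00 constructed stand-in for a malicious executable"
KNOWN_BAD = {hashlib.sha256(PAYLOAD).hexdigest()}


def build_sample_media() -> Path:
    root = Path(tempfile.mkdtemp(prefix="media_"))
    (root / "autorun.inf").write_text("[autorun]\nopen=setup.exe\nicon=setup.exe\n")
    (root / "holiday.txt").write_text("nothing to see here")
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("payload.exe", PAYLOAD)
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("photos/inner.zip", inner.getvalue())
    (root / "photos.zip").write_bytes(outer.getvalue())
    return root


if __name__ == "__main__":
    r = scan_media(build_sample_media(), KNOWN_BAD)
    print(f"operator={r.operator} files={r.files_seen} clean={r.clean()}")
    for where, why in r.findings:
        print(f"  {where}: {why}")
```

Entries the scanner cannot open (encrypted archives, nesting beyond the depth limit, entries over the decompression budget) are reported as findings rather than silently skipped, because an unscannable object on untrusted media is a reason to hold it, not to pass it. The report carries the operator name so the scan log answers who introduced the media and when.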
User education and awareness: Users should understand the risks from malware and the day-to-day processes they can follow to help prevent a malware infection from occurring. The user instructions should contain the following:
- Try to stop and think before clicking on links, but don’t worry if you think you’ve clicked on something harmful. Tell your security team as soon as possible and they will help.
- Do not connect any unapproved removable media or personally owned device to the network.
- Report any strange or unexpected system behaviour to the appropriate security team.
- Maintain awareness of how to report a security incident.