by Marian Bodunrin
Malware is a type of computer program designed to infect a legitimate user’s computer with the intent to inflict harm. Malware comes in various forms such as viruses, Trojans, spyware, worms, etc. Malware is a huge and growing problem, costing businesses millions of dollars and typically exposing or damaging vital data. New forms constantly appear and can be hard to catch. CIS Control #8 sets out recommendations that should be implemented to reduce an organization’s risk.
The degree of damage caused by malware varies according to the type of malware, the type of device that is infected and the nature of the data that is stored or transmitted by the device. As a result, a defense strategy needs to act on multiple levels. Defenses need to prevent malware from being installed, from running if it is installed, and from spreading if it runs. This is defense-in-depth and requires a strong set of automated tools.
Automated malware detection and removal software is an absolute requirement. It needs to cover everything on the network: servers, workstations, mobile devices, and anything else that has a processor and runs code. Regular updates are necessary to keep up with new threats, and machines should be checked to make sure they're getting the updates. Also, periodic vulnerability scans, along with malware detection and blocking should prevent a network from being compromised and succumbing to a botnet.
Shadow IT increases risk. If people are running machines that aren't authorized, those machines aren't going to be consistently monitored and protected. The first and second CIS controls stress the importance of keeping track of everything on a network, and malware protection is one of the reasons such inventories are so important.
It isn't enough to put protective software on each machine without an overall plan. Defenses are very hard to manage if haphazardly installed. Each machine would need its own updates, and hostile code that gets blocked on one system could get through on another. Centrally administered and automated protection gives your network a more consistent defense.
Keeping track of what protective software finds is important. It should be set up to log all incidents, and part of administrators’ responsibilities is to review the logs. If an issue turns up on one machine, it may be present elsewhere as well. If an attack occurs repeatedly, it's time to check the defenses against it and strengthen them as necessary.
Network monitoring needs to check for traffic that could indicate malware. The most popular malware model today is the Command & Control (C&C), where it reports to a server, sends information, and gets instructions. The monitoring system should log DNS queries in order to catch requests to C&C domains. Effective firewalls can capture suspicious file transfers and block hostile traffic. This isn't limited to blocking ports and IP addresses; the best software can catch malicious packets at the application level, after SSL decryption.
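The DNS-query logging described above, worked through as an added example (not code from the original article): it checks each queried name against a blocklist of C&C domains, including their subdomains, and separately flags a client that queries the same name at near-constant intervals, the beaconing rhythm typical of C&C check-ins. The log format, the blocklist entries (placeholder names in reserved TLDs) and the log lines are all constructed for illustration.

```python
"""Flag DNS queries to known C&C domains and regular beaconing in DNS query logs."""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed blocklist: placeholder names in reserved TLDs, not real indicators.
C2_BLOCKLIST = {"c2-update.example", "cdn-stat.invalid"}

# Constructed log lines: timestamp, client IP, query type, queried name.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 A www.example.com
2024-05-01T10:00:05Z 10.0.0.5 A api.c2-update.example
2024-05-01T10:01:05Z 10.0.0.5 A api.c2-update.example
2024-05-01T10:02:05Z 10.0.0.5 A api.c2-update.example
2024-05-01T10:02:09Z 10.0.0.7 AAAA mail.example.com
2024-05-01T10:03:05Z 10.0.0.5 A api.c2-update.example
2024-05-01T10:03:40Z 10.0.0.9 A intranet.example.test
"""


def parse_line(line):
    """Split one log line into (timestamp, client, qtype, normalized name)."""
    ts, client, qtype, name = line.split()
    stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return stamp, client, qtype, name.lower().rstrip(".")


def matches_blocklist(name, blocklist=C2_BLOCKLIST):
    """True if name equals a blocked domain or is a subdomain of one."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def find_blocklist_hits(log_text):
    """Distinct (client, name) pairs whose queried name hits the blocklist."""
    rows = map(parse_line, log_text.splitlines())
    return sorted({(c, n) for _, c, _, n in rows if matches_blocklist(n)})


def find_beacons(log_text, min_queries=4, max_jitter=0.1):
    """(client, name, interval_s) for names queried at near-constant intervals."""
    seen = defaultdict(list)
    for stamp, client, _, name in map(parse_line, log_text.splitlines()):
        seen[(client, name)].append(stamp)
    beacons = []
    for (client, name), stamps in seen.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        # Coefficient of variation near zero means a fixed check-in period.
        if mean > 0 and pstdev(gaps) / mean <= max_jitter:
            beacons.append((client, name, round(mean)))
    return beacons
```

A blocklist hit is an immediate alert; a beacon to a name not on any list is the case worth sending to an analyst, since it is how previously unknown C&C infrastructure gets noticed.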
If a device is caught running malware, the network protection software should quarantine it immediately. Keeping malware from spreading buys time to fix the problem, urgent as it is.
Limiting the attack surface
External devices, such as thumb drives, are inherently convenient and yet they create risks. Many people are too trusting of drives received as promotional giveaways, and even legitimate ones are sometimes inadvertently infected. Auto-running when devices are inserted is a convenient feature that ought to be buried, and it should be disabled on all machines. Thumb drives are the most common, but the caution applies to all mountable devices brought in from the outside.
A solid defense will have anti-malware software scan for each newly mounted device. If there are suspicious files on it, the scan will automatically dismount it. Newly downloaded files need the same consideration. Each one should be scanned, and the ones that are flagged should be blocked from running.
The multi-layered approach
It's unrealistic to expect any defense to stop all malware at the perimeter. There are just too many threats, new ones being invented and unleashed all the time, and some will make it past the first line of defense. Stopping threats requires a coordinated effort in the firewall, devices on the network edge, server protection, and monitoring.
The multi-layered approach is to:
Everyone understands that malware protection is necessary but turning it into a systematic set of practices takes a coordinated effort. Everyone involved needs to be working on the same comprehensive cybersecurity plan.
by Marian Bodunrin
Web browsers and email clients are very common points of entry for malicious code because users rely on them every day. Content can be manipulated to entice users into taking actions that greatly increase risk, resulting in loss of data and other attacks. Controlling the use of browsers and having a defined list of approved ones is critical. CIS Control #7 addresses several key points in protecting an organization’s environment and provides recommendations to mitigate risks. While some of the controls may seem too restrictive for an organization's needs, most are clearly necessary and implementing them will ensure a more robust cybersecurity blueprint.
An organization’s browser, the portal to the internet, is also the first line of defense against malware threats. Minimizing attack vectors should be the number one goal: ensure that only fully supported web browsers are allowed to execute, and deploy their updates. Obviously, as much as possible, updates should happen as soon as they become available, and a formal written policy should be developed addressing user behavior.
At times it can be difficult to control the sites users access. Enforcing a network-based URL filter that limits the system’s ability to connect to websites not approved by the organization will help manage this risk.
Keep in mind that when the browser itself offers no exploitable vulnerabilities, attackers also target common web browser plugins that may allow them to hook into the browser or directly into the operating system. To mitigate this risk, uninstall or disable any unauthorized browser plugins or add-on applications.
An e-mail security program needs to provide confidentiality, data origin authentication, message integrity, and nonrepudiation of origin. CSC #7 provides several recommendations to help ensure email security. Using a spam filtering tool will aid in reducing malicious emails that come into the network. Deploying the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol will ensure that legitimate email is properly authenticated against established SPF (Sender Policy Framework) standards. Fraudulent activity appearing to come from the organization’s domains is blocked. Installing an encryption tool to secure email and communication adds another layer of security for users and the network.
Spoofed messages are dangerous because they can create a false sense of trust. Employees are more likely to respond to a message that seems to come from someone they know. The SPF standards guard against this by checking if messages are coming from a mail server that is authorized to use the sender's address. While the CIS specifically recommends SPF, other protocols such as DKIM work well with it, and implementing both is advisable.
Implementing this control should be neither very disruptive nor very difficult. In a security-focused organization, end users are typically not allowed to install their own software, and updates are deployed by the authorized department as soon as they are available. Software needs to be kept up to date in general, and web browsers and mail clients will be part of this practice. Administrators should also restrict and monitor the use of plugins. At times there might be special work requirements that involve a plugin; such requests should go through the administrator for approval.
The simple rule to follow when implementing this control is, “Make it simple for the users or they will find a way around it.” Increasing complexity or the effort users have to put in often leads to privilege misuse or other methods to defeat the controls. It is worth mentioning that human error is still the major cause of most breaches and incidents. Overall, implementing this control provides a large improvement in safety for relatively little effort.