CHAPTER 19: MALWARE PROTECTION

Malware is an extremely common threat that can cause significant damage; fortunately, basic controls are already sufficient to mitigate the vast majority of malware attacks.

Considering the return on investment, here at IT Governance, we strongly recommend you implement at least basic anti-malware measures such as anti-malware software and firewalls. As you will see, however, there are many additional measures you could take; the right ones for you will depend on your specific needs. Having said that, there is a key principle to follow: manage all data import and export. In other words, scan all data at your network perimeters to keep malware out.

Also remember that a leading cause of malware infections is human error – a member of staff falling for a phishing scam, for example. As such, do not rely on technical measures alone: give all staff awareness training, so that they learn to recognise threats and take appropriate action. This is discussed further in Chapter 24.

Anti-malware software

Anti-malware (or antivirus) software is perhaps the most common anti-malware measure, and is often included for free in popular operating systems. Simply enabling it can make you significantly more secure, but you will need to keep it up to date – both the scanning engine and its signature definitions – to make sure it remains effective against the latest threats.

Besides enabling and keeping your anti-malware software up to date, you also need to run regular, full scans. These can be scheduled to run automatically, and should be complemented by on-access (real-time) scanning, which checks files at the moment malware may enter your networks, such as when an email attachment is downloaded or a file is opened from removable media.

Although less well known, antivirus and anti-malware software solutions also exist for smartphones and tablets. Consider how attractive company devices can be as malware targets – they often store or have access to significant amounts of confidential or sensitive information, but also often lack the security computers tend to have. You can, however, take other approaches to protect such devices from malware, including whitelisting (covered later).

Firewalls

Firewalls, which are also commonly included for free in popular operating systems, provide a barrier to traffic seeking to cross the perimeter by only allowing authorised traffic to pass. This requires setting the default firewall rule to ‘deny’ and enforcing a whitelist with authorised protocols, ports and applications. In effect, firewalls work as filters that protect your boundaries.

Firewalls are discussed further in Chapter 20.

Whitelisting

Whitelisting involves creating a list of applications permitted on a device, and blocking any application (or processes within a certain application) not appearing on that list from running, and is suitable for both computers and mobile devices.

Whitelisting requires significantly less maintenance than anti-malware software, as it does not rely as strongly on keeping up to date with the latest threats. It also combines well with anti-malware software, since whitelisting mitigates the risk of the anti-malware software missing some malware. However, it can increase administrator workloads if it is especially restrictive, or impact user productivity if deployed poorly, so it is important to strike the right balance between usability and security.
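The Python below is an added example, not code from the book or from any allowlisting product. It contrasts allowing an executable by file name with allowing it by the SHA-256 of its contents (commercial products identify binaries by hash or by publisher signature, not by name, for exactly this reason): a tampered build that keeps an approved name passes the name check and fails the hash check. The file names, contents and temporary directory are constructed for the illustration.

```python
"""Added example: name-based versus hash-based application allowlisting."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hex SHA-256 of a file's contents, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(approved_paths):
    """Build the allowlist from known-good binaries. Approved names and
    approved content hashes are recorded separately so the two checks
    can be compared side by side."""
    return {
        "names": {os.path.basename(p) for p in approved_paths},
        "hashes": {sha256_of(p) for p in approved_paths},
    }


def allowed_by_name(path, allowlist):
    """Weak check: anything carrying an approved file name may run."""
    return os.path.basename(path) in allowlist["names"]


def allowed_by_hash(path, allowlist):
    """Default deny: only content whose hash was baselined may run, so a
    modified or replaced file is blocked even if its name is approved."""
    return sha256_of(path) in allowlist["hashes"]


def demo():
    """Constructed scenario (hypothetical files in a temporary directory):
    an approved agent, a trojanised copy that keeps the approved name, and
    an unrelated unknown binary. Returns (by_name, by_hash) per case."""
    with tempfile.TemporaryDirectory() as tmp:
        def write(relpath, content):
            full = os.path.join(tmp, relpath)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
            return full

        approved = write("bin/backup-agent", b"#!/bin/sh\necho backing up\n")
        allowlist = baseline([approved])
        # Same approved name, different content: what a trojanised build looks like.
        tampered = write("updates/backup-agent",
                         b"#!/bin/sh\necho backing up\n# extra payload here\n")
        unknown = write("downloads/dropper", b"MZ\x90\x00 constructed unknown binary")

        return {
            "approved": (allowed_by_name(approved, allowlist),
                         allowed_by_hash(approved, allowlist)),
            "tampered_same_name": (allowed_by_name(tampered, allowlist),
                                   allowed_by_hash(tampered, allowlist)),
            "unknown": (allowed_by_name(unknown, allowlist),
                        allowed_by_hash(unknown, allowlist)),
        }


if __name__ == "__main__":
    for case, (by_name, by_hash) in demo().items():
        print(f"{case:20} name-check={by_name!s:5} hash-check={by_hash}")
```

The maintenance trade-off mentioned above shows up directly here: every legitimate update to an approved binary changes its hash and needs a new baseline entry, which is the administrator workload a restrictive list creates.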

Sandboxing

Sandboxing involves running an application in an isolated environment, limiting its access to the rest of your networks and devices. The idea is that sandboxing will prevent scenarios like a malware-infected USB stick plugged into someone’s computer from infecting the rest of your network because its contents are first checked in an isolated environment. Sandboxing is also a good way of testing patches before installing them on the rest of your network.

Backups

Taking regular backups is one of the most basic and oldest cyber security controls, but it is particularly important. In the event that malware breaks through your defences and infects your systems, having backups handy means, for instance, that ransomware cannot effectively force you to pay a ransom. Keep in mind, however, that some ransomware variants can delete or infect your backups too, so make sure that the backup service itself is adequately isolated – for example, by keeping copies offline or otherwise beyond the reach of the credentials held on the systems being backed up – and protected by measures such as anti-malware software.

Also remember that malware can remain dormant for long periods before triggering, so think about how frequently you need to run your backups and how long to retain them: if the malware entered before your oldest retained backup was taken, every copy you hold may already be infected. How often and for how long will entirely depend on how critical the information is for you; for instance, if you rely on data coming in constantly, you probably need at least daily backups, which may not need to be kept for more than a week as long as older copies are retained on a coarser schedule.
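The Python below is an added example, not from the book, showing why the retention question matters more than it looks. It compares a plain seven-day daily policy with a grandfather-father-son policy (every daily copy for a week, the last copy of each week for a month, the last copy of each month for six months) when malware that entered ten days ago finally triggers today: the daily-only policy has no clean restore point at all, while the tiered policy keeps one from three weeks earlier and one from each preceding month, with far fewer copies than daily-for-six-months would need. The dates, the one-backup-per-day schedule and the ten-day dormancy are constructed for the illustration.

```python
"""Added example: backup retention tiers versus malware dwell time."""
from datetime import date, timedelta


def select_retained(backup_dates, today, daily_days=7, weekly_weeks=4, monthly_months=6):
    """Dates kept under a grandfather-father-son policy: every copy from the
    last `daily_days` days, the last copy of each ISO week for the last
    `weekly_weeks` weeks, and the last copy of each calendar month for the
    last `monthly_months` months (a month is approximated as 31 days)."""
    dates = sorted(d for d in backup_dates if d <= today)
    keep = set()

    # Daily tier: everything recent.
    keep.update(d for d in dates if (today - d).days < daily_days)

    # Weekly tier: iterating in ascending order, so the last copy of each week wins.
    last_in_week = {}
    for d in dates:
        if (today - d).days < weekly_weeks * 7:
            last_in_week[d.isocalendar()[:2]] = d
    keep.update(last_in_week.values())

    # Monthly tier: same idea, keyed by calendar month.
    last_in_month = {}
    for d in dates:
        if (today - d).days < monthly_months * 31:
            last_in_month[(d.year, d.month)] = d
    keep.update(last_in_month.values())

    return keep


def clean_copies(retained, first_infected):
    """Backups taken before the malware entered: the only ones safe to
    restore once it has triggered."""
    return {d for d in retained if d < first_infected}


def demo():
    """Constructed scenario: one backup per day for 120 days, malware that
    entered 10 days ago and stayed dormant until today (2024-03-31)."""
    today = date(2024, 3, 31)
    backups = [today - timedelta(days=i) for i in range(120)]
    first_infected = today - timedelta(days=10)

    daily_only = select_retained(backups, today, daily_days=7,
                                 weekly_weeks=0, monthly_months=0)
    tiered = select_retained(backups, today)
    tiered_clean = clean_copies(tiered, first_infected)

    return {
        "daily_only_retained": len(daily_only),
        "daily_only_clean": len(clean_copies(daily_only, first_infected)),
        "tiered_retained": len(tiered),
        "tiered_clean": len(tiered_clean),
        "oldest_clean_tiered": min(tiered_clean),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

The retention schedule is only half of the control: the retained copies must also sit where the infected host cannot delete or encrypt them, otherwise the clean copies the calculation promises will not exist when you need them.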
