
Anti-Malware Policy


Introduction

The threat posed by malware has never been more serious than it is today. Vertic Pty Ltd systems and users are under a constant bombardment of attempts to circumvent security in order to make some kind of gain or to disrupt the normal operation of the organization.

This threat can come from several sources including:

Organised gangs attempting to steal money or commit blackmail

Competitor organisations trying to obtain confidential information

Politically motivated groups

Rogue employees within the organization

Nation state sponsored “cyber-warfare” units

Individuals exercising curiosity or testing their skills

Whatever the source, the result of a successful security breach is that the organization and its stakeholders are affected, sometimes seriously, and harm is caused.

One of the primary tools used by such attackers is malware and it is essential that effective precautions are taken by Vertic Pty Ltd to protect itself against this threat.

This document sets out the organisation’s policy regarding defence against malware. Its intended audience is IT and information security management and support staff who will implement and maintain the organisation’s defences. Malware-related information and advice for users is included in associated policy documents referenced below.

This control applies to all systems, people and processes that constitute the organisation’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Vertic Pty Ltd systems.

The following policies and procedures are relevant to this document:

Mobile Device Policy

Acceptable Use Policy

Internet Acceptable Use Policy

Software Policy

The malware threat

Definition

There is no single definition of the term “Malware” in use but for the purposes of this policy the following definition is used:

“Malware is any code or software that may be harmful or destructive to the information processing capabilities of the organization”

The term is derived from the phrase “Malicious Software” and may also be called malicious code or commonly (but inaccurately) “a virus”.

Types of malware

Malware comes in many forms and is constantly changing as previous attack routes are closed and new ones are found. The most common types of malware found today are:

Virus: a program that performs an unwanted function on the infected computer. This could involve destructive actions or the collection of information that can be used by the attacker.

Trojan: a program that pretends to be legitimate code but conceals other unwanted functions. Often disguised as a game or useful utility program.

Worm: a program that is capable of copying itself onto other computers or devices without user interaction.

Logic bomb: malicious code that has been set to run at a specified date and time or when certain conditions are met.

Rootkit: a program used to disguise malicious activities on a computer by hiding the processes and files from the user.

Keylogger: code that records keystrokes entered by the user.

Backdoor: a program that allows unauthorised access at will to an attacker.

Adware: a type of malware that automatically delivers advertisements. Common examples of adware include pop-up ads on websites and those which are displayed by software.

Bot: an autonomous program which can interact with systems and users with malicious intent.

Spyware: a program that enables malicious sources to obtain information about another computer’s activity.

Ransomware: a form of malware that essentially holds a computer system captive while demanding a ransom. Ransomware restricts user access to the computer either by encrypting files on the hard drive or locking down the system. It also displays messages intended to force the user to pay the ransomware creator to remove the restrictions and regain access to their computer.

Often these types of malware will be used in combination with each other. For example, an attacker will encourage an unwitting user to infect a computer with a virus which will allow unauthorised access. This initial access will then be used to install a rootkit to disguise further activities, a keylogger to capture keystrokes and a backdoor to allow future access without detection.

How malware spreads

For malicious software to carry out its intended purpose it needs to be installed on the target device or computer. There are a number of key ways in which malware infects computers and networks, although new ways are being created all the time.

The most common infection techniques are as follows.

Phishing

This method involves tricking the user into taking some action that causes a malicious program to run and infect the computer being used. It is usually achieved via the blanket sending of unsolicited emails (Spam) with file attachments or web links included in them. When the user opens the file or clicks on the link the malicious action is triggered.

Phishing attacks have become more sophisticated in recent years and can be very believable and enticing to the user. More targeted versions of phishing have appeared such as Spear Phishing (aimed at a particular organization) and even Whaling (aimed at an individual).

Websites and mobile code

The widespread use of mobile code such as JavaScript on websites has provided attackers with another route to infect computers with malware. Often websites will be created to host the malware which is activated either upon clicking on a link or in some cases simply by visiting the website.

Increasingly, legitimate websites are being compromised and made to host malware without the owner’s knowledge, making this type of attack very difficult for the user to avoid.

Removable media

USB memory sticks, CDs, DVDs and other removable media devices provide an effective way of spreading malware onto additional computers. When the media is inserted into the machine the malware will either run and infect the target or will copy itself onto the removable media in order to prepare to infect the next machine it is plugged into.

Hacking

Hacking (or “cracking”, as it is more accurately known) is a more targeted and therefore less common method of introducing malware onto a computer or network. It involves gaining unauthorised access to the network from outside (and sometimes inside) the organization. This method requires more knowledge on the part of the perpetrator and often exploits existing vulnerabilities in the software or network devices being used. Once access has been gained, malware will be installed remotely onto the compromised machine.

Anti-malware policy

In order to prevent the infection of Vertic Pty Ltd computers and networks and avoid the potentially dire consequences of such infection, there are several key controls that will be adopted as policy.

The key concept adopted in this policy is “defence in depth” and no single control should be relied upon to provide adequate protection. This is therefore not a choice between controls but a list of necessary controls, all of which should be implemented where possible to guard against the threats outlined in the previous section.

Firewall

A firewall will be installed at all points at which the internal network is connected to the Internet.

Where possible, individual firewalls will be enabled on client computers. Access permissions must be set such that the user cannot disable the firewall.

Anti-virus

A commercial, supported anti-virus platform will be installed within the organization at key locations:

Firewall

Email servers

Proxy servers

All other servers

All user computers

Mobile devices, including laptops (phones and tablets where possible)

All anti-virus clients will be set to obtain signature updates on a regular basis, either directly from the vendor website or from a central server within the organization.

By default, on-access scanning must be enabled to provide real-time protection. Regular full scans must also be carried out at least monthly.

All anti-virus programs must be configured from a central management console to ensure that the software cannot be disabled or altered by users. This will be routinely verified by the IT Department.

Anti-virus programs must also be configured to stay up to date and to generate audit logs of their actions.

Quarterly reviews of all anti-virus software must be completed to verify that they:

Detect all known and new types of malicious software

Remove all known and new types of malicious software

Protect against all known and new types of malicious software

Systems not requiring anti-virus

Some commonly used systems will not be affected by malware and therefore will not have anti-virus software installed. However, it is important that these systems are reviewed on a regular basis to ensure this situation has not changed.

Spam filtering

A system will be installed to filter out unsolicited and potentially harmful emails (spam). Types of attachments known to often contain malware must be blocked or removed before delivery to the user.
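As an added illustration of the attachment control described above (example code written for this page, not part of the policy or any product the organisation uses), the following Python filter strips attachments from a message when either the file extension is on a deny-list or the file content starts with an executable signature despite a harmless-looking name. The deny-list and the sample message are constructed assumptions; the organisation's own list of blocked attachment types is a separate decision.

```python
import os
import email
from email import policy
from email.message import EmailMessage

# Hypothetical deny-list of extensions treated as "known to often contain malware".
# The real list is an organisational decision and is not taken from the policy text.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta", ".jar", ".ps1"}

# Leading bytes of common executable formats. Checking content as well as the
# extension catches an executable that has been renamed to look like a document.
EXECUTABLE_MAGIC = {b"MZ": "Windows PE executable", b"\x7fELF": "ELF executable"}


def attachment_verdict(filename, payload):
    """Return the reason an attachment must be removed, or None if it may pass."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        return "blocked extension " + ext
    for magic, description in EXECUTABLE_MAGIC.items():
        if payload.startswith(magic):
            return "content is a %s despite extension %s" % (description, ext or "(none)")
    return None


def filter_message(raw):
    """Rebuild a message without blocked attachments; return (clean_message, removed)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []   # (filename, reason) pairs for the audit log and the user notice
    kept = []      # attachments that passed both checks
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""   # bytes regardless of declared type
        reason = attachment_verdict(name, data)
        if reason:
            removed.append((name, reason))
        else:
            kept.append((name, part.get_content_maintype(), part.get_content_subtype(), data))

    clean = EmailMessage()
    for header, value in msg.items():
        # MIME structure headers are regenerated by set_content/add_attachment below.
        if header.lower() not in ("content-type", "content-transfer-encoding", "mime-version"):
            clean[header] = value
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if removed:
        body += "\n\n[Mail filter removed: " + ", ".join("%s (%s)" % r for r in removed) + "]"
    clean.set_content(body)
    for name, maintype, subtype, data in kept:
        clean.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return clean, removed


def build_sample_message():
    """Constructed test message: one harmless attachment and two that must be stripped."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Constructed sample for attachment filtering"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"%PDF-1.4 constructed harmless sample",
                       maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed bytes, not a real program",
                       maintype="application", subtype="octet-stream", filename="invoice.exe")
    # Executable signature behind a .txt name: the extension check alone would miss this.
    msg.add_attachment(b"MZ\x90\x00 constructed bytes hiding behind a text extension",
                       maintype="text", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, dropped = filter_message(build_sample_message())
    for filename, reason in dropped:
        print("removed %s: %s" % (filename, reason))
    print("delivered attachments:", [p.get_filename() for p in cleaned.iter_attachments()])
```

The two checks are deliberately independent: the extension list stops the obvious cases cheaply, and the content check handles the mismatch case that a name-based rule cannot see. A production filter would also log each removal, which is the audit trail the anti-virus section of this policy asks for.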

Sandbox detection

Where appropriate, sandbox detection technology should be implemented. This allows executables to be run in an isolated virtual environment while the anti-virus software logs the behaviour of the program. If the anti-virus software detects malicious behaviour, it blocks the program from running in the live environment.

Software installation and scanning

Users must not have administrative access to their computers that would allow them to install software. Only approved software will be allowed, and this must be installed either by the IT department upon authorised request, or from an approved app store.

Regular scanning of user computers to detect unauthorised software must be carried out.

Vulnerability management

Information on software vulnerabilities will be collected from vendors and third-party sources and updates applied where available. If possible and if permitted by the organisational change management policy, updates will be applied automatically as soon as they are released.

Vulnerability scanning must be carried out regularly, particularly on business-critical servers and networks.

User awareness training

Users must be made aware when starting with the organization of the information security policy and be trained in ways to avoid falling victim to attacks such as phishing.

This awareness training must be repeated on a regular basis to all employees who make use of IT equipment.

Threat monitoring and alerts

Information about emerging threats will be obtained from appropriate sources and users alerted proactively of potential attacks, giving as much detail as possible to maximise the chance of recognition.

Intrusion detection/prevention systems (IDS/IPS) must be deployed on all networks to monitor traffic for malicious activity or policy violations. Any detected activity or violation will be reported either to an administrator or collected centrally using a security information and event management (SIEM) system.

Technical reviews

Regular reviews will be carried out of business-critical servers and networks to identify any malware that has been installed since the last review. This will include taking a snapshot of the configuration for later comparison.
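The snapshot-and-compare review described above can be implemented as a file-integrity baseline. The following Python script is an added example for this page (not a tool the policy prescribes or the organisation's own code): it records a SHA-256 digest for every file under a directory, stores the result as JSON, and at the next review reports files that were added, removed or changed. The directory layout and the changes made between the two snapshots are constructed inside a temporary directory purely to show the comparison working.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (path relative to root) to its SHA-256 and size."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order makes two snapshots easy to diff by eye too
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow links out of the reviewed tree
            digest = hashlib.sha256()
            with open(full, "rb") as handle:
                for chunk in iter(lambda: handle.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = {"sha256": digest.hexdigest(), "size": os.path.getsize(full)}
    return result


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh snapshot."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "changed": sorted(p for p in base_paths & cur_paths
                          if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def save_snapshot(snap, path):
    """Persist the baseline; in practice keep this copy off the reviewed host."""
    with open(path, "w") as handle:
        json.dump(snap, handle, indent=2, sort_keys=True)


def load_snapshot(path):
    with open(path) as handle:
        return json.load(handle)


def demo():
    """Constructed walk-through: baseline a small config tree, alter it, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "ssh").mkdir(parents=True)
        (root / "cron.d").mkdir()
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "cron.d" / "backup").write_text("0 2 * * * root /usr/local/bin/backup\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_snapshot(snapshot(root), baseline_file)

        # Constructed changes "between reviews": one edit, one new file, one deletion.
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "cron.d" / "update-checker").write_text("*/5 * * * * root /opt/unknown/agent\n")
        (root / "cron.d" / "backup").unlink()

        return compare(load_snapshot(baseline_file), snapshot(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print("%-8s %s" % (category, ", ".join(paths) or "-"))
```

Every entry in the report needs a human decision: a changed `sshd_config` may be an approved change under the change management policy or may not, and the snapshot only tells the reviewer that the question must be asked. Storing the baseline away from the reviewed host matters because a rootkit on that host could otherwise alter both the files and the record of them.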

Malware incident management

If malware is detected on a server, client, network or other IT component, an information security incident will be raised. This will be managed in accordance with the procedures set out in the Information Security Incident Response Procedure.
