Strategies for Managing Malware Risks

Introduction

Welcome to this document from the Midsize Business Security Guidance collection. Microsoft hopes that the following information will help you create a more secure and productive computing environment.

Executive Summary

As malicious software, or malware, has become more sophisticated, so have the software and hardware technologies that help prevent malware threats and attacks.

Malware threats have been very costly for midsize businesses, both in the technologies and operations needed to defend against attacks and in those needed to respond to them. The Internet has significantly raised the profile of external threats to midsize business environments, while some of the greatest threats, such as internal attacks, remain.

The internal attacks with the highest potential for damage result from the activities of insiders in the most trusted positions, such as network administrators. Insiders involved in malicious activity are likely to have specific goals, such as planting a Trojan horse or browsing the file system without authorization, while maintaining legitimate access to the systems. More commonly, insiders have no malicious intent but introduce malware unintentionally by connecting infected systems or devices to the internal network, compromising the integrity or confidentiality of a system or degrading its performance, availability, or storage capacity.

Analysis of both internal and external threats has led many midsize businesses to investigate systems that help monitor networks and detect attacks, including resources for helping to manage malware risks in real time.

Overview

This document provides information about strategies for helping to manage malware risks in midsize businesses. The document is divided into four main sections: Introduction, Definition, Challenges, and Solutions.

Definition

This section clarifies what malware is (and also what is not malware), its characteristics, and risk management.

Challenges

This section describes many of the common challenges that midsize businesses face with regard to managing malware risks, including:

  • Common information system assets

  • Common threats

  • Vulnerabilities

  • Educating end users and policies

  • Balancing risk management and business need

Solutions

This section provides additional information about policies, approaches, and strategies, including:

  • Physical and logical policies

  • Reactive and proactive approaches to malware and virus prevention

  • Strategies for helping to reduce malware

Malware risk assessment and management are also discussed in this section as part of the strategies to help prevent malware threats. This section will also provide information about monitoring and reporting tools to help scan, detect, and report malware activities.

Who Should Read This Guide

This document is primarily intended for management and IT personnel in midsize businesses to help them better understand malware threats, how to help defend against these threats, and how to respond quickly and appropriately when malware attacks occur.

Definition

Malware is an abbreviation of the words "malicious software." It is a collective noun that includes viruses, worms, and Trojan horses that intentionally perform malicious tasks on a computer system. Technically, malware is any malicious code.

Understanding the Different Types of Malware

The following subsections describe different malware categories.

Concealment
  • Trojan horse. A program that appears to be useful or harmless but that contains hidden code designed to exploit or damage the system on which it is run. Trojan horse programs (also called Trojan code) are most commonly delivered to users through e-mail messages that misrepresent the program's purpose and function. Trojan horse programs do this by delivering a malicious payload or task when they are run.
Infectious Malware
  • Worm. A worm uses self-propagating malicious code that can automatically distribute itself from one computer to another through network connections. A worm can take harmful action, such as consuming network or local system resources, possibly causing a denial of service attack. Some worms can execute and spread without user intervention, while others require users to execute the worm code directly in order to spread. Worms may also deliver a payload in addition to replicating.

  • Virus. A virus uses code written with the express intention of replicating itself. A virus attempts to spread from computer to computer by attaching itself to a host program. It may damage hardware, software, or data. When the host is executed, the virus code also runs, infecting new hosts and sometimes delivering an additional payload.

Malware for Profit
  • Spyware. This type of software is sometimes referred to as spybot or tracking software. Spyware relies on deceptive software or programs to conduct certain activities on a computer without obtaining appropriate consent from the user. These activities can include collecting personal information and changing Internet browser configuration settings. Beyond being an annoyance, spyware causes a variety of problems that range from degrading the overall performance of the computer to violating the user's privacy.

    Web sites that distribute spyware use a variety of tricks to get users to download and install it on their computers. These tricks include creating deceptive user experiences and covertly bundling spyware with other software users might want, such as free file sharing software.

  • Adware. A type of advertising display software, specifically certain executable applications whose primary purpose is to deliver advertising content potentially in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions, and therefore may also be categorized as tracking technologies. Some consumers may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program, or are frustrated by its effects on system performance. Conversely, some users may wish to keep particular adware programs if their presence subsidizes the cost of a desired product or service or if they provide advertising that is useful or desired, such as ads that are competitive or complementary to what the user is looking at or searching for.

For more information, see the Malware topic in Wikipedia at https://en.wikipedia.org/wiki/Malware and the What is Malware? topic in The Antivirus Defense-in-Depth Guide at www.microsoft.com/technet/security/guidance/serversecurity/avdind_2.mspx#ELF.

Understanding Malware Behaviors

The various characteristics that each category of malware can exhibit are often very similar. For example, a virus and a worm may both use the network as a transport mechanism. However, a virus will look for files to infect while the worm will simply attempt to copy itself. The following section provides brief explanations of typical malware characteristics.

Target Environments

When malware attempts to attack a host system, a number of specific components may be required before the attack can succeed. The following components are typical examples of the types of components malware may require to launch an attack against a host:

  • Devices. Some malware will specifically target a device type, such as a personal computer, an Apple Macintosh computer, or even a Personal Digital Assistant (PDA). Mobile devices such as cell phones are becoming more popular target devices.

  • Operating systems. Malware may require a particular operating system to be effective. For example, the CIH or Chernobyl virus of the late 1990s could only attack computers running Microsoft® Windows® 95 or Windows 98. Newer operating systems are more secure. Unfortunately, malware is becoming more sophisticated as well.

  • Applications. Malware may require a particular application to be installed on the target computer before it can deliver a payload or replicate. For example, the LFM.926 virus of 2002 could only attack if Shockwave Flash (.swf) files could execute on the local computer.

Carrier Objects

If the malware is a virus, it will attempt to target a carrier object (also known as a host) to infect it. The number and type of targeted carrier objects varies widely among different forms of malware, but the following list provides examples of the most commonly targeted carriers:

  • Executable files. These carriers are the targets of the "classic" virus type that replicates by attaching itself to a host program. In addition to typical executable files that use the .exe extension, files with extensions such as the following can also be used for this purpose: .com, .sys, .dll, .ovl, .ocx, and .prg.

  • Scripts. Attacks that use scripts as carriers target files that use a scripting language, such as Microsoft Visual Basic® Script, JavaScript, AppleScript, or Perl Script. Extensions for files of this type include: .vbs, .js, .wsh, and .prl.

  • Macros. These carriers are files that support a macro scripting language of a particular application, such as a word processor, spreadsheet, or database application. For example, viruses can use the macro languages in Microsoft Word and Lotus Ami Pro to produce a number of effects, ranging from mischievous (switching words around in the document or changing colors) to malicious (formatting the computer's hard drive).
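A practical way to catch the classic file infector described above, which alters a host executable rather than creating an obviously new file, is to keep a hash baseline of carrier-type files and compare it against the current state. The following script is an added example written for this guide's readers, not code from the original page or from Microsoft; the extension list is taken from the carriers named above, and the sample files, directory layout and "infection" it performs are constructed inline so it runs offline.

```python
"""Detect modified executable carrier files by comparing SHA-256 hashes against a baseline.

Added illustration: the sample files, directory layout and the simulated infection
below are constructed for this example and are not taken from the guide.
"""
import hashlib
import os
import tempfile

# Carrier extensions named in the guide; a real deployment would tune this list.
CARRIER_EXTENSIONS = {".exe", ".com", ".sys", ".dll", ".ovl", ".ocx", ".prg",
                      ".vbs", ".js", ".wsh", ".prl"}


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks so large binaries fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, extensions=CARRIER_EXTENSIONS):
    """Map each carrier-type file under root (path relative to root) to its hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in extensions:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = hash_file(full)
    return baseline


def compare_baseline(old, new):
    """Classify differences between two baselines into added, removed and modified carriers."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Build a baseline over constructed sample files, then simulate a file infector and re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        samples = {                       # constructed sample content, not real binaries
            "bin/app.exe": b"MZ\x90\x00fake program body",
            "bin/helper.dll": b"MZ\x90\x00fake library body",
            "login.vbs": b"WScript.Echo \"hello\"",
            "readme.txt": b"not a carrier type",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        before = build_baseline(root)

        # A classic file infector appends its code to a host executable and drops a
        # new script. The text file is also edited, but it is not a carrier type and
        # so should not be reported.
        with open(os.path.join(root, "bin", "app.exe"), "ab") as fh:
            fh.write(b"\x00VIRUS-BODY")
        with open(os.path.join(root, "dropper.js"), "wb") as fh:
            fh.write(b"// dropped script")
        with open(os.path.join(root, "readme.txt"), "ab") as fh:
            fh.write(b" edited")
        after = build_baseline(root)
        return compare_baseline(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline must be stored somewhere the malware cannot reach (a read-only share or a signed file), otherwise an infector with write access can simply rehash itself; the comparison is only as trustworthy as the copy of the baseline it runs against.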

Transport Mechanisms

An attack can use one or many different methods to try and replicate between computer systems. This section provides information about a few of the more common transport mechanisms that malware uses.

  • Removable media. The original and probably the most prolific transmitter of computer viruses and other malware (at least until recently) is file transfer. This mechanism started with floppy disks, then moved to networks, and is now finding new media such as Universal Serial Bus (USB) devices and Firewire. The rate of infection is not as rapid as with network-based malware, yet the threat is ever present and hard to eradicate completely because of the need to exchange data between systems.

  • Network shares. When computers were provided a mechanism to connect to each other directly via a network, malware writers were presented with another transport mechanism that had the potential to exceed the abilities of removable media to spread malicious code. Poorly implemented security on network shares produces an environment where malware can replicate to a large number of computers connected to the network. This method has largely replaced the manual method of using removable media.

  • Peer-to-peer (P2P) networks. For P2P file transfers to occur, a user must first install a client component of the P2P application that will use the network.

For additional information, see the "Malware Characteristics" section of The Antivirus Defense in Depth Guide at www.microsoft.com/technet/security/guidance/serversecurity/avdind_2.mspx#EQAAC.

What Is Not Included in the Definition of Malware

A variety of threats exist that are not considered malware because they are not computer programs written with malicious intent. However, these threats can still have both security and financial implications for midsize businesses. The following list describes some common examples of threats that should be considered and understood when developing a comprehensive security strategy.

  • Joke software. Joke applications are designed to produce a smile or, at worst, a waste of someone's time. These applications have existed for as long as people have been using computers. Because they were not developed with malicious intent and are clearly identified as jokes, they are not considered malware for the purposes of this guidance. Numerous examples of joke applications exist, producing everything from interesting screen effects to amusing animations or games.

  • Hoaxes. A trick message warning of a virus that doesn’t actually exist is an example of a hoax. Like some other forms of malware, hoaxes use social engineering to attempt to trick computer users into performing some act. However, there is no code to execute in a hoax; the hoaxer is usually simply trying to trick the victim. A common example of a hoax is an e-mail message or a chain-mail that claims a new virus type has been discovered and to warn friends by forwarding the message. This type of hoax message wastes people's time, takes up e-mail server resources, and consumes network bandwidth. However, hoaxes can also cause damage if they instruct users to change computer configurations (for example, deleting registry keys or system files).

  • Scams. An e-mail message that attempts to trick the recipient into revealing personal information that can be used for unlawful purposes (such as bank account information) is a common example of a scam. One particular type of a scam has become known as phishing (pronounced “fishing”) and is also referred to as brand spoofing or carding.

  • Spam. Spam is unsolicited e-mail generated to advertise some service or product. This phenomenon is generally considered a nuisance, but spam is not malware. However, the dramatic increase in the number of spam messages being sent is a problem for the infrastructure of the Internet. Spam also causes lost productivity for employees who are forced to wade through and delete such messages every day.

  • Internet cookies. Internet cookies are text files that are placed on a user's computer by Web sites that the user visits. Cookies contain and provide identifying information about the user to the Web sites that place them on the user computer, along with whatever information the sites want to retain about the user's visit.

    Cookies are legitimate tools that many Web sites use to track visitor information. Unfortunately, some Web site developers have been known to use cookies to gather information without the user's knowledge. Some may deceive users or omit their policies. For example, they may track Web surfing habits across many different Web sites without informing the user. The site developers can then use this information to customize the advertisements the user sees on a Web site, which is considered an invasion of privacy.

For additional detailed information about malware and its characteristics, see The Antivirus Defense-in-Depth Guide on Microsoft TechNet at www.microsoft.com/technet/security/guidance/serversecurity/avdind_0.mspx.

Understanding Risk Management and Malware

Microsoft defines risk management as the process by which risks are identified and the impact of those risks determined.

Putting a security risk management plan in place can be overwhelming for midsize businesses. Contributing factors may include a lack of in-house expertise, limited budget, or the absence of guidelines for outsourcing the work.

Security risk management provides a proactive approach that can assist midsize businesses in planning their strategies against malware threats.

A formal security risk management process enables midsize businesses to operate in the most cost efficient manner with a known and acceptable level of business risk. It also gives them a consistent, clear path to organize and prioritize limited resources in order to manage risk.

To facilitate the tasks of managing risks, Microsoft has developed The Security Risk Management Guide, which provides guidance about the following four processes:

  1. Assessing risk. Identify and prioritize risks to the business.

  2. Conducting decision support. Identify and evaluate control solutions based on a defined cost-benefit analysis process.

  3. Implementing controls. Deploy and operate control solutions to help reduce risk to the business.

  4. Measuring program effectiveness. Analyze the risk management process for effectiveness and verify that controls are providing the expected degree of protection.

Detailed information about this topic is beyond the scope of this paper. However, it is essential to understand the concept and processes in order to help plan, deploy, and implement a solution strategy for malware risk. The following figure shows the four primary processes of risk management.


Figure 1. The 4 primary risk management processes

For more information about risk management, see The Security Risk Management Guide on Microsoft TechNet at https://go.microsoft.com/fwlink/?linkid=30794.
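The first two processes, assessing risk and conducting decision support, can be made concrete with a small worked model. The script below is an added illustration for this guide's readers, not code from the original page or from the Security Risk Management Guide. It assumes the quantitative model in which annualized loss expectancy (ALE) is single loss expectancy multiplied by annual rate of occurrence; the risk register, dollar figures and candidate controls are constructed sample data, and overlapping controls on the same risk are treated as independent for simplicity.

```python
"""Prioritize malware risks by ALE and select controls by cost-benefit within a budget.

Added illustration, not from the guide: the asset values, occurrence rates and
control costs are constructed, and ALE = SLE x ARO is an assumption of this example.
"""

# Constructed risk register: risk -> (single loss expectancy in dollars, annual rate of occurrence)
RISKS = {
    "mail-borne worm outbreak":    (40_000, 2.0),
    "infected USB on file server": (25_000, 0.5),
    "spyware on finance PCs":       (8_000, 4.0),
}

# Candidate controls: (name, annual cost, fraction of each risk's occurrences the control removes)
CONTROLS = [
    ("mail gateway scanning",        12_000, {"mail-borne worm outbreak": 0.8}),
    ("block removable media",         2_000, {"infected USB on file server": 0.9}),
    ("user awareness training",       6_000, {"mail-borne worm outbreak": 0.3,
                                              "spyware on finance PCs": 0.5}),
    ("hardware tokens for everyone", 30_000, {"spyware on finance PCs": 0.1}),
]


def ale(sle, aro):
    """Annualized loss expectancy."""
    return sle * aro


def rank_risks(risks):
    """Assess risk: order risks by ALE, highest first."""
    return sorted(((name, ale(*v)) for name, v in risks.items()), key=lambda x: -x[1])


def control_benefit(control, risks):
    """Annual loss avoided by a control: sum over the risks it affects of ALE x fraction removed."""
    _, _, reductions = control
    return sum(ale(*risks[r]) * frac for r, frac in reductions.items())


def select_controls(controls, risks, budget):
    """Decision support: drop controls that cost more than they save, then pick greedily
    by benefit per dollar until the budget is exhausted."""
    scored = []
    for control in controls:
        name, cost, _ = control
        benefit = control_benefit(control, risks)
        if benefit > cost:                       # a control that saves less than it costs is never worth it
            scored.append((benefit / cost, name, cost, benefit))
    scored.sort(reverse=True)
    chosen, spent = [], 0
    for _ratio, name, cost, _benefit in scored:
        if spent + cost <= budget:
            chosen.append(name)
            spent += cost
    return chosen, spent


if __name__ == "__main__":
    for name, value in rank_risks(RISKS):
        print(f"{name:30s} ALE ${value:,.0f}")
    chosen, spent = select_controls(CONTROLS, RISKS, budget=15_000)
    print(f"chosen within $15,000: {chosen} (spent ${spent:,})")
```

Note that the cheapest control is not automatically the best: here awareness training ranks first because it reduces two of the three risks at once, while the expensive token rollout is excluded outright because it addresses a risk it barely affects.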

Challenges

Malware attacks can be mounted via different vectors or attack methods on a specific weak point. It is recommended that midsize businesses perform risk assessments that not only determine their vulnerability profiles but also help determine what level of risk is acceptable to that specific company. Midsize businesses need to develop strategies to help reduce malware risks.

Some of the challenges for reducing malware risks in a midsize business environment include:

  • Common information system assets.

  • Common threats

  • Vulnerabilities

  • User education

  • Balancing risk management and business needs.

Common Information System Assets

Information system assets are the resources that a security program exists to protect. They refer to both the physical and the logical aspects of a company and can include servers, workstations, software, and user licenses.

Employee business contact data, mobile computers, routers, human resources data, strategic plans, internal Web sites, and employee passwords are all common information system assets. An extensive list is provided in "Appendix A: Common Information System Assets" at the end of this document.

Common Threats

Several methods through which malware can compromise midsize businesses are sometimes referred to as threat vectors, and represent the areas that require the most attention when designing an effective solution to help reduce malware risks. Common threats include natural disasters, mechanical failures, malicious persons, uninformed users, social engineering, malicious mobile code, and disgruntled employees. This wide range of threats presents challenges not only for midsize businesses but businesses of all sizes.

"Appendix B: Common Threats" at the end of this document provides an extensive list of threats that are likely to affect midsize businesses.

Vulnerabilities

Vulnerabilities represent weaknesses in IT system security procedures and policies, administrative controls, physical layout, internal controls, and other areas that could be exploited by a threat to gain unauthorized access to information or disrupt critical processing. Vulnerabilities are both physical and logical. They include susceptibility to natural disaster and mechanical failure, software misconfigurations, unpatched software, and human error. "Appendix C: Vulnerabilities" at the end of this document provides an extensive list of vulnerabilities that are likely to affect midsize businesses.

User Education

With regard to physical and logical information security, the biggest vulnerability is not necessarily the computers or software flaws but the computer users. Employees may make careless errors such as typing in their passwords where others can see them, downloading and opening e-mail attachments that contain viruses, or failing to shut down their computers at night. Because human actions can greatly affect computer security, educating employees, IT staff, and management should be made a priority. Equally important is the need for all personnel to develop good security habits. These approaches are simply more cost efficient for the business in the long run. Training should give users recommendations for avoiding malicious activity and should educate them about potential threats and how to avoid them. Security practices that users should be aware of include the following:

  • Never reply to e-mail requests for financial or personal information.

  • Never provide passwords.

  • Do not open suspicious e-mail file attachments.

  • Do not respond to any suspicious or unwanted e-mails.

  • Do not install unauthorized applications.

  • Lock their computers when they are not actively using them by password-protecting the screen saver or through the CTRL-ALT-DELETE dialog box.

  • Enable a firewall.

  • Use strong passwords on their remote computers.

Policies

Written policies and accepted procedures are a necessity for helping to enforce security practices. To be effective, all IT policies should have the support of upper management and provide an enforcement mechanism, a way to inform users, and a way to educate users. Example policies might address the following topics:

  • How to detect malware on a computer.

  • How to report suspected infections.

  • What users can do to assist incident handlers such as the last action a user did before the system became infected.

  • Processes and procedures to mitigate operating system and application vulnerabilities that malware might exploit.

  • Patch management and the application of security configuration guides and checklists.

Balancing Risk Management and Business Needs

Investing in a risk management process helps prepare midsize businesses to articulate priorities, plan to mitigate threats, and address the next threat or vulnerability to the business.

Budget constraints may dictate IT security spending but a well-structured risk management methodology, when used effectively, can help management identify appropriate controls for providing the mission-essential security capabilities.

Midsize businesses must strike a delicate balance between risk management and their business needs. The following questions may be helpful when weighing the two:

  • Should the company configure its systems itself or should it be done by the hardware/software supplier? What would be the cost?

  • Should you use load balancing or clustering as mechanisms to ensure high availability of applications? What does it take to put these mechanisms in place?

  • Do you need an alarm system for your server room?

  • Should you use electronic key systems for the building or the server room?

  • What is the company’s budget for computer systems?

  • What is the company’s budget for technology support and maintenance?

  • How much money would you estimate your company has spent on your computer systems (hardware and software maintenance) in the last year?

  • How many computers are in the main site of your company? Do you have an inventory of computer hardware and software?

  • Are your older systems powerful enough to run most of the software you need to run?

  • How many new or upgraded computers would you estimate you need? How many would be optimum?

  • Does each user have to have a printer?

For more detailed information on risk management, refer to the Security Risk Management Guide at https://go.microsoft.com/fwlink/?linkid=30794.

Solutions

This section explains different strategies for helping to manage malware risks, including reactive and proactive approaches to malware and physical and logical policies. Validation methods such as reporting tools and monitoring are discussed as well.

Developing Strategies for Reducing Malware

When developing strategies to help reduce malware, it is important to define the operational key points where malware detection and/or prevention can be implemented. When it comes to managing malware risk, no single device or technology should be relied upon as the only line of defense. Preferred methods use a layered approach with proactive and reactive mechanisms throughout the network. Antivirus software plays a key role in this area; however, it should not be the only instrument used to detect malware attacks. For further detailed information on a layered approach, refer to the section titled "The Malware Defense Approach" in The Antivirus Defense-in-Depth Guide at www.microsoft.com/technet/security/guidance/serversecurity/avdind_3.mspx#E1F.

The following operational key points are discussed further in detail:

  • Assessing malware risks

  • Physical security

  • Logical security

  • Proactive vs. reactive policies and procedures

  • Deployment and management

Assessing Malware Risks

When assessing malware risks, midsize businesses need to be mindful of the attack vectors to which they are most exposed. How are they protected, and to what extent? The following questions should be considered:

  • Does the company have a firewall installed?

    Firewalls are an important part of perimeter defense. A network firewall commonly serves as a primary line of defense against external threats to an organization's computer systems, networks, and critical information. Midsize businesses should have some form of firewall implemented, whether software or hardware.

  • Does the company have internal or external vulnerability scan analysis capability? How is the scanned information analyzed?

    A tool such as the Microsoft Baseline Security Analyzer (MBSA) is recommended for scanning for misconfigurations or vulnerabilities. It is also possible to outsource the security vulnerability testing process by hiring outside vendors to assess the security environment and provide suggestions for improvement where deemed necessary.

    Note   MBSA is an easy-to-use tool designed for the IT professional that helps small and medium-sized businesses determine their security state in accordance with Microsoft security recommendations. It also offers specific remediation guidance. Improve your security management process by using MBSA to help detect common security misconfigurations and missing security updates on your computer systems.

  • Is there a backup and recovery assessment plan in place?

    Ensure that there are backup plans and that the backup server is working effectively.

  • How many kinds of antivirus software does the company have? Is antivirus software installed on all systems?

    Reliance on a single antivirus platform may expose a company to risks, because each package has its own strengths and weaknesses.

  • Does the company have a wireless network implemented? If so, is the security on the wireless network enabled and properly configured?

    Even if a wired network is completely secured, an unsecured wireless network can introduce an unacceptable level of risk in an otherwise secure environment. Old wireless standards, such as WEP, are easily compromised, so research should be done to ensure that the most appropriate wireless security solution is in place.

  • Are the employees trained about how to prevent malware? Are they educated about the topic of malware risks?

    The most common form of malware propagation involves some form of social engineering and the most effective defense against social engineering threats is education.

  • Is there a written policy in place about how to prevent or handle malware threats? How often is the policy reviewed? Is it enforced? How well do staff adhere to this policy?

    Ensure that users are trained in how to avoid malware threats and in malware prevention. It is very important to have all of this information documented; written policy covering the above information and procedures should exist and be enforced. Reviews of this policy should be conducted whenever changes occur to ensure the effectiveness and validity of the stated policies.

Physical Security

Physical security entails restricting access to equipment for the purposes of preventing tampering, theft, human error, and the subsequent downtime caused by these actions.

Although physical security is more of a general security issue than a specific malware problem, it is impossible to protect against malware without an effective physical defense plan for all client, server, and network devices within an organization's infrastructure.

The following list includes critical elements to consider for an effective physical defense plan:

  • Building security. Who has access to the building?

  • Personnel security. How restrictive are employee access rights?

  • Network access points. Who has access to the network equipment?

  • Server computers. Who has access rights to the servers?

  • Workstation computers. Who has access rights to the workstations?

If any one of these elements is compromised, there is an increased level of risk that malware could bypass the external and internal network defense boundaries to infect a host on the network. Protecting access to facilities and to computing systems should be a fundamental element of security strategies.

For more detailed information, see the "5-Minute Security Advisor - Basic Physical Security" article on Microsoft TechNet at www.microsoft.com/technet/archive/community/columns/security/5min/5min-203.mspx

Logical Security

Software safeguards for information systems in midsize businesses include user ID and password access, authentication, and access rights, all of which are crucial for managing malware risks. These safeguards help ensure that only authorized users are able to perform actions or access information on a particular server or workstation on the network. Administrators should ensure that systems are configured in a way that is consistent with the job function of the computer user. Configuration of these safeguards may consider the following:

  • Limiting programs or utilities available to only those needed by the position.

  • Increasing controls on key system directories.

  • Increased levels of auditing.

  • Using least-privilege policies.

  • Limiting use of removable media, such as floppy disks.

  • Who should be granted administrative rights for the backup server, mail server(s), and file server(s)?

  • Who should have access to human resources folder(s)?

  • What privileged rights should be given for cross-department folders?

  • Should a workstation be used by different users? If so, what level of access should be given? Are users authorized to install a software application on their workstations?
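Questions such as who holds administrative rights on the backup, mail and file servers are only useful if they are checked against what is actually configured. The following script is an added example for this guide's readers, not code from the original page or from Microsoft: it compares an export of local Administrators group membership against a written policy and flags grants the policy does not allow, plus accounts that administer too many roles at once. The host names, roles, accounts, policy and threshold are all constructed sample data; the export itself would come from whatever group-membership collection the business already runs.

```python
"""Audit privileged group membership against an approved-access policy.

Added illustration, not from the guide: the host roles, group names, accounts,
policy and threshold below are constructed sample data.
"""
from collections import defaultdict

# Constructed export of local "Administrators" membership, as (host, server role, account).
MEMBERSHIP = [
    ("BACKUP01", "backup", "CORP\\backup-admins"),
    ("BACKUP01", "backup", "CORP\\jsmith"),
    ("MAIL01", "mail", "CORP\\mail-admins"),
    ("MAIL01", "mail", "CORP\\jsmith"),
    ("FILE01", "file", "CORP\\file-admins"),
    ("FILE01", "file", "CORP\\jsmith"),
    ("FILE01", "file", "CORP\\intern-tmp"),
    ("WS-HR-07", "workstation", "CORP\\amartin"),
]

# Who the written policy says may hold administrative rights for each server role.
# Only dedicated groups are approved, so individual accounts always show up as findings.
POLICY = {
    "backup": {"CORP\\backup-admins"},
    "mail": {"CORP\\mail-admins"},
    "file": {"CORP\\file-admins"},
    "workstation": set(),   # users are not local administrators on workstations
}

# An account administering more than this many distinct roles is a separation-of-duties
# finding even when each individual grant is approved.
MAX_ROLES_PER_ACCOUNT = 2


def audit(membership, policy, max_roles=MAX_ROLES_PER_ACCOUNT):
    """Return sorted (finding type, where, account) tuples for every policy violation."""
    findings = []
    roles_by_account = defaultdict(set)
    for host, role, account in membership:
        roles_by_account[account].add(role)
        allowed = policy.get(role)
        if allowed is None:
            findings.append(("unknown-role", host, account))       # role not covered by policy at all
        elif account not in allowed:
            findings.append(("unapproved-admin", host, account))   # grant the policy does not permit
    for account, roles in roles_by_account.items():
        if len(roles) > max_roles:
            findings.append(("over-broad", ",".join(sorted(roles)), account))
    return sorted(findings)


if __name__ == "__main__":
    for kind, where, account in audit(MEMBERSHIP, POLICY):
        print(f"{kind:17s} {where:20s} {account}")
```

In the sample data, jsmith is flagged three times for individual grants and once more for holding administrative rights over every server role, which is exactly the kind of single trusted insider the executive summary warns about; running the audit on a schedule turns the policy question into a repeatable control.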

User IDs, logon IDs or accounts, and user names are unique personal identifiers for users of a computer program or network that is accessible by more than one user. Authentication is the process for verifying that an entity or object is who or what it claims to be. Examples include confirming the source and integrity of information, such as verifying a digital signature or verifying the identity of a user or computer. To enhance security, it is strongly advised that every logon account have a password—secret authentication data that is used to control access to a resource or a computer. After a user can log on to the network, appropriate access rights should be defined. For example, a particular user can access a human resources folder, but only has Read access and cannot make any changes.

Other logical security issues include:

  • Password guidelines such as password aging and complexity.

  • Data and software backup.

  • Confidential information/sensitive data—use encryption where appropriate.

Appropriate authentication and authorization functions must be provided, corresponding with appropriate use and the acceptable level of risk. Attention should be focused on servers as well as workstations. All of the aforementioned elements of logical security should be clearly written, enforced, and made available companywide as points of reference.

Proactive vs. Reactive Policies and Procedures

Two basic approaches are used to help manage malware risk: proactive and reactive. Proactive approaches include all measures that are taken with the goal of preventing host-based or network-based attacks from successfully compromising systems. Reactive approaches are those procedures that midsize businesses use after they discover that some of their systems have been compromised by an intruder or attack program such as a Trojan horse or other malware.

Reactive Approaches

If the security of a system or network has been compromised, an incident response process is necessary. An incident response is the method of investigating a problem, analyzing its cause, minimizing its impact, resolving the problem, and documenting every step of the response for future reference.

Just as every company takes some measures to prevent future business losses, each also has plans in place to respond to such losses when the proactive measures either were not effective or did not exist. Reactive methods include disaster recovery plans, reinstallation of operating systems and applications on compromised systems, and switching to alternate systems in other locations. Having an appropriate set of reactive responses prepared and ready to implement is just as important as having proactive measures in place.

The following reactive response hierarchy diagram shows steps for handling malware incidents. Additional information about these steps is provided in the following text.

Figure 2. Reactive Response Hierarchy

  • Protect human life and people's safety. If affected computers include life support systems, shutting them off may not be an option. Perhaps you could logically isolate such systems on the network by reconfiguring routers and switches without disrupting their ability to help patients.

  • Contain the damage. Containing the damage that the attack caused helps to limit additional damage. Protect important data, software, and hardware quickly.

  • Assess the damage. Immediately make a duplicate of the hard disks in any servers that were attacked and put those aside for forensic use later. Then assess the damage.

  • Determine the cause of the damage. To ascertain the origin of the assault, it is necessary to understand the resources at which the attack was aimed and what vulnerabilities were exploited to gain access or disrupt services. Review the system configuration, patch level, system logs, audit logs, and audit trails on the systems that were directly affected as well as network devices that route traffic to them.

  • Repair the damage. It is very important that the damage be repaired as quickly as possible to restore normal business operations and recover any data that was lost during the attack.

  • Review response and update policies. After the documentation and recovery phases are complete, response and update policies should be thoroughly reviewed.

What should be done if the systems on the network are infected with viruses? The following list includes examples of a reactive approach:

  • Make sure the firewall in place is working. Get positive control over inbound and outbound traffic on the systems and on the network.

  • Address the most likely suspects first. Clean the most common malware threats and then check for unknown threats.

  • Isolate the infected system. Get it off the network and the Internet. Stop the infection from spreading to other systems on the network during the cleaning process.

  • Research outbreak control and cleanup techniques.

  • Download the latest virus definitions from antivirus software vendors.

  • Ensure that antivirus systems are configured to scan all files.

  • Run a full system scan.

  • Restore missing or corrupt data.

  • Remove or clean infected files.

  • Confirm that the computer systems are free of malware.

  • Reconnect the cleaned computer systems to the network.

Note It is important to ensure that all computer systems are running recent antivirus software and that automated processes are running to regularly update the virus definitions. It is particularly important that antivirus software be regularly updated on portable computers used by mobile workers. Maintain a database or a log that keeps track of what patches have been applied to the organization's most important systems: Internet-accessible systems, firewalls, internal routers, databases, and back office servers.
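
The Note above asks for a log of the patches applied to the organization's most important systems and for antivirus definitions to be kept current, with portable computers singled out. The Python below is an added example, not part of the original guidance or of any Microsoft tool: it keeps that log as a small CSV inventory and derives the two checks a practitioner would run over it, required patches missing per system class and definitions older than the class allows, with a tighter limit for portables. The system classes, the patch identifiers (KB-EXAMPLE-*, *-FIRMWARE-EXAMPLE-*) and all dates are constructed placeholders.

```python
"""Patch and antivirus-definition tracking for the most important systems.

Added example, not Microsoft's code. The inventory, the patch identifiers
(KB-EXAMPLE-*, *-FIRMWARE-EXAMPLE-*) and all dates are constructed
placeholders; a real log would carry the vendor's actual bulletin or KB ids.
"""
import csv
import io
from datetime import date, timedelta

# Required patch set per system class (constructed placeholders).
REQUIRED_PATCHES = {
    "internet-facing": {"KB-EXAMPLE-001", "KB-EXAMPLE-002", "KB-EXAMPLE-003"},
    "firewall": {"FW-FIRMWARE-EXAMPLE-2.1"},
    "internal-router": {"RTR-FIRMWARE-EXAMPLE-7"},
    "database": {"KB-EXAMPLE-001", "KB-EXAMPLE-004"},
    "back-office": {"KB-EXAMPLE-001", "KB-EXAMPLE-002"},
    "portable": {"KB-EXAMPLE-001", "KB-EXAMPLE-002"},
}
# Network devices carry no antivirus engine, so no definitions date is expected for them.
NO_ANTIVIRUS_CLASSES = {"firewall", "internal-router"}
# Portable computers get a tighter limit because they are often off the network.
MAX_DEFINITION_AGE = {"portable": timedelta(days=3)}
DEFAULT_MAX_DEFINITION_AGE = timedelta(days=7)

# Constructed patch log: one row per system, applied patches separated by ';'.
INVENTORY_CSV = """\
system,class,applied_patches,av_definitions_date,last_seen
web01,internet-facing,KB-EXAMPLE-001;KB-EXAMPLE-002;KB-EXAMPLE-003,2006-03-01,2006-03-01
fw01,firewall,FW-FIRMWARE-EXAMPLE-2.0,,2006-03-01
rtr01,internal-router,RTR-FIRMWARE-EXAMPLE-7,,2006-03-01
db01,database,KB-EXAMPLE-001,2006-02-27,2006-03-01
bo01,back-office,KB-EXAMPLE-001;KB-EXAMPLE-002,,2006-03-01
lt-sales-04,portable,KB-EXAMPLE-001;KB-EXAMPLE-002,2006-02-20,2006-02-20
"""


def load_inventory(csv_text):
    """Parse the log into dicts with a set of applied patches and date objects (None if blank)."""
    systems = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["applied_patches"] = {p for p in row["applied_patches"].split(";") if p}
        defs = row["av_definitions_date"]
        row["av_definitions_date"] = date.fromisoformat(defs) if defs else None
        row["last_seen"] = date.fromisoformat(row["last_seen"])
        systems.append(row)
    return systems


def missing_patches(systems):
    """system -> sorted required patches not recorded as applied (only systems with gaps)."""
    report = {}
    for s in systems:
        gaps = REQUIRED_PATCHES.get(s["class"], set()) - s["applied_patches"]
        if gaps:
            report[s["system"]] = sorted(gaps)
    return report


def definition_problems(systems, today):
    """system -> 'no antivirus recorded', or the age in days of definitions older than allowed."""
    report = {}
    for s in systems:
        if s["class"] in NO_ANTIVIRUS_CLASSES:
            continue
        if s["av_definitions_date"] is None:
            report[s["system"]] = "no antivirus recorded"
            continue
        limit = MAX_DEFINITION_AGE.get(s["class"], DEFAULT_MAX_DEFINITION_AGE)
        age = today - s["av_definitions_date"]
        if age > limit:
            report[s["system"]] = age.days
    return report


if __name__ == "__main__":
    inventory = load_inventory(INVENTORY_CSV)
    print("missing patches:", missing_patches(inventory))
    print("definition problems:", definition_problems(inventory, date(2006, 3, 2)))
```

Run stand-alone, it prints both reports for the constructed inventory. Network devices are excluded from the definitions check because they have no antivirus engine, while an endpoint with no definitions date on record is reported rather than silently passed.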

Proactive Approaches

A proactive approach for risk management has many advantages over a reactive approach. Instead of waiting for bad things to happen and then responding to them afterwards, you help minimize the possibility of the bad things ever occurring. Plans should be made to protect the organization's important assets by implementing controls to mitigate the risk of vulnerabilities being exploited by malware.

An effective proactive approach can help midsize businesses reduce the number of security incidents that arise in the future, but it is not likely that such problems will completely disappear. Therefore, they should continue to improve their incident response processes while simultaneously developing long-term proactive approaches. The following list includes some examples of proactive measures that can help manage malware risks.

  • Apply the latest firmware to hardware systems and routers as recommended by vendors.

  • Apply the latest security patches to server applications and other applications.

  • Subscribe to security-related e-mail lists from vendors and apply patches when recommended.

  • Ensure that all Microsoft computer systems are running recent antivirus software.

  • Ensure that automated processes are running to regularly update the virus definitions.

    Note   It is particularly important that antivirus software be regularly updated on portable computers used by mobile workers.

  • Maintain a database that keeps track of what patches have been applied.

  • Review security logs.

  • Enable perimeter or host-based firewalls.

  • Use a vulnerability scanner such as the Microsoft Baseline Security Analyzer to help detect common security misconfigurations and missing security updates on your computer systems.

  • Use least-privileged user accounts (LUA). If low-privileged processes are compromised, they will do less damage than high-privileged processes. Consequently, using a non-administrator account instead of an administrator account while completing daily tasks offers the user added protection against infection from a host of malware, external or internal security attacks, accidental or intentional modifications to system setup and configurations, and accidental or intentional access to confidential programs or documents.

  • Enforce strong password policies. Strong passwords reduce the likelihood of an attacker using a brute force attack to escalate privileges. Strong passwords typically have the following characteristics:

    • 15 or more characters.

    • Never contain account names, real names, or the company name in any form.

    • Never contain a complete word, slang term, or other readily searchable term.

    • Are significantly different in content from previous passwords and are not simply incremented.

    • Make use of at least three of the following character types:

      - Uppercase letters (A, B, C...)

      - Lowercase letters (a, b, c...)

      - Numerals (0, 1, 2...)

      - Non-alphanumeric symbols (@, &, $...)

      - Unicode characters (€, ƒ, λ...)

For more information about password policies, see the “Password Best practices” topic on Microsoft TechNet at https://technet2.microsoft.com/WindowsServer/en/Library/e903f7a2-4def-4f5f-9480-41de6010fd291033.mspx?mfr=true.
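
The characteristics listed above map directly onto a mechanical check. The Python below is an added example, not Microsoft's code or a Windows policy setting: it reports which of the listed rules a candidate password breaks. The account name, real name, company name, word list and password history are constructed sample data; a deployment would load a real dictionary and the directory's password history.

```python
"""Checker for the strong-password characteristics listed above.

Added example, not Microsoft's code. The account, real and company names,
the word list and the password history are constructed sample data.
"""
import re
from difflib import SequenceMatcher

MIN_LENGTH = 15
MIN_CHARACTER_TYPES = 3
SIMILARITY_LIMIT = 0.7  # assumption: a difflib ratio this high is "not significantly different"

# Constructed stand-in for a dictionary/slang word list.
COMMON_WORDS = {"password", "welcome", "summer", "winter", "letmein", "qwerty", "dragon"}


def character_types(pw):
    """Return which of the five character types from the list appear in pw."""
    types = set()
    for ch in pw:
        if not ch.isascii():
            types.add("unicode")   # e.g. €, ƒ, λ
        elif ch.isupper():
            types.add("upper")
        elif ch.islower():
            types.add("lower")
        elif ch.isdigit():
            types.add("digit")
        else:
            types.add("symbol")    # @, &, $, space, ...
    return types


def _normalize(text):
    """Lowercase and drop separators so 'J.Smith' and 'jsmith' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def contains_name(pw, names):
    """True if any part (3+ chars) of an account, real or company name appears
    forwards or reversed in the normalised password."""
    norm_pw = _normalize(pw)
    for name in names:
        for part in name.split():
            n = _normalize(part)
            if len(n) >= 3 and (n in norm_pw or n[::-1] in norm_pw):
                return True
    return False


def contains_word(pw, words):
    """True if a complete word from the list appears in the normalised password."""
    norm_pw = _normalize(pw)
    return any(w in norm_pw for w in words)


def is_increment_of(pw, previous):
    """Detect 'Summer2023!' -> 'Summer2024!': identical apart from the trailing number."""
    pattern = re.compile(r"(.*?)(\d+)(\W*)")
    new, old = pattern.fullmatch(pw), pattern.fullmatch(previous)
    return bool(new and old and new.group(1) == old.group(1) and new.group(3) == old.group(3))


def check_password(pw, account_name, real_name, company_name, previous_passwords=()):
    """Return the policy rules the candidate violates; an empty list means compliant."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if contains_name(pw, (account_name, real_name, company_name)):
        problems.append("contains account, real or company name")
    if contains_word(pw, COMMON_WORDS):
        problems.append("contains a complete dictionary/slang word")
    for previous in previous_passwords:
        similar = SequenceMatcher(None, pw.lower(), previous.lower()).ratio() >= SIMILARITY_LIMIT
        if similar or is_increment_of(pw, previous):
            problems.append("too similar to a previous password")
            break
    if len(character_types(pw)) < MIN_CHARACTER_TYPES:
        problems.append(f"uses fewer than {MIN_CHARACTER_TYPES} character types")
    return problems


if __name__ == "__main__":
    # Constructed user: account jsmith, John Smith at Contoso, previous password Summer2023!
    for candidate in ("Summer2024!", "johnsmithisthebest2024", "Tr0ut-Lantern#Gl4ss!"):
        verdict = check_password(candidate, "jsmith", "John Smith", "Contoso", ["Summer2023!"])
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The 0.7 similarity threshold is an assumption standing in for "significantly different"; the separate increment check catches the common Summer2023! to Summer2024! rotation explicitly, which is what the "not incremented" rule above is about.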

Defense-in-Depth

A proactive approach to managing malware risk in a midsize business environment should include the use of a layered defense-in-depth approach to help protect resources from external and internal threats. Defense-in-depth (sometimes referred to as security in depth or multilayered security) is used to describe the layering of security countermeasures to form a cohesive security environment without a single point of failure. The security layers that form the defense-in-depth strategy should include deploying protective measures from external routers all the way through to the location of the resources, and all points in between. Deploying multiple layers of security can help ensure that if one layer is compromised, the other layers will provide the security needed to protect the resources.

This section discusses the defense-in-depth security model, which is an excellent starting point for understanding the concept. This model identifies seven levels of security defenses that are designed to help ensure that attempts to compromise the security of midsize businesses will be met by a robust set of defenses. Each set is capable of helping to deflect attacks at many different levels.

Detailed definitions of each layer can be modified based on different organizations' security priorities and requirements. The following figure presents the layers of the defense-in-depth model.

Figure 3. The defense-in-depth security model

  • Data. Risks at the data layer arise from vulnerabilities an attacker could potentially exploit to gain access to configuration data, organization data, or any data that is unique to a device the organization uses.

  • Application. Risks at the application layer arise from vulnerabilities an attacker could potentially exploit to access running applications. Any executable code a malware writer can package outside of an operating system could be used to attack a system.

  • Host. This is the layer that vendors typically address with service packs and hotfixes for malware threats. Risks at this layer arise from attackers exploiting vulnerabilities in the services that the host or device offers.

  • Internal Network. The risks to businesses' internal networks largely concern the sensitive data transmitted via networks of this type. The connectivity requirements for client workstations on these internal networks also have a number of risks associated with them.

  • Perimeter Network. Risks associated with the perimeter network layer arise from an attacker gaining access to wide area networks (WANs) and the network tiers that they connect.

  • Physical Security. Risks at the physical layer arise from an attacker gaining physical access to a physical asset.

  • Policies, Procedures and Awareness. Surrounding all of the security model layers are the policies and procedures the midsize business needs to put in place to meet and support the requirements for each level.

The Data, Application, and Host layers can be combined into two defense strategies to help protect the business's clients and servers. Although these defenses share a number of common strategies, the differences in implementing client and server defenses are enough to warrant a unique defense approach for each.

The Internal Network and Perimeter layers can also be combined into a common Network Defenses strategy, because the technologies involved are the same for both layers. The implementation details will differ in each layer, depending on the position of the devices and technologies in the organization's infrastructure. For more information about defense in depth, refer to "Chapter 2: Malware Threats" of The Antivirus Defense-in-Depth Guide at https://go.microsoft.com/fwlink/?LinkId=50964.

Deployment and Management

Strategies for managing malware risk may comprise all the technologies and approaches discussed thus far in this document. It is recommended that reliable, satisfactory antivirus software be deployed on all systems. Windows Defender, a Microsoft tool that helps you stay productive by protecting your computer against pop-ups, slow performance, and security threats caused by spyware and other potentially unwanted software, should be used in concert with antivirus software. Both should be deployed as soon after operating system installation as possible. The latest antivirus software patches should be applied immediately, and the software configured to maintain its effectiveness at detecting and stopping malware. Because no single approach can be relied upon as a total security solution, the firewall, gateway, intrusion detection, and other security technologies discussed in earlier sections should be hardened in conjunction with antivirus software.

This section will discuss validation, monitoring and reporting, and available technologies.

Validation

When the previously identified approaches and technologies for managing malware risks have been studied and implemented, how can you assure that they are deployed effectively?

To validate a proposed solution, use the following tools to help validate the network and system environment:

  • Antivirus. Scan all systems for viruses using antivirus software with the latest signature file definitions.

  • Windows Defender. Scan all systems using Windows Defender for spyware and other potentially unwanted software.

  • Microsoft Baseline Security Analyzer (MBSA). Scan all systems using MBSA to help identify common security misconfigurations. You can learn more on the Microsoft Baseline Security Analyzer Web site at https://go.microsoft.com/fwlink/?linkid=17809.

In addition, any newly created accounts with appropriate access permissions should be tested to verify that they work as intended.

When strategies and implemented technologies have been validated, software and hardware patches should be applied as necessary to maintain security effectiveness. Users, and especially IT personnel, should always stay current with the latest updates.

Monitoring and Reporting

Ongoing monitoring of all devices in the network is essential in order to help detect malware attacks. Monitoring can be a complex process. It requires gathering information from a number of sources (such as logs from firewalls, routers, switches, and users) to compile a "normal" behavior baseline that can be used to identify abnormal behavior.

Strategies for monitoring and reporting malware in midsize business environments should include technologies and user education.

Technologies refers to properly deployed and implemented hardware and software technologies that can help midsize businesses monitor and report malware activities and respond accordingly. User education refers to awareness programs that include guidance for users about malware incident prevention, avoidance, and how to report incidents appropriately.

Technologies

It is possible to automate an alert monitoring system so that it can report suspected malware infection to a central location or to an appropriate point of contact who can then inform users how to respond. An automated alert system will minimize the delay between an initial alert and users being aware of the malware threat, but the problem with this approach is that it can generate "false positive" alerts. If no one is screening the alerts and reviewing an unusual activity reporting checklist, it is likely that alerts will warn of malware that is not present. This situation can lead to complacency, because users will quickly become desensitized to alerts that are generated too frequently.

It may be helpful to assign members of the network administration team the responsibility of receiving all automated malware alerts from all system monitoring software or antivirus packages that the company uses. The responsible individual or team can then filter out the false positive alerts from the automated systems before issuing alerts to users.
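
The baseline-versus-abnormal monitoring described under Monitoring and Reporting, and the alert screening described in the two paragraphs above, can be sketched together in one script. The Python below is an added example, not part of the Microsoft guidance and not the log format of any real firewall: from constructed firewall log lines it learns each host's normal hourly fan-out (distinct destinations contacted per hour), flags hours that exceed that baseline, and rolls repeated alerts for one host into a single summary so the team screening alerts is not flooded with one message per hour. The log format, host names, addresses and thresholds (3 sigma, a floor of 5 extra destinations) are assumptions.

```python
"""Baseline-then-detect over constructed firewall logs, with alert roll-up.

Added example; not part of the Microsoft guidance and not a real firewall
format. Every log line below is constructed. The measured feature is the
number of distinct destinations a host contacts per hour (fan-out), which
rises sharply when malware on a workstation starts probing its neighbours.
"""
import re
import statistics
from collections import defaultdict

# Constructed line format: "<ISO timestamp> host=<name> dst=<ip> port=<n> action=<allow|deny>"
LINE_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} host=(?P<host>\S+) "
    r"dst=(?P<dst>\S+) port=(?P<port>\d+) action=(?P<action>\w+)$"
)


def parse(lines):
    """Yield (hour_bucket, host, dst) for each well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("hour"), m.group("host"), m.group("dst")


def fan_out_per_hour(lines):
    """host -> {hour_bucket -> number of distinct destinations contacted in that hour}."""
    seen = defaultdict(lambda: defaultdict(set))
    for hour, host, dst in parse(lines):
        seen[host][hour].add(dst)
    return {host: {hour: len(dsts) for hour, dsts in hours.items()} for host, hours in seen.items()}


def build_baseline(training_lines):
    """'Normal' behaviour per host: mean and population stdev of hourly fan-out."""
    baseline = {}
    for host, per_hour in fan_out_per_hour(training_lines).items():
        counts = list(per_hour.values())
        baseline[host] = (statistics.fmean(counts), statistics.pstdev(counts))
    return baseline


def detect(baseline, live_lines, sigma=3.0, floor=5):
    """One raw alert per (host, hour) whose fan-out exceeds the host's baseline.

    Threshold is mean + sigma*stdev but never below mean + floor, so a host with a
    near-constant baseline is not flagged for a single extra destination.
    Hosts absent from the baseline are treated as having a baseline of zero."""
    alerts = []
    for host, per_hour in fan_out_per_hour(live_lines).items():
        mean, stdev = baseline.get(host, (0.0, 0.0))
        threshold = max(mean + sigma * stdev, mean + floor)
        for hour, count in sorted(per_hour.items()):
            if count > threshold:
                alerts.append({"host": host, "hour": hour, "count": count, "threshold": round(threshold, 1)})
    return alerts


def roll_up(alerts):
    """Collapse repeated alerts for one host into a single summary, so the people
    screening alerts see one message per affected host rather than one per hour."""
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append(alert)
    return [
        {"host": host, "hours_flagged": len(items), "peak_fan_out": max(a["count"] for a in items),
         "first": items[0]["hour"], "last": items[-1]["hour"]}
        for host, items in sorted(by_host.items())
    ]


def _lines(host, hour, dsts, port=445):
    """Constructed log lines: one allowed connection per destination inside `hour`."""
    return [f"{hour}:{i:02d}:00 host={host} dst={d} port={port} action=allow" for i, d in enumerate(dsts)]


# Baseline window: two workstations each talk to two or three file servers per hour.
TRAINING_LINES = []
for _h, _n in zip(range(8, 13), (2, 3, 2, 3, 2)):
    TRAINING_LINES += _lines("ws-12", f"2006-03-01T{_h:02d}", [f"10.0.0.{i}" for i in range(1, _n + 1)])
    TRAINING_LINES += _lines("ws-07", f"2006-03-01T{_h:02d}", ["10.0.0.1", "10.0.0.2"])

# Live window: ws-12 begins contacting dozens of hosts on port 445 within an hour.
LIVE_LINES = _lines("ws-12", "2006-03-01T14", ["10.0.0.1", "10.0.0.2"])
LIVE_LINES += _lines("ws-12", "2006-03-01T15", [f"10.0.1.{i}" for i in range(1, 31)])
LIVE_LINES += _lines("ws-12", "2006-03-01T16", [f"10.0.2.{i}" for i in range(1, 26)])
LIVE_LINES += _lines("ws-07", "2006-03-01T15", ["10.0.0.1", "10.0.0.2"])
LIVE_LINES.append("### truncated line ###")  # malformed input, skipped by parse()

if __name__ == "__main__":
    for summary in roll_up(detect(build_baseline(TRAINING_LINES), LIVE_LINES)):
        print(summary)
```

The baseline is deliberately per host: a file server that legitimately contacts many clients every hour never trips the check, while a workstation whose normal fan-out is two or three destinations does. The roll-up step is what keeps the responsible team's inbox readable, which is the point of the screening role described above.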

It is recommended that malware solutions be constantly reviewed and kept up-to-date. All aspects of malware protection are important, from simple automated virus signature downloads to complete changes in operational policy. Although some of the following tools have already been mentioned, they are essential for security management, monitoring and reporting:

  • Network Intrusion Detection (NID). Because the perimeter network is a highly exposed part of the network, it is extremely important that network management systems are able to detect and report an attack as soon as possible.

  • Microsoft Baseline Security Analyzer (MBSA). Improve the security management process by using MBSA to detect common security misconfigurations and missing security updates on computer systems.

  • Antivirus signature scanner. Most antivirus software programs currently use this technique, which involves searching the target (host computer, disk drive, or files) for a pattern that could represent malware.

  • SMTP gateway scanners. These Simple Mail Transfer Protocol (SMTP)-based e-mail scanning solutions are usually referred to as antivirus “gateway” solutions. They have the advantage of working with all SMTP e-mail services rather than being tied to a specific e-mail server product.

  • Log files. Files that list details of file accesses are stored and kept on a server. Log file analysis can reveal useful data about Web site traffic.

  • Event Viewer. The administrative tool that reports errors and other events, such as driver failures, file errors, logons, and logoffs.

  • Microsoft Windows Defender. A program that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software. It features Real-Time Protection, a monitoring system that recommends actions against spyware when it's detected, and a new streamlined interface that minimizes interruptions and helps users stay productive.

  • Internet Explorer 7. Use the Dynamic Security Protection features in Internet Explorer 7.

Additional recommended tools that can help scan and apply the latest updates or fixes include:

  • Microsoft Windows Server Update Services (WSUS) provides a comprehensive solution for managing updates within a midsize business network.

  • Microsoft Systems Management Server 2003 SP 1 provides a comprehensive solution for change and configuration management for the Microsoft platform, enabling organizations to provide relevant software and updates to users quickly and cost-effectively.

Consider subscribing to notifications of new patches that are applicable to your organization. To receive these notifications automatically, you can subscribe to Microsoft Security Bulletins at https://go.microsoft.com/fwlink/?LinkId=21723.

User Education

As mentioned in an earlier section of this document, all users should be educated about malware and its characteristics, the severity of potential threats, avoidance techniques, the ways that malware spreads, and the risks that malware poses. User education should also include awareness of the policies and procedures that apply to malware incident handling, such as how to detect malware on a computer, how to report suspected infections, and what users themselves can do to assist incident handlers. Midsize businesses should conduct training sessions about strategies for managing malware risks for IT staff members who are involved in malware incident prevention.

Summary

Malware is a complex and constantly evolving area of computer technology. Of all the problems that are encountered in IT, few are as prevalent and costly as malware attacks and the associated costs of dealing with them. Understanding how they work, how they evolve over time, and the attack vectors that they exploit can help midsize businesses deal with the issue proactively and create more efficient and effective reactive processes. Malware uses so many techniques to create, distribute, and exploit computer systems that it can be difficult to understand how any system can be made secure enough to withstand such attacks. However, understanding the challenges and having strategies for managing malware risks in place will enable midsize businesses to manage their systems and network infrastructure in a manner that helps reduce the likelihood of a successful attack.

Appendix A: Common Information System Assets

This appendix lists information system assets commonly found in midsize businesses of various types. It is not intended to be comprehensive, and it is unlikely that this list will represent all of the assets present in your organization's unique environment. It is provided as a reference list and a starting point to help midsize businesses get underway.

Table A.1. List of Common Information Systems Assets

Asset class | Highest level description of your asset | Next level definition (if needed) | Asset value rating (5 is the highest)
----------- | --------------------------------------- | --------------------------------- | -------------------------------------
Tangible | Physical infrastructure | Data centers | 5
Tangible | Physical infrastructure | Servers | 3
Tangible | Physical infrastructure | Desktop computers | 1
Tangible | Physical infrastructure | Mobile computers | 3
Tangible | Physical infrastructure | PDAs | 1
Tangible | Physical infrastructure | Cell phones | 1
Tangible | Physical infrastructure | Server application software | 1
Tangible | Physical infrastructure | End-user application software | 1
Tangible | Physical infrastructure | Development tools | 3
Tangible | Physical infrastructure | Routers | 3
Tangible | Physical infrastructure | Network switches | 3
Tangible | Physical infrastructure | Fax machines | 1
Tangible | Physical infrastructure | PBXs | 3
Tangible | Physical infrastructure | Removable media (tapes, floppy disks, CD-ROMs, DVDs, portable hard drives, PC card storage devices, USB storage devices, and so on) | 1
Tangible | Physical infrastructure | Power supplies | 3
Tangible | Physical infrastructure | Uninterruptible power supplies | 3
Tangible | Physical infrastructure | Fire suppression systems | 3
Tangible | Physical infrastructure | Air conditioning systems | 3
Tangible | Physical infrastructure | Air filtration systems | 1
Tangible | Physical infrastructure | Other environmental control systems | 3
Tangible | Intranet data | Source code | 5
Tangible | Intranet data | Human resources data | 5
Tangible | Intranet data | Financial data | 5
Tangible | Intranet data | Marketing data | 5
Tangible | Intranet data | Employee passwords | 5
Tangible | Intranet data | Employee private cryptographic keys | 5
Tangible | Intranet data | Computer system cryptographic keys | 5
Tangible | Intranet data | Smart cards | 5
Tangible | Intranet data | Intellectual property | 5
Tangible | Intranet data | Data for regulatory requirements (GLBA, HIPAA, CA SB1386, EU Data Protection Directive, and so on) | 5
Tangible | Intranet data | U.S. Employee Social Security numbers | 5
Tangible | Intranet data | Employee drivers' license numbers | 5
Tangible | Intranet data | Strategic plans | 3
Tangible | Intranet data | Customer consumer credit reports | 5
Tangible | Intranet data | Customer medical records | 5
Tangible | Intranet data | Employee biometric identifiers | 5
Tangible | Intranet data | Employee business contact data | 1
Tangible | Intranet data | Employee personal contact data | 3
Tangible | Intranet data | Purchase order data | 5
Tangible | Intranet data | Network infrastructure design | 3
Tangible | Intranet data | Internal Web sites | 3
Tangible | Intranet data | Employee ethnographic data | 3
Tangible | Extranet data | Partner contract data | 5
Tangible | Extranet data | Partner financial data | 5
Tangible | Extranet data | Partner contact data | 3
Tangible | Extranet data | Partner collaboration application | 3
Tangible | Extranet data | Partner cryptographic keys | 5
Tangible | Extranet data | Partner credit reports | 3
Tangible | Extranet data | Partner purchase order data | 3
Tangible | Extranet data | Supplier contract data | 5
Tangible | Extranet data | Supplier financial data | 5
Tangible | Extranet data | Supplier contact data | 3
Tangible | Extranet data | Supplier collaboration application | 3
Tangible | Extranet data | Supplier cryptographic keys | 5
Tangible | Extranet data | Supplier credit reports | 3
Tangible | Extranet data | Supplier purchase order data | 3
Tangible | Internet data | Web site sales application | 5
Tangible | Internet data | Web site marketing data | 3
Tangible | Internet data | Customer credit card data | 5
Tangible | Internet data | Customer contact data | 3
Tangible | Internet data | Public cryptographic keys | 1
Tangible | Internet data | Press releases | 1
Tangible | Internet data | White papers | 1
Tangible | Internet data | Product documentation | 1
Tangible | Internet data | Training materials | 3
Intangible | Reputation | | 5
Intangible | Goodwill | | 3
Intangible | Employee morale | | 3
Intangible | Employee productivity | | 3
IT Services | Messaging | E-mail/scheduling (for example, Microsoft Exchange) | 3
IT Services | Messaging | Instant messaging | 1
IT Services | Messaging | Microsoft Outlook® Web Access (OWA) | 1
IT Services | Core infrastructure | Active Directory® directory service | 3
IT Services | Core infrastructure | Domain Name System (DNS) | 3
IT Services | Core infrastructure | Dynamic Host Configuration Protocol (DHCP) | 3
IT Services | Core infrastructure | Enterprise management tools | 3
IT Services | Core infrastructure | File sharing | 3
IT Services | Core infrastructure | Storage | 3
IT Services | Core infrastructure | Dial-up remote access | 3
IT Services | Core infrastructure | Telephony | 3
IT Services | Core infrastructure | Virtual Private Networking (VPN) access | 3
IT Services | Core infrastructure | Microsoft Windows® Internet Naming Service (WINS) | 1
IT Services | Other infrastructure | Collaboration services (for example, Microsoft SharePoint®) |

Appendix B: Common Threats

This appendix lists threats that are likely to affect midsize businesses. The list is not comprehensive, and, because it is static, will not remain current. It is provided as a reference list and a starting point to help your organization get underway.

Table B.1. List of Common Threats

High level description of the threat | Specific example
------------------------------------ | ----------------
Catastrophic incident | Fire
Catastrophic incident | Flood
Catastrophic incident | Earthquake
Catastrophic incident | Severe storm
Catastrophic incident | Terrorist attack
Catastrophic incident | Civil unrest/riots
Catastrophic incident | Landslide
Catastrophic incident | Avalanche
Catastrophic incident | Industrial accident
Mechanical failure | Power outage
Mechanical failure | Hardware failure
Mechanical failure | Network outage
Mechanical failure | Environmental controls failure
Mechanical failure | Construction accident
Non-malicious person | Uninformed employee
Non-malicious person | Uninformed user
Malicious person | Hacker, cracker
Malicious person | Computer criminal
Malicious person | Industrial espionage
Malicious person | Government sponsored espionage
Malicious person | Social engineering
Malicious person | Disgruntled current employee
Malicious person | Disgruntled former employee
Malicious person | Terrorist
Malicious person | Negligent employee
Malicious person | Dishonest employee (bribed or victim of blackmail)
Malicious person | Malicious mobile code

Appendix C: Vulnerabilities

This appendix lists vulnerabilities that are likely to affect midsize businesses. The list is not comprehensive, and, because it is static, will not remain current. It is provided as a reference list and a starting point to help your organization get underway.

Table C.1. List of Vulnerabilities

High level vulnerability class | Brief description of the vulnerability | Specific example (if applicable)
------------------------------ | -------------------------------------- | --------------------------------
Physical | Unlocked doors |
Physical | Unguarded access to computing facilities |
Physical | Insufficient fire suppression systems |
Physical | Poorly designed buildings |
Physical | Poorly constructed buildings |
Physical | Flammable materials used in construction |
Physical | Flammable materials used in finishing |
Physical | Unlocked windows |
Physical | Walls susceptible to physical assault |
Physical | Interior walls do not completely seal the room at both the ceiling and floor |
Natural | Facility located on a fault line |
Natural | Facility located in a flood zone |
Natural | Facility located in an avalanche area |
Hardware | Missing patches |
Hardware | Outdated firmware |
Hardware | Misconfigured systems |
Hardware | Systems not physically secured |
Hardware | Management protocols allowed over public interfaces |
Software | Out of date antivirus software |
Software | Missing patches |
Software | Poorly written applications | Cross site scripting
Software | Poorly written applications | SQL injection
Software | Poorly written applications | Code weaknesses such as buffer overflows
Software | Deliberately placed weaknesses | Vendor backdoors for management or system recovery
Software | Deliberately placed weaknesses | Spyware such as keyloggers
Software | Deliberately placed weaknesses | Trojan horses
Software | Deliberately placed weaknesses |
Software | Configuration errors | Manual provisioning leading to inconsistent configurations
Software | Configuration errors | Systems not hardened
Software | Configuration errors | Systems not audited
Software | Configuration errors | Systems not monitored
Media | Electrical interference |
Communications | Unencrypted network protocols |
Communications | Connections to multiple networks |
Communications | Unnecessary protocols allowed |
Communications | No filtering between network segments |
Human | Poorly defined procedures | Insufficient incident response preparedness
Human | Poorly defined procedures | Manual provisioning
Human | Poorly defined procedures | Insufficient disaster recovery plans
Human | Poorly defined procedures | Testing on production systems
Human | Poorly defined procedures | Violations not reported
Human | Poorly defined procedures | Poor change control
Human | Stolen credentials |
