Strategies for Managing Malware Risks
Introduction
Definition
Challenges
Solutions
Summary
Appendix A: Common Information System Assets
Appendix B: Common Threats
Appendix C: Vulnerabilities
References
Welcome to this document from the Midsize Business Security Guidance collection. Microsoft hopes that the following information will help you create a more secure and productive computing environment.
As malicious software, or malware, has become more evolved and sophisticated, so have the software and hardware technologies for helping to prevent malware threats and attacks.
Malware threats have been very costly for midsize businesses in both attack defense and response technologies and operations. The Internet has significantly raised the profile of external threats to midsize business environments while some of the greatest threats still continue, such as internal attacks.
Internal attacks that have the highest potential for damage result from the activities of insiders in the most trusted positions, such as network administrators. Insiders involved with malicious activities are likely to have specific goals and objectives, such as planting a Trojan horse or unauthorized file system browsing while maintaining legitimate access to the systems. More commonly, insiders do not have malicious intent but may plant malicious software by unintentionally connecting infected systems or devices to an internal network resulting in a compromise of the integrity/confidentiality of the system or by affecting system performance, availability, and/or storage capacity.
Analysis of both internal and external threats has led many midsize businesses to investigate systems that help monitor networks and detect attacks, including resources for helping to manage malware risks in real time.
This document provides information about strategies for helping to manage malware risks in midsize businesses. The document is divided into four main sections: Introduction, Definition, Challenges, and Solutions.
This section clarifies what malware is (and also what is not malware), its characteristics, and risk management.
This section describes many of the common challenges that midsize businesses face with regard to managing malware risks, including:
Common information system assets
Common threats
Vulnerabilities
Educating end users and policies
Balancing risk management and business need
This section provides additional information about policies, approaches, and strategies, including:
Physical and logical policies
Reactive and proactive approaches to malware and virus prevention
Strategies for helping to reduce malware
Malware risk assessment and management are also discussed in this section as part of the strategies to help prevent malware threats. This section will also provide information about monitoring and reporting tools to help scan, detect, and report malware activities.
This document is primarily intended for management and IT personnel in midsize businesses to help them better understand malware threats, how to help defend against these threats, and how to respond quickly and appropriately when malware attacks occur.
Malware is an abbreviation of the words "malicious software." It is a collective noun that includes viruses, worms, and Trojan horses that intentionally perform malicious tasks on a computer system. Technically, malware is any malicious code.
The following subsections describe different malware categories.
Trojan horse. A program that appears to be useful or harmless but that contains hidden code designed to exploit or damage the system on which it is run. Trojan horse programs (also called Trojan code) are most commonly delivered to users through e-mail messages that misrepresent the program's purpose and function. Trojan horse programs do this by delivering a malicious payload or task when they are run.
Worm. A worm uses self-propagating malicious code that can automatically distribute itself from one computer to another through network connections. A worm can take harmful action, such as consuming network or local system resources, possibly causing a denial of service attack. Some worms can execute and spread without user intervention, while others require users to execute the worm code directly in order to spread. Worms may also deliver a payload in addition to replicating.
Virus. A virus uses code written with the express intention of replicating itself. A virus attempts to spread from computer to computer by attaching itself to a host program. It may damage hardware, software, or data. When the host is executed, the virus code also runs, infecting new hosts and sometimes delivering an additional payload.
Spyware. This type of software is sometimes referred to as spybot or tracking software. Spyware uses other forms of deceptive software and programs that conduct certain activities on a computer without obtaining appropriate consent from the user. These activities can include collecting personal information and changing Internet browser configuration settings. Beyond being an annoyance, spyware results in a variety of issues that range from degrading the overall performance of your computer to violating your personal privacy.
Web sites that distribute spyware use a variety of tricks to get users to download and install it on their computers. These tricks include creating deceptive user experiences and covertly bundling spyware with other software users might want, such as free file sharing software.
Adware. A type of advertising display software, specifically certain executable applications whose primary purpose is to deliver advertising content potentially in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions, and therefore may also be categorized as tracking technologies. Some consumers may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program, or are frustrated by its effects on system performance. Conversely, some users may wish to keep particular adware programs if their presence subsidizes the cost of a desired product or service or if they provide advertising that is useful or desired, such as ads that are competitive or complementary to what the user is looking at or searching for.
For more information, see the Malware topic in Wikipedia at https://en.wikipedia.org/wiki/Malware and the "What is Malware?" topic in The Antivirus Defense-in-Depth Guide at www.microsoft.com/technet/security/guidance/serversecurity/avdind_2.mspx#ELF.
The various characteristics that each category of malware can exhibit are often very similar. For example, a virus and a worm may both use the network as a transport mechanism. However, a virus will look for files to infect while the worm will simply attempt to copy itself. The following section provides brief explanations of typical malware characteristics.
When malware attempts to attack a host system, a number of specific components may be required before the attack can succeed. The following components are typical examples of the types of components malware may require to launch an attack against a host:
Devices. Some malware will specifically target a device type, such as a personal computer, an Apple Macintosh computer, or even a Personal Digital Assistant (PDA). Mobile devices such as cell phones are becoming more popular target devices.
Operating systems. Malware may require a particular operating system to be effective. For example, the CIH or Chernobyl virus of the late 1990s could only attack computers running Microsoft® Windows® 95 or Windows 98. Newer operating systems are more secure. Unfortunately, malware is becoming more sophisticated as well.
Applications. Malware may require a particular application to be installed on the target computer before it can deliver a payload or replicate. For example, the LFM.926 virus of 2002 could only attack if Shockwave Flash (.swf) files could execute on the local computer.
If the malware is a virus, it will attempt to target a carrier object (also known as a host) to infect it. The number and type of targeted carrier objects varies widely among different forms of malware, but the following list provides examples of the most commonly targeted carriers:
Executable files. These carriers are the targets of the "classic" virus type that replicates by attaching itself to a host program. In addition to typical executable files that use the .exe extension, files with extensions such as the following can also be used for this purpose: .com, .sys, .dll, .ovl, .ocx, and .prg.
Scripts. Attacks that use scripts as carriers target files that use a scripting language, such as Microsoft Visual Basic® Script, JavaScript, AppleScript, or Perl Script. Extensions for files of this type include: .vbs, .js, .wsh, and .prl.
Macros. These carriers are files that support a macro scripting language of a particular application, such as a word processor, spreadsheet, or database application. For example, viruses can use the macro languages in Microsoft Word and Lotus Ami Pro to produce a number of effects, ranging from mischievous (switching words around in the document or changing colors) to malicious (formatting the computer's hard drive).
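The carrier classes above can be turned into a simple inventory check for a file share. The following is an added example, not code from the Microsoft guidance: it classifies files by the executable and script extensions the document lists, and goes one step further by flagging files that begin with the "MZ" signature of a Windows executable under a non-executable extension. The macro extensions and the sample share contents are assumptions constructed for the example.

```python
"""Inventory of malware carrier objects on a directory tree.

Added example (not from the Microsoft guidance): classifies files by the
carrier types the document lists (executables, scripts, macro documents)
and additionally flags files whose content starts with the 'MZ' signature
of a Windows executable although their extension does not say so.
"""
import os
import tempfile
from collections import defaultdict

# Extension sets taken from the document's "carrier objects" list.
EXECUTABLE_EXT = {".exe", ".com", ".sys", ".dll", ".ovl", ".ocx", ".prg"}
SCRIPT_EXT = {".vbs", ".js", ".wsh", ".prl"}
# The document names Word and Ami Pro macro documents but gives no
# extensions; these are an assumption made for the example.
MACRO_EXT = {".doc", ".dot", ".xls", ".sam"}

MZ_SIGNATURE = b"MZ"  # first two bytes of every DOS/Windows PE executable


def classify(path):
    """Return the carrier class of one file: 'executable', 'script',
    'macro', 'disguised-executable' (MZ header under another extension)
    or None when the file is not a known carrier type."""
    ext = os.path.splitext(path)[1].lower()
    if ext in EXECUTABLE_EXT:
        return "executable"
    if ext in SCRIPT_EXT:
        return "script"
    if ext in MACRO_EXT:
        return "macro"
    try:
        with open(path, "rb") as fh:
            head = fh.read(2)
    except OSError:
        return None
    if head == MZ_SIGNATURE:
        return "disguised-executable"
    return None


def inventory(root):
    """Walk root and return {carrier class: sorted relative paths}."""
    found = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            kind = classify(full)
            if kind:
                found[kind].append(os.path.relpath(full, root))
    return {k: sorted(v) for k, v in found.items()}


def build_sample_share():
    """Create a constructed sample 'network share' in a temp directory.
    File contents are fake stand-ins, only the first bytes matter here."""
    root = tempfile.mkdtemp(prefix="share-")
    samples = {
        "tools/setup.exe": b"MZ\x90\x00fake",
        "tools/helper.dll": b"MZ\x90\x00fake",
        "scripts/login.vbs": b"MsgBox \"hi\"",
        "docs/budget.xls": b"\xd0\xcf\x11\xe0fake",
        "docs/readme.txt": b"plain text",
        "docs/report.pdf": b"MZ\x90\x00not really a pdf",  # mislabelled PE
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for kind, paths in sorted(inventory(share).items()):
        print(f"{kind}: {len(paths)} file(s)")
        for p in paths:
            print("   ", p)
```

Pointing inventory() at a real share gives a first cut at which carrier files antivirus scanning and share permissions need to cover.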
An attack can use one or many different methods to try and replicate between computer systems. This section provides information about a few of the more common transport mechanisms that malware uses.
Removable media. The original and probably the most prolific transmitter of computer viruses and other malware (at least until recently) is file transfer. This mechanism started with floppy disks, then moved to networks, and is now finding new media such as Universal Serial Bus (USB) devices and Firewire. The rate of infection is not as rapid as with network-based malware, yet the threat is ever present and hard to eradicate completely because of the need to exchange data between systems.
Network shares. When computers were provided a mechanism to connect to each other directly via a network, malware writers were presented with another transport mechanism that had the potential to exceed the abilities of removable media to spread malicious code. Poorly implemented security on network shares produces an environment where malware can replicate to a large number of computers connected to the network. This method has largely replaced the manual method of using removable media.
Peer-to-peer (P2P) networks. For P2P file transfers to occur, a user must first install a client component of the P2P application that will use the network.
For additional information, see the "Malware Characteristics" section of The Antivirus Defense-in-Depth Guide at www.microsoft.com/technet/security/guidance/serversecurity/avdind_2.mspx#EQAAC.
A variety of threats exist that are not considered malware because they are not computer programs written with malicious intent. However, these threats can still have both security and financial implications for midsize businesses. The following list describes some common examples of threats that should be considered and understood when developing a comprehensive security strategy.
Joke software. Joke applications are designed to produce a smile or, at worst, a waste of someone's time. These applications have existed for as long as people have been using computers. Because they were not developed with malicious intent and are clearly identified as jokes, they are not considered malware for the purposes of this guidance. Numerous examples of joke applications exist, producing everything from interesting screen effects to amusing animations or games.
Hoaxes. A trick message warning of a virus that doesn’t actually exist is an example of a hoax. Like some other forms of malware, hoaxes use social engineering to attempt to trick computer users into performing some act. However, there is no code to execute in a hoax; the hoaxer is usually simply trying to trick the victim. A common example of a hoax is an e-mail message or a chain-mail that claims a new virus type has been discovered and to warn friends by forwarding the message. This type of hoax message wastes people's time, takes up e-mail server resources, and consumes network bandwidth. However, hoaxes can also cause damage if they instruct users to change computer configurations (for example, deleting registry keys or system files).
Scams. An e-mail message that attempts to trick the recipient into revealing personal information that can be used for unlawful purposes (such as bank account information) is a common example of a scam. One particular type of a scam has become known as phishing (pronounced “fishing”) and is also referred to as brand spoofing or carding.
Spam. Spam is unsolicited e-mail generated to advertise some service or product. This phenomenon is generally considered a nuisance, but spam is not malware. However, the dramatic increase in the number of spam messages being sent is a problem for the infrastructure of the Internet. Spam also causes lost productivity for employees who are forced to wade through and delete such messages every day.
Internet cookies. Internet cookies are text files that are placed on a user's computer by Web sites that the user visits. Cookies contain and provide identifying information about the user to the Web sites that place them on the user computer, along with whatever information the sites want to retain about the user's visit.
Cookies are legitimate tools that many Web sites use to track visitor information. Unfortunately, some Web site developers have been known to use cookies to gather information without the user's knowledge. Some may deceive users or omit their policies. For example, they may track Web surfing habits across many different Web sites without informing the user. The site developers can then use this information to customize the advertisements the user sees on a Web site, which is considered an invasion of privacy.
For additional detailed information about malware and its characteristics, see The Antivirus Defense-in-Depth Guide on Microsoft TechNet at www.microsoft.com/technet/security/guidance/serversecurity/avdind_0.mspx.
Microsoft defines risk management as the process by which risks are identified and the impact of those risks determined.
Attempting to put in place a plan for security risk management can be overwhelming for midsize businesses. Possible factors may include the lack of in-house expertise, budget resources, or guidelines to outsource.
Security risk management provides a proactive approach that can assist midsize businesses in planning their strategies against malware threats.
A formal security risk management process enables midsize businesses to operate in the most cost efficient manner with a known and acceptable level of business risk. It also gives them a consistent, clear path to organize and prioritize limited resources in order to manage risk.
To facilitate the tasks of managing risks, Microsoft has developed The Security Risk Management Guide, which provides guidance about the following four processes:
Assessing risk. Identify and prioritize risks to the business.
Conducting decision support. Identify and evaluate control solutions based on a defined cost-benefit analysis process.
Implementing controls. Deploy and operate control solutions to help reduce risk to the business.
Measuring program effectiveness. Analyze the risk management process for effectiveness and verify that controls are providing the expected degree of protection.
Detailed information about this topic is beyond the scope of this paper. However, it is essential to understand the concept and processes in order to help plan, deploy, and implement a solution strategy for malware risk. The following figure shows the four primary processes of risk management.
Figure 1. The 4 primary risk management processes
For more information about risk management, see The Security Risk Management Guide on Microsoft TechNet at https://go.microsoft.com/fwlink/?linkid=30794.
Malware attacks can be mounted via different vectors or attack methods on a specific weak point. It is recommended that midsize businesses perform risk assessments that not only determine their vulnerability profiles but also help determine what level of risk is acceptable to that specific company. Midsize businesses need to develop strategies to help reduce malware risks.
Some of the challenges for reducing malware risks in a midsize business environment include:
Common information system assets
Common threats
Vulnerabilities
User education
Balancing risk management and business needs
Information systems security provides essential information to help manage the security of midsize businesses. Common information system assets refer to both the physical and the logical aspects of a company. They could include servers, workstations, software, and user licenses.
Employee business contact data, mobile computers, routers, human resources data, strategic plans, internal Web sites, and employee passwords are all common information system assets. An extensive list is provided in "Appendix A: Common Information System Assets" at the end of this document.
Several methods through which malware can compromise midsize businesses are sometimes referred to as threat vectors, and represent the areas that require the most attention when designing an effective solution to help reduce malware risks. Common threats include natural disasters, mechanical failures, malicious persons, uninformed users, social engineering, malicious mobile code, and disgruntled employees. This wide range of threats presents challenges not only for midsize businesses but businesses of all sizes.
"Appendix B: Common Threats" at the end of this document provides an extensive list of threats that are likely to affect midsize businesses.
Vulnerabilities represent weaknesses in IT system security procedures and policies, administrative controls, physical layout, internal controls, and other areas that could be exploited by a threat to gain unauthorized access to information or disrupt critical processing. Vulnerabilities are both physical and logical. They include natural disaster, mechanical failures, software misconfigurations, unpatched software, and human error. "Appendix C: Vulnerabilities" at the end of this document provides an extensive list of vulnerabilities that are likely to affect midsize businesses.
With regard to physical and logical information security, the biggest vulnerability is not necessarily the computers or software flaws but the computer users. Employees may make obvious errors such as typing in their passwords where others can see them, downloading and opening e-mail attachments that contain viruses, or failing to shut down their computers at night. Because human actions can greatly affect computer security, educating employees, IT staff, and management should be made a priority. Equally important is the need for all personnel to develop good security habits. These approaches are simply more cost efficient for the business in the long run. Training should provide users with recommendations for avoiding malicious activities and should educate them about potential threats and how to avoid them. Security practices that users should be aware of include the following:
Never reply to e-mail requests for financial or personal information.
Never provide passwords.
Do not open suspicious e-mail file attachments.
Do not respond to any suspicious or unwanted e-mails.
Do not install unauthorized applications.
Lock their computers when they are not actively using them by password-protecting the screen saver or through the CTRL-ALT-DELETE dialog box.
Enable a firewall.
Use strong passwords on their remote computers.
Written policies and accepted procedures are a necessity for helping to enforce the security practices. To be effective, all IT policies should include the support of upper management and provide an enforcement mechanism, a way to inform users, and a way to educate users. Example policies might address the following topics:
How to detect malware on a computer.
How to report suspected infections.
What users can do to assist incident handlers, such as recording the last action a user took before the system became infected.
Processes and procedures to mitigate operating system and application vulnerabilities that malware might exploit.
Patch management, application of security configuration guides and checklists.
Investing in a risk management process helps prepare midsize businesses to articulate priorities, plan to mitigate threats, and address the next threat or vulnerability to the business.
Budget constraints may dictate IT security spending but a well-structured risk management methodology, when used effectively, can help management identify appropriate controls for providing the mission-essential security capabilities.
Midsize businesses must strike a delicate balance between risk management and their business needs. The following questions may be helpful when balancing risk management and business needs:
Should the company configure its systems itself or should it be done by the hardware/software supplier? What would be the cost?
Should you use load balancing or clustering as mechanisms to ensure high availability of applications? What does it take to put these mechanisms in place?
Do you need an alarm system for your server room?
Should you use electronic key systems for the building or the server room?
What is the company’s budget for computer systems?
What is the company’s budget for technology support and maintenance?
How much money would you estimate your company has spent on your computer systems (hardware/software maintenance) in the last year?
How many computers are in the main site of your company? Do you have an inventory of computer hardware and software?
Are your older systems powerful enough to run most of the software you need to run?
How many new or upgraded computers would you estimate you need? How many would be optimum?
Does each user have to have a printer?
For more detailed information on risk management, refer to the Security Risk Management Guide at https://go.microsoft.com/fwlink/?linkid=30794.
This section explains different strategies for helping to manage malware risks, including reactive and proactive approaches to malware and physical and logical policies. Validation methods such as reporting tools and monitoring will be discussed as well.
When developing strategies to help reduce malware, it is important to define the necessary operational key points where malware detection and/or prevention can be implemented. When it comes to managing malware risk, a single device or technology should not be relied upon as the only line of defense. Preferred methods should include a layered approach using proactive and reactive mechanisms throughout the network. Antivirus software plays a key role in this area; however, it should not be the only instrument used to detect malware attacks. For further detailed information on the layered approach, refer to the section titled "The Malware Defense Approach" in The Antivirus Defense-in-Depth Guide at www.microsoft.com/technet/security/guidance/serversecurity/avdind_3.mspx#E1F.
The following operational key points are discussed further in detail:
Assessing malware risks
Physical security
Logical security
Proactive vs. reactive policies and procedures
Deployment and management
When assessing malware risks, midsize businesses need to be mindful of the attack vectors that are most vulnerable to threats. How are they protected and to what extent? The following questions should be considered:
Does the company have a firewall installed?
Firewalls are an important part of perimeter defense. A network firewall commonly serves as a primary line of defense against external threats to an organization's computer systems, networks, and critical information. Midsize businesses should have some sort of firewall implemented, whether a software or a hardware firewall.
Does the company have internal or external vulnerability scan analysis capability? How is the scanned information analyzed?
A tool such as the Microsoft Baseline Security Analyzer (MBSA) is recommended for scanning for misconfigurations or vulnerabilities. It is also possible to outsource the security vulnerability testing process by hiring outside vendors to assess the security environment and provide suggestions for improvement where deemed necessary.
Note: MBSA is an easy-to-use tool designed for the IT professional that helps small and medium-sized businesses determine their security state in accordance with Microsoft security recommendations. It also offers specific remediation guidance. Improve your security management process by using MBSA to help detect common security misconfigurations and missing security updates on your computer systems.
Is there a backup and recovery assessment plan in place?
Ensure that there are backup plans and that the backup server is working effectively.
How many kinds of antivirus software does the company have? Is antivirus software installed on all systems?
Reliance on a single antivirus platform may expose a company to risks, because each package has its own strengths and weaknesses.
Does the company have a wireless network implemented? If so, is the security on the wireless network enabled and properly configured?
Even if a wired network is completely secured, an unsecured wireless network can introduce an unacceptable level of risk in an otherwise secure environment. Old wireless standards, such as WEP, are easily compromised, so research should be done to ensure that the most appropriate wireless security solution is in place.
Are the employees trained about how to prevent malware? Are they educated about the topic of malware risks?
The most common form of malware propagation involves some form of social engineering and the most effective defense against social engineering threats is education.
Is there a written policy in place about how to prevent or handle malware threats? How often is the policy reviewed? Is it enforced? How well do staff adhere to this policy?
Ensure that users are trained on how to avoid malware threats and malware prevention. It’s very important to have all of this information documented; written policy pertinent to the above information and procedures should exist and be reinforced. Reviews of this policy should be conducted whenever changes occur to ensure the effectiveness and the validity of stated policies.
Physical security entails restricting access to equipment for the purposes of preventing tampering, theft, human error, and the subsequent downtime caused by these actions.
Although physical security is more of a general security issue than a specific malware problem, it is impossible to protect against malware without an effective physical defense plan for all client, server, and network devices within an organization's infrastructure.
The following list includes critical elements to consider for an effective physical defense plan:
Building security. Who has access to the building?
Personnel security. How restrictive are employee access rights?
Network access points. Who has access to the network equipment?
Server computers. Who has access rights to the servers?
Workstation computers. Who has access rights to the workstations?
If any one of these elements is compromised, there is an increased level of risk that malware could bypass the external and internal network defense boundaries to infect a host on the network. Protecting access to facilities and to computing systems should be a fundamental element of security strategies.
For more detailed information, see the "5-Minute Security Advisor - Basic Physical Security" article on Microsoft TechNet at www.microsoft.com/technet/archive/community/columns/security/5min/5min-203.mspx.
Software safeguards for information systems in midsize businesses include user ID and password access, authentication, and access rights, all of which are crucial for managing malware risks. These safeguards help ensure that only authorized users are able to perform actions or access information on a particular server or workstation on the network. Administrators should ensure that systems are configured in a way that is consistent with the job function of the computer user. Configuration of these safeguards may consider the following:
Limiting programs or utilities available to only those needed by the position.
Increasing controls on key system directories.
Increased levels of auditing.
Using least-privilege policies.
Limiting use of removable media, such as floppy disks.
Who should be granted administrative rights for the backup server, mail server(s), and file server(s)?
Who should have access to human resources folder(s)?
What privileged rights should be given for cross-department folders?
Should a workstation be used by different users? If so, what level of access should be given? Are users authorized to install a software application on their workstations?
User IDs, logon IDs or accounts, and user names are unique personal identifiers for users of a computer program or network that is accessible by more than one user. Authentication is the process for verifying that an entity or object is who or what it claims to be. Examples include confirming the source and integrity of information, such as verifying a digital signature or verifying the identity of a user or computer. To enhance security, it is strongly advised that every logon account have a password—secret authentication data that is used to control access to a resource or a computer. After a user logs on to the network, appropriate access rights should be defined. For example, a particular user can access a human resources folder, but only has Read access and cannot make any changes.
Other logical security issues include:
Password guidelines such as password aging and complexity.
Data and software backup.
Confidential information/sensitive data—use encryption where appropriate.
Appropriate authentication and authorization functions must be provided, corresponding with appropriate use and the acceptable level of risk. Attention should be focused on servers as well as workstations. All aforementioned elements of logical security should be clearly written, enforced, and made available companywide as a point of reference.
Two basic approaches are used to help manage malware risk: proactive and reactive. Proactive approaches include all measures that are taken with the goal of preventing host-based or network-based attacks from successfully compromising systems. Reactive approaches are those procedures that midsize businesses use after they discover that some of their systems have been compromised by an intruder or attack program such as a Trojan horse or other malware.
If the security of a system or network has been compromised, an incident response process is necessary. An incident response is the method of investigating a problem, analyzing its cause, minimizing its impact, resolving the problem, and documenting every step of the response for future reference.
Just as every company takes some measures to prevent future business losses, each also has plans in place to respond to such losses when the proactive measures either were not effective or did not exist. Reactive methods include disaster recovery plans, reinstallation of operating systems and applications on compromised systems, and switching to alternate systems in other locations. Having an appropriate set of reactive responses prepared and ready to implement is just as important as having proactive measures in place.
The following reactive response hierarchy diagram shows steps for handling malware incidents. Additional information about these steps is provided in the following text.
Figure 2. Reactive Response Hierarchy
Protect human life and people's safety. If affected computers include life support systems, shutting them off may not be an option. Perhaps you could logically isolate such systems on the network by reconfiguring routers and switches without disrupting their ability to help patients.
Contain the damage. Containing the damage that the attack caused helps to limit additional damage. Protect important data, software, and hardware quickly.
Assess the damage. Immediately make a duplicate of the hard disks in any servers that were attacked and put those aside for forensic use later. Then assess the damage.
Determine the cause of the damage. To ascertain the origin of the assault, it is necessary to understand the resources at which the attack was aimed and what vulnerabilities were exploited to gain access or disrupt services. Review the system configuration, patch level, system logs, audit logs, and audit trails on the systems that were directly affected as well as network devices that route traffic to them.
Repair the damage. It is very important that the damage be repaired as quickly as possible to restore normal business operations and recover any data that was lost during the attack.
Review response and update policies. After the documentation and recovery phases are complete, response and update policies should be thoroughly reviewed.
What should be done if the systems on the network are infected with viruses? The following list includes examples of a reactive approach:
Make sure the firewall in place is working. Get positive control over inbound and outbound traffic on the systems and on the network.
Address the most likely suspects first. Clean the most common malware threats and then check for unknown threats.
Isolate the infected system. Get it off the network and the Internet. Stop the infection from spreading to other systems on the network during the cleaning process.
Research outbreak control and cleanup techniques.
Download the latest virus definitions from antivirus software vendors.
Ensure that antivirus systems are configured to scan all files.
Run a full system scan.
Restore missing or corrupt data.
Remove or clean infected files.
Confirm that the computer systems are free of malware.
Reconnect the cleaned computer systems to the network.
Note: It is important to ensure that all computer systems are running recent antivirus software and that automated processes are running to regularly update the virus definitions. It is particularly important that antivirus software be regularly updated on portable computers used by mobile workers. Maintain a database or a log that keeps track of what patches have been applied to the organization's most important systems: Internet-accessible systems, firewalls, internal routers, databases, and back office servers.
A proactive approach for risk management has many advantages over a reactive approach. Instead of waiting for bad things to happen and then responding to them afterwards, you help minimize the possibility of the bad things ever occurring. Plans should be made to protect the organization's important assets by implementing controls to mitigate the risk of vulnerabilities being exploited by malware.
An effective proactive approach can help midsize businesses reduce the number of security incidents that arise in the future, but it is not likely that such problems will completely disappear. Therefore, they should continue to improve their incident response processes while simultaneously developing long-term proactive approaches. The following list includes some examples of proactive measures that can help manage malware risks.
Apply the latest firmware to hardware systems and routers as recommended by vendors.
Apply the latest security patches to server applications and other applications.
Subscribe to security-related e-mail lists from vendors and apply patches when recommended.
Ensure that all Microsoft computer systems are running recent antivirus software.
Ensure that automated processes are running to regularly update the virus definitions.
Note: It is particularly important that antivirus software be regularly updated on portable computers used by mobile workers.
Maintain a database that keeps track of what patches have been applied.
Review security logs.
Enable perimeter or host-based firewalls.
Use a vulnerability scanner such as the Microsoft Baseline Security Analyzer to help detect common security misconfigurations and missing security updates on your computer systems.
Use least-privileged user accounts (LUA). If low-privileged processes are compromised, they will do less damage than high-privileged processes. Consequently, using a non-administrator account instead of an administrator account while completing daily tasks offers the user added protection against infection from a host of malware, external or internal security attacks, accidental or intentional modifications to system setup and configurations, and accidental or intentional access to confidential programs or documents.
Enforce strong password policies. Strong passwords reduce the likelihood of an attacker using a brute force attack to escalate privileges. Strong passwords typically have the following characteristics:
15 or more characters.
Never contain account names, real names, or the company name in any form.
Never contain a complete word, slang term, or other readily searchable term.
Are significantly different in content from previous passwords and are not simply incremented.
Make use of at least three of the following character types:
- Uppercase letters (A, B, C...)
- Lowercase letters (a, b, c...)
- Numerals (0, 1, 2...)
- Non-alphanumeric symbols (@, &, $...)
- Unicode characters (€, ƒ, λ...)
For more information about password policies, see the “Password Best practices” topic on Microsoft TechNet at https://technet2.microsoft.com/WindowsServer/en/Library/e903f7a2-4def-4f5f-9480-41de6010fd291033.mspx?mfr=true.
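As an added example (not part of the original guidance), the following Python script checks a candidate password against the characteristics listed above, including the "not incremented" and "significantly different from previous passwords" rules. The COMMON_WORDS list, the sample names and the edit-distance threshold used for "significantly different" are assumptions made for this example.

```python
# Added example, not from the Microsoft guidance: checks a candidate password
# against the characteristics listed above. COMMON_WORDS and MIN_EDIT_DISTANCE
# are assumptions made for this example; a real deployment would use a full
# dictionary/slang list and its own similarity threshold.
import string

MIN_LENGTH = 15         # "15 or more characters"
MIN_CLASSES = 3         # "at least three of the following character types"
MIN_EDIT_DISTANCE = 5   # assumption: edits needed to count as "significantly different"

# Constructed stand-in for a dictionary / slang / readily searchable term list.
COMMON_WORDS = frozenset({
    "password", "welcome", "summer", "winter", "secret", "admin",
    "letmein", "monkey", "dragon", "qwerty", "football",
})


def character_classes(password):
    """Return the set of character types present, using the five types named above."""
    classes = set()
    for ch in password:
        if not ch.isascii():
            classes.add("unicode")       # €, ƒ, λ ... are treated as their own type
        elif ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def _stem(password):
    """Lower-case and drop trailing digits, so 'Summer2019' and 'Summer2020' share a stem."""
    return password.lower().rstrip(string.digits)


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(password, *, account_name="", real_name="", company_name="",
                   previous_passwords=(), dictionary=COMMON_WORDS):
    """Return the list of rules the password violates; an empty list means it passes."""
    violations = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    # "In any form": identity terms are matched case-insensitively and also reversed.
    identity_terms = {t.lower() for t in (account_name, company_name, *real_name.split()) if t}
    for term in sorted(identity_terms):
        if term in lowered or term[::-1] in lowered:
            violations.append(f"contains identity term {term!r}")

    for word in sorted(dictionary):
        if word in lowered:
            violations.append(f"contains dictionary word {word!r}")

    for old in previous_passwords:
        if _stem(old) == _stem(password):
            violations.append("increments a previous password")
        elif edit_distance(old.lower(), lowered) < MIN_EDIT_DISTANCE:
            violations.append("too similar to a previous password")

    if len(character_classes(password)) < MIN_CLASSES:
        violations.append(f"uses fewer than {MIN_CLASSES} character types")

    return violations


if __name__ == "__main__":
    # Constructed sample: the first candidate merely increments the stored one.
    history = ["Tr0ub4dor&3xplorer!92"]
    for candidate in ["Tr0ub4dor&3xplorer!93", "Summer2019!!!!!!!", "V€ryL0ng-but-f1ne?Phrase"]:
        print(candidate, "->", check_password(candidate, previous_passwords=history) or "OK")
```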
A proactive approach to managing malware risk in a midsize business environment should include the use of a layered defense-in-depth approach to help protect resources from external and internal threats. Defense-in-depth (sometimes referred to as security in depth or multilayered security) is used to describe the layering of security countermeasures to form a cohesive security environment without a single point of failure. The security layers that form the defense-in-depth strategy should include deploying protective measures from external routers all the way through to the location of the resources, and all points in between. Deploying multiple layers of security can help ensure that if one layer is compromised, the other layers will provide the security needed to protect the resources.
This section discusses the defense-in-depth security model, which is an excellent starting point for understanding the concept. This model identifies seven levels of security defenses that are designed to help ensure that attempts to compromise the security of midsize businesses will be met by a robust set of defenses. Each set is capable of helping to deflect attacks at many different levels.
Detailed definitions of each layer can be modified based on different organizations' security priorities and requirements. The following figure presents the layers of the defense-in-depth model.
Figure 3. The defense-in-depth security model
Data. Risks at the data layer arise from vulnerabilities an attacker could potentially exploit to gain access to configuration data, organization data, or any data that is unique to a device the organization uses.
Application. Risks at the application layer arise from vulnerabilities an attacker could potentially exploit to access running applications. Any executable code a malware writer can package outside of an operating system could be used to attack a system.
Host. This layer is typically targeted by vendors who provide service packs and hot fixes to address malware threats. Risks at this layer arise from attackers exploiting vulnerabilities in the services that the host or device offers.
Internal Network. The risks to businesses' internal networks largely concern the sensitive data transmitted via networks of this type. The connectivity requirements for client workstations on these internal networks also have a number of risks associated with them.
Perimeter Network. Risks associated with the perimeter network layer arise from an attacker gaining access to wide area networks (WANs) and the network tiers that they connect.
Physical Security. Risks at the physical layer arise from an attacker gaining physical access to a physical asset.
Policies, Procedures and Awareness. Surrounding all of the security model layers are the policies and procedures the midsize business needs to put in place to meet and support the requirements for each level.
The Data, Application, and Host layers can be combined into two defense strategies to help protect the business’ clients and servers. Although these defenses share a number of common strategies, the differences in implementing client and server defenses are enough to warrant a unique defense approach for each.
The Internal Network and Perimeter layers can also be combined into a common Network Defenses strategy, because the technologies involved are the same for both layers. The implementation details will differ in each layer, depending on the position of the devices and technologies in the organization's infrastructure. For more information about defense in depth, refer to "Chapter 2: Malware Threats" of The Antivirus Defense-in-Depth Guide at https://go.microsoft.com/fwlink/?LinkId=50964.
Strategies for managing malware risk may comprise all the technologies and approaches discussed thus far in this document. It is recommended that reliable, satisfactory antivirus software is deployed on all systems. Windows Defender, a Microsoft tool that helps you stay productive by protecting your computer against pop-ups, slow performance and security threats caused by spyware and other potentially unwanted software, should be used in concert with antivirus software. In fact, they should be deployed as soon after the operating system installation as possible. The latest antivirus software patches should be applied immediately and configured to maintain effectiveness at detecting and stopping malware. Because no single approach can be relied upon as a total security solution, firewall, gateway, intrusion detection, and other security solution technologies discussed in earlier sections should be hardened in conjunction with antivirus software.
This section will discuss validation, monitoring and reporting, and available technologies.
When the previously identified approaches and technologies for managing malware risks have been studied and implemented, how can you assure that they are deployed effectively?
To validate a proposed solution, use the following tools to help validate the network and system environment:
Antivirus. Scan all systems for viruses using antivirus software with the latest signature file definitions.
Windows Defender. Scan all systems using Windows Defender for spyware and other potentially unwanted software.
Microsoft Baseline Security Analyzer (MBSA). Scan all systems using MBSA to help identify common security misconfigurations. You can learn more on the Microsoft Baseline Security Analyzer Web site at https://go.microsoft.com/fwlink/?linkid=17809.
In addition, any newly created accounts with appropriate access permissions should be tested and verified to make sure that they work as intended.
When strategies and implemented technologies have been validated, software and hardware patches should be applied as necessary for continued security effectiveness. Users, and especially IT personnel, should always stay current with the latest updates.
Ongoing monitoring of all devices in the network is essential in order to help detect malware attacks. Monitoring can be a complex process. It requires gathering information from a number of sources (such as logs from firewalls, routers, switches, and users) to compile a "normal" behavior baseline that can be used to identify abnormal behavior.
Strategies for monitoring and reporting malware in midsize business environments should include technologies and user education.
Technologies refers to properly deployed and implemented hardware and software technologies that can help midsize businesses monitor and report malware activities and respond accordingly. User education refers to awareness programs that include guidance for users about malware incident prevention, avoidance, and how to report incidents appropriately.
Technologies
It is possible to automate an alert monitoring system so that it can report suspected malware infection to a central location or to an appropriate point of contact who can then inform users how to respond. An automated alert system will minimize the delay between an initial alert and users being aware of the malware threat, but the problem with this approach is that it can generate "false positive" alerts. If no one is screening the alerts and reviewing an unusual activity reporting checklist, it is likely that alerts will warn of malware that is not present. This situation can lead to complacency, because users will quickly become desensitized to alerts that are generated too frequently.
It may be helpful to assign members of the network administration team the responsibility of receiving all automated malware alerts from all system monitoring software or antivirus packages that the company uses. The responsible individual or team can then filter out the false positive alerts from the automated systems before issuing alerts to users.
It is recommended that malware solutions be constantly reviewed and kept up-to-date. All aspects of malware protection are important, from simple automated virus signature downloads to complete changes in operational policy. Although some of the following tools have already been mentioned, they are essential for security management, monitoring and reporting:
Network Intrusion Detection (NID). Because the perimeter network is a highly exposed part of the network, it is extremely important that network management systems are able to detect and report an attack as soon as possible.
Microsoft Baseline Security Analyzer (MBSA). Improve the security management process by using MBSA to detect common security misconfigurations and missing security updates on computer systems.
Antivirus signature scanner. Most antivirus software programs currently use this technique, which involves searching the target (host computer, disk drive, or files) for a pattern that could represent malware.
SMTP gateway scanners. These Simple Mail Transfer Protocol (SMTP)-based e-mail scanning solutions are usually referred to as antivirus “gateway” solutions. They have the advantage of working with all SMTP e-mail services rather than being tied to a specific e-mail server product.
Log files. Files that list details of file accesses are stored and kept on a server. Log file analysis can reveal useful data about Web site traffic.
Event Viewer. The administrative tool that reports errors and other events, such as driver failures, file errors, logons, and logoffs.
Microsoft Windows Defender. A program that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software. It features Real-Time Protection, a monitoring system that recommends actions against spyware when it's detected, and a new streamlined interface that minimizes interruptions and helps users stay productive.
Use Dynamic Security Protection in Internet Explorer 7.
Additional recommended tools that can help scan and apply the latest updates or fixes include:
Microsoft Windows Server Update Services (WSUS) provides a comprehensive solution for managing updates within a midsize business network.
Microsoft Systems Management Server 2003 SP 1 provides a comprehensive solution for change and configuration management for the Microsoft platform, enabling organizations to provide relevant software and updates to users quickly and cost-effectively.
Consider subscribing to any new patches that are applicable to your organization. To receive these notifications automatically, you can subscribe to Microsoft Security Bulletins at https://go.microsoft.com/fwlink/?LinkId=21723.
User Education
As mentioned in an earlier section of this document, all users should be educated about malware and its characteristics, the severity of potential threats, avoidance techniques, the ways that malware spreads, and the risks that malware poses. User education should also include awareness of the policies and procedures that apply to malware incident handling, such as how to detect malware on a computer, how to report suspected infections, and what users themselves can do to assist incident handlers. Midsize businesses should conduct training sessions about strategies for managing malware risks for IT staff members who are involved in malware incident prevention.
Malware is a complex and constantly evolving area of computer technology. Of all the problems that are encountered in IT, few are as prevalent and costly as malware attacks and the associated costs of dealing with them. Understanding how they work, how they evolve over time, and the attack vectors that they exploit can help midsize businesses deal with the issue proactively and create more efficient and effective reactive processes. Malware uses so many techniques to create, distribute, and exploit computer systems that it can be difficult to understand how any system can be made secure enough to withstand such attacks. However, understanding the challenges and having strategies for managing malware risks in place will enable midsize businesses to manage their systems and network infrastructure in a manner that helps reduce the likelihood of a successful attack.
This appendix lists information system assets commonly found in midsize businesses of various types. It is not intended to be comprehensive, and it is unlikely that this list will represent all of the assets present in your organization's unique environment. It is provided as a reference list and a starting point to help midsize businesses get underway.
Table A.1. List of Common Information Systems Assets
| Asset class | Highest level description of your asset | Next level definition (if needed) | Asset value rating (5 is the highest) |
|---|---|---|---|
| Tangible | Physical infrastructure | Data centers | 5 |
| Tangible | Physical infrastructure | Servers | 3 |
| Tangible | Physical infrastructure | Desktop computers | 1 |
| Tangible | Physical infrastructure | Mobile computers | 3 |
| Tangible | Physical infrastructure | PDAs | 1 |
| Tangible | Physical infrastructure | Cell phones | 1 |
| Tangible | Physical infrastructure | Server application software | 1 |
| Tangible | Physical infrastructure | End-user application software | 1 |
| Tangible | Physical infrastructure | Development tools | 3 |
| Tangible | Physical infrastructure | Routers | 3 |
| Tangible | Physical infrastructure | Network switches | 3 |
| Tangible | Physical infrastructure | Fax machines | 1 |
| Tangible | Physical infrastructure | PBXs | 3 |
| Tangible | Physical infrastructure | Removable media (tapes, floppy disks, CD-ROMs, DVDs, portable hard drives, PC card storage devices, USB storage devices, and so on) | 1 |
| Tangible | Physical infrastructure | Power supplies | 3 |
| Tangible | Physical infrastructure | Uninterruptible power supplies | 3 |
| Tangible | Physical infrastructure | Fire suppression systems | 3 |
| Tangible | Physical infrastructure | Air conditioning systems | 3 |
| Tangible | Physical infrastructure | Air filtration systems | 1 |
| Tangible | Physical infrastructure | Other environmental control systems | 3 |
| Tangible | Intranet data | Source code | 5 |
| Tangible | Intranet data | Human resources data | 5 |
| Tangible | Intranet data | Financial data | 5 |
| Tangible | Intranet data | Marketing data | 5 |
| Tangible | Intranet data | Employee passwords | 5 |
| Tangible | Intranet data | Employee private cryptographic keys | 5 |
| Tangible | Intranet data | Computer system cryptographic keys | 5 |
| Tangible | Intranet data | Smart cards | 5 |
| Tangible | Intranet data | Intellectual property | 5 |
| Tangible | Intranet data | Data for regulatory requirements (GLBA, HIPAA, CA SB1386, EU Data Protection Directive, and so on) | 5 |
| Tangible | Intranet data | U.S. Employee Social Security numbers | 5 |
| Tangible | Intranet data | Employee drivers' license numbers | 5 |
| Tangible | Intranet data | Strategic plans | 3 |
| Tangible | Intranet data | Customer consumer credit reports | 5 |
| Tangible | Intranet data | Customer medical records | 5 |
| Tangible | Intranet data | Employee biometric identifiers | 5 |
| Tangible | Intranet data | Employee business contact data | 1 |
| Tangible | Intranet data | Employee personal contact data | 3 |
| Tangible | Intranet data | Purchase order data | 5 |
| Tangible | Intranet data | Network infrastructure design | 3 |
| Tangible | Intranet data | Internal Web sites | 3 |
| Tangible | Intranet data | Employee ethnographic data | 3 |
| Tangible | Extranet data | Partner contract data | 5 |
| Tangible | Extranet data | Partner financial data | 5 |
| Tangible | Extranet data | Partner contact data | 3 |
| Tangible | Extranet data | Partner collaboration application | 3 |
| Tangible | Extranet data | Partner cryptographic keys | 5 |
| Tangible | Extranet data | Partner credit reports | 3 |
| Tangible | Extranet data | Partner purchase order data | 3 |
| Tangible | Extranet data | Supplier contract data | 5 |
| Tangible | Extranet data | Supplier financial data | 5 |
| Tangible | Extranet data | Supplier contact data | 3 |
| Tangible | Extranet data | Supplier collaboration application | 3 |
| Tangible | Extranet data | Supplier cryptographic keys | 5 |
| Tangible | Extranet data | Supplier credit reports | 3 |
| Tangible | Extranet data | Supplier purchase order data | 3 |
| Tangible | Internet data | Web site sales application | 5 |
| Tangible | Internet data | Web site marketing data | 3 |
| Tangible | Internet data | Customer credit card data | 5 |
| Tangible | Internet data | Customer contact data | 3 |
| Tangible | Internet data | Public cryptographic keys | 1 |
| Tangible | Internet data | Press releases | 1 |
| Tangible | Internet data | White papers | 1 |
| Tangible | Internet data | Product documentation | 1 |
| Tangible | Internet data | Training materials | 3 |
| Intangible | Reputation | | 5 |
| Intangible | Goodwill | | 3 |
| Intangible | Employee morale | | 3 |
| Intangible | Employee productivity | | 3 |
| IT Services | Messaging | E-mail/scheduling (for example, Microsoft Exchange) | 3 |
| IT Services | Messaging | Instant messaging | 1 |
| IT Services | Messaging | Microsoft Outlook® Web Access (OWA) | 1 |
| IT Services | Core infrastructure | Active Directory® directory service | 3 |
| IT Services | Core infrastructure | Domain Name System (DNS) | 3 |
| IT Services | Core infrastructure | Dynamic Host Configuration Protocol (DHCP) | 3 |
| IT Services | Core infrastructure | Enterprise management tools | 3 |
| IT Services | Core infrastructure | File sharing | 3 |
| IT Services | Core infrastructure | Storage | 3 |
| IT Services | Core infrastructure | Dial-up remote access | 3 |
| IT Services | Core infrastructure | Telephony | 3 |
| IT Services | Core infrastructure | Virtual Private Networking (VPN) access | 3 |
| IT Services | Core infrastructure | Microsoft Windows® Internet Naming Service (WINS) | 1 |
| IT Services | Other infrastructure | Collaboration services (for example, Microsoft SharePoint®) | |
This appendix lists threats that are likely to affect midsize businesses. The list is not comprehensive, and, because it is static, will not remain current. It is provided as a reference list and a starting point to help your organization get underway.
Table B.1. List of Common Threats
| High level description of the threat | Specific example |
|---|---|
| Catastrophic incident | Fire |
| Catastrophic incident | Flood |
| Catastrophic incident | Earthquake |
| Catastrophic incident | Severe storm |
| Catastrophic incident | Terrorist attack |
| Catastrophic incident | Civil unrest/riots |
| Catastrophic incident | Landslide |
| Catastrophic incident | Avalanche |
| Catastrophic incident | Industrial accident |
| Mechanical failure | Power outage |
| Mechanical failure | Hardware failure |
| Mechanical failure | Network outage |
| Mechanical failure | Environmental controls failure |
| Mechanical failure | Construction accident |
| Non-malicious person | Uninformed employee |
| Non-malicious person | Uninformed user |
| Malicious person | Hacker, cracker |
| Malicious person | Computer criminal |
| Malicious person | Industrial espionage |
| Malicious person | Government sponsored espionage |
| Malicious person | Social engineering |
| Malicious person | Disgruntled current employee |
| Malicious person | Disgruntled former employee |
| Malicious person | Terrorist |
| Malicious person | Negligent employee |
| Malicious person | Dishonest employee (bribed or victim of blackmail) |
| Malicious person | Malicious mobile code |
This appendix lists vulnerabilities that are likely to affect midsize businesses. The list is not comprehensive, and, because it is static, will not remain current. It is provided as a reference list and a starting point to help your organization get underway.
Table C.1. List of Vulnerabilities
| High level vulnerability class | Brief description of the vulnerability | Specific example (if applicable) |
|---|---|---|
| Physical | Unlocked doors | |
| Physical | Unguarded access to computing facilities | |
| Physical | Insufficient fire suppression systems | |
| Physical | Poorly designed buildings | |
| Physical | Poorly constructed buildings | |
| Physical | Flammable materials used in construction | |
| Physical | Flammable materials used in finishing | |
| Physical | Unlocked windows | |
| Physical | Walls susceptible to physical assault | |
| Physical | Interior walls do not completely seal the room at both the ceiling and floor | |
| Natural | Facility located on a fault line | |
| Natural | Facility located in a flood zone | |
| Natural | Facility located in an avalanche area | |
| Hardware | Missing patches | |
| Hardware | Outdated firmware | |
| Hardware | Misconfigured systems | |
| Hardware | Systems not physically secured | |
| Hardware | Management protocols allowed over public interfaces | |
| Software | Out of date antivirus software | |
| Software | Missing patches | |
| Software | Poorly written applications | Cross site scripting |
| Software | Poorly written applications | SQL injection |
| Software | Poorly written applications | Code weaknesses such as buffer overflows |
| Software | Deliberately placed weaknesses | Vendor backdoors for management or system recovery |
| Software | Deliberately placed weaknesses | Spyware such as keyloggers |
| Software | Deliberately placed weaknesses | Trojan horses |
| Software | Deliberately placed weaknesses | |
| Software | Configuration errors | Manual provisioning leading to inconsistent configurations |
| Software | Configuration errors | Systems not hardened |
| Software | Configuration errors | Systems not audited |
| Software | Configuration errors | Systems not monitored |
| Media | Electrical interference | |
| Communications | Unencrypted network protocols | |
| Communications | Connections to multiple networks | |
| Communications | Unnecessary protocols allowed | |
| Communications | No filtering between network segments | |
| Human | Poorly defined procedures | Insufficient incident response preparedness |
| Human | Poorly defined procedures | Manual provisioning |
| Human | Poorly defined procedures | Insufficient disaster recovery plans |
| Human | Poorly defined procedures | Testing on production systems |
| Human | Poorly defined procedures | Violations not reported |
| Human | Poorly defined procedures | Poor change control |
| Human | Stolen credentials | |
- www.microsoft.com/technet/security/guidance/serversecurity/avdind_3.mspx#EBKAE
- Survey of Security Risk Management Practices: www.microsoft.com/technet/security/guidance/complianceandpolicies/secrisk/srsgch02.mspx
- Security Risk Management Guide: www.microsoft.com/technet/security/guidance/complianceandpolicies/secrisk/default.mspx
- The Antivirus Defense-in-Depth Guide: www.microsoft.com/technet/security/guidance/serversecurity/avdind_0.mspx