S 2.154 Creating a security concept against malware

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Head of IT, IT Security Officer

To achieve effective protection against malware throughout an organisation, adequate and compatible security safeguards need to be selected and implemented.

The use of a conceptional approach is a prerequisite for applying suitable security safeguards to all affected IT systems and for maintaining the required level of protection at all times through regular updates.

The following describes the essential contents of a security concept against malware.

Dependency of the organisation on the use of IT

The dependency of the organisation on the use of IT is assessed in the framework of the security policy and the protection requirements determination. From these documents, it is possible to derive the possible consequences of implementing inadequate security safeguards against malware or of not implementing any safeguards at all. The personnel and financial resources required to eliminate malware and the damages caused by it are usually much higher than the time and expense required to avoid an infection by implementing suitable security safeguards. Adequate protection against malware should be achieved through the use of the security safeguards selected.

Description of the potential threats

Malware poses a risk to proper operations. It has different effects on different IT systems and can severely impair their functionality. Malware can be used to manipulate, steal, or spy on data.

Identification of the IT systems threatened

In general, all IT systems that can come into contact with malware through communication connections or data media are threatened.

At the present time, malware primarily threatens IT systems running Windows operating systems as well as IT systems with application programs whose files can become infected with macro viruses, for example. Malware can appear on other operating systems or application programs as well, though. For example, this also applies to Unix/Linux systems, Mac OS systems, and the operating systems of mobile telephones. Operating systems not belonging to the Windows family of operating systems are not worthwhile targets for the developers of malware at the present time because they are still not widely used. The potential threat to such systems is therefore lower.

Malware also poses a threat to IT systems that are not connected to the internal network. In particular, it is also necessary to take laptops, PDAs, mobile telephones, and other mobile devices into account.

Even stand-alone systems that are able to communicate with other IT systems over alternative channels (for example via dial-up lines or through data media) must be taken into account.

Security safeguards can be set up based on this information. IT systems particularly at risk should be handled with higher priority. Since the threat posed by malware increases as the level of networking between the IT systems increases, IT systems acting as interfaces to the Internet are particularly threatened by malware and should be considered first.

Appointing contact persons

An important aspect of the overview is a list of the contact persons for each of the IT systems. The primary point of contact for users should not be responsible only for providing protection against malware since users are not usually able to reliably determine if their problems are because their computers are infected with malware or if there are other reasons for their problems. It is not necessary to establish a separate, manual reporting system just for malware. Instead, the structures already existing for other types of security incidents should be utilised (see S 6.60 Specification of reporting paths for security incidents and S 2.12 Services and counselling for IT users). In this case, the users should be provided with a single point of contact for reporting all types of security problems (e.g. a user help desk, Support department, etc.).

Accompanying security safeguards

A variety of security safeguards increase the level of protection provided against malware. In addition to the specific aspects of protection from malware described in S 1.6 Protection against malware, there are also other technical and organisational safeguards that contribute to lowering the risk. These accompanying safeguards (security gateways, change management systems, etc.) should also be noted in the framework of the development of a security concept against malware.

Virus protection programs on threatened IT systems

An important technical safeguard to protect against malware is the use of virus protection programs. They generally offer protection against malware as well and not only against viruses.

Nowadays, virus protection programs are usually offered as part of a larger software package that may also include a firewall and an intrusion detection system. For this reason, the safeguards S 5.71 Intrusion detection and intrusion response systems as well as S 4.238 Use of local packet filters should also be taken into account when creating a malware protection concept.

The use of a virus protection program is generally recommended on all IT systems threatened by malware, but certain IT systems are particularly susceptible to malware. The following steps can be followed in the order stated to install virus protection programs throughout the entire organisation.

In the first step, the virus protection programs should be installed on the IT systems where there is a particularly high risk of infection or on which an infection would cause particularly high damage. This especially includes critical servers and IT systems with access to external networks. IT systems that provide a data channel to or from the Internet should also be equipped with suitable protection programs before connecting to the Internet. Note that such programs cannot be used to scan encrypted files. The contents of encrypted files can only be scanned for malware during or after decryption.

In the next step, the rest of the servers and all clients should be equipped with virus protection programs. File servers can become distributors of infected programs and files. For this reason, the data stored on file servers should be scanned for malware regularly by a virus protection program. These scans can also check files that have not been accessed for a long time for malware. A user account that has read access to all the files on the file server must be used to run the scan.

The server operating systems must be taken into account as well in the security concept against malware. Specialised programs for the protection of the communication channels or of the data stored on file servers generally do not offer adequate protection for server operating systems

In addition to the stationary clients, it is also necessary to equip mobile terminal devices (such as laptops and PDAs) and stand-alone systems with adequate protection against malware.

Regardless of which technical security safeguards are implemented against malware, there will always be a certain residual risk left over. Virus protection programs are usually only able to reliably detect the types of malware that existed at the time the signature updates were developed. This means that new malware may not be detected and could cause damage. Even the heuristic analyses or behavioural controls integrated into numerous programs are only able to reduce the residual risk and cannot eliminate it completely.

Organisational regulations and personnel safeguards

The security concept should also specify organisational and personnel rules. Additional information on this subject can be found in the following safeguards, among others:

Updating the security concept against malware

The security concept against malware must be up to date at all times. It is especially necessary to adapt the security concept after making changes to the information system (see also S 2.34 Documentation on changes made to an existing IT system).

Review questions:

© Federal Office for Information Security. All rights reserved.