S 2.224 Prevention against malware
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: User, Administrator
There is no such thing as perfect protection against malware. For this reason, it is especially important to repeatedly explain the threat of malware to all users.
Furthermore, all IT systems that need to be protected from malware within a networked structure must be included in the security concept against malware. Virus protection programs should be installed at appropriate locations to ensure all possible paths of infection are covered (see also S 2.154 Creating a security concept against malware).
By taking a few important procedures and recommendations into account, it is possible to reduce the risk of an infection with malware:
- Virus protection programs that are updated regularly should be used.
- All files and programs received from third parties should be scanned for potential malware before they are used or executed. The scan should be performed automatically, if possible.
- Malware can be embedded in the active content of web sites (using Java, JavaScript, and especially ActiveX, for example). In this case, the malware may be executed without the user even noticing it. Consideration should be given to configuring the Internet browser so that active content is not loaded onto the organisation's computers in the first place, or is only executed when it comes from a trusted site, for example.
- Malware is often used to spy on passwords or other access data. For this reason, passwords should never be stored on the IT systems, for example in scripts, configuration files or unprotected password lists.
- The sender information contained in e-mails cannot be trusted without additional, corresponding security mechanisms, since it is easy to fake the reply address and name of the sender. Even if the sender information is correct and the sender is trustworthy, it should not be assumed that this sender knowingly sent the e-mail. A piece of malicious software on his computer may have read the sender's address book and automatically sent e-mails to the recipients it found there. For this reason, e-mail attachments and any other files received should never be opened when the e-mail has a strange subject line or contains an unusual message. When in doubt, the communication partners should be asked whether they really sent the messages. If possible, digital signatures should be used when sending e-mails in order to be able to verify the authenticity and integrity of the contents of the e-mails (see S 4.34 Using encryption, checksums or digital signatures).
- Numerous data and many programs can be obtained from a variety of different sources, for example from mirror servers on the Internet or from CD-ROMs enclosed in magazines. As a general rule, data and programs should only be loaded from trustworthy sources, in particular from the original web site or an original data medium from the manufacturer (see also S 4.177 Assuring the integrity and authenticity of software packages).
- In general, the functionality of all programs should be tested on test systems before installation and approval and should also be scanned for malware infections (see also S 4.65 Testing of new hardware and software for more information on this subject).
- The CERT websites or other security-related information services should be checked regularly to see whether the programs used have attracted attention because they send data about the user's IT system to other IT systems without his or her knowledge (see also S 2.35 Obtaining information on security weaknesses of the system). Such problems have been discovered not only in several application programs, but also in certain program libraries. The programmers who used these libraries were not always aware that this would result in the disclosure of user information to third parties.
- When installing programs, the program instructions and terms of usage should be read carefully. In many cases, these documents even point out (more or less clearly) that certain user or system data will be collected and disclosed when the program is used.
- Most modern operating systems today come with integrated packet filters. These packet filter functions should be activated on every IT system possible. When using a Windows operating system, there are also special personal firewalls available that offer additional security functions (for example functions to monitor processes or the registry) in addition to a packet filter function. It should be determined which IT systems require the additional use of a personal firewall.
- The user rights on the clients and other terminal devices should be restricted to the greatest extent possible. This also includes only using applications whose execution does not require the user to have administrator rights. The more rights a user has, the higher the probability that a piece of malware introduced by this user will be able to function correctly and penetrate even deeper into the system.
- The protection of the network must not only be limited to the external border of the network. To protect confidential data, it is also necessary to form secure internal subnetworks that are as isolated as possible from the other areas of the network. Appropriate network segmentation in combination with adequate protection of the internal network borders limits the capabilities of malware.
- If the protection against malware fails and a piece of malicious software is able to execute a damage function, then this must be detected as quickly as possible from its behaviour on the network. The best chances for detection are obtained by closely monitoring the network. For this reason, the network activity and e-mail traffic should be monitored regularly and logged. In many cases, it is possible to detect malware because it generates undesired data traffic. The types of activity coming into question here include transmission of unusually large amounts of data, repeated transmissions at fixed intervals, or an unusually high number of outgoing e-mails, for example. Intrusion detection systems can be used to automatically search for such unusual activity.
- There is one special issue to take into account in terms of the preventive safeguards against key loggers. Since the sale of key loggers is legal in many countries, the manufacturers of virus protection programs seldom put key logger signatures in their signature databases. For this reason, it should be established how well the virus protection program used is actually able to detect key loggers. When in doubt, additional programs specially designed to detect key loggers should be used.
- Not only regular program files can contain malware, but also the document files of application programs that use a macro language (macro viruses). Programs affected by macro viruses include the commonly used office programs (such as word processors or spreadsheets) of most manufacturers. Many application programs offer options for increasing the level of protection against macro malware. For example, it may be possible to prevent the execution of macros by default when opening files. The corresponding recommendations from the manufacturers of the application programs should be checked in this regard and compared with the organisation's own security requirements. As an additional preventive measure, users should be informed how they can prevent the automatic execution of any macros contained in files. Unfortunately, the procedure to follow is different for almost every program and even every program version, and the procedures are not always reliable either.
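The following is an added example, not part of the IT-Grundschutz text, illustrating the point above that sender information in e-mails cannot be trusted without additional security mechanisms. It takes a received message, compares the domains of the visible From header, the Reply-To header and the envelope sender (Return-Path), and then reads the SPF/DKIM verdicts that the organisation's own receiving mail server recorded in an Authentication-Results header. Only a pass that is aligned with the From domain counts as evidence for the sender. The two messages, the placeholder domains and the authserv-id mx.example.org are constructed for this example.

```python
"""Plausibility checks on the sender of a received e-mail (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Authentication-Results lines are only meaningful if our own mail server
# added them; a sender could write forged ones into the message itself.
# The authserv-id below is an assumption made for this example.
TRUSTED_AUTHSERV_ID = "mx.example.org"

# Constructed sample messages with placeholder domains (not real mail).
SUSPICIOUS_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net; dkim=fail header.d=example.com
From: "Accounting" <accounting@example.com>
Reply-To: <accounting.example@webmail.example.net>
To: <user@example.org>
Subject: Re: Re: Re:

see attachment
"""

LEGITIMATE_MESSAGE = """\
Return-Path: <bounce@example.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: "Accounting" <accounting@example.com>
To: <user@example.org>
Subject: Invoice 2024-17

please find the invoice attached
"""


def domain_of(address):
    """Lower-cased domain part of an address header value, or '' if absent."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def aligned(domain, from_domain):
    """Relaxed alignment: same domain or one is a subdomain of the other."""
    return bool(domain) and (
        domain == from_domain
        or domain.endswith("." + from_domain)
        or from_domain.endswith("." + domain)
    )


def auth_results(msg):
    """Map method -> (result, authenticated domain) from trusted A-R headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, _, rest = header.partition(";")
        if authserv_id.strip() != TRUSTED_AUTHSERV_ID:
            continue  # not added by our own MTA, ignore it
        for clause in rest.split(";"):
            m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
            if not m:
                continue
            d = re.search(r"\b(?:smtp\.mailfrom|header\.d|header\.from)="
                          r"(?:[^@\s]+@)?([\w.-]+)", clause)
            verdicts[m.group(1)] = (m.group(2).lower(), d.group(1).lower() if d else "")
    return verdicts


def check_sender(raw_message):
    """Return the reasons why the visible sender should not be trusted.

    An empty list means the From header agrees with Reply-To and the
    envelope sender and is backed by an aligned DKIM or SPF pass.
    """
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    findings = []

    # 1. Consistency between the headers a user actually sees.
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To points to {reply_domain}, not {from_domain}")
    return_domain = domain_of(msg.get("Return-Path"))
    if return_domain and not aligned(return_domain, from_domain):
        findings.append(f"envelope sender {return_domain} does not match From domain {from_domain}")

    # 2. Evidence recorded by the receiving server (the "additional mechanism").
    verdicts = auth_results(msg)
    dkim_result, dkim_domain = verdicts.get("dkim", ("none", ""))
    spf_result, spf_domain = verdicts.get("spf", ("none", ""))
    authenticated = (dkim_result == "pass" and aligned(dkim_domain, from_domain)) or (
        spf_result == "pass" and aligned(spf_domain, from_domain))
    if not authenticated:
        findings.append(f"no aligned SPF/DKIM pass for {from_domain}; From header is unverified")
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(name, check_sender(raw) or "no findings")
```

Note that the suspicious message carries spf=pass: SPF only vouches for the envelope domain mailer.example.net, which is why the check insists on alignment with the From domain before accepting it. Digital signatures on the message content, as recommended in S 4.34, remain the stronger mechanism because they also bind the contents, not only the sender domain.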
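As an added example, not taken from the IT-Grundschutz text, the following script applies the three indicators named above for monitoring network activity and e-mail traffic to a small log: repeated transmissions at fixed intervals (beaconing), unusually large outbound data volumes, and an unusually high number of outgoing e-mails from one sender. The flow records and the mail log are constructed for this example, and all thresholds are assumptions that would have to be tuned to the organisation's own baseline.

```python
"""Simple traffic-anomaly checks over constructed flow and mail logs (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

T0 = 1_700_000_000  # arbitrary epoch start for the constructed data

# Constructed outbound flow records: (epoch seconds, source host, destination, bytes sent).
FLOWS = (
    # host that contacts the same destination exactly every 300 s (beaconing)
    [(T0 + i * 300, "10.0.1.5", "203.0.113.9", 512) for i in range(8)]
    # host with ordinary, irregular browsing-like traffic
    + [(T0 + t, "10.0.1.7", "198.51.100.20", b)
       for t, b in [(12, 4800), (95, 120000), (400, 2300), (1377, 76000), (1390, 9000), (3600, 41000)]]
    # host that pushes 900 MiB out in one go
    + [(T0 + 50, "10.0.1.9", "203.0.113.77", 900 * 2**20)]
)

# Constructed outgoing mail log: (epoch seconds, sender address).
MAIL_LOG = (
    [(T0 + h * 3600, "alice@example.org") for h in range(5)]        # 5 mails over 5 hours
    + [(T0 + i * 6, "bob@example.org") for i in range(80)]            # 80 mails in 8 minutes
)


def find_beacons(flows, min_count=6, max_cv=0.1):
    """Source/destination pairs contacted at (nearly) constant intervals.

    A low coefficient of variation of the gaps between connections is the
    signature of scheduled check-ins; the thresholds are assumptions.
    """
    stamps_by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        stamps_by_pair[(src, dst)].append(ts)
    hits = []
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((pair, round(avg)))
    return hits


def find_bulk_senders(flows, max_bytes=100 * 2**20):
    """Hosts whose total outbound volume exceeds an assumed absolute threshold."""
    total = defaultdict(int)
    for _, src, _, nbytes in flows:
        total[src] += nbytes
    return sorted(src for src, n in total.items() if n > max_bytes)


def find_mail_bursts(mail_log, window=3600, max_mails=50):
    """Senders that exceed max_mails within any sliding window of `window` seconds."""
    stamps_by_sender = defaultdict(list)
    for ts, sender in mail_log:
        stamps_by_sender[sender].append(ts)
    hits = []
    for sender, stamps in stamps_by_sender.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 > max_mails:
                hits.append(sender)
                break
    return sorted(hits)


def run_checks(flows=FLOWS, mail_log=MAIL_LOG):
    """Run all three indicators and return the findings in one dictionary."""
    return {
        "beacons": find_beacons(flows),
        "bulk_senders": find_bulk_senders(flows),
        "mail_bursts": find_mail_bursts(mail_log),
    }


if __name__ == "__main__":
    for kind, found in run_checks().items():
        print(f"{kind}: {found or 'nothing unusual'}")
```

In practice the same logic runs against exported flow records or mail-server logs, and the thresholds are derived from the observed baseline rather than fixed as here; a beacon check in particular should tolerate the jitter that real malware adds to its schedule, which the max_cv parameter controls.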
Review questions:
- Is an up-to-date virus protection program used and are its malware signatures updated in short intervals?
- Are the data and programs received scanned for malware before use?
- Has it been ensured that users are only granted the authorisations they actually need to do their work?
- Is network activity sufficiently monitored in order to detect unusual activity as quickly as possible?
- Are the packet filter functions enabled on all IT systems threatened by malware?
- Is adequate protection against key loggers ensured?
- Have the users been informed of the procedures and codes of conduct for protection against malware?