Guidance
10 Steps: Malware Prevention
From: UK CESG, Department for Business, Innovation & Skills, Cabinet Office and Centre for the Protection of National Infrastructure
First published: 5 September 2012
Last updated: 16 January 2015
1. Summary
Any information exchange carries a degree of risk as it could expose the organisation to malicious code and content (malware) which could seriously damage the confidentiality, integrity and availability of the organisation’s information and Information and Communications Technologies (ICT) on which it is hosted. The risk may be reduced by implementing security controls to manage the risks to all business activities.
2. What is the risk?
Malware infections can result in the disruption of business services, the unauthorised export of sensitive information, material financial loss and legal or regulatory sanctions. The range, volume and originators of information exchanged with the business and the technologies that support them provide a range of opportunities for malware to be imported. Examples include:
Email
Still provides the primary path for internal and external information exchange. It can be used for targeted or random attacks (phishing) through malicious file attachments that will release their payload when the file is opened, or through embedded links that redirect the recipient to a website that then downloads malicious content.
Web browsing and access to social media
Uncontrolled browsing, including access to social media websites and applications, could provide an opportunity for an attacker to direct malicious content to an individual user or lead to the download of malicious content from a compromised or malicious website.
Removable media and personally owned devices
Malware can be transferred to a corporate ICT system through the use of removable media or the connection of a personally owned device.
3. How can the risk be managed?
3.1 Develop and publish corporate policies
Develop and implement policies, standards and processes that deliver the overall risk management objectives but directly address the business processes that are vulnerable to malware.
3.2 Establish anti-malware defences across the organisation
Agree a top-level corporate approach to managing the risk from malware that is applicable and relevant to all business areas.
3.3 Scan for malware across the organisation
Protect all host and client machines with antivirus solutions that will actively scan for malware.
3.4 Manage all data import and export
All information supplied to or from the organisation electronically should be scanned for malicious content.
3.5 Blacklist malicious websites
Ensure that the perimeter gateway uses blacklisting to block access to known malicious websites.
3.6 Provide dedicated media scanning machines
Standalone workstations (with no network connectivity) should be provided and equipped with two antivirus products. The workstation should be capable of scanning the content contained on any type of media and, ideally, every scan should be traceable to an individual.
4. Establish malware defences
Malware can attack any system process or function so the adoption of security architecture principles that provide multiple defensive layers (defence-in-depth) should be considered. The following controls are considered essential to manage the risks from malware:
• Deploy antivirus and malicious code checking solutions with capabilities to continuously scan inbound and outbound objects at the perimeter, on internal networks and on host systems, preferably using different products at each layer. This will increase detection capabilities whilst reducing risks posed by any deficiencies in individual products. Any suspicious or infected objects should be quarantined for further analysis
• Deploy a content filtering capability on all external gateways to try to prevent attackers delivering malicious code to the common desktop applications used by the user, the web browser being a prime example. Content filtering can also help to counter the risks from a compromised information release mechanism or authorisation process that may allow sensitive data to be sent to external networks
• Install firewalls on the host and gateway devices and configure them to deny traffic by default, allowing only connectivity associated with known whitelisted applications
• If the business processes can support it, disable scripting languages such as Windows Scripting, ActiveX, VBScript and JavaScript
• Where possible, disable the autorun function to prevent the automatic import of malicious code from any type of removable media. Equally, if removable media is introduced, the system should automatically scan it for malicious content
• Regularly scan every network component and apply security patches in compliance with the corporate security patching and vulnerability management policy
• Apply the secure baseline build to every network device and mobile platform
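The controls above are stated as policy. To make the layered approach concrete, here is an added example (not code from the CESG guidance) of an inbound-object filter that applies several of them to constructed sample objects: it checks embedded links against a perimeter blocklist (step 3.5), refuses risky attachment types at the gateway, detects an executable renamed to look like a document by its magic bytes rather than its file name, flags autorun.inf arriving on removable media, and quarantines anything that fails so an analyst can review it. The host names, extensions list and byte strings are constructed placeholders, not real indicators.

```python
"""Added example, not from the CESG guidance: an inbound-object filter that
exercises several of the layered anti-malware controls on constructed samples.
It checks referenced links against a perimeter blocklist, filters risky
attachment types at the gateway, detects an executable renamed to look like a
document, and flags autorun.inf arriving on removable media. Anything that
fails is quarantined for analysis rather than silently dropped."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed blocklist of known-bad hosts (placeholders, not real indicators).
BLOCKED_HOSTS = {"bad.example", "malware-download.example"}

# Attachment types the gateway content filter refuses outright.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".wsf", ".ps1", ".bat", ".cmd"}

# Leading bytes that identify common container formats regardless of file name.
MAGIC_SIGNATURES = {b"MZ": "pe-executable", b"%PDF": "pdf", b"PK\x03\x04": "zip"}


@dataclass
class InboundObject:
    name: str
    data: bytes
    source: str                                      # "email", "web" or "removable-media"
    urls: List[str] = field(default_factory=list)    # links embedded in the object


@dataclass
class Verdict:
    allowed: bool
    reasons: List[str]


def extension_of(name: str) -> str:
    """Lower-cased extension including the dot, or '' when there is none."""
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def sniff_type(data: bytes) -> str:
    """Classify content by its magic bytes instead of trusting the file name."""
    for magic, kind in MAGIC_SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def check_object(obj: InboundObject) -> Verdict:
    reasons: List[str] = []
    ext = extension_of(obj.name)

    # Perimeter blocklist: refuse objects that point at a known-bad host.
    for url in obj.urls:
        host = (urlparse(url).hostname or "").lower()
        if host in BLOCKED_HOSTS:
            reasons.append(f"link to blocklisted host {host}")

    # Gateway content filter: executable and script attachments are not delivered.
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"risky attachment type {ext}")

    # Type mismatch: an executable carrying a document extension is disguised.
    if sniff_type(obj.data) == "pe-executable" and ext not in RISKY_EXTENSIONS:
        reasons.append(f"executable content disguised as {ext or 'no extension'}")

    # Removable media: autorun.inf must never be honoured; flag it for scanning.
    if obj.source == "removable-media" and obj.name.lower() == "autorun.inf":
        reasons.append("autorun.inf present on removable media")

    return Verdict(allowed=not reasons, reasons=reasons)


class Quarantine:
    """Holds rejected objects with their reasons so an analyst can review them."""

    def __init__(self) -> None:
        self.held: List[Tuple[str, List[str]]] = []

    def process(self, obj: InboundObject) -> Verdict:
        verdict = check_object(obj)
        if not verdict.allowed:
            self.held.append((obj.name, verdict.reasons))
        return verdict


# Constructed sample objects; the byte strings are stand-ins, not real malware.
SAMPLE_OBJECTS = [
    InboundObject("quarterly_report.pdf", b"%PDF-1.7 sample document", "email"),
    InboundObject("invoice.pdf", b"MZ\x90\x00 fake executable header", "email"),
    InboundObject("newsletter.html", b"<html>...</html>", "web",
                  urls=["http://bad.example/update"]),
    InboundObject("macro_helper.vbs", b"' script body", "email"),
    InboundObject("autorun.inf", b"[autorun]\n", "removable-media"),
]


def run_samples() -> Dict[str, bool]:
    """Pass every sample through the filter; returns name -> allowed."""
    q = Quarantine()
    results = {obj.name: q.process(obj).allowed for obj in SAMPLE_OBJECTS}
    for name, reasons in q.held:
        print(f"QUARANTINED {name}: {'; '.join(reasons)}")
    return results


if __name__ == "__main__":
    print(run_samples())
```

The point of the magic-byte check is the guidance's "different products at each layer" principle in miniature: the extension filter and the content sniff catch different failures, and only the `invoice.pdf` sample is caught by the second. Quarantined objects are kept with their reasons rather than deleted, which is what makes the follow-up analysis the guidance asks for possible.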
5. User education and awareness
Users should understand the risks from malware and the day-to-day secure processes they need to follow to prevent a malware infection from occurring. The security operating procedures for the corporate desktop should contain the following:
• Comply with the removable media policy at all times
• Do not open attachments from unsolicited emails
• Do not click on hyperlinks in unsolicited emails
• Do not connect any unapproved removable media or any unapproved personally owned device to the corporate network. For more information consult the BYOD Guidance at https://gov.uk/cesg/byod-guidance
• Report any strange or unexpected system behaviours to the appropriate security team
• Maintain an awareness of how to report a security incident
Guidance
10 Steps: Incident Management
From: UK CESG, Department for Business, Innovation & Skills, Cabinet Office and Centre for the Protection of National Infrastructure
First published: 5 September 2012
Last updated: 16 January 2015
1. Summary
All organisations will experience an information security incident at some point. Investment in establishing effective incident management policies and processes will help to improve resilience, support business continuity, improve customer and stakeholder confidence and reduce any financial impact.
2. What is the risk?
Security incidents are inevitable and they will vary in their business impact. All incidents need to be effectively managed, particularly those that invoke the organisation’s disaster recovery and business continuity plans. Some incidents can, on further analysis, be indicative of more severe underlying problems.
If businesses fail to implement an incident management capability that can detect, manage and analyse security incidents the following risks could be realised:
A major disruption of business operations
Failure to realise that an incident has occurred and manage it effectively may compound the impact of the incident, leading to a long-term outage, serious financial loss and erosion of customer confidence.
Continual business disruption
An organisation that fails to address the root cause of incidents by addressing weaknesses in the corporate security architecture could be exposed to consistent and damaging business disruption.
Failure to comply with legal and regulatory reporting requirements
An incident that compromises sensitive information subject to mandatory reporting controls, where those controls are not adhered to, could lead to legal or regulatory penalties.
The organisation’s business profile will determine the type and nature of incidents that may occur, and the impact they will have, and so a risk-based approach that considers all business processes should be used to shape the incident management plans. In addition, the quality and effectiveness of the security policies and the standards applied by the organisation will also be contributing factors to preventing incidents.
3. How can the risk be managed?
3.1 Obtain senior management approval and backing
The organisation’s Board needs to understand the risks and benefits of incident management and provide appropriate funding to resource it and lead the delivery.
3.2 Establish an incident response capability
The organisation should identify the funding and resources to develop, deliver and maintain an organisation-wide incident management capability that can address the full range of incidents that could occur. This capability could be outsourced to a reputable supplier, such as those on the Cyber Incident Response (CIR) scheme. The supporting policy, processes and plans should be risk based and cover any legal and regulatory reporting or data accountability requirements.
3.3 Provide specialist training
The incident response team may need specialist knowledge and expertise across a number of technical (including forensic investigation) and non-technical areas. The organisation should identify recognised sources of specialist incident management training and maintain the organisation’s skill base.
3.4 Define the required roles and responsibilities
The organisation needs to appoint and empower specific individuals (or suppliers) to handle ICT incidents and provide them with clear terms of reference to manage any type of incident that may occur.
3.5 Establish a data recovery capability
Data losses occur and so a systematic approach to the backup of the corporate information asset base should be implemented. Backup media should be held in a physically secure location on-site and off-site where at all possible and the ability to recover archived data for operational use should be regularly tested.
3.6 Test the incident management plans
All plans supporting security incident management (including Disaster Recovery and Business Continuity) should be regularly tested. The outcome of the tests should be used to inform the development and gauge the effectiveness of the incident management plans.
3.7 Decide what information will be shared and with whom
For information bound by specific legal and regulatory requirements the organisation may have to report any incidents that affect the status of that information within a specific timeframe. All internal and external reporting requirements should be clearly identified in the Incident Management Plans.
3.8 Collect and analyse post-incident evidence
The preservation and analysis of the user or network activity that led up to the event is critical to identify and remedy the root cause of an incident. The collected evidence could potentially support any follow-on disciplinary or legal action, and the incident management policy needs to set out clear guidelines to follow that comply with a recognised code of practice.
3.9 Conduct a lessons learned review
Log the actions taken during an incident and review the performance of the incident management process post incident (or following a test) to see what aspects worked well and what could be improved. Review the organisational response and update any related security policy, process or user training that could have prevented the incident from occurring.
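Steps 3.8 and 3.9 both depend on records that can be trusted after the fact: evidence that is demonstrably unchanged since collection, and an action log that nobody can quietly edit before the lessons learned review. The following added example (not code from the CESG guidance, and not a substitute for a recognised code of practice) shows the minimum mechanics: each artifact is fingerprinted with SHA-256 when collected, and every handling action is appended to a hash-chained log whose integrity can be re-verified at review time. The evidence ids, handler names, timestamps and proxy log lines are constructed.

```python
"""Added example, not part of the CESG guidance: a small evidence register for
incident handling. Each artifact is fingerprinted with SHA-256 when collected,
and every handling action is appended to a hash-chained log, so a later review
can show that the artifact is unchanged and that the action record was not
edited after the fact. The artifacts below are constructed byte strings."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

GENESIS = "0" * 64   # prev_hash of the first log entry


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    """Hash the canonical JSON form of an entry, excluding its own digest field."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class EvidenceRegister:
    def __init__(self) -> None:
        self.artifacts: Dict[str, str] = {}   # evidence id -> SHA-256 at collection
        self.log: List[dict] = []              # hash-chained custody and action log

    def _append(self, fields: dict, when: Optional[str]) -> dict:
        prev = self.log[-1]["entry_hash"] if self.log else GENESIS
        entry = dict(fields)
        entry["time"] = when or datetime.now(timezone.utc).isoformat()
        entry["prev_hash"] = prev            # back-link to the previous entry
        entry["entry_hash"] = entry_digest(entry)
        self.log.append(entry)
        return entry

    def collect(self, evidence_id: str, data: bytes, handler: str,
                when: Optional[str] = None) -> dict:
        """Record first custody of an artifact together with its fingerprint."""
        digest = fingerprint(data)
        self.artifacts[evidence_id] = digest
        return self._append({"action": "collect", "evidence_id": evidence_id,
                             "sha256": digest, "handler": handler}, when)

    def record(self, evidence_id: str, action: str, handler: str, note: str = "",
               when: Optional[str] = None) -> dict:
        """Log a subsequent action (transfer, analysis, ...) on a known artifact."""
        if evidence_id not in self.artifacts:
            raise KeyError(f"unknown evidence id {evidence_id}")
        return self._append({"action": action, "evidence_id": evidence_id,
                             "handler": handler, "note": note}, when)

    def verify_artifact(self, evidence_id: str, data: bytes) -> bool:
        """True if the bytes presented now match the fingerprint taken at collection."""
        return self.artifacts.get(evidence_id) == fingerprint(data)

    def verify_log(self) -> bool:
        """True if every entry's digest and back-link are intact."""
        prev = GENESIS
        for entry in self.log:
            if entry["prev_hash"] != prev or entry_digest(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


# Constructed sample artifact: a few proxy log lines as they might be seized.
PROXY_LOG = (b"2015-01-16T09:12:03Z user=alice dst=example.test status=200\n"
             b"2015-01-16T09:12:07Z user=alice dst=updates.example status=302\n")


def demo() -> Dict[str, bool]:
    reg = EvidenceRegister()
    reg.collect("EV-001", PROXY_LOG, handler="analyst1", when="2015-01-16T10:00:00Z")
    reg.record("EV-001", "transfer", handler="analyst2",
               note="handed to forensic team", when="2015-01-16T11:30:00Z")
    results = {
        "artifact_intact": reg.verify_artifact("EV-001", PROXY_LOG),
        "artifact_modified": reg.verify_artifact("EV-001", PROXY_LOG + b"x"),
        "log_intact": reg.verify_log(),
    }
    # Editing a past entry breaks its digest and therefore the chain.
    reg.log[1]["note"] = "no transfer took place"
    results["log_after_tamper"] = reg.verify_log()
    return results


if __name__ == "__main__":
    print(demo())
```

In practice the register would be written to storage the incident team cannot silently rewrite and the chain head published or witnessed, but even this in-memory form shows what the lessons learned review can rely on: `verify_artifact` answers whether the evidence is what was collected, and `verify_log` answers whether the record of who did what, and when, is the one written at the time.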
3.10 Educate users and maintain their awareness
All users should be made aware of their responsibilities and the procedures they should follow to report and respond to an incident. Equally, all users should be encouraged to report any security weaknesses or incident as soon as possible and without fear of recrimination.
3.11 Report criminal incidents to Law Enforcement
It is important that online crimes are reported to Action Fraud or the relevant law enforcement agency to build a clearer view of the national threat picture and deliver an appropriate response.