Guidance

10 Steps: Malware Prevention

Updated 16 January 2015

This guidance was withdrawn on 11 July 2016

This content has been moved to the CESG website: https://www.cesg.gov.uk/10-steps-cyber-security

1. Summary

Any information exchange carries a degree of risk as it could expose the organisation to malicious code and content (malware) which could seriously damage the confidentiality, integrity and availability of the organisation’s information and Information and Communications Technologies (ICT) on which it is hosted. The risk may be reduced by implementing security controls to manage the risks to all business activities.

2. What is the risk?

Malware infections can result in the disruption of business services, the unauthorised export of sensitive information, material financial loss and legal or regulatory sanctions. The range, volume and originators of information exchanged with the business and the technologies that support them provide a range of opportunities for malware to be imported. Examples include:

Email

Still provides the primary path for internal and external information exchange. It can be used for targeted or random attacks (phishing) through malicious file attachments that will release their payload when the file is opened or contain embedded links that redirect the recipient to a website that then downloads malicious content

Web browsing and access to social media

Uncontrolled browsing, including access to social media websites and applications, could provide an opportunity for an attacker to direct malicious content to a individual user or lead to the download of malicious content from a compromised or malicious website

Removable media and personally owned devices

Malware can be transferred to a corporate ICT system through the use of removable media or the connection of a personally owned device

3. How can the risk be managed?

3.1 Develop and publish corporate policies

Develop and implement policies, standards and processes that deliver the overall risk management objectives but directly address the business processes that are vulnerable to malware.

3.2 Establish anti-malware defences across the organisation

Agree a top level corporate approach to managing the risk from malware that is applicable and relevant to all business areas.

3.3 Scan for malware across the organisation

Protect all host and client machines with antivirus solutions that will actively scan for malware.

3.4 Manage all data import and export

All information supplied to or from the organisation electronically should be scanned for malicious content.

3.5 Blacklist malicious websites

Ensure that the perimeter gateway uses blacklisting to block access to known malicious websites.

3.6 Provide dedicated media scanning machines

Standalone workstations (with no network connectivity) should be provided and equipped with two antivirus products. The workstation should be capable of scanning the content contained on any type of media and, ideally, every scan should be traceable to an individual.

4. Establish malware defences

Malware can attack any system process or function so the adoption of security architecture principles that provide multiple defensive layers (defence-in-depth) should be considered. The following controls are considered essential to manage the risks from malware:

• Deploy antivirus and malicious code checking solutions with capabilities to continuously scan inbound and outbound objects at the perimeter, on internal networks and on host systems, preferably using different products at each layer. This will increase detection capabilities whilst reducing risks posed by any deficiencies in individual products. Any suspicious or infected objects should be quarantined for further analysis
• Deploy a content filtering capability on all external gateways to try to prevent attackers delivering malicious code to the common desktop applications used by the user, the web browser being a prime example. Content filtering can also help to counter the risks from a compromised information release mechanism or authorisation process that may allow sensitive data to be sent to external networks
• Install firewalls on the host and gateway devices and configure them to deny traffic by default, allowing only connectivity associated with known white listed applications
• If the business processes can support it, disable scripting languages such as Windows Scripting, Active X, VBScript and JavaScript
• Where possible, disable the auto run function to prevent the automatic import of malicious code from any type of removable media. Equally, if removable media is introduced, the system should automatically scan it for malicious content
• Regularly scan every network component and apply security patches in compliance with the corporate security patching and vulnerability management policy
• Apply the secure baseline build to every network device and mobile platform

5. User education and awareness

Users should understand the risks from malware and the day to day secure processes they need to follow to prevent a malware infection from occurring. The security operating procedures for the corporate desktop should contain the following:

• Comply with the removable media policy at all times
• Do not open attachments from unsolicited emails
• Do not click on hyperlinks in unsolicited emails
• Do not connect any unapproved removable media or any unapproved personally owned device to the corporate network. For more information consult the BYOD Guidance at https://gov.uk/cesg/byod-guidance
• Report any strange or unexpected system behaviours to the appropriate security team
• Maintain an awareness of how to report a security incident