Reducing the Likelihood (and Impact) of a Malware Incident

Krystal Martin, Risk & Business Advisory Senior
December 2016

Malware refers to a program that is inserted into a system, often without the user’s knowledge, with the intent of compromising the confidentiality, integrity, or availability of the user’s data, applications, or operating system. As such, malware has become a significant external threat to financial systems, causing widespread damage and disruption to organizations both large and small. When planning an approach to malware prevention, organizations should be mindful of how their environments are structured and how they can incorporate prevention activities into their existing capabilities.

A robust malware prevention program, inclusive of both end-user education, and the implementation and maintenance of a prevention strategy, can reduce the likelihood of being impacted by malware.

The National Institute of Standards and Technology (NIST) explains that four main elements in preventing a malware incident are policy, awareness, vulnerability mitigation, and threat mitigation.

Policy

Policies and procedures for malware prevention provide a basis for implementing preventive controls. If an organization does not clearly identify malware prevention activities in its policies, it is unlikely to perform these activities consistently and effectively. Effective policies and procedures specify the types of preventative technologies and tools that are in use by the organization, the requirements for maintaining those tools, and acceptable use standards, such as restricting or prohibiting the use of unnecessary software and removable media.

Awareness

Establishing and maintaining general malware awareness programs for all users serves as an important aspect of preventing malware by reducing the large number of incidents that occur through human error. Effective awareness training reinforces established malware policies and procedures, including acceptable use standards and incident response policies that apply when potential malware has been identified. Another effective method for improving awareness of malware threats is engaging in social engineering testing, where employees who fail to pass the test are given extra training and those who prevail are given positive reinforcement.

Vulnerability Mitigation

Malware attacks seek to exploit vulnerabilities in an organization’s infrastructure. Vulnerabilities often can be mitigated by applying patches or firmware upgrades to update software, or by reconfiguring the software (such as by disabling a vulnerable, yet non-essential service). Automated patch management products that can identify, acquire, distribute, and install security-related patches to all devices helps to reduce the risk of manual error and allow a more robust and timely approach to updating network devices. In addition, organizations should establish hardening and configuration standards for all devices that follow the principle of least privilege, providing only the minimum necessary rights to the appropriate users, processes, and hosts. This can aid in preventing malware incidents as attackers often need administrator-level rights to exploit vulnerabilities in a system. Configuration measures should include identifying and disabling unneeded services, changing default usernames and passwords, and removing unsecured file shares on all devices.

Threat Mitigation

Implementing a layered approach of threat mitigation technologies and tools, including antivirus software, intrusion prevention systems, firewalls, content filtering tools, as well as application whitelisting and blacklisting can prevent threats from successfully attacking systems and networks.

Antivirus software is an invaluable tool and should be deployed on all devices that are connected to an organization’s network, configured and maintained properly with the most up-to-date signatures, and patched regularly (to eliminate vulnerabilities in the software itself). A centrally-managed antivirus solution can be controlled and monitored by IT administrators and is less vulnerable to accidental deletion or configuration by end users. Intrusion prevention systems and firewalls should be deployed and monitored. As key detective controls, configured properly, these tools prevent and detect malware threats that enter an organization’s environment. Content filtering tools are useful to stop email and block email file attachments that are often associated with malicious code (e.g. .pif, .tbs) before they come into contact with the network; reducing the amount of spam that reaches end users is a nice side benefit. In addition, web content filtering should be configured to prevent users from accessing material that is inappropriate, block pop-ups, and restrict downloads, further reducing the risk of malware delivery. Lastly, application whitelisting and blacklisting can be used by an organization to specify which applications a device or user is authorized to use, and block specific applications known to be a risk. This can be useful in preventing malware from reaching critical devices within an organization’s environment.

Implementing an effective and dynamic malware prevention program that includes strong policies and procedures, creating awareness of malware prevention for end users, and deploying and monitoring the most useful technologies and tools can reduce an organization’s risk of exposure of a malware threat.

If you have any questions, please call Krystal Martin or your BNN advisor at 1.800.244.7444.

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.