Malware 101: Avoiding Infection & Limiting Spread
Welcome to the 2nd installment of our blog series “Malware 101.” If you haven’t seen our first blog post defining what malware is and the common signs of infection, you can read it here. This post gives tips on how to avoid malware infection and a high-level view of how to limit its spread from a technology perspective. Note: mistakes will always be made and no control eliminates malware entirely, but with employee training, awareness, and the proper security controls, the likelihood of a critical outbreak can be minimized.
1. Planning
Creating a plan to handle malware incidents prepares you and your users to act accordingly when one happens. Planning and preparing as much as possible lessens the impact of an incident and the amount of damage it causes. There are a lot of great resources available to help you plan for an outbreak. For example, NIST SP 800-83 Revision 1 (Guide to Malware Incident Prevention and Handling for Desktops and Laptops) describes what precautions to take and how to handle an outbreak. You can also run assessments such as a risk assessment or a business impact assessment to understand what you need to protect and how much risk you are willing to accept. Here are a few questions to ask yourself when planning for malware response:
What security controls are in place to prevent malware infection? What controls are in place to avoid infection spread?
Are my users sufficiently trained to practice safe habits and avoid malware if they encounter it?
What plans are in place to use as playbooks if there is an incident? What happens after and how can we learn from it?
What assets are deemed most critical? What risk is acceptable?
Is the network segmented, or are other precautions in place to contain malware if a host is infected? How can we limit spread both internally (host to host) and externally (to partners and customers)?
2. Employee Training
Do you know how to spot a suspicious email? A good rule of thumb is not to open an email that seems suspicious or comes from a sender you don't know, and to remember that a familiar display name is not proof of who sent it, since sender names and addresses can be spoofed. If you do open an email with an attachment, think twice before you download it. A pre-download scan in your mail client or browser can save you from pulling down malware, but you don’t want to rely fully on that plugin. Treat every attachment as untrusted until it has been scanned, and analyze it before you act on it.
Safe browsing habits! Make sure everyone understands the dangers of downloading untrusted files or software and of entering credentials into unfamiliar websites or forms. Pop-ups are another sneaky way to get malware onto a system; using an ad or pop-up blocker cuts down on those opportunities. Think before you click.
Use trusted antivirus software and keep it updated. It can warn you about known-malicious websites before you visit them, and if you do download malware accidentally it can quarantine the file and clean the host. New signatures are added to the vendor's database all the time, but your antivirus can only match against the signatures it has already downloaded, so it is important to keep it as current as possible. Also, scan your computer regularly; it will help you stay up to date on the health of your machine.
3. Security Controls
There are many different approaches we could talk about, but it generally boils down to which security controls you have in place and where you have them. A multi-layer (defense-in-depth) strategy ensures that if one layer fails, another layer still provides the vital protection that keeps your users and environment safe. Think about the security controls you have now. Do they map to a published framework?
Antivirus and file monitoring should be placed in three key locations: the network gateway, the SMTP server, and each individual host. Antivirus at the gateway means traffic is dropped before it enters your network if malware is detected (keep in mind that the gateway can only inspect traffic it can decrypt, so encrypted downloads pass through unless you inspect TLS there). If that fails, a second control on the SMTP server scans attachments before delivery. If that also fails and a user downloads a malicious attachment, the antivirus on the host (or the browser, if it scans attachments on download) is the last line that can catch it.
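The SMTP-server layer described above, and the "analyze every attachment" advice from the Employee Training section, both come down to inspecting each attachment before anyone can open it. The following is an added example, not code from the original post: a small attachment screen of the kind a mail relay would run. It extracts every attachment from a raw message, flags blocked and double extensions (the classic `invoice.pdf.exe`), checks whether the bytes contradict the declared MIME type (a Windows PE header inside an "application/pdf" part), and compares the SHA-256 hash against a known-bad set. The known-bad hash set, the extension list and the sample message are all constructed here for the demonstration; a real deployment would take the hash and signature data from an AV vendor or threat-intelligence feed.

```python
"""Attachment screening at the mail-relay layer (added example, not from the post).

Models the second antivirus layer in the text: an SMTP gateway that inspects
every attachment before delivery. The known-bad hash set and the sample
message are constructed for this demonstration.
"""
import email
import email.policy
import hashlib
from email.message import EmailMessage

# Extensions that should never arrive as an email attachment (assumed policy list).
BLOCKED_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "hta", "msi", "ps1", "lnk", "iso", "img",
}

# Constructed stand-in for an AV signature database: SHA-256 of known samples.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"MZ\x90\x00this-is-a-test-sample").hexdigest(),
}


def extensions(filename):
    """Return every extension in the name, so 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def check_attachment(part):
    """Return the list of reasons this MIME part should be blocked (empty = clean)."""
    reasons = []
    name = part.get_filename() or ""
    payload = part.get_payload(decode=True) or b""
    exts = extensions(name)
    bad = [e for e in exts if e in BLOCKED_EXTENSIONS]
    if bad:
        reasons.append(f"blocked extension {bad[-1]!r} in {name!r}")
    if len(exts) > 1:
        reasons.append(f"double extension in {name!r}")
    # Declared MIME type vs. what the bytes look like: a PE image posing as a PDF.
    ctype = part.get_content_type()
    if payload.startswith(b"MZ") and ctype != "application/x-msdownload":
        reasons.append(f"{name!r} declared {ctype} but carries a Windows executable (MZ header)")
    digest = hashlib.sha256(payload).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        reasons.append(f"{name!r} matches known-bad hash {digest[:12]}...")
    return reasons


def scan_message(raw):
    """Parse a raw RFC 5322 message; return {filename: [reasons]} for each attachment."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = {}
    for part in msg.iter_attachments():
        findings[part.get_filename() or "<unnamed>"] = check_attachment(part)
    return findings


def verdict(raw):
    """Gateway decision: deliver only when every attachment is clean."""
    findings = scan_message(raw)
    decision = "quarantine" if any(findings.values()) else "deliver"
    return decision, findings


def build_sample():
    """Constructed test message: one benign PDF and one executable disguised as a PDF."""
    msg = EmailMessage()
    msg["From"] = "Accounts <accounts@example.com>"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 benign", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00this-is-a-test-sample", maintype="application",
                       subtype="pdf", filename="invoice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    decision, findings = verdict(build_sample())
    print(decision)
    for name, reasons in findings.items():
        print(name, "->", reasons or ["clean"])
```

Each check is independent on purpose: a hash match only catches samples already in the database (the same limitation the text notes for signature updates), while the extension and magic-byte checks catch a renamed or brand-new executable that no signature knows yet.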
Security Information and Event Management (SIEM) tools can be a great addition to your security toolbox. They collect logs from the layers above (gateway, SMTP server, endpoint antivirus, firewalls), analyze them in near real time, and give you an inside look at what is going on within your network. This ties in with file monitoring: an antivirus detection on one host followed by unusual traffic from that same host is exactly the pattern a SIEM correlation rule is meant to surface, so the host can be isolated before the malware spreads.
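To show what that correlation looks like in practice, here is an added example (not code from the original post, and not any particular SIEM product's rule language) that runs two rules over constructed log lines. The first rule flags a host that opens SMB (port 445) connections to many distinct internal hosts inside a short window, the usual fan-out pattern of self-spreading malware. The second rule escalates that alert to critical when the same host had an endpoint antivirus detection shortly before. The JSON field names (`ts`, `source`, `host`, `src`, `dst`, `dport`, `event`), the window and the threshold are assumptions chosen for the example.

```python
"""SIEM-style correlation of endpoint and network events (added example).

Not from the original post. Log format, field names, window size and
threshold are assumptions for this demonstration; the log lines are
constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed correlation window
FANOUT_THRESHOLD = 5             # assumed: distinct SMB targets inside WINDOW
SMB_PORT = 445

# Constructed sample: an AV detection on ws-17, then ws-17 fanning out on 445,
# plus a duplicate connection, benign file-server traffic from ws-42 and one
# non-SMB connection that the rule must ignore.
SAMPLE_LOGS = [
    '{"ts":"2024-03-01T09:00:00","source":"edr","host":"ws-17","event":"malware_detected","name":"Trojan.Generic"}',
    '{"ts":"2024-03-01T09:02:10","source":"fw","src":"ws-17","dst":"10.0.1.20","dport":445,"event":"allow"}',
    '{"ts":"2024-03-01T09:02:11","source":"fw","src":"ws-17","dst":"10.0.1.21","dport":445,"event":"allow"}',
    '{"ts":"2024-03-01T09:02:11","source":"fw","src":"ws-42","dst":"10.0.1.5","dport":445,"event":"allow"}',
    '{"ts":"2024-03-01T09:02:12","source":"fw","src":"ws-17","dst":"10.0.1.22","dport":445,"event":"allow"}',
    '{"ts":"2024-03-01T09:02:12","source":"fw","src":"ws-17","dst":"10.0.1.20","dport":445,"event":"allow"}',
    '{"ts":"2024-03-01T09:02:13","source":"fw","src":"ws-17","dst":"10.0.1.23","dport":445,"event":"allow"}',
    '{"ts":"2024-03-01T09:03:30","source":"fw","src":"ws-42","dst":"10.0.1.5","dport":445,"event":"allow"}',
    '{"ts":"2024-03-01T09:03:45","source":"fw","src":"ws-17","dst":"10.0.1.24","dport":445,"event":"allow"}',
    '{"ts":"2024-03-01T09:03:50","source":"fw","src":"ws-17","dst":"10.0.1.30","dport":443,"event":"allow"}',
]


def parse_logs(lines):
    """Parse one JSON object per line into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Apply the fan-out and AV-escalation rules; return one alert per offending host."""
    av_hits = defaultdict(list)   # host -> [detection timestamps]
    smb = defaultdict(list)       # src  -> [(ts, dst)] still inside the window
    alerts, alerted = [], set()
    for ev in events:
        if ev.get("event") == "malware_detected":
            av_hits[ev["host"]].append(ev["ts"])
            continue
        if ev.get("dport") != SMB_PORT or ev.get("event") != "allow":
            continue
        src, now = ev["src"], ev["ts"]
        # Slide the window: drop connections older than now - window.
        smb[src] = [(t, d) for t, d in smb[src] if now - t <= window]
        smb[src].append((now, ev["dst"]))
        targets = sorted({d for _, d in smb[src]})
        if len(targets) >= threshold and src not in alerted:
            recent_av = [t for t in av_hits[src] if timedelta(0) <= now - t <= window]
            alerts.append({
                "host": src,
                "severity": "critical" if recent_av else "high",
                "reason": f"{len(targets)} distinct SMB targets within {window}"
                          + (" after endpoint AV detection" if recent_av else ""),
                "targets": targets,
                "first_seen": smb[src][0][0].isoformat(),
            })
            alerted.add(src)
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_logs(SAMPLE_LOGS)):
        print(json.dumps(alert, indent=2))
```

The fan-out rule fires on its own even when no antivirus signature matched, which is the point of correlating layers: a brand-new sample the endpoint does not recognize still has to talk to its neighbours to spread, and that behaviour shows up in the firewall logs.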
In terms of complying with a security framework, the tool combinations are endless as long as the requirements are met. You can use a mix of open-source and commercial tools depending on the scale and needs of your business.
These are some basic tips to keep your data safe. We'll continue our Malware 101 series on March 10; check back then for more information and tips!