SlideShare a Scribd company logo

Creating And Enforcing Anti Malware Practices

Download as DOCX, PDF
Diane M. Metcalf, profile picture
Diane M. Metcalf

This document discusses best practices for creating and enforcing anti-malware procedures and policies within an organization. It defines malware and its prevalence and damage. It recommends implementing security policies, systems, user education and intrusion detection. The document also discusses quantifying costs of malware through calculating single loss expectancy, annual loss expectancy and setting a security budget. It recommends performing risk analysis and assessment and creating a security budget to protect networks and data.

1 of 14
Downloaded 14 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
Creating and Enforcing Anti-Malware Procedures and Practices Within an Organization Diane M. Duhé
Abstract Malware poses a significant threat to all computer networks, whether large or small. Malicious software is responsible for data corruption, loss, misuse, identity theft, and many types of unauthorized use. All of these contribute to potential liabilities, loss of services, damage to a company’s reputation, loss of customers and/or stakeholders and possibly to the company’s inability to continue doing business. This paper will provide a summarization of the best practices in regard to creating and enforcing anti-malware procedures, as they pertain to enterprise networks, and data security. The Method of Approach will be research, conducted via the ACM Digital Library, IEEE/IEE Electronic Library, professional journals, web articles, white papers, and utilizing personal work experience as a Network Administrator. The Introduction will define the term “malware” and summarize the prevalence of and damage caused by malware infection in an enterprise. The Best Practices section will discuss creating and implementing Policies, Guidelines and Procedures for securing systems and networks. The Related Costs section will discuss methods for quantifying costs of malware attacks, the importance of utilizing “value calculators” and creating/implementing security budgets. Introduction The term “Malware” once referred to viruses, worms, and trojans, but current malware has evolved into a very selective tool. Malware is no longer written using amateur scripts, or using “copy and paste” methods by script kiddies. Instead, highly trained, paid, programmers are authoring malware, supported via political syndicates, organized crime, government sanctioned-unacknowledged (“dark”) ops, and some nation-states. [1] What began as pranks has evolved into serious criminal activity. Malware is now used for crimes such as industrial espionage, “transmitting digital copies of trade secrets” [2] customer names, future business plans, and contracts, virtually any and all private or personal information. In order to discuss best practices for implementing anti-malware protection, it is necessary to have a basic understanding of enterprise malware infection and its effects.
The Prevalence of Computer Crime The 2010-2011 CSI/FBI report revealed that: • “Malware infection continued to be the most commonly seen attack, with 67.1 percent of respondents reporting it. • Respondents reported markedly fewer financial fraud incidents than in previous years, with only 8.7 percent saying they’d seen this type of incident during the covered period. • Of the approximately half of respondents who experienced at least one security incident last year, fully 45.6 percent of them reported they’d been the subject of at least one targeted attack. • Fewer respondents than ever are willing to share specific information about dollar losses they incurred. Given this result, the report this year does not share specific dollar figures concerning average losses per respondent. It would appear, however, that average losses are very likely down from prior years. • Respondents said that regulatory compliance efforts have had a positive effect on their security programs. • By and large, respondents did not believe that the activities of malicious insiders accounted for much of their losses due to cybercrime. 59.1 percent believe that no such losses were due to malicious insiders. Only 39.5 percent could say that none of their losses were due to non-malicious insider actions. • Slightly over half (51.1 percent) of the group said that their organizations do not use cloud computing. Ten percent, however, say their organizations not only use cloud computing, but have deployed cloud-specific security tools.” [3] Best Practices Malware detection has been accomplished, until very recently, by using “signatures”. Signature based malware detection requires that malware be identified by analysis of the malwares’ code and finding code that is unique to the malware. The discovered code is then used to create anti- malware software that is based on recognizing that code. Once created, the anti-malware software must be installed onto the computer system, and allowed to scan, detect and remove the malware. This entire process must be repeated anew for every novel instance or variant of malware. This method is insufficient and reactive at best [4] As malware continues to evolve in ways to avoid detection, it is simply not practical to continue detection in this manner. Malware is increasingly being written using innovative and aggressive procedures which help to avoid detection, and sometimes even withstanding disinfection efforts. Until new and better proactive detection are available, malware will continue to infect networks and network components, costing the affected businesses time, money and resources.
Frequently, organizations mistakenly treat malware infections as a series of independent episodes. When a malicious program is discovered, it is remediated until the next occurrence on the next system..This method cannot contain infections before they transmit across the network, thereby infecting more components. Spreading malware in this way could potentially damage the organizations ability to carry out daily activities of business. Disinfecting hundreds or thousands of computers on an enterprise network would be a monumental task. A new, pro-active approach must be undertaken for prevention/detection/disinfection and recovery for enterprises networks. It necessarily must be different from the methods used for the same purposes on individual systems. The approach must be viewed as “holistic” security comprised of four phases: Plan, Resist, Detect, and Respond. [5] Interesting figures:  “80% of businesses without a recovery plan went bankrupt within 1 year of a major data loss  59% of companies cannot conduct business during unscheduled IT downtime  3Computer Security Institute, 15th Annual 2010-2011 Computer Crime and Security Survey 1. PLANNING Creating written policies and guidelines Planning an approach to minimize malware infection includes addressing key issues, such as diversity of system configurations and business requirements within an organization, the use of assorted technologies within the organization, logistical challenges presented by the scattering of systems across various geographic locations, internal political hindrances, as well as the legal/regulatory aspects of IT as they pertain to the organization. Implementing clearly written policies helps to mitigate the risks associated with malware. A Policy is “A formal, brief, and high-level statement or plan that embraces an organization’s general beliefs, goals, objectives, and acceptable procedures for a specified subject area.” [7] It defines required actions and sets the rules. All policies should include the following attributes: - Require mandatory compliance - Technology objectives, i.e.: why the technology is being provided to the user
- Expectations of privacy including the use of monitoring and logging - Detailed acceptable use, outlining permitted as well as prohibited user actions - Detailed restrictions which may involve issues concerning confidentiality - Defined consequences for violations - Implementation focused - Further defined by guidelines and/or standards. Standards, Guidelines and Procedures: Standards are mandatory rules that are written in conjunction with and designed to support a policy. They help makes the policy more effective. Standards usually include specifications for hardware, software and/or behavior, and describe requirements for various configurations. Guidelines are general statements designed to provide a framework within which to implement the policy. They are not mandatory, and are more like suggestions or “best practices”. They provide information on “how” to do something. Guidelines can change frequently, and must be reviewed more often than Standards or Policies. Procedures are the mechanisms for enforcing policies. They are beneficial in times of crisis. They outline “how” the policy is implemented. “Position Statements” are often times precursors to policies, and are much simpler, in that they focus on a particular technology and the expectations for its use within the organization. 2. RESISTING Employing a variety of ways to protect networks from infection and intrusion [8] Implement Security Policies Security Policies must agree with the organizations’ security standards. Policies must be reviewed regularly to reflect the current organizational needs, yet remain compatible with other company policies. Some questions to ask when reviewing a policy are: has the company structure changed? Does the policy reflect the company’s guidelines? Have there been new technology purchases? Are there new State or Federal compliance requirements? Is there new user-behavior to address?
Implement Security Systems Security Systems must be implemented on the network, to protect the network from cybercrime and other threats, such as malware, hacking and information theft. Manage and Control IT Manage and control IT by utilizing an enterprise management system (EMS) to perform network monitoring to ensure policy compliance as well as security at the system level. Implement Group Policy Protecting and securing the network and network resources must occur at both the system and the network level. Group Policy implementation can restrict incoming traffic from the Internet and other less trusted networks, by controlling ports, IP addresses and domains. Group Policy can also control user activity such as what they’re allowed to connect to computer systems, and how removable media, such as USB devices, are to be used. Educate users Ensure network users are educated and informed regarding types of malware attacks, signs of infection, and how to report. Implementing Further Protection: Use a Firewall Utilize Anti-virus/anti malware software Enforce: -Email Policies -Password Policies -Acceptable Use Policies Ensure: Group Policies and Network Monitoring for: -USB and portable devices -Instant Messaging
-Internet Applications -Public Social Networks -Downloading and/or installing software 3. DETECTING Use an Intrusion Detection System- IDS Employing the use of Intrusion Detection hardware/software on the network will help contain possible infections and security breaches. Use a Network Management System Implement Network Management and Monitoring 4. RESPONDING The National Institute of Standards and Technology's “Computer Security Incident Handling Guide” states that there are three steps involved when responding to a confirmed malware attack: [9] Containment Eradication Recovery Performing these steps should be supported by the guidelines that were written during the Security Planning phase, outlined above. Containment Efforts to contain the spread of the malware should include: [10] Instructing users what they should and should not do in the situation in order to help contain the spread of the malicious software. (ie: clicking an email link) . Disconnecting affected systems from the network, temporarily. Eradication Eradicating the malware, (also called “disinfecting”) which involves removing the malware and possibly restoring damaged systems from backups, or rebuilding the systems.
“Locking down” systems, patching vulnerabilities, and reconfiguring affected components on the infrastructure. Recovery Focus on returning to normal operation Confirm that the attack has been contained Ensure the malware has been removed Determine which containment actions can now cease Collaborating with entities such as legal departments or public relations may also be a component of recovery. Response teams should now review their course of action, assess/adjust applicable security mechanisms and agree on methods for improvement. These proceedings conclude the security cycle, and bring the focus back around to the Planning phase again. The Related Costs of Malware Determining and balancing the cost of malware is actually an exercise in risk analysis. The first step to determining this expense, is assigning values to all information assets. The second step is to estimate the potential loss. The assigned asset and loss values are then used to determine the single loss expectancy (SLE), which is defined as the expense of recovering from a single malware attack. [11] Calculating the SLE includes a summation of the following costs: The cost of purchasing/maintaining anti-malware products The ongoing cost for maintaining anti-malware ie: subscriptions for updates/other related services Assigning a value to the company's data (calculated by determining how much it would cost to restore or re-create different types of lost information, such as sales records, tax information, contact information, emails) Lost revenue Potential cost of fines and penalties for violating confidentiality/privacy agreements Loss of employee productivity Cost of repairing damaged systems Hardware overhead (all anti-malware products consume resources such as processing power, memory and disk space)
Determine the annual loss expectancy (ALE) of a single malware attack based on average number of previous attacks per year Multiply the SLE by the ALE to determine the annual cost of malware for the business. [12] Setting a Security Budget Determine the annual cost of malware. It is crucial to plan an anti-malware budget accordingly. The figures from the above calculations will provide a rough estimation for the planned yearly expenditure for anti-malware protection. Assess the amount of risk that the company is willing to take. For example, some companies might choose to accept a higher level of risk of infection, because it’s been determined that the actual probability of attack is very low, or because the organization has lowered some risks in other ways, such as by purchasing insurance, or the use of offsite backup solutions. These calculations can be used in creating a security budget, and /or for calculating the value of the particular anti-malware tools already in place. [13] Calculators There are many risk calculators available online as shareware. They are easy to use, and will generate an estimate of various risks, using several of the variables mentioned above. One such calculator was used to estimate the financial risk for a fictitious organization of 1,000 employees. The calculator located at http://www.cmsconnect.com/Marketing/viruscalc.htm, analyzed the organizations’ workplace and email environment, (using number of employees with email access, number of minutes of email usage per employee per day, and average employee salary) along with the number of IT staff, and average salary The effects of an email malware attack in regards to salary and productivity are found as follows: It was determined that a fictitious organization of 1,000 employees earning an average e of $25/hr, and using email for approximately 30 minutes per day, would cost the company 524 hours, which translates into $13,700.00 in lost salaries per day (or $570.83 per hour)
Return on Investment When using Return on Investment to justify purchasing security technology it is important to remember that avoiding a possible loss is much different than generating income. Use ROI cautiously. Findings Malware affects networks of all sizes, and is installed via various means, many times without a users consent or knowledge. It is costly to businesses in regard to prevention as well as recovery. Malware is no longer viewed as a prank created by script kiddies. Malware is now developed by professional programmers who are paid for their work, and is used to steal information of all kinds. New types of malware are continuously being developed in order to avoid detection. Detection and disinfection can be costly. The way that the enterprise behaves throughout all four phases of the security cycle determines its success in protecting its network and data from malware. [14] Recommendations Risk analysis and assessment must be performed and are a necessary element in assessing the necessary expenditures that a business should prepare to incur. Creating and implementing a security budget are essential in order to protect information assets, privacy, confidentiality, and the network infrastructure. Value I feel that in doing the research for this paper, I have learned about the processes that must be in place to secure an enterprise network and data. I’ve learned about the importance and benefits of policies, guidelines and procedures, I’ve learned about the steps that are necessary for protecting a valuable asset such as an organizations network and that the hardware and software are indeed valuable, but the information
and data that belong to the company have much value as well- indeed maybe more value than the former. It’s not just the computers, hardware, software and employees that enable the company to do business and to remain in business. It is those things in addition to maintaining data integrity, privacy, availability and confidentiality as well. Risk Assessment, Risk Management, and Disaster Recovery are all areas that I have become interested in, recently, and I feel that this paper has introduced me to several key concepts in all of those areas and given me a basic understanding of them. I may make a career change after I graduate, leaving Network Administration, and entering the realm of Risk Management or Security.
References 1. George Ledin, Jr,( (February 2011 vol. 54 - 2)The Growing Harm of Not Teaching Malware, Communications of the ACM 2. Steve Lohr, January 17, 2010, Companies Fight Endless War Against Computer Attacks , NYTimes.com, retrieved 05/27/2011 from: http://www.nytimes.com/2010/01/18/technology/internet/18defend.html 3. 4 Steps To Combat Malware Enterprise-Wide, Lennie Zeltser, Zeltser.com, Retrieved 06/19/11 from: http://zeltser.com/combating-malicious-software/malware-in-the- enterprise.html 4.Ellen Messmer, (2008) Security vendors leaving 'old school' malware detection methods behind, NetworkWorld, retrieved on 06/06/11 from: http://www.networkworld.com/news/2008/121208-crystal-ball-antivirus.html 5. (Source: AbleOne Systems, http://www.ableone.com) 6. Lenny Zeltser, 4 Steps To Combat Malware Enterprise-Wide, Zeltser.com, retrieved on 06/26 from: http://zeltser.com/combating-malicious-software/malware-in-the- enterprise.html 7. The SANS Institute, (2007) A Short Primer for Developing Security Policies 8. 4 Steps To Combat Malware Enterprise-Wide, Lennie Zeltser, Zeltser.com, Retrieved 06/19/11 from: http://zeltser.com/combating-malicious-software/malware-in-the- enterprise.html 9. 4 Steps To Combat Malware Enterprise-Wide, Lennie Zeltser, Zeltser.com, Retrieved 06/19/11 from: http://zeltser.com/combating-malicious-software/malware-in-the- enterprise.html 10. Karen Scarfone, Tim Grance, Kelly Masone, Recommendations of the National Institute of Standards and Technology The National Institute of Standards and Technology, Special Publication 800-61 Revision 1, Computer Security Incident Handling Guide
11. John Edwards, April 30, 2009, Money for Nothing: The Real Cost of Malware, Focus, retrieved 06/028/11 from: http://www.focus.com/briefs/it-security/money-nothing- real-cost-malware/ 12. John Edwards, (2008) The Malware Burden, Network Security Journal,retrieved on June 28, 2011 from: http://www.networksecurityjournal.com/features/malware-burden- 012208/ 9 13. Balancing the cost and benefits of countermeasures, SearchSecurity.com, retrieved on June29 2011 from: http://searchsecurity.techtarget.com/feature/Balancing-the-cost- and-benefits-of-countermeasures 14. 3Computer Security Institute, 15th Annual 2010-2011 Computer Crime and Security Survey Other Resources: -Quest Software, Best Practices in Instant Messaging Management http://www.idgconnect.com/view_abstract/2619/best-practices-instant-messaging- management-2619 -Mark Merkow, Jim Breithaupt, Information Security Principles and Practices, Pearson Education Inc, 2006 - Applegate, L. M., F. W. McFarlan, and R. D. Austin. Corporate Information Strategy and Management: Text and Cases. 6th ed. New York: McGraw Hill, 2003. Acknowledgements 1. Dr. Halstead-Nussloch, my professor for this course, IT6683, for providing the opportunity to research and write this paper 2. Dr. Rutherfoord, my professor for IT5102 “Into to Security”, for her interesting power-point presentations, and all that I have learned from her. 3. Dr. Kim Kenneth Metcalf of UWG, my Fiancé, for challenging and encouraging me.
4. Arden Peterkin, Network Security Consultant for GCPS, for providing invaluable information about the most current network threats detected and remediated there.

More Related Content

PDF
Cybersecurity Preparedness Trends and Best Practices
Tony Moroney
 
PPTX
Risk Management Approach to Cyber Security
Ernest Staats
 
PDF
McNair_Paper_Hill
Dennis Hill
 
PPTX
Understanding the security_organization
Dan Morrill
 
PPTX
Information risk management
Akash Saraswat
 
PDF
Enterprise GRC for PEoplesoft
Appsian
 
PDF
Internal Threats: The New Sources of Attack
Mekhi Da ‘Quay Daniels
 
PDF
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
Cybersecurity Preparedness Trends and Best Practices
Tony Moroney
 
Risk Management Approach to Cyber Security
Ernest Staats
 
McNair_Paper_Hill
Dennis Hill
 
Understanding the security_organization
Dan Morrill
 
Information risk management
Akash Saraswat
 
Enterprise GRC for PEoplesoft
Appsian
 
Internal Threats: The New Sources of Attack
Mekhi Da ‘Quay Daniels
 
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 

What's hot (19)

PDF
The Business Case for Data Security
Imperva
 
PPTX
Security Organization/ Infrastructure
Priyank Hada
 
PPSX
Meraj Ahmad - Information security in a borderless world
nooralmousa
 
PDF
Foley-Cybersecurity-White-Paper_3.9.15
James Fisher
 
PDF
Incident response methodology
Piyush Jain
 
PDF
Business case for information security program
William Godwin
 
PPT
Information Risk Management Overview
elvinchan
 
PPTX
Banks and cybersecurity v2
Semir Ibrahimovic
 
PDF
How to Build an Insider Threat Program in 30 Minutes
ObserveIT
 
PPT
The insider versus external threat
zhihaochen
 
PDF
Mobile Security: 5 Steps to Mobile Risk Management
DMIMarketing
 
PPTX
Build an Information Security Strategy
Andrew Byers
 
PPTX
How to assess and manage cyber risk
Stephen Cobb
 
PDF
Cybersecurity Goverence for Boards of Directors
Paul Feldman
 
PPT
1. security management practices
7wounders
 
PDF
Cybersecurity Risk Management for Financial Institutions
Sarah Cirelli
 
PDF
Building an effective Information Security Roadmap
Elliott Franklin
 
PDF
Leveraging Board Governance for Cybersecurity
ShareDocView.com
 
PPT
Start With A Great Information Security Plan!
Tammy Clark
 
The Business Case for Data Security
Imperva
 
Security Organization/ Infrastructure
Priyank Hada
 
Meraj Ahmad - Information security in a borderless world
nooralmousa
 
Foley-Cybersecurity-White-Paper_3.9.15
James Fisher
 
Incident response methodology
Piyush Jain
 
Business case for information security program
William Godwin
 
Information Risk Management Overview
elvinchan
 
Banks and cybersecurity v2
Semir Ibrahimovic
 
How to Build an Insider Threat Program in 30 Minutes
ObserveIT
 
The insider versus external threat
zhihaochen
 
Mobile Security: 5 Steps to Mobile Risk Management
DMIMarketing
 
Build an Information Security Strategy
Andrew Byers
 
How to assess and manage cyber risk
Stephen Cobb
 
Cybersecurity Goverence for Boards of Directors
Paul Feldman
 
1. security management practices
7wounders
 
Cybersecurity Risk Management for Financial Institutions
Sarah Cirelli
 
Building an effective Information Security Roadmap
Elliott Franklin
 
Leveraging Board Governance for Cybersecurity
ShareDocView.com
 
Start With A Great Information Security Plan!
Tammy Clark
 
Ad

Similar to Creating And Enforcing Anti Malware Practices (20)

PDF
5 Steps to Mobile Risk Management
DMIMarketing
 
DOCX
Project Quality-SIPOCSelect a process of your choice and creat.docx
wkyra78
 
DOCX
Running Head SECURITY AWARENESSSecurity Awareness .docx
toltonkendal
 
PDF
Fundamentals of-information-security
madunix
 
PPTX
Maturing Endpoint Security: 5 Key Considerations
Sirius
 
PDF
ISACA Cybersecurity Audit course brochure
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
PDF
5 steps-to-mobile-risk-management-whitepaper-golden-gekko
DMI
 
PDF
Measure To Avoid Cyber Attacks
Skillmine Technology Consulting
 
PDF
Measures to Avoid Cyber-attacks
Skillmine Technology Consulting
 
PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
Laurie Mosca-Cocca
 
PDF
Cyber-Security-Whitepaper.pdf
Anil
 
PDF
Cyber-Security-Whitepaper.pdf
Anil
 
PPTX
20220803-Cyber Hygiene Presentation.pptx
testprojectindia
 
DOCX
Risk management planExecutive SummaryThe past.docx
SUBHI7
 
PPT
Ethical hacking a licence to hack
amrutharam
 
DOCX
CRITERIA DISTINGUISHED Analyze the origins and evolution of th.docx
willcoxjanay
 
PPT
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
abhichowdary16
 
DOCX
Cyb 690 cybersecurity program template directions the foll
AISHA232980
 
PPTX
CISSP- Security & Risk Management-Domain 1 Overview-Edited.pptx
macraaiclass
 
PDF
ultimate-guide-to-getting-started-with-appsec-veracode
Sean Varga
 
5 Steps to Mobile Risk Management
DMIMarketing
 
Project Quality-SIPOCSelect a process of your choice and creat.docx
wkyra78
 
Running Head SECURITY AWARENESSSecurity Awareness .docx
toltonkendal
 
Fundamentals of-information-security
madunix
 
Maturing Endpoint Security: 5 Key Considerations
Sirius
 
ISACA Cybersecurity Audit course brochure
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
5 steps-to-mobile-risk-management-whitepaper-golden-gekko
DMI
 
Measure To Avoid Cyber Attacks
Skillmine Technology Consulting
 
Measures to Avoid Cyber-attacks
Skillmine Technology Consulting
 
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
Laurie Mosca-Cocca
 
Cyber-Security-Whitepaper.pdf
Anil
 
Cyber-Security-Whitepaper.pdf
Anil
 
20220803-Cyber Hygiene Presentation.pptx
testprojectindia
 
Risk management planExecutive SummaryThe past.docx
SUBHI7
 
Ethical hacking a licence to hack
amrutharam
 
CRITERIA DISTINGUISHED Analyze the origins and evolution of th.docx
willcoxjanay
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
abhichowdary16
 
Cyb 690 cybersecurity program template directions the foll
AISHA232980
 
CISSP- Security & Risk Management-Domain 1 Overview-Edited.pptx
macraaiclass
 
ultimate-guide-to-getting-started-with-appsec-veracode
Sean Varga
 
Ad

Creating And Enforcing Anti Malware Practices

  • 1. Creating and Enforcing Anti-Malware Procedures and Practices Within an Organization Diane M. Duhé
  • 2. Abstract Malware poses a significant threat to all computer networks, whether large or small. Malicious software is responsible for data corruption, loss, misuse, identity theft, and many types of unauthorized use. All of these contribute to potential liabilities, loss of services, damage to a company’s reputation, loss of customers and/or stakeholders and possibly to the company’s inability to continue doing business. This paper will provide a summarization of the best practices in regard to creating and enforcing anti-malware procedures, as they pertain to enterprise networks, and data security. The Method of Approach will be research, conducted via the ACM Digital Library, IEEE/IEE Electronic Library, professional journals, web articles, white papers, and utilizing personal work experience as a Network Administrator. The Introduction will define the term “malware” and summarize the prevalence of and damage caused by malware infection in an enterprise. The Best Practices section will discuss creating and implementing Policies, Guidelines and Procedures for securing systems and networks. The Related Costs section will discuss methods for quantifying costs of malware attacks, the importance of utilizing “value calculators” and creating/implementing security budgets. Introduction The term “Malware” once referred to viruses, worms, and trojans, but current malware has evolved into a very selective tool. Malware is no longer written using amateur scripts, or using “copy and paste” methods by script kiddies. Instead, highly trained, paid, programmers are authoring malware, supported via political syndicates, organized crime, government sanctioned-unacknowledged (“dark”) ops, and some nation-states. [1] What began as pranks has evolved into serious criminal activity. Malware is now used for crimes such as industrial espionage, “transmitting digital copies of trade secrets” [2] customer names, future business plans, and contracts, virtually any and all private or personal information. In order to discuss best practices for implementing anti-malware protection, it is necessary to have a basic understanding of enterprise malware infection and its effects.
  • 3. The Prevalence of Computer Crime The 2010-2011 CSI/FBI report revealed that: • “Malware infection continued to be the most commonly seen attack, with 67.1 percent of respondents reporting it. • Respondents reported markedly fewer financial fraud incidents than in previous years, with only 8.7 percent saying they’d seen this type of incident during the covered period. • Of the approximately half of respondents who experienced at least one security incident last year, fully 45.6 percent of them reported they’d been the subject of at least one targeted attack. • Fewer respondents than ever are willing to share specific information about dollar losses they incurred. Given this result, the report this year does not share specific dollar figures concerning average losses per respondent. It would appear, however, that average losses are very likely down from prior years. • Respondents said that regulatory compliance efforts have had a positive effect on their security programs. • By and large, respondents did not believe that the activities of malicious insiders accounted for much of their losses due to cybercrime. 59.1 percent believe that no such losses were due to malicious insiders. Only 39.5 percent could say that none of their losses were due to non-malicious insider actions. • Slightly over half (51.1 percent) of the group said that their organizations do not use cloud computing. Ten percent, however, say their organizations not only use cloud computing, but have deployed cloud-specific security tools.” [3] Best Practices Malware detection has been accomplished, until very recently, by using “signatures”. Signature based malware detection requires that malware be identified by analysis of the malwares’ code and finding code that is unique to the malware. The discovered code is then used to create anti- malware software that is based on recognizing that code. Once created, the anti-malware software must be installed onto the computer system, and allowed to scan, detect and remove the malware. This entire process must be repeated anew for every novel instance or variant of malware. This method is insufficient and reactive at best [4] As malware continues to evolve in ways to avoid detection, it is simply not practical to continue detection in this manner. Malware is increasingly being written using innovative and aggressive procedures which help to avoid detection, and sometimes even withstanding disinfection efforts. Until new and better proactive detection are available, malware will continue to infect networks and network components, costing the affected businesses time, money and resources.
  • 4. Frequently, organizations mistakenly treat malware infections as a series of independent episodes. When a malicious program is discovered, it is remediated until the next occurrence on the next system..This method cannot contain infections before they transmit across the network, thereby infecting more components. Spreading malware in this way could potentially damage the organizations ability to carry out daily activities of business. Disinfecting hundreds or thousands of computers on an enterprise network would be a monumental task. A new, pro-active approach must be undertaken for prevention/detection/disinfection and recovery for enterprises networks. It necessarily must be different from the methods used for the same purposes on individual systems. The approach must be viewed as “holistic” security comprised of four phases: Plan, Resist, Detect, and Respond. [5] Interesting figures:  “80% of businesses without a recovery plan went bankrupt within 1 year of a major data loss  59% of companies cannot conduct business during unscheduled IT downtime  3Computer Security Institute, 15th Annual 2010-2011 Computer Crime and Security Survey 1. PLANNING Creating written policies and guidelines Planning an approach to minimize malware infection includes addressing key issues, such as diversity of system configurations and business requirements within an organization, the use of assorted technologies within the organization, logistical challenges presented by the scattering of systems across various geographic locations, internal political hindrances, as well as the legal/regulatory aspects of IT as they pertain to the organization. Implementing clearly written policies helps to mitigate the risks associated with malware. A Policy is “A formal, brief, and high-level statement or plan that embraces an organization’s general beliefs, goals, objectives, and acceptable procedures for a specified subject area.” [7] It defines required actions and sets the rules. All policies should include the following attributes: - Require mandatory compliance - Technology objectives, i.e.: why the technology is being provided to the user
  • 5. - Expectations of privacy including the use of monitoring and logging - Detailed acceptable use, outlining permitted as well as prohibited user actions - Detailed restrictions which may involve issues concerning confidentiality - Defined consequences for violations - Implementation focused - Further defined by guidelines and/or standards. Standards, Guidelines and Procedures: Standards are mandatory rules that are written in conjunction with and designed to support a policy. They help makes the policy more effective. Standards usually include specifications for hardware, software and/or behavior, and describe requirements for various configurations. Guidelines are general statements designed to provide a framework within which to implement the policy. They are not mandatory, and are more like suggestions or “best practices”. They provide information on “how” to do something. Guidelines can change frequently, and must be reviewed more often than Standards or Policies. Procedures are the mechanisms for enforcing policies. They are beneficial in times of crisis. They outline “how” the policy is implemented. “Position Statements” are often times precursors to policies, and are much simpler, in that they focus on a particular technology and the expectations for its use within the organization. 2. RESISTING Employing a variety of ways to protect networks from infection and intrusion [8] Implement Security Policies Security Policies must agree with the organizations’ security standards. Policies must be reviewed regularly to reflect the current organizational needs, yet remain compatible with other company policies. Some questions to ask when reviewing a policy are: has the company structure changed? Does the policy reflect the company’s guidelines? Have there been new technology purchases? Are there new State or Federal compliance requirements? Is there new user-behavior to address?
  • 6. Implement Security Systems Security Systems must be implemented on the network, to protect the network from cybercrime and other threats, such as malware, hacking and information theft. Manage and Control IT Manage and control IT by utilizing an enterprise management system (EMS) to perform network monitoring to ensure policy compliance as well as security at the system level. Implement Group Policy Protecting and securing the network and network resources must occur at both the system and the network level. Group Policy implementation can restrict incoming traffic from the Internet and other less trusted networks, by controlling ports, IP addresses and domains. Group Policy can also control user activity such as what they’re allowed to connect to computer systems, and how removable media, such as USB devices, are to be used. Educate users Ensure network users are educated and informed regarding types of malware attacks, signs of infection, and how to report. Implementing Further Protection: Use a Firewall Utilize Anti-virus/anti malware software Enforce: -Email Policies -Password Policies -Acceptable Use Policies Ensure: Group Policies and Network Monitoring for: -USB and portable devices -Instant Messaging
  • 7. -Internet Applications -Public Social Networks -Downloading and/or installing software 3. DETECTING Use an Intrusion Detection System- IDS Employing the use of Intrusion Detection hardware/software on the network will help contain possible infections and security breaches. Use a Network Management System Implement Network Management and Monitoring 4. RESPONDING The National Institute of Standards and Technology's “Computer Security Incident Handling Guide” states that there are three steps involved when responding to a confirmed malware attack: [9] Containment Eradication Recovery Performing these steps should be supported by the guidelines that were written during the Security Planning phase, outlined above. Containment Efforts to contain the spread of the malware should include: [10] Instructing users what they should and should not do in the situation in order to help contain the spread of the malicious software. (ie: clicking an email link) . Disconnecting affected systems from the network, temporarily. Eradication Eradicating the malware, (also called “disinfecting”) which involves removing the malware and possibly restoring damaged systems from backups, or rebuilding the systems.
  • 8. “Locking down” systems, patching vulnerabilities, and reconfiguring affected components on the infrastructure. Recovery Focus on returning to normal operation Confirm that the attack has been contained Ensure the malware has been removed Determine which containment actions can now cease Collaborating with entities such as legal departments or public relations may also be a component of recovery. Response teams should now review their course of action, assess/adjust applicable security mechanisms and agree on methods for improvement. These proceedings conclude the security cycle, and bring the focus back around to the Planning phase again. The Related Costs of Malware Determining and balancing the cost of malware is actually an exercise in risk analysis. The first step to determining this expense, is assigning values to all information assets. The second step is to estimate the potential loss. The assigned asset and loss values are then used to determine the single loss expectancy (SLE), which is defined as the expense of recovering from a single malware attack. [11] Calculating the SLE includes a summation of the following costs: The cost of purchasing/maintaining anti-malware products The ongoing cost for maintaining anti-malware ie: subscriptions for updates/other related services Assigning a value to the company's data (calculated by determining how much it would cost to restore or re-create different types of lost information, such as sales records, tax information, contact information, emails) Lost revenue Potential cost of fines and penalties for violating confidentiality/privacy agreements Loss of employee productivity Cost of repairing damaged systems Hardware overhead (all anti-malware products consume resources such as processing power, memory and disk space)
  • 9. Determine the annual loss expectancy (ALE) of a single malware attack based on average number of previous attacks per year Multiply the SLE by the ALE to determine the annual cost of malware for the business. [12] Setting a Security Budget Determine the annual cost of malware. It is crucial to plan an anti-malware budget accordingly. The figures from the above calculations will provide a rough estimation for the planned yearly expenditure for anti-malware protection. Assess the amount of risk that the company is willing to take. For example, some companies might choose to accept a higher level of risk of infection, because it’s been determined that the actual probability of attack is very low, or because the organization has lowered some risks in other ways, such as by purchasing insurance, or the use of offsite backup solutions. These calculations can be used in creating a security budget, and /or for calculating the value of the particular anti-malware tools already in place. [13] Calculators There are many risk calculators available online as shareware. They are easy to use, and will generate an estimate of various risks, using several of the variables mentioned above. One such calculator was used to estimate the financial risk for a fictitious organization of 1,000 employees. The calculator located at http://www.cmsconnect.com/Marketing/viruscalc.htm, analyzed the organizations’ workplace and email environment, (using number of employees with email access, number of minutes of email usage per employee per day, and average employee salary) along with the number of IT staff, and average salary The effects of an email malware attack in regards to salary and productivity are found as follows: It was determined that a fictitious organization of 1,000 employees earning an average e of $25/hr, and using email for approximately 30 minutes per day, would cost the company 524 hours, which translates into $13,700.00 in lost salaries per day (or $570.83 per hour)
  • 10. Return on Investment When using Return on Investment to justify purchasing security technology it is important to remember that avoiding a possible loss is much different than generating income. Use ROI cautiously. Findings Malware affects networks of all sizes, and is installed via various means, many times without a users consent or knowledge. It is costly to businesses in regard to prevention as well as recovery. Malware is no longer viewed as a prank created by script kiddies. Malware is now developed by professional programmers who are paid for their work, and is used to steal information of all kinds. New types of malware are continuously being developed in order to avoid detection. Detection and disinfection can be costly. The way that the enterprise behaves throughout all four phases of the security cycle determines its success in protecting its network and data from malware. [14] Recommendations Risk analysis and assessment must be performed and are a necessary element in assessing the necessary expenditures that a business should prepare to incur. Creating and implementing a security budget are essential in order to protect information assets, privacy, confidentiality, and the network infrastructure. Value I feel that in doing the research for this paper, I have learned about the processes that must be in place to secure an enterprise network and data. I’ve learned about the importance and benefits of policies, guidelines and procedures, I’ve learned about the steps that are necessary for protecting a valuable asset such as an organizations network and that the hardware and software are indeed valuable, but the information
  • 11. and data that belong to the company have much value as well- indeed maybe more value than the former. It’s not just the computers, hardware, software and employees that enable the company to do business and to remain in business. It is those things in addition to maintaining data integrity, privacy, availability and confidentiality as well. Risk Assessment, Risk Management, and Disaster Recovery are all areas that I have become interested in, recently, and I feel that this paper has introduced me to several key concepts in all of those areas and given me a basic understanding of them. I may make a career change after I graduate, leaving Network Administration, and entering the realm of Risk Management or Security.
  • 12. References 1. George Ledin, Jr,( (February 2011 vol. 54 - 2)The Growing Harm of Not Teaching Malware, Communications of the ACM 2. Steve Lohr, January 17, 2010, Companies Fight Endless War Against Computer Attacks , NYTimes.com, retrieved 05/27/2011 from: http://www.nytimes.com/2010/01/18/technology/internet/18defend.html 3. 4 Steps To Combat Malware Enterprise-Wide, Lennie Zeltser, Zeltser.com, Retrieved 06/19/11 from: http://zeltser.com/combating-malicious-software/malware-in-the- enterprise.html 4.Ellen Messmer, (2008) Security vendors leaving 'old school' malware detection methods behind, NetworkWorld, retrieved on 06/06/11 from: http://www.networkworld.com/news/2008/121208-crystal-ball-antivirus.html 5. (Source: AbleOne Systems, http://www.ableone.com) 6. Lenny Zeltser, 4 Steps To Combat Malware Enterprise-Wide, Zeltser.com, retrieved on 06/26 from: http://zeltser.com/combating-malicious-software/malware-in-the- enterprise.html 7. The SANS Institute, (2007) A Short Primer for Developing Security Policies 8. 4 Steps To Combat Malware Enterprise-Wide, Lennie Zeltser, Zeltser.com, Retrieved 06/19/11 from: http://zeltser.com/combating-malicious-software/malware-in-the- enterprise.html 9. 4 Steps To Combat Malware Enterprise-Wide, Lennie Zeltser, Zeltser.com, Retrieved 06/19/11 from: http://zeltser.com/combating-malicious-software/malware-in-the- enterprise.html 10. Karen Scarfone, Tim Grance, Kelly Masone, Recommendations of the National Institute of Standards and Technology The National Institute of Standards and Technology, Special Publication 800-61 Revision 1, Computer Security Incident Handling Guide
  • 13. 11. John Edwards, April 30, 2009, Money for Nothing: The Real Cost of Malware, Focus, retrieved 06/028/11 from: http://www.focus.com/briefs/it-security/money-nothing- real-cost-malware/ 12. John Edwards, (2008) The Malware Burden, Network Security Journal,retrieved on June 28, 2011 from: http://www.networksecurityjournal.com/features/malware-burden- 012208/ 9 13. Balancing the cost and benefits of countermeasures, SearchSecurity.com, retrieved on June29 2011 from: http://searchsecurity.techtarget.com/feature/Balancing-the-cost- and-benefits-of-countermeasures 14. 3Computer Security Institute, 15th Annual 2010-2011 Computer Crime and Security Survey Other Resources: -Quest Software, Best Practices in Instant Messaging Management http://www.idgconnect.com/view_abstract/2619/best-practices-instant-messaging- management-2619 -Mark Merkow, Jim Breithaupt, Information Security Principles and Practices, Pearson Education Inc, 2006 - Applegate, L. M., F. W. McFarlan, and R. D. Austin. Corporate Information Strategy and Management: Text and Cases. 6th ed. New York: McGraw Hill, 2003. Acknowledgements 1. Dr. Halstead-Nussloch, my professor for this course, IT6683, for providing the opportunity to research and write this paper 2. Dr. Rutherfoord, my professor for IT5102 “Into to Security”, for her interesting power-point presentations, and all that I have learned from her. 3. Dr. Kim Kenneth Metcalf of UWG, my Fiancé, for challenging and encouraging me.
  • 14. 4. Arden Peterkin, Network Security Consultant for GCPS, for providing invaluable information about the most current network threats detected and remediated there.